RE: 3550 EMI [7:50103]
My only gripe with the 3550 series is that they once again changed some of the commands to do the same stuff. For example, to upgrade the IOS, the image now resides in a folder in flash and you use the archive command with several possible options. Fallback bridging is another one that really threw me for a loop. I didn't think this thing would bridge IPX at first... Other than that, I think this box rocks!

Rik

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 30, 2002 10:29 AM
To: [EMAIL PROTECTED]
Subject: Re: 3550 EMI [7:50103]

just getting into it. 1500 pages of documentation to read :-O

They do IGRP, EIGRP, RIPv1, RIPv2, and OSPF. Don't believe the output of the router ?

BGP is expected to be released real soon now, but according to Cisco people I've spoken to, it will not be a full featured release. Limitations as to the number of routes processed and stored, for example ( due to the physical limitations of the switch ) I.e. don't expect to get full BGP routes over your DSL connection.

Chuck

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...

Anyone played with the new 3550 EMI switches? They report layer 3 routing etc.

Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50220t=50103
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: ADSL - unable to reach URL's [7:50068]
Chances are this is NOT a DNS issue. Try to PING www.cisco.com by name and see if you get name resolution. If you resolve the name to an address then DNS is not at fault here. I believe that your issue is more likely caused by an MTU problem. PPPOE requires 8 bytes of overhead and so your MTU now must be set to 1492 or less. The reason you can PING anything you want to is that your IP stack will typically use a small transmission size for ICMP (PING) by default. You can test this by typing ping /? on a Windows host to get the correct syntax and then change the transmission size to 1500 and see if the PING still works like it did.

-Original Message-
From: Derrick Monahan [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 29, 2002 6:10 PM
To: [EMAIL PROTECTED]
Subject: ADSL - unable to reach URL's [7:50068]

I have been setting up a DSL connection for a home user, but he is currently unable to reach ANY website. I am able to ping IP addresses of servers on the internet and get a reply. But, neither IE nor Netscape is able to reach a single page (via IP or Name). The DHCP servers gives his adapter an IP address and gateway of the same address. The subnet is a /24. He is using the PPPoE adapter and no router or firewall exists at his site. I hardcoded the DNS server addresses to ensure DNS name resolution, but this did not fix anything. If you have any recommendations please reply. This should be a simple task to complete, but obviously I am missing something.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50081t=50068
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
OT - PPPOE on a PIX [7:50085]
Has anybody had a problem with PPPOE on a PIX 506 running 6.2(1) code? My problem appears to be MTU-related - I can PING all day but HTTP only brings up about a third of the sites I browse. There is a caveat in the docs about MTU dropping to 1492 with PPPOE, which is supposed to happen automagically but I tried to hard-code it and still the same problem. I opened a case with TAC but the engineer hasn't given me any good info. 6.2(2) is out so I'll try to upgrade it Wednesday but I thought maybe somebody else has run into this before.

Rik

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50085t=50085
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
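Both PPPoE threads above come down to the same test: a ping of the default size gets through, a full-size packet with the don't-fragment bit set does not. The following is an added example, not code from either post, that turns the header arithmetic behind that test into functions: it derives the largest ICMP data size that fits in a given MTU, builds the corresponding don't-fragment ping for Windows (`-f -l`) or Linux (`-M do -s`), and infers the path MTU from which probe sizes got a reply. The host name and the probe results are constructed inputs.

```python
"""Header arithmetic for testing path MTU across a PPPoE link.

Added example, not from the original posts. The constants are the standard
header sizes: IPv4 20 bytes, ICMP echo 8 bytes, PPPoE 8 bytes (6-byte PPPoE
header plus 2-byte PPP protocol ID), which is why 1500 becomes 1492.
"""

IPV4_HEADER = 20
ICMP_HEADER = 8
ETHERNET_MTU = 1500
PPPOE_OVERHEAD = 8


def link_mtu(overheads=()):
    """Largest IP packet a path can carry after each encapsulation overhead is subtracted."""
    return ETHERNET_MTU - sum(overheads)


def ping_payload(mtu):
    """Largest ICMP data size that fits in `mtu` without fragmentation."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def infer_path_mtu(largest_ok_payload):
    """Inverse of ping_payload: path MTU implied by the largest DF ping that got a reply."""
    return largest_ok_payload + IPV4_HEADER + ICMP_HEADER


def ping_command(host, payload, os_name):
    """Build a don't-fragment ping with `payload` data bytes for Windows or Linux."""
    if os_name == "windows":
        # -f sets the DF bit, -l is the data size (what 'ping /?' calls the send buffer)
        return ["ping", "-f", "-l", str(payload), host]
    if os_name == "linux":
        # -M do = don't fragment, -s = data size
        return ["ping", "-M", "do", "-s", str(payload), "-c", "3", host]
    raise ValueError("unsupported os: " + os_name)


def probe_plan(host, os_name="windows"):
    """Two probes: a full 1500-byte packet, which must fail over PPPoE, and a
    1492-byte packet, which should succeed once the MTU is set correctly."""
    plain = ping_payload(ETHERNET_MTU)                   # 1472
    pppoe = ping_payload(link_mtu([PPPOE_OVERHEAD]))     # 1464
    return {
        "expect_fail_over_pppoe": ping_command(host, plain, os_name),
        "expect_ok_over_pppoe": ping_command(host, pppoe, os_name),
    }


def diagnose(results):
    """Given {payload_size: got_reply} from DF probes, return the inferred path MTU,
    or None if no probe succeeded."""
    ok = [size for size, replied in results.items() if replied]
    if not ok:
        return None
    return infer_path_mtu(max(ok))


if __name__ == "__main__":
    plan = probe_plan("gateway.example", "windows")   # constructed host name
    for label, cmd in plan.items():
        print(label, " ".join(cmd))
    # constructed observation: 1472 bytes is dropped, 1464 bytes is answered
    print("path MTU:", diagnose({1472: False, 1464: True, 1400: True}))
```

A host that answers the 1464-byte probe but not the 1472-byte one is sitting behind the 8 bytes of PPPoE overhead Rik describes; fixing the MTU on the client or PIX to 1492 (or lower) is the remedy, and the same two probes confirm it afterwards.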
RE: Can get it to work (Pix 515 behind cable modem [7:49845]
This reply is a long one!

Please allow me to clear up a couple of misconceptions I have read on this thread.

First, while it is true a PIX blocks everything by default, this only applies to inbound traffic initiated from the outside. Outbound sessions initiated from the inside are all allowed out by default with no access lists needed. Your config looks okay in this regard. The only thing you might want to do is add

access-list outside permit icmp any any echo-reply
access-group outside in interface outside

to allow PING responses to come back in for testing connectivity.

Second, even though the nat (inside) 0 has nat in the line, this doesn't mean specifically that you are using nat (one-to-one translation). It's actually the global statement that defines whether NAT or PAT is used. When a single address (or interface option) is used in this statement, PAT is used as is indicated by the console message that appears. Otherwise, if a range of addresses is used, nat will be enabled. This could be a problem if you use a range and don't back it up with another global statement with just a single address for PAT (PAT is also called NAT overload) as the first hosts to connect will use up the NAT addresses and no other connections will be allowed. Unless, of course, you have as many public addresses as you have internal hosts. Your config looks fine in this regard also.

The only thing I might question is your use of the following lines:

dhcpd auto_config outside
sysopt connection permit-ipsec
sysopt connection permit-pptp

None of these is necessary and may be causing a problem. I would remove these and see if it resolves anything for you.

Also, be sure to cycle the power on the PIX. I have to do this more and more on Cisco boxes as they get more complex and bloated with functionality. I have seen weirdness with PIXes before. One such time I saved the config, erased and rebooted the PIX, and then pasted the config back in to have it work fine at that time. Re-flashing the code has also fixed oddball problems for most of us on this list from time to time.

Using show interface will give you a bunch of info including addressing you're getting from the ISP and show route will give you the default route you supposedly pull down from them.

Are you sure you're not using PPPOE? If so, this requires a totally different config. Otherwise, with the exception of the 3 lines I mentioned earlier, your config looks good.

One question - why did you turn off fixup on SMTP? This is generally a good thing. I would check this feature out unless you already know that you need it turned off.

Good luck!

Rik

-Original Message-
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: Can get it to work (Pix 515 behind cable modem [7:49744]

From what I can see, you've initiated NAT, but didn't define a NAT Pool of addresses. So, I can only deduce that the PIX is defaulting to PAT operation rather than just not allowing traffic across the PIX at all. (wasn't that nice of Cisco :-] ) I'm just starting to study the ins/outs of PIX, so I could be wrong. Try defining a NAT Pool, and see what happens; let us know!

Mark

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 26, 2002 12:20 AM
To: [EMAIL PROTECTED]
Subject: Can get it to work (Pix 515 behind cable modem) [7:49744]

Dear All,

Below is my config. Can someone tell me why clients on the inside interface can't get to the internet (browse, ping, nothing)? Yet show xlate shows clients Pat(ing) to outside address.. I am so frustrated, don't know what's the issue???!!!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.0.2
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server
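The two points Rik makes above, that the global statement rather than the nat statement decides between one-to-one NAT and PAT, and that echo-reply has to be permitted inbound for ping tests to work, are easier to see side by side. This is an added PIX 6.x fragment, not part of any post in the thread; the 203.0.113.x addresses are documentation-range placeholders standing in for a real public block.

```cisco
: Outbound translation for every inside host, tied to nat id 1
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
: A range of public addresses under the same id: one-to-one NAT, handed out
: first come first served until the range is exhausted
global (outside) 1 203.0.113.10-203.0.113.20 netmask 255.255.255.0
: A single address under the same id: PAT fallback for hosts that connect
: after the range is used up (without this line they are simply refused)
global (outside) 1 203.0.113.21 netmask 255.255.255.0
: When the outside address is assigned by DHCP or PPPoE there is no range to
: give, so PAT on the interface address is the whole story:
: global (outside) 1 interface
: Let ping replies back in for connectivity testing; everything else from
: the outside stays blocked by default
access-list outside permit icmp any any echo-reply
access-group outside in interface outside
```

A config with only the range line is the situation Rik warns about: the first eleven hosts get a one-to-one translation and the twelfth gets nothing, with no error on the client side to explain why. Kevin's posted config uses the single interface form, so PAT is already in effect there and the translation setup is not his problem.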
RE: Quick Vlan question [7:49533]
There are some router models that have 10Mb interfaces that support trunking (Dot1Q). What differentiates them is the IOS feature set. You need IP+ on some of the older models whereas most of the newer models have 100Mb interfaces and support trunking with just the IP feature set. If your router is a Cisco device and it turns out it will support trunking, then once you setup the trunking parameters, you would then create sub-interfaces for each VLAN.

Rik

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 24, 2002 6:33 PM
To: [EMAIL PROTECTED]
Subject: RE: Quick Vlan question [7:49533]

maine dude wrote:

Hi, If I have two Vlans and want to route between them using an external router, but the router has only 10mb ports, how can it be done? I can't use ISL or 802.1q because it isn't supported on 10mb/s ports, correct? Does every Vlan need a separate physical connection? or do i use sub interfaces?

You say 10mb ports, i.e. plural. If the router has two ports, use them both, one for one VLAN and one for the other. It's as simple as that.

I have this same problem in my home lab due to ancient equipment. I simply put e0 on the router in subnet 172.16.10.0 and e1 on the router in subnet 172.16.50.0. I connect one of my switches to the router using two ports on the switch, one going to e0 and one going to e1 on the router. These don't even have to be trunk ports, just any old ports. On the switch I have some devices in VLAN 1 (172.16.10.0) and some in VLAN 2 (172.16.50.0). The devices use the appropriate router address for their default gateway.

I have the switch connected to another switch in a redundant fashion to get some practice with trunking, etc., but the router just acts like an ordinary router from the pre-VLAN days when life was simple. ;-)

Priscilla Oppenheimer
http://www.priscilla.com

please advise. thank you -DJ

Get a bigger mailbox -- choose a size that fits your needs.
http://uk.docs.yahoo.com/mail_storage.html

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49597t=49533
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Security hazard?? [7:45731]
Pete, bear in mind that this document is 2 years old. The IOS version on the switch was 11.2. Anybody care to speculate on how much has changed since 11.2? How about the changes in Dot1Q since then?

Nonetheless, I don't get a warm and fuzzy feeling with separating external and internal traffic with VLANs. I like physical separation coupled with firewall protection. I believe it's not just protecting what has been hacked already but minimizing what can be hacked in the future.

Rik

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]

Interesting indeed. I hadn't seen that before. This is obviously an architecturally flawed implementation. Ideally, the CAM (MAC) table should be fully isolated to prevent unwanted forwarding and ports not considered trunks shouldn't accept tagged packets. I assume folks are working on this, but at this time, it would look like securing a topology of this nature requires some additional effort.

Thanks for the link

Pete

At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:

if you do not have IP routing on the VLANs you can still hop from one VLAN to another. See this article for more info: http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]

Assuming the untrusted VLAN offers no IP connectivity to its control engine (ie the routed aspects are not reachable therein) what vulnerabilities exist here? With no routing on the VLAN, I'm not exactly sure how one gets from untrusted to trusted without traversing the Firewall. The only limitation I see here would be one of either poorly implemented VLAN technology on the part of the vendor, and fat fingering on the part of the administrator.

Pete

At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:

If I understand what you're describing, it sounds like you've pretty well by-passed the firewall. As a general comment, it seems pointless to have a firewall if you're not going to utilize it with sound network security design. I think I understand what you're trying to do, but you may want to rethink the reasoning. Your VLANs ( on the same devices ) are a very thin security veil between the trusted and untrusted networks. Without a net diagram, we can only speculate. But, I'm guessing that the most secure you can be with this physical config is to pin strong ACLs to the outside interfaces of the 3640 access routers. You could also pin ACLs to the VLAN interfaces to filter unwanted traffic. What kind of capability do these switches have? Have you considered the IOS firewall ( CBAC ) for the edge routers? I think a tech support call to your firewall vendor may be an eye-opening experience. Send them a diagram of what you've got and see if it's a network design scenario that they support. I assume the 2 3640s are being used redundantly with HSRP? If so, why not consider a second, redundant firewall and place them both in-line between the edge routers and the internal LANs?

HTH,
Bob McIntire

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Craig Columbus
Sent: Tuesday, June 04, 2002 9:42 AM
To: [EMAIL PROTECTED]
Subject: Re: Security hazard?? [7:45731]

Do I understand you correctly that your 6808s have both internal (secure) and external (unsecure) traffic on them, separated only by VLAN?

At 09:30 PM 6/3/2002 -0400, you wrote:

All, We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's). The two 3640's are doing IBGP between them on each of their eth0's. I have created a vlan on the Extremes called 'unsecure' (there are only 2 ports on each Extreme in this vlan... one coming in from the 3640 and the other going into the firewall). I am getting some complaints from the 'uppers' that bringing the 3640's into the Extreme's is a security hazard. I am sure someone is now working on a way to hack from one vlan to the next, but for now, I don't see the difference between putting a hub in there and using a couple of ports on these monster 'almost-never-go-down' switches. I just don't want another unmanaged piece of equipment in the flow. Has anyone ever heard of this being a leak? I worked in a datacenter before and this is what we did with 6509's and we didn't blink! I know these are Extreme switches... which is probably taboo in the group, but I am pretty sure this would be platform independent... right?

Thanks,
bk

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45768t=45731
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: VLANS [7:42932]
Well, you can, just like you can put 2 physical segments in the same logical (IP) network. Of course, the question begs to be asked, why? as this doesn't give you anything. You won't be able to do much with it except bridge the traffic and then you kill the entire rationale behind VLANs. After all, without VLANs, aren't you just bridging/switching the traffic to begin with? I suggest you read up on VLANs on CCO. You will find that they really act like physical segments (with a few arcane exceptions) and shouldn't be treated any other way, including routing between them.

Rik

-Original Message-
From: Rizzo, Damian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 8:11 PM
To: [EMAIL PROTECTED]
Subject: VLANS [7:42932]

Hey all, got a quick question regarding VLANS. Can you create multiple VLANS in the same subnet? For instance if you have RouterA--VLAN1-- VLAN2--etc... Can both VLAN 1 and 2 be in the same subnet?

Thank you.

This electronic mail transmission contains confidential information intended only for the person(s) named. Any use, distribution, copying or disclosure by any other person is strictly prohibited. If you received this transmission in error, please notify the sender by reply e-mail and then destroy the message. Opinions, conclusions, and other information in this message, that do not relate to the official business of MARAKON ASSOCIATES shall be understood to be neither given nor endorsed by the Company. When addressed to MARAKON clients, any information contained in this e-mail is subject to the terms and conditions in the governing client contract.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42960t=42932
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Trunking over Aironet bridge? [7:42833]
I agree. Change the MTU on the bridges. I have a customer with 5 remote sites connected via 802.11b and trunking across all 5 and I have to increase the MTU. What I would love to see is an update to the Aironet code that supports the actual trunking header so my bridge management interfaces could be on a non-native VLAN. I tend to make the native VLAN (Dot1Q) the most active VLAN and not the default VLAN 1. Unfortunately, in this scenario, the bridges won't communicate in VLAN 1 as these frames will be tagged and the bridges don't understand the tags. Maybe some day...

Rik

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: Trunking over Aironet bridge? [7:42833]

An ISL frame can be as big as 1518 + 30 = 1548 bytes. The original frame is encapsulated in a 26-byte header and a 4-byte CRC.

An 802.1Q frame can be as big as 1522 bytes. 802.1Q inserts a 4-byte header immediately after the destination and source MAC addresses (and source-routing information, if present) of the frame to be transmitted, which could have already been 1518 bytes.

Priscilla

At 05:24 PM 4/29/02, Marko Milivojevic wrote:

yes, you must change the default frame size on the ethernet side of both bridges to 1522 (default 1518). As far as the radio is concerned it will pass the frames out over the wireless. You will need a switch on the other end of the bridge to receive the frames and break out the vlans.

That would be required for ISL, but 802.1q should go with no changes?

Marko.

Priscilla Oppenheimer
http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42872t=42833
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
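Priscilla's frame-size arithmetic in the Aironet thread (1518 untagged, 1522 with the 4-byte 802.1Q tag, 1548 with ISL's 26-byte header and 4-byte CRC) and Pete's remark in the earlier "Security hazard??" thread that ports not considered trunks shouldn't accept tagged packets both hinge on the same thing: where the tag sits in the frame and what it adds. The block below is an added example, not code from either thread. It builds and parses tagged and untagged Ethernet frames, reports the on-the-wire size against the limits Priscilla gives, and includes a hypothetical `check_port_policy()` helper that flags a tagged frame seen on a non-trunk port, the case Pete describes. The frames are constructed in code, not captures.

```python
"""802.1Q-aware Ethernet header parsing and trunk frame-size limits.

Added example, not from the original posts. Frames are built here, not
captured; check_port_policy() is a hypothetical ingress check, not a
feature of any switch mentioned in the thread.
"""
import struct

ETH_HEADER = 14            # dst(6) + src(6) + ethertype(2)
ETH_FCS = 4
ETH_MAX_PAYLOAD = 1500
DOT1Q_TAG_LEN = 4          # TPID(2) + TCI(2), inserted after the source MAC
ISL_OVERHEAD = 26 + 4      # ISL header + ISL CRC wrapped around the whole frame
TPID_8021Q = 0x8100


def max_frame_size(encapsulation):
    """Largest on-the-wire frame for a trunk encapsulation (1518 / 1522 / 1548)."""
    base = ETH_HEADER + ETH_MAX_PAYLOAD + ETH_FCS
    return {"none": base,
            "dot1q": base + DOT1Q_TAG_LEN,
            "isl": base + ISL_OVERHEAD}[encapsulation]


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Assemble an Ethernet frame (without FCS), optionally 802.1Q-tagged."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)      # 3-bit priority, 12-bit VLAN ID
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def parse_frame(frame):
    """Return addresses, VLAN info (if tagged) and the encapsulated ethertype."""
    if len(frame) < ETH_HEADER:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER])
    info = {"dst": _mac(dst), "src": _mac(src), "tagged": False,
            "vlan": None, "pcp": None, "ethertype": ethertype,
            "payload": frame[ETH_HEADER:]}
    if ethertype == TPID_8021Q:
        end = ETH_HEADER + DOT1Q_TAG_LEN
        if len(frame) < end:
            raise ValueError("frame too short for an 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[ETH_HEADER:end])
        info.update(tagged=True, vlan=tci & 0x0FFF, pcp=tci >> 13,
                    ethertype=inner, payload=frame[end:])
    return info


def wire_size(frame):
    """Bytes on the wire once the FCS is appended."""
    return len(frame) + ETH_FCS


def check_port_policy(frame, port_mode, allowed_vlans=None):
    """Hypothetical ingress check: tagged frames belong only on trunk ports, and
    only for VLANs that trunk carries. Returns a finding string, or None if OK."""
    info = parse_frame(frame)
    if info["tagged"] and port_mode != "trunk":
        return f"tagged frame (VLAN {info['vlan']}) received on {port_mode} port"
    if info["tagged"] and allowed_vlans is not None and info["vlan"] not in allowed_vlans:
        return f"VLAN {info['vlan']} is not allowed on this trunk"
    return None


if __name__ == "__main__":
    # constructed frames: a full-size IP packet, untagged and tagged for VLAN 10
    plain = build_frame("00:00:0c:00:00:01", "00:00:0c:00:00:02", 0x0800, b"\x00" * 1500)
    tagged = build_frame("00:00:0c:00:00:01", "00:00:0c:00:00:02", 0x0800, b"\x00" * 1500, vlan=10)
    print(wire_size(plain), max_frame_size("none"))      # 1518 1518
    print(wire_size(tagged), max_frame_size("dot1q"))    # 1522 1522
    print(check_port_policy(tagged, "access"))            # the case Pete warns about
```

The size comparison is why an Ethernet device that enforces a 1518-byte limit drops a full-size tagged frame: the tag pushes it to 1522. The port-policy check is the behaviour one wants from a switch, not a substitute for it; it is here to make concrete what "a non-trunk port accepting tagged frames" means at the byte level.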
RE: Gigabit GBIC for 3550 [7:42680]
Geez...all you guys had to do was ask! ;-} Rik -Original Message- From: Chuck [mailto:[EMAIL PROTECTED]] Sent: Friday, April 26, 2002 5:44 PM To: [EMAIL PROTECTED] Subject: Re: Gigabit GBIC for 3550 [7:42680] do great minds think alike, or what ;- ( see my response to the same question ) Chuck P.S. happy Friday, everyone. MADMAN wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]... I think the answer is in here: http://www.cisco.com/warp/public/cc/pd/si/casi/ca3500xl/prodlit/gbic_ds.htm Dave Brian Zeitz wrote: If I wanted to connect 2 Cisco 3550 switches together, would I need 1 Gigabit stacking GBIC or 2? I think I need 2 of them. I am trying to find out exactly what I need to hook together (2) 3350 (24 port) with 2 GIG ports. The part number im looking at is CIS-WS-X3500-XL, is this all I would need? Any help would be appreciated... Brian -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42726t=42680 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: SSH RSA key [7:40297]
Don't forget the ca save all command to save the key once you generate it. Otherwise it will go away when you reboot the PIX.

Rik

-Original Message-
From: Mark Odette II [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 2:21 AM
To: [EMAIL PROTECTED]
Subject: RE: SSH RSA key [7:40297]

John,

I have some new info, but also some info that we were told via the list response last yesterday.

1. From the Cisco PIX FW Command Reference for 6.1: The 'ca generate rsa' command is not saved in the PIX Firewall configuration. However, the keys generated by this command are saved in a persistent data file in Flash memory, which can be viewed with the 'show ca mypubkey rsa' command. Page 3-10 -- the 'show ca mypubkey rsa' command is what you issue to view your SSH RSA key. It should actually show you two keys, which are labeled: General Purpose Key, and Encryption Key i.e., Public/Private key pair.

2. From the same reference: Note- You must generate an RSA Key-Pair for the PIX Firewall before clients can connect to the PIX Firewall Console. To use SSH, your PIX Firewall must have a DES or 3DES activation key installed. Page 7-17

3. From the same reference: The 'SHOW FLASHFS' command displays the size in bytes of each filesystem sector and the current state of the filesystem. The data in each sector is as follows:
*file 0 - PIX FW binary image, where the .bin file is stored.
*file 1 - PIX FW config data that you can view with the 'show config' command.
*file 2 - PIX FW datafile that stores IPSec key and certificate information.
*file 3 - 'FlashFs downgrade' information for the 'show flashfs' command.
Page 4-34

Now interestingly enough, it doesn't mention anything about what File 4 is, as shown by the following output on my personal PIX:

cisco-pix# show flashfs
flash file system: version:2 magic:0x12345679
file 0: origin: 0 length:2469944
file 1: origin: 2490368 length:4183
file 2: origin: 0 length:0
file 3: origin: 2621440 length:3528136
file 4: origin: 7864320 length:280
cisco-pix#

.. and if you notice, File 2 seems blank, yet I have generated an RSA key, and then reconnected to my PIX with an SSH client to get the output of the Show FlashFS command. I suspect the RSA key data is being kept in the File 4 of my PIX Flash filesystem.

for a Cisco Router, I'm not sure where the RSA key data is kept, but I would not be surprised if it is kept on the Flash Filesystem there too. Of course, watch me be wrong, and it's kept in NVRAM.

Hope that answered your questions.

-Mark Odette II

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of John Green
Sent: Wednesday, April 03, 2002 12:16 AM
To: [EMAIL PROTECTED]
Subject: SSH RSA key [7:40297]

how to read the SSH RSA key in pix and a cisco router ? what is the command and where is it stored ? nvram ?

Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40397t=40297
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Radius and Win2K IAS [7:40336]
James, I have done this with NT 4.0 and doubt that it really differs much with Windows 2000. In my opinion, the MS RADIUS product is very basic but if all you want is authentication then it should work just fine for you, especially as it's free and lightweight. Different devices are setup in a different fashion for RADIUS so there is no magic one command fits all method.

Rik

-Original Message-
From: Fraasch James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 11:35 AM
To: [EMAIL PROTECTED]
Subject: Radius and Win2K IAS [7:40336]

I have a quick question about Radius Authentication and the Win2K Server Internet Authentication Service (IAS). We have finally decided to go with Radius authentication for our network equipment. This after my boss asked me to change all the passwords and add usernames to every switch and router in the network (over 300 devices) and I was supposed to do this every 90 days. So I asked him if we could look into Radius Authentication. It looks quite simple but I am not sure if there are any tips or tricks that I need to know about Cisco devices authenticating to a Win2K IAS service. I am sure someone in this group has come across this and was hoping you could tell me of any pitfalls or 'gotchas' before I get started.

Thanks in advance!

James

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40399t=40336
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: PIX VS CheckPoint [7:40136]
One point I believe should be mentioned is the different levels of awareness each product brings to the table. One of the strengths of the PIX becomes its primary weakness: the lack of true integrated application-level awareness. While this lack makes the PIX much faster than say Checkpoint, you don't have nearly as many options such as virus scanning, content scanning, etc. Rather, you are required to rely upon additional products to handle what Checkpoint has built-in. I know that the PIX has a few built-in features (such as MailGuard), the selection is rather slim. With that said, I'm really a PIX person so don't get the wrong impression. ;-)

Rik

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]

On the other hand, there's a distinct third option, which is to run Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso line of gear. This removes one of the Checkpoint disadvantages (don't need to know Unix or NT), but introduces another disadvantage (less flexible - you should have included in your advantages that regular Checkpoint is more flexible than Pix because you can integrate it with Unix and enjoy all the features of Unix, but of course with a Nokia, you don't have that). In fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash. I believe the Pix is faster, but the Nokia Checkpoint is still more flexible (but not as flexible as Checkpoint software).

Nurudeen Aderinto wrote in message news:[EMAIL PROTECTED]...

Dear x, I love your presentation. You spoke well.

Nurudeen

x wrote in message news:[EMAIL PROTECTED]...

I have setup and managed both PIX and Checkpoint in a variety of environments. I think they are both solid options in different situations. Here is how I market these products.

PIX
- more cost effective
- fast
- you can have fail over
- Can be more complicated to setup the CLI, but PIX has a nice feature of allowing all traffic out and none in by default.

Who would I market this for? I would target this as an ideal candidate for small companies with rulesets that don't change much. They also need a Cisco savvy person to manage it, usually a consultant. I am guessing you would fill this role. I have only made minor changes in the firewall I have managed for almost two years.

Checkpoint
- nice GUI for ruleset management
- more expensive
- required to know Unix or NT ( for the love of God don't use NT. Its security is very poor out of the box and requires a great deal of configuration to become mildly secure )

Who would I market this toward? I would target larger companies with Checkpoint. It is easier to manage the ruleset, but more setup time and more costly. I would also say this solution is slightly slower and more prone to security issues since you have to patch the OS and the firewall software.

--- Jeffrey Reed wrote:

Has anyone performed or seen an in depth study of PIX vs Checkpoint? I have a customer who is looking at both. I've read various magazine articles, but nothing from real people such as this group! :)

Thanks!!

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290
[EMAIL PROTECTED]

Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40262t=40136
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: root switch [7:39975]
I agree...always enter a specific value.

Yonghai, there is one thing I want to clear up after reading your posts. MAC address only comes into the root election process AFTER the bridge ID selection process. Since the default bridge ID on a Cisco switch will always be the same value, MAC addresses are the only DEFAULT value that will be unique. Once you specify a given bridge ID, the MAC address is no longer used for root election.

Rik

-Original Message-
From: Kris Keen [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 2:11 AM
To: [EMAIL PROTECTED]
Subject: RE: root switch [7:39975]

How about setting your priority to 1? That will make it the root :D or even 0! Default is 32768. We always make ours 0 or 1, I never use set spantree root..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=40024t=39975
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
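Rik's point about the order of the election, priority first and MAC address only as the tie-breaker among equal priorities, is easy to get wrong in conversation and easy to show in code. The block below is an added example, not from any post in the thread: it models the 802.1D bridge ID as the 2-byte priority followed by the 6-byte MAC, elects the root by the lowest ID, and reports whether the priority or the MAC decided it. Switch names and MAC addresses are constructed. It also generalises beyond the thread with a helper for the 802.1t extended system ID scheme, where the configured priority must be a multiple of 4096 and the VLAN number occupies the low 12 bits; on switches running that scheme a priority of 0 or 1 typed as-is is rejected, which is worth knowing before copying Kris's "0 or 1" habit onto a newer platform.

```python
"""Spanning-tree root election: lowest bridge ID wins, where the bridge ID is
the 16-bit priority followed by the 48-bit MAC. The MAC only matters when
priorities are equal, which is the case on every switch left at the default.

Added example, not from the original posts. Switch names and MACs are
constructed.
"""
from dataclasses import dataclass

DEFAULT_PRIORITY = 32768          # identical on every Cisco switch out of the box


@dataclass(frozen=True)
class Bridge:
    name: str
    mac: str
    priority: int = DEFAULT_PRIORITY

    def bridge_id(self):
        """Comparable tuple in election order: priority first, MAC as tie-break."""
        if not 0 <= self.priority <= 0xFFFF:
            raise ValueError("priority must fit in 16 bits")
        return (self.priority, int(self.mac.replace(":", "").replace("-", ""), 16))


def elect_root(bridges):
    """Return (root bridge, 'priority' | 'mac') for the BPDUs these bridges would exchange."""
    ranked = sorted(bridges, key=Bridge.bridge_id)
    root = ranked[0]
    decided_by = "priority"
    # If the runner-up shares the root's priority, the MAC address broke the tie
    if len(ranked) > 1 and ranked[1].priority == root.priority:
        decided_by = "mac"
    return root, decided_by


def extended_bridge_priority(configured, vlan):
    """802.1t extended system ID (MAC address reduction): the 16-bit field is a
    4-bit multiple of 4096 plus the 12-bit VLAN number. Raises on values the
    switch would reject, such as 1 or 0 typed on a platform using this scheme."""
    if configured % 4096 or not 0 <= configured <= 61440:
        raise ValueError("priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN must be 1..4094")
    return configured + vlan


if __name__ == "__main__":
    # constructed topology: three switches at the default priority
    sw = [Bridge("SW-A", "00:00:0c:00:00:30"),
          Bridge("SW-B", "00:00:0c:00:00:20"),
          Bridge("SW-C", "00:00:0c:00:00:10")]
    print(elect_root(sw))                     # SW-C wins purely on lowest MAC
    sw[0] = Bridge("SW-A", "00:00:0c:00:00:30", priority=4096)
    print(elect_root(sw))                     # SW-A wins on priority; MAC no longer consulted
    print(extended_bridge_priority(4096, 10)) # 4106: what 'show spanning-tree' reports for VLAN 10
```

With all three at 32768 the switch with the lowest MAC becomes root, which is typically the oldest box on the network rather than the one you would choose; setting an explicit low priority on the intended root is what makes the election deterministic, exactly as both Rik and Kris recommend.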
RE: If it's a 2611, you're out of luck [7:39788]
Mayo, I humbly must disagree with you. The 2600 series does indeed require IP Plus. The newer 1700s (1721, 1760 probably) only require IP (I set up trunking on a 1721 w/IP a couple of weeks ago), which makes them a perfect choice for low-cost InterVLAN routing. I have attempted to use IP but found the necessary configs missing.

Rik

-Original Message-
From: Mayo, Simer [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 9:37 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]

It should work with IP feature. IP Plus is not mandatory but recommended.

-Original Message-
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]

So if I understand, a 2620 router with a Fast Ethernet intf. with IP Plus feature set is reqd. to get trunking working, either isl or dot1q. Is this absolutely true that you need IP Plus? Has anyone got it working with just the IP feature set with ISL trunking? The reason I ask is the IP Plus feature set requires more than 24Mb of mem. and I only have 24Mb on my 2620. Moreover, there are no feature sets for 11.3x on Cisco's site. That could have helped :-) Thank you.

From: James Wilson
Reply-To: James Wilson
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]
Date: Fri, 29 Mar 2002 10:35:59 -0500

I have a 1751 trunked to my c2924XL running IP/FW/IDS/PLUS/IPSEC/3DES and it only supports dot1q trunking on the 100Mb interface. Works like a champ, though.

--
James D. Wilson, CCDA, MCP
Sr. Network/Security Engineer
non sunt multiplicanda entia praeter necessitatem
William of Ockham (1285-1347/49)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rik Guyler
Sent: Thursday, March 28, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]

Another bit of good info to know: Traditionally, the 1700 series would not support trunking, either ISL or Dot1Q. That includes both the 1720 and 1750. In these cases, you had to purchase a 2600 with IP Plus, which is an expensive proposition to avoid the necessity of 2 or more E/FE interfaces. I just set up for a client a 1721 router which DOES support both trunking encapsulations and does it with IP only IOS! This is a huge savings over the traditional options for inter-VLAN routing. There are also new 1751 and 1760 models which I believe also support both modes of trunks.

Rik

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]

apparently last week someone on the list made the ethernets work in a 2600 router at 10mb

Larry Letterman
Cisco Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]

Vlan trunking requires a fast ethernet connection. It cannot be trunked with a 261X. You'd need a 262X. If you have to deal with a 2611, your options become much more limited. You could replace the 2611 with a 2620. Or you could get an ethernet module for the 2611. Unfortunately, last time I checked (which was a couple years ago, given) those ethernet modules came in two models, 1 and 4 port, and cost about $1000 per port. Another option would be to replace the 2611 with a 1750. It's got one fast ethernet port. If this network is as small as it sounds, it'd be a viable option.

Oh, and about trunking, the way it works is you define the switch port connected to the router as a trunk. This allows multiple (in your case, all) vlans to use the one port. The router is configured with subinterfaces on the fastethernet port, one for each vlan. The router can then route between these vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39985t=39788
RE: AS5301 modem question [7:39917]
Michael, I have not worked on a 5301, only a 5300 so I will tell you what I know and maybe it will carry over. Since nobody else has any ideas, maybe this will help.

In a 5300, the T1 card is a different card than the modem card(s). You said this is a quad T1 card so you should see 4 T1 ports on a card by themselves with maybe a couple of various other ports like console, etc. The modem cards, again on my 5300, had no ports to speak of. They were accessed directly via the backplane of the device. In order to gather modem information, type show modem at the enable prompt and this will output individual modem stats as well as tell you how many modems you have. If the 5301 is like the 5300, there are different modem options depending on the options you ordered. The 5300 could have up to 96 modems per card and held up to 2 cards for a total of 192 modems in a single chassis.

Hope this helps!

Rik

-Original Message-
From: Michael Douglas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 31, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: AS5301 modem question [7:39917]

Does anyone have any ideas?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=3t=39917
RE: If it's a 2611, you're out of luck [7:39788]
Another bit of good info to know: Traditionally, the 1700 series would not support trunking, either ISL or Dot1Q. That includes both the 1720 and 1750. In these cases, you had to purchase a 2600 with IP Plus, which is an expensive proposition to avoid the necessity of 2 or more E/FE interfaces. I just set up for a client a 1721 router which DOES support both trunking encapsulations and does it with IP only IOS! This is a huge savings over the traditional options for inter-VLAN routing. There are also new 1751 and 1760 models which I believe also support both modes of trunks.

Rik

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]

apparently last week someone on the list made the ethernets work in a 2600 router at 10mb

Larry Letterman
Cisco Systems
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]

Vlan trunking requires a fast ethernet connection. It cannot be trunked with a 261X. You'd need a 262X. If you have to deal with a 2611, your options become much more limited. You could replace the 2611 with a 2620. Or you could get an ethernet module for the 2611. Unfortunately, last time I checked (which was a couple years ago, given) those ethernet modules came in two models, 1 and 4 port, and cost about $1000 per port. Another option would be to replace the 2611 with a 1750. It's got one fast ethernet port. If this network is as small as it sounds, it'd be a viable option.

Oh, and about trunking, the way it works is you define the switch port connected to the router as a trunk. This allows multiple (in your case, all) vlans to use the one port. The router is configured with subinterfaces on the fastethernet port, one for each vlan. The router can then route between these vlans.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39866t=39788
RE: Designated Port/Switch and Root Port?? [7:39811]
I'll try to explain this:

Think of a root port as the closest port to the root bridge on a given BRIDGE. Think of a designated port as the closest port to the root bridge on a given SEGMENT. This is the port used by all bridges on a given segment to get to the ROOT.

Consider the following basic diagram to explain this further with 1 root bridge, 3 non-root bridges and 3 segments:

|ROOT|--segment 1--|A|--segment 2--|B|--segment 3--|C|

The root port on bridge A is the closest int to ROOT - the int on the left. The designated port on segment 1 is actually the int on ROOT that's in segment 1.

The root port on Bridge B is the closest int to ROOT - the int on the left. The designated port on segment 2 is the closest interface to ROOT in segment 2 - the int on the right side of bridge A.

The root port on bridge C is the closest int to ROOT - the int on the left. The designated port on segment 3 is the port closest to ROOT - the int on the right side of bridge B.

So, you wind up with something like a consistent and logical topology:

ROOT(DP)--(RP)A(DP)--(RP)B(DP)--(RP)C

The real distinction is knowing that a root port is a designation specific to a switch and a designated port is specific to a segment. To show this, we can make the following modification to the above topology:

ROOT(DP)--(RP)A(DP)--(RP)B(DP)--(RP)C
                   |
                   |--(RP)D(DP)--(RP)E

In this case, there are 2 root ports in segment 2 but there will always be ONLY 1 designated port per segment. This is one of the foundational concepts of STP. Also, the ROOT will never have a root port, all non-root bridges will have ONLY 1 root port (per VLAN) and there will ONLY be 1 designated port per segment (per VLAN). Root ports send BPDUs and designated ports receive BPDUs.

Hope this helps,

Rik

-Original Message-
From: Lomker, Michael [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:44 PM
To: [EMAIL PROTECTED]
Subject: RE: Designated Port/Switch and Root Port?? [7:39811]

Hello, If every non-root bridge elects one root port to get to the root-bridge, then why do we still need a designated switch/port per segment? Do these two have different functions altogether? Thank you.

I did a few searches on cisco.com and google and they appear to be different words for the same thing. I'll agree that the explanation I read in my Examcram wasn't that explicit.

http://netcert.tripod.com/ccna/switches/2switch.html
Ports that have the lowest cost to the root bridge are called designated ports. The other ports on the bridge are considered non designated and will not send or receive traffic, (blocking mode).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39870t=39811
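The rules laid out in this thread, and the point from the root-switch thread further up (priority decides the root; the MAC only breaks a tie between equal priorities), worked through in code. This is an added example, not code from any of the posts: a centralised Python model of 802.1D root election and port-role assignment, run on the diagram Rik drew (ROOT--A--B--C with D and E hanging off segment 2) and extended with one assumed redundant link between C and E (seg5) so that a blocking port also shows up. The bridge priorities, MAC addresses, port names and the 100 Mbit/s port cost of 19 are assumptions for the illustration.

```python
"""Added example (not code from the original posts): a centralised model of 802.1D
root election and port roles, run on the topology Rik drew. Priorities, MACs, the
100 Mbit/s port cost and the extra C-E link on seg5 are assumptions."""
from collections import namedtuple

DEFAULT_PRIORITY = 32768   # 802.1D default; a lower value wins
INF = float("inf")
# A bridge port. Cost 19 is the 802.1D-1998 path cost of a 100 Mbit/s link (assumed for every port).
Port = namedtuple("Port", "bridge name segment cost", defaults=(19,))


def mac_to_int(mac):
    """'0c00.0000.0001' or '0c:00:00:00:00:01' -> int, so MACs compare numerically."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def bridge_id(priority, mac):
    """Bridge ID ordering: priority compares first; the MAC only breaks a priority tie."""
    return (priority, mac_to_int(mac))


def elect_root(bridges):
    """bridges = {name: (priority, mac)}; the lowest bridge ID becomes root."""
    return min(bridges, key=lambda b: bridge_id(*bridges[b]))


def compute_roles(bridges, ports):
    """Return (root, {(bridge, port): 'root' | 'designated' | 'blocking'})."""
    bid = {b: bridge_id(*bridges[b]) for b in bridges}
    root = elect_root(bridges)
    segments = {}
    for p in ports:
        segments.setdefault(p.segment, []).append(p)
    # best[b] = priority vector b advertises: (root path cost, designated bridge ID,
    # designated port, receiving port). Lower wins, exactly as BPDUs are compared.
    best = {b: (INF,) for b in bridges}
    best[root] = (0,)
    root_port = {}

    def designated_on(seg):
        # One designated port per segment: the attached bridge with the lowest
        # (root path cost, bridge ID, port) among those that have a path to the root.
        known = [p for p in segments[seg] if best[p.bridge][0] != INF]
        return min(known, key=lambda p: (best[p.bridge][0], bid[p.bridge], p.name), default=None)

    changed = True
    while changed:             # relax until no bridge finds a better vector
        changed = False
        for seg, plist in segments.items():
            d = designated_on(seg)
            for p in plist:
                if d is None or p.bridge in (root, d.bridge):
                    continue
                # Cost learned through p = designated bridge's root path cost + p's own cost.
                cand = (best[d.bridge][0] + p.cost, bid[d.bridge], d.name, p.name)
                if cand < best[p.bridge]:
                    best[p.bridge], root_port[p.bridge], changed = cand, p, True

    roles = {}
    for seg, plist in segments.items():
        d = designated_on(seg)
        for p in plist:
            role = "designated" if p is d else "root" if root_port.get(p.bridge) is p else "blocking"
            roles[(p.bridge, p.name)] = role
    return root, roles


def check_invariants(ports, root, roles):
    """Rules from the thread: no root port on the root bridge, exactly one root port
    per non-root bridge, exactly one designated port per segment. Returns violations."""
    problems, by_bridge, by_segment = [], {}, {}
    for p in ports:
        by_bridge.setdefault(p.bridge, []).append(roles[(p.bridge, p.name)])
        by_segment.setdefault(p.segment, []).append(roles[(p.bridge, p.name)])
    for b, rs in by_bridge.items():
        if rs.count("root") != (0 if b == root else 1):
            problems.append(f"{b} has {rs.count('root')} root port(s)")
    for s, rs in by_segment.items():
        if rs.count("designated") != 1:
            problems.append(f"{s} has {rs.count('designated')} designated port(s)")
    return problems


# Constructed topology: MACs chosen so that A has the lowest MAC and ROOT the highest.
MACS = {"ROOT": "0c00.0000.00ff", "A": "0c00.0000.0001", "B": "0c00.0000.0002",
        "C": "0c00.0000.0003", "D": "0c00.0000.0004", "E": "0c00.0000.0005"}
DEFAULTS = {b: (DEFAULT_PRIORITY, m) for b, m in MACS.items()}
TUNED = {**DEFAULTS, "ROOT": (4096, MACS["ROOT"])}   # ROOT alone given a lower priority
PORTS = [Port("ROOT", "p1", "seg1"),
         Port("A", "p1", "seg1"), Port("A", "p2", "seg2"),
         Port("B", "p1", "seg2"), Port("B", "p2", "seg3"),
         Port("C", "p1", "seg3"), Port("C", "p2", "seg5"),
         Port("D", "p1", "seg2"), Port("D", "p2", "seg4"),
         Port("E", "p1", "seg4"), Port("E", "p2", "seg5")]   # seg5: assumed redundant C-E link

if __name__ == "__main__":
    print("root with every priority at 32768:", elect_root(DEFAULTS))
    root, roles = compute_roles(TUNED, PORTS)
    print("root with ROOT at priority 4096:", root)
    for key in sorted(roles):
        print(key, roles[key])
    print("violations:", check_invariants(PORTS, root, roles))
```

With every priority left at 32768 the switch with the lowest MAC (A here) wins; giving ROOT priority 4096 makes it root regardless of its MAC. check_invariants returns an empty list when the three rules from the thread hold, and on seg5 only C's port becomes designated while E's goes to blocking. The same ordering is also why a device plugged into an access port and advertising priority 0 can take over root, which is what root guard and BPDU guard on Cisco switches exist to stop.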
RE: Gigastack Etherchannel [7:39033]
Yes and no. Gigastacks are FD when only one port is used. When you truly stack with these GBICs, meaning one port is used for inbound and the other for outbound, a show int will reveal a HD connection. As you notice in Ole's output, only one port is in use.

GigaStack module(0.2) in GBIC slot.
  link1 is up, link2 is down

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 12:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]

GigaStack GBIC's are Full Duplex:

ELVIS#show int gigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.fd13.52f1 (bia 0002.fd13.52f1)
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), link type is autonegotiation, media type is CX_GIGASTACK
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  GigaStack module(0.2) in GBIC slot.
    link1 is up, link2 is down
  Last input 00:00:06, output 00:00:01, output hang never
  Last clearing of show interface counters 11w1d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 107000 bits/sec, 15 packets/sec
  5 minute output rate 91000 bits/sec, 16 packets/sec
     122086095 packets input, 1719966070 bytes, 0 no buffer
     Received 3149732 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 163799 multicast, 0 pause input
     165588418 packets output, 149633091 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

Hth,
Ole

~ Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
~ http://www.RouterChief.com
~ Need a Job? http://www.OleDrews.com/job ~

-Original Message-
From: Jeffrey Reed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]

I'm not sure, but I thought I read somewhere that the GigaStack GBICs are half duplex. I think I read somewhere that you shouldn't use them in an environment that requires QOS. If this is true, your throughput would be better with 1000B-T GBICs or Fiber GBICs running at full duplex.

Jeffrey Reed
Classic Networking, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Gaz
Sent: Thursday, March 21, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Gigastack Etherchannel [7:39033]

Hi all,

Been searching all over CCO for this info. Anybody know for sure?

Using Gigastack, can both slots be used as Gigastack Etherchannel (ie all four ports (two on each module)) to provide 4Gb link. Scenario would be a 3508 with two Gigastack modules and 3548 with two Gigastack modules - connected with four gigastack cables.

Various web pages show 2Gb full duplex using Gigastack and also mention 4Gb Full Duplex using Gigabit Ethernet. Even though the latter was on a Gigastack data sheet, it was worded as though (or could mean) an alternative was to use Gigabit Ethernet at 4Gb.

Hopefully I've got the question over - Basically, I know 4Gb is possible with fibre SX/LX etc, but what about Gigastack?

Thanks,
Gaz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39488t=39033
RE: Gigastack Etherchannel [7:39033]
The answer is yes. The FD/HD issue isn't switch port dependent but GBIC port dependent. If you're only using a single Gigastack port, even if you have 2 Gigastack GBICs in the same switch, then the GBIC will set up a FD connection both upstream and downstream.

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 8:43 PM
To: 'Rik Guyler'; [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]

Hi Rik,

You're correct, and if you continue to read the rest of the e-mails regarding this question, another question pops up - what if only one port on each module is used, and instead two modules are installed in each switch - would that allow a stack 2 in full duplex?

Ole

Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
http://www.RouterChief.com
NEED A JOB ??? http://www.oledrews.com/job

-Original Message-
From: Rik Guyler [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]

Yes and no. Gigastacks are FD when only one port is used. When you truly stack with these GBICs, meaning one port is used for inbound and the other for outbound, a show int will reveal a HD connection. As you notice in Ole's output, only one port is in use.

GigaStack module(0.2) in GBIC slot.
  link1 is up, link2 is down

Rik

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39508t=39033
RE: CCIE#8903 [7:37490]
George, you are an inspiration to us all. Thanks for the description of your journey and congratulations!

Rik

-Original Message-
From: George Zhang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: CCIE#8903 [7:37490]

All,

The title says it all. I took my first attempt at the CCIE lab test yesterday (March 5) in Halifax and received the "Congratulations on Passing the CCIE Lab!" this morning.

I was the only person taking the lab test in Halifax yesterday. I was told that there was another person scheduled yesterday but did not show up. My test started about 8:15 AM in the morning. We broke for lunch at about 12:20 PM. By then, I only finished all the IGP stuff and felt some pressure on time. But I had already reviewed the rest of the test and knew that I could go through the rest quickly. After the 15 min lunch break, I worked through the rest of the test very quickly. By about 3:00 PM, I finished everything except one small requirement that I had no clue how to do. I decided to skip that item. Then, I started reviewing and checking my config. Along the way of reviewing/checking, I spotted and fixed a few issues. Just about the time I finished reviewing everything, the proctor walked in and told me that it's time. I looked at the watch. It was 4:30 PM. My proctor was Steve. Steve is a great proctor. He answered quite a few of my questions and cleared my misunderstanding and confusion about the requirements of the test.

I would like to take this opportunity to thank all people who helped me to achieve my goal. First, I would like to thank my wife for her support and understanding. Without her support, there is no way I could achieve my goal. Next, I will give my thanks to Bruce, Val, and Fred of NetMasterClass. As I said earlier, the NMC1 class is the most important part of my final preparation. Thanks to Katie Wong of Cisco who scheduled me to access the ASET racks. That's my primary resource for hands-on practice for the past couple of months. Thanks to Eric Fairfield for lending me a few routers when I was in Wisconsin. Also thanks to those that I've either studied with or have helped me one way or another. Thanks also to Paul for putting this great list together.

As far as my story, I started my quest of the Cisco certifications a little over two and a half years ago. I got my CCNA and CCNP in the first year. Three months later, I passed the CCIE written test. I wanted to take the lab a year ago. However, due to work and personal reasons, I did not get time to do it until now. Last year, I was too busy to do much study. At work, as a consultant, I was billing at least 40 hours/week for the whole year. At home, my second child was born in February, my wife finished school in July, and we moved to New Jersey from Wisconsin in September. In October of last year, I foresaw a window of opportunity for me to take the lab test early this year. Then, I lobbied my manager to let me go to the ECP1 class. By the time my manager approved my training request, I found that Mentor Technologies went belly up. However, I learned that Bruce and Val founded a new company called NetMasterClass, LLC (www.netmasterclass.net) and offer the NMC1 and NMC2 classes. I registered and took the NMC1 class by the end of January. By the end of last year, the project I worked on finished. So since the beginning of this year I got a lot of time to study. For the past couple of months, I have studied 8-10 hours every day.

As far as how I prepared, I have read most of the books (Doyle I and II, Caslow, Halabi, Tam-Nam-Kee, Solie, Satterlee, etc.) recommended by people on this list. Among this long list of books, the only one I don't like is Solie's book because there are too many errors in the book. There are a few topics I was more confused about after reading the book. I don't have a home lab. So my primary resource for hands-on practice is remote labs such as Mentor Technologies' vlabs (not available any more) and the Cisco ASET lab. Because I don't have a home lab, my preparation included more reading than hands-on practice. That actually worked out very well for me.

Above all, the most important part of my preparation is the NMC1 class taught by Bruce, Val and Fred. IF I HAD NOT TAKEN THE NMC1 CLASS, IT PROBABLY WOULD HAVE TAKEN ME ONE OR TWO MORE ATTEMPTS BEFORE I COULD GET MY NUMBER. There are a lot of things that just cannot be learned from reading books or practicing. So the NMC1 class helped me to fill in that gap very well. It also helped me to assess my strengths and weaknesses. So I knew what to study in the last few weeks. I strongly recommend taking the NMC1 class a few weeks before your lab date.

Thanks again.

George Zhang
CCIE#8903, CCNA, CCNP
Sr. Network Architect
Compuware Corporation
1 Meadowlands Plaza, Suite 1050
East Rutherford, NJ 07073
732-494-0288
RE: Catalyst 3508G XL , 2950T-24 [7:37098]
You will need the updated IOS for this GBIC. Being a newer GBIC, the older IOS won't recognize it so run the upgrade and it will work. To confirm this, type sh int g0/1 (g0/2, etc..) and the output will tell you if the GBIC is recognized or not.

Rik

-Original Message-
From: Chuck Collins [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 8:22 AM
To: [EM
AIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]

I wouldn't upgrade the IOS. We had a 3550 that was doing the same thing (GBIC not blinking at all). We called into TAC and got a replacement. We did the upgrade first and when the switch would boot it would not recognize the Ethernet controller. It may be different for you since you have a 3508. I guess you would need to ask yourself do I feel lucky?

Good Luck,
Chuck Collins

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 03, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 3508G XL , 2950T-24 [7:37098]

Dear all,

I need clarification regarding these two points, thanking you in advance for your help.

First point: We have Catalyst 3508G XL, 8 GBIC slots, 12.0(5.2)XU IOS software. We tried to make it operate but the GBIC was not blinking at all. As I had read this document http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/1000gbic/instnote.htm, I came to the conclusion that the switches detect and enable the GBIC only when they are running the minimum software releases, which in the case of the Catalyst 3508G XL is Cisco IOS Release 12.0(5)XW, so in order to enable the GBIC we have to upgrade the IOS software from 12.0(5.2)XU to 12.0(5)XW.

Second point: We have Catalyst 2950T-24 Switch - 24 10/100 ports and 2 fixed 10/100/1000BaseT uplink ports, IOS available 12.0(5.3)WC(1). As I had read this document http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/1169303.htm, I came to the conclusion that we do not have to upgrade the IOS image because the IOS will support the following: Catalyst 2950T-24 - 24 fixed autosensing 10/100 ports and 2 fixed autosensing 10/100/1000 Ethernet ports.

Please tell me if there is something missing here. The equipment is placed far away from our office and we need to put the network on there as soon as possible; in case we have to upgrade the IOS of any platform then please let us go ahead solving this issue.

Warm regards,
Ismail Al-shelh
Network Engineer

[GroupStudy.com removed an attachment of type application/ms-tnef]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37218t=37098
RE: Catalyst 3508G XL , 2950T-24 [7:37098]
That's not good advice. An LX GBIC uses a laser transmitter, which is powerful enough to burn a hole in your retina as a coworker of mine found out. Besides, this is a copper GBIC so no light to see. 12.0(5.3) is a new enough IOS to recognize the copper GBIC so this version will work on all of your 3500 switches.

Rik

-Original Message-
From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]

I don't believe that it's the IOS on the 3508. First, check to make sure your fiber is connected correctly. When the switch is powered up, you can see which side the laser is on in the GBIC connector. Then, if you cup the fiber in your hands, briefly (very briefly) look to see which connector the laser is on. Then make sure that the connector with the laser goes to the connector on the switch without the laser. If this isn't the problem, there's a good chance it's probably a bad GBIC.

Shawn K.

-Original Message-
From: Chuck Collins [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]

I wouldn't upgrade the IOS. We had a 3550 that was doing the same thing (GBIC not blinking at all). We called into TAC and got a replacement. We did the upgrade first and when the switch would boot it would not recognize the Ethernet controller. It may be different for you since you have a 3508. I guess you would need to ask yourself do I feel lucky?

Good Luck,
Chuck Collins

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 03, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 3508G XL , 2950T-24 [7:37098]

Dear all,

I need clarification regarding these two points, thanking you in advance for your help.

First point: We have Catalyst 3508G XL, 8 GBIC slots, 12.0(5.2)XU IOS software. We tried to make it operate but the GBIC was not blinking at all. As I had read this document http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/1000gbic/instnote.htm, I came to the conclusion that the switches detect and enable the GBIC only when they are running the minimum software releases, which in the case of the Catalyst 3508G XL is Cisco IOS Release 12.0(5)XW, so in order to enable the GBIC we have to upgrade the IOS software from 12.0(5.2)XU to 12.0(5)XW.

Second point: We have Catalyst 2950T-24 Switch - 24 10/100 ports and 2 fixed 10/100/1000BaseT uplink ports, IOS available 12.0(5.3)WC(1). As I had read this document http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/1169303.htm, I came to the conclusion that we do not have to upgrade the IOS image because the IOS will support the following: Catalyst 2950T-24 - 24 fixed autosensing 10/100 ports and 2 fixed autosensing 10/100/1000 Ethernet ports.

Please tell me if there is something missing here. The equipment is placed far away from our office and we need to put the network on there as soon as possible; in case we have to upgrade the IOS of any platform then please let us go ahead solving this issue.

Warm regards,
Ismail Al-shelh
Network Engineer

[GroupStudy.com removed an attachment of type application/ms-tnef]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37219t=37098
RE: PIX PAT Problem!! Urgent [7:37052]
Yes but there are caveats. You cannot do an all inclusive static mapping to a PAT interface but you can redirect certain traffic based on port to specific inside hosts. For example, if you only have a single outside address and you are using it on your outside interface, not only can you use PAT with the interface command, but you can then redirect traffic to a specific host(s) depending on requested TCP/UDP port. In other words, you can redirect all inbound traffic destined for TCP port 25 to your mail host inside while all other traffic inbound is denied while still using PAT for all of your outbound traffic. If you want more info, search for port redirection on CCO.

Rik

-Original Message-
From: Ivan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 2:31 AM
To: [EMAIL PROTECTED]
Subject: PIX PAT Problem!! Urgent [7:37052]

Hi all,

That is very very urgent!!! Please help!!!

Does anyone know whether the Cisco PIX can PAT an outside address to an inside address? For example:

     |---205.11.1.0---|
             |
     (outside Security L 0)
          (--PIX--)
     (-Inside security L100)
             |
     |---10.1.1.0---|

Can 205.11.1.0 255.255.255.0 PAT to 10.1.1.100??

Thank you very much for your kindly help

ivan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=37085t=37052
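What Rik describes, as an added example that is not from the posts: a small Python model of a PIX that PATs all outbound traffic onto its single outside address and redirects one inbound port to an inside host, with every other inbound packet dropped. The outside interface address 205.11.1.1, the outside peers 198.51.100.x and the port numbers are assumptions; 10.1.1.100 is the inside host from Ivan's diagram. On a PIX 6.x the redirect is the port form of static, e.g. static (inside,outside) tcp interface 25 10.1.1.100 25 netmask 255.255.255.255, and it still needs an access-list or conduit that permits the traffic; the model folds that permit into the redirect table.

```python
"""Added example (not code from the original posts): a model of PAT on the PIX's
single outside address plus static port redirection, as Rik describes. The outside
address 205.11.1.1, the peers and the ports are assumptions; 10.1.1.100 is Ivan's host."""


class PatFirewall:
    def __init__(self, outside_ip, redirects):
        self.outside_ip = outside_ip
        # Static port redirection, e.g. inbound tcp/25 on the interface -> 10.1.1.100:25.
        self.redirects = dict(redirects)   # (proto, global_port) -> (inside_ip, inside_port)
        # Dynamic PAT entries created by outbound connections.
        self.xlate = {}                    # (proto, global_port) -> (inside_ip, inside_port, peer_ip, peer_port)
        self.next_port = 1024

    def _allocate_port(self, proto):
        """Pick a global port not taken by a static redirect or a live translation."""
        port = self.next_port
        while (proto, port) in self.redirects or (proto, port) in self.xlate:
            port += 1
        self.next_port = port + 1
        return port

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to the interface address and a PAT port.
        Returns the translated (proto, src, sport, dst, dport) tuple."""
        for (p, gport), entry in self.xlate.items():
            if p == proto and entry == (src_ip, src_port, dst_ip, dst_port):
                return (proto, self.outside_ip, gport, dst_ip, dst_port)   # existing connection
        gport = self._allocate_port(proto)
        self.xlate[(proto, gport)] = (src_ip, src_port, dst_ip, dst_port)
        return (proto, self.outside_ip, gport, dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only a static redirect or the reply to a live PAT
        translation gets through; everything else is dropped (returns None)."""
        if dst_ip != self.outside_ip:
            return None
        key = (proto, dst_port)
        if key in self.redirects:
            in_ip, in_port = self.redirects[key]
            return (proto, src_ip, src_port, in_ip, in_port)
        if key in self.xlate:
            in_ip, in_port, peer_ip, peer_port = self.xlate[key]
            if (src_ip, src_port) == (peer_ip, peer_port):   # PAT is per connection, not an open hole
                return (proto, src_ip, src_port, in_ip, in_port)
        return None


def demo():
    """Constructed flows: a redirected SMTP connection, a refused web request, an
    outbound connection with its reply, and a 'reply' from the wrong peer."""
    fw = PatFirewall("205.11.1.1", {("tcp", 25): ("10.1.1.100", 25)})
    smtp = fw.inbound("tcp", "198.51.100.7", 51000, "205.11.1.1", 25)
    web = fw.inbound("tcp", "198.51.100.7", 51001, "205.11.1.1", 80)
    out = fw.outbound("tcp", "10.1.1.20", 3000, "198.51.100.9", 80)
    reply = fw.inbound("tcp", "198.51.100.9", 80, "205.11.1.1", out[2])
    spoof = fw.inbound("tcp", "198.51.100.66", 80, "205.11.1.1", out[2])
    return {"smtp": smtp, "web": web, "out": out, "reply": reply, "spoof": spoof}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:6} -> {result}")
```

The run answers Ivan's question the way Rik does: nothing maps the whole 205.11.1.0/24 onto 10.1.1.100, but tcp/25 arriving on the interface address reaches the mail host, a request to tcp/80 is dropped, and an inbound packet to a PAT port is accepted only from the peer that the inside host talked to.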
RE: PIX Firewall authentication [7:35947]
Another option would be Websense for PIX. This product will not only authenticate the user but provide URL filtering and detailed reporting, which the Proxy box doesn't do too well. I install this product frequently and hear nothing but good about it from our customers. Check out www.websense.com for more info.

Rik

-Original Message-
From: Rafay Aslam [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX Firewall authentication [7:35947]

You can do authentication against a Windows NT or Windows 2000 user database via PIX using the Windows 2000 Radius Server, called Internet Authentication Service, or install RADIUS on a Windows NT server, or if you wanna spend $2000 you can buy Cisco ACS software.

sajith nair wrote in message news:[EMAIL PROTECTED]...

Hi,

I have a customer with a Proxy server and he wants to replace it with PIX. The customer wants to authenticate all users before they access the internet. Can the PIX support authentication through a normal Windows NT server rather than going through a Radius/Tacacs server? I talked with Cisco TAC and they told me it is possible. But I am confused. Can anyone of you guide me please.

Thanks in advance.
Saj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36008t=35947
RE: VTP and gigastack connectors [7:35971]
I have seen this before. I don't remember the IOS versions in question but it was an IOS bug. Try upgrading the IOS on the 35xx switches to the latest version. Also, VTP domain is case sensitive, so when you set it on the client, make sure you enter it correctly.

Rik

-Original Message-
From: dildog . [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: VTP and gigastack connectors [7:35971]

All,

I have 3 3548s on a floor; the top and bottom ones are connected to the core 6509's by fiber GBIC's. The middle one however is only connected via a giga stack connector to the top and bottom switch.

Configuration for Gig0/1 (the Gigastack connector):

interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,7,1002-1005
 switchport mode trunk
end

The middle switch does not have any VTP updates coming to it.

VTP Version                     : 2
Configuration Revision          : 1
Maximum VLANs supported locally : 254
Number of existing VLANs        : 5
VTP Operating Mode              : Client
VTP Domain Name                 : XX
VTP Pruning Mode                : Disabled
VTP V2 Mode                     : Enabled
VTP Traps Generation            : Disabled
MD5 digest                      : 0x49 0x95
Configuration last modified by x.x.1.249 at 2-5-02 20:01:45
switch#

Has anyone out there passed VTP information via the gigastack connectors? If so, is there a secret to get it to work correctly? The switches that are connected to the 6509 do have updated VTP information.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36009t=35971
RE: Blocking ICQ and other Instant Messengers [7:35976]
I wouldn't say this covers all of them but the most widely used IM apps. This is used on a PIX and applied to the inside interface so modify as necessary to fit your needs.

  access-list inside deny tcp any any eq 1863
  access-list inside deny tcp any any eq 5000
  access-list inside deny tcp any any eq 5001
  access-list inside deny tcp any any eq 5050
  access-list inside deny tcp any any eq 5100
  access-list inside deny tcp any any eq 1214
  access-list inside deny tcp any any range 6665 6669
  access-list inside deny udp any any eq 5000
  access-list inside deny udp any any eq 5001
  access-list inside deny udp any any eq 5050
  access-list inside deny udp any any eq 5100
  access-list inside deny udp any any eq 1214
  access-list inside deny ip any host 64.12.161.153
  access-list inside deny ip any 206.142.53.0 255.255.255.0
  access-list inside deny ip any 64.245.58.0 255.255.254.0
  access-list inside deny ip any 213.248.107.0 255.255.255.0
  access-list inside deny ip any host 205.188.179.233

Rik

-Original Message-
From: Paul Pavlicko [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 3:06 PM
To: [EMAIL PROTECTED]
Subject: Blocking ICQ and other Instant Messengers [7:35976]

Has anyone created an ACL to block all the Instant Messengers? If so, could you send all the IP Addresses (or the ACL) that you use to block them.

Thanks,
Paul Pavlicko

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=36011t=35976
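To see what the ACL above actually catches before applying it, here is an added example (not from the original post) that parses those entries with PIX first-match semantics and evaluates a few constructed sample flows against them; the flow addresses and the `report` helper are assumptions, and only the syntax forms used in the post are parsed.

```python
# Added example, not from the original post: a minimal matcher for the PIX
# access-list entries quoted above, run over constructed sample flows to show
# which ones the "inside" ACL would deny. Only the syntax forms the post uses
# are parsed: any / host ADDR / ADDR MASK, and eq PORT / range LO HI.
import ipaddress

# The ACL exactly as posted (applied inbound on the PIX inside interface).
ACL_TEXT = """
access-list inside deny tcp any any eq 1863
access-list inside deny tcp any any eq 5000
access-list inside deny tcp any any eq 5001
access-list inside deny tcp any any eq 5050
access-list inside deny tcp any any eq 5100
access-list inside deny tcp any any eq 1214
access-list inside deny tcp any any range 6665 6669
access-list inside deny udp any any eq 5000
access-list inside deny udp any any eq 5001
access-list inside deny udp any any eq 5050
access-list inside deny udp any any eq 5100
access-list inside deny udp any any eq 1214
access-list inside deny ip any host 64.12.161.153
access-list inside deny ip any 206.142.53.0 255.255.255.0
access-list inside deny ip any 64.245.58.0 255.255.254.0
access-list inside deny ip any 213.248.107.0 255.255.255.0
access-list inside deny ip any host 205.188.179.233
"""

def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "ADDR MASK": PIX ACLs use a normal subnet mask, not an IOS wildcard mask.
    return ipaddress.ip_network((tok, tokens[i + 1]), strict=False), i + 2

def _parse_port(tokens, i):
    """Consume an optional port spec; return ((lo, hi) or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        port = int(tokens[i + 1])
        return (port, port), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (int(tokens[i + 1]), int(tokens[i + 2])), i + 3
    return None, i

def parse_acl(text):
    """Parse 'access-list NAME ACTION PROTO SRC [SPORT] DST [DPORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _parse_addr(t, 4)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        entries.append({"name": t[1], "action": t[2], "proto": t[3],
                        "src": src, "sport": sport, "dst": dst, "dport": dport})
    return entries

def _port_matches(spec, port):
    return spec is None or spec[0] <= port <= spec[1]

def evaluate(entries, proto, src, sport, dst, dport):
    """First-match evaluation, as the PIX does. Returns the matching entry's
    action, or 'no-match' when nothing matched (a real PIX ACL ends in an
    implicit deny; the post shows only its deny lines, so the fall-through is
    reported rather than assumed)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if not (_port_matches(e["sport"], sport) and _port_matches(e["dport"], dport)):
            continue
        return e["action"]
    return "no-match"

# Constructed sample flows (proto, src, sport, dst, dport); addresses are
# illustrative only, apart from destinations taken from the ACL itself.
SAMPLE_FLOWS = [
    ("tcp", "10.1.1.20", 33000, "198.51.100.10", 1863),  # MSN Messenger port
    ("udp", "10.1.1.21", 4000, "64.12.161.153", 4000),   # host entry, any proto
    ("tcp", "10.1.1.22", 40000, "64.245.59.7", 443),     # inside 64.245.58.0/23
    ("tcp", "10.1.1.23", 40001, "198.51.100.10", 6667),  # in range 6665-6669
    ("tcp", "10.1.1.24", 40002, "198.51.100.10", 80),    # ordinary web traffic
]

def report(entries, flows):
    """Return the ACL verdict for each flow, in order."""
    return [evaluate(entries, *flow) for flow in flows]

if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow, verdict in zip(SAMPLE_FLOWS, report(acl, SAMPLE_FLOWS)):
        print(f"{verdict:9} {flow}")
```

Note that a UDP flow to port 6667 falls through: the `range 6665 6669` line is TCP only, which is the kind of gap this check makes visible.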
RE: VOIP Certification [7:35879]
I took the CIPT test and thought it not too difficult. This exam covers primarily Call Manager and general voice technology. Fortunately for you there are finally resources being published for Call Manager but hands-on with the product will go a long way. CCO offers a demo version you can download. I haven't taken the QOS test yet but will soon. I'm in the KnowledgeNet placeware (online) class and I have to say it's very good, which surprises me. If you work for a partner I believe you can get special pricing.

Rik

-Original Message-
From: Logan, Harold [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: VOIP Certification [7:35879]

That's true, the CCNP Specializations are retired. There is however the Cisco IP Telephony Specialist (CIPTS???) which has CCNP certification as a prerequisite. I took the old CVoice exam (VoFR, VoATM, VoIP) to get the CCNP Voice Specialization about a year ago. I used Global Knowledge's Configuring Cisco Voice over IP by Elliot Lewis, edited by Keith O'Brien, ISBN 1-928994-03-2. I used it in conjunction with various docs on cisco's page, and that was enough to pass the exam, combined with the experience I had at the time. There are probably better publications out there nowadays, if nothing else because they're more up-to-date. I haven't taken the CIPT or QOS exams, and I don't know if the current CVoice is the same exam as the old one. I thought about taking the other two exams to get the Telephony specialization, but my CCNP Voice specialization doesn't expire for another year, and my lab date is in July.

Good luck,
Hal

-Original Message-
From: Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: VOIP Certification [7:35879]

Last I checked, there isn't any CCNP specialisation track anymore !! ;-)

Kelley Allen wrote in message news:[EMAIL PROTECTED]...

Has anyone out there attempted the CIPT, CVOICE, and QOS tests yet for the CCNP / Voice Specialization certification? If so, what training did you use and what was the tone of the tests?

Thanks, Kelley.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35911t=35879
RE: Easy ways to pick up a few extra minutes on th [7:35580]
A proctor graced our presence at my last ASET meeting and I asked him this very question about which terminal emulator is used in the lab (I prefer TeraTerm myself and am accustomed to the shortcuts). His response was that they use Hyper Terminal exclusively so everybody better get to know it very well.

Rik

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 11:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Easy ways to pick up a few extra minutes on th [7:35580]

for some reason, the Lab proctors frown on people installing their own software on their terminals. ;-

I've been told that they frown on people even saving things like their notepad files to the computers in the lab. I don't recall any instruction one way or another on this one. I do vaguely recall one proctor saying that if somehow you hack your way to the internet, and they catch you, you will be disqualified immediately.

Chuck

Ozzie Sutcliffe wrote in message news:[EMAIL PROTECTED]...

Can you use TeraTerm instead of hyperterm? If so set the scroll buffer to 10,000 lines; this way you have a complete history by scrolling up the gui in TeraTerm.

oz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35697t=35580
RE: Easy ways to pick up a few extra minutes on th [7:35580]
You will get Windows boxes with the MS telnet client and Hyper Terminal.

Rik

-Original Message-
From: Ozzie Sutcliffe [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 12:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Easy ways to pick up a few extra minutes on th [7:35580]

So everything is telnet then I guess.. If so which telnet client.. Ok troops we need to get Cisco to put TeraTerm on the docs CD rom, hey it's freeware. Also the terminals are *nix windoze sparky or ???

Oz

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35698t=35580
RE: Flash upgrade disaster [7:35184]
Did you format the new flash? I've had issues with corruption adding flash while existing flash is still installed. Try to boot to rommon mode and format the flash. You should be able to do this with both sticks installed without too much problem. Then install IOS, build the config, etc.

Rik

-Original Message-
From: Wilson, Christian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: Flash upgrade disaster [7:35184]

Begging for help once again . . .

I have upgraded the flash in a 3640 from the 8 Mb chip to a 16 Mb chip. I did this by installing the second, 16 Mb chip into slot 1 of the motherboard, leaving the original 8 Mb in slot 1, for a total of 24 Mb of flash memory. I then installed 12.1, which was the reason I needed to upgrade the flash. 12.1 went on without a hitch, but when the router was reloaded, it would run for about 30 minutes and then go into rommon mode. It did this repeatedly, so I removed the 8 Mb chip, installed the 16 Mb chip into slot 0, and then used xmodem to transfer 12.1 through the console, a painstaking two hour task. Now the file is on flash, but at reload the file is unable to decompress, returning these errors:

  Error: Uncompression of the image failed.
  invalid compressed data-format violated
  Error: zip decompress failed
  ***System received a software forced crash ***
  signal = 0x17, code = 0x7, context = 0x0
  PC = 0x80008094, cause = 0x20, Status Reg = 0x3041f003

The crc checks are the same as displayed on the software center's web page. I have downloaded a new copy of the file and it still did not work. I put the original 8 Mb chip in slot 0 and removed the 16 Mb chip, reloaded a fresh 11.3 image, and received the same errors.

What have I done??

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35196t=35184
RE: VOIP for CCIE [7:34849]
I considered those for my lab as well but Brad Ellis mentioned that they won't run Enterprise IOS, which limits their value in your lab.

Rik

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 08, 2002 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: VOIP for CCIE [7:34849]

try a 1750 or 1751.

Woods, Randall, SOBUS wrote in message news:[EMAIL PROTECTED]...

Hi all, I was wondering if anyone could give me some recommendations of what equipment would be best suited for adding VOIP to my home lab. I am considering getting the 2600 series but wanted some advice on whether there was anything smaller or better suited for the job. Thanks for the help.

Woody

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34903t=34849
RE: 3DES [7:34754]
Unless this is a brand new change, the 515R certainly does support 3DES as I have installed it many times on this firewall. The DES license is the only FREE license but you can pay for the 3DES. The difference between the R and U versions has to do primarily with interfaces (R=3, U=6) and failover (R=no, U=yes).

Rik

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 07, 2002 10:39 AM
To: [EMAIL PROTECTED]
Subject: 3DES [7:34754]

I have been looking at routers/firewalls. I am thinking of going with the 2611 with an ADSL card; I also want to get a 515. Our office is not that big yet, but I want to plan for the future. I see that the Pix 515R only does DES, but doesn't do 3DES. But when I buy the router, I can get it with 3DES. I am just kinda confused, where is the best place to use 3DES, on the firewall, or on the router? Or it doesn't matter. The way I see it, if I wanted to do 3DES on the firewall with the 515, I would have to buy the 515UR, which is about 10K. I don't really need the throughput for 100,000 users just yet though. Any suggestions on this?

Thanks in advance...

Brian Zee
MCSE, CCNA, A+

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34791t=34754
RE: GBIC's for single mode fiber [7:34699]
I can tell you that the last I knew, there were 3 companies manufacturing GBICs for Cisco. You can buy from them direct as my company has done on occasion. I was told that the difference in price was incredible but there is a minimum order required. Unfortunately I don't know where we bought them.

Rik

-Original Message-
From: Doug Korell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 6:40 PM
To: [EMAIL PROTECTED]
Subject: GBIC's for single mode fiber [7:34699]

I need some GBIC's for single mode fiber that will reach 40km. Cisco's GBIC (GBIC-ZX) will go up to 70km and needs a 5-dB in-line optical attenuator to lower the power. It is also quite pricey. Are there other manufacturers out there that make GBIC's that work in Cisco gear? If so, has anyone used them?

Thanks.
Doug

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34711t=34699
RE: Pix and vlan [7:34663]
Well, you're close. The tag will get removed if the VLAN information is necessary in a given location (switch). In other words, the tag is only permanently removed by the last switch to touch it before the frame actually arrives at the final destination. If a given switch is not the last switch to touch the frame, the tag will be reapplied to the frame before it leaves the fabric and gets forwarded to the next switch in line. Since routing (Layer 3 switching, etc.) is the mechanism to move packets back and forth from the PIX, the 6509 will be the last switch to touch the frame so the tag would be removed by the time it reaches the PIX. In any case, since the PIX uses routing to discriminate between networks, not VLAN tagging, it would have no knowledge of the tag.

A layer 2 bridge will forward the tagged frame and maybe not recognize the tag but the PIX being a Layer 3/4 device may not even pass a tagged frame, let alone recognize the tag. I would think that your best chance for the PIX to forward tagged frames would be with Dot1Q as it embeds the tag inside of the frame whereas ISL encapsulates the frame, to which the PIX might take exception. Of course, stateful inspection might not like a Dot1Q frame either.

I am curious about what scenario you have that you would want to pass tagged packets outside of the PIX? The only scenario I can think of is you are using a PIX between LANs. Is this correct?

Rik

-Original Message-
From: Robert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix and vlan [7:34663]

I have my PIX 520 interfaces hanging off a 6509 in multiple VLANs with no issues. But doesn't traffic get tagged only when it crosses a trunk or the switch fabric? I thought that once it left the switch fabric, the tagging is removed.

Robert

Bates, Steven (SIGNAL) wrote in message news:[EMAIL PROTECTED]...

No I was referring to when a PIX is being hung off a switch, and if the PIX can pass tagged traffic, (i.e. frames) in a switched network. Sorry about the confusion

-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 2:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix and vlan [7:34663]

I never knew the pix was even capable of VLAN's

Bates, Steven (SIGNAL) 02/06/02 03:03PM

Has anyone heard of the PIX having problems passing tagged packets as in dot1q and how about ISL? I did some testing before with the Lucent Brick and it could not deal with tagged packets. I know the new Bricks will handle it, but don't know about the PIX. Specifically 6.0

Steven Kell Bates

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34712t=34663
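To make concrete the point in the thread above that Dot1Q embeds its tag inside the frame (and what "removing the tag" on the last switch hop means), here is an added example that is not part of the original thread: it builds a constructed tagged frame, shows that a device without 802.1Q support reads 0x8100 where it expects the EtherType, and strips the tag. The MAC addresses, payload and VLAN number are assumptions; only a single tag (no QinQ) is handled.

```python
# Added example, not from the original thread: a constructed Ethernet frame
# carrying an 802.1Q tag, parsed to show where the 4-byte tag sits (between
# the source MAC and the EtherType) and what stripping it on the last switch
# hop leaves behind. Assumes a single tag (TPID 0x8100); QinQ is not handled.
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_tagged_frame(dst, src, vlan_id, ethertype, payload, pcp=0):
    """Constructed helper: dst MAC, src MAC, 802.1Q tag, EtherType, payload."""
    tci = (pcp << 13) | (vlan_id & 0x0FFF)   # priority bits + 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload

def naive_ethertype(frame):
    """What a device with no 802.1Q support reads as the EtherType: on a tagged
    frame this is 0x8100, not 0x0800, so it cannot tell the payload is IP."""
    return struct.unpack("!H", frame[12:14])[0]

def parse_frame(frame):
    """Return dst, src, vlan (None if untagged), real EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = naive_ethertype(frame)
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}

def strip_tag(frame):
    """What the last switch does before an access port: remove the 4 tag bytes
    so the station sees a plain Ethernet II frame. Untagged frames pass through."""
    if parse_frame(frame)["vlan"] is None:
        return frame
    return frame[:12] + frame[16:]

# Constructed sample: locally administered MACs and a dummy 20-byte IPv4 header.
DST_MAC = bytes.fromhex("020000000001")
SRC_MAC = bytes.fromhex("020000000002")
PAYLOAD = bytes([0x45]) + bytes(19)
TAGGED = build_tagged_frame(DST_MAC, SRC_MAC, 172, ETHERTYPE_IPV4, PAYLOAD)

if __name__ == "__main__":
    print(hex(naive_ethertype(TAGGED)), parse_frame(TAGGED))
    print(hex(naive_ethertype(strip_tag(TAGGED))), parse_frame(strip_tag(TAGGED)))
```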
RE: VLan Ooops Part 2 [7:34687]
You will also need IP-Plus IOS for the trunking feature on the 2600.

Rik

-Original Message-
From: Erick B. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 8:19 PM
To: [EMAIL PROTECTED]
Subject: Re: VLan Ooops Part 2 [7:34687]

802.1q (dot1q) works on 10meg interfaces. I'm doing it on a 2600 here...

--- Nisus wrote:

Ok so I understand the trunk feature now after talking to a good CCIE friend of mine. (he runs http://www.IPexpert.net shameless plug) And he explained the trunking feature. Here is my dilemma. I am going into a 2610 router which DOES NOT have a fast Ethernet interface. From what I have been told 10Mb Ethernet doesn't support trunking. Ahhh Crap. Any one know a way around this? And if so where can I learn how to do it ???

Thanks again, you all are great,
Steven M Aiello

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34717t=34687
RE: PIX activation key [7:34450]
Well, I've seen an R version and a U version but never a UR version. I have always been under the assumption that they were mutually exclusive. As for the lack of an activation key, that is odd. What is the current version of the OS? Have you tried to run an upgrade? When you apply for a feature license, such as the free 56-bit (DES) encryption feature, you will be given a new activation key generated via the serial number. I would apply for the 56-bit key and then do an upgrade to the latest code (6.1.1), which will prompt you for a new key if needed.

Rik

-Original Message-
From: Radford Dion [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 5:28 AM
To: [EMAIL PROTECTED]
Subject: PIX activation key [7:34450]

I've just got a hold of a PIX 515UR and I want to upgrade to the latest software, but when I do a show ver there is no activation key. Is this normal, or do I have to obtain one from somewhere?

Dion Radford
Mellon Site Services - Europe
71 Queen Victoria Street, London, EC4V 4DR
+44 (0) 20 7653 2850 - Work
+44 (0) 20 7653 2227 - Fax
+44 (0) 794 092 8809 - Mobile
Email: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34453t=34450
RE: 4000 Series switch [7:34449]
The 4000 uses a very similar CLI to the 5000. The 4000 series is much newer so some of the features are different plus the 5000 was considered a core switch and the 4000 a closet switch. However, the 4000 is coming out of the closet and some cool new features are being released such as Layer 3 switching, making it something of a baby core switch. ;-}

Rik

-Original Message-
From: Nisus [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 5:22 AM
To: [EMAIL PROTECTED]
Subject: 4000 Series switch [7:34449]

First of all I would like to thank you who replied to my questions about VLans and how to set them up.

Second. In the information I have been reading about VLans usually 2 classes of switches are referenced. The first being a lower model or switch 1900 series. The Vlan setup is mostly menu driven as I found out from my Cisco instructor in class yesterday. There were some problems we encountered when setting up a VLan on this type of switch.

Third. Usually when ever I read about VLans and setting them up it uses a 5000 series switch as a reference, using the OSI command interface. Does the 4000 switch use the same setup or interface as the 5000? Does any one know ?

Thank you very much,
Steven M Aiello

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34454t=34449
RE: info on blocking aol im [7:34459]
Block both TCP and UDP port 5190. Check it out: http://www.chebucto.ns.ca/~rakerman/port-table.html

Rik

-Original Message-
From: Walls Matthew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: info on blocking aol im [7:34459]

Looking to block aol im with pix and 2600s router. Seems to use multiple ports, etc. Any advice on blocking this?...

Matthew J. Walls
Sr. Systems Engineer, Systems Development
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34578t=34459
RE: Duplicates [7:33955]
Tom, I had this issue a few weeks ago and I tracked it down to Outlook inbox rules. I deleted my rules and recreated them and now I only receive single posts.

Rik

-Original Message-
From: Tom Lisa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 7:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Duplicates [7:33955]

Ole, I just got two copies of your message. Very Interrresting!!!

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy

Ole Drews Jensen wrote:

FYI, I am only getting singlecate messages (or whatever it's called) - only one copy of each message. It might be your end Tom, unless you are a double/trible member.

Hth, Ole

Ole Drews Jensen
Systems Network Manager
CCNP, MCSE, MCP+I
RWR Enterprises, Inc.
[EMAIL PROTECTED]
http://www.RouterChief.com
NEED A JOB ??? http://www.oledrews.com/job

-Original Message-
From: Tom Lisa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 3:48 PM
To: [EMAIL PROTECTED]
Subject: Duplicates [7:33955]

Paul, It might be just me, but we seem to be suffering once again from duplicate/triplicate and more, message transmission disease.

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33999t=33955
RE: ISDN simulator [7:33841]
Shameless plug? Absolutely! No shame in how Brad does business. :-} Maybe he does have a financial interest but who cares? I have learned over the years to listen to him...he is usually right. His simulator is as inexpensive as you will find and I know he wouldn't offer it if it didn't do the job just fine. I have no financial interest here. I'm just a very satisfied customer standing up for my preferred vendor!

Rik

-Original Message-
From: c1sc0k1d [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: Re: ISDN simulator [7:33841]

Of course Brad forgot to mention he has a financial interest in his recommendation as he is affiliated with the company so his recommendation is not without bias. Here's some of your options. I'll leave out his as he already made a shameless plug.

ISDN emulator on the NET
http://208.1.40.80/ica/isdnsim.nsf
www.brooktrout.com/pages/product_info/pi_data_wan/pdf/multiport.pdf
www.diem.com/BT90001.htm
http://www.tele-products.com/
http://www.arca-technologies.com/solohome.html
http://www.conway-engineering.com/ 5105307682
http://www.acacia-net.com/
http://www.taskit.com/
http://www.monitor.co.at/monitor/498/story/isdnsim.html
http://www.digitechinc.com
http://www.ertmsales.com/products/search/viewcart.cfm?Page=1QtyNA=

Brad Ellis wrote in message news:[EMAIL PROTECTED]...

Ronald, If you want the lowest price simulator available, you should go with the simline2. It has S/T interfaces so it goes nicely with 2503s, 2504s, etc. Paul B. (the owner of groupstudy) also bought one of these for his home lab. I believe he posted about it somewhere. Check the archives: www.groupstudy.com If you want more detailed information on the simline2 you can visit www.cheapisdn.com

thanks,
-Brad Ellis
CCIE#5796 (RS / Security)
Network Learning Inc

Ronald James wrote in message news:[EMAIL PROTECTED]...

just wondering anybody knows which isdn simulator is best for home lab in terms of functionalities and pricing? hope this is not violating nda, but very interested to see whether the real ccie lab uses an isdn simulator or isdn lines?? if it's a simulator, which brand?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34000t=33841
RE: 6509 roaming disconnects part2 [7:32449]
Larry, you haven't given us much but maybe you don't have much. One thing that may help ease the symptoms is to turn on portfast on the ports the servers are connected to. When the port does flap, it won't take so long for it to begin forwarding again.

You didn't mention what type of cards the servers are using. Are these 100mbs or gig cards and who makes the cards? There are known issues with certain cards and certain drivers. Are you using the latest drivers downloaded from the vendor's website? If these are gig cards, are they fiber or copper? If copper, could you have bad or old cable or maybe the cables are routed over something causing EMI? What about the OS on the Cat? Is it the latest available (it's up to 7.x now)? Is flow control turned on or off? You can set this separately for transmit and receive. Did you try moving the server(s) to a different port on the switch? Did you get the same results? Is it possible to move the server(s) to a different blade in the Cat? What about to a different switch?

Your logs indicate the port is going up and down and Spanning Tree is doing its job and not much else. You can see when troubleshooting issues on the list, we need more info. This is just a small list to check but maybe it will be helpful.

Rik

-Original Message-
From: Puckette, Larry (TIFPC) [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: 6509 roaming disconnects part2 [7:32449]

Hello again group. I have another question to propose to you. But first an updated history of the issue at hand.

We have a 6509 that serves as the core to a server farm that has both NT and Unix boxes on it. In the beginning there were infrequent link drops between servers and the switch that had no pattern to isolate a card or VLAN, etc... and then frequency increased to be a constant problem. Sniffer information gave very little to hang our hat on, with 99% of its findings being 2 messages:

  Too many retransmissions TCP
  and
  octets/s: current value 932,384. High Threshold=500,000.

An example of the logging buffer on the switch's interesting messages were:

  IPPS6509 (enable) show logging buffer
  2002 Jan 16 02:15:44 %PAGP-5-PORTFROMSTP:Port 8/23 left bridge port 8/23
  2002 Jan 16 02:15:49 %PAGP-5-PORTTOSTP:Port 8/22 joined bridge port 8/22
  2002 Jan 16 02:15:49 %PAGP-5-PORTFROMSTP:Port 6/23 left bridge port 6/23
  2002 Jan 16 02:15:50 %SPANTREE-6-PORTFWD: Port 8/22 state in VLAN 172 changed to forwarding
  2002 Jan 16 02:16:01 %PAGP-5-PORTTOSTP:Port 8/23 joined bridge port 8/23
  2002 Jan 16 02:16:02 %SPANTREE-6-PORTFWD: Port 8/23 state in VLAN 172 changed to forwarding
  2002 Jan 16 02:16:06 %PAGP-5-PORTTOSTP:Port 6/23 joined bridge port 6/23
  2002 Jan 16 02:16:07 %SPANTREE-6-PORTFWD: Port 6/23 state in VLAN 172 changed to forwarding
  2002 Jan 16 03:41:28 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
  2002 Jan 16 03:41:29 %PAGP-5-PORTFROMSTP:Port 7/16 left bridge port 7/16
  2002 Jan 16 03:41:35 %SYS-6-CFG_CHG:Global block changed by SNMP/216.141.33.71/
  2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
  2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 7/16 joined bridge port 7/16
  2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 7/16 state in VLAN 172 changed to forwarding
  2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding
  2002 Jan 16 03:44:27 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
  2002 Jan 16 03:44:43 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
  2002 Jan 16 03:44:44 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding

but these had no consistency over time as to what port or group of ports were experiencing this.

Some interesting 'show tech' information was:

  udp:
    0 incomplete headers
    0 bad data length fields
    2 bad checksums
    20839 socket overflows
    108568195 no such ports
  tcp:
    111664 completely duplicate packets (6407 bytes)
    29 keepalive timeouts

Ok, if you're still with me... It was dictated that we REPLACE the switch by the customer but of course Cisco did not go for that and we did a scheduled reboot on the switch and all problems have cleared. Now the customer wants a bi-monthly reboot of this switch scheduled to prevent the problem from occurring.

My questions are: Is there any technical reason that these scheduled reboots would be a bad idea? (politics dictate that logical reasons don't apply) Does anyone know of a previously proven fix for this problem that has documentation that could be used in discussions of whether these scheduled reboots are necessary?

Thank you all for any help, in advance.

Larry Puckette
Network Analyst CCNA,MCP,LANCP
Temple Inland
[EMAIL PROTECTED]
512/434-1838

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32472t=32449
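Rik's reply points out that the logging buffer only shows ports leaving and rejoining the bridge; pulling the per-port pattern out of those lines is the first step in a troubleshooting session like this. The following is an added example, not part of the original thread: it parses the CatOS log lines quoted in Larry's post, and reports per port how many times it left the bridge, how long each outage lasted (PORTFROMSTP to PORTTOSTP) and how long spanning tree then took to forward (PORTTOSTP to PORTFWD). The log text is the post's own; the `min_flaps` threshold is an assumption.

```python
# Added example, not from the original thread: parse the CatOS logging-buffer
# lines quoted in Larry's post and summarise, per port, how often it left the
# bridge, how long each outage lasted (PORTFROMSTP to PORTTOSTP) and how long
# spanning tree then took to forward (PORTTOSTP to PORTFWD). The log text is
# the post's own; the flap threshold is an assumption.
import re
from collections import defaultdict
from datetime import datetime

LOG = """
2002 Jan 16 02:15:44 %PAGP-5-PORTFROMSTP:Port 8/23 left bridge port 8/23
2002 Jan 16 02:15:49 %PAGP-5-PORTTOSTP:Port 8/22 joined bridge port 8/22
2002 Jan 16 02:15:49 %PAGP-5-PORTFROMSTP:Port 6/23 left bridge port 6/23
2002 Jan 16 02:15:50 %SPANTREE-6-PORTFWD: Port 8/22 state in VLAN 172 changed to forwarding
2002 Jan 16 02:16:01 %PAGP-5-PORTTOSTP:Port 8/23 joined bridge port 8/23
2002 Jan 16 02:16:02 %SPANTREE-6-PORTFWD: Port 8/23 state in VLAN 172 changed to forwarding
2002 Jan 16 02:16:06 %PAGP-5-PORTTOSTP:Port 6/23 joined bridge port 6/23
2002 Jan 16 02:16:07 %SPANTREE-6-PORTFWD: Port 6/23 state in VLAN 172 changed to forwarding
2002 Jan 16 03:41:28 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
2002 Jan 16 03:41:29 %PAGP-5-PORTFROMSTP:Port 7/16 left bridge port 7/16
2002 Jan 16 03:41:35 %SYS-6-CFG_CHG:Global block changed by SNMP/216.141.33.71/
2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 7/16 joined bridge port 7/16
2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 7/16 state in VLAN 172 changed to forwarding
2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding
2002 Jan 16 03:44:27 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
2002 Jan 16 03:44:43 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
2002 Jan 16 03:44:44 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding
"""

# "YYYY Mon DD HH:MM:SS %FACILITY-SEV-MNEMONIC:message" as CatOS logs it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$")
PORT_RE = re.compile(r"\bPort (\d+/\d+)\b")

def parse_log(text):
    """Turn each log line into a dict; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port = PORT_RE.search(m["msg"])
        events.append({"ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
                       "severity": int(m["severity"]), "mnemonic": m["mnemonic"],
                       "port": port.group(1) if port else None, "msg": m["msg"]})
    return events

def flap_summary(events):
    """Per port: flap count, outage seconds per flap, STP forwarding delay seconds."""
    summary = defaultdict(lambda: {"flaps": 0, "outage_s": [], "fwd_delay_s": []})
    left_at, joined_at = {}, {}
    for e in events:
        p = e["port"]
        if p is None:
            continue  # e.g. the SNMP config-change line carries no port
        if e["mnemonic"] == "PORTFROMSTP":
            summary[p]["flaps"] += 1
            left_at[p] = e["ts"]
        elif e["mnemonic"] == "PORTTOSTP":
            joined_at[p] = e["ts"]
            if p in left_at:  # only count an outage whose start we saw
                summary[p]["outage_s"].append(int((e["ts"] - left_at.pop(p)).total_seconds()))
        elif e["mnemonic"] == "PORTFWD" and p in joined_at:
            summary[p]["fwd_delay_s"].append(int((e["ts"] - joined_at.pop(p)).total_seconds()))
    return dict(summary)

def repeat_offenders(summary, min_flaps=2):
    """Ports that flapped at least min_flaps times in the window (assumed threshold)."""
    return sorted(p for p, s in summary.items() if s["flaps"] >= min_flaps)

if __name__ == "__main__":
    for port, s in sorted(flap_summary(parse_log(LOG)).items()):
        print(port, s)
    print("repeat offenders:", repeat_offenders(flap_summary(parse_log(LOG))))
```

On this excerpt every outage is 16 to 19 seconds of link loss followed by one second to forwarding, and 8/17 is the only port that drops twice; run over a full day's buffer rather than this fragment, the same summary is what would confirm or refute Larry's "no consistency" observation.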
RE: Dose PBX has a E1 interface? [7:32404]
Most PBXs are modular, at least to a degree, and so you would most likely have the choice to add a linecard to support E1 circuits.

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 18, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Dose PBX has a E1 interface? [7:32404]

call up your PBX vendor and ask. or take a close look at the cards in the PBX - they might be labeled. ( which would be how the Cisco guy made the determination ) There is no reason that most PBX's would not support E1 - the vendors want to sell in Europe too. Some of the low end stuff and key systems might not support E1 in particular lines or models.

HTH

qin jonson wrote in message news:[EMAIL PROTECTED]...

The ciscoman told me the PBX had an E1 interface, but I asked somebody if it was real. They told me no type of PBX had an E1 interface. Who knows the correct answer? Please tell me, appreciate your help.

regards,
jonsonqin

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32489t=32404
Multiple posts [7:32204]
A few days ago I started receiving duplicate emails from the Groupstudy. Now I am receiving triplicate emails. Anyone else experiencing this?

---
Rik Guyler

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=32204t=32204
RE: Autosense this ... (add to your knowledgebase) [7:30446]
It's been more than once when I've encountered autonegotiation/autosense issues between a Cisco router and Cisco switch. I've even seen problems when both interfaces were 10/100 and both hard-coded to 100/full and the link wouldn't come up. This may a chink in the Cisco armor as I rarely encounter issues with autonegotiation/autosense with other equipment but when I install a new Cisco network, one thing I ALWAYS have to do is go through the 10/100 ports of every switch and look for duplex (and sometimes speed) mismatches. Crazy... Rik -Original Message- From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]] Sent: Saturday, December 29, 2001 11:02 PM To: [EMAIL PROTECTED] Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446] It's unfortunate that sometimes when things break, they don't perform in expected ways. Rather it truly was an Autosense problem or not, who knows. But it brings up a chance to talk about Autosense. I've had it bite me more than once. I've had problems with Autosense that didn't show up until months after installation. It doesn't matter if its Cisco to Cisco or Cisco to another vendor, I've had to lock down ports at certain speeds and modes to solve problems on several occasions. Just to pass along some experience, you may always be better off hard setting your options. Nice persistence Mr. Jensen, it's cool to stick with something until you can make it work. Chris -Original Message- From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] Sent: Saturday, December 29, 2001 6:14 PM To: [EMAIL PROTECTED] Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446] An interesting read, particularly since I am reviewing Kennedy clark's cisco Lan Switching book prior to reviewing Cat5K and Cat 3920 configuration. I am somewhat surprised at both the phenomenon and the concludion. Spanning tree blocks for particular reasons. 
When you concluded that your configurations were identical at all offices, does that mean that your port negotiations were set to auto everywhere else? Both on the routers and on the local switches? If so, I would expect to see similar problems elsewhere. Is it possible that there was a duplicate MAC someplace in another part of the bridged network, one that was being picked up by STP and interpreted as a loop? You mention changing MACs of interfaces as part of your experimentation. Are you certain that this process was not part of the solution? To be frank, I'm hard pressed to come up with a reason why the FE port on the router would go into blocking. I can see that happening on the serial port for reasons that have been discussed on this group in the past. I can't come up with a rationale as to why hard setting of speed and duplex would make a difference. I suppose one MIGHT conclude that if the port is in full duplex, the STP process MIGHT see a loop occurring over the two different wire pairs. That's about the only wild rationale I can come up with. And that one is really stretching the point / bug / whatever. In any case, thanks for the good read. Chuck Ole Drews Jensen wrote in message news:[EMAIL PROTECTED]... After a fun evening last night, I have decided not to trust the autosensing on ethernet interfaces anymore. I was at a branch office where the users could not access the corporate network. The router was a 1720 set up as a bridge with the same IP address on the FastEthernet as on the Serial subinterface, both configured for bridge-group 1. It was connected to a 2620 at the corporate office via a Fractional Frame Relay connection. I changed the switch out with an old spare hub I had lying around, and connected only one workstation from the local network. After starting the router up, I could ping the local workstation, and I could ping devices on the corporate network, so both my FastEthernet and Serial interfaces were working fine.
However, I could not ping anything on the corporate network from my workstation, nor could I from a telnet connection to my corporate router ping the workstation, so traffic was not being passed through between the interfaces. That looked like a typical routing problem, but the only problem was that I was not routing, I was bridging, so ? I did a show bridge 1 group and saw that the FastEthernet was in a blocking state by the spanning tree, so something was wrong here. I cleared the arp table on the router and on all other routers and switches. I tried to assign a different mac address to the FE interface. I tried a different workstation. No matter what I did, it kept being in a blocking state. I went in and did a bridge-group 1 spanning-disabled on the interface, and it changed to forwarding state, but I could still not pass traffic through. This is when I called TAC, but after I guided them through to a telnet connection to my routers, they decided after three hours that something weird was going on with the
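Rik's "go through the 10/100 ports of every switch and look for duplex (and sometimes speed) mismatches" step, turned into a repeatable check. This is an added example, not code from the thread: the switch table is a constructed sample modeled loosely on a Catalyst `show interfaces status` listing (an `a-` prefix marks a negotiated value), and the far-end settings are a constructed inventory gathered by hand from the router and servers. It flags the three conditions the thread describes: a speed difference, a duplex difference, and one end hard-coded while the other end autonegotiates.

```python
import re
from typing import Dict, List, NamedTuple


class PortState(NamedTuple):
    speed: str    # "10", "100", "1000"
    duplex: str   # "half" or "full"
    auto: bool    # True if the port negotiated the value, False if hard-coded


# Constructed sample, modeled loosely on 'show interfaces status'. Port
# names, VLANs and descriptions are made up for this example.
SWITCH_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     to-router-fe0      connected    1          full    100   10/100BaseTX
Fa0/2     to-srv-01          connected    10         a-half  a-100 10/100BaseTX
Fa0/3     to-srv-02          connected    10         a-full  a-100 10/100BaseTX
"""

# Constructed far-end inventory keyed by the switch port each device plugs into.
FAR_END: Dict[str, PortState] = {
    "Fa0/1": PortState("100", "half", True),   # router interface left on auto
    "Fa0/2": PortState("100", "full", False),  # server NIC forced to 100/full
    "Fa0/3": PortState("100", "full", True),   # server NIC on auto
}

ROW = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>\S+)\s+(?P<status>\S+)\s+(?P<vlan>\S+)\s+"
    r"(?P<duplex>\S+)\s+(?P<speed>\S+)\s+"
)


def parse_switch_status(text: str) -> Dict[str, PortState]:
    """Parse the constructed status table into PortState records per port."""
    ports: Dict[str, PortState] = {}
    for line in text.splitlines()[1:]:  # skip the header row
        m = ROW.match(line)
        if not m:
            continue
        duplex, speed = m["duplex"], m["speed"]
        auto = duplex.startswith("a-")
        if auto:
            duplex = duplex[2:]
        if speed.startswith("a-"):
            speed = speed[2:]
        ports[m["port"]] = PortState(speed, duplex, auto)
    return ports


def find_mismatches(switch: Dict[str, PortState],
                    far_end: Dict[str, PortState]) -> Dict[str, List[str]]:
    """Compare each switch port with what the far end is set to and list
    every disagreement. Ports with no far-end record are skipped."""
    findings: Dict[str, List[str]] = {}
    for port, near in switch.items():
        far = far_end.get(port)
        if far is None:
            continue
        issues = []
        if near.speed != far.speed:
            issues.append(f"speed {near.speed} vs {far.speed}")
        if near.duplex != far.duplex:
            issues.append(f"duplex {near.duplex} vs {far.duplex}")
        if near.auto != far.auto:
            issues.append("one end hard-coded, the other autonegotiating")
        if issues:
            findings[port] = issues
    return findings


if __name__ == "__main__":
    for port, issues in find_mismatches(parse_switch_status(SWITCH_STATUS), FAR_END).items():
        print(port, "->", "; ".join(issues))
```

The two flagged ports show the two classic shapes of the problem: Fa0/1 is hard-coded on the switch while the router negotiates and ends up at half duplex, and Fa0/2 is the reverse, a server NIC forced to full while the switch port negotiates down to half. Fa0/3, auto on both ends and agreeing, is left alone.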
RE: Lab Attempt #2 - no go :- [7:28142]
Chuck, I can read the frustration in your post...I feel your pain. I have to say I am surprised to hear that your experience with the new lab was not a good one. If there is anybody I would say that about, it is you. I hope you are planning a vacation from Cisco. Certainly you are tired. A rested mind will make the choice to take the lab again (and take no prisoners). A rested mind will identify the objectives more clearly. And of course a rested mind will focus, comprehend and retain the required information more completely. Keep up the good work dude! Rik -Original Message- From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 04, 2001 8:35 PM To: [EMAIL PROTECTED] Subject: Lab Attempt #2 - no go :- [7:28142] I wish I could say it took so long to get my results back because my excruciatingly sophisticated solutions to the problems presented required detailed and intimate analysis. Alas, that was not the case. For those ninnies who complain that the one day lab devalues the process, all I can say is WRONG! The lab I saw was far more difficult than I remember from my previous attempt, and my previous attempt was NOT easy. In my first attempt, I did not see anything I couldn't do. This time, although FAR better prepared, I saw LOTS of things I couldn't do. IMHO, the one day format, with the elimination of the monkey tasks, allows Cisco to demand a lot more. The 26 points previously allocated to terminal server setup, cabling, and troubleshooting all go someplace. WOW! The places they went! Previous topics that were glossed over appeared in depth. Cisco continues to up the ante, and not always in ways one might expect. Some things I wouldn't have expected were there in spades. Probably THE major factor continues to be reachability. If you don't understand the implications of the given network topology, and given interactions, you will be screwed. The topology presented was interesting. 
Amazing what one can do on a six router / two switch pod to wreak havoc and let you know what an idiot you are. Devious doesn't begin to describe it. Bootcamp and IPExpert - it ain't the number of routers, boys! The e-mail feedback is amusing, but not particularly informative. I failed with a score greater than 20, meaning I can go back in 30 days for more humiliation, if I so desire. The breakdown percentages ( not scores ) would be of more interest if I were sitting with the proctor discussing the whys and the expectations. Otherwise it does me no good at all. For example, I solved a particular problem doing something a particular way. It worked just fine in terms of the results. Yet on that section I scored very poorly. What were they looking for? Fat fingers are still the major enemy for me, at least. It's no fun fat fingering on a Cat 5K. Not by any means. It also helps to be certain layer two stuff is done correctly. Well, debriefing will be fun. I have the topology duplicated in my home lab, and I will enjoy analyzing the problems I saw in the real lab. No you can't telnet in to look. DON'T ASK! In terms of seating, it appears to me that there are now more racks in the lab, in San Jose, anyway. Half the seats are taken by those testing. The other half seem to be those used the previous day. The proctors crank through the idle racks, grading the previous day's results. One last thing. I know what CCO says, and I know what IOS I saw on my rack. Rats. The advertised IOS would have gone a long way towards eliminating a particular problem I had. Not complaining, because any CCIE should have been able to solve the particular puzzle no matter what the IOS involved. Just observing that some things are still in the process of change. The proctors are still the good folks I remember from last time. Too bad we are not given the opportunity for more interaction afterwards. I would really have enjoyed discussing my results. Whelp, another time.
Chuck Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=28244t=28142 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Ohio [7:26942]
Dayton Rik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, November 20, 2001 6:04 PM To: [EMAIL PROTECTED] Subject: Ohio [7:26942] I would like to know if there are any user on this board from Central Ohio. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26948t=26942 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: CCIE#8387 [7:26309]
Dude, you are SOOO the man! Congrats! Rik -Original Message- From: Nigel Taylor [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 14, 2001 7:55 PM To: [EMAIL PROTECTED] Subject: CCIE#8387 [7:26309] Well as it would turn out it's my turn to write that awesome email... I just got back from RTP today where after checking my email, I was awarded CCIE#8387. What a journey/process this has been and I must say that I'm relieved that it's now over. After countless hours of study and practicing on the rack the reward was most definitely worth the sacrifice. I didn't sleep any last night as I awaited the results of my lab score which I was unable to check until 12 noon today. So on that note I'm off to catch up on the sleep that escaped me last night. More to follow once I get rested up.. Nigel Taylor CCIE#8387 and all that other stuff.. :- Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26325t=26309 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: 2 sets of Gigabit Ethernet Channels. [7:26317]
Sure it's possible. No problemo. This is no different than connecting the Cats together via single Gig links. Rik -Original Message- From: Washington Rico [mailto:[EMAIL PROTECTED]] Sent: Wednesday, November 14, 2001 9:30 PM To: [EMAIL PROTECTED] Subject: 2 sets of Gigabit Ethernet Channels. [7:26317] As always I appreciate your input on anything you cisco people can give me. Question: If you have 3 cat6500's... Cat 1 and 2 are already channeled by Gigabit ethernet. Can I channel Cat 3 to Cat2 by Gigabit as well? This will obligate Cat 2 to have 2 sets of channels all are Gigabit...is this possible?? Subject: Re: Gigabit Ethernet Channels. [7:26077] Date: Tue, 13 Nov 2001 13:45:56 -0500 I wouldn't create 2 etherchannels between the switches, as this creates a loop, and with STP enabled, one of the channels would be disabled. Use all 4 ports, or 2 of the ports; one from each supervisor engine. The commands to accomplish this would be as follows: set port chan 1/1,2/1 on (2 port etherchannel, one from each supervisor engine) set port chan 1/1-2/2 on (4-port etherchannel) -Brant. - Original Message - From: Washington Rico To: Sent: Tuesday, November 13, 2001 1:28 AM Subject: Gigabit Ethernet Channels. [7:26077] As always I appreciate your input on anything you cisco people can give me. Question.. I am trying to create a Gigabit ethernet channel from two Cat 6500s. Cat A Gigabit ports 1/1-2 and 2/1-2. Cat B Gigabit ports 1/1-2 and 2/1-2. Can I create a channel where Cat A ports 1/1,2/1 are on the same channel or am I forced to use contiguous ports as 1/1-2 as one channel group? Cat software 5.5.7 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26327t=26317 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Convert Voice T1 to Frame-Relay T1? [7:25063]
Yes, but not by you. If the Voice provider is the same as the FR provider, then the T1 could possibly be reprovisioned for a FR data circuit. In this case, however, I would think most providers would prefer to just run another circuit into your facility and then turn off the old one. Rik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Friday, November 02, 2001 10:14 AM To: [EMAIL PROTECTED] Subject: Convert Voice T1 to Frame-Relay T1? [7:25063] Is it possible to convert a voice T1 to a frame-relay T1 ? Thanks __ Do You Yahoo!? Find a job, post your resume. http://careers.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25085t=25063 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: MAC address and VLANs [7:23950]
Priscilla, I'm going to open my mouth wide in preparation for my size 11 foot. While I agree with your core message, I tend to believe that you may be looking at a typical modern network through rose colored glasses. For example, I have been working with 3 small/medium (700-1000+ hosts) sized networks recently. All 3 flat and all 3 suffering from excessive broadcasts. I agree that in an ideal situation, the PCs have 1000 MHz+ processors, 100Mb full-duplex connections, and only IP across the wire. However, while a commendable vision, I just don't see it that way in the field. There are always older PCs on the network, substandard cabling, a myriad of protocols (typically from network printers operating with the default protocols), and/or other issues that just can't be easily and quickly fixed. In the cases of my clients previously mentioned, VLANs are the immediate cure. Priscilla, I surely mean absolutely no disrespect, so I guess we'll just have to agree to disagree that VLANs are still a good thing! Besides, I don't believe we can ever say they won't be useful but rather we'll just need fewer and fewer of them as the size of our well-designed IP networks grows because of the reasons you already mentioned. Rik -Original Message- From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 24, 2001 7:52 PM To: [EMAIL PROTECTED] Subject: RE: MAC address and VLANs [7:23950] Hooray for you, PO! You are absolutely correct. In military science, it is well known that military establishments enter any war prepared to fight the previous one. In these days of DSL to the home desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML based applications, we networking students study various means of eking out another packet or two on 56K links. Anyone here see the point of ISDN backup for DS3 links? ;- Your forward thinking is commendable.
Chuck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Priscilla Oppenheimer Sent: Wednesday, October 24, 2001 11:51 AM To: [EMAIL PROTECTED] Subject: Re: MAC address and VLANs [7:23950] The multi-VLAN feature that Leigh Anne mentioned might solve your problem. The Cisco switch port could be associated with two VLANs that way. You didn't say which switch you have, and this feature may not be available on all Cisco switches, though. Assuming that you don't want to upgrade the little switch to one that does 802.1Q or ISL, another somewhat radical fix to the problem might be to not use VLANs. My philosophy is that once VLANs get to the point of causing more problems than they fix, I eliminate them. ;-) One of the main things VLANs were supposed to fix was excessive broadcasts causing too many CPU interruptions on numerous workstations in a large, flat, switched network. Lately I have taken to making the controversial statement that this problem doesn't exist on many modern networks. These days workstations have amazingly fast CPUs. They are not bogged down by processing broadcasts. Also, as we eliminate older desktop protocols such as AppleTalk and IPX, what is still sending broadcasts? An ARP here or there is not a big problem. And ARPs don't actually happen that often. A PC keeps the data-link-layer address of its default gateway and other communication partners for a long time. Also, a lot of PC NICs used to be stupid about multicasts and interrupt the CPU for irrelevant multicasts for which the PC was not registered to listen. I bet that bug has been fixed by now. VLANs have other benefits (security, dividing up management and administrative domains, etc.) But if broadcasts are the issue, one should ask: Which protocols send broadcasts and how often? How fast are the CPUs? And that is my latest harangue against my least favorite LAN technology (VLANs!) Priscilla At 09:52 AM 10/24/01, NetEng wrote: Thanks for the replies.
The two MAC addresses would come from the two PC's in an office. They would both connect in to a hub and then the hub would uplink to the cisco switch. I need one pc in VLAN1 and one pc in VLAN2, from what you and Dennis stated this will not work. I appreciate the comments though. Collin Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]... Actually, that's not correct. The original specification for VLANs from what I understand mandates that only one VLAN can be assigned to a port, but manufacturers such as 3COM decided to do otherwise and support multiple VLANs per port. Cisco responded by allowing (on certain switches such as the Catalyst 2900XL) an administrator to configure a port to be a member of more than one VLAN at a time when using a membership mode known as Multi-VLAN. A Multi-VLAN port can belong to up to 250 VLANs; the actual number of VLANs to which the port can belong depends on the capability of the switch itself. Although the concept is similar, this membership mode is
RE: help with troubleshooting Cisco VPN connection [7:23695]
Using a different IP subnet is the way to do it. The PIX treats this like a virtual interface and has the intelligence built in to forward traffic between the inside and the VPN address range. Looking at your config, I agree with removing the conduit statement but I don't believe that is causing the issue. Really, besides some unexpected things (such as no NAT for Internet access), I don't see anything glaringly obvious that would cause your issue. The one thing I know I have had issues with is using numbers for access lists on a PIX. Recently, I lost track of what I was configuring and used numbered (extended IP) access lists on a PIX. Nothing worked right! I noticed my mistake, changed the access lists to my normal names and everything worked again. I suggest trying this. Also, if the access list 80 is not needed, which doesn't look to be in this config, I would remove it as well. Other than that, I might suspect that you have a hardware issue since this same config works on a similar PIX with the same OS. Rik -Original Message- From: chris [mailto:[EMAIL PROTECTED]] Sent: Monday, October 22, 2001 11:36 PM To: [EMAIL PROTECTED] Subject: Re: help with troubleshooting Cisco VPN connection [7:23695] In your config below the vpn client is being assigned an address that is on a different subnet than the inside interface of the pix and there is no sign of a router on that subnet (no default inside route to a router). BTW, you may want to get rid of the conduit permit any any! Chris Anh Lam wrote in message news:[EMAIL PROTECTED]... Can someone in this group help me with this problem? I am trying to set up VPN connections for remote users (people who use laptops on the road or people who are on their own corporate network) to connect to my home network using IPSec. I am using a PIX515-UR Firewall at my home network. The external IP address (outside) of the PIX is 66.61.46.240 while the internal IP address (inside) of the PIX is 172.16.1.254.
On the PIX, I also set up an IP pool so that the PIX will assign IP addresses to remote clients when they connect to my home network. This IP pool has an IP range of 172.16.2.1-172.16.2.254. On the clients side, everyone is running Cisco VPN client software version 3.0.6.rel2-k9 which I downloaded from the Cisco website. The clients are running either WinNT 4.0 workstation, or Win2k Professional or RedHat Linux 7.1 with kernel 2.4.10. When a client attempts to make a VPN connection to the PIX (66.61.46.240), the connection is successful and the client is also assigned an IP address of 172.16.2.1. So what is the problem you ask? Well, even though the client is successfully authenticated to my home network, he/she can NOT ping any of the devices in the 172.16.1.0/24 network. From the client, I can see the packet gets encrypted before sending out but nothing coming back (the counter on the packets decrypted on the client is zero). Rebooting the PIX several times did not resolve the situation either. At this point, I decided to replace the PIX515 with a PIX520 with the exact configuration. With the PIX520, everything WORKS. Client can access devices on the 172.16.1.0/24 network. I am running the same PIX IOS code on both the 515 and 520. Am I missing something in the PIX515? I thought since I am running the Un-Restricted (UR) license, VPN is supported. Below is the configuration of the PIX515. Please help. Thanks.
Anh

ciscopix#sh ver
Cisco PIX Firewall Version 6.1(1)
Cisco PIX Device Manager Version 1.0(2)
Compiled on Tue 11-Sep-01 07:45 by morlee
ciscopix up 9 hours 37 mins
Hardware: PIX-515, 96 MB RAM, CPU Pentium 200 MHz
Flash i28F640J5 @ 0x300, 16MB
BIOS Flash AT29C257 @ 0xfffd8000, 32KB
0: ethernet0: address is 0050.54ff.7a24, irq 10
1: ethernet1: address is 0050.54ff.7a25, irq 7
2: ethernet2: address is 00aa.00bc.ba87, irq 11
Licensed Features:
Failover: Enabled
VPN-DES: Enabled
VPN-3DES: Disabled
Maximum Interfaces: 6
Cut-through Proxy: Enabled
Guards: Enabled
Websense: Enabled
Inside Hosts: Unlimited
Throughput: Unlimited
ISAKMP peers: Unlimited

ciscopix# wr t
Building configuration...
: Saved
:
PIX Version 6.1(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security99
enable password xxx encrypted
passwd x encrypted
hostname ciscopix
domain-name micronet.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no names
access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0
access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.2.0
RE: CCIE written exam format [7:23970]
Yes to both. In the future, please check the archives at www.groupstudy.com for the answers to such questions - they get asked many times over on a regular basis. Thanks, Rik -Original Message- From: juno vtv [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 23, 2001 9:30 PM To: [EMAIL PROTECTED] Subject: CCIE written exam format [7:23970] Hi everybody! Can someone tell me what the format is for the CCIE written? I've heard that you can go back and change your answers. I've also heard that they don't tell you how many answers there are on the multiple choice. Thanks! -junovtv Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23977t=23970 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: fast switching [7:23969]
Gosh Jenny, I don't have a clue but in the past I've had to reboot equipment at times to make a few rare changes take full effect so maybe you're correct. How much pain is involved in rebooting it? Rik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, October 23, 2001 9:07 PM To: [EMAIL PROTECTED] Subject: fast switching [7:23969] Something odd is happening on my network... (not that that's unusual...) I have a couple of 7507s connected by two E1 links. For various reasons, the links are set up with fast switching disabled (mainly because there are single sessions with enough traffic to flood a single link). The 7507 on one side is running IOS 11.2. Last weekend the 7507 on the other side was upgraded to 12.1(10). According to 'show ip int', fast switching and flow switching are disabled (on both links at both ends). However, MRTG shows that the traffic from the 12.1 router to the 11.2 router is not balanced evenly across the two links. Traffic from the 11.2 router to the 12.1 router is balanced. Any guesses as to why this is so? Bug (surely not, this is Cisco...:-)? Is a reboot or shut/no shut required to change switching states (I didn't do the upgrade myself and I'm not sure what exact configuration sequence was used)? Something really obvious I'm missing here? Ta, JMcL Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23978t=23969 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: GBIC: WS-G5484 / WS-G5486 [7:22675]
Ole, I apologize for getting back so late! I went out of town after originally responding and just returned back. Actually the 3500 switches support the copper GBIC as well, just make sure you put a newer IOS on the switch or it won't recognize it. That's the beauty of the GBIC design - all are supported in any GBIC slot, which makes everything so modular. Going the way you described would be expensive and I'm not sure even possible. I have not seen a Gb media converter but that doesn't mean they don't exist. In any case, I would stay with the copper stuff and save your money. Rik -Original Message- From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 11, 2001 9:14 AM To: 'Rik Guyler'; [EMAIL PROTECTED] Subject: RE: GBIC: WS-G5484 / WS-G5486 [7:22675] Rik, I apologize if this question is terribly stupid, but I have zero experience with fiber communication (yet). As far as I can see, the available Gigabit modules for the 3500 series are all fiber, so I assume that I will have to go with fiber, and then get some kind of a fiber to copper converter too if I wish to use CAT5 (or better) for the media. How does your installation look regarding this? Thanks in advance, Ole ~~~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~~~ http://www.RouterChief.com ~~~ NEED A JOB ??? http://www.oledrews.com/job ~~~ -Original Message- From: Rik Guyler [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 10, 2001 7:29 PM To: [EMAIL PROTECTED] Subject: RE: GBIC: WS-G5484 / WS-G5486 [7:22675] Ole, I have installed several Gb Intel cards (no other however) and have had no real issues. If you do use these cards, don't use the shipping drivers (at least for NT) - they are bad news. Download the latest from their site and all will be good. CCO has several papers describing the issue if you feel the need.
If you compare the prices of the copper versus the fiber Gb cards, the price difference is huge - $500-$600 for the fiber cards and less than $200 for the copper version. I have installed a few of the fiber variety but typically the client wants the cheaper alternative. I have had nothing but success using existing Cat5 cable. Cat5e might be the preferred variety but the plain ol' Cat5, provided it's terminated, installed, etc. well, should work fine. Rik -Original Message- From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] Sent: Wednesday, October 10, 2001 3:11 PM To: [EMAIL PROTECTED] Subject: GBIC: WS-G5484 / WS-G5486 [7:22675] Any success stories about a Catalyst with either of these two GBIC's and an NT 4.0 server equipped with a Gigabit NIC (brand/model)? Most of the NIC's are around $500.- to $600.-, but there are some around $100.- to $200.- Are they okay, or just cheap crap with a lot of lost frames and incompatible drivers? Also, any happy experiences with Gigabit running over existing CAT5 cables? I thought that since it has been almost two years since I got my last speeding ticket, I might as well accelerate a bit (or actually all the bits). Thanks, Ole ~~~ Ole Drews Jensen Systems Network Manager CCNP, MCSE, MCP+I RWR Enterprises, Inc. [EMAIL PROTECTED] ~~~ http://www.RouterChief.com ~~~ NEED A JOB ??? http://www.oledrews.com/job ~~~ Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23668t=22675 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Word of Caution [7:23363]
While I don't judge people by their mistakes, I do tend to judge them by how they correct them. Was it Debbie's fault your systems went down? No. I don't pretend to live in a world where malfunctions don't happen, but when your systems take a crap you should be ready to deal with the fallout. Seems to me that just eating the $500 would have been cheaper than having to now clean up the mess and deal with the lost revenue of many, such as myself, that will never buy anything from you. Besides, it would appear that Debbie's bad experience was hardly the first according to other members of our group and we just don't need crap like that to deal with, especially since we have quality vendors like Brad Ellis (Big Brad!) to work with instead. Before you ask, I don't work with Brad in any way...I am a customer only. Rik Buy Only From Brad Guyler -Original Message- From: Robert Davie [mailto:[EMAIL PROTECTED]] Sent: Thursday, October 18, 2001 10:43 AM To: [EMAIL PROTECTED] Subject: Re: Word of Caution [7:23363] I would like to respond to a message (below) that went out over a GroupStudy mailing list regarding our company. When our system is functioning properly (99%) we have two mechanisms that work that were not working when Debbie placed her order: 1. A guard against low-ball offers for items that have sale prices. This guard prevents offers of less than 80% of the sale price. (Debbie's offer was $100 for a $600 item.) 2. Order Acceptance. This was malfunctioning and accepting orders that were being declined. After explaining this to Debbie, who appears to be a very knowledgeable and market savvy person, we felt that the system malfunction would garner her understanding. She threatened to send out an email to the GroupStudy mailing list if we did not fulfill the order, and we indicated that we would respond to her email message.
Having been in sales all my life and career and with happy customers ranging from ATT to Sun Microsystems, I feel this is a very unfortunate occurrence. Robert Davie EVP Ph: 919-388-9993 x3102 Fax: 919-388-9992 ITParade.com, Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Debbie Westall Sent: Wednesday, October 17, 2001 9:08 AM To: [EMAIL PROTECTED] Subject: OT: A Word of Caution about Vendor [7:23244] Greetings, I wanted to give everyone a heads-up on the list about a vendor I recently dealt with over the Internet. The web site is www.itparade.com. They are a site that acts as a middleman for sellers of equipment. Last week I put an offer on a router (2501). I admit the offer was very low, but I had never used this site so I figured why not. A couple of hours later I received an email from them saying that my offer was accepted by the seller and I was to log on to another site to make payment arrangements. I logged into PitNeyPay.com to add my credit card info as requested. The next day I received a phone call from a person at itparade, saying they have pulled my offer, that the seller actually rejected my offer but itparade's web site was broken so the email went out incorrectly. The person at itparade also mentioned that the seller would be more than happy to sell me that piece of equipment for 600.00 rather than my offer. Which would have been more than double my initial offer. Needless to say, I rejected that. I spoke to the Executive VP and the CEO of the company to no avail. They will not stand behind the email that came to me that my offer was accepted. Just wanted to give everyone a heads-up to STAY AWAY from this site. If it sounds too good to be true, it probably is.. Has anyone used them before or heard of them? Thanks Debbie __ Do You Yahoo!? Make a great connection at Yahoo! Personals.
http://personals.yahoo.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=23677t=23363 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: route cache? [7:22262]
I agree with the "pretty much always" except when you want to load balance over multiple paths. When multiple paths exist, fast switching moves data on a per-destination basis and not a per-packet basis as process switching does. Given different amounts of data will most likely be sent to different destinations, it would be possible to saturate one link while another goes relatively unused with fast switching. Of course, who am I to challenge a Madman? ;-} Rik -Original Message- From: MADMAN [mailto:[EMAIL PROTECTED]] Sent: Friday, October 05, 2001 5:47 PM To: [EMAIL PROTECTED] Subject: Re: route cache? [7:22262] Pretty much always, it's default, AKA fast switching. The command no ip route-cache enables process switching which is very CPU intensive. Dave george gittins wrote: when is it a good idea to enable route-cache -- David Madland Sr. Network Engineer CCIE# 2016 Qwest Communications Int. Inc. [EMAIL PROTECTED] 612-664-3367 Emotion should reflect reason not guide it Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22304t=22262 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
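Rik's point about why `ip route-cache` can leave one of two equal-cost links saturated, worked through as an added example (not code from the thread). It models the two switching paths the thread contrasts: fast switching, where the route cache pins each destination to the path chosen by its first packet, and process switching, where every packet is routed on its own and so alternates across the paths. The packet stream, addresses and sizes are constructed: one bulk transfer to a single host followed by a few small flows to other hosts, which is exactly the traffic mix the thread describes.

```python
from typing import Dict, List, Tuple

# Constructed packet stream: (destination address, size in bytes).
# Addresses and sizes are made up for this example.
PACKETS: List[Tuple[str, int]] = (
    [("10.1.1.10", 1500)] * 8                      # one bulk session to one host
    + [("10.1.1.20", 64), ("10.1.1.21", 64),       # small flows to other hosts
       ("10.1.1.22", 64), ("10.1.1.23", 64)]
)


def per_destination_load(packets: List[Tuple[str, int]], n_links: int = 2) -> List[int]:
    """Model of fast switching with a route cache: the first packet to a
    destination picks a path, the cache remembers it, and every later
    packet to that destination takes the same path. Returns bytes per link."""
    cache: Dict[str, int] = {}
    load = [0] * n_links
    for dst, size in packets:
        if dst not in cache:
            # New destinations are handed out across the links in turn.
            cache[dst] = len(cache) % n_links
        load[cache[dst]] += size
    return load


def per_packet_load(packets: List[Tuple[str, int]], n_links: int = 2) -> List[int]:
    """Model of process switching: every packet is routed individually,
    so consecutive packets alternate across the equal-cost paths."""
    load = [0] * n_links
    for i, (_dst, size) in enumerate(packets):
        load[i % n_links] += size
    return load


def imbalance(load: List[int]) -> int:
    """Bytes separating the busiest link from the idlest one."""
    return max(load) - min(load)


if __name__ == "__main__":
    for name, fn in (("per-destination (fast switching)", per_destination_load),
                     ("per-packet (process switching)", per_packet_load)):
        load = fn(PACKETS)
        print(f"{name}: {load}  imbalance = {imbalance(load)} bytes")
```

With this stream the per-destination model puts the entire bulk session on one link (12128 bytes against 128), while the per-packet model ends up even (6128 on each). The model keeps only what the thread states: it does not try to reproduce how a particular IOS release populates its cache, only the consequence that one heavy destination cannot be spread over two paths once it is pinned.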
RE: Cisco PIX Websense (Accounting) ? [7:21850]
No. A quick look through the documentation reveals that bytes transferred is not supported with the PIX.

Rik

-Original Message-
From: Hans Schimek [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 10:50 AM
To: [EMAIL PROTECTED]
Subject: Cisco PIX Websense (Accounting) ? [7:21850]

We are using a combination of Cisco PIX and Websense devices. What we want to achieve is getting accounting information out of this Websense application. There is a section called Bytes Transferred - which actually remains 0 - although the URLs are filtered and logged in the reporter.

Is there a possibility to get this information out of the Cisco PIX? Resp. does this device provide any interface statistics per connection (like bytes transferred from an IP address or user)?

thx
hans

---
Hans Schimek
Systems Engineer
NTS Netzwerk Telekom Service Gesellschaft m.b.H Co KG
Lemböckgasse 49
1230 Wien
Tel: +43/1/867 67 76-0, Fax: +43/1/867 67 76-56
Web: , [EMAIL PROTECTED]
NTS Vertrieb: [EMAIL PROTECTED]
NTS Support: [EMAIL PROTECTED]
NTS Training: [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22160t=21850
RE: guidance needed for CCIE written exam [7:21807]
I like Bruce's book - coverage of a very broad range of technologies. If your only goal is to pass a test then this book may be all you really need. If, however, you desire to learn how things work, then you will need to supplement it. I suggest using Kennedy Clark's CCIE Switching book and of course Jeff Doyle's Routing TCP/IP. I also suggest the Cisco Press BCRAN book for WAN technologies, Lou Rossi's whitepaper on Token Ring (Clark's book covers TR pretty well but I like Rossi's paper), and CCO for various whitepapers on the different frame formats and standards (802.x stuff).

Rik

-Original Message-
From: kruegel kurt [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: guidance needed for CCIE written exam [7:21807]

personally i am using bridges router and switches for ccie's by caslow and boson #1 for prep

i'd also like input from anyone else who has passed cciew

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=22163t=21807
RE: CID - WAN switching design resource [7:21810]
Check the archives on www.groupstudy.com. Some time ago, Chuck Larrieu posted a CCO link for the Stratacom stuff you might need.

Rik

-Original Message-
From: Donny Mateo [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 3:52 AM
To: [EMAIL PROTECTED]
Subject: CID - WAN switching design resource [7:21810]

Dear List,

I'm taking my CID tomorrow, and still feel a bit uncomfortable with the WAN switching stuff (IGX, MGX, BPX). Can anybody pinpoint me on the resource that I can use to learn design considerations on this stuff?

tia
Donny

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21951t=21810
RE: Cat 6000 [7:21845]
Strange behavior indeed! I don't know if it's the same thing, but an old, well-known bug with NT/Win2k and Catalysts is very similar. Connecting an NT/Win2k serial port to the console port of a Cat when the PC is booting will reset or freeze the switch. I have witnessed (in other words done) this on several different models of switches. I've heard that it has to do with the way NT/Win2k polls the serial port but I haven't confirmed it. Nowadays, I make sure my notebook is all the way up and my terminal emulator (Teraterm usually) is up as well. Funny, but it doesn't seem to affect routers, firewalls, etc...only the switches.

Rik

-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 10:29 AM
To: [EMAIL PROTECTED]
Subject: Cat 6000 [7:21845]

We have a couple of Cat 6Ks running IOS; when CRT terminal software is starting from a PC with the console cable connected it goes into rom monitor mode. Anyone know the reason for this? I haven't found anything on the CCO yet.

regards

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21952t=21845
RE: T1 install; line protocol going down and up every 30 [7:21955]
In my area, telcos always provide the clock source. I have never had to provide any form of clocking whatsoever. I am curious what type of router is on the other side. If it's not Cisco, are you running PPP? If you had a protocol mismatch, I wouldn't think layer 2 would even limp to up for 30 seconds, but then again, I've never dealt with an HDLC mismatch.

I also have had similar issues with very small local telco's equipment and a real lack of knowledge in troubleshooting anything more than the 1s and 0s flying by. My issues in one situation in particular were all a result of either bad equipment or inexperience on the local provider's part. Does the smartjack give any evidence of the issue? Any red lights to be seen? Have you replaced the cable from the smartjack to the router or tried another DSU and V.35 cable?

Here's what I would do at this point: if you have another router, DSU, cables, etc. try moving them in place of the current ones. This will help rule out a hardware issue. Also try a slightly different IOS version. This helps rule out buggy IOS and a corrupted image in flash. If you do these and still nothing, I would open a case with TAC and ask them for some troubleshooting assistance. Once they confirm everything for you, you will be loaded for bear when taking on the telco.

Good luck!

Rik

-Original Message-
From: Stephen Hoover [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 03, 2001 10:47 AM
To: [EMAIL PROTECTED]
Subject: T1 install; line protocol going down and up every 30 seconds [7:21848]

I am working on a point to point T1 install at a small office. The line protocol keeps going up and down every 30 seconds and I cannot ping myself. My keepalive timers are not incrementing. The telco provider says that they are not providing the clock on this line and that we need to do so ourselves. My condition remains the same whether I set my clock to line or internal.

The router on the remote end however seems to be ready to go when they set their clock source to line. When they set to internal, the telco provider sees framing errors on the line. Does it seem feasible that there is a clock source somewhere back towards their end of the line that their router can receive and mine cannot? I am working with the IT staff on the remote end of the link, but none of us seem to have any idea where else to go with this problem. My system works fine when I put my DSU in local loopback and it works when I put their DSU in remote loopback - so I *think* the hardware is sound.

Any help is appreciated!

Thanks,
Stephen Hoover

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=21955t=21955
RE: PIX 515 firewall sample config .... [7:20654]
You have to install the HTML content. The PDM (PIX Device Manager) is a separate install from the OS.

---
Rik Guyler

-Original Message-
From: Kevin McIntyre [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 7:48 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX 515 firewall sample config [7:20654]

I have tried to enable this on my 506 with version 6 software with the following two lines:

http server enable
http 0.0.0.0 0.0.0.0 inside

But...nothing is available when you hit the pix with a web browser, i.e. no server running. Did I miss something??

Kevin

Dennis H wrote:
You might want to think about upgrading to PIX6 and using the gui client. It's very similar to checkpoint...

RAJESH AGNIHOTRI wrote in message news:[EMAIL PROTECTED]...
Greeting to you all techi guys .. My name is Rajesh ... i have a new project to implement. Basically i am checkpoint guy .. I need to implement cisco PIX firewall 515 at one of our customer place . All i need from you guys is a sample config with nat enable with static mappings ..

Thanks
Regard
Rajesh

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=20754t=20654
RE: Alert: Some sort of IIS worm seems to be propagating [7:20388]
I was doing battle with this beastie last night until midnight. This one's very bad as it overwrites files with various .eml files, typically seen is readme.eml. If you do a search on the local drives for the extension, you will find numerous files (over 1600 in my case last night) found.

How does this relate to Cisco? Well, I was originally called for a router problem as the Internet browsing and email transfer was very slow and of course the client's first thought was that there was a telco, router, DSU, etc. issue. I checked the router and the console (and VTY) was VERY slow. I ran a show processor cpu and discovered the processor utilization was nearly 100% and was staying there, which explains why the console was so slow. Upon deeper scrutiny, I found that IP input was the process using most of the processor, which indicates that IP traffic is jamming the router. With this knowledge, I went after the worm, which unfortunately, has no simple fix, at least at this time. When I removed the server from the network, the router was fine.

So, all of the engineers that are so Cisco focused that a mere virus doesn't matter take heed - not everything can be judged on first impressions.

---
Rik Guyler

-Original Message-
From: Brad Ellis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Alert: Some sort of IIS worm seems to be propagating [7:20366]

John Kaberna, ([EMAIL PROTECTED]), sent me the following info:

This may be what you are experiencing:
http://www.cert.org/current/current_activity.html#port80

Make sure you patch IIS if you haven't done so already. Check to see if you're already infected with Code Red and follow the instructions to get rid of it.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp

You can also use NBAR to block Red Worm if you haven't done so already.
http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml

-Brad Ellis
CCIE#5796
Network Learning Inc
[EMAIL PROTECTED]
used Cisco: www.optsys.net

Farhan Ahmed wrote in message news:[EMAIL PROTECTED]...

-Original Message-
From: Simon Clausen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 12:49 AM
To: [EMAIL PROTECTED]
Subject: Re: Alert: Some sort of IIS worm seems to be propagating

Sent on behalf of Rich Zuris ([EMAIL PROTECTED]) due to his network being taken offline by the worm.

Following is a list of recorded changes made to NT4 SP6a with Q299444 rollup security patches.

The following is appended to EVERY HTML file on the machine:
window.open(readme.eml, null, resizable=no,top=6000,left=6000)

Just about every directory on the machine has one or more files with extension .eml, mostly readme.eml but also other names that seem to correspond to directory or other filenames. Total of 1234 .eml files created, totalling 98Mb (about 78Kb each). Also got 55 files with extension .nws, containing exact same content. Both .eml and .nws files can be opened by Outlook Express.

Virus makes numerous outbound connections to port 80 to propagate itself to other servers.

Virus sets IE5 to IE4 compatibility mode (apparently to circumvent security) and crashes Explorer.exe when IE is launched. IExplore.exe appears to be hacked, and there is now a hidden IExplore .exe (note the space before the extension) in same directory.

Virus code in stealth executable file with name tftp###, where ### is any numeric string. File has no extension, but it is definitely a Windows executable. This file is placed into \Program Files\Common Files\System\MSADC, and in same directory, Admin.dll appears to be hacked.

IIS console hacked: New MMC.EXE placed in \WINNT directory, which may override original version in \WINNT\System32.

EXE files placed into TEMP directory. Note that most/all hacked EXE files are flagged Hidden.

Riched20.dll files placed in random directories (not on PATH, not containing executables).

NT Account Guest was made a member of the NT Administrators group!

Regards,
Simon Clausen

-Original Message-
From: Windows NTBugtraq Mailing List [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
Sent: Wednesday, 19 September 2001 1:21 AM
To: [EMAIL PROTECTED]
Subject: Alert: Some sort of IIS worm seems to be propagating

-BEGIN PGP SIGNED MESSAGE-

There have been numerous reports of IIS attacks being generated by machines over a broad range of IP addresses. These infected machines are using a wide variety of attacks which attempt to exploit already known and patched vulnerabilities against IIS. It appears that the attacks can come both from email and from the network.

A new worm, being called w32.nimda.amm, is being sent around. The attachment is called README.EXE and comes as a MIME-type of audio/x-wav together with some html parts. There appears to be no text in this mess
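The host-side artefacts listed in Rich Zuris' report (the window.open snippet appended to HTML files, the dropped .eml and .nws files, and the "IExplore .exe" name with a space before the extension) lend themselves to a simple triage scan. The following is an added example, not code from the thread or from any vendor: it walks a directory tree and reports those three indicators. The demo tree, file names and contents it builds are constructed placeholders, not worm code.

```python
"""Indicator scan for the file-system artefacts described in the thread
(added example). Meant for a defender triaging a suspect web root from a
clean machine; it only reads and reports, never modifies anything."""

import os
import re
import tempfile
from pathlib import Path

# Matches window.open( ... readme.eml ... ) whether or not the quotes survived.
APPENDED_SCRIPT = re.compile(r'window\.open\(\s*["\']?readme\.eml', re.IGNORECASE)
DROPPED_EXTENSIONS = {".eml", ".nws"}
# An executable name with a space right before the extension, e.g. "IExplore .exe".
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll)$", re.IGNORECASE)


def scan_tree(root):
    """Return a dict of indicator name -> sorted list of paths relative to root."""
    hits = {"appended_script": [], "dropped_mail_files": [], "spaced_executables": []}
    root = Path(root)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            ext = path.suffix.lower()
            if ext in (".htm", ".html"):
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue          # unreadable file: skip, do not crash the scan
                if APPENDED_SCRIPT.search(text):
                    hits["appended_script"].append(rel)
            if ext in DROPPED_EXTENSIONS:
                hits["dropped_mail_files"].append(rel)
            if SPACE_BEFORE_EXT.search(name):
                hits["spaced_executables"].append(rel)
    return {k: sorted(v) for k, v in hits.items()}


def build_demo_tree():
    """Create a constructed directory that mimics the layout described in the post.
    All contents are harmless placeholder text (hypothetical, for the demo only)."""
    root = Path(tempfile.mkdtemp(prefix="iis-worm-triage-demo-"))
    (root / "wwwroot").mkdir()
    (root / "wwwroot" / "index.html").write_text(
        "<html><body>Hello</body></html>\n"
        '<html><script language="JavaScript">window.open("readme.eml", null, '
        '"resizable=no,top=6000,left=6000")</script></html>\n')
    (root / "wwwroot" / "clean.html").write_text("<html><body>Clean page</body></html>\n")
    (root / "wwwroot" / "readme.eml").write_text("constructed placeholder, not a dropper\n")
    (root / "docs").mkdir()
    (root / "docs" / "notes.nws").write_text("constructed placeholder\n")
    (root / "IExplore .exe").write_bytes(b"MZ constructed placeholder")   # suspicious name
    (root / "IExplore.exe").write_bytes(b"MZ constructed placeholder")    # normal name
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for indicator, paths in scan_tree(demo_root).items():
        print(f"{indicator}: {paths}")
```

The scan reports paths only; cleanup on an infected host still follows the vendor guidance linked in the thread, and a hit on the appended script in every HTML file is what tells the responder that the web content itself, not just the server binaries, needs restoring from backup.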
RE: Dial in/Dial Out modem bank [7:17929]
I have had to support this type of activity in the past as well and I agree that an AS5300 (or newer) will do the job well. However, that's a fairly expensive box. Cheaper alternatives would include a 2511/2513 router with octal cable(s) and external modems or maybe a 3600 series router. These both can provide this type of access. In my office, for engineers providing remote dialup support, we use a 2509 with an octal cable and external modems. Works well and is a fraction of the cost of an AS box.

Good luck!

---
Rik Guyler

-Original Message-
From: Brian Whalen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 6:44 PM
To: [EMAIL PROTECTED]
Subject: RE: Dial in/Dial Out modem bank [7:17929]

You actually allow users to dial out from their desktops, while connected to a lan?? The horror of it..

Brian Sonic Whalen
Success = Preparation + Opportunity

On Thu, 30 Aug 2001, Jim Dixon wrote:
Cisco AS5300 should handle your needs nicely.

-Original Message-
From: Mike Momb [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 2:56 PM
To: [EMAIL PROTECTED]
Subject: Dial in/Dial Out modem bank [7:17929]

To all you cisco wizards,

What Cisco product would you recommend for dial in/dial out capability on a LAN? We have many users who dial into our network and do work from home. We also have users that would like to dial out from their desktop without using stand alone modems. Something that would handle at least 16 simultaneous users. We currently use a product that is slow and sometimes it locks up. Any advice/input would be appreciated.

Mike

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18012t=17929
RE: Connect 6509 with CONSOLE [7:17983]
Hmm...I don't know what the little hole is but accessing the console on a 6509 is just like any other device. Set your stop bits to 1 and give that a try. 1 is the default setting for Cisco consoles. Remember: 9600, 8, none, 1

---
Rik Guyler

-Original Message-
From: Thomas N. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 7:27 PM
To: [EMAIL PROTECTED]
Subject: Connect 6509 with CONSOLE [7:17983]

Hi All,

I attempted to access the CAT 6509 with the CONSOLE port today. This 6509 is in production. It appeared that I didn't get any output on my HyperTerminal. My HyperTerminal setting is: 9600 bits per second, Data bits = 8, Parity = none, Stop bits = 2 (as indicated on Cisco.com), Flow control = none. There's also a little hidden hole right next to the CONSOLE port labelled as "Console mode". I don't know if I have to change something to access the console? Also, if I have to press that hidden hole to access the Console mode, will it affect the production environment?

Thanks All in advance!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=18014t=17983
RE: Adding NIC to the PIX ?? [7:17691]
Well, Smartnet may be one reason, but another reason Cisco sells these cards as official is because they are. You used to be able to tell by looking but I don't know if that is still the case, but the Cisco cards come with custom firmware. One of the differences I know of is that the official cards cannot be forced into promiscuous mode.

---
Rik Guyler

-Original Message-
From: Ed Horley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 12:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Adding NIC to the PIX ?? [7:17691]

Here is the link for the hardware portion:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/install/board.htm

Watch the wrap. This covers the 535, 525, 520, 515 for upgrading circuit boards (NICs). In a pinch I have used standard Intel NICs in the PIX 520 to get it up and going and swapped them out after the official parts came in. I believe to keep your SmartNET contract it requires that you have Cisco purchased parts. They give you Intel NICs in the PIX anyway so you should be safe. I have no idea if there is a change in licensing or not.

Regards,
Ed

Rodney Jackson wrote in message news:[EMAIL PROTECTED]...
I have searched the Cisco web site for information on adding interfaces to the PIX firewall but have come up short. Do you guys know how to (what changes I need to make to the config) or where I can find the info?

Rodney Jackson
Dallas Semiconductor
Network Engineer
(972) 371-4824

[GroupStudy.com removed an attachment of type application/octet-stream which had a name of Rodney Jackson.vcf]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17779t=17691
RE: Work-related ACL problem [7:17695]
Right! The source port in this case is inconsequential as it can be random, typically 1024 or above. It is the destination port that we are interested in in this case, as that is the port on which the destination host will accept the specified request. Since modern access lists are created in a source first - destination second manner, the eq www statement after the second any indicates the destination port.

One other minor note: while it doesn't hurt anything, having the access-list 101 permit ip any 172.0.0.0 0.255.255.255 statement is irrelevant as the following statement covers the permission to the 172.0.0 network as well. In this case it's not a big deal but if you use several dozen or hundred access lists, having unnecessary extras may add noticeable overhead.

---
Rik Guyler

-Original Message-
From: ron [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 10:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Work-related ACL problem [7:17695]

isn't it supposed to be:
access-list 101 deny tcp any any eq www

ron

- Original Message -
From: Wilson, Bradley
To: [EMAIL PROTECTED]
Sent: Wed, 29 Aug 2001 12:03:33 -0400
Subject: Work-related ACL problem [7:17695]

Okay gang, this one's work-related so don't feel obligated to help. ;-) I think it's an interesting thought problem though:

The Problem I'm Trying To Solve: allow access to a particular website (2.2.2.2) from users on a particular subnet. Do NOT allow them to access any *other* website. Allow them to access other resources within your internal network (172.0.0.0).

Here's the ACL I came up with:

access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any eq www any
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any

This list was created on an MSFC card running in a 6509 chassis, and has been applied to interface Vlan1 inbound (I tried outbound as well just for kicks).

The (unintended) result is that users can access both the target website, as well as other websites on the Internet.

Any ideas?

Bradley J. Wilson
CCNP CCDP MCSE NNCSS CNX MCT CTT
EDS/Boston Scientific Account
(508) 650-8739
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17796t=17695
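The source-port versus destination-port mistake in this thread can be checked offline with a small first-match evaluator for the access-list syntax used in the post. This is an added example, not IOS code and not from any poster: it parses Bradley's list and the version with ron's correction, then runs constructed packets through both. Only the subset of the syntax that appears in the thread is supported (any / host / address-wildcard, an optional eq port on either side, contiguous wildcard masks), and the user and outside-server addresses are constructed.

```python
"""First-match evaluator for numbered extended IP access lists (added example).
Supported form: access-list N permit|deny ip|tcp|udp|icmp <src> [eq port] <dst> [eq port]
where <src>/<dst> is "any", "host A.B.C.D" or "A.B.C.D wildcard" (contiguous masks)."""

import ipaddress

PORT_NAMES = {"www": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

# The list Bradley posted: line 2 matches the *source* port.
ORIGINAL_ACL = """
access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any eq www any
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""

# The same list with ron's correction: line 2 now matches the *destination* port.
CORRECTED_ACL = """
access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any any eq www
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""


def _take_addr(tok):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # "address wildcard": invert the wildcard bits to obtain a normal netmask.
    wildcard = int(ipaddress.ip_address(tok[1]))
    netmask = str(ipaddress.ip_address(~wildcard & 0xFFFFFFFF))
    return ipaddress.ip_network((tok[0], netmask), strict=False), tok[2:]


def _take_port(tok):
    """Consume an optional 'eq <port>' qualifier; return (port or None, remaining tokens)."""
    if tok and tok[0] == "eq":
        name = tok[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tok[2:]
    return None, tok


def parse_acl(text):
    """Turn access-list lines into (line, action, proto, src, sport, dst, dport) tuples."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)      # port right after the source = source port
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)      # port right after the destination = destination port
        rules.append((line.strip(), action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Top-down first match; returns (action, matching line) or the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line, action, rproto, rsrc, rsport, rdst, rdport in rules:
        if rproto != "ip" and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rsport is not None and rsport != src_port:
            continue
        if rdport is not None and rdport != dst_port:
            continue
        return action, line
    return "deny", "implicit deny at end of list"


if __name__ == "__main__":
    # Constructed: a Vlan1 user (ephemeral source port) browsing to an outside web server.
    pkt = ("tcp", "10.0.0.5", 1025, "203.0.113.9", 80)
    for name, text in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"{name:9s} -> {evaluate(parse_acl(text), *pkt)}")
```

Against the original list the outside web request falls through to the final permit ip any any, because line 2 only matches packets whose source port is 80; the corrected list denies it on line 2 while the allowed site (matched on line 1) and the 172.0.0.0/8 hosts (matched on line 3) still pass. The returned line also makes Rik's redundancy remark visible: drop line 3 and the same 172.x packet is permitted by line 4 instead.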
RE: vpn through pix [7:17782]
Phil, can you elaborate on the whereabouts of this info? A link maybe?

Thanks

---
Rik Guyler

-Original Message-
From: Circusnuts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 10:40 PM
To: [EMAIL PROTECTED]
Subject: Re: vpn through pix [7:17782]

If you have the time this is covered in the Networkers stream off of the CCO (under Understanding Firewall Technology / Troubleshooting the Implementation of IPsec VPNs).

Phil

- Original Message -
From: r r
To:
Sent: Wednesday, August 29, 2001 9:19 PM
Subject: vpn through pix [7:17782]

does anybody have ideas on what is needed to use a vpn client through a pix running nat? another way to put it: i have users inside the pix wanting to vpn to another host across the internet through our pix running nat/pat. the vpn client says it gets connected but disconnects after a couple of minutes. i dont know if it really connects or just says it does but it doesnt seem to work. any ideas?

D

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17797t=17782
RE: What's the diameter of your switched network? [7:17489]
Of course, how often is the root physically in the center? ;-}

---
Rik Guyler

-Original Message-
From: Gareth Hinton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 7:28 PM
To: [EMAIL PROTECTED]
Subject: Re: What's the diameter of your switched network? [7:17489]

Always thought that Diameter was a misleading term. If the root bridge is physically in the centre of the bridged network, the diameter is actually the radius.

Hmmm - more coffee - it's late.

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
Here's something funky I've just started researching. Thought many of you might not be aware of this...

Awkward STP Parameter Tuning and Diameter Issues

We already saw that an aggressive value for the max-age parameter and the forward-delay could lead to a very unstable STP. The loss of some BPDUs can then cause a loop to appear. Another issue, not very known, is related to the diameter of the bridged network. The conservative default values for the STP impose a maximum network diameter of seven. This means that two distinct bridges in the network should not be more than seven hops away the one to the other. Part of this restriction is coming from the age field BPDUs carry: when a BPDU is propagated from the root bridge towards the leaves of the tree, the age field is incremented each time it goes through a bridge. Eventually, when the age field of a BPDU goes beyond max age, it is discarded. Typically, this will occur if the root is too far away from some bridges of the network. This issue will impact convergence of the spanning tree.

This came from: http://www.cisco.com/warp/public/473/16.html#2f

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17610t=17489
RE: VPN to PIX using Win2000 or Millennium?? [7:16452]
Yes, PIX supports PPTP according to CCO. However, I became frustrated with PPTP as each version of Windows offers different options and interacts with the PIX in a different manner. In other words, I have set this up and made it work most of the times I tried, but this one time, in band camp... Now, my experience is with the 5.x code and maybe, just maybe, it's better with the 6.x code as this now seems to be the trendy way to provide remote access. Despite this, I really recommend purchasing the VPN client. The 100-user license retails for around $250.

BTW - It used to be that the PPTP configs for the PIX on CCO were flawed. Maybe this is still the same, maybe not.

---
Rik Guyler

-Original Message-
From: Andy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:48 AM
To: [EMAIL PROTECTED]
Subject: VPN to PIX using Win2000 or Millennium?? [7:16452]

Hi

Does anyone know if it is possible to set up a VPN using either Windows 2000 or Millennium to connect to a corporate PIX without using any Cisco client software? I believe it is possible but haven't had any luck in getting it to work. I have it working great using NT with the Cisco Secure VPN client, which unfortunately doesn't run on the newer versions of Windows. I've also been told this is because the newer versions of Windows don't need it as they have this capability built in. I've done the usual setting up the VPN part on Windows but to my mind there seems to be a lot of options missing that would allow you to get it to work properly, such as ESP and AHP settings, etc.

Any help would be greatly appreciated.

Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16454t=16452
RE: Thanks to all who have contributed... [7:15994]
Chuck, that's an excellent compilation of lab advice! I notice that most of the esteemed contributors had common threads to offer, which I'll surely heed when my time comes. Are you getting close to taking another stab at the lab soon? I know I'd like to get a 4-digit number... ;-}

---
Rik Guyler

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: Thanks to all who have contributed... [7:15994]

for anyone who is interested, I have collected some good advice from CCIE's, and posted it at: www.chuck.to/CCIEAdvice.htm

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Donald B Johnson jr
Sent: Tuesday, August 14, 2001 7:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Thanks to all who have contributed... [7:15994]

Could you share your experience with us? What you covered, training methodology, equipment used, classes taken, things like that. Things that were useful along with wastes of time. Of course with the NDA in mind. Not what was on the test but what you did before you opened the door to the Lab center.

- Original Message -
From: Johns, John A.
To:
Sent: Tuesday, August 14, 2001 4:57 AM
Subject: Thanks to all who have contributed... [7:15994]

Hello all,

I would like to thank the people who have contributed to the list. I have used the list for probably two plus years. I passed my CCIE Lab on Friday and really appreciate all the help over the years. Thanks to all who have made this list great.

John A. Johns, CCIE #7983, CCDP, CCNP, MCSE, MCP+I, CCA, A+
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16101t=15994
RE: PIX Question [7:15518]
PAT itself won't help you...PAT is only for outbound connections. You didn't mention what version of PIX you have so I'll give you some insight. If you are running PIX 6.01 or can upgrade to it, then things are looking up. I believe that this version of PIX supports port redirection, which can accept a variety of traffic on a single address and forward to various internal addresses based on the TCP/UDP port used. A coworker told me that you can even do this on a single address that is also used for outbound PAT but I haven't confirmed this yet. It may also be possible that some of the 5.x versions of PIX support port redirection, but again, I haven't confirmed this. Anyway, check them out.

---
Rik Guyler

-Original Message-
From: Bruce Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 09, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:15518]

I have many devices on the inside (most secure) interface of my PIX that I need to allow telnet and ftp access to users from the outside (least secure) interface of the PIX. I know that I can create a static map to the inside IP addresses, but I don't have enough outside IP addresses to support all of the devices on the inside. I am using PAT to allow users from the inside (most secure) interface to get access to the outside (less secure) interface. Can I use PAT the same way to allow outside users to access the inside servers on one address, or is there a way to open the PIX up for all users from the outside to get in on a temporary basis?

Bruce Williams
215-275-2723
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15572t=15518
RE: Pix static NAT error UPDATE [7:15169]
I've set up several PIX boxes with 6.x and have had no problems whatsoever, certainly never had to use a port in a static statement. I tend to use basic configurations on firewalls...the simpler the better, and set up my statics first, and then apply the ACL(s) or conduits next. If you're sure you can't add a static without ports, I would suspect corruption, possibly the image, flash, or whatever. Try imaging the box with a fresh download of the PIXOS.

---
Rik Guyler

-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 7:22 PM
To:
Subject: Re: Pix static NAT error UPDATE [7:15169]

ok, this is straight from Cisco's web site for code 6.0 on the pix.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

It does indeed show this example:
static (inside,outside) 10.42.1.0 10.3.1.0
which should work...

-Patrick

Kevin McIntyre 08/08/01 07:01PM
I am using Pix software ver 6.0(1) and it won't allow me to not specify a port. I seem to be forced into specifying the smtp in the command line. It did sound like a good idea though.

Kevin

Patrick Ramsey wrote:
try doing a normal static mapping, then use acl's to allow smtp traffic through...ie:
static (inside,outside) 192.168.250.16 10.2.48.50 netmask 255.255.255.255 0 0

-Patrick

Kevin McIntyre 08/07/01 06:12PM
I have the following line in a PIX 506 for static natting to an inside server.
static (inside,outside) tcp interface smtp 172.16.1.21 smtp netmask 255.255.255.255 0 0
When the Pix is started this will work for a short period of time and then will stop answering connections on port 25 at all. The log on the server that it actually connects to says an unsuccessful attempt was made to connect but won't accept messages. When I try to send mail using the server from inside the PIX, directly to 172.16.1.21, the server itself is running fine. There is a 3640 router between the pix and the smtp server both with static routes. Any ideas?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15399t=15169
RE: Can't ping outside of PIX [7:15205]---- FIXED [7:15205]
Experience. Those of us that have worked on the PIX line for a number of years think this new-fangled idea of using the outside interface for PAT is pretty slick. We never had that option in the past. One thing looking at your config: I don't know how big your company is, but I would set the xlate timeout to something a little more reasonable than 24 hours. Something like 30 or 60 minutes or even 10 minutes (my choice). Keeping all of those translations around just ties up memory.

---
Rik Guyler

-----Original Message-----
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 8:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't ping outside of PIX [7:15205] FIXED [7:15316]

I changed the global statement to another IP address and the PC was able to ping on the Internet. I also removed the inside route and the PC was still able to ping ... I am curious. Where did you find this information? I used:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v4/pixcfg/pixcncfg.htm

Pierre-Alex

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of cheekin
Sent: Wednesday, August 08, 2001 8:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205]

I think you will need to give a different range of IP address for the global statement. The global statement and the outside interface are using the same ip address. I also think that the route inside statement is not necessary in this case. You can use sh route to display the routing table. PIX gurus, correct me if I am wrong.

cheekin

----- Original Message -----
From: Pierre-Alex
To:
Sent: Wednesday, August 08, 2001 11:34
Subject: Can't ping outside of PIX [7:15205]

I have spent the whole day on the problem below and I still can't see what I did wrong. Can you help?

The PC can ping the inside ip address of the firewall.
The Firewall can ping the default-gateway and anything on the Internet.
But I cannot get the PC to ping the outside IP address of the firewall (208.136.247.214) or anything outside like (206.26.90.8).

|PC|(1)--(2)|PIX|(3)-(4)--DSL MODEM

PC (1): ip address 10.1.1.12, subnet mask 255.255.255.0, default gateway 10.1.1.10
PIX (2): ip address 10.1.1.10, subnet mask 255.255.255.0
PIX (3): ip address 208.136.247.214, subnet mask 255.255.255.0
DSL MODEM (4): ip address 208.136.247.1, subnet mask 255.255.255.0

PIX Version 4.0.7
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd kIQggKv8.UiICW/r encrypted
hostname pixfirewall
failover
names
syslog output 20.3
no syslog console
interface ethernet outside 10baset
interface ethernet inside 10baset
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
arp timeout 14400
global 1 208.136.247.214-208.136.247.214
nat 1 0.0.0.0 0.0.0.0
age 10
no rip outside passive
no rip outside default
no rip inside passive
no rip inside default
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.12
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
no snmp-server location
no snmp-server contact
mtu outside 1500
mtu inside 1500
: end
[OK]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15400t=15205
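A sanity check over the configuration posted in this thread, added here as an example and not part of any of the original posts. It parses the relevant lines of the posted PIX 4.x config and flags the three points the replies raised (global pool reusing the outside interface address, the inside default route, the 24-hour xlate timeout); the "fixed" config at the top uses a constructed placeholder address, since the thread does not say which address the global was changed to.

```python
"""Added example (not from the original posts): sanity checks for the PIX
configuration posted above.  It parses the relevant lines and flags the
three points raised in the thread:
  1. the global (PAT) pool reuses the outside interface address, which the
     thread found does not work on PIX 4.0.7;
  2. a default route via the inside interface, which the thread found
     unnecessary;
  3. an xlate timeout of 24 hours where 10 to 60 minutes was suggested.
"""
import ipaddress

# Relevant lines copied from the config posted in the thread.
POSTED_CONFIG = """\
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global 1 208.136.247.214-208.136.247.214
nat 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
route inside 0.0.0.0 0.0.0.0 10.1.1.12
timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
"""

# Constructed "after" config: the thread does not say which address the
# global was changed to, so 208.136.247.215 is a placeholder from the
# same /24.  The inside default route is dropped and xlate set to 10 min.
FIXED_CONFIG = """\
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global 1 208.136.247.215-208.136.247.215
nat 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
timeout xlate 0:10:00 conn 12:00:00 udp 0:02:00
"""


def parse_pix(text):
    """Pull interfaces, global pools, routes and the xlate timeout out of
    PIX 4.x-style config text.  Lines we do not care about are skipped."""
    cfg = {"interfaces": {}, "globals": [], "routes": [], "xlate": None}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:2] == ["ip", "address"] and len(p) >= 5:
            # ip address <ifname> <addr> <mask>
            cfg["interfaces"][p[2]] = ipaddress.ip_interface(f"{p[3]}/{p[4]}")
        elif p[0] == "global" and len(p) >= 3:
            # global <nat_id> <first>[-<last>]
            lo, _, hi = p[2].partition("-")
            cfg["globals"].append(
                (int(p[1]), ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)))
        elif p[0] == "route" and len(p) >= 5:
            # route <ifname> <dest> <mask> <gateway> [metric]
            cfg["routes"].append((p[1], p[2], p[3], ipaddress.ip_address(p[4])))
        elif p[:2] == ["timeout", "xlate"] and len(p) >= 3:
            # timeout xlate hh:mm:ss ...
            h, m, s = (int(x) for x in p[2].split(":"))
            cfg["xlate"] = h * 3600 + m * 60 + s
    return cfg


def lint_pix(cfg, max_xlate_seconds=3600):
    """Return a list of (code, message) findings for the parsed config."""
    findings = []
    # 1. A global pool that contains one of the box's own interface addresses.
    for nat_id, lo, hi in cfg["globals"]:
        for name, iface in cfg["interfaces"].items():
            if lo <= iface.ip <= hi:
                findings.append(("GLOBAL_REUSES_INTERFACE_ADDR",
                                 f"global {nat_id} range {lo}-{hi} contains the "
                                 f"{name} interface address {iface.ip}"))
    # 2. A default route pointing anywhere but the outside interface.
    for ifname, dest, mask, gw in cfg["routes"]:
        if dest == "0.0.0.0" and mask == "0.0.0.0" and ifname != "outside":
            findings.append(("DEFAULT_ROUTE_ON_INSIDE",
                             f"default route via {ifname} to {gw}"))
    # 3. Translations kept around far longer than needed.
    if cfg["xlate"] is not None and cfg["xlate"] > max_xlate_seconds:
        findings.append(("XLATE_TIMEOUT_LONG",
                         f"timeout xlate is {cfg['xlate'] // 60} minutes"))
    return findings


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {label} config ==")
        for code, msg in lint_pix(parse_pix(text)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```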
RE: Cisco Call Manager [7:15402]
If you have a CCO account with the correct permissions, you can download it. Otherwise, talk to your local Cisco Account Manager for a demo or NFR version.

---
Rik Guyler

-----Original Message-----
From: Rick Holden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 9:04 PM
To: [EMAIL PROTECTED]
Subject: Cisco Call Manager [7:15402]

I am looking to pass the CIPT exam and would like to get a copy of Call Manager. Does anyone know where I can get a copy or maybe a shareware voice or an eval?

Thanks.

/Rick

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15415t=15402
RE: CCDA after CCNP, How tough???? [7:10960]
Why not do both? If you can complete the CCNP track, then technically speaking, you will have no trouble with the CCDA exam. You must understand, however, that the CCDA exam is not one to test you on technical understanding but rather on your communication skills. If you have not dealt with non-technical management making technical decisions, such as you will see as a consultant, then I would advise you to read a design book or 2 (Top Down Network Design is EXCELLENT) and then get some practice tests, such as Boson. These will help you understand and cope with the format of the test.

---
Rik Guyler

-----Original Message-----
From: Mohamed El Komy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 5:51 AM
To: [EMAIL PROTECTED]
Subject: Re: CCDA after CCNP, How tough [7:10960]

I also have the same situation. I just finished my CCNP and I'm still wondering whether it's worth going through the design track or not. I want advice from you all whether the design track will add to me or whether it is better to go through CCNP Specialization.

Oletu Hosea Godswill CCNP, CCNA. wrote in message news:[EMAIL PROTECTED]...
Hi,
Please tell me more about the CCDA exam. I recently got my CCNP, I want to get my CCDP before going for the CCIE written, I gather that despite my CCNP, I would have to do CCDA. Am preparing for the CCDA now to write it sometime this week. Am using CCDA by Todd Lammle (Sybex). I found a lot of CCNA and BCSN stuff in the book, I only have about one or two chapters dealing with hardware and other stuff. Please can someone tell me whether the Sybex book is enough or I need some other materials. A friend was once telling me to read up SOHO and other remote/home office devices covered in BCRAN; nothing was mentioned about these in the Sybex book. Do I need this additional knowledge? Please help.

Thanks.
Regards.
Oletu

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11686t=10960
RE: CCO questions [7:11275]
Unfortunately, having a reseller/partner account does not grant you the permissions to download software such as IOS, PIX OS, CAT OS, etc. Now, I'm not saying that you absolutely can't get these rights with this account, but it's not the default. According to Cisco, if you're a reseller/partner, the way to download software is to use the customer's account that was set up with their SmartNet contract or a special download access code provided by TAC.

---
Rik Guyler

-----Original Message-----
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 1:00 AM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]

Hey all

Does anyone know what is involved for a Cisco Authorised Reseller to obtain access to download router images etc from CCO? What level of access or partner status is required to be able to download the software?

Thanks!
Sam.

----- Original Message -----
From: Rik Guyler
To:
Sent: Sunday, July 08, 2001 12:50 PM
Subject: RE: CCO questions [7:11275]

Guys (or gals - don't want to offend the female members!), I hate to break it to you, but being a CCNP doesn't get you a CCO account. Being a CCIE does, but that's a different matter. Instead, why don't you sign up with the consultant program? It's free and you will get a CCO account. You can't download any software with this account but you will gain access to the private documents, resources, etc.

---
Rik Guyler

-----Original Message-----
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 9:14 PM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]

How long after finishing CCNP, etc does it usually take to get the CCO account? Just wondering. I finished CCNP and am eager to get my CCO login.

Mike W.

DNT wrote in message news:[EMAIL PROTECTED]...
I think in order to obtain an account on CCO, you must be a CCNP, CCIE, or reseller.

Denny

Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
I have a newbie question here.
What ways can one get a CCO login to the CCO site? Do you have to own equipment or be a CCIE?

-P.Kil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11332t=11275
RE: PIX recommendations !!! [7:11336]
Remember that the Proxy server doesn't really provide security as such but rather content caching. Unfortunately the benefit is not that great for big pipes to the Internet and so its value is questionable. If you are using a somewhat slow link or your link is rather oversubscribed, then I would keep the proxy server to reduce the bandwidth requirements via caching. For your situation, I might consider keeping the proxy server in place regardless of your circuit bandwidth. You say you already have filtering software in place so why buy something else to handle the same requirement you're already fulfilling? Websense filters URL (HTTP only) content plus provides authentication via the NT database and creates a variety of reports. For the money, this is one of the best products out there (I know...I install this product quite frequently). A cache engine is a great product also but neither one comes cheap. Since you can already handle the caching and filtering, I wouldn't waste the money replacing them. You can use the MS RADIUS server, which is free (IIS option pack), but you still would be giving up the caching and URL filtering capabilities of your current Proxy server. I like John's overall solution the best but if the budget is limited, stay with the Proxy box and integrate it into the PIX solution. If you want content filtering, then go with

---
Rik Guyler

-----Original Message-----
From: John Hardman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 1:23 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX recommendations !!! [7:11336]

Hi

I had a very similar problem to solve at work myself. The recommendation I finally came up with to meet the business needs of...

1) Content filtering
2) Logging of Internet activity
3) Improved usage of Internet bandwidth

So we used...

1) PIX 520 UR with fail-over
2) WebSense content filtering
3) And add a cache engine using WCCP
4) Added a Private I syslog server/analyzer for detailed usage reports

If I also had the need to do authentication against an NT domain I would have also added Cisco Secure ACS and had it use the NT SAM as its database. I guess you could also use the MS RADIUS server to authenticate against the domain, but I have never used this so I can not guarantee that it will work.

HTH

--
John Hardman CCNP MCSE

Raees Ahmed Shaikh wrote in message news:[EMAIL PROTECTED]...
Hi all,
I just need some of the recommendations to install a PIX box 525 in our network, currently we have MS proxy in our network. Should I replace proxy with the PIX, or use two levels of defense, comprising of PIXProxy. We have some application level url filtering software running on that proxy as well. Moreover the MS-proxy is using the NT Domain Security Model and thus using cut-through proxy feature, can that security be available if I go on with PIX. Without the Ms-proxy is it possible to use the same NT database for cut-through authentication. Some helpful tips please which will help me in the designing process.

Thanks in advance and Best Regards,
Shaikh Raees, CCNP,CCNA,CCDA,MCSE,MCP,CNE,CCIE Written.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11371t=11336
RE: CCO questions [7:11275]
Guys (or gals - don't want to offend the female members!), I hate to break it to you, but being a CCNP doesn't get you a CCO account. Being a CCIE does, but that's a different matter. Instead, why don't you sign up with the consultant program? It's free and you will get a CCO account. You can't download any software with this account but you will gain access to the private documents, resources, etc.

---
Rik Guyler

-----Original Message-----
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 9:14 PM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]

How long after finishing CCNP, etc does it usually take to get the CCO account? Just wondering. I finished CCNP and am eager to get my CCO login.

Mike W.

DNT wrote in message news:[EMAIL PROTECTED]...
I think in order to obtain an account on CCO, you must be a CCNP, CCIE, or reseller.

Denny

Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
I have a newbie question here.
What ways can one get a CCO login to the CCO site? Do you have to own equipment or be a CCIE?

-P.Kil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11290t=11275
RE: PIX authentication [7:11265]
I assume you are using the PIX to terminate a VPN tunnel? If that's the case, then you can set up local accounts for this purpose. Look into the vpdn ... commands. You didn't mention the PIX OS version so I'll assume 5.x at least.

By the way, Microsoft offers a free (yes, I said FREE!) RADIUS server. It comes as part of the IIS option pack for NT 4.0. I don't know where it's set up on Win2k but I'm sure it's there somewhere as well. With this, you could set up a backup RADIUS server.

---
Rik Guyler

-----Original Message-----
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 4:40 PM
To: [EMAIL PROTECTED]
Subject: PIX authentication [7:11265]

Hello,

I'm trying to set up PIX for a client. I would use RADIUS as authentication. The concern I have is if the RADIUS server is down, all authentication requests will be denied. On routers, I can create a local account as last resort, something like aaa authentication default radius local, but on PIX, there is no local option, how do I do then? By the way, my client has only 1 RADIUS server.

Thanks in advance.

Jim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11291t=11265
RE: CCO questions [7:11275]
Come to think of it, I haven't received anything for awhile either but to be honest, haven't really missed it as I too work for a partner. It may no longer be active but it would be worth it for the listers that don't work for a partner to check it out.

I have heard of a CCO guest account. I don't know what it gets you but it exists. Before anybody asks, I don't have a clue how to get it, what it gets you, etc. I just know it's available. How do these things get started...? ;-}

---
Rik Guyler

-----Original Message-----
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 11:06 PM
To:
Subject: RE: CCO questions [7:11275]

gotta wonder how these rumors get started.

does the consultant's program still exist? and do you still get anything from it? I haven't seen the quarterly goody bag in almost a year.

Chuck

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rik Guyler
Sent: Saturday, July 07, 2001 7:50 PM
To: [EMAIL PROTECTED]
Subject: RE: CCO questions [7:11275]

Guys (or gals - don't want to offend the female members!), I hate to break it to you, but being a CCNP doesn't get you a CCO account. Being a CCIE does, but that's a different matter. Instead, why don't you sign up with the consultant program? It's free and you will get a CCO account. You can't download any software with this account but you will gain access to the private documents, resources, etc.

---
Rik Guyler

-----Original Message-----
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 9:14 PM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]

How long after finishing CCNP, etc does it usually take to get the CCO account? Just wondering. I finished CCNP and am eager to get my CCO login.

Mike W.

DNT wrote in message news:[EMAIL PROTECTED]...
I think in order to obtain an account on CCO, you must be a CCNP, CCIE, or reseller.

Denny

Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
I have a newbie question here.
What ways can one get a CCO login to the CCO site? Do you have to own equipment or be a CCIE?

-P.Kil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11300t=11275
OT: 3000 Console cable help [7:11143]
Hey gang, I'm admittedly not much of a serial cable guru and this is beating my brains out! I have a couple of 3000 routers with DB25 console ports (the pinout below was taken from CCO). I wired this to a DB9-RJ45 plug but I'm not doing something right. For example, do I need to cross the TD and RD signals? When it says shorted, does that mean the wire is cut going back to the other end and the 2 local wires are basically looped together? Do RTS and CTS go straight through? I could buy these for $50-something each or make them for $5...not much of a choice if I can get this to work. Any help would be really appreciated!

Cisco 3000 series router - Console Port Pinouts (DB-25)

Pin   Signal      Input/Output
1     Frame GND   -
2     TD          Input
3     RD          Output
4     RTS         Shorted to pin 5
5     CTS         Shorted to pin 4
6     Shorted to pin 8   Output
7     GND         -
8     CD          Output
20    DTR         Input

---
Rik Guyler

Ciscofucious say: If you haven't checked the archives first, don't ask!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11143t=11143
RE: Still having problems with Inter-vlan routing! Help! [7:10945]
Step back from things and think about this for a minute and try to discover what you're missing. Intervlan routing is no different from any other routing - just try to think about it like it's physically separate broadcast domains, with separate switches, router ports, etc. You didn't say, but did you put the port PC2 is on in a different vlan (whichever vlan the second sub-interface is in)? If PC2 is in vlan 1, this won't work. Even though layer 2 will allow the ping, layer 3, where ping operates, will fail because your PC addresses are in different layer 3 networks. Other than that, it sounds like you did most things right. If you still can't get it down, you might try posting your configs so the esteemed group members may check 'em out!

---
Rik Guyler

Ciscofucious say: If you haven't checked the archives first, don't ask!

-----Original Message-----
From: cisco guru [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 03, 2001 9:50 PM
To: [EMAIL PROTECTED]
Subject: Still having problems with Inter-vlan routing! Help! [7:10936]

Hi,

I am still not able to get inter-vlan routing b/w 2 pc's connected to a Cat 5 switch and a 2620 router.

Basically, I have 2 pc's connected to a Cat 5000, ip's 30.1.1.30, def. gwy. 30.1.1.100 and 40.1.1.10, def. gwy. 40.1.1.100. The sc0 on the switch is 30.1.1.50 and def. gwy. 30.1.1.100. On the 2620, I have 2 subif's, f0/0.1 at 30.1.1.100 and f0/0.40 at 40.1.1.100 and isl encap enabled. Port 2/11 on the Cat 5 has trunking enabled for the 2620.

Ping works from pc1 (30.1.1.30). Can ping the Cat 5 and the 2620 router. (I assumed since the pc and the switch were in Vlan 1 by default, it worked). Ditto from the Cat5 itself and the router back to the pc. BUT cannot ping 40.1.1.100 from the 2nd pc and vice-versa from the router. Reloaded the router to see if it works. No luck.

What is it I am missing on the switch to get this working?? Any help/advice would be gratefully accepted.

Sincerely.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10945t=10945
RE: access servers? [7:10449]
These are generally remote access servers. Some call them RAS, some call them NAS (network AS) but they're all the same thing for the most part. In short, they provide access to the LAN via dial-up technology. These boxes usually have digital modem cards (the better ones do anyway), which provide high port density and support for 56k analog dial-up since there is one less digital-to-analog conversion as a result of the modems being of the digital variety. The AS5300, just a fantastic box, has the T1 controllers built right in so you don't need a DSU. Just plug the T1(s) into the controller ports and away you go. With this technology, you can get either 23 or 24 dial-up circuits per T1 depending on whether the T1 is channelized (CAS=in-band signaling for 24-56k connections) or Primary Rate Interface (PRI=out-of-band signaling for 23-64k connections such as BRI ISDN).

Hope this helps!

Rik

-----Original Message-----
From: Magenta Bloom [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 5:22 PM
To: [EMAIL PROTECTED]
Subject: access servers? [7:10449]

I went to the Cisco homepage and looked at the list of products. I saw Cisco Access Servers. What kind of hardware are those?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10455t=10449
RE: Strange situation with NAT and telnet [7:10387]
Is this an Internet router or just an internal router running translation? Unless you have static translates set up, NAT overload (PAT) will most likely not allow inbound connections as it tracks ports for outbound and established connections, not inbound connections. This is how you are able to create 64k sessions on a single IP address. A perfect example of this is the PIX, which only allows inbound connections on a static translation through the use of a conduit. The PIX will not allow an inbound connection on a PATed address(es) as it is for outbound connections only.

Is it possible to put a secondary address on the interface and not translate with that address? Port redirection might work if you are running IOS FW. You could redirect telnet requests to the inside interface address. If you're not running IOS FW, then there must be some mechanism blocking your session.

Rik

-----Original Message-----
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 6:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Strange situation with NAT and telnet [7:10387]

Well, to answer your question, I don't want to telnet to the outside interface from the inside. I want to telnet to the outside interface from the outside, and clearly due to the NAT, the outside interface is the only interface I can telnet to, and because of this stupid bug, I cannot. So basically what it boils down to is that nobody from the outside can ever telnet into the router, which bites.

And somebody asked what OS and what router I am using. It is 12.2(1), on a 2514.

Allen May wrote in message news:[EMAIL PROTECTED]...
OK I don't have the real answer but it seems that NAT overload is on the same IP address that you're trying to telnet to. That would be kind of weird for the box to receive a telnet request from to the same IP. No flames but I'll just throw a suggestion to try (let me know if it works). Try setting up an access-list for NONAT when going to that IP address. That will leave the source address alone. And it looks like you've set up an access-list to allow telnet to that interface already but double check that.

I have to ask...why telnet to the outside interface from inside?

Allen

----- Original Message -----
From: nrf
To:
Sent: Friday, June 29, 2001 4:01 AM
Subject: Strange situation with NAT and telnet [7:10387]

Hey all:

I have this strange situation where I cannot telnet into my router. This is what happens. I am successfully running NAT (with overload), with no problem. I can telnet into the interface that is the inside NAT with no problem. I can also telnet into any non-NAT interface with no problem. The problem occurs when I try to telnet into the interface that is the designated outside NAT interface. For example, when I fire up telnet from Windows and telnet to that outside NAT interface, it just shows that it is trying to connect, but it never connects.

Now, I can assure you that connectivity is fine. I can ping that interface. People from the inside can get to the outside, with no problem. So it's not a routing issue, I am sure. I have monitored what happens when I try to telnet, as I have an access-class on the vty line that allows anything in (permit ip any any), but is set for logging. So I notice that telnet packets are indeed being permitted by the access-list, meaning the telnet request is hitting the router successfully. On the console, I even get a message saying that the access-list is allowing a telnet packet in. So everything seems cool. But somehow the router doesn't want to acknowledge the telnet request.

Does anybody know what is up with that?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10467t=10387
RE: back-to-back [7:10469]
That's because the crossover for a T1 is different than 56k. I believe that the crossover you need is 1,2 - 7,8 but I'm not sure if my memory is working all that well or not. Maybe someone else can confirm or deny this for us. Or, if you really want to score points with the list, search on Google for 56k crossover and report your findings. ;-}

Rik

-----Original Message-----
From: Michelle Sanderson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 9:09 PM
To: [EMAIL PROTECTED]
Subject: back-to-back [7:10469]

I'm trying to get two 1602's and a couple of 2500's (2524/2501) set up into some kind of lab. I can't get the 1602's to see each other on the built-in 56k modules. I've tried service-module settings for clock source line/internal, speed, network-type, but nothing works. I made a cable with pins 1,2 to 4,5 and that works for the T1 modules that I have in the 1602's and 2524, but not on the built in 56k (in the 1602's). What am I doing wrong? Please tell me how I should make my cable or correct config, or point me to where it is on the CD.

Thanks for any help,
Dave

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10475t=10469
RE: T1 concept? [7:10300]
Well, it's not necessarily true that a T1 circuit is a frame circuit. A T1 is simply the layer 1 technology. In other words, just a piece of wire more or less. Frame relay on the other hand is a layer 2 technology. It will typically run on T1 layer 1 technology but not always. There is a 56k flavor of frame available and this is not run on a T-carrier circuit.

What layer 2 encapsulation does a standard T1 use if not frame relay you ask? Usually HDLC. In fact, when setting up a serial interface on a Cisco router in preparation for a T1, full or fractional, the default layer 2 encapsulation is HDLC and not frame relay. You can run PPP on a T1. This is typically used when your upstream router is a non-Cisco router as Cisco's HDLC is proprietary and not compatible with another vendor such as Nortel.

When somebody says I have a T1 to the Internet, they are usually bragging about the size of their pipe, which is roughly 1.5Mbs for a full T1. The fact that it's a circuit providing access to the Internet has nothing to do with the layer 2 encapsulation as it could be FR, HDLC, or PPP. That was not always the case as the frame relay cloud was just recently introduced to the Internet cloud, so now many ISPs will provide access via their private frame relay network.

Good luck!

Rik

-----Original Message-----
From: Sam [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 7:06 PM
To:
Subject: Re: T1 concept? [7:10300]

There really is no difference between a T1 to your ISP or a T1 to a branch office (in the scenario you outlined). Of course the one obvious difference is that the T1 to your HQ is part of your corporate frame relay cloud and the T1 to the internet is part of your ISP's frame relay cloud. T1s are usually frame relay connections, therefore they use frame-relay encapsulation.

RJ wrote in message news:[EMAIL PROTECTED]...
Hello,

What is the difference between a frame connection to a branch office (I have configured this) and T1 to the internet (I don't know how this is configured)? I have heard that our company has a T1 from (HQ) Atlanta to (backoffice) Tampa. Also they have a T1 to the internet. They also have numerous frame connections to small offices throughout the country. When somebody says that they have a T1 to the internet what exactly does this mean? What protocols (encapsulation) are they running? Is it PPP or is it a frame connection? How does one connect to the ISP? I am sure these questions have simple answers. Can somebody please explain this concept?

Thanks in advance.

Regards,
RJ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10366t=10300
RE: supervisor engine [7:9902]
The ports on a sup engine are like any other comparable port - they can be trunked.

Rik

-----Original Message-----
From: Joe Morabito [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 25, 2001 10:45 PM
To: [EMAIL PROTECTED]
Subject: supervisor engine [7:9902]

Does anyone know if you can use the ports of a supervisor engine (whichever model) for trunking? Or do you always need to use a port from the chassis...Assuming you have no rsm.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9909t=9902
RE: supervisor engine [7:9902]
Ummm...this is describing etherchannel, but you can do that also.

Rik

-----Original Message-----
From: jackxu [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 25, 2001 11:10 PM
To: [EMAIL PROTECTED]
Subject: Re: supervisor engine [7:9902]

certainly u can, cisco 6509's supervisor engine provides two gigabit ethernet ports in this module, so two 6509 can be combined together by trunking through the GE port.

Joe Morabito wrote in message news:[EMAIL PROTECTED]...
Does anyone know if you can use the ports of a supervisor engine (whichever model) for trunking? Or do you always need to use a port from the chassis...Assuming you have no rsm.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9913t=9902
RE: Setting up Sub-interfaces on serial interface for Frame [7:9704]
Well, since you say you have everything else accounted for, have you tried rebooting the router? Subinterfaces and loopbacks tend to be rather troublesome once set up. Deleting and changing these virtual interfaces typically requires a reboot for the changes to take effect completely. You might also check that ip subnet-zero is turned on. If not, you will get that very message if you try to use the zero subnet.

Rik

-Original Message-
From: tazman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 24, 2001 5:10 PM
To: [EMAIL PROTECTED]
Subject: Setting up Sub-interfaces on serial interface for Frame Relay [7:9697]

I am having a problem when attempting to configure sub-interfaces for a Frame Relay connection and was wondering if anyone has ever seen this problem before. I configured two routers for a point-to-point Frame Relay circuit with sub-interfaces and performed a test and turn-up with AT&T which worked fine. The problem I am having is that I realized after I configured the interfaces on both routers that I had used the wrong IP addresses. I set up both ends of the circuit with a subnet address of 255.255.255.252, but when I attempted to change the address I get a "bad subnet mask" error. I have both routers configured as IP classless and was able to assign a /30 address to both earlier. I removed the IP address from the interfaces and tried to add a new address and I get the same thing. Is there something special with sub-interfaces or Frame Relay which is causing this problem? Any suggestions would be greatly appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9704t=9704
RE: Linux Console program (HyperTerminal equivalent)? [7:7188]
Teraterm Pro is among the favorites of this group, myself included. Plus it's free. Just search on Google for teraterm and you'll get to the site easily.

Rik

-Original Message-
From: Stephen Dunn [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 04, 2001 9:51 PM
To:
Subject: Re: Linux Console program (HyperTerminal equivalent)? [7:7188]

minicom works like a champ.
http://www.pp.clinet.fi/~walker/minicom.html

Steve

nethacker711 wrote:

I was searching the archives and could not find this one. Does anyone know of or can recommend a good HyperTerminal-like program that will let me console into Cisco routers and other devices on Linux (RedHat)?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7203t=7188
RE: Passed CIT - Now a CCNP!! [7:6725]
Dude, great job!

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 3:14 AM
To: [EMAIL PROTECTED]
Subject: Passed CIT - Now a CCNP!! [7:6725]

I passed my final exam yesterday - CIT with a score of 919. At last I have my CCNP. Many thanks to everyone on this list for all the informative threads and help with problems I have had over this past period. Now to do my CCDP and security specialisation - anyone have any tips for these?

Thanks again

Andrew Larkins BCom, CCNP, CCDA
Bytes Technology Group Limited
Tel : +27 11 800 9467
Fax : +27 11 800 9496
Mobile : +27 83 656 7214
Email : [EMAIL PROTECTED] OR [EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6736t=6725
RE: PASSED: CCNP SWITCHING 2.0 (BCMSN) [7:6501]
Great job!

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 30, 2001 3:50 PM
To: [EMAIL PROTECTED]
Subject: PASSED: CCNP SWITCHING 2.0 (BCMSN) [7:6501]

Passed today at 3:00 with a score of 879. 64 questions in 30 minutes. Scoring range 300-1000, minimum passing score 699. YEAH!!

BTW, regarding ATM/LANE's presence on the exam blueprint, it was accurate (minimally).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6536t=6501
RE: Help on Cisco 4000 Switch [7:6191]
Friend, eh?!? Oh the humanity... ;-}

Well, you could set a static entry, but why? The ARP table is designed to be dynamic so that it doesn't grow to a large size and really create additional overhead. Remember, before ARP does its broadcast search, the switch will check the ARP cache. The bad news: the ARP cache is parsed from the top down. So if the table becomes large, static entries may actually slow things down. I wouldn't get into the habit of adding static entries, but if his little heart desires it so badly...

BTW - removing the router's entry from the ARP table will not disconnect it from the switch. All that it really does is force the switch to broadcast for the MAC address of the router if it's not in the table, and that really doesn't take much time at all. If a disconnect is really happening, then you... I mean he... has other issues to contend with.

Rik

-Original Message-
From: Joseph Cheng [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 29, 2001 3:23 AM
To: [EMAIL PROTECTED]
Subject: Help on Cisco 4000 Switch [7:6191]

Hi,

My friend has a question on the Cisco 4000 switch, can anyone please help? Thanks in advance.

==
When a Cisco 1720 is hooked up to the switch, if there is no traffic from the 1720, it will be disconnected from the Cisco Catalyst 4000 switch after a preset 300 seconds. The MAC address of the 1720 will disappear from the Cisco 4000 switch ARP table. Is it OK to use set arp static-address to permanently write the 1720 MAC address and IP into the 4000 switch ARP table?
==

Thanks,
JC

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6356t=6191
RE: Passed CCIE Written [7:6113]
Congrats dude!

Rik

-Original Message-
From: thangavel vishnukumar mudaliar [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 28, 2001 10:47 AM
To: [EMAIL PROTECTED]
Subject: Passed CCIE Written [7:6113]

Hi all,

I passed CCIE written, just narrowly escaped. Anyhow, cleared it. Now left with the difficult part to go, the LAB. Can someone suggest how to proceed in preparing for the Lab? Also I am from India and to my knowledge there is no company which offers a practise setup on rental. If anyone has come across one, please let me know.

Kind Regards
/Thangavel

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6122t=6113
RE: What do interVLAN routing and Layer 3 switching mean [7:6124]
I think that what you have described is multi-layer switching. As Howard has mentioned in past posts, L3S is simply a marketing term, as is wire-speed switching. Layer 3 Switching is simply a line card, typically in a chassis-based system, that can make routing decisions (layer 3) using hardware-based technology (layer 2). By not relying on the fundamentally slow software decision making, this process greatly enhances the speed at which the decisions are made.

There are other types of L3S devices, such as a 2948G-L3. This switch uses ASICs to make routing decisions within hardware. When you purchase one of these beasts, you basically have a 48-port gigabit router!

Inter-VLAN routing is just routing. Basically, it can be performed with any routing-capable device so long as you have the appropriate interfaces. The difference between Inter-VLAN routing and legacy routing really has nothing to do with routing at all. The real difference is how the LANs have been broken out: either Layer 2 (VLANs) or Layer 3 (IP subnetting). If you know something about routing, then you know something about Inter-VLAN routing. Read up on VLANs (I suggest the Kennedy Clark CCIE switching book) and all will become clear.

Rik

-Original Message-
From: Gareth Hinton [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 28, 2001 6:09 AM
To: [EMAIL PROTECTED]
Subject: Re: What do interVLAN routing and Layer 3 switching mean [7:6104]

Hi Frank,

I think the best description for Layer 3 Switching is "Route once - Switch many". The first time a packet in a particular flow passes through, a routing function will be used (on a different card, or even in a different device). But to speed up the processing of any further packets in that flow, a cache is created in the switch to remember this flow. The next time a packet comes through which matches this flow it will be switched without using the router functionality, therefore speeding things up.

The definition of a flow can differ depending on configuration. For instance, normally a flow may be any packet to a particular destination, but if, for example, an extended access list is configured, the criteria for the flow may tighten up, i.e. to be considered part of a flow, the source and destination are compared.

Inter-VLAN routing means a packet gets routed every time.

Regards,
Gaz

frank wrote in message news:[EMAIL PROTECTED]...

What does the following mean? It's cut from a description of WS-X4232-L3 on the Cisco website: "The Catalyst 4003 and 4006 Layer 3 Services module provides interVLAN routing for the Catalyst 4000 family switch and provides Layer 3 switching between the Gigabit Ethernet interfaces."

John Hardman wrote in message news:[EMAIL PROTECTED]...

Hi

OK I'll bite... Yes there is a difference. It gets a little convoluted, but there is a difference.

L3 switching: Think of a L3 switch as a multi-port router that operates at wire speed. The 2948G-L3 is an example. It is just a 50-port Ethernet router. So L3 switching is routing traffic at wire speeds. You could use one of these to route between VLANs, or route between networks.

Inter-VLAN routing: This is a technique, technology that is only used to route traffic from one VLAN to other VLAN(s). It generally takes place at wire speeds inside a Cat switch with a L3 switch option, but is often seen with routers that do not work at wire speeds.

So the bottom line... think of a L3 switch as a device, and Inter-VLAN routing as a technology.

HTH
--
John Hardman CCNP MCSE

frank wrote in message news:[EMAIL PROTECTED]...

Any difference?

frank wrote in message news:[EMAIL PROTECTED]...

Thanks,
Frank

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6124t=6124
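Added example, not code from any post in this thread: a small Python model of the "route once, switch many" behaviour Gaz describes. The addresses, VLAN names and the two flow-mask names are constructed for illustration. It shows why the flow definition matters once an extended access list is involved: with a destination-only flow, a later packet from a denied source matches the cached flow and never reaches the routing function that applies the access list, whereas a source-destination flow sends it back to the router, where it is dropped.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed addresses and VLAN names for illustration only.
ROUTES = {"10.0.1.0/24": "Vlan1", "10.0.2.0/24": "Vlan2", "10.0.3.0/24": "Vlan3"}
DENIED_SOURCES = {"10.0.2.9"}   # stands in for a 'deny' line of an extended ACL


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def make_router(routes, denied_sources) -> Callable[[Packet], Optional[str]]:
    """The 'route once' half: a routing function that also applies the access
    list. Returns the egress VLAN, or None when the packet is denied/unroutable."""
    nets = [(ipaddress.ip_network(n), egress) for n, egress in routes.items()]

    def route(pkt: Packet) -> Optional[str]:
        if pkt.src in denied_sources:
            return None
        dst = ipaddress.ip_address(pkt.dst)
        for net, egress in nets:
            if dst in net:
                return egress
        return None

    return route


@dataclass
class FlowCache:
    """The 'switch many' half: later packets that match a cached flow are
    forwarded from the cache without consulting the routing function."""
    router: Callable[[Packet], Optional[str]]
    flow_mask: str = "destination"          # or "source-destination"
    cache: Dict[Tuple[str, ...], str] = field(default_factory=dict)
    routed: int = 0
    switched: int = 0
    dropped: int = 0

    def _key(self, pkt: Packet) -> Tuple[str, ...]:
        if self.flow_mask == "destination":
            return (pkt.dst,)
        if self.flow_mask == "source-destination":
            return (pkt.src, pkt.dst)
        raise ValueError(f"unknown flow mask {self.flow_mask!r}")

    def forward(self, pkt: Packet) -> Optional[str]:
        key = self._key(pkt)
        if key in self.cache:                # flow already known: switched
            self.switched += 1
            return self.cache[key]
        self.routed += 1                     # first packet of the flow: routed
        egress = self.router(pkt)
        if egress is None:
            self.dropped += 1                # denied packets are never cached
            return None
        self.cache[key] = egress
        return egress


def run_scenario(flow_mask: str) -> Tuple[int, int, int, Optional[str]]:
    """Send a permitted host's traffic first, then a packet from the denied
    source to the same destination. Returns (routed, switched, dropped,
    egress handed to the denied packet)."""
    sw = FlowCache(make_router(ROUTES, DENIED_SOURCES), flow_mask)
    sw.forward(Packet("10.0.1.5", "10.0.3.20"))   # routed, flow cached
    sw.forward(Packet("10.0.1.5", "10.0.3.20"))   # same flow, switched
    denied = sw.forward(Packet("10.0.2.9", "10.0.3.20"))
    return sw.routed, sw.switched, sw.dropped, denied


if __name__ == "__main__":
    for mask in ("destination", "source-destination"):
        print(mask, run_scenario(mask))
```

With the destination-only mask the denied packet is handed "Vlan3" straight from the cache; with the source-destination mask it is routed again and dropped.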
RE: ISL and MTU [7:6059]
Well George, since nobody else answered, I'll help here. Your logic is a little backwards here. By lowering your MTU, you may remove the label of baby giants on some of your data (now maybe they'll be giants), but that is all. Actually, by doing this, you will cause (at least in theory) additional issues. ISL will actually add 30 bytes, so by moving the MTU DOWN 30, you are compounding the issue by now possibly having frames that are 60 bytes too big to be passed.

If you are running ISL, I would bump the MTU up to 1548, not lower it. This way, if the interface sees what was formerly considered a giant frame (1518 byte frame + ISL), then it will still be allowed to be forwarded as it is now an acceptable size based on your specified MTU of 1548.

Think of it this way: MTU is an absolute value. This means that the interface will look at the entire frame size including the ISL portion, not just the original data only.

Rik

-Original Message-
From: George Yiannibas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 6:05 AM
To: [EMAIL PROTECTED]
Subject: ISL and MTU [7:6059]

Hi group

I am currently studying for BCMSN 640-504 and I thought of this question:

If you reduce MTU from the default 1518 byte size to 1488 you will not get baby giant frames if using ISL. True or False?

This is not a question from any book or any exam and I have had it since I was studying for CCNA. Any input is welcome.

PS Thank you all in advance, this is a great forum and I learn something new every day!

George Yiannibas MCSE CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6150t=6059
Re: what's the RSM utilization and what slows down the network?
It is considered good form to leave VLAN1 only for management, although in small networks, it may not be as "critical". In a large network, however, doing this becomes very important. Here are some reasons why:

1) Keeps most/all SNMP traffic off of data VLANs
2) Adds an extra level of security, especially if you don't route to VLAN1
3) Most important - keeps all of the host-generated broadcasts from the switches, which serves to reduce CPU load on the switches by not having to look at every single broadcast

There are other reasons, but these are compelling enough to support this philosophy.

Rik

"David spalding" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

What? You want to move ALL workstations off VLAN 1 as this is a management VLAN and only switches/routers should use this? For your info, I have assigned quite a lot of PCs to VLAN 1 ports and I used VLAN 1 ports to connect to the WAN via routers too. Will it slow down the network?? Why??

somenosuke sh vlan

VLAN Name                             Status    IfIndex Mod/Ports, Vlans
---- -------------------------------- --------- ------- ------------------------
1    default                          active    5       1/1-2
                                                        3/5-17
                                                        4/1-6
                                                        5/1-6
2    VLAN0002                         active    83      3/18-19
                                                        4/7-17
                                                        5/7-17
3    VLAN0003                         active    84      3/20-21
                                                        4/18-24
                                                        5/18-24

Below is the sh int output. VLAN 2 has been decommissioned. Is that normal??

SOMENOSUKE sh int

Vlan1 is up, line protocol is up
  Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia 0090.92fd.9400)
  Description: ""
  Internet address is 100.100.45.253/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 115000 bits/sec, 43 packets/sec
  5 minute output rate 125000 bits/sec, 41 packets/sec
     331535286 packets input, 3135729531 bytes, 0 no buffer
     Received 7547855 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     451577502 packets output, 4089081283 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out

Vlan2 is up, line protocol is up
  Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia 0090.92fd.9400)
  Internet address is 100.100.170.253/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:02, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     33157120 packets input, 103412590 bytes, 0 no buffer
     Received 533647 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     33438811 packets output, 2522506402 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 output buffer failures, 0 output buffers swapped out

Vlan3 is up, line protocol is up
  Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia 0090.92fd.9400)
  Internet address is 100.100.171.253/24
  MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive set (10 sec)
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:03, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 125000 bits/sec, 42 packets/sec
  5 minute output rate 11 bits/sec, 40 packets/sec
     409420811 packets input, 1385306767 bytes, 0 no buffer
     Received 1232865 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     277329303 packets output, 3156818548 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
RE: Performance Comparison between Linux OS Firewall and Cisco PIX 525
But that just proves my point - you *can't* set up a DNS server on a PIX, so it becomes a non-issue with a PIX. Besides, I think everybody I know has done something that they know not to be the best thing but do it because it is a quick and easy solution. Don't get me wrong - I like Linux. The real problem I see with network security is not so much technology, but human nature. The PIX by design removes many of the holes that human nature can drag us into. A simple case of less is more.

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 24, 2001 11:02 PM
To: [EMAIL PROTECTED]; Rik
Subject: Re: Performance Comparison between Linux OS Firewall and Cisco PIX 525

While I agree that for an enterprise I would choose PIX over Linux for firewall purposes, if your friends configured a Linux firewall and ran other services on it, they may be good Linux admins but they don't know much about security. There is _no_ good reason to run unnecessary services on a firewall. Period. Wintel hardware is too inexpensive to use any argument that a box serving as a firewall needs to run DNS, FTP, SMTP, etc. The only service other than ipchains that a Linux firewall should run is SSH. This gives you all the remote administration of the box you need and makes the box very secure.

-Kent

On 23 Mar 2001, at 9:24, Rik wrote:

I have seen way too many Linux firewalls hacked as a result of mis-administration. Now, I'm not assuming anything about your abilities, as the last confirmed hack that I was notified about was a Linux FW set up by 2 guys that I know to be excellent Linux admins. The problem is the inherent nature of the beast. A PIX is totally secure right out of the box. The last Linux hack I speak of was hacked based on an exploit within BIND and had nothing to do with the FW policy. I also find the PIX to be MUCH easier to configure and set up. I can do in only a few lines of code what could possibly take pages and pages of code in Linux. When talking about firewalls, simplicity is a critically important concern. One compromise could easily remove any upfront cost advantage Linux has over Cisco. Also, you don't have to be concerned with shutting down unused services on a PIX as you would on Linux. Go with the PIX. It was designed from the ground up to do just what it does: protect your network. Cisco claims that a properly configured PIX has never been compromised. I believe them.

Rik

"Sean Young" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

Hi Everyone,

My company is putting me in charge of implementing a firewall for our company. One guy in my networking group is recommending the PIX Firewall. Furthermore, he also recommends a Cisco web-caching engine. His reason is that not only is Cisco a good firewall but it also provides VPN connectivity to our remote sites. Myself, on the other hand, I would like to implement a Linux-based OS firewall along with the FreeS/WAN VPN feature set. My reason is that a Linux firewall can provide everything a Cisco PIX does and even more. In terms of hardware, the Linux firewall/VPN/IPSec box will be running a dual-processor (800MHz) with 1GB of RAM. I just feel that I can get a lot more for the amount that we are going to spend with Linux than with a Cisco PIX. I also feel that I can tweak the source code of the Linux kernel to increase the performance and security. Also, instead of purchasing the Cisco web-caching engine, I am thinking of building another Linux box that will be running a squid (web-caching) server. Don't get me wrong, I think Cisco has a lot of good products in the area of routing; however, I just don't think it is necessary to throw away money at Cisco when I know that Linux or BSD can do the same job that the PIX and Cisco web-caching engine do but for much less, and also I can control the source code.

Has anyone had experience with both the Linux/BSD, Squid and Cisco PIX, Cisco web-caching engine so that you can give advice on what I should do? I am open to your suggestions. Many thanks.

Sean
certificationzone.com
I'm having problems getting to the certificationzone website. Anybody else experiencing this?

Rik