RE: 3550 EMI [7:50103]

2002-07-30 Thread Rik Guyler

My only gripe with the 3550 series is that they once again changed some of
the commands to do the same stuff.  For example, to upgrade the IOS, the
image now resides in a folder in flash and you use the archive command
with several possible options.  Fallback bridging is another one that
really threw me for a loop.  I didn't think this thing would bridge IPX at
first...

Other than that, I think this box rocks!  

Rik

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, July 30, 2002 10:29 AM
To: [EMAIL PROTECTED]
Subject: Re: 3550 EMI [7:50103]


just getting into it. 1500 pages of documentation to read :-O

They do IGRP, EIGRP, RIPv1, RIPv2, and OSPF. Don't believe the output of the
router ?

BGP is expected to be released real soon now, but according to Cisco
people I've spoken to, it will not be a full featured release. Limitations
as to the number of routes processed and stored, for example ( due to the
physical limitations of the switch ) I.e. don't expect to get full BGP
routes over your DSL connection.

Chuck


Symon Thurlow wrote in message news:[EMAIL PROTECTED]...
 Anyone played with the new 3550 EMI switches? They report layer 3 
 routing etc.

 Symon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50220&t=50103
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



RE: ADSL - unable to reach URL's [7:50068]

2002-07-29 Thread Rik Guyler

Chances are this is NOT a DNS issue.  Try to PING www.cisco.com by name and
see if you get name resolution.  If you resolve the name to an address then
DNS is not at fault here.

I believe that your issue is more likely caused by an MTU problem.  PPPOE
requires 8 bytes of overhead and so your MTU now must be set to 1492 or
less.  The reason you can PING anything you want to is that your IP stack
will typically use a small transmission size for ICMP (PING) by default.
You can test this by typing ping /? on a Windows host to get the correct
syntax and then change the transmission size to 1500 and see if the PING
still works like it did. 

-Original Message-
From: Derrick Monahan [mailto:[EMAIL PROTECTED]] 
Sent: Monday, July 29, 2002 6:10 PM
To: [EMAIL PROTECTED]
Subject: ADSL - unable to reach URL's [7:50068]


I have been setting up a DSL connection for a home user, but he is currently
unable to reach ANY website. I am able to ping IP addresses of servers on
the internet and get a reply. But, neither IE nor Netscape is able to reach
a single page (via IP or Name).

The DHCP server gives his adapter an IP address and gateway of the same
address. The subnet is a /24. He is using the PPPoE adapter and no router or
firewall exists at his site. I hardcoded the DNS server addresses to ensure
DNS name resolution, but this did not fix anything.

If you have any recommendations please reply. This should be a simple task
to complete, but obviously I am missing something.

Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50081&t=50068



OT - PPPOE on a PIX [7:50085]

2002-07-29 Thread Rik Guyler

Has anybody had a problem with PPPOE on a PIX 506 running 6.2(1) code?  My
problem appears to be MTU-related - I can PING all day but HTTP only brings
up about a third of the sites I browse.  There is a caveat in the docs about
MTU dropping to 1492 with PPPOE, which is supposed to happen automagically
but I tried to hard-code it and still the same problem.

I opened a case with TAC but the engineer hasn't given me any good info.
6.2(2) is out so I'll try to upgrade it Wednesday but I thought maybe
somebody else has run into this before.

Rik




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50085&t=50085

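A small model of the MTU reasoning in the ADSL thread and the PIX PPPoE thread above, added here as an example and not taken from the posts. It assumes an Ethernet MTU of 1500, 8 bytes of PPPoE overhead and the 32-byte Windows ping default, and shows why small echo requests get through while full-size HTTP segments with DF set vanish when the ICMP "fragmentation needed" error never reaches the sender.

```python
"""PPPoE MTU / path-MTU model (constructed example, not from the posts)."""
from dataclasses import dataclass

ETHERNET_MTU = 1500           # IP bytes an Ethernet frame carries
PPPOE_OVERHEAD = 6 + 2        # 6-byte PPPoE header + 2-byte PPP protocol id
IPV4_HEADER = 20
ICMP_HEADER = 8
TCP_HEADER = 20
WINDOWS_PING_PAYLOAD = 32     # default data size of ping on a Windows host


def pppoe_mtu(link_mtu=ETHERNET_MTU):
    """Largest IP packet that fits inside a PPPoE-encapsulated frame (1492)."""
    return link_mtu - PPPOE_OVERHEAD


def tcp_mss_for_mtu(mtu):
    """TCP MSS that keeps a full segment within the given IP MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


@dataclass
class Packet:
    total_len: int   # IP total length, header included
    df: bool         # Don't Fragment bit


def icmp_echo(payload):
    """Echo request as ping sends it by default: small and without DF."""
    return Packet(IPV4_HEADER + ICMP_HEADER + payload, df=False)


def tcp_segment(mss, df=True):
    """Full-size data segment; modern stacks set DF for path MTU discovery."""
    return Packet(IPV4_HEADER + TCP_HEADER + mss, df=df)


def forward(pkt, mtu, icmp_error_reaches_sender):
    """What happens to pkt on a link with the given MTU.

    "delivered"        fits as-is
    "fragmented"       too big, DF clear, router fragments it
    "icmp-frag-needed" too big, DF set, sender gets the ICMP error and adapts
    "black-hole"       too big, DF set, ICMP error filtered: silent loss
    """
    if pkt.total_len <= mtu:
        return "delivered"
    if not pkt.df:
        return "fragmented"
    return "icmp-frag-needed" if icmp_error_reaches_sender else "black-hole"


def diagnose(host_mtu, link_mtu=ETHERNET_MTU, icmp_ok=False):
    """Outcome for a default ping and for an HTTP data segment from a host
    whose interface MTU is host_mtu, behind a PPPoE link."""
    path_mtu = pppoe_mtu(link_mtu)
    ping = icmp_echo(WINDOWS_PING_PAYLOAD)
    http = tcp_segment(tcp_mss_for_mtu(host_mtu))
    return {
        "path_mtu": path_mtu,
        "ping": forward(ping, path_mtu, icmp_ok),
        "http": forward(http, path_mtu, icmp_ok),
    }


def df_probe_payload(mtu):
    """ICMP data size whose echo request exactly fills mtu bytes."""
    return mtu - IPV4_HEADER - ICMP_HEADER


def windows_df_probe(host, mtu):
    """Windows ping syntax (see ping /?): -f sets DF, -l sets the data size.
    A reply at this size proves the path carries mtu-byte packets unfragmented."""
    return "ping -f -l %d %s" % (df_probe_payload(mtu), host)
```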


RE: Can get it to work (Pix 515 behind cable modem [7:49845]

2002-07-27 Thread Rik Guyler

This reply is a long one!

Please allow me to clear up a couple of misconceptions I have read on this
thread.

First, while it is true a PIX blocks everything by default, this only
applies to inbound traffic initiated from the outside.  Outbound sessions
initiated from the inside are all allowed out by default with no access
lists needed.  Your config looks okay in this regard.  The only thing you
might want to do is add access-list outside permit icmp any any echo-reply
and access-group outside in interface outside to allow PING responses to
come back in for testing connectivity.

Second, even though the nat (inside) 0 has nat in the line, this doesn't
mean specifically that you are using nat (one-to-one translation).  It's
actually the global statement that defines whether NAT or PAT is used.
When a single address (or interface option) is used in this statement, PAT
is used as is indicated by the console message that appears.  Otherwise, if
a range of addresses is used, nat will be enabled.  This could be a problem
if you use a range and don't back it up with another global statement with
just a single address for PAT (PAT is also called NAT overload) as the first
hosts to connect will use up the NAT addresses and no other connections will
be allowed.  Unless, of course, you have as many public addresses as you
have internal hosts.  Your config looks fine in this regard also.

The only thing I might question is your use of the following lines:

dhcpd auto_config outside
sysopt connection permit-ipsec
sysopt connection permit-pptp 

None of these is necessary and may be causing a problem.  I would remove
these and see if it resolves anything for you.  Also, be sure to cycle the
power on the PIX.  I have to do this more and more on Cisco boxes as they
get more complex and bloated with functionality.  

I have seen weirdness with PIXes before.  One such time I saved the config,
erased and rebooted the PIX, and then pasted the config back in to have it
work fine at that time.  Re-flashing the code has also fixed oddball
problems for most of us on this list from time to time.

Using show interface will give you a bunch of info including addressing
you're getting from the ISP and show route will give you the default route
you supposedly pull down from them.  Are you sure you're not using PPPOE?
If so, this requires a totally different config.  Otherwise, with the
exception of the 3 lines I mentioned earlier, your config looks good.

One question - why did you turn off fixup on SMTP?  This is generally a good
thing.  I would check this feature out unless you already know that you
need it turned off.

Good luck!

Rik

-Original Message-
From: Mark W. Odette II [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 4:30 PM
To: [EMAIL PROTECTED]
Subject: RE: Can get it to work (Pix 515 behind cable modem [7:49744]


From what I can see, you've initiated NAT, but didn't define a NAT Pool of
addresses.  So, I can only deduce that the PIX is defaulting to PAT
operation rather than just not allowing traffic across the PIX at all.
(wasn't that nice of Cisco :-] )

I'm just starting to study the ins/outs of PIX, so I could be wrong.

Try defining a NAT Pool, and see what happens; let us know!

Mark

-Original Message-
From: Kevin O'Gilvie [mailto:[EMAIL PROTECTED]] 
Sent: Friday, July 26, 2002 12:20 AM
To: [EMAIL PROTECTED]
Subject: Can get it to work (Pix 515 behind cable modem) [7:49744]

Dear All,

Below is my config.
Can someone tell me why clients on the inside interface can't get to the 
internet (browse, ping, nothing)
Yet show xlate shows clients Pat(ing) to outside address..
I am so frustrated, don't know what's the issue???!!!

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname pixfirewall
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
pager lines 24
logging on
logging trap debugging
logging host inside 192.168.0.2
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside dhcp setroute
ip address inside 192.168.0.1 255.255.255.0
ip address dmz 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
timeout xlate 0:30:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server 

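Rik's point about the global statement deciding NAT versus PAT, and the pool-exhaustion caveat, as an added example rather than anything from the posts or from PIX code. It is a simplified allocator: a range global hands out one-to-one translations until the range is used up, a single address or "interface" global is used for PAT, and the outside interface address is a constructed stand-in for whatever DHCP assigned.

```python
"""Simplified PIX 6.x nat/global allocation model (constructed example)."""
import re
from ipaddress import IPv4Address

GLOBAL_RE = re.compile(
    r"^global \((?P<ifc>\w+)\) (?P<id>\d+) (?P<spec>interface|[\d.]+(?:-[\d.]+)?)$"
)
# Constructed stand-in for the address the outside interface got via DHCP.
OUTSIDE_IF_ADDR = "203.0.113.1"


class PixNatModel:
    def __init__(self, global_lines, pat_port_base=1024):
        self.pool = []          # addresses from a range global: one-to-one NAT
        self.pat_addr = None    # single address or "interface": PAT
        self.nat_xlates = {}    # inside host -> global address
        self.pat_xlates = {}    # inside host -> (global address, port)
        self.next_port = pat_port_base
        for line in global_lines:
            m = GLOBAL_RE.match(line.strip())
            if not m:
                raise ValueError("unrecognised global line: %r" % line)
            spec = m.group("spec")
            if spec == "interface":
                self.pat_addr = OUTSIDE_IF_ADDR
            elif "-" in spec:
                lo, hi = (int(IPv4Address(a)) for a in spec.split("-"))
                self.pool.extend(str(IPv4Address(i)) for i in range(lo, hi + 1))
            else:
                self.pat_addr = spec

    def translate(self, inside_host):
        """Translation used for an inside host's outbound traffic, or None
        when the NAT range is exhausted and no PAT global exists."""
        if inside_host in self.nat_xlates:
            return ("nat", self.nat_xlates[inside_host])
        if inside_host in self.pat_xlates:
            return ("pat",) + self.pat_xlates[inside_host]
        used = set(self.nat_xlates.values())
        free = [a for a in self.pool if a not in used]
        if free:                      # range addresses are consumed first
            self.nat_xlates[inside_host] = free[0]
            return ("nat", free[0])
        if self.pat_addr:             # fall back to PAT if a single address exists
            entry = (self.pat_addr, self.next_port)
            self.next_port += 1
            self.pat_xlates[inside_host] = entry
            return ("pat",) + entry
        return None


def hosts_that_get_out(global_lines, inside_hosts):
    """Inside hosts that receive a translation, in connection order."""
    model = PixNatModel(global_lines)
    return [h for h in inside_hosts if model.translate(h) is not None]
```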
RE: Quick Vlan question [7:49533]

2002-07-24 Thread Rik Guyler

There are some router models that have 10Mb interfaces that support trunking
(Dot1Q).  What differentiates them is the IOS feature set.  You need IP+ on
some of the older models whereas most of the newer models have 100Mb
interfaces and support trunking with just the IP feature set.

If your router is a Cisco device and it turns out it will support trunking,
then once you setup the trunking parameters, you would then create
sub-interfaces for each VLAN.

Rik

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, July 24, 2002 6:33 PM
To: [EMAIL PROTECTED]
Subject: RE: Quick Vlan question [7:49533]


maine dude wrote:
 
 Hi,
 
 If I have two Vlans and want to route between them using an external 
 router, but the router has only 10mb ports, how can it be done? I 
 can't use ISL or 802.1q because it isn't supported on 10mb/s ports,
 correct? Does every Vlan need a separate physical connection?
 or do i use sub interfaces?

You say 10mb ports, i.e. plural. If the router has two ports, use them both,
one for one VLAN and one for the other. It's as simple as that.

I have this same problem in my home lab due to ancient equipment. I simply
put e0 on the router in subnet 172.16.10.0 and e1 on the router in subnet
172.16.50.0.

I connect one of my switches to the router using two ports on the switch,
one going to e0 and one going to e1 on the router. These don't even have to
be trunk ports, just any old ports.

On the switch I have some devices in VLAN 1 (172.16.10.0) and some in VLAN 2
(172.16.50.0). The devices use the appropriate router address for their
default gateway.

I have the switch connected to another switch in a redundant fashion to get
some practice with trunking, etc., but the router just acts like an ordinary
router from the pre-VLAN days when life was simple. ;-)


Priscilla Oppenheimer
http://www.priscilla.com


 
 please advise.
 
 thank you
 
 -DJ
 
 
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49597&t=49533



RE: Security hazard?? [7:45731]

2002-06-04 Thread Rik Guyler

Pete, bear in mind that this document is 2 years old.  The IOS version on
the switch was 11.2.  Anybody care to speculate on how much has changed
since 11.2?  How about the changes in Dot1Q since then?

Nonetheless, I don't get a warm and fuzzy feeling with separating external
and internal traffic with VLANs.  I like physical separation coupled with
firewall protection.  I believe it's not just protecting what has been
hacked already but minimizing what can be hacked in the future.

Rik

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 1:18 PM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


Interesting indeed.  I hadn't seen that before. This is obviously an 
architecturally flawed implementation.  Ideally, the CAM (MAC) table should 
be fully isolated to prevent unwanted forwarding and ports not considered 
trunks shouldn't accept tagged packets.  I assume folks are working on 
this, but at this time, it would look like securing a topology of this 
nature requires some additional effort.

Thanks for the link

Pete


At 12:31 PM 6/4/2002 -0400, Eric Rivard wrote:
if you do not have IP routing on the VLANs you can still hop from one VLAN
to another. See this article for more info:
http://www.sans.org/newlook/resources/IDFAQ/vlan.htm

-Original Message-
From: Peter van Oene [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, June 04, 2002 8:41 AM
To: [EMAIL PROTECTED]
Subject: RE: Security hazard?? [7:45731]


Assuming the untrusted VLAN offers no IP connectivity to its control
engine (ie the routed aspects are not reachable therein) what
vulnerabilities exist here?   With no routing on the VLAN, I'm not exactly
sure how one gets from untrusted to trusted without traversing the
Firewall.  The only limitation I see here would be one of either poorly
implemented VLAN technology on the part of the vendor, or fat fingering on
the part of the administrator.

Pete




At 11:06 AM 6/4/2002 -0400, Robert A. McIntire wrote:
 If I understand what you're describing, it sounds like you've pretty well
 by-passed the firewall.  As a general comment, it seems pointless to have a
 firewall if you're not going to utilize it with sound network security
 design.
 I think I understand what you're trying to do, but you may want to rethink
 the reasoning.
 Your VLANs ( on the same devices ) are a very thin security veil between
 the trusted and untrusted networks.  Without a net diagram, we can only
 speculate.  But, I'm guessing that the most secure you can be with this
 physical config is to pin strong ACLs to the outside interfaces of the 3640
 access routers.  You could also pin ACLs to the VLAN interfaces to filter
 unwanted traffic.  What kind of capability do these switches have?  Have you
 considered the IOS firewall ( CBAC ) for the edge routers?
 
 I think a tech support call to your firewall vendor may be an eye-opening
 experience.  Send them a diagram of what you've got and see if it's a
 network design scenario that they support.  I assume the 2 3640s are being
 used redundantly with HSRP?  If so, why not consider a second, redundant
 firewall and place them both in-line between the edge routers and the
 internal LANs?
 
  HTH,  Bob McIntire
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
 Craig Columbus
 Sent: Tuesday, June 04, 2002 9:42 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Security hazard?? [7:45731]
 
 
 Do I understand you correctly that your 6808s have both internal (secure)
 and external (unsecure) traffic on them, separated only by VLAN?
 
 At 09:30 PM 6/3/2002 -0400, you wrote:
  All,
  
  We have two 3640's and two Extreme Black Diamond 6808's (aka 6509's).
  The two 3640's are doing IBGP between them on each of their eth0's.  I
  have created a vlan on the Extremes called 'unsecure'(there are only 2
  ports on each Extreme in this vlan... one coming in from the 3640 and
  the other going into the firewall).  I am getting some complaints from
  the 'uppers' that bringing the 3640's into the Extreme's is a security
  hazard.
  
  I am sure someone is now working on a way to hack from one vlan to the
  next, but for now, I don't see the difference between putting a hub in
  there and using a couple of ports on these monster
  'almost-never-go-down' switches.  I just don't want another unmanaged
  piece of equipment in the flow.
  
  Has anyone ever heard of this being a leak.  I worked in a datacenter
  before and this is what we did with 6509's and we didn't blink!  I know
  these are Extreme switches... which is probably taboo in the group, but
  I am pretty sure this would be platform independent... right
  
  Thanks,
  
  bk




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45768&t=45731

RE: VLANS [7:42932]

2002-05-01 Thread Rik Guyler

Well, you can, just like you can put 2 physical segments in the same logical
(IP) network.  Of course, the question begs to be asked, why? as this
doesn't give you anything.  You won't be able to do much with it except
bridge the traffic and then you kill the entire rationale behind VLANs.
After all, without VLANs, aren't you just bridging/switching the traffic to
begin with?

I suggest you read up on VLANs on CCO.  You will find that they really act
like physical segments (with a few arcane exceptions) and shouldn't be
treated any other way, including routing between them.

Rik

-Original Message-
From: Rizzo, Damian [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 8:11 PM
To: [EMAIL PROTECTED]
Subject: VLANS [7:42932]


Hey all, got a quick question regarding VLANS. Can you create multiple
VLANS in the same subnet? 
 
For instance if you have RouterA--VLAN1-- VLAN2--etc... Can both VLAN 1
and 2 be in the same subnet?
 
 Thank you.
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42960&t=42932



RE: Trunking over Aironet bridge? [7:42833]

2002-04-29 Thread Rik Guyler

I agree.  Change the MTU on the bridges.  I have a customer with 5 remote
sites connected via 802.11b and trunking across all 5 and I have to increase
the MTU.  

What I would love to see is an update to the Aironet code that supports the
actual trunking header so my bridge management interfaces could be on a
non-native VLAN.  I tend to make the native VLAN (Dot1Q) the most active
VLAN and not the default VLAN 1.  Unfortunately, in this scenario, the
bridges won't communicate in VLAN 1 as these frames will be tagged and the
bridges don't understand the tags.

Maybe some day...

Rik

-Original Message-
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 29, 2002 9:19 PM
To: [EMAIL PROTECTED]
Subject: RE: Trunking over Aironet bridge? [7:42833]


An ISL frame can be as big as 1518 + 30 = 1548 bytes. The original frame is 
encapsulated in a 26-byte header and a 4-byte CRC.

An 802.1Q frame can be as big as 1522 bytes. 802.1Q inserts a 4-byte header 
immediately after the destination and source MAC addresses (and source-routing 
information, if present) of the frame to be transmitted, which could have 
already been 1518 bytes.

Priscilla

At 05:24 PM 4/29/02, Marko Milivojevic wrote:
  yes, you must change the default frame size on the ethernet side of both
  bridges to 1522 (default 1518). As far as the radio is concerned it will pass
  the frames out over the wireless. You will need a switch on the other end of
  the bridge to receive the frames and break out the vlans.

 That would be required for ISL, but 802.1q should go with no changes?


Marko.


Priscilla Oppenheimer
http://www.priscilla.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42872&t=42833

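The frame sizes Priscilla gives above, and Pete's point in the "Security hazard" thread that ports not configured as trunks should not accept tagged frames, as one added example (not code from the posts or from any vendor). It builds and parses 802.1Q frames with Python's struct module, shows why a bridge still set to 1518 bytes drops a maximum-size tagged frame, and flags tagged or nested-tag frames arriving on a non-trunk port; MAC addresses and payloads are constructed.

```python
"""802.1Q frame construction, parsing and port checks (constructed example)."""
import struct

TPID_8021Q = 0x8100
MAX_UNTAGGED_FRAME = 1518                          # 14 header + 1500 payload + 4 FCS
TAG_LEN = 4
MAX_TAGGED_FRAME = MAX_UNTAGGED_FRAME + TAG_LEN    # 1522, as the post says
MAX_ISL_FRAME = MAX_UNTAGGED_FRAME + 26 + 4        # 1548: ISL header + ISL CRC


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def build_frame(dst, src, ethertype, payload, vlans=()):
    """Ethernet frame (FCS not included) with zero or more 802.1Q tags.
    Each tag sits right after the source MAC, outermost first."""
    frame = _mac_bytes(dst) + _mac_bytes(src)
    for vid in vlans:
        if not 0 <= vid <= 4094:
            raise ValueError("VLAN id out of range: %d" % vid)
        tci = vid                    # PCP = 0, DEI = 0, VID in the low 12 bits
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [vlan ids outermost first], ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    off, vlans = 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated header")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype != TPID_8021Q:
            break
        if off + TAG_LEN > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vlans.append(tci & 0x0FFF)
        off += TAG_LEN
    return fmt_mac(dst), fmt_mac(src), vlans, etype, frame[off + 2:]


def wire_length(frame):
    """Bytes on the wire once the 4-byte FCS is appended."""
    return len(frame) + 4


def bridge_accepts(frame, max_frame=MAX_UNTAGGED_FRAME):
    """A bridge left at the 1518-byte default drops a max-size tagged frame."""
    return wire_length(frame) <= max_frame


def port_violation(frame, port_is_trunk):
    """None when the frame is acceptable on this port, otherwise the reason:
    an access port should never see a tag, and nobody should see nested tags."""
    vlans = parse_frame(frame)[2]
    if len(vlans) > 1:
        return "nested-tags"
    if vlans and not port_is_trunk:
        return "tagged-on-access-port"
    return None
```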


RE: Gigabit GBIC for 3550 [7:42680]

2002-04-26 Thread Rik Guyler

Geez...all you guys had to do was ask!  ;-}

Rik

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: Re: Gigabit GBIC for 3550 [7:42680]


do great minds think alike, or what ;-

( see my response to the same question )

Chuck

P.S. happy Friday, everyone.


MADMAN wrote in message news:[EMAIL PROTECTED]...
 I think the answer is in here:


http://www.cisco.com/warp/public/cc/pd/si/casi/ca3500xl/prodlit/gbic_ds.htm

   Dave

 Brian Zeitz wrote:
 
  If I wanted to connect 2 Cisco 3550 switches together, would I need 1
  Gigabit stacking GBIC or 2? I think I need 2 of them. I am trying to
  find out exactly what I need to hook together (2) 3350 (24 port) with 2
  GIG ports.  The part number I'm looking at is CIS-WS-X3500-XL, is this
  all I would need? Any help would be appreciated...
 
  Brian
 --
 David Madland
 Sr. Network Engineer
 CCIE# 2016
 Qwest Communications Int. Inc.
 [EMAIL PROTECTED]
 612-664-3367

 Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=42726&t=42680



RE: SSH RSA key [7:40297]

2002-04-03 Thread Rik Guyler

Don't forget the ca save all command to save the key once you generate it.
Otherwise it will go away when you reboot the PIX.

Rik

-Original Message-
From: Mark Odette II [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 2:21 AM
To: [EMAIL PROTECTED]
Subject: RE: SSH RSA key [7:40297]


John, I have some new info, but also some info that we were told via the
list response last yesterday.

1. From the Cisco PIX FW Command Reference for 6.1:
 The 'ca generate rsa' command is not saved in the PIX Firewall
configuration.  However, the keys generated by this command are saved in a
persistent data file in Flash memory, which can be viewed with the 'show ca
mypubkey rsa' command. Page 3-10
-- the 'show ca mypubkey rsa' command is what you issue to view your SSH RSA
key.  It should actually show you two keys, which are labeled : General
Purpose Key, and Encryption Key i.e., Public/Private key pair.

2. From the same reference:
Note- You must generate an RSA Key-Pair for the PIX Firewall before clients
can connect to the PIX Firewall Console.  To use SSH, your PIX Firewall must
have a DES or 3DES activation key installed. Page 7-17

3. From the same reference:
The 'SHOW FLASHFS' command displays the size in bytes of each filesystem
sector and the current state of the filesystem.  The data in each sector is
as follows:

*file 0 - PIX FW binary image, where the .bin file is stored.
*file 1 - PIX FW config data that you can view with the 'show config'
command.
*file 2 - PIX FW datafile that stores IPSec key and certificate information.
*file 3 - 'FlashFs downgrade' information for the 'show flashfs' command.
Page 4-34

Now interestingly enough, it doesn't mention anything about what File 4
is, as shown by the following output on my personal PIX:

cisco-pix# show flashfs
flash file system:  version:2  magic:0x12345679
  file 0: origin:   0 length:2469944
  file 1: origin: 2490368 length:4183
  file 2: origin:   0 length:0
  file 3: origin: 2621440 length:3528136
  file 4: origin: 7864320 length:280
cisco-pix#

.. and if you notice, File 2 seems blank, yet I have generated
an RSA key, and then reconnected to my PIX with an SSH client to get the
output of the Show FlashFS command.  I suspect the RSA key data is being
kept in the File 4 of my PIX Flash filesystem.

for a Cisco Router, I'm not sure where the RSA key data is kept, but I would
not be surprised if it is kept on the Flash Filesystem there too.  Of
course, watch me be wrong, and it's kept in NVRAM.

Hope that answered your questions.

-Mark Odette II
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
John Green
Sent: Wednesday, April 03, 2002 12:16 AM
To: [EMAIL PROTECTED]
Subject: SSH RSA key [7:40297]


how to read the SSH RSA key in pix and a cisco router
?

what is the command and where is it stored ? nvram ?





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40397&t=40297



RE: Radius and Win2K IAS [7:40336]

2002-04-03 Thread Rik Guyler

James, I have done this with NT 4.0 and doubt that it really differs much
with Windows 2000.  In my opinion, the MS RADIUS product is very basic but
if all you want is authentication then it should work just fine for you,
especially as it's free and lightweight.  Different devices are setup in a
different fashion for RADIUS so there is no magic one command fits all
method.

Rik

-Original Message-
From: Fraasch James [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 03, 2002 11:35 AM
To: [EMAIL PROTECTED]
Subject: Radius and Win2K IAS [7:40336]


I have a quick question about Radius Authentication and the Win2K Server
Internet Authentication Service (IAS). We have finally decided to go with
Radius authentication for our network equipment.  This after my boss asked
me to change all the passwords and add usernames to every switch and router
in the network (over 300 devices) and I was supposed to do this every 90
days.  So I asked him if we could look into Radius Authentication.  It looks
quite simple but I am not sure if there are any tips or tricks that I need
to know about Cisco devices authenticating to a Win2K IAS service.  I am
sure someone in this group has come across this and was hoping you could
tell me of any pitfalls or 'gotchas' before I get started.

Thanks in advance!

James




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40399&t=40336



RE: PIX VS CheckPoint [7:40136]

2002-04-02 Thread Rik Guyler

One point I believe should be mentioned is the different levels of
awareness each product brings to the table.  One of the strengths of the
PIX becomes its primary weakness: the lack of true integrated
application-level awareness.  While this lack makes the PIX much faster than
say Checkpoint, you don't have nearly as many options such as virus
scanning, content scanning, etc.  Rather, you are required to rely upon
additional products to handle what Checkpoint has built-in.  I know that the
PIX has a few built-in features (such as MailGuard), but the selection is
rather slim.

With that said, I'm really a PIX person so don't get the wrong impression.
;-)

Rik  

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 02, 2002 7:08 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX VS CheckPoint [7:40136]


On the other hand, there's a distinct third option, which is to run
Checkpoint on a dedicated hardware appliance, for example the Nokia Ipso
line of gear.  This removes one of the Checkpoint disadvantages (don't need
to know Unix or NT), but introduces another disadvantage (less flexible -
you should have included in your advantages that regular Checkpoint is more
flexible than Pix because you can integrate it with Unix and enjoy all the
features of Unix, but of course with a Nokia, you don't have that).  In
fact, the Pix and the Nokia Checkpoint are so close that it's almost a wash.
I believe the Pix is faster, but the Nokia Checkpoint is still more flexible
(but not as flexible as Checkpoint software).



Nurudeen Aderinto wrote in message news:[EMAIL PROTECTED]...
 Dear x,

 I love your presentation. You spoke well.

 Nurudeen
 x wrote in message news:[EMAIL PROTECTED]...
  I have setup and managed both PIX and Checkpoint in a
  variety of environments.  I think they are both solid
  options in different situations.  Here is how I market
  these products.
 
  PIX
  - more cost effective
  - fast
  - you can have fail over
  - Can be more complicated to setup the CLI, but PIX
  has a nice feature of allowing all traffic out and
  none in by default.
 
  Who would I market this for?
  I would target this as an ideal candidate for small
  companies with rulesets that don't change much.  They
  also need a Cisco savvy person to manage it, usually a
  consultant.  I am guessing you would fill this role.
  I have only made minor changes in the firewall I have
  managed for almost two years.
 
  Checkpoint
  - nice GUI for ruleset management
  - more expensive
  - required to know Unix or NT ( for the love of God
  don't use NT.  Its security is very poor out of the
  box and requires a great deal of configuration to
  become mildly secure )
 
  Who would I market this toward?
  I would target larger companies with Checkpoint.  It
  is easier to manage the ruleset, but more setup time
  and more costly.  I would also say this solution is
  slightly slower and more prone to security issues
  since you have to patch the OS and the firewall
  software.
 
 
  --- Jeffrey Reed  wrote:
   Has anyone performed or seen an in depth study of
   PIX vs Checkpoint? I have
   a customer who is looking at both. I've read various
   magazine articles, but
   nothing from real people such as this group! :)
  
   Thanks!!
  
   Jeffrey Reed
   Classic Networking, Inc.
   Cell 717-805-5536
   Office 717-737-8586
   FAX 717-737-0290
  [EMAIL PROTECTED]
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40262&t=40136



RE: root switch [7:39975]

2002-04-01 Thread Rik Guyler

I agree...always enter a specific value.  

Yonghai, there is one thing I want to clear up after reading your posts.
MAC address only comes into the root election process AFTER the bridge ID
selection process.  Since the default bridge ID on a Cisco switch will
always be the same value, MAC addresses are the only DEFAULT value that will
be unique.  Once you specify a given bridge ID, the MAC address is no longer
used for root election.

Rik

-Original Message-
From: Kris Keen [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 01, 2002 2:11 AM
To: [EMAIL PROTECTED]
Subject: RE: root switch [7:39975]


How about setting your priority to 1?

That will make it the root :D or even 0!
Default is 32768.

We always make ours 0 or 1, I never use set spantree root..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=40024&t=39975

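Root election as the thread above describes it, added as an example that is not from the posts: the bridge ID is compared as (priority, MAC), lowest wins, so with every switch left at the 32768 default the MAC alone picks the root. The switch names and MACs are constructed, and superior_bpdus() is the defender's check that nothing on the network advertises an ID better than the intended root.

```python
"""Spanning-tree root election model (constructed example)."""
DEFAULT_PRIORITY = 32768


def bridge_id(priority, mac):
    """Comparable bridge ID: priority first, then the MAC as an integer.
    Accepts both aa:bb:cc:dd:ee:ff and Cisco aabb.ccdd.eeff notation."""
    return (priority, int(mac.replace(":", "").replace(".", ""), 16))


def elect_root(switches):
    """switches: {name: (priority, mac)}. Returns the name of the root."""
    return min(switches, key=lambda name: bridge_id(*switches[name]))


def decided_by_mac(switches):
    """True when all priorities are equal, i.e. the MAC alone chose the root,
    which is the situation when nobody configured an explicit value."""
    return len({priority for priority, _ in switches.values()}) == 1


def superior_bpdus(intended_root, seen_bpdus):
    """intended_root: (priority, mac) of the switch meant to be root.
    seen_bpdus: iterable of (source name, priority, mac) observed on the LAN.
    Returns the entries whose bridge ID would win the election instead."""
    root_id = bridge_id(*intended_root)
    return [b for b in seen_bpdus if bridge_id(b[1], b[2]) < root_id]
```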


RE: If it's a 2611, you're out of luck [7:39788]

2002-03-31 Thread Rik Guyler

Mayo, I humbly must disagree with you.  The 2600 series does indeed require
IP Plus.  The newer 1700s (1721, 1760 probably) only require IP (I set up
trunking on a 1721 w/IP a couple of weeks ago), which makes them a perfect
choice for low-cost InterVLAN routing.

I have attempted to use IP but found the necessary configs missing.

Rik

-Original Message-
From: Mayo, Simer [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 9:37 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]


It should work with IP feature. IP Plus is not mandatory but recommended.

-Original Message-
From: Cisco Nuts [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 11:57 AM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]


So if I understand, a 2620 router with a Fast Ethernet intf. with IP Plus
feature set is reqd. to get trunking working, either isl or dot1q. Is this
absolutely true that you need IP Plus? Has anyone got it working with just
the IP feature set with ISL trunking? The reason I ask is the IP Plus
feature set requires more than 24Mb of mem. and I only have 24Mb on my
2620. Moreover, there are no feature sets for 11.3x on Cisco's site. That
could have helped :-)
Thank you.


From: James Wilson 
Reply-To: James Wilson 
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]
Date: Fri, 29 Mar 2002 10:35:59 -0500

I have a 1751 trunked to my c2924XL running IP/FW/IDS/PLUS/IPSEC/3DES and it
only supports dot1q trunking on the 100Mb interface.  Works like a champ,
though.

--
James D. Wilson, CCDA, MCP
Sr. Network/Security Engineer
non sunt multiplicanda entia praeter necessitatem
William of Ockham (1285-1347/49)


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Rik Guyler
Sent: Thursday, March 28, 2002 5:44 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]


Another bit of good info to know:

Traditionally, the 1700 series would not support trunking, either ISL or
Dot1Q.  That includes both the 1720 and 1750.  In these cases, you had to
purchase a 2600 with IP Plus, which is an expensive proposition to avoid the
necessity of 2 or more E/FE interfaces.

I just setup for a client a 1721 router which DOES support both trunking
encapsulations and does it with IP only IOS!  This is a huge savings over
the traditional options for inter-VLAN routing.  There are also new 1751 and
1760 models which I believe also support both modes of trunks.

Rik

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]


apparently last week some one on the list made the ethernets work
in a 2600 router at 10mb




Larry Letterman
Cisco Systems
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]


Vlan trunking requires a fast ethernet connection.  It cannot be trunked
with a 261X.  You'd need a 262X.

If you have to deal with a 2611, your options become much more limited.  You
could replace the 2611 with a 2620.  Or you could get an ethernet module for
the 2611.  Unfortunately, last time I checked (which was a couple years ago,
given) those ethernet modules came in two models, 1 and 4 port, and cost
about $1000 per port.

Another option would be to replace the 2611 with a 1750.  It's got one fast
ethernet port.  If this network is as small as it sounds, it'd be a viable
option.

Oh, and about trunking, the way it works is you define the switch port
connected to the router as a trunk.  This allows multiple (in your case,
all) vlans to use the one port.  The router is configured with subinterfaces
on the fastethernet port, one for each vlan.  The router can then route
between these vlans.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39985t=39788



RE: AS5301 modem question [7:39917]

2002-03-31 Thread Rik Guyler

Michael, I have not worked on a 5301, only a 5300 so I will tell you what I
know and maybe it will carry over.  Since nobody else has any ideas, maybe
this will help.

In a 5300, the T1 card is a different card than the modem card(s).  You said
this is a quad T1 card so you should see 4 T1 ports on a card by themselves
with maybe a couple of various other ports like console, etc.  The modem
cards, again on my 5300, had no ports to speak of.  They were accessed
directly via the backplane of the device.  In order to gather modem
information, type show modem at the enable prompt and this will output
individual modem stats as well as tell you how many modems you have.

If the 5301 is like the 5300, there are different modem options depending on
the options you ordered.  The 5300 could have up to 96 modems per card and
held up to 2 cards for a total of 192 modems in a single chassis.

Hope this helps!

Rik

-Original Message-
From: Michael Douglas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 31, 2002 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: AS5301 modem question [7:39917]


Does anyone have any ideas?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=3t=39917



RE: If it's a 2611, you're out of luck [7:39788]

2002-03-28 Thread Rik Guyler

Another bit of good info to know:

Traditionally, the 1700 series would not support trunking, either ISL or
Dot1Q.  That includes both the 1720 and 1750.  In these cases, you had to
purchase a 2600 with IP Plus, which is an expensive proposition to avoid the
necessity of 2 or more E/FE interfaces.

I just setup for a client a 1721 router which DOES support both trunking
encapsulations and does it with IP only IOS!  This is a huge savings over
the traditional options for inter-VLAN routing.  There are also new 1751 and
1760 models which I believe also support both modes of trunks.

Rik

-Original Message-
From: Larry Letterman [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: If it's a 2611, you're out of luck [7:39788]


apparently last week some one on the list made the ethernets work
in a 2600 router at 10mb




Larry Letterman
Cisco Systems
[EMAIL PROTECTED] 


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 10:15 AM
To: [EMAIL PROTECTED]
Subject: If it's a 2611, you're out of luck [7:39788]


Vlan trunking requires a fast ethernet connection.  It cannot be trunked
with a 261X.  You'd need a 262X.

If you have to deal with a 2611, your options become much more limited.  You
could replace the 2611 with a 2620.  Or you could get an ethernet module for
the 2611.  Unfortunately, last time I checked (which was a couple years ago,
given) those ethernet modules came in two models, 1 and 4 port, and cost
about $1000 per port.

Another option would be to replace the 2611 with a 1750.  It's got one fast
ethernet port.  If this network is as small as it sounds, it'd be a viable
option.

Oh, and about trunking, the way it works is you define the switch port
connected to the router as a trunk.  This allows multiple (in your case,
all) vlans to use the one port.  The router is configured with subinterfaces
on the fastethernet port, one for each vlan.  The router can then route
between these vlans.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39866t=39788



RE: Designated Port/Switch and Root Port?? [7:39811]

2002-03-28 Thread Rik Guyler

I'll try to explain this:

Think of a root port as the closest port to the root bridge on a given
BRIDGE.  Think of a designated port as the closest port to the root bridge
on a given SEGMENT.  This is the port used by all bridges on a given segment
to get to the ROOT.  Consider the following basic diagram to explain this
further with 1 root bridge, 3 non-root bridges and 3 segments:

|ROOT|--segment 1--|A|--segment 2--|B|--segment 3--|C|

The root port on bridge A is the closest int to ROOT - the int on the left.
The designated port on segment 1 is actually the int on ROOT that's in
segment 1.  The root port on Bridge B is the closest int to ROOT - the int
on the left.  The designated port on segment 2 is the closest interface to
ROOT in segment 2 - the int on the right side of bridge A.  The root port on
bridge C is the closest int to ROOT - the int on the left.  The
designated port on segment 3 is the port closest to ROOT - the int on the
right side of bridge B.

So, you wind up with something like a consistent and logical topology:

ROOT(DP)--(RP)A(DP)--(RP)B(DP)--(RP)C

The real distinction is knowing that a root port is a designation specific
to a switch and a designated port is specific to a segment.  To show this,
we can make the following modification to the above topology:

ROOT(DP)--(RP)A(DP)--(RP)B(DP)--(RP)C
|
|--(RP)D(DP)--(RP)E

In this case, there are 2 root ports in segment 2 but there will always be
ONLY 1 designated port per segment.  This is one of the foundational
concepts of STP.  Also, the ROOT will never have a root port, all non-root
bridges will have ONLY 1 root port (per VLAN) and there will ONLY be 1
designated port per segment (per VLAN).  Root ports send BPDUs and
designated ports receive BPDUs.

Hope this helps,

Rik

-Original Message-
From: Lomker, Michael [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 28, 2002 2:44 PM
To: [EMAIL PROTECTED]
Subject: RE: Designated Port/Switch and Root Port?? [7:39811]


 Hello, If every non-root bridge elects one root port to get to the
 root-bridge, then why do we still need a designated switch/port per
 segment? Do these two have different functions altogether? Thank you. 

I did a few searches on cisco.com and google and they appear to be different
words for the same thing.  I'll agree that the explanation I read in my
Examcram wasn't that explicit.

http://netcert.tripod.com/ccna/switches/2switch.html

Ports that have the lowest cost to the root bridge are called designated
ports.  The other ports on the bridge are considered non designated and will
not send or receive traffic, (blocking mode).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39870t=39811
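Added example, not code from either STP thread above: a small Python model of the two points Rik makes, that the root is elected on (priority, MAC) with the MAC deciding only when every priority is left at its default, and that each non-root bridge ends up with exactly one root port while each segment ends up with exactly one designated port. It runs on the five-bridge topology from Rik's second diagram (A, B, C, D, E under ROOT, with two root ports on segment 2). The bridge MACs, the 32768 default priority and a uniform 802.1D port cost of 19 are assumptions for the example.

```python
"""Added example: 802.1D root election and port roles on Rik's topology.
Not from the original posts; MACs, the 32768 default priority and the
uniform port cost of 19 (802.1D value for 100 Mb/s) are assumptions."""

INF = float("inf")
PORT_COST = 19


def elect_root(bridge_ids):
    """bridge_ids: {name: (priority, mac)}.  Tuples compare element by
    element, so priority decides first and the MAC only breaks a tie.
    That is why the MAC is the deciding value when every switch is left
    at the default priority, and irrelevant once one priority is lowered."""
    return min(bridge_ids, key=bridge_ids.get)


def run_stp(bridge_ids, segments, port_cost=PORT_COST):
    """segments: {segment: [(bridge, port), ...]} says which bridge ports
    share which segment.  Each pass of the loop is one round of BPDU
    comparison; it repeats until no bridge improves its view of the root.
    Returns (root, root_path_cost, root_port, designated_port)."""
    root = elect_root(bridge_ids)
    cost = {b: (0 if b == root else INF) for b in bridge_ids}
    best = {b: (INF,) for b in bridge_ids}  # (cost, sender BID, sender port, own port)
    root_port = {}
    changed = True
    while changed:
        changed = False
        for b in bridge_ids:
            if b == root:
                continue  # the root bridge never has a root port
            for seg, members in segments.items():
                for own, own_port in members:
                    if own != b:
                        continue
                    # The best BPDU b hears on this segment comes from the
                    # neighbour with the lowest (root path cost, bridge ID).
                    heard = [(cost[o], bridge_ids[o], o_port)
                             for o, o_port in members if o != b]
                    if not heard or min(heard)[0] == INF:
                        continue  # nobody on this segment has heard the root yet
                    d_cost, d_bid, d_port = min(heard)
                    cand = (d_cost + port_cost, d_bid, d_port, own_port)
                    if cand < best[b]:
                        best[b] = cand
                        cost[b] = cand[0]
                        root_port[b] = (seg, own_port)  # one root port per bridge
                        changed = True
    designated = {}
    for seg, members in segments.items():
        # Exactly one designated port per segment: lowest root path cost,
        # then lowest bridge ID, then lowest port number.
        _, _, d_bridge, d_port = min(
            (cost[m], bridge_ids[m], m, port) for m, port in members)
        designated[seg] = (d_bridge, d_port)
    return root, cost, root_port, designated


# Rik's second diagram: ROOT--seg1--A--seg2--B--seg3--C, with D also on
# seg2 and E behind D on seg4.  Every priority is the 32768 default, so
# "ROOT" wins only because it happens to have the lowest MAC.
BRIDGES = {
    "ROOT": (32768, "0000.0c00.0001"),
    "A": (32768, "0000.0c00.000a"),
    "B": (32768, "0000.0c00.000b"),
    "C": (32768, "0000.0c00.000c"),
    "D": (32768, "0000.0c00.000d"),
    "E": (32768, "0000.0c00.000e"),
}
SEGMENTS = {
    "seg1": [("ROOT", 1), ("A", 1)],
    "seg2": [("A", 2), ("B", 1), ("D", 1)],
    "seg3": [("B", 2), ("C", 1)],
    "seg4": [("D", 2), ("E", 1)],
}


def with_priority(bridge_ids, name, priority):
    """Copy of bridge_ids with one switch's priority changed, the effect of
    'set spantree priority' / 'spanning-tree vlan N priority' on that switch."""
    _, mac = bridge_ids[name]
    return {**bridge_ids, name: (priority, mac)}


if __name__ == "__main__":
    for table in (BRIDGES, with_priority(BRIDGES, "B", 4096)):
        root, cost, rp, dp = run_stp(table, SEGMENTS)
        print("root:", root, "| root path costs:", cost)
        print("root ports (one per non-root bridge):", rp)
        print("designated ports (one per segment):", dp)
```

With all priorities at the default, ROOT is elected by MAC and segment 2 carries two root ports (B and D) but a single designated port (A's right-hand port), as in Rik's diagram. Lowering B's priority to 4096 makes B the root regardless of its MAC, and the root and designated ports are recomputed from there.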



RE: Gigastack Etherchannel [7:39033]

2002-03-25 Thread Rik Guyler

Yes and no.  Gigastacks are FD when only one port is used.  When you truly
stack with these GBICs, meaning one port is used for inbound and the other
for outbound, a show int will reveal a HD connection.  As you notice in
Ole's output, only one port is in use.

GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 12:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


GigaStack GBIC's are Full Duplex:

ELVIS#show int gigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.fd13.52f1 (bia
0002.fd13.52f1)
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), link type is autonegotiation, media type is
CX_GIGASTACK
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down
  Last input 00:00:06, output 00:00:01, output hang never
  Last clearing of show interface counters 11w1d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 107000 bits/sec, 15 packets/sec
  5 minute output rate 91000 bits/sec, 16 packets/sec
 122086095 packets input, 1719966070 bytes, 0 no buffer
 Received 3149732 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 163799 multicast, 0 pause input
 165588418 packets output, 149633091 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: Jeffrey Reed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


I'm not sure, but I thought I read somewhere that the GigaStack GBICs are
half duplex. I think I read somewhere that you shouldn't use them in an
environment that requires QOS. If this is true, your throughput would be
better with 1000B-T GBICs or Fiber GBICs running at full duplex.

Jeffrey Reed
Classic Networking, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gaz
Sent: Thursday, March 21, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Gigastack Etherchannel [7:39033]

Hi all,

Been searching all over CCO for this info... anybody know for sure?


Using Gigastack, can both slots be used as Gigastack Etherchannel (ie all
four ports (two on each module)) to provide 4Gb link.

Scenario would be a 3508 with two Gigastack modules and 3548 with two
Gigastack modules - connected with four gigastack cables.
Various web pages show 2Gb full duplex using Gigastack and also mention 4Gb
Full Duplex using Gigabit Ethernet. Even though the latter was on a
Gigastack data sheet, it was worded as though (or could mean) an alternative
was to use Gigabit Ethernet at 4Gb.

Hopefully I've got the question over - Basically, I know 4Gb is possible
with fibre SX/LX etc, but what about Gigastack?

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39488t=39033



RE: Gigastack Etherchannel [7:39033]

2002-03-25 Thread Rik Guyler

The answer is yes.  The FD/HD issue isn't switch port dependent but GBIC
port dependent.  If you're only using a single Gigastack port, even if you
have 2 Gigastack GBICs in the same switch, then the GBIC will set up a FD
connection both upstream and downstream.

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 8:43 PM
To: 'Rik Guyler'; [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


Hi Rik,

You're correct, and if you continue to read the rest of the e-mails
regarding this question, another question pops up - what if only one port
on each module is used, and instead two modules are installed in each switch
- would that allow a stack > 2 in full duplex?

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.RouterChief.com

 NEED A JOB ???
 http://www.oledrews.com/job




-Original Message-
From: Rik Guyler [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 25, 2002 6:50 PM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


Yes and no.  Gigastacks are FD when only one port is used.  When you truly
stack with these GBICs, meaning one port is used for inbound and the other
for outbound, a show int will reveal a HD connection.  As you notice in
Ole's output, only one port is in use.

GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 12:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


GigaStack GBIC's are Full Duplex:

ELVIS#show int gigabitEthernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.fd13.52f1 (bia
0002.fd13.52f1)
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
 reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), link type is autonegotiation, media type is
CX_GIGASTACK
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down
  Last input 00:00:06, output 00:00:01, output hang never
  Last clearing of show interface counters 11w1d
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 107000 bits/sec, 15 packets/sec
  5 minute output rate 91000 bits/sec, 16 packets/sec
 122086095 packets input, 1719966070 bytes, 0 no buffer
 Received 3149732 broadcasts, 0 runts, 0 giants, 0 throttles
 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
 0 watchdog, 163799 multicast, 0 pause input
 165588418 packets output, 149633091 bytes, 0 underruns
 0 output errors, 0 collisions, 0 interface resets
 0 babbles, 0 late collision, 0 deferred
 0 lost carrier, 0 no carrier, 0 pause output
 0 output buffer failures, 0 output buffers swapped out

Hth,

Ole

~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~
 http://www.RouterChief.com
~
 Need a Job?
 http://www.OleDrews.com/job
~




-Original Message-
From: Jeffrey Reed [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 21, 2002 10:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Gigastack Etherchannel [7:39033]


I'm not sure, but I thought I read somewhere that the GigaStack GBICs are
half duplex. I think I read somewhere that you shouldn't use them in an
environment that requires QOS. If this is true, your throughput would be
better with 1000B-T GBICs or Fiber GBICs running at full duplex.

Jeffrey Reed
Classic Networking, Inc.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Gaz
Sent: Thursday, March 21, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: Gigastack Etherchannel [7:39033]

Hi all,

Been searching all over CCO for this info... anybody know for sure?


Using Gigastack, can both slots be used as Gigastack Etherchannel (ie all
four ports (two on each module)) to provide 4Gb link.

Scenario would be a 3508 with two Gigastack modules and 3548 with two
Gigastack modules - connected with four gigastack cables.
Various web pages show 2Gb full duplex using Gigastack and also mention 4Gb
Full Duplex using Gigabit Ethernet. Even though the latter was on a
Gigastack data sheet, it was worded as though (or could mean) an alternative
was to use Gigabit Ethernet at 4Gb.

Hopefully I've got the question over - Basically, I know 4Gb is possible
with fibre SX/LX etc, but what about Gigastack?

Thanks,

Gaz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=39508t=39033
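Added example, not part of the Gigastack thread: a Python parser for the `show interfaces` output Ole posted, pulling out the duplex, the media type and the GigaStack `link1`/`link2` state that Rik points to, so a script can tell a single-link (full duplex) GigaStack port from a daisy-chained (half duplex) one across a whole stack instead of eyeballing each switch. The first sample is Ole's output with the archive line wrap rejoined; the second, with both links up and collisions counting, is constructed to exercise the other branch. The field names and the verdict strings are this example's own.

```python
"""Added example: parse Cisco 'show interfaces' output for the fields that
settle the GigaStack full/half duplex question.  Not from the thread;
SAMPLE_SINGLE is Ole's posted output (wrap rejoined), SAMPLE_CHAINED is
constructed to show a GBIC with both stack ports in use."""
import re

SAMPLE_SINGLE = """\
GigabitEthernet0/1 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.fd13.52f1 (bia 0002.fd13.52f1)
  MTU 1500 bytes, BW 100 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Auto-duplex (Full), link type is autonegotiation, media type is CX_GIGASTACK
  output flow-control is off, input flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  GigaStack module(0.2) in GBIC slot. link1 is up, link2 is down
  5 minute input rate 107000 bits/sec, 15 packets/sec
  5 minute output rate 91000 bits/sec, 16 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

# Constructed: what Rik describes once both GigaStack ports carry traffic.
SAMPLE_CHAINED = """\
GigabitEthernet0/2 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 0002.fd13.52f2 (bia 0002.fd13.52f2)
  Half-duplex, 1000Mb/s, link type is autonegotiation, media type is CX_GIGASTACK
  GigaStack module(0.2) in GBIC slot. link1 is up, link2 is up
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 4812 collisions, 0 interface resets
     0 babbles, 37 late collision, 0 deferred
"""


def parse_show_interface(text):
    """Extract the fields we care about; a missing field parses as None.
    '\\s+' after 'media type is' tolerates the wrap seen in pasted output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text, re.M)
        return cast(m.group(1)) if m else None

    info = {
        "interface": grab(r"^(\S+) is (?:up|down|administratively down), line protocol is"),
        "line_protocol": grab(r"line protocol is (up|down)"),
        "media_type": grab(r"media type is\s+(\S+)"),
        "link1": grab(r"link1 is (up|down)"),
        "link2": grab(r"link2 is (up|down)"),
        "input_errors": grab(r"(\d+) input errors", int),
        "collisions": grab(r"(\d+) collisions", int),
        "late_collisions": grab(r"(\d+) late collision", int),
    }
    # IOS prints either "Auto-duplex (Full)" or "Half-duplex"/"Full-duplex".
    m = re.search(r"Auto-duplex \((Full|Half)\)|\b(Full|Half)-duplex", text)
    info["duplex"] = (m.group(1) or m.group(2)).lower() if m else None
    return info


def gigastack_mode(info):
    """Classify a GigaStack GBIC port from how many of its links are up."""
    if info["media_type"] != "CX_GIGASTACK":
        return "not-gigastack"
    ups = sum(1 for k in ("link1", "link2") if info[k] == "up")
    if ups == 2:
        return "daisy-chain-half-duplex"    # both GBIC ports in use: shared medium
    if ups == 1:
        return "point-to-point-full-duplex"  # one port in use: a plain FD link
    return "no-link"


def audit(text):
    """(interface, mode, mismatch): mismatch is True when the duplex IOS
    reports disagrees with what the link count predicts."""
    info = parse_show_interface(text)
    mode = gigastack_mode(info)
    expected = {"daisy-chain-half-duplex": "half",
                "point-to-point-full-duplex": "full"}.get(mode)
    mismatch = expected is not None and info["duplex"] != expected
    return info["interface"], mode, mismatch


if __name__ == "__main__":
    for sample in (SAMPLE_SINGLE, SAMPLE_CHAINED):
        print(audit(sample), parse_show_interface(sample)["collisions"], "collisions")
```

Feed it the output of `show interfaces` for every GBIC slot in the stack (one chunk per interface) and any port that comes back as `daisy-chain-half-duplex`, or with a duplex mismatch, is a link where the 2 Gb full duplex figure from the data sheet does not apply and collision counters are worth watching.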

RE: CCIE#8903 [7:37490]

2002-03-06 Thread Rik Guyler

George, you are an inspiration to us all.  Thanks for the description of
your journey and congratulations!

Rik

-Original Message-
From: George Zhang [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 6:01 PM
To: [EMAIL PROTECTED]
Subject: CCIE#8903 [7:37490]


All,

The title says it all.  I took my first attempt at the CCIE lab test 
yesterday (March 5) in Halifax and received the "Congratulations on Passing 
the CCIE Lab!" this morning.

I was the only person taking the lab test in Halifax yesterday.  I was told 
that there was another person scheduled yesterday but did not show up.  My 
test started about 8:15 AM in the morning.  We broke for lunch at about 
12:20PM.  By then, I only finished all the IGP stuff and felt some pressure 
on time.  But I had already reviewed the rest of the test and knew that I could
go through the rest quickly.  After the 15 min lunch break, I worked through
the rest of the test very quickly.  By about 3:00 PM, I finished everything 
except one small requirement that I had no clue how to do.  I decided to 
skip that item.  Then, I started reviewing and checking my config.  Along 
the way of reviewing/checking, I spotted and fixed a few issues.  Just about
the time I finished reviewing everything, the proctor walked in and told me
that it's time.  I looked at the watch.  It was 4:30 PM.  My proctor was 
Steve.  Steve is a great proctor.  He answered quite a few of my questions 
and cleared my misunderstanding and confusion about the requirements of the
test.

I would like to take this opportunity to thank all people who helped me to 
achieve my goal.  First, I would like to thank my wife for her support and 
understanding.  Without her support, there is no way I could achieve my 
goal.  Next, I will give my thanks to Bruce, Val, and Fred of 
NetMasterClass.  As I said earlier, the NMC1 class is the most important 
part of my final preparation.  Thanks to Katie Wong of Cisco who scheduled 
me to access the ASET racks.  That's my primary resource for hands-on 
practice for the past couple of months.  Thanks to Eric Fairfield for 
lending me a few routers when I was in Wisconsin.  Also thanks to those that
I've either studied with or have helped me one way or another.  Thanks also 
to Paul for putting this great list together.

As far as my story, I started my quest of the Cisco certifications a little 
over two and a half years ago.  I got my CCNA and CCNP in the first year.  
Three months later, I passed the CCIE written test.  I wanted to take the 
lab a year ago.  However, due to work and personal reasons, I did not get 
time to do it until now.  Last year, I was too busy to do much study.  At 
work, as a consultant, I was billing at least 40 hours/week for the whole 
year.  At home, my second child was born in February, my wife finished 
school in July, and we moved to New Jersey from Wisconsin in September.  In 
October of last year, I foresaw a window of opportunity for me to take the 
lab test early this year.  Then, I lobbied my manager to let me go to the 
ECP1 class.  By the time my manager approved my training request, I found 
that Mentor Technologies went belly up.  However, I learned that Bruce and 
Val founded a new company called NetMasterClass, LLC 
(www.netmasterclass.net) and were offering the NMC1 and NMC2 classes.  I 
registered and took the NMC1 class by the end of January.  By the end of last 
year, the project I worked on finished.  So since the beginning of this year
I got a lot of time to study.  For the past couple of months, I have studied
8-10 hours every day.

As far as how I prepared, I have read most of the books (Doyle I & II, 
Caslow, Halabi, Tam-Nam-Kee, Solie, Satterlee, etc.) recommended by people 
on this list.  Among this long list of books, the only one I don't like is 
Solie's book because there are too many errors in the book.  There are a few
topics I was more confused about after reading the book.  I don't have a home lab.
So my primary resource for hands-on practice is remote labs such as Mentor 
Technologies' vlabs (not available any more) and the Cisco ASET lab.  Because I 
don't have a home lab, my preparation included more reading than hands-on 
practice.  That actually worked out very well for me.  Above all, the most 
important part of my preparation is the NMC1 class taught by Bruce, Val and 
Fred.  IF I HAD NOT TAKEN THE NMC1 CLASS, IT PROBABLY WOULD HAVE TAKEN ME 
ONE OR TWO MORE ATTEMPTS BEFORE I COULD GET MY NUMBER.  There are a lot of 
things that just cannot be learned from reading books or practicing.  So the
NMC1 class helped me to fill in that gap very well.  It also helped me to 
assess my strengths and weaknesses.  So I knew what to study in the last few 
weeks.  I strongly recommend taking the NMC1 class a few weeks before your 
lab date.

Thanks again.

George Zhang
CCIE#8903, CCNA, CCNP
Sr. Network Architect
Compuware Corporation
1 Meadowlands Plaza, Suite 1050
East Rutherford, NJ 07073
732-494-0288



RE: Catalyst 3508G XL , 2950T-24 [7:37098]

2002-03-04 Thread Rik Guyler

You will need the updated IOS for this GBIC.  Being a newer GBIC, the older
IOS won't recognize it so run the upgrade and it will work.  To confirm
this, type sh int g0/1 (g0/2, etc..) and the output will tell you if the
GBIC is recognized or not.

Rik

-Original Message-
From: Chuck Collins [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]


I wouldn't upgrade the IOS.  We had a 3550 that was doing the same thing
(GBIC not blinking at all). We called into TAC and got a replacement.
We did the upgrade first and when the switch would boot it would not
recognize the Ethernet controller.  It may be different for you since
you have a 3508.  I guess you would need to ask yourself "do I feel
lucky?"

Good Luck,

Chuck Collins
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 03, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 3508G XL , 2950T-24 [7:37098]


Dear all
I need clarification regarding these two points, thanking you for your help
in proceeding.

First point: 
We have Catalyst 3508G XL, 8 GBIC slots, 12.0(5.2)XU IOS software. We
tried to make it operate but the GBIC was not blinking at all. As I had
read this document
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/1000gbic/instnote.htm
, I got the conclusion that the switches detect and enable the GBIC only
when they are running the minimum software releases, which in the case of
Catalyst 3508G XL Cisco the minimum IOS Release is 12.0(5)XW, so in order
to enable the GBIC we have to upgrade the IOS software from 12.0(5.2)XU to
12.0(5)XW.

Second point:
We have Catalyst 2950T-24 Switch - 24 10/100 ports and 2 fixed
10/100/1000BaseT uplink ports, IOS available 12.0(5.3)WC(1).
As I had read this document
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/1169303.htm
, I got the conclusion that we do not have to upgrade the IOS image because
the IOS will support the following: Catalyst 2950T-24,
24 fixed autosensing 10/100 ports and
2 fixed autosensing 10/100/1000 Ethernet ports.

Please tell me if there is something missing here. The equipment is placed
far away from our office and we need to put the network on there as soon as
possible; in case we have to upgrade the IOS of any platform then
please let us go ahead solving this issue.

Warm regards, 
Ismail Al-shelh
Network Engineer





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37218t=37098



RE: Catalyst 3508G XL , 2950T-24 [7:37098]

2002-03-04 Thread Rik Guyler

That's not good advice.  An LX GBIC uses a laser transmitter, which is
powerful enough to burn a hole in your retina as a coworker of mine found
out.  Besides, this is a copper GBIC so no light to see.

12.0(5.3) is a new enough IOS to recognize the copper GBIC so this version
will work on all of your 3500 switches.

Rik

-Original Message-
From: Kaminski, Shawn G [mailto:[EMAIL PROTECTED]]
Sent: Monday, March 04, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]


I don't believe that it's the IOS on the 3508. First, check to make sure
your fiber is connected correctly. When the switch is powered up, you can
see which side the laser is on in the GBIC connector. Then, if you cup the
fiber in your hands, briefly (very briefly) look to see which connector the
laser is on. Then make sure that the connector with the laser goes to the
connector on the switch without the laser. If this isn't the problem,
there's a good chance it's probably a bad GBIC.

Shawn K.

-Original Message-
From: Chuck Collins [mailto:[EMAIL PROTECTED]] 
Sent: Monday, March 04, 2002 8:22 AM
To: [EMAIL PROTECTED]
Subject: RE: Catalyst 3508G XL , 2950T-24 [7:37098]


I wouldn't upgrade the IOS.  We had a 3550 that was doing the same thing
(GBIC not blinking at all). We called into TAC and got a replacement. We did
the upgrade first and when the switch would boot it would not recognize the
Ethernet controller.  It may be different for you since you have a 3508.  I
guess you would need to ask yourself "do I feel lucky?"

Good Luck,

Chuck Collins
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 03, 2002 10:33 AM
To: [EMAIL PROTECTED]
Subject: Catalyst 3508G XL , 2950T-24 [7:37098]


Dear all
I need clarification regarding these two points, thanking you for your help
in proceeding.

First point: 
We have Catalyst 3508G XL, 8 GBIC slots, 12.0(5.2)XU IOS software. We
tried to make it operate but the GBIC was not blinking at all. As I had
read this document
http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/1000gbic/instnote.htm
, I got the conclusion that the switches detect and enable the GBIC only
when they are running the minimum software releases, which in the case of
Catalyst 3508G XL Cisco the minimum IOS Release is 12.0(5)XW, so in order
to enable the GBIC we have to upgrade the IOS software from 12.0(5.2)XU to
12.0(5)XW.

Second point:
We have Catalyst 2950T-24 Switch - 24 10/100 ports and 2 fixed
10/100/1000BaseT uplink ports, IOS available 12.0(5.3)WC(1). As I had read
this document
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/2950_wc/1169303.htm
, I got the conclusion that we do not have to upgrade the IOS image because
the IOS will support the following: Catalyst 2950T-24, 24 fixed autosensing
10/100 ports and 2 fixed autosensing 10/100/1000 Ethernet ports.

Please tell me if there is something missing here. The equipment is placed
far away from our office and we need to put the network on there as soon as
possible; in case we have to upgrade the IOS of any platform then
please let us go ahead solving this issue.

Warm regards, 
Ismail Al-shelh
Network Engineer





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37219t=37098



RE: PIX PAT Problem!! Urgent [7:37052]

2002-03-02 Thread Rik Guyler

Yes but there are caveats.  You cannot do an all inclusive static mapping to
a PAT interface but you can redirect certain traffic based on port to
specific inside hosts.

For example, if you only have a single outside address and you are using it
on your outside interface, not only can you use PAT with the interface
command, but you can then redirect traffic to a specific host(s) depending
on requested TCP/UDP port.  In other words, you can redirect all inbound
traffic destined for TCP port 25 to your mail host inside while all other
traffic inbound is denied while still using PAT for all of your outbound
traffic.

If you want more info, search for port redirection on CCO.

Rik

-Original Message-
From: Ivan [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 02, 2002 2:31 AM
To: [EMAIL PROTECTED]
Subject: PIX PAT Problem!! Urgent [7:37052]


Hi all,

That is Very very Urgent!!!Please Help!!!
Does anyone know whether Cisco PIX can PAT an outside address to an inside address?
For example:

|---205.11.1.0---|
|
|
(outside Security  L 0)
(--PIX--)
(-Inside security L100)
 |
 |
|--10.1.1.0---|

can 205.11.1.0 255.255.255.0   PAT to 10.1.1.100??

Thank you very much for your kindly help

ivan




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=37085t=37052
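Added example, not PIX configuration from the thread: a Python model of the translation behaviour Rik describes, a single outside address (the PIX outside interface) used for outbound PAT while inbound TCP/25 is redirected to an inside mail host and every other unsolicited inbound packet is dropped. It makes the caveat concrete: an all-inclusive static of the interface address to one inside host is not possible because the address has to stay available for PAT, but a per-port redirect coexists with PAT fine. The addresses (taken from the ranges in Ivan's diagram), ports and the PAT port allocation order are constructed for the example and are not the PIX's own allocator.

```python
"""Added example: PAT plus per-port static redirection on one outside
address, modelling the behaviour described in the post.  Not PIX
configuration; addresses, ports and the allocation scheme are constructed."""
from dataclasses import dataclass, replace
from itertools import count


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class PatFirewall:
    """One outside address shared by outbound PAT and inbound port redirects.
    Inbound traffic is passed only when it matches a live PAT translation
    (a reply) or a configured redirect.  A wildcard redirect is rejected:
    mapping the whole address to one host would leave nothing for PAT."""

    def __init__(self, outside_addr, redirects):
        self.outside = outside_addr
        for proto, port in redirects:
            if port is None:
                raise ValueError(
                    "all-inclusive static to the PAT address is not possible; "
                    "redirect specific TCP/UDP ports instead")
        self.redirects = dict(redirects)  # (proto, outside port) -> (inside ip, port)
        self.xlates = {}                   # (proto, PAT port) -> (inside ip, port)
        self._ports = count(1024)          # constructed allocator; the PIX's differs

    def _allocate(self, proto):
        # Never hand out a port already owned by a redirect or a live xlate.
        for port in self._ports:
            if (proto, port) not in self.redirects and (proto, port) not in self.xlates:
                return port

    def outbound(self, flow):
        """Inside -> outside: rewrite the source to outside:<PAT port>."""
        pat_port = self._allocate(flow.proto)
        self.xlates[(flow.proto, pat_port)] = (flow.src, flow.sport)
        return replace(flow, src=self.outside, sport=pat_port)

    def inbound(self, flow):
        """Outside -> inside: the translated flow, or None when dropped."""
        if flow.dst != self.outside:
            return None                    # not addressed to us
        key = (flow.proto, flow.dport)
        if key in self.xlates:             # reply to a session we originated
            ip, port = self.xlates[key]
            return replace(flow, dst=ip, dport=port)
        if key in self.redirects:          # static port redirect, e.g. SMTP to the mail host
            ip, port = self.redirects[key]
            return replace(flow, dst=ip, dport=port)
        return None                        # no xlate, no static: denied


# Constructed addresses inside the ranges from Ivan's diagram.
OUTSIDE_ADDR = "205.11.1.1"
MAIL_HOST = "10.1.1.100"


def demo():
    """Four packets through one firewall: an outbound web request, its
    reply, an inbound SMTP connection, and an unsolicited inbound HTTP try."""
    fw = PatFirewall(OUTSIDE_ADDR, {("tcp", 25): (MAIL_HOST, 25)})
    out = fw.outbound(Flow("tcp", "10.1.1.5", 40000, "198.51.100.9", 80))
    reply = fw.inbound(Flow("tcp", "198.51.100.9", 80, OUTSIDE_ADDR, out.sport))
    smtp = fw.inbound(Flow("tcp", "203.0.113.7", 51515, OUTSIDE_ADDR, 25))
    unsolicited = fw.inbound(Flow("tcp", "203.0.113.7", 51516, OUTSIDE_ADDR, 80))
    return out, reply, smtp, unsolicited


if __name__ == "__main__":
    for label, f in zip(("outbound", "reply", "smtp", "unsolicited"), demo()):
        print(f"{label:12} {f}")
```

Answering Ivan's question in these terms: the whole 205.11.1.0/24 side cannot be "PATed" onto 10.1.1.100, but the single interface address can carry PAT for everyone inside while TCP/25 (or any other chosen port) on that same address lands on the mail host.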



RE: PIX Firewall authentication [7:35947]

2002-02-20 Thread Rik Guyler

Another option would be Websense for PIX.  This product will not only
authenticate the user but provide URL filtering and detailed reporting,
which the Proxy box doesn't do too well.  I install this product frequently
and hear nothing but good about it from our customers.

Check out www.websense.com for more info.

Rik

-Original Message-
From: Rafay Aslam [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 2:11 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX Firewall authentication [7:35947]


You can do authentication against Windows NT or Windows 2000 user database
Via PIX using Windows 2000 Radius Server, called Internet Authentication
Service, or Install RADIUS on Windows NT server, or If you wanna spend $2000
you can buy Cisco ACS software.

sajith nair wrote in message news:[EMAIL PROTECTED]...
 Hi,
 I have a customer with Proxy server and he want to
 replace it with PIX.The customer want to authenticate
 all users before they access internet.Whether the PIX
 can support authentication thru a normal Windows NT
 server than going thru a Radius/Tacacs server?I talked
 with Cisco TAC and they told it is possible.But I am
 confused.Can anyone of you can guide me please.
 Thanks in advance.
 Saj





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36008t=35947



RE: VTP and gigastack connectors [7:35971]

2002-02-20 Thread Rik Guyler

I have seen this before.  I don't remember the IOS versions in question but
it was an IOS bug.  Try upgrading the IOS on the 35xx switches to the latest
version.  Also, VTP domain is case sensitive, so when you set it on the
client, make sure you enter it correctly.

Rik

-Original Message-
From: dildog . [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 2:48 PM
To: [EMAIL PROTECTED]
Subject: VTP and gigastack connectors [7:35971]


All,

I have 3 3548's on a floor; the top and bottom ones are connected to 
the core 6509's by fiber GBIC's.  The middle one however is only connected 
via a gigastack connector to the top and bottom switch.

Configuration for Gig0/1 (the Gigastack connector)

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,7,1002-1005
switchport mode trunk
end



The middle switch does not have any VTP updates coming to it.

VTP Version : 2
Configuration Revision  : 1
Maximum VLANs supported locally : 254
Number of existing VLANs: 5
VTP Operating Mode  : Client
VTP Domain Name : XX
VTP Pruning Mode: Disabled
VTP V2 Mode : Enabled
VTP Traps Generation: Disabled
MD5 digest  : 0x49 0x95
Configuration last modified by x.x.1.249 at 2-5-02 20:01:45
switch#

Has anyone out there passed VTP information via the gigastack connectors?  If
so, is there a secret to get it to work correctly?  The switches that are 
connected to the 6509 do have updated VTP information.

Thanks.







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36009t=35971



RE: Blocking ICQ and other Instant Messengers [7:35976]

2002-02-20 Thread Rik Guyler

I wouldn't say this covers all of them but the most widely used IM apps.
This is used on a PIX and applied to the inside interface so modify as
necessary to fit your needs.

access-list inside deny tcp any any eq 1863
access-list inside deny tcp any any eq 5000
access-list inside deny tcp any any eq 5001
access-list inside deny tcp any any eq 5050
access-list inside deny tcp any any eq 5100
access-list inside deny tcp any any eq 1214
access-list inside deny tcp any any range 6665 6669
access-list inside deny udp any any eq 5000
access-list inside deny udp any any eq 5001
access-list inside deny udp any any eq 5050
access-list inside deny udp any any eq 5100
access-list inside deny udp any any eq 1214
access-list inside deny ip any host 64.12.161.153
access-list inside deny ip any 206.142.53.0 255.255.255.0
access-list inside deny ip any 64.245.58.0 255.255.254.0
access-list inside deny ip any 213.248.107.0 255.255.255.0
access-list inside deny ip any host 205.188.179.233


Rik

-Original Message-
From: Paul Pavlicko [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 20, 2002 3:06 PM
To: [EMAIL PROTECTED]
Subject: Blocking ICQ and other Instant Messengers [7:35976]


Has anyone created an ACL to block all the Instant Messengers? If so, could
you send all the IP Addresses (or the ACL) that you use to block them.


Thanks,


Paul Pavlicko






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=36011t=35976
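Added example, not part of the thread: a Python parser and first-match evaluator for the PIX access-list syntax Rik uses above (any, host A, A MASK, eq P, range A B), so the posted list can be audited against sample flows before it goes on a firewall. The flows and the trailing permit are constructed here. A PIX access-list ends in an implicit deny, so the seventeen deny lines applied on their own with access-group to the inside interface would stop all other outbound traffic as well; the example appends a permit ip any any to model the "modify as necessary" Rik intends and checks both behaviours.

```python
"""Evaluate a flow against PIX-style access-list lines.

Added example, not from the post: a small parser for the access-list syntax
used above (any / host A / A MASK, eq P, range A B) and a first-match
evaluator. The sample flows and the trailing permit are constructed here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The seventeen deny lines exactly as posted.
POSTED_ACL = """\
access-list inside deny tcp any any eq 1863
access-list inside deny tcp any any eq 5000
access-list inside deny tcp any any eq 5001
access-list inside deny tcp any any eq 5050
access-list inside deny tcp any any eq 5100
access-list inside deny tcp any any eq 1214
access-list inside deny tcp any any range 6665 6669
access-list inside deny udp any any eq 5000
access-list inside deny udp any any eq 5001
access-list inside deny udp any any eq 5050
access-list inside deny udp any any eq 5100
access-list inside deny udp any any eq 1214
access-list inside deny ip any host 64.12.161.153
access-list inside deny ip any 206.142.53.0 255.255.255.0
access-list inside deny ip any 64.245.58.0 255.255.254.0
access-list inside deny ip any 213.248.107.0 255.255.255.0
access-list inside deny ip any host 205.188.179.233
"""

# A PIX access-list ends in an implicit deny, so applied as posted it would drop
# every other inside-to-outside flow. The explicit permit is added for this model.
ACL_TEXT = POSTED_ACL + "access-list inside permit ip any any\n"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range]  # destination port range; None means any port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        dports = None
        if i < len(tok) and tok[i] == "eq":
            dports = range(int(tok[i + 1]), int(tok[i + 1]) + 1)
        elif i < len(tok) and tok[i] == "range":
            dports = range(int(tok[i + 1]), int(tok[i + 2]) + 1)
        aces.append(Ace(action, proto, src, dst, dports))
    return aces


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> Tuple[str, int]:
    """First matching entry wins; returns (action, 1-based line) or ('deny', 0) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces, start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dports is not None and (dst_port is None or dst_port not in ace.dports):
            continue
        return ace.action, n
    return "deny", 0


if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    for flow in [("tcp", "10.1.1.5", "198.51.100.9", 1863), ("tcp", "10.1.1.5", "198.51.100.9", 443),
                 ("icmp", "10.1.1.5", "64.12.161.153", None)]:
        print(flow, "->", evaluate(aces, *flow))
```

The IP-based entries only cover the addresses the IM services used in 2002 and the port entries only the default ports, so the same evaluator is a convenient way to re-check a list like this whenever a service moves.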



RE: VOIP Certification [7:35879]

2002-02-19 Thread Rik Guyler

I took the CIPT test and thought it not too difficult.  This exam covers
primarily Call Manager and general voice technology.  Fortunately for you
there are finally resources being published for Call Manager but hands-on
with the product will go a long way.  CCO offers a demo version you can
download.

I haven't taken the QOS test yet but will soon.  I'm in the KnowledgeNet
placeware (online) class and I have to say it's very good, which surprises
me.  If you work for a partner I believe you can get special pricing.

Rik

-Original Message-
From: Logan, Harold [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 4:18 PM
To: [EMAIL PROTECTED]
Subject: RE: VOIP Certification [7:35879]


That's true, the CCNP Specializations are retired. There is however the
Cisco IP Telephony Specialist (CIPTS???) which has CCNP certification as
a prerequisite.

I took the old CVoice exam (VoFR, VoATM, VoIP) to get the CCNP Voice
Specialization about a year ago. I used Global Knowledge's Configuring
Cisco Voice over IP by Elliot Lewis, edited by Keith O'Brien, ISBN
1-928994-03-2. I used it in conjunction with various docs on cisco's
page, and that was enough to pass the exam, combined with the experience
I had at the time. There are probably better publications out there
nowadays, if nothing else because they're more up-to-date.

I haven't taken the CIPT or QOS exams, and I don't know if the current
CVoice is the same exam as the old one. I thought about taking the other
two exams to get the Telephony specialization, but my CCNP Voice
specialization doesn't expire for another year, and my lab date is in
July.

Good luck,
Hal



-Original Message-
From: Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 19, 2002 3:16 PM
To: [EMAIL PROTECTED]
Subject: Re: VOIP Certification [7:35879]


Last I checked, there isn't any CCNP specialisation track anymore !! ;-)

Kelley Allen wrote in message news:[EMAIL PROTECTED]...
 Has anyone out there attempted the CIPT, CVOICE, and QOS tests yet for the
 CCNP / Voice Specialization certification?  If so, what training did you use
 and what was the tone of the tests?

 Thanks,
 Kelley.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35911t=35879



RE: Easy ways to pick up a few extra minutes on th [7:35580]

2002-02-17 Thread Rik Guyler

A proctor graced our presence at my last ASET meeting and I asked him this
very question about which terminal emulator is used in the lab (I prefer
TeraTerm myself and am accustomed to the shortcuts).  His response was that
they use Hyper Terminal exclusively so everybody better get to know it very
well.

Rik

-Original Message-
From: Chuck [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 11:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Easy ways to pick up a few extra minutes on th [7:35580]


for some reason, the Lab proctors frown on people installing their own
software on their terminals. ;-

I've been told that they frown on people even saving things like their
notepad files to the computers in the lab. I don't recall any instruction
one way or another on this one. I do vaguely recall one proctor saying that
if somehow you hack your way to the internet, and they catch you, you will
be disqualified immediately.

Chuck




Ozzie Sutcliffe wrote in message news:[EMAIL PROTECTED]...
 Can you use terraTerm instead of hyperterm ?
 If so set the scroll buffer to 10,000 lines; this way you have a complete
 history by scrolling up the gui in terra term

 oz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35697t=35580



RE: Easy ways to pick up a few extra minutes on th [7:35580]

2002-02-17 Thread Rik Guyler

You will get Windows boxes with the MS telnet client and Hyper Terminal.

Rik

-Original Message-
From: Ozzie Sutcliffe [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 16, 2002 12:08 PM
To: [EMAIL PROTECTED]
Subject: Re: Easy ways to pick up a few extra minutes on th [7:35580]


So everything is telnet then I guess..If so which telnet client..
Ok troops we need to get Cisco to put terra term on the docs CD rom hey it's
freeware.
Also the terminals are *nix windoze sparky or ???

Oz




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35698t=35580



RE: Flash upgrade disaster [7:35184]

2002-02-12 Thread Rik Guyler

Did you format the new flash?  I've had issues with corruption adding flash
while existing flash is still installed.  Try to boot to rommon mode and
format the flash.  You should be able to do this with both sticks installed
without too much problem.  Then install IOS, build the config, etc.

Rik

-Original Message-
From: Wilson, Christian [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, February 12, 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: Flash upgrade disaster [7:35184]


Begging for help once again . . . 

I have upgraded the flash in a 3640 from the 8 Mb chip to a 16 Mb chip.  I
did this by installing the second, 16 Mb chip into slot 1 of the
motherboard, leaving the original 8 Mb in slot 1, for a total of 24 Mb of
flash memory.  I then installed 12.1, which was the reason I needed to
upgrade the flash.  12.1 went on without a hitch, but when the router was
reloaded, it would run for about 30 minutes and then go into rommon mode. It
did this repeatedly, so I removed the 8 Mb chip, installed the 16 Mb chip
into slot 0, and then used xmodem to transfer 12.1 through the console, a
painstaking two hour task.  Now the file is on flash, but at reload the file
is unable to decompress, returning these errors:

Error: Uncompression of the image failed.
invalid compressed data-format violated

Error: zip decompress failed

***System received a software forced crash ***
signal = 0x17, code = 0x7, context = 0x0
PC = 0x80008094, cause = 0x20, Status Reg = 0x3041f003


The crc checks are the same as displayed on the software centers web page. I
have downloaded a new copy of the file and it still did not work.  I put the
original 8 Mb chip in slot 0 and removed the 16 Mb chip, reloaded a fresh
11.3 image, and received the same errors.  What have I done??




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=35196t=35184



RE: VOIP for CCIE [7:34849]

2002-02-08 Thread Rik Guyler

I considered those for my lab as well but Brad Ellis mentioned that they
won't run Enterprise IOS, which limits their value in your lab.

Rik

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]] 
Sent: Friday, February 08, 2002 10:51 AM
To: [EMAIL PROTECTED]
Subject: Re: VOIP for CCIE [7:34849]


try a 1750 or 1751.
Woods, Randall, SOBUS wrote in message news:[EMAIL PROTECTED]...
 Hi all,
 I was wondering if anyone could give me some recommendations of 
 what equipment would be best suited for adding VOIP to my home lab. I 
 am considering getting the 2600 series but wanted some advice on if there was
 anything smaller or better suited for the job.   Thanks for the help.

 Woody




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34903t=34849



RE: 3DES [7:34754]

2002-02-07 Thread Rik Guyler

Unless this is a brand new change, the 515R certainly does support 3DES as I
have installed it many times on this firewall.  The DES license is the only
FREE license but you can pay for the 3DES.  The difference between the R
and U versions has to do primarily with interfaces (R=3, U=6) and failover
(R=no, U=yes).

Rik

-Original Message-
From: Brian Zeitz [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 07, 2002 10:39 AM
To: [EMAIL PROTECTED]
Subject: 3DES [7:34754]


I have been looking at routers/firewalls. I am thinking of going with the
2611 with a ADSL card, I also want to get a 515. Our office is not that big
yet, but I want to plan for the future. I see that the Pix 515R only does
DES, but doesn't do 3DES. But when I buy the router, I can get it with 3DES.
I am just kinda confused, where is the best place to use 3DES, on the
firewall, or on the router? Or it doesn't matter. The way I see it, if I
wanted to do 3DES on the firewall with the 515, I would have to buy the
515UR, which is about 10K. I don't really need the throughput for 100,000
users just yet though. Any suggestions on this?



Thanks in advance...



Brian Zee MCSE, CCNA, A+




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34791t=34754



RE: GBIC's for single mode fiber [7:34699]

2002-02-06 Thread Rik Guyler

I can tell you that the last I knew, there were 3 companies manufacturing
GBICs for Cisco.  You can buy from them direct as my company has done on
occasion.  I was told that the difference in price was incredible but there
is a minimum order required.  Unfortunately I don't know where we bought
them.

Rik

-Original Message-
From: Doug Korell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 6:40 PM
To: [EMAIL PROTECTED]
Subject: GBIC's for single mode fiber [7:34699]


I need some GBIC's for single mode fiber that will reach 40km. Cisco's GBIC
(GBIC-ZX) will go up to 70km and needs a 5-dB in-line optical attenuator to
lower the power. It is also quite pricey.

Are there other manufacturers out there that make GBIC's that work in Cisco
gear? If so, has anyone used them? Thanks.

Doug




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34711t=34699



RE: Pix and vlan [7:34663]

2002-02-06 Thread Rik Guyler

Well, you're close.  The tag will get removed if the VLAN information is
necessary in a given location (switch).  In other words, the tag is only
permanently removed by the last switch to touch it before the frame
actually arrives at the final destination.  If a given switch is not the
last switch to touch the frame, the tag will be reapplied to the frame
before it leaves the fabric and gets forwarded to the next switch in line.

Since routing (Layer 3 switching, etc.) is the mechanism to move packets
back and forth from the PIX, the 6509 will be the last switch to touch the
frame so the tag would be removed by the time it reaches the PIX.  In any
case, since the PIX uses routing to discriminate between networks, not VLAN
tagging, it would have no knowledge of the tag.  A layer 2 bridge will
forward the tagged frame and maybe not recognize the tag but the PIX being a
Layer 3/4 device may not even pass a tagged frame, let alone recognize the
tag.  

I would think that your best chance for the PIX to forward tagged frames
would be with Dot1Q as it embeds the tag inside of the frame whereas ISL
encapsulates the frame, to which the PIX might take exception.  Of course,
stateful inspection might not like a Dot1Q frame either.

I am curious about what scenario you have that you would want to pass tagged
packets outside of the PIX?  The only scenario I can think of is you are
using a PIX between LANs.  Is this correct?  

Rik

-Original Message-
From: Robert [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 7:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Pix and vlan [7:34663]


I have my PIX 520 interfaces hanging of a 6509 in multiple VLANs with no
issues.

But doesn't traffic get tagged only when it crosses a trunk or the switch
fabric? I thought that once it left the switch fabric, the tagging is
removed.

Robert

Bates, Steven (SIGNAL) wrote in message news:[EMAIL PROTECTED]...
 No I was referring to when a PIX is being hung off a switch, and if the PIX
 can pass tagged traffic, (i.e. frames) in a switched network.  Sorry about the
 confusion

 -Original Message-
 From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, February 06, 2002 2:39 PM
 To: [EMAIL PROTECTED]
 Subject: Re: Pix and vlan [7:34663]


 I never knew the pix was even capable of VLAN's

  Bates, Steven (SIGNAL)  02/06/02 03:03PM 
 Has anyone heard of the PIX having problems passing tagged packets as in
 dot1q and how about ISL?  I did some testing before with the Lucent Brick
 and it could not deal with tagged packets.  I know the new Bricks will
 handle it, but don't know about the PIX.  Specifically 6.0

 Steven Kell Bates




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34712t=34663
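Added example, not part of the thread: Python that shows the frame layouts behind Rik's point, 802.1Q inserting a 4-byte tag after the source MAC versus ISL wrapping the whole frame in a 26-byte header and a trailing CRC, plus what a tag-unaware device such as a firewall reads at the EtherType offset when a tagged frame does reach it. The MAC addresses and payload are constructed; in the ISL header only the field layout and the VLAN id are meant to be exact, the other field values are illustrative.

```python
"""Where the 802.1Q tag lives in a frame, and why a tag-unaware device trips on it.

Added example (not from the post): byte layouts of 802.1Q and a simplified ISL
wrapper, exercised on a constructed Ethernet/IPv4 frame. ISL header field
values other than the layout and the VLAN id are illustrative.
"""
import struct
import zlib
from typing import Optional, Tuple

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ISL_DA = bytes.fromhex("01000c0000")  # 40-bit ISL multicast destination


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame, as a host on an access port sends or receives it."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan: int, priority: int = 0) -> bytes:
    """Trunk egress: insert TPID (0x8100) and TCI after the source MAC; the frame grows by 4 bytes."""
    tci = ((priority & 0x7) << 13) | (vlan & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Access-port egress: strip the tag. Returns (vlan, frame); vlan is None if there was no tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def naive_ethertype(frame: bytes) -> int:
    """A device that does not understand 802.1Q reads bytes 12-13 as the EtherType."""
    return struct.unpack("!H", frame[12:14])[0]


def isl_encapsulate(frame: bytes, vlan: int, switch_mac: bytes = b"\x00\x00\x0c\x00\x00\x01") -> bytes:
    """ISL: a 26-byte header in front of the whole original frame plus a 4-byte CRC after it."""
    header = (
        ISL_DA                                      # DA (5 bytes)
        + b"\x00"                                   # TYPE (Ethernet) / USER
        + switch_mac                                # SA of the sending switch
        + struct.pack("!H", len(frame) + 14)        # LEN (illustrative value)
        + b"\xaa\xaa\x03"                           # SNAP / LLC
        + b"\x00\x00\x0c"                           # HSA
        + struct.pack("!H", (vlan & 0x7FFF) << 1)   # 15-bit VLAN id + BPDU bit
        + b"\x00\x00"                               # INDEX
        + b"\x00\x00"                               # RES
    )
    body = header + frame
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def isl_vlan(isl_frame: bytes) -> int:
    """Read the VLAN id back out of the ISL header (bytes 20-21, upper 15 bits)."""
    return struct.unpack("!H", isl_frame[20:22])[0] >> 1


def demo() -> dict:
    frame = build_frame(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
                        ETHERTYPE_IPV4, b"constructed IPv4 payload")
    tagged = tag_frame(frame, 172)
    vlan, stripped = untag_frame(tagged)
    return {
        "access_port_ethertype": naive_ethertype(frame),
        "tagged_ethertype_as_seen_by_tag_unaware_device": naive_ethertype(tagged),
        "vlan_recovered_from_tag": vlan,
        "tag_removal_restores_original": stripped == frame,
        "dot1q_growth_bytes": len(tagged) - len(frame),
        "isl_growth_bytes": len(isl_encapsulate(frame, 172)) - len(frame),
        "isl_vlan": isl_vlan(isl_encapsulate(frame, 172)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if not isinstance(value, int) else hex(value)}")
```

The untagged frame reads 0x0800 at the EtherType offset, the tagged one reads 0x8100 there with the real EtherType pushed four bytes further in; a stateful device that parses from offset 12 without checking for the TPID sees no IPv4 header at all, which is the failure mode Rik anticipates.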



RE: VLan Ooops Part 2 [7:34687]

2002-02-06 Thread Rik Guyler

You will also need IP-Plus IOS for the trunking feature on the 2600.

Rik

-Original Message-
From: Erick B. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 06, 2002 8:19 PM
To: [EMAIL PROTECTED]
Subject: Re: VLan Ooops Part 2 [7:34687]


802.1q (dot1q) works on 10meg interfaces. I'm doing it
on a 2600 here...

--- Nisus  wrote:
 Ok so I understand the trunk feature now after
 talking to a good CCIE friend
 of mine.
 
 (he runs http://www.IPexpert.net shameless plug)
 
 And he explained the trunking feature.
 
 Here is my dilemma.  I am going into a 2610 router
 which DOES NOT have a
 fast Ethernet interface.
 From what I have been told 10Mb Ethernet doesn't
 support trunking.
 
 Ahhh Crap.
 
 Any one know a way around this?  And if so where can
 I learn how to do it
 ???
 
 Thanks again, you all are great,
 Steven M Aiello






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34717t=34687



RE: PIX activation key [7:34450]

2002-02-05 Thread Rik Guyler

Well, I've seen an R version and a U version but never a UR version.
I have always been under the assumption that they were mutually exclusive.
As for the lack of an activation key, that is odd.  What is the current
version of the OS?  Have you tried to run an upgrade?  When you apply for a
feature license, such as the free 56-bit (DES) encryption feature, you will
be given a new activation key generated via the serial number.  

I would apply for the 56-bit key and then do an upgrade to the latest code
(6.1.1), which will prompt you for a new key if needed.

Rik

-Original Message-
From: Radford Dion [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 5:28 AM
To: [EMAIL PROTECTED]
Subject: PIX activation key [7:34450]


I've just got a hold of a PIX 515UR and I want to upgrade to the latest
software, but when I do a show ver there is no activation key. 

Is this normal, or do I have to obtain one from somewhere?

Dion Radford
Mellon Site Services - Europe
71 Queen Victoria Street, London, EC4V 4DR 
+44 (0) 20 7653 2850 - Work
+44 (0) 20 7653 2227 - Fax
+44 (0) 794 092 8809 - Mobile
Email: [EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34453t=34450



RE: 4000 Series switch [7:34449]

2002-02-05 Thread Rik Guyler

The 4000 uses a very similar CLI to the 5000.  The 4000 series is much newer
so some of the features are different plus the 5000 was considered a core
switch and the 4000 a closet switch.  However, the 4000 is coming out of the
closet and some cool new features are being released such as Layer 3
switching, making it something of a baby core switch.  ;-}

Rik



-Original Message-
From: Nisus [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 5:22 AM
To: [EMAIL PROTECTED]
Subject: 4000 Series switch [7:34449]


First of all I would like to thank you who replied to my questions about
VLans and how to set them up.

Second.  In the information I have been reading about VLans usually 2
classes of switches are referenced.
The first being a lower model or switch 1900 series.  The Vlan setup is
mostly menu driven as I found out from my Cisco instructor in class
yesterday.  There were some problems we encountered when setting up a VLan
on this type of switch.

Third.  Usually when ever I read about VLans and setting them up it uses a
5000 series switch as a reference, using the OSI command interface.

Does the 4000 switch use the same setup or interface as the 5000?

Does any one know ?

Thank you very much,
Steven M Aiello




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34454t=34449



RE: info on blocking aol im [7:34459]

2002-02-05 Thread Rik Guyler

Block both TCP and UDP port 5190.  Check it out:

http://www.chebucto.ns.ca/~rakerman/port-table.html

Rik

-Original Message-
From: Walls Matthew [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 05, 2002 10:13 AM
To: [EMAIL PROTECTED]
Subject: info on blocking aol im [7:34459]


Looking to block aol im with pix and 2600s router.  Seems to use multiple
ports, etc

Any advice on blocking this?...

 

 

Matthew J. Walls
Sr. Systems Engineer, Systems Development
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34578t=34459



RE: Duplicates [7:33955]

2002-01-31 Thread Rik Guyler

Tom, I had this issue a few weeks ago and I tracked it down to Outlook inbox
rules.  I deleted my rules and recreated them and now I only receive single
posts.

Rik

-Original Message-
From: Tom Lisa [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 7:23 PM
To: [EMAIL PROTECTED]
Subject: Re: Duplicates [7:33955]


Ole,

I just got two copies of your message.  Very Interrresting!!!

Prof. Tom Lisa, CCAI
Community College of Southern Nevada
Cisco ATC/Regional Networking Academy



Ole Drews Jensen wrote:

 FYI, I am only getting singlecate messages (or whatever it's called) - only
 one copy of each message. It might be your end Tom, unless you are a
 double/triple member.

 Hth,

 Ole

 ~~~
  Ole Drews Jensen
  Systems Network Manager
  CCNP, MCSE, MCP+I
  RWR Enterprises, Inc.
  [EMAIL PROTECTED]
 ~~~
  http://www.RouterChief.com
 ~~~
  NEED A JOB ???
  http://www.oledrews.com/job
 ~~~

 -Original Message-
 From: Tom Lisa [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, January 31, 2002 3:48 PM
 To: [EMAIL PROTECTED]
 Subject: Duplicates [7:33955]

 Paul,

 It might be just me, but we seem to be suffering once again from
 duplicate/triplicate and more, message transmission disease.

 Prof. Tom Lisa, CCAI
 Community College of Southern Nevada
 Cisco ATC/Regional Networking Academy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=33999t=33955



RE: ISDN simulator [7:33841]

2002-01-31 Thread Rik Guyler

Shameless plug?  Absolutely!  No shame in how Brad does business. :-}

Maybe he does have a financial interest but who cares?  I have learned over
the years to listen to him...he is usually right.  His simulator is as
inexpensive as you will find and I know he wouldn't offer it if it didn't do
the job just fine.  

I have no financial interest here.  I'm just a very satisfied customer
standing up for my preferred vendor!

Rik

-Original Message-
From: c1sc0k1d [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 4:41 PM
To: [EMAIL PROTECTED]
Subject: Re: ISDN simulator [7:33841]


Of course Brad forgot to mention he has a financial interest in his
recommendation as he is affiliated with the company so his recommendation is
not without bias.  Here's some of your options.  I'll leave out his as he
already made a shameless plug.

ISDN emulator on the NET
http://208.1.40.80/ica/isdnsim.nsf
www.brooktrout.com/pages/product_info/pi_data_wan/pdf/multiport.pdf
www.diem.com/BT90001.htm
http://www.tele-products.com/
http://www.arca-technologies.com/solohome.html
http://www.conway-engineering.com/   5105307682
http://www.acacia-net.com/
http://www.taskit.com/
http://www.monitor.co.at/monitor/498/story/isdnsim.html
http://www.digitechinc.com
http://www.ertmsales.com/products/search/viewcart.cfm?Page=1QtyNA=



Brad Ellis wrote in message news:[EMAIL PROTECTED]...
 Ronald,

 If you want the lowest price simulator available, you should go with the
 simline2.  It has S/T interfaces so it goes nicely with 2503s, 2504s, etc.
 Paul B. (the owner of groupstudy) also bought one of these for his home lab.
 I believe he posted about it somewhere.  Check the archives:
 www.groupstudy.com  If you want more detailed information on the simline2
 you can visit www.cheapisdn.com

 thanks,
 -Brad Ellis
 CCIE#5796 (RS / Security)
 Network Learning Inc

 Ronald James wrote in message news:[EMAIL PROTECTED]...
  just wondering anybody knows which isdn simulator is best for home lab in
  terms of functionalities and pricing? hope this is not violating nda,
  but very interested to see whether real ccie lab use isdn simulator or isdn
  lines??  if it's a simulator, which brand?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=34000t=33841



RE: 6509 roaming disconnects part2 [7:32449]

2002-01-18 Thread Rik Guyler

Larry, you haven't given us much but maybe you don't have much.  One thing
that may help ease the symptoms is to turn on portfast on the ports the
servers are connected to.  When the port does flap, it won't take so long for
it to begin forwarding again.

You didn't mention what type of cards the servers are using.  Are these
100mbs or gig cards and who makes the cards?  There are known issues with
certain cards and certain drivers.  Are you using the latest drivers
downloaded from the vendor's website?  If these are gig cards, are they
fiber or copper?  If copper, could you have bad or old cable or maybe the
cables are routed over something causing EMI?  What about the OS on the Cat?
Is it the latest available (it's up to 7.x now)?  Is flow control turned on
or off?  You can set this separately for transmit and receive.  Did you try
moving the server(s) to a different port on the switch?  Did you get the
same results?  Is it possible to move the server(s) to a different blade in
the Cat?  What about to a different switch?  Your logs indicate the port is
going up and down and Spanning Tree is doing its job and not much else.

You can see when troubleshooting issues on the list, we need more info.
This is just a small list to check but maybe it will be helpful.

Rik

-Original Message-
From: Puckette, Larry (TIFPC) [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 18, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: 6509 roaming disconnects part2 [7:32449]


Hello again group. I have another question to propose to you. But first an
updated history of the issue at hand. We have a 6509 that serves as the core
to a server farm that has both NT and Unix boxes on it. In the beginning
there were infrequent link drops between servers and the switch that had no
pattern to isolate a card or VLAN, etc...   and then frequency increased to
be a constant problem. Sniffer information gave very little to hang our hat
on, with 99% of it's findings being 2 messages. Too many retransmissions TCP
and octets/s: current value 932,384. High Threshold=500,000. An example of
the logging buffer on the switch's interesting messages were;
IPPS6509 (enable) show logging buffer
2002 Jan 16 02:15:44 %PAGP-5-PORTFROMSTP:Port 8/23 left bridge port 8/23
2002 Jan 16 02:15:49 %PAGP-5-PORTTOSTP:Port 8/22 joined bridge port 8/22
2002 Jan 16 02:15:49 %PAGP-5-PORTFROMSTP:Port 6/23 left bridge port 6/23
2002 Jan 16 02:15:50 %SPANTREE-6-PORTFWD: Port 8/22 state in VLAN 172
changed to forwarding 2002 Jan 16 02:16:01 %PAGP-5-PORTTOSTP:Port 8/23
joined bridge port 8/23 2002 Jan 16 02:16:02 %SPANTREE-6-PORTFWD: Port 8/23
state in VLAN 172 changed to forwarding 2002 Jan 16 02:16:06
%PAGP-5-PORTTOSTP:Port 6/23 joined bridge port 6/23 2002 Jan 16 02:16:07
%SPANTREE-6-PORTFWD: Port 6/23 state in VLAN 172 changed to forwarding 2002
Jan 16 03:41:28 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17 2002 Jan
16 03:41:29 %PAGP-5-PORTFROMSTP:Port 7/16 left bridge port 7/16 2002 Jan 16
03:41:35 %SYS-6-CFG_CHG:Global block changed by SNMP/216.141.33.71/ 2002 Jan
16 03:41:47 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17 2002 Jan 16
03:41:47 %PAGP-5-PORTTOSTP:Port 7/16 joined bridge port 7/16 2002 Jan 16
03:41:48 %SPANTREE-6-PORTFWD: Port 7/16 state in VLAN 172 changed to
forwarding 2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN
172 changed to forwarding 2002 Jan 16 03:44:27 %PAGP-5-PORTFROMSTP:Port 8/17
left bridge port 8/17 2002 Jan 16 03:44:43 %PAGP-5-PORTTOSTP:Port 8/17
joined bridge port 8/17 2002 Jan 16 03:44:44 %SPANTREE-6-PORTFWD: Port 8/17
state in VLAN 172 changed to forwarding

but these had no consistency over time as to what port or group of ports
were experiencing this.

some interesting 'show tech' information was;
udp:
0 incomplete headers
0 bad data length fields
2 bad checksums
20839 socket overflows
108568195 no such ports

tcp: 111664 completely duplicate packets (6407 bytes) 
29 keepalive timeouts

Ok, if you're still with me... It was dictated that we REPLACE the switch by
the customer but of course Cisco did not go for that and we did a scheduled
reboot on the switch and all problems have cleared. Now the customer wants a
bi-monthly reboot of this switch scheduled to prevent the problem from
occurring. My questions are: Is there any technical reason that these
scheduled reboots would be a bad idea? (politics dictate that logical
reasons don't apply) Does anyone know of  a previously proven fix for this
problem that has documentation that could be used in discussions of whether
these scheduled reboots are necessary?

Thank you all for any help, in advance.


Larry Puckette
Network Analyst CCNA,MCP,LANCP
Temple Inland
[EMAIL PROTECTED]
512/434-1838




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32472t=32449
--
FAQ, list archives, and subscription info: 
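
Added example, not from the list or any poster: a small Python script that parses CatOS `show logging buffer` lines like the ones Larry quoted, measures how long each port stayed out of the bridge, flags ports that dropped repeatedly, and ties the `%SYS-6-CFG_CHG` SNMP config-change message to the ports that had just gone down, which is the kind of correlation you want before agreeing to a standing reboot. The sample log is the text of Larry's post split one event per line; the flap threshold and the 60-second correlation window are assumptions chosen for illustration.

```python
"""Summarise port flaps from CatOS 'show logging buffer' output."""
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the events quoted in Larry's post, split one per line.
SAMPLE_LOG = """\
2002 Jan 16 02:15:44 %PAGP-5-PORTFROMSTP:Port 8/23 left bridge port 8/23
2002 Jan 16 02:15:49 %PAGP-5-PORTTOSTP:Port 8/22 joined bridge port 8/22
2002 Jan 16 02:15:49 %PAGP-5-PORTFROMSTP:Port 6/23 left bridge port 6/23
2002 Jan 16 02:15:50 %SPANTREE-6-PORTFWD: Port 8/22 state in VLAN 172 changed to forwarding
2002 Jan 16 02:16:01 %PAGP-5-PORTTOSTP:Port 8/23 joined bridge port 8/23
2002 Jan 16 02:16:02 %SPANTREE-6-PORTFWD: Port 8/23 state in VLAN 172 changed to forwarding
2002 Jan 16 02:16:06 %PAGP-5-PORTTOSTP:Port 6/23 joined bridge port 6/23
2002 Jan 16 02:16:07 %SPANTREE-6-PORTFWD: Port 6/23 state in VLAN 172 changed to forwarding
2002 Jan 16 03:41:28 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
2002 Jan 16 03:41:29 %PAGP-5-PORTFROMSTP:Port 7/16 left bridge port 7/16
2002 Jan 16 03:41:35 %SYS-6-CFG_CHG:Global block changed by SNMP/216.141.33.71/
2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
2002 Jan 16 03:41:47 %PAGP-5-PORTTOSTP:Port 7/16 joined bridge port 7/16
2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 7/16 state in VLAN 172 changed to forwarding
2002 Jan 16 03:41:48 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding
2002 Jan 16 03:44:27 %PAGP-5-PORTFROMSTP:Port 8/17 left bridge port 8/17
2002 Jan 16 03:44:43 %PAGP-5-PORTTOSTP:Port 8/17 joined bridge port 8/17
2002 Jan 16 03:44:44 %SPANTREE-6-PORTFWD: Port 8/17 state in VLAN 172 changed to forwarding
"""

# "<year> <Mon> <day> <hh:mm:ss> %FACILITY-<sev>-MNEMONIC:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"%(?P<facility>[A-Z_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<msg>.*)$"
)
PORT_RE = re.compile(r"\bPort (\d+/\d+)\b")
SNMP_RE = re.compile(r"SNMP/(\d+\.\d+\.\d+\.\d+)/")


def parse_line(line):
    """Parse one CatOS syslog line; returns None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = PORT_RE.search(m.group("msg"))
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S"),
        "facility": m.group("facility"),
        "mnemonic": m.group("mnemonic"),
        "msg": m.group("msg"),
        "port": port.group(1) if port else None,
    }


def analyze(log_text, flap_threshold=2, correlate_seconds=60):
    """Per-port leave/join counts and outage lengths, the list of flapping
    ports, and config changes paired with ports that dropped just before them.
    flap_threshold and correlate_seconds are illustrative assumptions."""
    ports = defaultdict(lambda: {"leaves": 0, "joins": 0, "outages": []})
    down_since = {}        # port -> timestamp of its most recent leave
    leave_events = []      # (timestamp, port) for every leave seen
    config_changes = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["mnemonic"] == "CFG_CHG":
            src = SNMP_RE.search(ev["msg"])
            config_changes.append({"ts": ev["ts"], "source": src.group(1) if src else None})
            continue
        if ev["port"] is None:
            continue
        p = ports[ev["port"]]
        if ev["mnemonic"] == "PORTFROMSTP":        # port left the bridge
            p["leaves"] += 1
            down_since[ev["port"]] = ev["ts"]
            leave_events.append((ev["ts"], ev["port"]))
        elif ev["mnemonic"] == "PORTTOSTP":        # port rejoined the bridge
            p["joins"] += 1
            if ev["port"] in down_since:
                gone = ev["ts"] - down_since.pop(ev["port"])
                p["outages"].append(int(gone.total_seconds()))
    for change in config_changes:
        change["ports_down_before"] = sorted(
            port for ts, port in leave_events
            if 0 <= (change["ts"] - ts).total_seconds() <= correlate_seconds
        )
        change["ts"] = change["ts"].isoformat(sep=" ")
    return {
        "ports": dict(ports),
        "flapping": sorted(n for n, p in ports.items() if p["leaves"] >= flap_threshold),
        "config_changes": config_changes,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for name, p in sorted(report["ports"].items()):
        print(f"port {name}: left {p['leaves']}x, outages (s) {p['outages']}")
    print("flapping:", report["flapping"])
    for c in report["config_changes"]:
        print(f"config change at {c['ts']} via SNMP from {c['source']}; "
              f"ports down in prior 60 s: {c['ports_down_before']}")
```

Run against the posted buffer this shows every outage lasting 16-19 seconds, only 8/17 dropping more than once, and the SNMP write from 216.141.33.71 landing seven seconds after 8/17 and 7/16 went down; whether that write was a reaction to the drops or part of the cause is exactly the question to put to the customer before scheduling reboots.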

RE: Dose PBX has a E1 interface? [7:32404]

2002-01-18 Thread Rik Guyler

Most PBXs are modular, at least to a degree and so you would most likely
have the choice to add a linecard to support E1 circuits.

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent: Friday, January 18, 2002 11:02 AM
To: [EMAIL PROTECTED]
Subject: Re: Dose PBX has a E1 interface? [7:32404]


call up your PBX vendor and ask.

or take a close look at the cards in the PBX - they might be labeled. (
which would be how the Cisco guy made the determination )

There is no reason that most PBX's would not support E1 - the vendors want
to sell in Europe too. Some of the low end stuff and key systems might not
support E1 in particular lines or models.

HTH


qin jonson wrote in message news:[EMAIL PROTECTED]...
 The ciscoman told me the PBX had an E1 interface, but I asked
 somebody if it was real. They told me any type of PBXs had NOT an E1
 interface. Who knows the correct answer? Please tell me, appreciate your
 help.
 regards,
 jonsonqin




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32489t=32404



Multiple posts [7:32204]

2002-01-16 Thread Rik Guyler

A few days ago I started receiving duplicate emails from the Groupstudy.
Now I am receiving triplicate emails.  Anyone else experiencing this?

---
Rik Guyler




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=32204t=32204



RE: Autosense this ... (add to your knowledgebase) [7:30446]

2001-12-29 Thread Rik Guyler

It's been more than once when I've encountered autonegotiation/autosense
issues between a Cisco router and Cisco switch.  I've even seen problems
when both interfaces were 10/100 and both hard-coded to 100/full and the
link wouldn't come up.  This may be a chink in the Cisco armor as I rarely
encounter issues with autonegotiation/autosense with other equipment but
when I install a new Cisco network, one thing I ALWAYS have to do is go
through the 10/100 ports of every switch and look for duplex (and sometimes
speed) mismatches.  Crazy...

Rik

-Original Message-
From: Kane, Christopher A. [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, December 29, 2001 11:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Autosense this ... (add to your knowledgebase) [7:30446]


It's unfortunate that sometimes when things break, they don't perform in
expected ways. Whether it truly was an Autosense problem or not, who knows.
But it brings up a chance to talk about Autosense. I've had it bite me more
than once. I've had problems with Autosense that didn't show up until months
after installation. It doesn't matter if it's Cisco to Cisco or Cisco to
another vendor, I've had to lock down ports at certain speeds and modes to
solve problems on several occasions. Just to pass along some experience, you
may always be better off hard setting your options. Nice persistence Mr.
Jensen, it's cool to stick with something until you can make it work.

Chris

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, December 29, 2001 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Autosense this ... (add to your knowledgebase) [7:30446]


An interesting read, particularly since I am reviewing Kennedy Clark's Cisco
LAN Switching book prior to reviewing Cat5K and Cat 3920 configuration.

I am somewhat surprised at both the phenomenon and the conclusion. Spanning
tree blocks for particular reasons.

When you concluded that your configurations were identical at all offices,
does that mean that your port negotiations were set to auto everywhere else?
Both on the routers and on the local switches? If so, I would expect to see
similar problems elsewhere.

Is it possible that there was a duplicate MAC someplace in another part of
the bridged network, one that was being picked up by STP and interpreted as
a loop? You mention changing MACs of interfaces as part of your
experimentation. Are you certain that this process was not part of the
solution?

To be frank, I'm hard pressed to come up with a reason why the FE port on
the router would go into blocking. I can see that happening on the serial
port for reasons that have been discussed on this group in the past. I can't
come up with a rationale as to why hard setting of speed and duplex would
make a difference. I suppose one MIGHT conclude that if the port is in full
duplex, the STP process MIGHT see a loop occurring over the two different
wire pairs. That's about the only wild rationale I can come up with. And
that one is really stretching the point / bug / whatever.

In any case, thanks for the good read.

Chuck


Ole Drews Jensen wrote in message news:[EMAIL PROTECTED]...
 After a fun evening last night, I have decided not to trust the
 autosensing on ethernet interfaces anymore.

 I was at a branch office where the users could not access the
 corporate network. The router, a 1720 setup as a bridge with the same
 IP address for the FastEthernet as the Serial subinterface, both
 configured for bridge-group 1. It was connected to a 2620 at the
 corporate office via a Fractional Frame Relay connection.

 I changed the switch out with an old spare hub I had lying around, and
 connected only one workstation from the local network. After starting
 the router up, I could ping the local workstation, and I could ping
 devices on the corporate network, so both my FastEthernet and Serial
 interfaces were working fine. However, I could not ping anything on
 the corporate network from my workstation, nor could I from a telnet
 connection to my corporate router ping the workstation, so traffic was
 not being passed through between the interfaces.

 That looked like a typical routing problem, but the only problem was
 that I was not routing, I was bridging, so ?

 I did a show bridge 1 group and saw that the FastEthernet was in a
 blocking state by the spanning tree, so something was wrong here. I
 cleared the arp table on the router and on all other routers and
 switches. I tried to assign a different mac address to the FE
 interface. I tried a different workstation. No matter what I did, it
 kept being in a blocking state.

 I went in and did a bridge-group 1 spanning-disabled on the
 interface, and it changed to forwarding state, but I could still not
 pass traffic through.

 This is when I called TAC, but after I guided them through to a telnet
 connection to my routers, they decided after three hours that
 something weird was going on with the
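
Added example (mine, not Rik's, Chris's or Ole's): a Python script that does the port-by-port duplex and speed audit Rik describes, run against constructed output in the style of IOS `show interfaces status` plus a hand-entered list of server NIC settings and cabling. The switch names, port names, NIC settings and cable records are all made up for the example. Beyond a plain mismatch it also flags links where only one side negotiates, since a port on auto that faces a hard-set peer receives no negotiation frames and ends up at half duplex, which is the classic way these show up months after installation.

```python
"""Audit 10/100 links for speed/duplex mismatches across switches and NICs."""
import re

# Constructed sample in the style of IOS 'show interfaces status'
# for two hypothetical switches, A and B.
SWITCH_A = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1     uplink-to-B        connected    trunk      a-full  a-100 10/100BaseTX
Fa0/2     server1            connected    10           full    100 10/100BaseTX
Fa0/3     server2            connected    10         a-half  a-100 10/100BaseTX
Fa0/4                        notconnect   10           auto   auto 10/100BaseTX
"""
SWITCH_B = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/24    uplink-to-A        connected    trunk      a-full  a-100 10/100BaseTX
"""

STATUS_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<name>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)\s+"
    r"(?P<duplex>a-full|a-half|full|half|auto)\s+(?P<speed>a-\d+|\d+|auto)\s+(?P<type>.*)$"
)


def endpoint(duplex, speed, status="connected"):
    """Normalise one end of a link. An 'a-' prefix means the value was negotiated."""
    return {
        "duplex": duplex.replace("a-", ""),
        "speed": speed.replace("a-", ""),
        "auto": duplex.startswith("a-") or speed.startswith("a-") or duplex == "auto",
        "status": status,
    }


def parse_status(output):
    """Turn 'show interfaces status' text into {port: endpoint}; the header is skipped."""
    ports = {}
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            ports[m.group("port")] = endpoint(m.group("duplex"), m.group("speed"),
                                              m.group("status"))
    return ports


def check_link(a, b):
    """Return findings for one cable between endpoints a and b (empty list = clean)."""
    if a["status"] != "connected" or b["status"] != "connected":
        return ["link not up"]
    findings = []
    if a["duplex"] != b["duplex"]:
        findings.append("duplex mismatch")
    if a["speed"] != b["speed"]:
        findings.append("speed mismatch")
    # A negotiating port facing a hard-set peer sees no negotiation frames and
    # falls back to half duplex; flag the pairing even if it happens to match
    # today, because it will not survive a reboot or a cable swap reliably.
    if a["auto"] != b["auto"]:
        findings.append("one side auto, other side forced")
    return findings


def build_inventory():
    """Hypothetical inventory: two switches plus NIC settings read off the servers."""
    return {
        "A": parse_status(SWITCH_A),
        "B": parse_status(SWITCH_B),
        "nic": {
            "server1": endpoint("full", "100"),   # hard-set 100/full, matches Fa0/2
            "server2": endpoint("full", "100"),   # hard-set 100/full, but Fa0/3 is on auto
        },
    }


# Cabling records (constructed): which port is plugged into which.
LINKS = [
    (("A", "Fa0/1"), ("B", "Fa0/24")),
    (("A", "Fa0/2"), ("nic", "server1")),
    (("A", "Fa0/3"), ("nic", "server2")),
]


def audit(inventory, links):
    """Check every cabled pair; returns {link label: findings}."""
    report = {}
    for (dev_a, port_a), (dev_b, port_b) in links:
        label = f"{dev_a}:{port_a} <-> {dev_b}:{port_b}"
        report[label] = check_link(inventory[dev_a][port_a], inventory[dev_b][port_b])
    return report


if __name__ == "__main__":
    for link, findings in audit(build_inventory(), LINKS).items():
        print(f"{link}: {', '.join(findings) or 'OK'}")
```

The only thing the switch can tell you on its own is its side of each link; the cabling records and NIC settings are what turn a list of ports into a list of mismatched pairs, so keep those records current or the audit is only half done.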

RE: Lab Attempt #2 - no go :- [7:28142]

2001-12-05 Thread Rik Guyler

Chuck, I can read the frustration in your post...I feel your pain.  I have
to say I am surprised to hear that your experience with the new lab was not
a good one.  If there is anybody I would say that about, it is you.  

I hope you are planning a vacation from Cisco.  Certainly you are tired.  A
rested mind will make the choice to take the lab again (and take no
prisoners).  A rested mind will identify the objectives more clearly.  And
of course a rested mind will focus, comprehend and retain the required
information more completely.

Keep up the good work dude!

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 04, 2001 8:35 PM
To: [EMAIL PROTECTED]
Subject: Lab Attempt #2 - no go :- [7:28142]


I wish I could say it took so long to get my results back because my
excruciatingly sophisticated solutions to the problems presented required
detailed and intimate analysis. Alas, that was not the case.

For those ninnies who complain that the one day lab devalues the process,
all I can say is WRONG! The lab I saw was far more difficult than I remember
from my previous attempt, and my previous attempt was NOT easy. In my first
attempt, I did not see anything I couldn't do. This time, although FAR
better prepared, I saw LOTS of things I couldn't do. IMHO, the one day
format, with the elimination of the monkey tasks, allows Cisco to demand a
lot more. The 26 points previously allocated to terminal server setup,
cabling, and troubleshooting all go someplace. WOW! The places they went!
Previous topics that were glossed over appeared in depth. Cisco continues to
up the ante, and not always in ways one might expect. Some things I wouldn't
have expected were there in spades. Probably THE major factor continues to
be reachability. If you don't understand the implications of the given
network topology, and given interactions, you will be screwed.

The topology presented was interesting. Amazing what one can do on a six
router / two switch pod to wreak havoc and let you know what an idiot you
are. Devious doesn't begin to describe it. Bootcamp and IPExpert - it ain't
the number of routers, boys!

The e-mail feedback is amusing, but not particularly informative. I failed
with a score greater than 20, meaning I can go back in 30 days for more
humiliation, if I so desire. The breakdown percentages ( not scores ) would
be of more interest if I were sitting with the proctor discussing the whys
and the expectations. Otherwise it does me no good at all. For example, I
solved a particular problem doing something a particular way. It worked just
fine in terms of the results. Yet on that section I scored very poorly. What
were they looking for?

Fat fingers are still the major enemy for me, at least. It's no fun fat
fingering on a Cat 5K. Not by any means. It also helps to be certain layer
two stuff is done correctly.

Well, debriefing will be fun. I have the topology duplicated in my home lab,
and I will enjoy analyzing the problems I saw in the real lab. No you
can't telnet in to look. DON'T ASK!

In terms of seating, it appears to me that there are now more racks in the
lab, in San Jose, anyway. Half the seats are taken by those testing. The
other half seem to be those used the previous day. The proctors crank
through the idle racks, grading the previous day's results.

One last thing. I know what CCO says, and I know what IOS I saw on my rack.
Rats. The advertised IOS would have gone a long way towards eliminating a
particular problem I had. Not complaining, because any CCIE should have been
able to solve the particular puzzle no matter what the IOS involved. Just
observing that some things are still in the process of change.

The proctors are still the good folks I remember from last time. Too bad we
are not given the opportunity for more interaction afterwards. I would
really have enjoyed discussing my results.

Whelp, another time.

Chuck




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=28244t=28142



RE: Ohio [7:26942]

2001-11-20 Thread Rik Guyler

Dayton

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 20, 2001 6:04 PM
To: [EMAIL PROTECTED]
Subject: Ohio [7:26942]


I would like to know if there are any users on this board from Central Ohio.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26948t=26942



RE: CCIE#8387 [7:26309]

2001-11-14 Thread Rik Guyler

Dude, you are SOOO the man!  Congrats!

Rik

-Original Message-
From: Nigel Taylor [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 14, 2001 7:55 PM
To: [EMAIL PROTECTED]
Subject: CCIE#8387 [7:26309]


Well as it would turn out it's my turn to write that awesome email...  I
just got back from RTP today where after checking my email, I was awarded
CCIE#8387. What a journey/process this has been and I must say that I'm
relieved that it's now over.  After countless hours of study and practicing
on the rack the reward was most definitely worth the sacrifice.

I didn't sleep any last night as I awaited the results of my lab score
which I was unable to check until 12 noon today. So on that note I'm off to
catch up on the sleep that escaped me last night.

More to follow once I get rested up..

Nigel Taylor
CCIE#8387 and all that other stuff.. :-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26325t=26309



RE: 2 sets of Gigabit Ethernet Channels. [7:26317]

2001-11-14 Thread Rik Guyler

Sure it's possible.  No problemo.  This is no different than connecting the
Cats together via single Gig links.

Rik

-Original Message-
From: Washington Rico [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, November 14, 2001 9:30 PM
To: [EMAIL PROTECTED]
Subject: 2 sets of Gigabit Ethernet Channels. [7:26317]


As always I appreciate your input on anything you cisco people can give me.

Question:

If you have 3 cat6500's...

Cat 1 and 2 are already channeled by Gigabit ethernet.  Can I channel Cat 3 
to Cat2 by Gigabit as well?  This will obligate Cat 2 to have 2 sets of 
channels all are Gigabit...is this possible??





Subject: Re: Gigabit Ethernet Channels. [7:26077]
Date: Tue, 13 Nov 2001 13:45:56 -0500

I wouldn't create 2 etherchannels between the switches, as this creates
a loop, and with STP enabled, one of the channels would be disabled.
Use all 4 ports, or 2 of the ports; one from each supervisor engine. The
commands to accomplish this would be as follows:

set port chan 1/1,2/1 on (2 port etherchannel, one from each supervisor
engine)
set port chan 1/1-2/2 on (4-port etherchannel)

-Brant.

- Original Message -
From: Washington Rico
To: 
Sent: Tuesday, November 13, 2001 1:28 AM
Subject: Gigabit Ethernet Channels. [7:26077]


  As always I appreciate your input on anything you cisco people can
  give me.

  Question..
  I am trying to create a Gigabit ethernet channel from two Cat 6500s.
  Cat A Gigabit ports 1/1-2 and 2/1-2.  Cat B Gigabit ports 1/1-2 and 2/1-2.
  Can I create a channel where Cat A ports 1/1,2/1 are on the same channel
  or am I forced to use contiguous ports as 1/1-2 as one channel group?

  Cat software 5.5.7
 
 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=26327t=26317



RE: Convert Voice T1 to Fram-Relay T1? [7:25063]

2001-11-02 Thread Rik Guyler

Yes, but not by you.  If the Voice provider is the same as the FR provider,
then the T1 could possibly be reprovisioned for a FR data circuit.  In this
case, however, I would think most providers would prefer to just run another
circuit into your facility and then turn off the old one.  

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent: Friday, November 02, 2001 10:14 AM
To: [EMAIL PROTECTED]
Subject: Convert Voice T1 to Fram-Relay T1? [7:25063]


Is it possible to convert a voice T1 to a frame-relay
T1 ? 

Thanks

__
Do You Yahoo!?
Find a job, post your resume.
http://careers.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=25085t=25063



RE: MAC address and VLANs [7:23950]

2001-10-24 Thread Rik Guyler

Priscilla, I'm going to open my mouth wide in preparation for my size 11
foot.  While I agree with your core message, I tend to believe that you may
be looking at a typical modern network through rose colored glasses.  For
example, I have been working with 3 small/medium (700-1000+ hosts) sized
networks recently.  All 3 flat and all 3 suffering from excessive
broadcasts.

I agree that in an ideal situation, the PCs have 1000MHz+ processors,
100Mb full-duplex connections, and only IP across the wire.  However, while
a commendable vision, I just don't see it that way in the field.  There are
always older PCs on the network, substandard cabling, a myriad of protocols
(typically from network printers operating with the default protocols),
and/or other issues that just can't be easily and quickly fixed.  In the
cases of my clients previously mentioned, VLANs are the immediate cure.

Priscilla, I surely mean absolutely no disrespect, so I guess we'll just
have to agree to disagree that VLANs are still a good thing!  Besides, I
don't believe we can ever say they won't be useful but rather we'll just
need fewer and fewer of them as the size of our well designed IP networks
grow because of the reasons you already mentioned.

Rik

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 24, 2001 7:52 PM
To: [EMAIL PROTECTED]
Subject: RE: MAC address and VLANs [7:23950]


Hooray for you, PO! You are absolutely correct.

In military science, it is well known that military establishments enter any
war prepared to fight the previous one. In these days of DSL to the home
desktop, 100 megabit to the office desktop, ATM backbone WANS, and HTML
based applications, we networking students study various means of eking out
another packet or two on 56K links. Anyone here see the point of ISDN backup
for DS3 links? ;-

Your forward thinking is commendable.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Priscilla Oppenheimer
Sent: Wednesday, October 24, 2001 11:51 AM
To: [EMAIL PROTECTED]
Subject: Re: MAC address and VLANs [7:23950]


The multi-VLAN feature that Leigh Anne mentioned might solve your problem.
The Cisco switch port could be associated with two VLANs that way. You
didn't say which switch you have, and this feature may not be available on
all Cisco switches, though.

Assuming that you don't want to upgrade the little switch to one that does
802.1Q or ISL, another somewhat radical fix to the problem might be to not
use VLANs. My philosophy is that once VLANs get to the point of causing more
problems than they fix, I eliminate them. ;-)

One of the main things VLANs were supposed to fix was excessive broadcasts
causing too many CPU interruptions on numerous workstations in a large,
flat, switched network.

Lately I have taken to making the controversial statement that this problem
doesn't exist on many modern networks. These days workstations have
amazingly fast CPUs. They are not bogged down by processing broadcasts.
Also, as we eliminate older desktop protocols such as AppleTalk and IPX,
what is still sending broadcasts? An ARP here or there is not a big problem.
And ARPs don't actually happen that often. A PC keeps the data-link-layer
address of its default gateway and other communication partners for a long
time.

Also, a lot of PC NICs used to be stupid about multicasts and interrupt the
CPU for irrelevant multicasts for which the PC was not registered to listen.
I bet that bug has been fixed by now.

VLANs have other benefits (security, dividing up management and
administrative domains, etc.) But if broadcasts are the issue, one should
ask:

Which protocols send broadcasts and how often?
How fast are the CPUs?

And that is my latest harangue against my least favorite LAN technology
(VLANs!)

Priscilla

At 09:52 AM 10/24/01, NetEng wrote:
Thanks for the replies. The two MAC addresses would come from the two
PCs in an office. They would both connect in to a hub and then the hub
would uplink to the Cisco switch. I need one PC in VLAN1 and one PC in
VLAN2, from what you and Dennis stated this will not work. I appreciate
the comments though.

Collin

Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
  Actually, that's not correct.  The original specification for VLANs
  from what I understand mandates that only one VLAN can be assigned
  to a port, but manufacturers such as 3COM decided to do otherwise and
  support multiple VLANs per port.  Cisco responded by creating (on
  certain switches such as the Catalyst 2900XL) an administrator to
  configure a port to be a member of more than one VLAN at a time when
  using a membership mode known as Multi-VLAN. A Multi-VLAN port can
  belong to up to 250 VLANs; the actual number of VLANs to which the
  port can belong depends on the capability of the switch itself.
  Although the concept is similar, this membership mode is

RE: help with troubleshooting Cisco VPN connection [7:23695]

2001-10-23 Thread Rik Guyler

Using a different IP subnet is the way to do it.  The PIX treats this like a
virtual interface and has the intelligence built in to forward traffic
between the inside and the VPN address range.

Looking at your config, I agree with removing the conduit statement but I
don't believe that is causing the issue.  Really, besides some unexpected
things (such as no NAT for Internet access), I don't see anything glaringly
obvious that would cause your issue.  The one thing I know I have had issues
with is using numbers for access lists on a PIX.  Recently, I lost track of
what I was configuring and used numbered (extended IP) access lists on a PIX.
Nothing worked right!  I noticed my mistake, changed the access lists to my
normal names and everything worked again.  I suggest trying this.  Also, if
the access list 80 is not needed, which doesn't look to be in this config, I
would remove it as well.  Other than that, I might suspect that you have a
hardware issue since this same config works on a similar PIX with the same
OS.

Rik

-Original Message-
From: chris [mailto:[EMAIL PROTECTED]] 
Sent: Monday, October 22, 2001 11:36 PM
To: [EMAIL PROTECTED]
Subject: Re: help with troubleshooting Cisco VPN connection [7:23695]


In your config below the vpn client is being assigned an address that is on
a different subnet than the inside interface of the pix and there is no sign
of a router on that subnet (no default inside route to a router).

BTW, you may want to get rid of the conduit permit any any!

Chris

Anh Lam wrote in message news:[EMAIL PROTECTED]...
 Can someone in this group help me with this problem?

 I am trying to setup VPN connections for remote users (people who use
 laptops on the road or people who are on their own corporate network)
 to connect to my home network using IPSec.  I am using a PIX515-UR
 Firewall at my home network. The external IP address (outside) of the
 PIX is 66.61.46.240 while the internal IP address (inside) of the PIX
 is 172.16.1.254.

 On the PIX, I also setup an IP pool so that the PIX will assign IP 
 address to remote clients when they connect to my home network.  This 
 ip pool has ip range of 172.16.2.1-172.16.2.254.

 On the clients side, everyone is running Cisco VPN client software
 version 3.0.6.rel2-k9 which I downloaded from the Cisco website.  The
 clients are running either WinNT 4.0 workstation, or Win2k
 Professional or RedHat Linux 7.1 with kernel 2.4.10.

 When a client attempts to make a VPN connection to the PIX
 (66.61.46.240), the connection is successful and the client is also
 assigned an IP address of 172.16.2.1.  So what is the problem you ask?
 Well, even though the client is successfully authenticated to my home
 network, he/she can NOT ping any of the devices in the 172.16.1.0/24
 network.  From the client, I can see the packet gets encrypted before
 sending out but nothing coming back (the counter on the packet
 decrypted on the client is zero).  Rebooting the PIX several times
 did not resolve the situation either.

 At this point, I decided to replace the PIX515 with a PIX520 with the 
 exact configuration.  With the PIX520, everything WORKS. Client can 
 access devices on the 172.16.1.0/24 network. I am running the same PIX 
 IOS code on both the 515 and 520.  Am I missing something in the 
 PIX515?  I thought since I am running the
 Un-Restricted(UR) license, VPN is supported.  Below is the 
 configuration of the PIX515.  Please help.

 Thanks.
 Anh

 ciscopix#sh ver

 Cisco PIX Firewall Version 6.1(1)
 Cisco PIX Device Manager Version 1.0(2)

 Compiled on Tue 11-Sep-01 07:45 by morlee

 ciscopix up 9 hours 37 mins

 Hardware:   PIX-515, 96 MB RAM, CPU Pentium 200 MHz
 Flash i28F640J5 @ 0x300, 16MB
 BIOS Flash AT29C257 @ 0xfffd8000, 32KB

 0: ethernet0: address is 0050.54ff.7a24, irq 10
 1: ethernet1: address is 0050.54ff.7a25, irq 7
 2: ethernet2: address is 00aa.00bc.ba87, irq 11

 Licensed Features:
 Failover:   Enabled
 VPN-DES:Enabled
 VPN-3DES:   Disabled
 Maximum Interfaces: 6
 Cut-through Proxy:  Enabled
 Guards: Enabled
 Websense:   Enabled
 Inside Hosts:   Unlimited
 Throughput: Unlimited
 ISAKMP peers:   Unlimited

 ciscopix# wr t
 Building configuration...
 : Saved
 :
 PIX Version 6.1(1)
 nameif ethernet0 outside security0
 nameif ethernet1 inside security100
 nameif ethernet2 dmz security99
 enable password xxx encrypted
 passwd x encrypted
 hostname ciscopix
 domain-name micronet.com
 fixup protocol ftp 21
 fixup protocol http 80
 fixup protocol h323 1720
 fixup protocol rsh 514
 fixup protocol rtsp 554
 fixup protocol smtp 25
 fixup protocol sqlnet 1521
 fixup protocol sip 5060
 fixup protocol skinny 2000
 no names
 access-list 101 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
 access-list 101 permit ip host 66.61.46.240 172.16.2.0 255.255.255.0 
 access-list 80 permit ip 172.16.1.0 255.255.255.0 172.16.2.0 
 

RE: CCIE written exam format [7:23970]

2001-10-23 Thread Rik Guyler

Yes to both.  In the future, please check the archives at www.groupstudy.com
for the answers to such questions - they get asked many times over on a
regular basis.

Thanks,

Rik

-Original Message-
From: juno vtv [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, October 23, 2001 9:30 PM
To: [EMAIL PROTECTED]
Subject: CCIE written exam format [7:23970]


Hi everybody!

Can someone tell me what the format is for the CCIE written?  I've heard
that you can go back and change your answers.  I've also heard that they
don't tell you how many answers there are on the multiple choice.  Thanks!

-junovtv




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23977t=23970



RE: fast switching [7:23969]

2001-10-23 Thread Rik Guyler

Gosh Jenny, I don't have a clue but in the past I've had to reboot equipment
at times to make a few rare changes take full effect so maybe you're
correct.  How much pain is involved in rebooting it?

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]

Sent: Tuesday, October 23, 2001 9:07 PM
To: [EMAIL PROTECTED]
Subject: fast switching [7:23969]


Something odd is happening on my network... (not that that's unusual...)

I have a couple of 7507s connected by two E1 links.  For various reasons,
the links are set up with fast switching disabled (mainly because there are
single sessions with enough traffic to flood a single link).  The 7507 on
one side is running IOS 11.2.  Last weekend the 7507 on the other side was
upgraded to 12.1(10). According to 'show ip int', fast switching and flow
switching are disabled (on both links at both ends).  However, MRTG shows
that the traffic from the 12.1 router to the 11.2 router is not balanced
evenly across the two links.  Traffic from the 11.2 router to the 12.1
router is balanced.

Any guesses as to why this is so?  Bug (surely not, this is Cisco...:-)? Is
a reboot or shut/no shut required to change switching states (I didn't do
the upgrade myself and I'm not sure what exact configuration sequence was
used)?  Something really obvious I'm missing here?

Ta,
JMcL




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23978t=23969



RE: GBIC: WS-G5484 / WS-G5486 [7:22675]

2001-10-21 Thread Rik Guyler

Ole, I apologize for getting back so late!  I went out of town after
originally responding and just returned back.

Actually the 3500 switches support the copper GBIC as well, just make sure
you put a newer IOS on the switch or it won't recognize it.  That's the
beauty of the GBIC design - all are supported in any GBIC slot, which makes
everything so modular.  Going the way you described would be expensive and
I'm not sure even possible.  I have not seen a Gb media converter but that
doesn't mean they don't exist.  In any case, I would stay with the copper
stuff and save your money.

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 11, 2001 9:14 AM
To: 'Rik Guyler'; [EMAIL PROTECTED]
Subject: RE: GBIC: WS-G5484 / WS-G5486 [7:22675]


Rik,

I apologize if this question is terribly stupid, but I have zero experience
with fiber communication (yet).

As far as I can see, the available Gigabit modules for the 3500 series are
all fiber, so I assume that I will have to go with fiber, and then get some
kind of a fiber to copper converter too if I wish to use CAT5 (or better)
for the media.

How does your installation look regarding this?

Thanks in advance,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job ~~~


-Original Message-
From: Rik Guyler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 10, 2001 7:29 PM
To: [EMAIL PROTECTED]
Subject: RE: GBIC: WS-G5484 / WS-G5486 [7:22675]


Ole, I have installed several Gb Intel cards (no other however) and have had
no real issues.  If you do use these cards, don't use the shipping drivers
(at least for NT) - they are bad news.  Download the latest from their site
and all will be good.  CCO has several papers describing the issue if you
feel the need.

If you compare the prices of the copper versus the fiber Gb cards, the price
difference is huge - $500-$600 for the fiber cards and less than $200 for
the copper version.  I have installed a few of the fiber variety but
typically the client wants the cheaper alternative.  I have had nothing but
success using existing Cat5 cable.  Cat5e might be the preferred variety but
the plain ol' Cat5, provided it's terminated, installed, etc. well, should
work fine.

Rik

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 10, 2001 3:11 PM
To: [EMAIL PROTECTED]
Subject: GBIC: WS-G5484 / WS-G5486 [7:22675]


Any success stories about a Catalyst with either of these two GBIC's and an
NT 4.0 server equipped with a Gigabit NIC (brand/model).

Most of the NIC's are around $500.- to $600.-, but there are some around
$100.- to $200.- Are they okay, or just cheap crap with a lot of lost frames
and incompatible drivers?

Also, any happy experiences with Gigabit running over existing CAT5 cables?

I thought that since it has been almost two years since I got my last
speeding ticket, I might as well accelerate a bit (or actually all the
bits).

Thanks,

Ole

~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNP, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
~~~ 
 http://www.RouterChief.com
~~~
 NEED A JOB ???
 http://www.oledrews.com/job ~~~




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23668t=22675



RE: Word of Caution [7:23363]

2001-10-21 Thread Rik Guyler

While I don't judge people by their mistakes, I do tend to judge them by how
they correct them.  Was it Debbie's fault your systems went down?  No.  I
don't pretend to live in a world where malfunctions don't happen, but when
your systems take a crap you should be ready to deal with the fallout.  

Seems to me that just eating the $500 would have been cheaper than having to
now clean up the mess and deal with the lost revenue of many, such as
myself, that will never buy anything from you.  Besides, it would appear
that Debbie's bad experience was hardly the first according to other members
of our group and we just don't need crap like that to deal with, especially
since we have quality vendors like Brad Ellis (Big Brad!) to work with
instead.  Before you ask, I don't work with Brad in any way...I am a
customer only.

Rik Buy Only From Brad Guyler

-Original Message-
From: Robert Davie [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, October 18, 2001 10:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Word of Caution [7:23363]


I would like to respond to a message (below) that went out over a GroupStudy
mailing list regarding our company.

When our system is functioning properly (99%) we have two mechanisms that
work that were not working when Debbie placed her order:
  1. A guard against low-ball offers for items that have sale prices.  This
guard prevents offers of less than 80% of the sale price.  (Debbie's offer
was $100 for a $600 item.)
  2. Order Acceptance.  This was malfunctioning and accepting orders that
were being declined. After explaining this to Debbie, who appears to be a
very knowledgeable and market savvy person, we felt that the system
malfunction would garner her understanding.

She threatened to send out an email to the GroupStudy mailing list if we did
not fulfill the order, and we indicated that we would respond to her email
message.

Having been in sales all my life and career and with happy customers ranging
from AT&T to Sun Microsystems, I feel this is a very unfortunate occurrence.

Robert Davie
EVP
Ph: 919-388-9993 x3102
Fax: 919-388-9992
ITParade.com, Inc.


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Debbie Westall
Sent: Wednesday, October 17, 2001 9:08 AM
To: [EMAIL PROTECTED]
Subject: OT: A Word of Caution about Vendor [7:23244]

Greetings,

I wanted to give everyone a heads-up on the list about
a vendor I recently dealt with over the Internet.

The web site is www.itparade.com.

They are a site that acts as a middleman for sellers
of equipment.

Last week I put an offer on a router (2501). I admit
the offer was very low, but I had never used this site
so I figured why not. A couple of hours later I
received an email from them saying that my offer was
accepted by the seller and I was to log on to another
site to make payment arrangements. I logged into
PitNeyPay.com to add my credit card info as requested.
The next day I received a phone call from a person at
itparade, saying they have pulled my offer, that the
seller actually rejected my offer but itparade's web
site was broken so the email went out incorrectly.
The person at itparade, also mentioned that the seller
would be more than happy to sell me that piece of
equipment for 600.00 rather than my offer. Which would
have been more than double my initial offer. Needless
to say, I rejected that.

I spoke to the Executive VP and the CEO of the company
to no avail. They will not stand behind the email that
came to me that my offer was accepted.

Just wanted to give everyone a heads-up to STAY AWAY
from this site. If it sounds too good to be true, it
probably is.

Has anyone used them before or heard of them?

Thanks

Debbie


__
Do You Yahoo!?
Make a great connection at Yahoo! Personals. http://personals.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=23677t=23363



RE: route cache? [7:22262]

2001-10-05 Thread Rik Guyler

I agree with the "pretty much always" except when you want to load balance
over multiple paths.  When multiple paths exist, fast switching moves data
on a per-destination basis and not a per-packet basis as process switching
does.  Given different amounts of data will most likely be sent to different
destinations, it would be possible to saturate one link while another goes
relatively unused with fast switching.

Of course, who am I to challenge a Madman?  ;-}

Rik

-Original Message-
From: MADMAN [mailto:[EMAIL PROTECTED]] 
Sent: Friday, October 05, 2001 5:47 PM
To: [EMAIL PROTECTED]
Subject: Re: route cache? [7:22262]


Pretty much always, it's default, AKA fast switching.  The command no ip
route-cache enables process switching which is very CPU intensive. 

  Dave

george gittins wrote:
 
 when is it a good idea to enable route-cache
-- 
David Madland
Sr. Network Engineer
CCIE# 2016
Qwest Communications Int. Inc.
[EMAIL PROTECTED]
612-664-3367

Emotion should reflect reason not guide it




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=22304t=22262
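An added simulation of the point Rik makes above (example code, not from the thread): per-destination load sharing pins every packet for a given destination to one link, so an uneven spread of bytes across destinations becomes an uneven spread across links, while per-packet distribution evens out regardless of who is talking to whom. The traffic mix and the per-destination link choice (parity of the destination's last octet) are assumptions constructed for the demonstration; real platforms use their own cache population or hashing rules.

```python
"""Per-destination vs per-packet load sharing over two equal-cost links.

Added example, not from the original thread. It models what Rik describes:
fast switching caches a route per destination, so every packet to a given
destination follows one link; process switching alternates packets across
the links. The traffic mix and the per-destination link choice (parity of
the last octet) are constructed for the demonstration.
"""
from collections import Counter

# Constructed traffic mix: (destination, total bytes). One bulk destination
# dominates, as with a busy file server or a backup job.
TRAFFIC = [
    ("10.1.1.10", 900_000),
    ("10.1.1.11", 40_000),
    ("10.1.1.12", 30_000),
    ("10.1.1.13", 20_000),
    ("10.1.1.14", 10_000),
]
MTU = 1500


def packets(traffic, mtu=MTU):
    """Expand the mix into a stream of (destination, size) packets."""
    for dst, total in traffic:
        full, rest = divmod(total, mtu)
        for _ in range(full):
            yield dst, mtu
        if rest:
            yield dst, rest


def pick_link(dst, n_links):
    """Toy per-destination choice (assumption): parity of the last octet."""
    return int(dst.rsplit(".", 1)[1]) % n_links


def per_destination(traffic, n_links=2):
    """Fast-switching model: the cache pins each destination to one link."""
    load = Counter()
    for dst, size in packets(traffic):
        load[pick_link(dst, n_links)] += size
    return dict(load)


def per_packet(traffic, n_links=2):
    """Process-switching model: successive packets alternate across links."""
    load = Counter()
    for i, (_, size) in enumerate(packets(traffic)):
        load[i % n_links] += size
    return dict(load)


def busiest_share(load):
    """Fraction of all bytes on the busiest link (0.5 is ideal for two links)."""
    return max(load.values()) / sum(load.values())


if __name__ == "__main__":
    for name, fn in (("per-destination", per_destination), ("per-packet", per_packet)):
        load = fn(TRAFFIC)
        print(f"{name:16s} {load}  busiest link carries {busiest_share(load):.1%}")
```

With this mix the per-destination model puts 94% of the bytes on one link because the bulk destination can only ever use one of them; per-packet alternation lands within one packet of an even split. The same effect is what MRTG shows when one side of a pair of parallel links is fast switching and the other is process switching.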



RE: Cisco PIX Websense (Accounting) ? [7:21850]

2001-10-04 Thread Rik Guyler

No.  A quick look through the documentation reveals that bytes transferred
is not supported with the PIX.

Rik

-Original Message-
From: Hans Schimek [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 03, 2001 10:50 AM
To: [EMAIL PROTECTED]
Subject: Cisco PIX & Websense (Accounting) ? [7:21850]


We are using a combination of Cisco PIX and Websense Devices. What we want
to achieve is getting accounting information out
of this Websense application.
There is a section called Bytes Transferred - which actually remains 0 -
although the URLs are filtered and logged in the reporter. Is there a
possibility to get this information out of the Cisco PIX?
resp. - Does this device provide any interface statistics per connection
(like: bytes transferred from an IP Address or User)?


thx
hans

---
Hans Schimek
Systems Engineer
NTS Netzwerk Telekom Service
Gesellschaft m.b.H & Co KG
Lembvckgasse 49
1230 Wien
Tel: +43/1/867 67 76-0, Fax: +43/1/867 67 76-56
Web: ,  [EMAIL PROTECTED]

NTS Vertrieb:  [EMAIL PROTECTED]
NTS Support: [EMAIL PROTECTED]
NTS Training:   [EMAIL PROTECTED]





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=22160t=21850



RE: guidance needed for CCIE written exam [7:21807]

2001-10-04 Thread Rik Guyler

I like Bruce's book - coverage of a very broad range of technologies.  If
your only goal is to pass a test then this book may be all you really need.
If, however, you desire to learn how things work, then you will need to
supplement it.  I suggest using Kennedy Clark's CCIE Switching book and of
course Jeff Doyle's Routing TCP/IP.  I also suggest the Cisco Press BCRAN
book for WAN technologies, Lou Rossi's whitepaper on Token Ring (Clark's
book covers TR pretty well but I like Rossi's paper), and CCO for various
whitepapers on the different frame formats and standards (802.x stuff).

Rik

-Original Message-
From: kruegel kurt [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 03, 2001 2:01 PM
To: [EMAIL PROTECTED]
Subject: RE: guidance needed for CCIE written exam [7:21807]


personally i am using bridges router and switches for ccie's by caslow and
boson #1 for prep i'd also like input from anyone else who has passed cciew




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=22163t=21807



RE: CID - WAN switching design resource [7:21810]

2001-10-03 Thread Rik Guyler

Check the archives on www.groupstudy.com.  Some time ago, Chuck Larrieu
posted a CCO link for the Stratacom stuff you might need.

Rik

-Original Message-
From: Donny Mateo [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 03, 2001 3:52 AM
To: [EMAIL PROTECTED]
Subject: CID - WAN switching design resource [7:21810]


Dear List,

I'm taking my CID tomorrow, and still feel a bit uncomfortable with the WAN 
switching stuff (IGX, MGX, BPX).
Can anybody pin point me on the resource that I can use to learn design 
consideration on this stuff ?

tia

Donny

_
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21951t=21810



RE: Cat 6000 [7:21845]

2001-10-03 Thread Rik Guyler

Strange behavior indeed!  I don't know if it's the same thing, but an old,
well-known bug with NT/Win2k and Catalysts is very similar.  Connecting
an NT/Win2k serial port to the console port of a Cat when the PC is booting
will reset or freeze the switch.  I have witnessed (in other words done)
this on several different models of switches.  I've heard that it has to do
with the way NT/Win2k polls the serial port but I haven't confirmed it.
Nowadays, I make sure my notebook is all the way up and my terminal emulator
(Teraterm usually) is up as well.  Funny, but it doesn't seem to affect
routers, firewalls, etc...only the switches.

Rik

-Original Message-
From: Patrick Donlon [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 03, 2001 10:29 AM
To: [EMAIL PROTECTED]
Subject: Cat 6000 [7:21845]


We have a couple of Cat 6Ks running IOS, when CRT terminal software is
starting from a PC with the console cable connected it goes into rom monitor
mode. Anyone know the reason for this, I haven't found anything on the CCO
yet

regards




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21952t=21845



RE: T1 install; line protocol going down and up every 30 [7:21955]

2001-10-03 Thread Rik Guyler

In my area, telcos always provide the clock source.  I have never had to
provide any form of clocking whatsoever.  I am curious what type of router
is on the other side.  If it's not Cisco, are you running PPP?  If you had a
protocol mismatch, I wouldn't think layer 2 would even limp to up for 30
seconds, but then again, I've never dealt with an HDLC mismatch.

I also have had similar issues with very small local telco's equipment and a
real lack of knowledge in troubleshooting anything more than the 1s and 0s
flying by.  My issues in one situation in particular were all a result of
either bad equipment or inexperience on the local provider's part.  Does the
smartjack give any evidence of the issue?  Any red lights to be seen?  Have
you replaced the cable from the smartjack to the router or tried another DSU
and V.35 cable?

Here's what I would do at this point: if you have another router, DSU,
cables, etc try moving them in place of the current ones.  This will help
rule out a hardware issue.  Also try a slightly different IOS version.  This
helps rule out buggy IOS and a corrupted image in flash.  If you do these
and still nothing, I would open a case with TAC and ask them for some
troubleshooting assistance.  Once they confirm everything for you, you will
be loaded for bear when taking on the telco.

Good luck!

Rik

-Original Message-
From: Stephen Hoover [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, October 03, 2001 10:47 AM
To: [EMAIL PROTECTED]
Subject: T1 install; line protocol going down and up every 30 seconds
[7:21848]


I am working on point to point T1 install at a small office. The line
protocol keeps going up and down every 30 seconds and I cannot ping myself.
My keepalive timers are not incrementing. The telco provider says that they
are not providing the clock on this line and that we need to do so
ourselves. My condition remains the same whether I set my clock to line or
internal. The router on the remote end however seems to be ready to go when
they set their clock source to line. When they set to internal, the telco
provider sees framing errors on the line.

Does it seem feasible that there is a clock source somewhere back towards
their end of the line that their router can receive and mine cannot? I am
working with the IT staff on the remote end of the link, but none of us seem
to have any idea where else to go with this problem.

My system works fine when I put my DSU in local loopback and it works when I
put their DSU in remote loopback - so I *think* the hardware is sound.

Any help is appreciated!

Thanks,
Stephen Hoover




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=21955t=21955



RE: PIX 515 firewall sample config .... [7:20654]

2001-09-21 Thread Rik Guyler

You have to install the HTML content.  The PDM (PIX Device Manager) is a
separate install from the OS.

---
Rik Guyler

-Original Message-
From: Kevin McIntyre [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 21, 2001 7:48 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX 515 firewall sample config  [7:20654]


I  have tried to enable this on my 506 with version 6 software with the
following two
lines:

http server enable
http 0.0.0.0 0.0.0.0 inside

But...nothing is available when you hit the pix with a web browser.  ie no
server
running.  Did I miss something??

Kevin


Dennis H wrote:

 You might want to think about upgrading to PIX6 and using the gui client.
 It's very similar to checkpoint...

 RAJESH AGNIHOTRI  wrote in message
 [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
  Greeting to you all techi guys ..
 
 
  My name is Rajesh ... i have a new project to implement. Basically i am
  checkpoint guy .. I need to implement cisco PIX firewall 515 at one of
our
  customer place . All i need from you guys is a sample config with nat
 enable
  with static mappings ..
 
 
  Thanks
 
  Regard
 
  Rajesh
 
  _
  Get your FREE download of MSN Explorer at
http://explorer.msn.com/intl.asp




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=20754t=20654



RE: Alert: Some sort of IIS worm seems to be propagating [7:20388]

2001-09-19 Thread Rik Guyler

I was doing battle with this beastie last night until midnight.  This one's
very bad as it overwrites files with various .eml files, typically seen is
readme.eml.  If you do a search on the local drives for the extension, you
will find numerous files (over 1600 in my case last night) found.

How does this relate to Cisco?  Well, I was originally called for a router
problem as the Internet browsing and email transfer was very slow and of
course the client's first thought was that there was a telco, router, DSU,
etc. issue.  I checked the router and the console (and VTY) was VERY slow.
I ran a show processor cpu and discovered the processor utilization was
nearly 100% and was staying there, which explains why the console was so
slow.  Upon deeper scrutiny, I found that IP input was the process using
most of the processor, which indicates that IP traffic is jamming the
router.  With this knowledge, I went after the worm, which unfortunately,
has no simple fix, at least at this time.  When I removed the server from
the network, the router was fine.

So, all of the engineers that are so Cisco focused that a mere virus doesn't
matter take heed - not everything can be judged on first impressions.

---
Rik Guyler

-Original Message-
From: Brad Ellis [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 2:30 AM
To: [EMAIL PROTECTED]
Subject: Re: Alert: Some sort of IIS worm seems to be propagating
[7:20366]


John Kaberna, ([EMAIL PROTECTED]), sent me the following info:

  This may be what you are experiencing:

http://www.cert.org/current/current_activity.html#port80


Make sure you patch IIS if you haven't done so already.  Check to see
if you're already infected with Code Red and follow the instructions
to get rid of it.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-044.asp


You can also use NBAR to block Red Worm if you haven't done so
already.

http://www.cisco.com/warp/customer/63/nbar_acl_codered.shtml   

-Brad Ellis
CCIE#5796
Network Learning Inc
[EMAIL PROTECTED]
used Cisco:  www.optsys.net
Farhan Ahmed  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 -Original Message-
 From: Simon Clausen [mailto:[EMAIL PROTECTED]]
 Sent: Wednesday, September 19, 2001 12:49 AM
 To: [EMAIL PROTECTED]
 Subject: Re: Alert: Some sort of IIS worm seems to be propagating


 Sent on behalf of Rich Zuris ([EMAIL PROTECTED]) due to his network
 being taken offline by the worm.

 Following is a list of recorded changes made to NT4 SP6a with Q299444
 rollup security patches.

 The following is appended to EVERY HTML file on the machine:
 window.open(readme.eml, null,
 resizable=no,top=6000,left=6000)

 Just about every directory on the machine has one or more files with
 extension .eml, mostly readme.eml but also other names that seem to
 correspond to directory or other filenames.  Total of 1234 .eml files
 created, totalling 98Mb (about 78Kb each).  Also got 55 files with
 extension .nws, containing exact same content.  Both .eml and .nws files
 can be opened by Outlook Express.

 Virus makes numerous outbound connections to port 80 to propagate itself
 to other servers.

 Virus sets IE5 to IE4 compatibility mode (apparently to circumvent
 security) and crashes Explorer.exe when IE is launched.  IExplore.exe
 appears to be hacked, and there is now a hidden IExplore .exe (note the
 space before the extension) in same directory.

 Virus code in stealth executable file with name tftp###, where ### is
 any numeric string.  File has no extension, but it is definitely a
 Windows executable.  This file is placed into \Program Files\Common
 Files\System\MSADC, and in same directory, Admin.dll appears to be
 hacked.

 IIS console hacked:  New MMC.EXE placed in \WINNT directory, which may
 override original version in \WINNT\System32.

 EXE files placed into TEMP directory.  Note that most/all hacked EXE
 files are flagged Hidden.

 Riched20.dll files placed in random directories (not on PATH, not
 containing executables).

 NT Account Guest was made a member of the NT Administrators group!

 Regards,

 Simon Clausen

 -Original Message-
 From: Windows NTBugtraq Mailing List
 [mailto:[EMAIL PROTECTED]] On Behalf Of Russ
 Sent: Wednesday, 19 September 2001 1:21 AM
 To: [EMAIL PROTECTED]
 Subject: Alert: Some sort of IIS worm seems to be propagating


 -BEGIN PGP SIGNED MESSAGE-

 There have been numerous reports of IIS attacks being generated by
 machines over a broad range of IP addresses. These infected machines
 are using a wide variety of attacks which attempt to exploit already
 known and patched vulnerabilities against IIS.

 It appears that the attacks can come both from email and from the
 network.

 A new worm, being called w32.nimda.amm, is being sent around. The
 attachment is called README.EXE and comes as a MIME-type of
 audio/x-wav together with some html parts. There appears to be no text
 in this mess
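A host-side sweep for the file-system indicators listed in this thread, as an added example (not a tool from the posts): .eml/.nws droppers such as readme.eml, the "IExplore .exe" with a space before the extension, extension-less tftp<digits> files, and HTML pages carrying the appended window.open("readme.eml") call. The directory layout it scans is constructed in a temporary folder so the script runs offline; the local-group change (Guest added to Administrators) is an account check outside this script and is not covered.

```python
"""Sweep a directory tree for the Nimda file-system indicators listed in the
thread. Added example, not a tool from the posts. The indicators come from the
posts: readme.eml and other .eml/.nws droppers, a hidden 'IExplore .exe' with
a space before the extension, an extension-less tftp<digits> executable, and
HTML files with an appended window.open("readme.eml") call. The sample tree
is constructed in a temporary directory; the Guest-in-Administrators change
is a local-group check outside this script's scope.
"""
import os
import re
import shutil
import tempfile

EML_NWS = re.compile(r".+\.(eml|nws)$", re.I)
TFTP_DROPPER = re.compile(r"^tftp\d+$", re.I)
HTML_INJECT = re.compile(r"window\.open\(\s*[\"']?readme\.eml", re.I)


def sweep(root):
    """Walk `root` and collect paths for each indicator class."""
    findings = {"eml_nws": [], "iexplore_space": [], "tftp_dropper": [], "injected_html": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if EML_NWS.match(name):
                findings["eml_nws"].append(path)
            if name.lower() == "iexplore .exe":
                findings["iexplore_space"].append(path)
            if TFTP_DROPPER.match(name):
                findings["tftp_dropper"].append(path)
            if name.lower().endswith((".htm", ".html", ".asp")):
                try:
                    with open(path, "r", errors="replace") as fh:
                        if HTML_INJECT.search(fh.read()):
                            findings["injected_html"].append(path)
                except OSError:
                    pass  # unreadable file: skip it, report nothing
    return findings


# Constructed sample layout: relative path -> content. Clean files sit next to
# one instance of each indicator so the sweep has true and false cases.
SAMPLE_TREE = {
    "Inetpub/wwwroot/default.htm": "<html><body>welcome</body></html>\n"
        '<script>window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script>',
    "Inetpub/wwwroot/clean.html": "<html><body>nothing appended</body></html>",
    "Inetpub/wwwroot/readme.eml": "MIME-Version: 1.0\n",
    "Program Files/Common Files/System/MSADC/tftp4721": "constructed stand-in for the dropper",
    "Program Files/Internet Explorer/IExplore .exe": "constructed stand-in",
    "Program Files/Internet Explorer/IExplore.exe": "legitimate name, no space",
    "WINNT/notes.txt": "plain text, not an indicator",
}


def build_sample_tree():
    """Write SAMPLE_TREE under a fresh temporary directory and return its root."""
    root = tempfile.mkdtemp(prefix="nimda_sweep_")
    for rel, content in SAMPLE_TREE.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def sweep_sample():
    """Build the sample tree, sweep it, clean up, return counts per indicator."""
    root = build_sample_tree()
    try:
        return {k: len(v) for k, v in sweep(root).items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for indicator, count in sweep_sample().items():
        print(f"{indicator:16s} {count}")
```

Point `sweep()` at a drive root to get the same picture Rik got from a search for the .eml extension, with the other indicators from the list collected in the same pass. A hit on the HTML check is the more useful one for a web server, since every served page carries the appended call until the files are restored from a clean copy.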

RE: Dial in/Dial Out modem bank [7:17929]

2001-08-30 Thread Rik Guyler

I have had to support this type of activity in the past as well and I agree
that an AS5300 (or newer) will do the job well.  However, that's a fairly
expensive box.  Cheaper alternatives would include a 2511/2513 router with
octal cable(s) and external modems or maybe a 3600 series router.  These
both can provide this type of access.  In my office, for engineers providing
remote dialup support, we use a 2509 with an octal cable and external
modems.  Works well and is a fraction of the cost of an AS box.

Good luck!

---
Rik Guyler

-Original Message-
From: Brian Whalen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 6:44 PM
To: [EMAIL PROTECTED]
Subject: RE: Dial in/Dial Out modem bank [7:17929]


You actually allow users to dial out from their desktops, while connected
to a lan??

The horror of it..

Brian Sonic Whalen
Success = Preparation + Opportunity


On Thu, 30 Aug 2001, Jim Dixon wrote:

 Cisco AS5300 should handled your needs nicely.


 -Original Message-
 From: Mike Momb [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, August 30, 2001 2:56 PM
 To: [EMAIL PROTECTED]
 Subject: Dial in/Dial Out modem bank [7:17929]


 To all you cisco wizards,

 What Cisco product would you recommend for dial in/dial out capability on
a
 LAN.  We have many users who dial into our network and do work from home.
 We also have users that would like to dial out from their desktop without
 using stand alone modems.  Something that would handle at least 16
 simultaneous users.  We currently use a product that is slow and sometimes
 it locks up.  Any advice/input would be appreciated.

 Mike




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=18012t=17929



RE: Connect 6509 with CONSOLE [7:17983]

2001-08-30 Thread Rik Guyler

Hmm...I don't know what the little hole is but accessing the console on a
6509 is just like any other device.  Set your stop bits to 1 and give that a
try.  1 is the default setting for Cisco consoles.

Remember: 9600, 8, none, 1

---
Rik Guyler

-Original Message-
From: Thomas N. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 30, 2001 7:27 PM
To: [EMAIL PROTECTED]
Subject: Connect 6509 with CONSOLE [7:17983]


Hi All,

I attempted to access to the CAT 6509 with the CONSOLE port today.  This
6509 is in production.  It appeared that I didn't get any output on my
HyperTerminal.  My HyperTerminal setting is:  9600 bits per second, Data
bits = 8, Parity = none, Stop bit = 2 (as indicated on Cisco.com), Flow
control = none.

There's also a little hidden hole right next to the CONSOLE port labelled as
"Console mode".  I don't know if I have to change something to access the
console? Also, if I have to press that hidden hole to access the Console
mode, will it affect the production environment?  Thanks All in advance!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=18014t=17983



RE: Adding NIC to the PIX ?? [7:17691]

2001-08-29 Thread Rik Guyler

Well, Smartnet may be one reason, but another reason Cisco sells these cards
as official is because they are.  You used to be able to tell by looking
but I don't know if that is still the case, but the Cisco cards come with
custom firmware.  One of the differences I know of is that the official
cards cannot be forced into promiscuous mode.

---
Rik Guyler

-Original Message-
From: Ed Horley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 12:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Adding NIC to the PIX ?? [7:17691]


Here is the link for the hardware portion:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/install/board.htm

Watch the wrap.  This covers the 535, 525, 520, 515 for upgrading circuit
boards (NICs).  In a pinch I have used standard Intel NICs in the PIX 520 to
get it up and going and swapped them out after the official parts came in.
I believe to keep your SmartNET contract it requires that you have Cisco
purchased parts.  They give you Intel NICs in the PIX anyway so you should
be safe.  I have no idea if there is a change in licensing or not.

Regards,
Ed


Rodney Jackson  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 I have search the Cisco web site for information on adding interfaces to
the
 PIX firewall but have come up short.  Do you guys know how to (what
changes
 I need to make to the config) or where I can find the info?

 Rodney Jackson
 Dallas Semiconductor
 Network Engineer
 (972) 371-4824
  

 [GroupStudy.com removed an attachment of type application/octet-stream
which
 had a name of Rodney Jackson.vcf]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17779t=17691



RE: Work-related ACL problem [7:17695]

2001-08-29 Thread Rik Guyler

Right!  The source port in this case is inconsequential as it can be random,
typically 1024 or above.  It is the destination port that we are interested
in, in this case, as that is the port on which the destination host will
accept the specified request.  Since modern access lists are created in a
source first - destination second manner, the "eq www" statement after the
second "any" indicates the destination port.

One other minor note: while it doesn't hurt anything, having the
"access-list 101 permit ip any 172.0.0.0 0.255.255.255" statement is
irrelevant as the following statement covers the permission to the 172.0.0.0
network as well.  In this case it's not a big deal but if you use several
dozen or hundred access lists, having unnecessary extras may add noticeable
overhead.

---
Rik Guyler

-Original Message-
From: ron [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 10:09 PM
To: [EMAIL PROTECTED]
Subject: Re: Work-related ACL problem [7:17695]


isn't it supposed to be:

access-list 101 deny tcp any any eq www

ron
- Original Message -
From:  Wilson, Bradley 
To:  [EMAIL PROTECTED]
Sent: Wed, 29 Aug 2001 12:03:33 -0400
Subject:  Work-related ACL problem [7:17695]
Okay gang, this one's work-related so don't feel obligated to help. ;-)  I
think it's an interesting thought problem though:

The Problem I'm Trying To Solve: allow access to a particular website
(2.2.2.2) from users on a particular subnet.  Do NOT allow them to access
any *other* website.  Allow them to access other resources within your
internal network (172.0.0.0).

Here's the ACL I came up with:

access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any eq www any
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any

This list was created on an MSFC card running in a 6509 chassis, and has
been applied to interface Vlan1 inbound (I tried outbound as well just for
kicks).  The (unintended) result is that users can access both the target
website, as well as other websites on the Internet.  Any ideas?



Bradley J. Wilson
CCNP CCDP MCSE NNCSS CNX MCT CTT
EDS/Boston Scientific Account
(508) 650-8739
[EMAIL PROTECTED]



Check any e-mail over the Web for free at MailBreeze
(http://www.mailbreeze.com)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17796t=17695
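The source-port versus destination-port point above, worked through as an added example (this is not code from the thread; only the four access-list lines come from the posts, while the client address 172.16.5.20, the external web server 198.51.100.7 and the internal host 172.20.1.1 are constructed). The evaluator applies first-match semantics with the implicit deny at the end and also reports entries whose immediate successor already covers them, which is the redundancy Rik points out.

```python
"""Extended-ACL evaluator for the access list discussed in this thread.

Added example, not configuration from the original posts beyond the four
access-list lines quoted there. It parses numbered extended ACL lines of the
shape used above (permit/deny, ip/tcp, source, optional `eq <port>`,
destination, optional `eq <port>`), applies first-match semantics with the
implicit deny at the end, and reports entries that the very next entry
already covers. The sample packets are constructed.
"""
import ipaddress

PORT_NAMES = {"www": 80, "http": 80, "ftp": 21, "telnet": 23, "smtp": 25}
ALL = 0xFFFFFFFF

ACL_AS_POSTED = """
access-list 101 permit ip any host 167.216.138.4
access-list 101 deny tcp any eq www any
access-list 101 permit ip any 172.0.0.0 0.255.255.255
access-list 101 permit ip any any
"""

# ron's correction: the `eq www` moves behind the destination `any`.
ACL_CORRECTED = ACL_AS_POSTED.replace("deny tcp any eq www any", "deny tcp any any eq www")


def _addr(tokens, i):
    """Parse one address spec at tokens[i]; returns ((address, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, ALL), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2


def _port(tokens, i):
    """Parse an optional `eq <port>`; returns (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return (int(name) if name.isdigit() else PORT_NAMES[name]), i + 2
    return None, i


def parse_acl(text):
    """Turn access-list lines into ordered entry dicts."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "line": line.strip()})
    return entries


def _matches(spec, ip):
    """Wildcard-mask test: bits set in the wildcard are don't-care bits."""
    addr, wild = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wild & ALL) == 0


def evaluate(entries, proto, src, sport, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if not (_matches(e["src"], src) and _matches(e["dst"], dst)):
            continue
        if e["sport"] not in (None, sport) or e["dport"] not in (None, dport):
            continue
        return e["action"], e["line"]
    return "deny", "implicit deny"


def _covers(wide, narrow):
    """True when address spec `wide` matches every address `narrow` matches."""
    (a1, w1), (a2, w2) = wide, narrow
    return (w2 & ~w1 & ALL) == 0 and ((a1 ^ a2) & ~w1 & ALL) == 0


def shadowed_by_next(entries):
    """Lines whose immediate successor has the same action and a superset match,
    so removing them changes nothing (Rik's note about the 172.0.0.0 line)."""
    out = []
    for e, nxt in zip(entries, entries[1:]):
        if (e["action"] == nxt["action"] and nxt["proto"] in ("ip", e["proto"])
                and _covers(nxt["src"], e["src"]) and _covers(nxt["dst"], e["dst"])
                and nxt["sport"] in (None, e["sport"])
                and nxt["dport"] in (None, e["dport"])):
            out.append(e["line"])
    return out


if __name__ == "__main__":
    # Constructed client on the user subnet, ephemeral source port, three targets.
    client, sport = "172.16.5.20", 34567
    for label, acl in (("as posted", ACL_AS_POSTED), ("corrected", ACL_CORRECTED)):
        entries = parse_acl(acl)
        for dst in ("167.216.138.4", "198.51.100.7", "172.20.1.1"):
            print(label, "->", dst + ":80", evaluate(entries, "tcp", client, sport, dst, 80))
        print(label, "shadowed:", shadowed_by_next(entries))
```

With the list as posted, an outbound HTTP request from the user subnet to any external web server still reaches the final permit ip any any, because the client's source port is ephemeral and never 80; with ron's corrected line the same request is denied while the 167.216.138.4 site stays reachable through the first entry. The evaluator also shows a side effect worth checking before deploying the corrected order: the deny now precedes the 172.0.0.0 permit, so port-80 access to internal 172.0.0.0 hosts is denied as well, and that line (which the shadow check reports as redundant in the posted order) would have to move above the deny if internal web servers must remain reachable. The shadow check compares adjacent entries only, which is all Rik's note needs.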



RE: vpn through pix [7:17782]

2001-08-29 Thread Rik Guyler

Phil, can you elaborate on the whereabouts of this info?  A link maybe?

Thanks

---
Rik Guyler

-Original Message-
From: Circusnuts [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 29, 2001 10:40 PM
To: [EMAIL PROTECTED]
Subject: Re: vpn through pix [7:17782]


If you have the time this is covered in the Networkers stream off of the
CCO (under Understanding Firewall Technology & Troubleshooting the
Implementation of IPsec VPNs).

Phil

- Original Message -
From: r r 
To: 
Sent: Wednesday, August 29, 2001 9:19 PM
Subject: vpn through pix [7:17782]


 does anybody have ideas on what is needed to use a vpn
 client through a pix running nat?  another way to put
 it: i have users inside the pix wanting to vpn to
 another host across the internet through our pix
 running nat/pat.  the vpn client says it gets
 connected but disconnects after a couple of minutes.
 i dont know if it really connects or just says it does
 but it doesnt seem to work.  any ideas?

 D

 __
 Do You Yahoo!?
 Get email alerts  NEW webcam video instant messaging with Yahoo!
Messenger
 http://im.yahoo.com




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17797t=17782



RE: What's the diameter of your switched network? [7:17489]

2001-08-28 Thread Rik Guyler

Of course, how often is the root physically in the center?  ;-}

---
Rik Guyler

-Original Message-
From: Gareth Hinton [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 28, 2001 7:28 PM
To: [EMAIL PROTECTED]
Subject: Re: What's the diameter of your switched network? [7:17489]


Always thought that Diameter was a misleading term.
If the root bridge is physically in the centre of the bridged network, the
diameter is actually the radius.
Hmmm - more coffee - it's late.



Leigh Anne Chisholm wrote in message news:[EMAIL PROTECTED]...
 Here's something funky I've just started researching.  Thought many of you
 might not be aware of this...

 Awkward STP Parameter Tuning and Diameter Issues

 We already saw that an aggressive value for the max-age parameter and the
 forward-delay could lead to a very unstable STP. The loss of some BPDUs can
 then cause a loop to appear. Another issue, not very well known, is related to
 the diameter of the bridged network. The conservative default values for the
 STP impose a maximum network diameter of seven. This means that two distinct
 bridges in the network should not be more than seven hops away from one
 another. Part of this restriction comes from the age field BPDUs carry:
 when a BPDU is propagated from the root bridge towards the leaves of the
 tree, the age field is incremented each time it goes through a bridge.
 Eventually, when the age field of a BPDU goes beyond max age, it is
 discarded. Typically, this will occur if the root is too far away from some
 bridges of the network. This issue will impact convergence of the spanning
 tree.


 This came from: http://www.cisco.com/warp/public/473/16.html#2f




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=17610t=17489
--



RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

2001-08-18 Thread Rik Guyler

Yes, PIX supports PPTP according to CCO.  However, I became frustrated with
PPTP as each version of Windows offers different options and interacts with
the PIX in a different manner.  In other words, I have set this up and made
it work most of the times I tried, but this one time, in band camp

Now, my experience is with the 5.x code and maybe, just maybe, it's better
with the 6.x code as this now seems to be the trendy way to provide remote
access.  Despite this, I really recommend purchasing the VPN client.  The
100-user license retails for around $250.

BTW - It used to be that the PPTP configs for the PIX on CCO were flawed.
Maybe this is still the same, maybe not.

---
Rik Guyler

-Original Message-
From: Andy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:48 AM
To: [EMAIL PROTECTED]
Subject: VPN to PIX using Win2000 or Millennium?? [7:16452]


Hi

Does anyone know if it is possible to set up a VPN using either Windows 2000
or Millennium to connect to a corporate PIX without using any Cisco client
software?

I believe it is possible but haven't had any luck in getting it to work.

I have it working great using NT with the Cisco Secure VPN client, which
unfortunately doesn't run on the newer versions of Windows. I've also been
told this is because the newer versions of Windows don't need it as they
have this capability built in.

I've done the usual setting up the VPN part on Windows but to my mind there
seems to be a lot of options missing that would allow you to get it to work
properly, such as ESP and AHP settings, etc.

Any help would be greatly appreciated.

Andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16454t=16452
--



RE: Thanks to all who have contributed... [7:15994]

2001-08-14 Thread Rik Guyler

Chuck, that's an excellent compilation of lab advice!  I notice that most of
the esteemed contributors had common threads to offer, which I'll  surely
heed when my time comes.  Are you getting close to taking another stab at
the lab soon?  I know I'd like to get a 4-digit number... ;-}

---
Rik Guyler

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 14, 2001 10:48 AM
To: [EMAIL PROTECTED]
Subject: RE: Thanks to all who have contributed... [7:15994]


for anyone who is interested, I have collected some good advice from CCIE's,
and posted it at:

www.chuck.to/CCIEAdvice.htm

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Donald B Johnson jr
Sent: Tuesday, August 14, 2001 7:03 AM
To: [EMAIL PROTECTED]
Subject: Re: Thanks to all who have contributed... [7:15994]


Could you share your experience with us. What you covered, training
methodolgy equipment used, classes taken, things like that. Things that were
useful along, wastes of time. Of course with the NDA in mind. Not what was
on the test but what you did before you opened the door to the Lab center.


- Original Message -
From: Johns, John A.
To:
Sent: Tuesday, August 14, 2001 4:57 AM
Subject: Thanks to all who have contributed... [7:15994]


 Hello all,

 I would like to thank the people who have contributed to the list, I have
 used the list for probably two plus years.
 I passed my CCIE Lab on Friday and really appreciate all the help over the
 years.
 Thanks to all who have made this list great.

 John A. Johns, CCIE #7983, CCDP, CCNP, MCSE, MCP+I, CCA, A+
 [EMAIL PROTECTED]







Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=16101t=15994
--



RE: PIX Question [7:15518]

2001-08-09 Thread Rik Guyler

PAT itself won't help you...PAT is only for outbound connections.  You
didn't mention what version of PIX you have so I'll give you some insight.

If you are running PIX 6.01 or can upgrade to it, then things are looking
up.  I believe that this version of PIX supports port redirection, which can
accept a variety of traffic on a single address and forward to various
internal addresses based on TCP/UDP port used.  A coworker told me that you
can even do this on a single address that is also used for outbound PAT but
I haven't confirmed this yet.  It may also be possible that some of the 5.x
versions of PIX support port redirection, but again, I haven't confirmed
this.

Anyway, check them out.

---
Rik Guyler

-Original Message-
From: Bruce Williams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 09, 2001 3:35 PM
To: [EMAIL PROTECTED]
Subject: PIX Question [7:15518]


I have many devices on the inside (most secure) interface of my PIX that I
need to allow telnet and ftp access to users from the outside (least secure)
interface of the PIX. I know that I can create a static map to the inside IP
addresses, but I dont have enough outside IP addresses to support all of the
devices on the inside. I am using PAT to allow users from the inside (most
secure) interface to get access to the outside (less secure) interface.  Can
I use PAT the same way to allow outside users to access the inside servers
on one address or is there a way to open the PIX up for all users from the
outside to get in on a temporary basis?

Bruce Williams
215-275-2723
[EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15572t=15518
--



RE: Pix static NAT error UPDATE [7:15169]

2001-08-08 Thread Rik Guyler

I've setup several PIX boxes with 6.x and have had no problems whatsoever,
certainly never had to use a port in a static statement.  I tend to use
basic configurations on firewalls...the simpler the better, and setup my
statics first, and then apply the ACL(s) or conduits next.

If you're sure you can't add a static without ports, I would suspect
corruption, possibly the image, flash, or whatever.  Try imaging the box
with a fresh download of the PIXOS.

---
Rik Guyler

-Original Message-
From: Patrick Ramsey [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 7:22 PM
To: 
Subject: Re: Pix static NAT error UPDATE [7:15169]


ok,

this is straight from Cisco's web site for code 6.0 on the pix.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_60/config/config.htm

It does indeed show this example:

static (inside,outside) 10.42.1.0 10.3.1.0

which should work...

-Patrick

 Kevin McIntyre  08/08/01 07:01PM 
I am using Pix software ver 6.0(1) and it won't allow me to not specify a
port.  I seem to be forced into specifying the smtp in the command line.

It did sound like a good idea though.

Kevin

Patrick Ramsey wrote:

 try doing a normal static mapping, then use acl's to allow smtp traffic
 through...ie:

 static (inside,outside) 192.168.250.16 10.2.48.50 netmask 255.255.255.255
0 0

 -Patrick

  Kevin McIntyre  08/07/01 06:12PM 
 I have the following line in a PIX 506 for static natting to an inside
 server.

 static (inside,outside) tcp interface smtp 172.16.1.21 smtp netmask
 255.255.255.255 0 0

 When the Pix is started this will work for a short period of time and
 then will stop answering to connections on port 25 at all.  The log on
 the server that it actually connects to says an unsuccessful attempt was
 made to connect but won't accept messages.

 When I try to send mail using the server from inside the PIX, directly
 to 172.16.1.21, the server itself is running fine.

 There is a 3640 router between the pix and the smtp server both with
 static routes.

 Any ideas?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15399t=15169
--
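The PIX Question thread above (port redirection, one outside address shared by several inside hosts) and this static NAT thread (a plain static with no port, then an ACL that opens only smtp) come down to the same pattern Rik describes: statics first, then the access-list bound to the outside interface. The configuration below is an added example written for this archive; it is not from any of the posts. It assumes PIX 6.0(1) syntax and made-up addresses (203.0.113.0/24 outside, 10.2.48.0/24 inside). Sharing the outside interface address between a port-redirection static and outbound PAT is what Rik's coworker reported and Rik had not confirmed, so that part is an assumption as well.

```cisco
! Added example, not from the posts. PIX 6.0(1) syntax; addresses are made up.
! outside = 203.0.113.2/24, inside = 10.2.48.0/24
!   10.2.48.50 = SMTP server, 10.2.48.51 = host A (telnet/ftp), 10.2.48.52 = host B (telnet)
!
! --- 1) one-to-one static with no ports, then open only what is needed ---
! A static by itself exposes nothing: no inbound connection is accepted until
! the access-list permits it, so there is no reason to put smtp in the static.
static (inside,outside) 203.0.113.16 10.2.48.50 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any host 203.0.113.16 eq smtp
!
! --- 2) port redirection: several inside hosts behind the one outside address ---
! Outbound PAT uses the interface address; the same address is then reused for
! inbound redirection (assumption: sharing the interface address with PAT works
! on this release, as Rik's coworker reported). Inbound FTP to host A relies on
! the default "fixup protocol ftp 21" to open the data channel.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface telnet 10.2.48.51 telnet netmask 255.255.255.255 0 0
static (inside,outside) tcp interface ftp 10.2.48.51 ftp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 2023 10.2.48.52 telnet netmask 255.255.255.255 0 0
! The inbound ACL matches the outside interface address and the MAPPED port,
! not the inside address or the real port.
access-list outside_in permit tcp any host 203.0.113.2 eq telnet
access-list outside_in permit tcp any host 203.0.113.2 eq ftp
access-list outside_in permit tcp any host 203.0.113.2 eq 2023
!
! One access-group per interface; anything the ACL does not permit is dropped.
! An access-group on an interface overrides any conduit statements for that
! interface, so do not expect old conduits to keep working alongside it.
access-group outside_in in interface outside
!
! Checks after applying:
!   show static        (the three redirection lines list 203.0.113.2 as the global)
!   show xlate         (one entry per redirected port once traffic has hit it)
!   show access-list   (hit counts climb as outside hosts connect)
```

Note that every redirected port is now reachable from the whole Internet; "any" in the ACL is the thread's temporary-access case, and the source should be narrowed to the real client networks as soon as they are known.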



RE: Can't ping outside of PIX [7:15205]---- FIXED [7:15205]

2001-08-08 Thread Rik Guyler

Experience.  Those of us that have worked on the PIX line for a number of
years think this new-fangled idea of using the outside interface for PAT is
pretty slick.  We never had that option in the past.

One thing looking at your config:  I don't know how big your company is, but
I would set the xlate timeout to something a little more reasonable than 24
hours.  Something like 30 or 60 minutes or even 10 minutes (my choice).
Keeping all of those translations around just ties up memory.

---
Rik Guyler

-Original Message-
From: Pierre-Alex [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 8:14 PM
To: [EMAIL PROTECTED]
Subject: RE: Can't ping outside of PIX [7:15205] FIXED [7:15316]


I changed the global statement to another IP address and the PC was able to
ping on the Internet.

I also removed the inside route and the  PC was still able to ping ...

I am curious. Where did you find this information? I used:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v4/pixcfg/pixcncfg.htm

Pierre-Alex

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
cheekin
Sent: Wednesday, August 08, 2001 8:27 AM
To: [EMAIL PROTECTED]
Subject: Re: Can't ping outside of PIX [7:15205]


I think you will need to give a different range of IP address for the global
statement.  The global statement and the outside interface are using the
same ip address.

I also think that the route inside statement is not necessary in this case.
You can use sh route to display the routing table.

PIX gurus, correct me if I am wrong.


cheekin

- Original Message -
From: Pierre-Alex
To:
Sent: Wednesday, August 08, 2001 11:34
Subject: Can't ping outside of PIX [7:15205]


 I have spent all day on the problem below and I still can't see what I
 did wrong.

 Can you help?

 The PC can ping the inside ip address of the firewall
 The Firewall can ping the default-gateway and anything on the Internet
 But I cannot get the PC to ping the outside IP address of the firewall
 (208.136.247.214)
 or anything outside like (206.26.90.8).


 |PC|(1)--(2)|PIX|(3)-(4)--DSL MODEM

 PC (1): ip address 10.1.1.12
 subnet mask: 255.255.255.0
   default gateway: 10.1.1.10

 PIX (2): ip address 10.1.1.10
subnet mask: 255.255.255.0

 PIX (3): ip address 208.136.247.214
 subnet mask: 255.255.255.0

 DSL MODEM (4): ip address 208.136.247.1
 subnet mask: 255.255.255.0



 PIX Version 4.0.7
 enable password 8Ry2YjIyt7RRXU24 encrypted
 passwd kIQggKv8.UiICW/r encrypted
 hostname pixfirewall
 failover
 names
 syslog output 20.3
 no syslog console
 interface ethernet outside 10baset
 interface ethernet inside 10baset
 ip address inside 10.1.1.10 255.255.255.0
 ip address outside 208.136.247.214 255.255.255.0
 arp timeout 14400
 global 1 208.136.247.214-208.136.247.214
 nat 1 0.0.0.0 0.0.0.0
 age 10
 no rip outside passive
 no rip outside default
 no rip inside passive
 no rip inside default
 route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
 route inside  0.0.0.0 0.0.0.0 10.1.1.12
 timeout xlate 24:00:00 conn 12:00:00 udp 0:02:00
 timeout rpc 0:10:00 h323 0:05:00 uauth 0:05:00
 no snmp-server location
 no snmp-server contact
 mtu outside 1500
 mtu inside 1500
 : end
 [OK]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15400t=15205
--
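An added example for this archive (not from any of the posts) showing the two fixes the thread arrives at: a global pool that does not collide with the outside interface address, which is what Pierre-Alex's 4.0.7 box needed, and the later PAT-on-the-interface form Rik calls new-fangled, together with a shorter xlate timeout. The addresses are the ones from the posted configuration; the 6.x syntax is assumed, since the thread only shows a 4.x configuration.

```cisco
! Added example, not from the posts. Addresses are from Pierre-Alex's posted config.
!
! --- PIX 4.x fix: PAT to a single address that is NOT the outside interface ---
! 4.x cannot PAT on the interface address, so the pool must be a spare address
! on the outside subnet. Range-of-one syntax as in the posted config.
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global 1 208.136.247.215-208.136.247.215
nat 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
! The posted "route inside 0.0.0.0 0.0.0.0 10.1.1.12" was a second default route
! pointing at the PC. The inside network is directly connected and needs no
! route at all; a route inside is only for subnets behind an inside router.
timeout xlate 0:10:00 conn 12:00:00 udp 0:02:00
!
! --- PIX 6.x form of the same thing: PAT on the outside interface address ---
ip address inside 10.1.1.10 255.255.255.0
ip address outside 208.136.247.214 255.255.255.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 208.136.247.1 1
! Idle translations held for 24 hours just tie up memory (Rik's point): tear
! an xlate down after ten idle minutes.
timeout xlate 0:10:00
!
! Checks:
!   show xlate        - a PAT entry per inside host/port that has talked outside
!   show conn         - the live connections behind those xlates
!   debug icmp trace  - watch the echo leave translated and the reply come back
```

A shorter xlate timeout is also the safer setting: a translation that stays up for a day keeps an outside host's path back to the inside address open long after the inside host has stopped using it.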



RE: Cisco Call Manager [7:15402]

2001-08-08 Thread Rik Guyler

If you have a CCO account with the correct permissions, you can download it.
Otherwise, talk to your local Cisco Account Manager for a demo or NFR
version.

---
Rik Guyler

-Original Message-
From: Rick Holden [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 08, 2001 9:04 PM
To: [EMAIL PROTECTED]
Subject: Cisco Call Manager [7:15402]


I am looking to pass the CIPT exam and would like to get a copy of Call
Manager. Does anyone know where I can get a copy or maybe a shareware voice
or an eval? Thanks.
/Rick




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15415t=15402
--



RE: CCDA after CCNP, How tough???? [7:10960]

2001-07-10 Thread Rik Guyler

Why not do both?

If you can complete the CCNP track, then technically speaking, you will have
no trouble with the CCDA exam.  You must understand, however, that the CCDA
exam is not one to test you on technical understanding but rather on your
communication skills.  If you have not dealt with non-technical management
making technical decisions, such as you will see as a consultant, then I
would advise you to read a design book or 2 (Top Down Network Design is
EXCELLENT) and then get some practice tests, such as Boson.  These will help
you understand and cope with the format of the test.

---
Rik Guyler

-Original Message-
From: Mohamed El Komy [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 5:51 AM
To: [EMAIL PROTECTED]
Subject: Re: CCDA after CCNP, How tough [7:10960]


I also have the same situation. I just finished my CCNP and I am still not sure
whether it is worth going through the design track or not.
I want advice from you all on whether the design track will add to me or whether
it is better to go through a CCNP Specialization.

Oletu Hosea Godswill CCNP, CCNA. wrote in message news:[EMAIL PROTECTED]...
 Hi,

 Please tell me more about the CCDA exam. I recently got my CCNP, and I want to
 get my CCDP before going for the CCIE written. I gather that despite my CCNP,
 I would have to do the CCDA.

 I am preparing for the CCDA now to write it sometime this week. I am using CCDA
 by Todd Lammle (Sybex). I found a lot of CCNA and BCSN stuff in the book, and
 only one or two chapters dealing with hardware and other stuff.

 Please can someone tell me whether the Sybex book is enough or I need some
 other materials. A friend was once telling me to read up on SOHO and other
 remote/home office devices covered in BCRAN; nothing was mentioned about these
 in the Sybex book. Do I need this additional knowledge? Please help.

 Thanks.

 Regards.
 Oletu




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11686t=10960
--



RE: CCO questions [7:11275]

2001-07-08 Thread Rik Guyler

Unfortunately, having a reseller/partner account does not grant you the
permissions to download software such as IOS, PIX OS, CAT OS, etc.  Now, I'm
not saying that you absolutely can't get these rights with this account, but
it's not the default.  According to Cisco, if you're a reseller/partner, the
way to download software is to use the customer's account that was setup
with their SmartNet contract or a special download access code provided by
TAC.

---
Rik Guyler

-Original Message-
From: Sam Deckert [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 1:00 AM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]


Hey all

Does anyone know what is involved for a Cisco Authorised Reseller to obtain
access to download router images etc from CCO?  What level of access or
partner status is required to be able to download the software?

Thanks!

Sam.

- Original Message -
From: Rik Guyler 
To: 
Sent: Sunday, July 08, 2001 12:50 PM
Subject: RE: CCO questions [7:11275]


 Guys (or gals - don't want to offend the female members!), I hate to break
 it to you, but being a CCNP doesn't get you a CCO account.  Being a CCIE
 does, but that's a different matter.  Instead, why don't you sign up with
 the consultant program?  It's free and you will get a CCO account.  You
 can't download any software with this account but you will gain access to
 the private documents, resources, etc.

 ---
 Rik Guyler

 -Original Message-
 From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
 Sent: Saturday, July 07, 2001 9:14 PM
 To: [EMAIL PROTECTED]
 Subject: Re: CCO questions [7:11275]


 How long after finishing CCNP, etc does it usually take to get the CCO
 account?  Just wondering. I finished CCNP and am eager to get my CCO
 login.

 Mike W.

  DNT wrote in message news:[EMAIL PROTECTED]...
  I think in order to obtain an account on CCO, you must be a CCNP, CCIE,
or
  reseller.
 
  Denny
 
 
 
   Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
   I have a newbie question here.  What ways can one get a CCO login to
    the CCO site?  Do you have to own equipment or be a CCIE?
   -P.Kil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11332t=11275
--



RE: PIX recommendations !!! [7:11336]

2001-07-08 Thread Rik Guyler

Remember that the Proxy server doesn't really provide security as such but
rather content caching.  Unfortunately the benefit is not that great for big
pipes to the Internet and so its value is questionable.  If you are using a
somewhat slow link or your link is rather oversubscribed, than I would keep
the proxy server to reduce the bandwidth requirements via caching.

For your situation, I might consider keeping the proxy server in place
regardless of your circuit bandwidth.  You say you already have filtering
software in place so why buy something else to handle the same requirement
you're already fulfilling?  Websense filters URL (HTTP only) content plus
provides authentication via the NT database and creates a variety of
reports.  For the money, this is one of the best products out there (I
know...I install this product quite frequently).  A cache engine is a great
product also but neither one comes cheap.  Since you can already handle the
caching and filtering, I wouldn't waste the money replacing them.

You can use the MS RADIUS server, which is free (IIS option pack), but you
still would be giving up the caching and URL filtering capabilities of your
current Proxy server.  I like John's overall solution the best but if the
budget is limited, stay with the Proxy box and integrate it into the PIX
solution.

If you want content filtering, then go with 

---
Rik Guyler

-Original Message-
From: John Hardman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, July 08, 2001 1:23 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX recommendations !!! [7:11336]


Hi

I had a very similar problem to solve at work myself.

The recommendation I finally came up with to meet the business needs of...

1) Content filtering
2) Logging of Internet activity
3) Improved usage of Internet bandwidth

So we used...

1) PIX 520 UR with fail-over
2) WebSense content filtering
3) And add a cache engine using WCCP
4) Added a Private I syslog server/analyzer for detailed usage reports

If I also had the need to do authentication against an NT domain I would
have also added Cisco Secure ACS and had it use the NT SAM as its database.
I guess you could also use the MS RADIUS server to authenticate against the
domain, but I have never used this so I can not guarantee that it will work.

HTH
--
John Hardman CCNP MCSE


Raees Ahmed Shaikh wrote in message news:[EMAIL PROTECTED]...
 Hi all,

 I just need some recommendations to install a PIX 525 box in our network.
 Currently we have MS Proxy in our network. Should I replace the proxy with
 the PIX, or use two levels of defense, comprising PIX and Proxy? We have
 some application-level URL filtering software running on that proxy as well.
 Moreover, the MS Proxy is using the NT Domain Security Model and thus using
 the cut-through proxy feature; can that security be available if I go on with
 the PIX? Without the MS Proxy, is it possible to use the same NT database for
 cut-through authentication?

 Some helpful tips please which will help me in the designing process.

 Thanks in advance and Best Regards,

 Shaikh Raees,

 CCNP,CCNA,CCDA,MCSE,MCP,CNE,CCIE Written.





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11371t=11336
--
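An added example for this archive, not from any of the posts, of the PIX side of what Rik and John describe: Websense URL filtering (HTTP only, as Rik notes) and cut-through proxy authentication against a RADIUS server that fronts the NT domain (Cisco Secure ACS using the NT SAM, or the free MS RADIUS server, as John and Rik mention). PIX 6.x syntax, the addresses and the shared key are assumptions. The `allow` keyword on the filter line is the security-relevant choice here: it makes the filter fail open when Websense is down.

```cisco
! Added example, not from the posts. PIX 6.x syntax; addresses and keys are made up.
!
! --- Websense URL filtering (HTTP only) ---
! The PIX sends the URL of each outbound HTTP request to the Websense server
! (assumed 10.1.1.40) and holds the server's reply until Websense answers.
url-server (inside) host 10.1.1.40 timeout 5
! "allow" = if the url-server stops answering, HTTP goes through unfiltered
! (fail-open). Without it, HTTP is blocked while Websense is down (fail-closed,
! the default). Pick the one the policy actually wants; do not leave it to chance.
filter url http 0 0 0 0 allow
!
! --- Cut-through proxy: users authenticate once at the PIX before going out ---
! The RADIUS server (assumed 10.1.1.41) is what ties this to the NT domain:
! Cisco Secure ACS with the NT SAM as its database, or MS RADIUS from the IIS
! Option Pack. The PIX itself never talks to the domain.
aaa-server NTRADIUS protocol radius
aaa-server NTRADIUS (inside) host 10.1.1.41 SharedKeyHere timeout 5
! Authenticate outbound HTTP, FTP and telnet from any inside host to anywhere.
! Only these three protocols can prompt for credentials; everything else is
! let through once the user has authenticated with one of them (show uauth).
aaa authentication include http inside 0 0 0 0 NTRADIUS
aaa authentication include ftp inside 0 0 0 0 NTRADIUS
aaa authentication include telnet inside 0 0 0 0 NTRADIUS
! Per-user accounting records give the usage logging on John's list; syslog
! (assumed 10.1.1.42) picks up the rest of the PIX log.
aaa accounting include any inside 0 0 0 0 NTRADIUS
logging host inside 10.1.1.42
logging trap informational
logging on
!
! Checks:
!   show url-server stats   - requests forwarded to Websense and how many were denied
!   show uauth              - who is currently authenticated through the PIX
!   show aaa-server         - the RADIUS host and whether it is answering
```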



RE: CCO questions [7:11275]

2001-07-07 Thread Rik Guyler

Guys (or gals - don't want to offend the female members!), I hate to break
it to you, but being a CCNP doesn't get you a CCO account.  Being a CCIE
does, but that's a different matter.  Instead, why don't you sign up with
the consultant program?  It's free and you will get a CCO account.  You
can't download any software with this account but you will gain access to
the private documents, resources, etc.

---
Rik Guyler

-Original Message-
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 9:14 PM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]


How long after finishing CCNP, etc does it usually take to get the CCO
account?  Just wondering. I finished CCNP and am eager to get my CCO
login.

Mike W.

DNT wrote in message news:[EMAIL PROTECTED]...
 I think in order to obtain an account on CCO, you must be a CCNP, CCIE, or
 reseller.

 Denny



  Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
  I have a newbie question here.  What ways can one get a CCO login to
   the CCO site?  Do you have to own equipment or be a CCIE?
  -P.Kil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11290t=11275
--



RE: PIX authentication [7:11265]

2001-07-07 Thread Rik Guyler

I assume you are using the PIX to terminate a VPN tunnel?  If that's the
case, then you can setup local accounts for this purpose.  Look into the
vpdn ... commands.  You didn't mention the PIX OS version so I'll assume
5.x at least.

By the way, Microsoft offers a free (yes, I said FREE!) RADIUS server.  It
comes as part of the IIS option pack for NT 4.0.  I don't know where it's
setup on Win2k but I'm sure it's there somewhere as well.  With this, you
could setup a backup RADIUS server.

---
Rik Guyler

-Original Message-
From: Jim Bond [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 4:40 PM
To: [EMAIL PROTECTED]
Subject: PIX authentication [7:11265]


Hello,

I'm trying to set up PIX for a client. I would use
RADIUS as authentication. The concern I have is if
RADIUS server is down, all authentication requests
will be denied. On routers, I can create a local
account as last resort, something like aaa
authentication default radius local, but on PIX,
there is no local option, how do I do then?

By the way, my client has only 1 RADIUS server.

Thanks in advance.

Jim





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11291t=11265
--
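An added example for this archive, not from any of the posts, of what Rik suggests: a second RADIUS server in the same aaa-server group so the PIX moves on to it when the first stops answering, and local vpdn users on the PIX as the last resort. It follows Rik's assumption that the PIX is terminating the VPN (PPTP here) and assumes PIX 6.x syntax, made-up addresses, keys and an address pool.

```cisco
! Added example, not from the posts. PIX 6.x syntax; addresses/keys are made up.
!
! --- RADIUS group with two servers: the PIX walks the list when one times out ---
! Jim's client has one RADIUS server (assumed 10.1.1.20). The second host is
! the free MS RADIUS from the NT 4.0 Option Pack Rik mentions (assumed 10.1.1.21).
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.20 Pr1marySharedKey timeout 5
aaa-server RADIUS (inside) host 10.1.1.21 BackupSharedKey timeout 5
!
! --- PPTP termination on the PIX ---
ip local pool pptp-pool 192.168.5.1-192.168.5.50
vpdn group 1 accept dialin pptp
vpdn group 1 ppp authentication mschap
! 128-bit MPPE where every client supports it; "mppe 40" only if you must.
vpdn group 1 ppp encryption mppe 128 required
vpdn group 1 client configuration address local pptp-pool
vpdn group 1 client configuration dns 10.1.1.10
! Normal case: authenticate PPTP users against the RADIUS group above.
vpdn group 1 client authentication aaa RADIUS
! Last resort when no RADIUS server answers: accounts stored on the PIX itself.
! A vpdn group has one authentication method, so using them means replacing the
! line above with "vpdn group 1 client authentication local"; the PIX does not
! chain radius then local the way IOS "aaa authentication ... radius local" does.
vpdn username admin-fallback password Use-A-Long-Random-Passphrase
vpdn enable outside
! Let PPTP (TCP/1723 and GRE) reach the outside interface without an ACL entry.
sysopt connection permit-pptp
!
! Checks:
!   show aaa-server   - both hosts listed under the RADIUS tag
!   show vpdn         - group settings and, after a login, the tunnel and session
!   show running-config | grep vpdn username   (the local accounts)
```

Keep the local account list short and the passphrases long: those entries sit in the PIX configuration, so anyone who can read the config (backups, TFTP copies, syslog of config changes) has the fallback credentials.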



RE: CCO questions [7:11275]

2001-07-07 Thread Rik Guyler

Come to think of it, I haven't received anything for awhile either but to be
honest, haven't really missed it as I too work for a partner.  It may no
longer be active but it would be worth it for the listers that don't work
for a partner to check it out.

I have heard of a CCO guest account.  I don't know what it gets you but it
exists.  Before anybody asks, I don't have a clue how to get it, what it
gets you, etc.  I just know it's available.

How do these things get started...?  ;-}

---
Rik Guyler

-Original Message-
From: Chuck Larrieu [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 11:06 PM
To: 
Subject: RE: CCO questions [7:11275]


gotta wonder how these rumors get started.

does the consultant's program still exist? and do you still get anything
from it? I haven't seen the quarterly goody bag in almost a year.

Chuck

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Rik Guyler
Sent: Saturday, July 07, 2001 7:50 PM
To: [EMAIL PROTECTED]
Subject: RE: CCO questions [7:11275]


Guys (or gals - don't want to offend the female members!), I hate to break
it to you, but being a CCNP doesn't get you a CCO account.  Being a CCIE
does, but that's a different matter.  Instead, why don't you sign up with
the consultant program?  It's free and you will get a CCO account.  You
can't download any software with this account but you will gain access to
the private documents, resources, etc.

---
Rik Guyler

-Original Message-
From: Michael L. Williams [mailto:[EMAIL PROTECTED]]
Sent: Saturday, July 07, 2001 9:14 PM
To: [EMAIL PROTECTED]
Subject: Re: CCO questions [7:11275]


How long after finishing CCNP, etc does it usually take to get the CCO
account?  Just wondering. I finished CCNP and am eager to get my CCO
login.

Mike W.

DNT wrote in message news:[EMAIL PROTECTED]...
 I think in order to obtain an account on CCO, you must be a CCNP, CCIE, or
 reseller.

 Denny



  Preston Kilburn wrote in message news:[EMAIL PROTECTED]...
  I have a newbie question here.  What ways can one get a CCO login to
   the CCO site?  Do you have to own equipment or be a CCIE?
  -P.Kil




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11300t=11275
--



OT: 3000 Console cable help [7:11143]

2001-07-05 Thread Rik Guyler

Hey gang, I'm admittedly not much of a serial cable guru and this is beating
my brains out!

I have a couple of 3000 routers with DB25 console ports (the pinout below
was taken from CCO).  I wired this to a DB9-RJ45 plug but I'm not doing
something right.  For example, do I need to cross the TD and RD signals?
When it says shorted, does that mean the wire is cut going back to the
other end and the 2 local wires are basically looped together?  Do RTS and
CTS go straight through?

I could buy these for $50-something each or make them for $5...not much of a
choice if I can get this to work.

Any help would be really appreciated!


Cisco 3000 series router - Console Port Pinouts (DB-25)

Pin Signal  Input/Output  
1   Frame GND   -
2   TD  Input
3   RD  Output
4   RTS Shorted to pin 5
5   CTS Shorted to pin 4
6   Shorted to pin 8Output
7   GND -
8   CD  Output
20  DTR Input

---
Rik Guyler

Ciscofucious say: If you haven't checked the archives first, don't ask!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=11143t=11143
--



RE: Still having problems with Inter-vlan routing! Help! [7:10945]

2001-07-03 Thread Rik Guyler

Step back from things and think about this for a minute and try to discover
what you're missing.  Intervlan routing is no different from any other
routing - just try to think about it like it's physically separate broadcast
domains, with separate switches, router ports, etc.  

You didn't say, but did you put the port PC2 is on in a different vlan
(whichever vlan the second sub-interface is in)?  If PC2 is in vlan 1, this
won't work.  Even though layer 2 will allow the ping, layer 3, where ping
operates, will fail because your PC addresses are in different layer 3
networks.

Other than that, it sounds like you did most things right.  If you still
can't get it down, you might try posting your configs so the esteemed group
members may check 'em out!

---
Rik Guyler

Ciscofucious say: If you haven't checked the archives first, don't ask!

-Original Message-
From: cisco guru [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 03, 2001 9:50 PM
To: [EMAIL PROTECTED]
Subject: Still having problems with Inter-vlan routing! Help! [7:10936]


Hi,
I am still not able to get inter-vlan routing b/w 2 pc's connected to a Cat 
5 switch and a 2620 router.
Basically, I have 2 pc's connected to a Cat 5000, ip's,  30.1.1.30. def. 
gwy. 30.1.1.100 and 40.1.1.10 and def. gwy. 40.1.1.100
The sc0 on the switch is 30.1.1.50 and def. gwy. 30.1.1.100
On the 2620, I have 2 subif's, f0/0.1 at 30.1.1.100 and f0/0.40 at 
40.1.1.100 and  isl encap enabled.
Port 2/11 on the Cat 5 has trunking enabled for the 2620.
Ping works from pc1 (30.1.1.30). Can ping the Cat 5 and the 2620 router.( I 
assumed since the pc and the switch were in Vlan 1 by default, it worked). 
Ditto from the Cat5 itself and the router back to the pc.
BUT cannot ping 40.1.1.100 from the 2nd pc and vice-versa from the router.
Reloaded the router to see if it works. No luck.
What is it I am missing on the switch to get this working??
Any help/advice would be gratefully accepted.
Sincerely.






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10945t=10945
--
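An added example for this archive, not from any of the posts, of the configuration the thread implies, using the addresses from the question: PC2's port (assumed to be 2/12; the post does not say) moved into VLAN 40 on the Catalyst 5000, the ISL trunk on 2/11, and the two 2620 subinterfaces. Lines beginning with `!` are commentary and are not typed in; CatOS has no comment syntax.

```cisco
! Added example, not from the posts. Addresses from the question; port 2/12 for PC2 is assumed.
!
! --- Catalyst 5000 (CatOS) ---
! VLAN 40 has to exist on the switch (VTP server or transparent mode, otherwise
! it must come from the VTP server) and PC2's port must be a member of it.
! Leaving PC2 in VLAN 1 is the likely fault: its frames never reach f0/0.40,
! and layer 3 fails even though layer 2 happily delivers them.
set vlan 40 name vlan40
set vlan 40 2/12
! Trunk to the 2620, ISL encapsulation, forced on so no negotiation is needed.
set trunk 2/11 on isl
! Management address stays in VLAN 1; its gateway is the router's VLAN 1 subinterface.
set interface sc0 1 30.1.1.50 255.255.255.0
set ip route default 30.1.1.100
!
! --- Cisco 2620 (IOS) ---
! One subinterface per VLAN; with ISL the physical interface carries no address.
interface FastEthernet0/0
 no ip address
 no shutdown
!
interface FastEthernet0/0.1
 encapsulation isl 1
 ip address 30.1.1.100 255.255.255.0
!
interface FastEthernet0/0.40
 encapsulation isl 40
 ip address 40.1.1.100 255.255.255.0
!
! Checks:
!   switch: show trunk 2/11   (mode on, encapsulation isl, VLANs 1 and 40 active)
!           show port 2/12    (Vlan column reads 40)
!           show vlan         (40 exists and 2/12 is listed under it)
!   router: show vlans        (ISL VLAN 1 and 40 on FastEthernet0/0)
!           ping 40.1.1.10    (answers once PC2's port is in VLAN 40)
```

The trunk carries every VLAN by default; once this works, prune it to VLANs 1 and 40 (`clear trunk 2/11 2-39,41-1005`) so the router port does not receive broadcasts from VLANs it has no subinterface for.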



RE: access servers? [7:10449]

2001-06-29 Thread Rik Guyler

These are generally remote access servers.  Some call them RAS, some call
them NAS (network AS) but they're all the same thing for the most part.  In
short, they provide access to the LAN via dial-up technology.  These boxes
usually have digital modem cards (the better ones do anyway), which provide
high port density and support for 56k analog dial-up since there is one less
digital-to-analog conversion as a result of the modems being of the digital
variety.

The AS5300, just a fantastic box, has the T1 controllers built right in so
you don't need a DSU.  Just plug the T1(s) into the controller ports and
away you go.  With this technology, you can get either 23 or 24 dial-up
circuits per T1 depending on whether the T1 is channelized (CAS=in-band
signaling for 24-56k connections) or Primary Rate Interface (PRI=out-of-band
signaling for 23-64k connections such as BRI ISDN).

Hope this helps!

Rik

-Original Message-
From: Magenta Bloom [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 5:22 PM
To: [EMAIL PROTECTED]
Subject: access servers? [7:10449]


I went to the Cisco homepage and looked at the list of products.
I saw Cisco Access Servers.  What kind of hardware are those?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10455t=10449



RE: Strange situation with NAT and telnet [7:10387]

2001-06-29 Thread Rik Guyler

Is this an Internet router or just an internal router running translation?

Unless you have static translates set up, NAT overload (PAT) will most likely
not allow inbound connections as it tracks ports for outbound and
established connections, not inbound connections.  This is how you are able
to create 64k sessions on a single IP address.  A perfect example of this is
the PIX, which only allows inbound connections on a static translation
through the use of a conduit.  The PIX will not allow an inbound connection
on a PATed address(es) as it is for outbound connections only.

Is it possible to put a secondary address on the interface and not translate
with that address?  Port redirection might work if you are running IOS FW.
You could redirect telnet requests to the inside interface address.  If
you're not running IOS FW, then there must be some mechanism blocking your
session.

Rik

-Original Message-
From: nrf [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 6:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Strange situation with NAT and telnet [7:10387]


Well, to answer your question, I don't want to telnet to the outside
interface from the inside.  I want to telnet to the outside interface from
the outside, and clearly due to the NAT, the outside interface is the only
interface I can telnet to, and because of this stupid bug, I cannot.  So
basically what it boils down to is that nobody from the outside can ever
telnet into the router, which bites.

And somebody asked what OS and what router I am using.  It is 12.2(1), on a
2514.






Allen May wrote in message news:[EMAIL PROTECTED]...
 OK I don't have the real answer but it seems that NAT overload is on the
 same IP address that you're trying to telnet to.  That would be kind of
 weird for the box to receive a telnet request from  to the same IP.

 No flames but I'll just throw a suggestion to try (let me know if it
works).
 Try setting up an access-list for NONAT when going to that IP address.
 That will leave the source address alone.  And it looks like you've set up
 an access-list to allow telnet to that interface already but double check
 that.

 I have to ask...why telnet to the outside interface from inside?

 Allen


 - Original Message -
 From: nrf
 To:
 Sent: Friday, June 29, 2001 4:01 AM
 Subject: Strange situation with NAT and telnet [7:10387]


  Hey all:

  I have this strange situation where I cannot telnet into my router.  This
  is what happens.

  I am successfully running NAT (with overload), with no problem.  I can
  telnet into the interface that is the inside NAT with no problem.  I can
  also telnet into any non-NAT interface with no problem.  The problem occurs
  when I try to telnet into the interface that is the designated outside NAT
  interface.  For example, when I fire up telnet from Windows and telnet to
  that outside NAT interface, it just shows that it is trying to connect, but
  it never connects.

  Now, I can assure you that connectivity is fine.  I can ping that interface.
  People from the inside can get to the outside, with no problem.  So it's not
  a routing issue, I am sure.

  I have monitored what happens when I try to telnet, as I have an
  access-class on the vty line that allows anything in (permit ip any any),
  but is set for logging.  So I notice that telnet packets are indeed being
  permitted by the access-list, meaning the telnet request is hitting the
  router successfully.  On the console, I even get a message saying that the
  access-list is allowing a telnet packet in.  So everything seems cool.  But
  somehow the router doesn't want to acknowledge the telnet request.

  Does anybody know what is up with that?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10467t=10387
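A toy model of the PAT state Rik describes in this thread, added here as an illustration and not code from the thread or from Cisco: outbound packets create translation entries, return traffic for those sessions is matched, and an unsolicited inbound connection to the PAT address is dropped unless a static translation exists. The addresses, ports and the static entry are constructed for the example.

```python
"""Toy model of NAT overload (PAT) session state.

Constructed example, not IOS or PIX code.  It models the behaviour described
in the thread: dynamic entries are only ever created by outbound traffic, so
an inbound connection to the PAT address has nothing to match and is dropped
unless a static translation covers it.  All addresses are constructed
documentation addresses (RFC 5737)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

OUTSIDE_ADDR = "203.0.113.1"        # constructed: the router's outside (PAT) address
FIRST_PAT_PORT, LAST_PAT_PORT = 1024, 65535

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatTable:
    outside_addr: str
    # static translations: outside port -> inside endpoint (always matched)
    statics: Dict[int, Endpoint] = field(default_factory=dict)
    # dynamic entries keyed on the outbound 4-tuple -> allocated outside port
    dynamic: Dict[Tuple[str, int, str, int], int] = field(default_factory=dict)
    # reverse index for return traffic: (outside port, remote ip, remote port)
    reverse: Dict[Tuple[int, str, int], Endpoint] = field(default_factory=dict)
    next_port: int = FIRST_PAT_PORT

    def add_static(self, outside_port: int, inside: Endpoint) -> None:
        self.statics[outside_port] = inside

    def _allocate_port(self) -> int:
        # Skip ports reserved by static entries.  Roughly 64k ports remain,
        # which is where the "64k sessions per address" figure comes from.
        while self.next_port in self.statics:
            self.next_port += 1
        if self.next_port > LAST_PAT_PORT:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source to the PAT address, record the session."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.dynamic.get(key)
        if port is None:
            port = self._allocate_port()
            self.dynamic[key] = port
            self.reverse[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.outside_addr, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: translate only when a session or static entry matches.

        Returns None for anything that would be dropped."""
        if pkt.dst_ip != self.outside_addr:
            return None
        inside = self.reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            inside = self.statics.get(pkt.dst_port)
        if inside is None:
            return None   # unsolicited: no outbound session ever created an entry
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo() -> Dict[str, Optional[Packet]]:
    """Walk the cases from the thread on constructed traffic."""
    pat = PatTable(OUTSIDE_ADDR)
    pat.add_static(25, ("10.0.0.5", 25))      # constructed static entry, inside mail host
    web = pat.outbound(Packet("10.0.0.10", 40000, "198.51.100.7", 80))
    return {
        "outbound": web,
        # return traffic for that session is matched and handed to the inside host
        "return": pat.inbound(Packet("198.51.100.7", 80, OUTSIDE_ADDR, web.src_port)),
        # a fresh inbound telnet to the PAT address has no entry and is dropped
        "unsolicited": pat.inbound(Packet("198.51.100.9", 51000, OUTSIDE_ADDR, 23)),
        # a static translation is what lets an unsolicited inbound connection through
        "static": pat.inbound(Packet("198.51.100.9", 51001, OUTSIDE_ADDR, 25)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:12s} -> {'dropped' if result is None else result}")
```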



RE: back-to-back [7:10469]

2001-06-29 Thread Rik Guyler

That's because the crossover for a T1 is different than 56k.  I believe that
the crossover you need is 1,2 - 7,8 but I'm not sure if my memory is working
all that well or not.  Maybe someone else can confirm or deny this for us.
Or, if you really want to score points with the list, search on Google for
56k crossover and report your findings.  ;-}

Rik

-Original Message-
From: Michelle Sanderson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 29, 2001 9:09 PM
To: [EMAIL PROTECTED]
Subject: back-to-back [7:10469]


I'm trying to get two 1602's and a couple of 2500's (2524/2501) setup into
some kind of lab.  I can't get the 1602's to see each other on the built-in
56k modules.  I've tried service-module settings for clock source
line/internal, speed, network-type, but nothing works.  I made a cable with
pins 1,2 to 4,5 and that works for the T1 modules that I have in the 1602's
and 2524, but not on the built in 56k (in the 1602's).  What am I doing
wrong?  Please tell me how I should make my cable or correct config, or
point me to where it is on the CD.  Thanks for any help, Dave






Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10475t=10469



RE: T1 concept? [7:10300]

2001-06-28 Thread Rik Guyler

Well, it's not necessarily true that a T1 circuit is a frame circuit.  A T1
is simply the layer 1 technology.  In other words, just a piece of wire more
or less.  Frame relay on the other hand is a layer 2 technology.  It will
typically run on T1 layer 1 technology but not always.  There is a 56k
flavor of frame available and this is not run on a T-carrier circuit.  

What layer 2 encapsulation does a standard T1 use if not frame relay you
ask?  Usually HDLC.  In fact, when setting up a serial interface on a Cisco
router in preparation for a T1, full or fractional, the default layer 2
encapsulation is HDLC and not frame relay.  You can run PPP on a T1.  This
is typically used when your upstream router is a non-Cisco router as Cisco's
HDLC is proprietary and not compatible with another vendor such as Nortel.

When somebody says I have a T1 to the Internet, they are usually bragging
about the size of their pipe, which is roughly 1.5Mbs for a full T1.  The
fact that it's a circuit providing access to the Internet has nothing to do
with the layer 2 encapsulation as it could be FR, HDLC, or PPP.  That was
not always the case as the frame relay cloud was just recently introduced
to the Internet cloud, so now many ISPs will provide access via their
private frame relay network.

Good luck!

Rik

-Original Message-
From: Sam [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 28, 2001 7:06 PM
To: 
Subject: Re: T1 concept? [7:10300]


There really is no difference between a T1 to your ISP or a T1 to a branch
office (in the scenario you outlined).
Of course the one obvious difference is that the T1 to your HQ is part of
your corporate frame relay cloud and the T1 to the internet is part of
your ISP's frame relay cloud.
T1s are usually frame relay connections, therefore they use frame-relay
encapsulation.

RJ wrote in message news:[EMAIL PROTECTED]...
 Hello,

 What is the difference between a frame connection to a branch office (I
 have configured this) and T1 to the internet (I don't know how this is
 configured).
 I have heard that our company has a T1 from (HQ) Atlanta to
 (backoffice) Tampa.
 Also they have a T1 to the internet.
 They also have numerous frame connections to small offices throughout the
 country.

 When somebody says that they have a T1 to the internet what exactly does
 this mean?  What protocols (encapsulation) are they running? Is it PPP or
 is it a frame connection? How does one connect to the ISP?

 I am sure these questions have simple answers. Can somebody please explain
 this concept?

 Thanks in advance.

 Regards,

 RJ.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=10366t=10300



RE: supervisor engine [7:9902]

2001-06-25 Thread Rik Guyler

The ports on a sup engine are like any other comparable port - they can be
trunked.

Rik

-Original Message-
From: Joe Morabito [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 25, 2001 10:45 PM
To: [EMAIL PROTECTED]
Subject: supervisor engine [7:9902]


Does anyone know if you can use the ports of a supervisor engine (whichever
model) for trunking?

Or do you always need to use a port from the chassis...Assuming you have no
RSM.

Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=9909t=9902



RE: supervisor engine [7:9902]

2001-06-25 Thread Rik Guyler

Ummm...this is describing etherchannel, but you can do that also.

Rik

-Original Message-
From: jackxu [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 25, 2001 11:10 PM
To: [EMAIL PROTECTED]
Subject: Re: supervisor engine [7:9902]


Certainly you can. The Cisco 6509's supervisor engine provides two gigabit
ethernet ports in this module, so two 6509s can be combined together by
trunking through the GE ports.

Joe Morabito wrote in message news:[EMAIL PROTECTED]...
 Does anyone know if you can use the ports of a supervisor engine (whichever
 model) for trunking?

 Or do you always need to use a port from the chassis...Assuming you have no
 RSM.

 Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=9913t=9902



RE: Setting up Sub-interfaces on serial interface for Frame [7:9704]

2001-06-24 Thread Rik Guyler

Well, since you say you have everything else accounted for, have you tried
rebooting the router?  Subinterfaces and loopbacks tend to be rather
troublesome once set up.  Deleting and changing these virtual interfaces
typically requires a reboot for the changes to take effect completely.

You might also check that ip subnet-zero is turned on.  If not, you will
get that very message if you try to use the zero subnet.

Rik

-Original Message-
From: tazman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 24, 2001 5:10 PM
To: [EMAIL PROTECTED]
Subject: Setting up Sub-interfaces on serial interface for Frame Relay
[7:9697]


I am having a problem when attempting to configure sub-interfaces for a
Frame Relay connection and was wondering if anyone has ever seen this
problem before. I configured two routers for a point-to-point Frame Relay
circuit with sub-interfaces and performed a test and turn-up with ATT which
worked fine. The problem I am having is I realized after I configured the
interfaces on both routers that I had used the wrong IP addresses. I set up
both ends of the circuit with a subnet mask of 255.255.255.252 but when I
attempted to change the address I get a bad subnet mask error. I have both
routers configured as IP Classless and was able to assign a /30 address to
both earlier. I removed the IP address from the interfaces and tried to add
a new address and I get the same thing. Is there something special with
sub-interfaces or Frame Relay which is causing this problem? Any suggestions
would be greatly appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=9704t=9704



RE: Linux Console program (Hypterminal equivlant)? [7:7188]

2001-06-04 Thread Rik Guyler

Teraterm Pro is among the favorites of this group, myself included.  Plus
it's free.  Just search on Google for teraterm and you'll get to the site
easily.

Rik

-Original Message-
From: Stephen Dunn [mailto:[EMAIL PROTECTED]]
Sent: Monday, June 04, 2001 9:51 PM
To: 
Subject: Re: Linux Console program (Hypterminal equivlant)? [7:7188]


minicom works like a champ.   http://www.pp.clinet.fi/~walker/minicom.html

Steve

nethacker711 wrote:

 I was searching the archives and could not find this one. Does anyone know
 of or can recommend a good HyperTerminal like program that will let me
 console into Cisco routers and other devices on Linux (RedHat)?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=7203t=7188



RE: Passed CIT - Now a CCNP!! [7:6725]

2001-06-01 Thread Rik Guyler

Dude, great job!

-Original Message-
From: Andrew Larkins [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 01, 2001 3:14 AM
To: [EMAIL PROTECTED]
Subject: Passed CIT - Now a CCNP!! [7:6725]


I passed my final exam yesterday - CIT with a score of 919.
At last I have my CCNP.

Many thanks to everyone on this list for all the informative threads and
help with problems I have had over this past period.

Now to do my CCDP and security specialisation - anyone have any tips for
these?

Thanks again


Andrew Larkins
BCom, CCNP, CCDA
Bytes Technology Group Limited
Tel :  +27 11 800 9467
Fax : +27 11 800 9496
Mobile : +27 83 656 7214
Email :  [EMAIL PROTECTED]
OR  [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6736t=6725



RE: PASSED: CCNP SWITCHING 2.0 (BCMSN) [7:6501]

2001-05-30 Thread Rik Guyler

Great job!

-Original Message-
From: Hire, Ejay [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 30, 2001 3:50 PM
To: [EMAIL PROTECTED]
Subject: PASSED: CCNP SWITCHING 2.0 (BCMSN) [7:6501]


Passed today at 3:00 with a score of 879.  64 questions in 30 minutes.
Scoring Range 300-1000, Minimum Passing Score 699.

YEAH!!

BTW, regarding Atm/lane's presence on the Exam Blueprint, It was accurate.
(minimally)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6536t=6501



RE: Help on Cisco 4000 Switch [7:6191]

2001-05-29 Thread Rik Guyler

Friend, eh?!?  Oh the humanity...  ;-}

Well, you could set a static entry but why?  The ARP table is designed to be
dynamic so that it doesn't grow to a large size and really create additional
overhead.  Remember, before ARP does its broadcast search, the switch will
check the ARP cache.  The bad news: the ARP cache is parsed from the top
down.  So if the table becomes large, static entries may actually slow
things down.  I wouldn't get into the habit of adding static entries, but if
his little heart desires it so badly...

BTW - removing the router's entry from the ARP table will not disconnect it
from the switch.  All that it really does is force the switch to broadcast
for the MAC address of the router if it's not in the table and that really
doesn't take much time at all.  If a disconnect is really happening, then
you...I mean he...has other issues to contend with.

Rik

-Original Message-
From: Joseph Cheng [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 29, 2001 3:23 AM
To: [EMAIL PROTECTED]
Subject: Help on Cisco 4000 Switch [7:6191]


Hi,

My friend has a question on the Cisco 4000 switch, can
anyone please help?  Thanks in advance.

==
When a Cisco 1720 is hooked up to the switch, if there is
no traffic from the 1720, it will be disconnected
from the Cisco Catalyst 4000 switch after a preset 300
seconds.

The MAC address of the 1720 will disappear from the
Cisco 4000 switch ARP table.

Is it OK to use set arp static-address to
permanently write the 1720 MAC address and IP into the
4000 switch ARP table?
==

Thanks,
JC





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6356t=6191



RE: Passed CCIE Written [7:6113]

2001-05-28 Thread Rik Guyler

Congrats dude!

Rik

-Original Message-
From: thangavel vishnukumar mudaliar [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 28, 2001 10:47 AM
To: [EMAIL PROTECTED]
Subject: Passed CCIE Written [7:6113]


Hi all,

I passed CCIE written, just narrowly escaped. Anyhow, cleared it. Now left with
the difficult part to go, the LAB.

Can someone suggest to me how to proceed with preparing for the Lab?

Also I am from India and to my knowledge there is no company which offers a
practice setup on rental. If anyone has come across one, please let me know.

Kind Regards /Thangavel

 





Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6122t=6113



RE: What do interVLAN routing and Layer 3 switching mean [7:6124]

2001-05-28 Thread Rik Guyler

I think that what you have described is multi-layer switching.  

As Howard has mentioned in past posts, L3S is simply a marketing term as is
wire-speed switching.  Layer 3 Switching is simply a line card, typically in
a chassis-based system, that can make routing decisions (layer 3) using
hardware-based technology (layer 2).  By not relying on the fundamentally
slow software decision making, this process greatly enhances the speed at
which the decisions are made.  

There are other types of L3S devices, such as a 2948G-L3.  This switch uses
ASICs to make routing decisions within hardware.  When you purchase one of
these beasts, you basically have a 48-port gigabit router!

Inter-VLAN routing is just routing.  Basically, it can be performed with any
routing-capable device so long as you have the appropriate interfaces.  The
difference between Inter-VLAN routing and legacy routing really has nothing
to do with routing at all.  The real difference is how the LANs have been
broken out: either Layer 2 (VLANs) or Layer 3 (IP subnetting).

If you know something about routing, then you know something about
Inter-VLAN routing.  Read up on VLANs (I suggest the Kennedy Clark CCIE
switching book) and all will become clear.

Rik

-Original Message-
From: Gareth Hinton [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 28, 2001 6:09 AM
To: [EMAIL PROTECTED]
Subject: Re: What do interVLAN routing and Layer 3 switching  mean
[7:6104]


Hi Frank,

I think the best description for Layer 3 Switching is Route once - Switch
many.
The first time a packet in a particular flow passes through, a routing
function will be used (on a different card, or even in a different device).
But to speed up the processing of any further packets in that flow, a cache
is created in the switch to remember this flow. The next time a packet comes
through which matches this flow it will be switched without using the router
functionality, therefore speeding things up.
The definition of a flow can differ depending on configuration.  For
instance, normally a flow may be any packet to a particular destination, but
if, for example, an extended access list is configured, the criteria for
the flow may tighten up, i.e. to be considered part of a flow, the source and
destination are compared.
Inter-VLAN routing means a packet gets routed every time.

Regards,

Gaz




frank wrote in message news:[EMAIL PROTECTED]...
 What does the following mean? It's cut from a description of WS-X4232-L3
 on the Cisco website.


 The Catalyst 4003 and 4006 Layer 3 Services module provides interVLAN
 routing for the Catalyst 4000 family switch and provides Layer 3 switching
 between the Gigabit Ethernet interfaces.

 John Hardman wrote in message news:[EMAIL PROTECTED]...
  Hi
 
  OK I'll bite...
 
  Yes there is a difference. It gets a little convoluted, but there is a
  difference.

  L3 switching: Think of a L3 switch as a multi port router that operates at
  wire speed. The 2948G-L3 is an example. It is just a 50 port Ethernet
  router. So L3 switching is routing traffic at wire speeds. You could use
  one of these to route between VLANs, or route between networks.

  Inter-VLAN routing: This is a technique, technology that is only used to
  route traffic from one VLAN to other VLAN(s). It generally takes place at
  wire speeds inside a Cat switch with a L3 switch option, but is often seen
  with routers that do not work at wire speeds.

  So the bottom line... think of a L3 switch as a device, and Inter-VLAN
  routing as a technology.
 
  HTH
  --
  John Hardman CCNP MCSE
 
 
  frank wrote in message news:[EMAIL PROTECTED]...
   Any difference?
  
   frank wrote in message news:[EMAIL PROTECTED]...
Thanks,
   
   
Frank




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6124t=6124



RE: ISL and MTU [7:6059]

2001-05-28 Thread Rik Guyler

Well George, since nobody else answered, I'll help here.

Your logic is a little backwards here.  By lowering your MTU, you may remove
the label of baby giants on some of your data (now maybe they'll be giants),
but that is all.  Actually, by doing this, you will cause (at least in
theory) additional issues.  ISL will actually add 30 bytes, so by moving the
MTU DOWN 30, you are compounding the issue by now possibly having frames
that are 60 bytes too big to be passed.  If you are running ISL, I would
bump the MTU up to 1548, not lower it.  This way, if the interface sees
what was formerly considered a giant frame (1518 byte frame + ISL), then
it will still be allowed to be forwarded as it is now an acceptable size
based on your specified MTU of 1548.

Think of it this way: MTU is an absolute value.  This means that the
interface will look at the entire frame size including the ISL portion, not
just the original data only.

Rik

-Original Message-
From: George Yiannibas [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 6:05 AM
To: [EMAIL PROTECTED]
Subject: ISL and MTU [7:6059]


Hi group
I am currently studying for BCMSN 640-504 and I thought of this question: If
you reduce MTU from the default 1518 byte size to 1488 you will not get baby
giant frames if using ISL.  True or False?
This is not a question from any book or any exam and I have had it since I was
studying for CCNA. Any input is welcome.
PS Thank you all in advance; this is a great forum and I learn something new
every day!

George Yiannibas MCSE CCNA




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=6150t=6059



Re: what's the RSM utilization and what slow down network?

2001-04-09 Thread Rik Guyler

It is considered good form to leave VLAN1 only for management, although in
small networks, it may not be as "critical".  In a large network, however,
doing this becomes very important.  Here's some reasons why:

1) Keeps most/all SNMP traffic off of data VLANs
2) Adds an extra level of security, especially if you don't route to VLAN1
3) Most important - keeps all of the host-generated broadcasts from the
switches, which serves to reduce CPU load on the switches by not having to
look at every single broadcast

There are other reasons, but these are compelling enough to support this
philosophy.

Rik

"David spalding" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
 What? You want to move ALL workstations off VLAN 1 as this is a management VLAN
 and only switches/routers should use this. For your info, I have assigned
 quite a lot of PCs to VLAN 1 ports and I used VLAN 1 ports to connect to
 the WAN via routers too.  Will it slow down the network?? Why??

 somenosuke> sh vlan
 VLAN Name      Status   IfIndex Mod/Ports, Vlans
 ---- --------- -------- ------- ----------------
 1    default   active   5       1/1-2
                                 3/5-17
                                 4/1-6
                                 5/1-6
 2    VLAN0002  active   83      3/18-19
                                 4/7-17
                                 5/7-17
 3    VLAN0003  active   84      3/20-21
                                 4/18-24
                                 5/18-24
 
 Below is the sh int output, VLAN 2 has been decommissioned.  Is that
 normal??

 SOMENOSUKE> sh int
 Vlan1 is up, line protocol is up
   Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia
 0090.92fd.9400)
   Description: ""
   Internet address is 100.100.45.253/24
   MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output 00:00:00, output hang never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
   5 minute input rate 115000 bits/sec, 43 packets/sec
   5 minute output rate 125000 bits/sec, 41 packets/sec
  331535286 packets input, 3135729531 bytes, 0 no buffer
  Received 7547855 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  451577502 packets output, 4089081283 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 output buffer failures, 0 output buffers swapped out
 Vlan2 is up, line protocol is up
   Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia
 0090.92fd.9400)
   Internet address is 100.100.170.253/24
   MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output 00:00:02, output hang never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
   5 minute input rate 0 bits/sec, 0 packets/sec
   5 minute output rate 0 bits/sec, 0 packets/sec
  33157120 packets input, 103412590 bytes, 0 no buffer
  Received 533647 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  33438811 packets output, 2522506402 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
  0 output buffer failures, 0 output buffers swapped out
 Vlan3 is up, line protocol is up
   Hardware is Cat5k Virtual Ethernet, address is 0090.92fd.9400 (bia
 0090.92fd.9400)
   Internet address is 100.100.171.253/24
   MTU 1500 bytes, BW 10 Kbit, DLY 100 usec, rely 255/255, load 1/255
   Encapsulation ARPA, loopback not set, keepalive set (10 sec)
   ARP type: ARPA, ARP Timeout 04:00:00
   Last input 00:00:00, output 00:00:03, output hang never
   Last clearing of "show interface" counters never
   Queueing strategy: fifo
   Output queue 0/40, 0 drops; input queue 0/75, 0 drops
   5 minute input rate 125000 bits/sec, 42 packets/sec
   5 minute output rate 11 bits/sec, 40 packets/sec
  409420811 packets input, 1385306767 bytes, 0 no buffer
  Received 1232865 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  277329303 packets output, 3156818548 bytes, 0 underruns
  0 output errors, 0 collisions, 1 interface resets
 

RE: Performance Comparision between Linux OS Firewall and Cisco PIX 525

2001-03-26 Thread Rik Guyler

But that just proves my point - you *can't* setup DNS server on a PIX, so it
becomes a non-issue with a PIX.  Besides, I think everybody I know has done
something that they know not to be the best thing but do it because it is a
quick and easy solution.

Don't get me wrong - I like Linux.  The real problem I see with network
security is not so much technology, but with human nature.  The PIX by
design removes many of the holes that human nature can drag us into.  A
simple case of less is more.

Rik

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 24, 2001 11:02 PM
To: [EMAIL PROTECTED]; Rik
Subject: Re: Performance Comparision between Linux OS Firewall and Cisco
PIX 525


While I agree that for an enterprise I would choose PIX over Linux 
for firewall purposes, if your friends configured a Linux firewall and 
ran other services on it, they may be good Linux admins but they 
don't know much about security. 

There is _no_ good reason to run unnecessary services on a 
firewall. Period.  Wintel hardware is too inexpensive to use any 
argument that a box serving as a firewall needs to run DNS, FTP, 
SMTP, etc.

The only service other than ipchains that a Linux firewall should run 
is SSH.  This gives you all the remote administration of the box 
you need and makes the box very secure.  

-Kent


On 23 Mar 2001, at 9:24, Rik wrote:

 I have seen way too many Linux firewalls hacked as a result of
 mis-administration.  Now, I'm not assuming anything about your
 abilities as the last confirmed hack that I was notified about was a
 Linux FW setup by 2 guys that I know to be excellent Linux admins. 
 The problem is the inherent nature of the beast.  A PIX is totally
 secure right out of the box.  The last Linux hack I speak of was
 hacked based on an exploit within BIND and had nothing to do with the
 FW policy.
 
 I also find the PIX to be MUCH easier to configure and setup.  I can
 do in only a few lines of code what could possibly take pages and
 pages of code in Linux.  When talking about firewalls, simplicity is a
 critically important concern.  One compromise could easily remove any
 upfront cost advantage Linux has over Cisco.  Also, you don't have to
 be concerned with shutting down unused services on a PIX as you would
 on Linux.
 
 Go with the PIX.  It was designed from the ground up to do just what
 it does: protect your network.  Cisco claims that a properly
 configured PIX has never been compromised.  I believe them.
 
 Rik
 
 
 "Sean Young" [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]...
  Hi Everyone,
 
  My company is putting me in charge of implementing a firewall for
  our company.  One guy in my networking group is recommending the PIX
  Firewall. Furthermore, he also recommends a Cisco web-caching
  engine.  His reason is that not only is Cisco a good firewall but it
  also provides VPN connectivity to our remote sites.  Myself, on the
  other hand, would like to implement a Linux-based OS firewall along
  with the FreeS/WAN VPN feature set.  My reason is that a Linux firewall
  can provide everything a Cisco PIX does and even more.  In terms of
  hardware, the Linux firewall/VPN/IPSec box will be running a
  dual-processor (800MHz) with 1GB of RAM. I just feel that I can get
  a lot more for the amount that we are going to spend with Linux than
  with the Cisco PIX.  I also feel that I can tweak the source code of the
  Linux kernel to increase performance and security. Also, instead
  of purchasing the Cisco web-caching engine, I am thinking of
  building another Linux box that will be running a Squid (web-caching)
  server.  Don't get me wrong, I think Cisco has a lot of good
  products in the area of routing; however, I just don't think it is
  necessary to throw away money at Cisco when I know that Linux or BSD
  can do the same job that the PIX and Cisco web-caching engine do for
  much less, and also I can control the source code.  Has anyone had
  experience with both Linux/BSD, Squid and Cisco PIX, Cisco
  web-caching engine so that you can give advice on what I should do? 
  I am open to your suggestions.
 
  Many thanks.
  Sean
  _
  Get your FREE download of MSN Explorer at http://explorer.msn.com
 
  _
  FAQ, list archives, and subscription info:
 http://www.groupstudy.com/list/cisco.html
  Report misconduct and Nondisclosure violations to
  [EMAIL PROTECTED]
 
 
 
 _
 FAQ, list archives, and subscription info:
 http://www.groupstudy.com/list/cisco.html Report misconduct and
 Nondisclosure violations to [EMAIL PROTECTED]




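An added example, not from this thread or either poster: a POSIX shell audit that reads `ss`-style listener lines and flags any local port other than SSH, the reduced service set Kent argues a Linux firewall should expose. The allow-list, the constructed sample lines and the `ss -Hltun` column layout (proto, state, recv-q, send-q, local, peer) are assumptions.

```shell
#!/bin/sh
# Added example (not the thread's own code): audit a Linux firewall's
# listening sockets against a minimal allow-list. Assumption: input is the
# column layout of `ss -Hltun` on a modern iproute2 host; an ipchains-era
# box would feed it `netstat -tuln` output with the columns adjusted.

# Local ports a bare firewall is expected to expose. Assumption: SSH on 22
# only. DNS (53), SMTP (25) and FTP (21) are exactly the extra services the
# thread says do not belong on the firewall.
ALLOWED_PORTS="22"

# Constructed sample of what a misconfigured firewall might show: sshd plus a
# BIND listener on tcp/udp 53 and an MTA on 25.
SAMPLE_LISTENERS='tcp   LISTEN 0  128  0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0  128  0.0.0.0:53     0.0.0.0:*
udp   UNCONN 0  0    0.0.0.0:53     0.0.0.0:*
tcp   LISTEN 0  128  127.0.0.1:25   0.0.0.0:*'

# audit_listeners: reads ss-style lines on stdin, prints one line per
# listener whose local port is not allow-listed, and returns 1 if any
# were found (0 if the host exposes only the allowed ports).
audit_listeners() {
    found=0
    while read -r proto state _ _ local _; do
        [ -z "$proto" ] && continue
        port=${local##*:}          # strip address, keep the port
        ok=0
        for p in $ALLOWED_PORTS; do
            [ "$port" = "$p" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected $proto listener on $local"
            found=1
        fi
    done
    return $found
}

# count_unexpected: number of flagged listeners in the constructed sample
# (3: tcp/53, udp/53 and tcp/25).
count_unexpected() {
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners || echo "audit FAILED"
```

On a live host replace the sample with `ss -Hltun | audit_listeners` and run it from cron so a newly enabled service shows up as a finding rather than as the next compromise.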

certificationzone.com

2001-02-13 Thread Rik Guyler

I'm having problems getting to the certificationzone website.  Anybody else
experiencing this?

Rik



_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


