Re: IDS 4210 help [7:35940]

2002-02-20 Thread Rob Webber

You will need to connect to the console of the IDS. Log in as netrangr
(note: NO "e" in netrangr). Default password: "attack". Then enter:
#sysconfig-sensor

You will see a menu:

1 - IP Address

2 - IP Netmask

3 - IP Host Name

4 - Default Route

5 - Network Access Control

6 - Communications Infrastructure

7 - Date/Time and Timezone

8 - Passwords

9 - Secure Communications

x - Exit

At a minimum you will need to configure 1, 2, 4, 5 and 6 (for #5 enter the
network that the CSPM server resides on. If it's 192.168.15.0/24, enter
192.168.15.) For #6, write down the info you assign the IDS. You will need
this for the CSPM. You will need the org. number (such as "1"), node # (such as
"1") and org name (like your domain name).

HTH, Rob.

CCIE 6922

"Shane Stockman" wrote in message news:[EMAIL PROTECTED]...
> I am currently setting up an IDS sensor 4210 and would like to know how to
> set up the command interface and the monitoring interface, as I would like
> to manage it from my CSPM server.
>
> I need to get the command interface to talk to the switch but I don't know
> where to set an IP address for it so that my CSPM software can find it.
>
> Thanks in advance.
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=35956&t=35940
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: TWO ISP AND ONE FAILURE [7:36371]

2002-02-25 Thread Rob Webber

For the outbound connectivity, use the HSRP track feature. That "watches" an
interface (the WAN link to your ISP). If that interface goes down, the HSRP
priority of that router gets reduced, making the other router (with the good
ISP link) the HSRP primary. HSRP will make it so no changes are required at
your server.

As mentioned, if you have Internet facing servers (mail server, web server),
you really need BGP. However, many ISPs will now accept advertisements as
small as /24. So if you have a class C of registered addresses (or if you
can get that) you can advertise it to both ISPs via BGP (even if it was
assigned to you by one of the ISPs).

Rob.
CCIE 6922

"Chris Charlebois" wrote in message news:[EMAIL PROTECTED]...
> Depends a lot on what kind of connection you want.  If you are just talking
> about outbound access from your site, that isn't a problem.  Set up the two
> routers on the same subnet and use HSRP.  Best practice would be to set up
> two HSRP addresses; each router will be primary for one address and backup
> for the other.  That way you can direct traffic over a specific connection
> when it's all up, but traffic will fail over to one connection if the other
> goes down.
>
> If, on the other hand, you want to maintain public services during an outage
> (ie, web pages, FTP sites, incoming e-mail), that is a gorilla of a
> completely different color.  If your site is big enough, you could justify
> a /19 public address, which can be routed via BGP.  That would solve a lot of
> your problems, but it's unlikely that you'd be asking the question if you
> had a /19.  Some protocols will allow you to specify a backup via DNS (I'm
> thinking SMTP), but that only helps with mail.  Otherwise, your options
> are co-locating the equipment you always want available, or switching both
> your WAN connections to the same ISP.  There is no really easy solution.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36378&t=36371



Re: Fiber optic interface question [7:36366]

2002-02-25 Thread Rob Webber

I am not completely sure, but I do not believe these two cards will
interoperate. The PA-POS is a Packet-over-SONET module. Thus that box will
look to frame the layer 2 frames as POS frames - and it will use the entire
OC-3 for the one POS connection. The PA-A3 is an ATM module. It is looking
to fill it with 53-byte ATM cells, and it is expecting to divide the
OC-3 bandwidth between whatever SVCs or PVCs have been created.

Just my thoughts - Rob.

"Alejandro Acosta" wrote in message news:[EMAIL PROTECTED]...
> Hello,
>   I am about to purchase a fiber optic interface; because these kinds of
> cards are pretty expensive I prefer to ask you so as not to buy the wrong
> interface.
>   Can I connect these two cards: PA-POS-OC3SMI and PA-A3-OC3SMI? We are
> going to use single mode fiber and it is mid range.
>
> Thanks in advance.
>
> Alejandro Acosta




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36412&t=36366



Re: TWO ISP AND ONE FAILURE [7:36371]

2002-02-25 Thread Rob Webber

I agree that this configuration - with HSRP and tracking - could work well
for connections that are initiated outbound. You would not necessarily need
BGP. R1 could do an outbound NAT to whatever IP address space had been
assigned by ISP 1. R2 could do an outbound NAT to whatever IP address space
had been assigned by ISP 2. The return traffic would use the correct ISP
based on that address space - without any BGP.

However if you do need inbound connections - and chances are you do, BGP is
the most realistic way to do it.

BGP on 2500s is fine. If you are only taking the default route it's probably
easier on the box than running OSPF.

Rob.

"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> I'm not sure I understand your point.  Assume the following topology:
>
> [R1]        [R2]
>  |            |
>  |            |
>   \----------/
>        |
>      [HOST]
>
> The two border routers are R1 and R2 and each have a connection to an
> ISP.  HSRP is configured to track the WAN link.  The default gateway on
> the host is the HSRP standby ip address.  If either WAN link goes down,
> the relevant router--because it is tracking the WAN link--will notify
> the other router that it is no longer eligible and the other router will
> take over.
>
> Why are you saying that the perceived uptime to the host would not
> increase using this method?  As I see it, unless both links go down, the
> downtime would be quite minimal.
>
> Thanks,
> John
>
> >>> "Hire, Ejay"  2/25/02 11:24:23 AM >>>
> Come on guys, think about it for a minute.  Do you really think the router
> is failing, or is his downtime caused by the WAN link?  HSRP won't
> significantly increase your uptime if the WAN link is failing and he has to
> manually change his server's IP/default gateway to switch to the other link.
>
> A different way to think of it...  If you had a car with no brakes and a
> broken tail-light, which would you fix first?
>
> -Ejay
>
>
> -Original Message-
> From: Ladrach, Daniel E. [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 25, 2002 11:48 AM
> To: [EMAIL PROTECTED]
> Subject: RE: TWO ISP AND ONE FAILURE [7:36371]
>
>
> Run HSRP between the two Cisco routers and then point your default gateway
> to the VIP address.
>
> Daniel Ladrach
> CCNA, CCNP
> WorldCom
>
>
> -Original Message-
> From: Yassel Omar Izquierdo Souchay [mailto:[EMAIL PROTECTED]]
> Sent: Monday, February 25, 2002 10:11 AM
> To: [EMAIL PROTECTED]
> Subject: TWO ISP AND ONE FAILURE [7:36371]
>
>
> Hello, I have a frequent problem with one of my ISPs. I have two Cisco
> routers and each one goes to a different ISP. Frequently I have to change
> the gateway of one of my servers, because one ISP is failing.
> I want to know if with one of BGP, OSPF, RIP, NAT or another protocol I
> could do the change automatically to the other active ISP.
> It is happening to me right now. And when I have to do that I have to reset
> one of my servers.. :S. It is a costly operation; it's a mail server.
> So if somebody knows how to resolve this between routers with a different
> ISP each, how to route across the other good gateway.
>
> Thanks in advance
> Yassel




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36430&t=36371



Re: Where is Bruce Caslow ECP1 Class? [7:36501]

2002-02-26 Thread Rob Webber

Now called "RS-NMC-1 (Routing and Switching Net Master Class)"

Rob.

"Will K." wrote in message news:[EMAIL PROTECTED]...
> Does anyone know where information about this class can be found? Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36513&t=36501



Re: Where is Bruce Caslow ECP1 Class? [7:36501]

2002-02-26 Thread Rob Webber

Oops - apparently the link did not come through for some reason. It is:

www.netmasterclass.net/nmc/

Rob.

"Will K." wrote in message news:[EMAIL PROTECTED]...
> Does anyone know where information about this class can be found? Thanks.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36515&t=36501



Re: MPLS in the Enterprise [7:36670]

2002-02-27 Thread Rob Webber

I see your point on security, but I don't completely agree. Your current
Frame Relay network is only as secure as your carrier. If someone at your
carrier maps a PVC between you and company X, real traffic can flow
(assuming your router picks it up and places it on the physical interface,
which it likely would). Granted, the only way someone could probably use
this to hack into your network was if they had a route to you (which they
could add) and if you had a route back to them (unlikely unless you are
running a routing protocol and they pick up on it).

It seems to me you could make MPLS fairly secure by using a routing protocol
with authentication and a simple access list.

To answer John's original question, I have only seen MPLS deployed in one
organization - they are using Equant as their carrier. They are happy with
it, but it's hardly widespread.

I'm curious why they said they could not give John any-any connectivity if
he kept his addressing?? That's basically exactly what MPLS was meant to
do...perhaps it's an implementation issue...? It's also curious why they even
suggested changing the addressing. On a network as big as John's (100 sites)
it's a ridiculous idea, and as Joseph mentioned they are going to add a
unique VRF, so it doesn't matter if the carrier has 100 customers that all
use 192.168.1.0...

Rob.

"Joseph Brunner" wrote in message news:[EMAIL PROTECTED]...
> I was pitched this very thing recently by WCOM and Qwest.. basically it is
> only as secure as your carriers.. if someone "f*cks up" and imports something
> into your VRF, either a default, another VPN, or whatever, your security
> is finished.. plus banks are supposed to encrypt over IPSEC, so why bother
> running MPLS (come on, how much diff-serv can you do on frac T-1s anyway)
> if you are just going to IPSEC the packets between PIXes or VPN
> concentrators anyway.. MPLS right now for 100 sites just can't be trusted. I
> used to work for ISPs, everyone there was a perp.. trust my VPN security to
> some loser ISP.
> No thanks
>
> read this
>
> http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/mxinf_ds.htm
>
>
>
> Joseph Brunner
> ASN 21572
> MortgageIT MITLending
> New York, NY 10038
> (212) 651 - 7695 Voice
> (212) 651 - 7795 Fax
>
>
>
> -Original Message-
> From: John Neiberger [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 27, 2002 12:24 PM
> To: [EMAIL PROTECTED]
> Subject: MPLS in the Enterprise [7:36670]
>
>
> Okay, I'm about to show how clueless I am when it comes to MPLS
>
> I've been getting calls from multiple providers lately all trying to
> suggest that I migrate our 100-site frame relay network to their MPLS
> network, suggesting that we'll have any-to-any connectivity and the
> ability to prioritize traffic classes within the MPLS network.
>
> Are any of you doing something like this?  I'm going to read up on it
> but I'm having trouble visualizing it.  Does this basically turn our
> network into a giant multipoint network?  Do our branch routers need to
> be aware of MPLS or do providers make this transparent somehow?  How
> does this affect routing?
>
> It seems that if we have any-to-any connectivity then the branch
> routers don't even need to run a routing protocol; every router would
> have one exit point to get to any destination.  But, how would the MPLS
> cloud know where to route packets?  The more I think about it, it seems
> like our branch routers would have to participate in MPLS to provide the
> necessary destination info for the MPLS cloud.
>
> See how clueless I am?  Ugh...  Time to do some studying on this.
> Since we already do a little video conferencing over IP and are working
> on getting VoIP working, it might be beneficial to get away from the
> frame relay network.  But since I don't understand this new technology,
> I don't know if it's  a viable solution for us or not.
>
> Off to CCO I go!
>
> Thanks,
> John




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=36694&t=36670



Re: blocking spanning tre ports [7:37663]

2002-03-11 Thread Rob Webber

If I understand your topology correctly, switches 3 and 4 share an Ethernet
segment. If I remember Spanning Tree correctly, one of these two will be the
"designated bridge" for that segment. That bridge will be forwarding packets
toward the root. All other bridges on that segment (in this case, the other
switch) will block their link if it creates a loop.

I believe the designated bridge is the one on that segment with the lowest
priority. If the priority is the same, the one with the lowest bridge ID
(mac address) becomes the designated bridge.

Changing the path cost on the link between 3 and 4 shouldn't have much
effect on the switch that is the designated bridge - it will be forwarding
anyway. Changing the path cost on the other switch should affect which of
its links are forwarding and which are blocked.

My guess is you don't have to actually change the path cost on both switches
on floor 1 and floor 4. I think if you change the path cost on one of those
two switches (the designated bridge) it actually won't have any effect (and
thus you really don't need to...). You can also try setting which bridge is
the designated one by making its priority lower than the other one - but
DON'T make its priority lower than the root!

Rob.
CCIE 6922

"steve skinner" wrote in message news:[EMAIL PROTECTED]...
> guys,
>
> another question ..
>
> in one of my sites I have clusters of 3548 switches ..
> At each end of the cluster I have a link to the distribution layer...
> I have multiple uplinks to each switch (6 in cluster)..
> and in the middle we have set the spanning-tree cost on one interface of the
> uplinks to much higher than default ...(that way switches 1-3 use
> distribution link 1 and switches 4-6 use distribution link 6 )..what I am
> finding odd is that on switches 3 and 4 (the middle of my cluster) I have to
> increase the cost on both switches' uplinks sometimes,
> and on just 1 switch other times (to force it into blocking)...
>
> floor 1 I had to do both
> floor 2 just switch 3
> floor 4 both
> floor 5 just switch 3
> floor 6 just switch 3
>
> what I don't understand is why...???
>
> I should have to set the uplink ports from 3 to 4 to
> both having high costs ...
>
> why does it sometimes work with just one...
>
> any ideas..
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37879&t=37663
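Added example, not part of the thread: the 802.1D election that picks the designated bridge on a shared segment, written out in Python so Rob's point about the designated bridge's own path cost can be checked against a small model of switches 3 and 4. Switch names, MAC addresses, priorities and costs are constructed; the rule implemented is the standard one (lowest root path cost wins the segment, lowest bridge ID breaks ties).

```python
"""Added example (not from the thread): an 802.1D designated-bridge election for a
shared segment, used to check the claim that the path cost on the designated
bridge's own port changes nothing. Names, MACs and costs are constructed."""


def bridge_id(priority, mac):
    """802.1D bridge ID: 16-bit priority followed by the 48-bit MAC; lowest wins."""
    return (priority << 48) | int(mac.replace(":", ""), 16)


def run_stp(bridges, segments):
    """bridges:  {name: (priority, mac)}
    segments: {segment: {bridge: path cost of that bridge's port onto the segment}}
    Returns (root, root_path_cost, designated_bridge_per_segment, port_state)."""
    bid = {b: bridge_id(*v) for b, v in bridges.items()}
    root = min(bid, key=bid.get)
    INF = float("inf")
    # best[b] = (root path cost, BID of the bridge whose BPDU was best, segment it came on)
    best = {b: (INF, INF, None) for b in bridges}
    best[root] = (0, 0, None)
    for _ in range(len(bridges) + 1):          # relax until a tiny topology settles
        for seg, ports in segments.items():
            for b, port_cost in ports.items():
                if b == root:
                    continue
                for sender in ports:
                    if sender == b or best[sender][0] == INF:
                        continue
                    # A BPDU received on this port costs the RECEIVER's port cost;
                    # the sender's own port cost never enters its root path cost.
                    cand = (best[sender][0] + port_cost, bid[sender], seg)
                    if cand[:2] < best[b][:2]:
                        best[b] = cand
    designated = {seg: min(ports, key=lambda b: (best[b][0], bid[b]))
                  for seg, ports in segments.items()}
    state = {}
    for seg, ports in segments.items():
        for b in ports:
            if designated[seg] == b:
                state[(b, seg)] = "designated"
            elif best[b][2] == seg:
                state[(b, seg)] = "root"
            else:
                state[(b, seg)] = "blocking"   # neither root nor designated: loop broken here
    return root, {b: best[b][0] for b in bridges}, designated, state


def cluster(sw3_seg_cost=4, sw4_seg_cost=4, sw3_uplink=4, sw4_uplink=19, sw3_priority=32768):
    """Middle of a cluster: SW3 and SW4 share a segment and each has its own uplink to
    the distribution switch, which is meant to stay root (priority 4096). Defaults give
    SW4 a slower uplink, so it prefers reaching the root through SW3."""
    bridges = {"DIST": (4096, "00:00:0c:00:00:01"),
               "SW3": (sw3_priority, "00:d0:ba:00:00:03"),
               "SW4": (32768, "00:d0:ba:00:00:04")}
    segments = {"uplink-A": {"DIST": 4, "SW3": sw3_uplink},
                "uplink-B": {"DIST": 4, "SW4": sw4_uplink},
                "seg-3-4": {"SW3": sw3_seg_cost, "SW4": sw4_seg_cost}}
    return run_stp(bridges, segments)
```

Two things fall out of the model. A port's configured cost is added to the BPDUs that bridge receives on that port, so raising it on the designated bridge's side of the 3-4 segment changes nothing, while raising it on the other switch moves that switch's root port back onto its own uplink; that is the asymmetry behind "sometimes one switch, sometimes both". The last case shows the trap in Rob's warning: a priority below the distribution switch's makes the access switch root, which is also what a rogue BPDU from an attached host achieves, hence root guard and BPDU guard on access ports.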



Re: BGP using AS_PATH attribute [7:37749]

2002-03-11 Thread Rob Webber

I haven't seen the lab, either, but how did you perform the filtering of
AS65000? When I read your post I was thinking of the neighbor
remove-private-as command. That should allow R3's loopback network to
propagate, just that R1 won't see the 65000 AS. Feel free to post your
configs and anything else relevant, I'll take a look.

Rob.
CCIE 6922

"Mike Sweeney" wrote in message news:[EMAIL PROTECTED]...
> I've been studying BGP using several books and papers. One of which is the
> Cisco Academy Semester 5 lab companion. So far it's been pretty good but Lab
> 8-3 drives me nuts.
>
> 3 routers.. 3 AS
>
> R1 ----- R2 ----- R3
> AS100    AS300    AS65000
>
> The idea is to have everyone share routes (did that) and then to filter off
> the AS65000 number as the update is sent to R1 (did that)
>
> The kicker was I was *supposed* to be able to ping R3 from R1 after this.. no
> way.. wasn't going to happen. The only network statements were the loopbacks
> for each router.. I was able to ping R3 AFTER I added the network statement
> to R2 that identified the interface IP between R2 and R1. That was not in the
> lab..
>
> If someone who has this lab could take a look and explain why the ping should
> or should not work?
>
> Thanks
>
> MikeS
> PS- I really am learning to dislike BGP right now ;)
>
> ---lab configs used
>
>
> hostname R1
> !
> !
> memory-size iomem 10
> ip subnet-zero
> !
> interface Loopback0
>  ip address 201.1.1.1 255.255.255.0
>  ip directed-broadcast
> !
> interface FastEthernet0/0
>  no ip address
>  no ip directed-broadcast
> !
> interface Serial0/0
>  ip address 192.168.1.5 255.255.255.252
>  no ip directed-broadcast
>  no ip mroute-cache
>  no fair-queue
> !
> router bgp 100
>  no synchronization
>  network 201.1.1.0
>  neighbor 192.168.1.6 remote-as 300
>  neighbor 202.2.2.2 remote-as 300
> !
> no ip classless
> no ip http server
> !
> !
> !
> line con 0
>  transport input none
> line aux 0
> line vty 0 4
>  login
> !
> no scheduler allocate
> end
>
> R1#
>
>
> hostname R2
> !
> !
> ip subnet-zero
> !
> !
> !
> interface Loopback0
>  ip address 202.2.2.2 255.255.255.0
>  no ip directed-broadcast
> !
> interface Ethernet0
>  no ip address
>  no ip directed-broadcast
>  shutdown
>  media-type 10BaseT
> !
> interface Serial0
>  ip address 172.24.1.17 255.255.255.252
>  no ip directed-broadcast
>  no ip mroute-cache
>  clockrate 56000
> !
> interface Serial3
>  ip address 192.168.1.6 255.255.255.252
>  no ip directed-broadcast
>  clockrate 100
> !
> router bgp 300
>  no synchronization
>  network 202.2.2.0
>  neighbor 172.24.1.18 remote-as 65000
>  neighbor 192.168.1.5 remote-as 100
>  neighbor 192.168.1.5 remove-private-AS
> !
> !if I add network 192.168.1.0, I can ping R3 from R1. Without it..no go
> no ip classless
> !
> !
> line con 0
>  transport input none
> line aux 0
> line vty 0 4
>  login
> !
> end
>
> R2#
>
>
> hostname R3
> !
> !
> no ip subnet-zero
> !
> !
> process-max-time 200
> !
> interface Loopback0
>  ip address 203.3.3.3 255.255.255.0
>  ip directed-broadcast
> !
> interface Ethernet0
>  no ip address
>  no ip directed-broadcast
>  shutdown
> !
> interface Serial0
>  ip address 172.24.1.18 255.255.255.252
>  no ip directed-broadcast
> !
> router bgp 65000
>  no synchronization
>  network 203.3.3.0
>  neighbor 172.24.1.17 remote-as 300
> !
> no ip classless
> !
> !
> line con 0
>  transport input none
> line aux 0
> line vty 0 4
> !
> end
>
> R3#




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=37881&t=37749
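Added example, not part of the thread: Mike's ping followed through the three posted configs with a longest-prefix lookup on each router, plus what remove-private-as does to the AS_PATH R1 receives. The routing tables are transcribed from the configs as BGP would install them (loopbacks, the two serial subnets, eBGP next hops); the "network 192.168.1.0" fix is modelled as the classful /24 that a mask-less network statement injected on the IOS of the time, which is an assumption.

```python
"""Added example (not from the thread): follow the ping from R1 to R3 through the posted
R1/R2/R3 configs, and show what remove-private-as does to the AS_PATH. Tables are
transcribed from the configs; the 'network 192.168.1.0' fix is modelled as a classful
/24 (assumption)."""
import ipaddress

PRIVATE_AS = range(64512, 65536)      # the block that remove-private-as strips


def remove_private_as(as_path):
    """R1's view of R3's loopback after R2 applies 'neighbor ... remove-private-as'."""
    return [asn for asn in as_path if asn not in PRIVATE_AS]


# Interface addresses from the posted configs; OWNER maps a next hop back to its router.
ADDRS = {"R1": {"201.1.1.1", "192.168.1.5"},
         "R2": {"202.2.2.2", "192.168.1.6", "172.24.1.17"},
         "R3": {"203.3.3.3", "172.24.1.18"}}
OWNER = {ip: r for r, ips in ADDRS.items() for ip in ips}

# (prefix, next_hop); None means directly connected. BGP next hops are the eBGP peers.
TABLES = {
    "R1": [("201.1.1.0/24", None), ("192.168.1.4/30", None),
           ("202.2.2.0/24", "192.168.1.6"), ("203.3.3.0/24", "192.168.1.6")],
    "R2": [("202.2.2.0/24", None), ("192.168.1.4/30", None), ("172.24.1.16/30", None),
           ("201.1.1.0/24", "192.168.1.5"), ("203.3.3.0/24", "172.24.1.18")],
    "R3": [("203.3.3.0/24", None), ("172.24.1.16/30", None),
           ("201.1.1.0/24", "172.24.1.17"), ("202.2.2.0/24", "172.24.1.17")],
}


def lookup(table, dst):
    """Longest-prefix match. Returns (found, next_hop)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (True, best[1]) if best else (False, None)


def reaches(tables, start, dst, max_hops=8):
    """Forward hop by hop from router `start`; False as soon as a router has no route."""
    router = start
    for _ in range(max_hops):
        if dst in ADDRS[router]:
            return True
        found, nh = lookup(tables[router], dst)
        if not found:
            return False                  # no route: the packet is dropped here
        if nh is None:
            return dst in OWNER           # directly connected: hand it to the owner
        router = OWNER[nh]
    return False


def ping_ok(tables, src_router, src_ip, dst_ip):
    """The echo must reach dst_ip AND the echo-reply must find its way back to src_ip."""
    return reaches(tables, src_router, dst_ip) and reaches(tables, OWNER[dst_ip], src_ip)


def with_r2_network_192_168_1(tables):
    """Mike's fix: R2 also advertises 192.168.1.0, so R3 gains a return route."""
    fixed = {r: list(t) for r, t in tables.items()}
    fixed["R3"].append(("192.168.1.0/24", "172.24.1.17"))
    return fixed
```

The forward path is fine in every case; what fails is the reply. A plain ping from R1 is sourced from the exit interface, 192.168.1.5, and R3 has no route to 192.168.1.4/30 because nobody advertises it, so the echo-reply dies on R3. Either advertising that subnet from R2 (what Mike did) or sourcing the ping from Loopback0 with an extended ping makes the round trip complete.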



Re: Is this possible? [7:38098]

2002-03-15 Thread Rob Webber

As far as getting the PIX to prompt for authentication, it can be done,
however it needs to be done by a browser (since the browser has the ability
to "pop up" a username/password box, but Citrix doesn't have this
capability). You can simply have them go to a static web page that you
create which will ask for authentication. Once authenticated, they can (and
only then) get to Citrix on 1494:

In this example 10.20.10.51 would be your Citrix server and 10.20.10.4 would
be your web server. Obviously they could be the same box...

aaa authentication http inbound 10.20.10.4 255.255.255.255 0.0.0.0 0.0.0.0 tacacs+

aaa authorization tcp/1494 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

aaa authorization udp/1604 inbound 10.20.10.51 255.255.255.255 0.0.0.0 0.0.0.0

The TACACS+ or Radius server would then have a rule that states when address
x.x.x.x authenticates via HTTP, it is allowed to connect to server y.y.y.y
via 1494 and/or 1604.

Rob.

"Johnson, Richard (NY Int)" wrote in message news:[EMAIL PROTECTED]...
> Hi All,
>
> Is it possible to do the following. I have a Citrix server on my
> internal network which has an outside address via NAT. On the PIX port 1494,
> ICA client, is open and is obviously allowed to come in. The user is then
> prompted for a user name and password. Upon entering this information, they
> are then prompted for the PIN and SecurID by our RSA server. My question
> is this: as opposed to having the Citrix server prompt them for their RSA
> info I would love for them to be prompted by the firewall. Any ideas if it
> can?
>
>
> Thanks,
>
>
> Rich




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38427&t=38098
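Added example, not part of the thread: a toy model of the PIX cut-through proxy state (what "show uauth" lists) behind the aaa lines Rob posted. The users, passwords and client addresses are constructed and the TACACS+ server is replaced by two dicts. What the model brings out is that the authenticated state is keyed by the client's source IP alone, which matters once clients arrive through a NAT gateway.

```python
"""Added example (not from the thread): a toy model of PIX cut-through proxy ('uauth')
for the posted aaa authentication/authorization lines. Credentials, addresses and the
AAA server are constructed stand-ins."""

# Stand-in for the TACACS+/RADIUS server: credentials and per-user authorization.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
AUTHORIZED = {"alice": {("10.20.10.51", "tcp", 1494), ("10.20.10.51", "udp", 1604)},
              "bob": set()}
UAUTH_TIMEOUT = 300   # seconds; PIX 'timeout uauth' defaults to 0:05:00 absolute


class CutThroughProxy:
    def __init__(self, auth_targets, authz_targets):
        self.auth_targets = auth_targets    # (dst, proto, port) that trigger the HTTP prompt
        self.authz_targets = authz_targets  # (dst, proto, port) that need an authorized user
        self.uauth = {}                     # src_ip -> (user, expires_at): keyed by address only

    def authenticate(self, src_ip, user, password, now):
        """The browser's username/password reply; on success the SOURCE IP is marked."""
        if USERS.get(user) != password:
            return False
        self.uauth[src_ip] = (user, now + UAUTH_TIMEOUT)
        return True

    def _user_for(self, src_ip, now):
        entry = self.uauth.get(src_ip)
        if entry and entry[1] > now:
            return entry[0]
        self.uauth.pop(src_ip, None)        # expired entries are discarded
        return None

    def connect(self, src_ip, dst_ip, proto, port, now):
        """Decision for a new inbound connection: permit, deny or auth-required."""
        key = (dst_ip, proto, port)
        user = self._user_for(src_ip, now)
        if key in self.auth_targets and user is None:
            return "auth-required"          # HTTP: the PIX can hand the challenge to a browser
        if key in self.authz_targets:
            if user is None:
                return "deny"               # ICA cannot answer a prompt; the connection is dropped
            return "permit" if key in AUTHORIZED.get(user, set()) else "deny"
        return "permit"                     # outside the aaa rules: ordinary ACL handling


def demo():
    """Replay the flow from the post, then the NAT caveat: a second client behind the same
    public address inherits the first user's session without ever logging in."""
    pix = CutThroughProxy(auth_targets={("10.20.10.4", "tcp", 80)},
                          authz_targets={("10.20.10.51", "tcp", 1494),
                                         ("10.20.10.51", "udp", 1604)})
    t = 1000
    out = {}
    out["ica_before_login"] = pix.connect("203.0.113.10", "10.20.10.51", "tcp", 1494, t)
    out["web_first_hit"] = pix.connect("203.0.113.10", "10.20.10.4", "tcp", 80, t)
    pix.authenticate("203.0.113.10", "alice", "correct-horse", t)
    out["ica_after_login"] = pix.connect("203.0.113.10", "10.20.10.51", "tcp", 1494, t + 1)
    # Someone else behind the same NAT address, who never authenticated:
    out["neighbour_behind_same_nat"] = pix.connect("203.0.113.10", "10.20.10.51", "udp", 1604, t + 2)
    out["different_address"] = pix.connect("203.0.113.11", "10.20.10.51", "tcp", 1494, t + 2)
    out["after_uauth_timeout"] = pix.connect("203.0.113.10", "10.20.10.51", "tcp", 1494,
                                             t + UAUTH_TIMEOUT + 1)
    return out
```

Because the state is a per-source-address table, once one person behind a NAT gateway has answered the web prompt, everyone else behind that address passes the 1494/1604 authorization without ever seeing the RSA challenge, until the uauth timer runs out. If clients come from shared addresses, keep that timer short and remember the one-time code is only protecting the first connection from each address.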



Re: cisco switches (with MSFC) arp timer question [7:38635]

2002-03-18 Thread Rob Webber

For step 3, it depends whether the link between core 1 and core 2 is a
routed link or a trunk (ISL or 802.1Q) link. If it's a routed link (such as
VLAN 3, with all VLANs running OSPF), core 1 will route the packet to core 2
and core 2 will route the packet to client 2.

For step 4, client 2 will not ARP for client 1. Since client 1 and client 2
are on different VLANs, client 2 will ARP for its default gateway - core 2.
When core 2 receives the packet it will send it via core 1. Again, depending
on whether this is a routed or trunked link will dictate exactly how this
packet is sent from core 2 to core 1.

Anytime a router (MSFC) needs to forward a packet to a client, if it does
not have an ARP entry, it will ARP for the client.

If a switch ages a MAC address out from its CAM table, it will flood (to all
ports on the VLAN) the very first frame that has a destination of the
"unknown" MAC address. Due to the flooding, the frame will reach the correct
destination. Once that station replies with the very first packet, the CAM
table will be updated and no more flooding will occur.

Hope that helps - Rob.
CCIE 6922

"z z" wrote in message news:[EMAIL PROTECTED]...
> Hi
>
> One interesting scenario here. Two core switches (with
> MSFC) running HSRP. Core 1 is the master for VLAN 1,
> and core 2 is the master for VLAN 2. I understand the MSFC
> ARP timer is 4 hours, but the switch CAM timer is 300
> seconds. So there will be one problem:
>
>
> 1. Client 1 (VLAN 1) wants to talk to client 2
> (VLAN 2). It will send one frame to client 2 using core
> 1's MAC address as the destination MAC, because core 1
> is its gw.
> 2. Core 1 will check its routing table and forward the
> packet to client 2. Meantime, it will change the
> frame's source MAC address to its own MAC and the dest
> MAC to client 2's MAC address.
> 3. Core 2 will just simply switch the frame to client
> 2, because core 1 has done the routing. To core 2, its
> ARP table and AFT table won't contain client 1's MAC
> address so far, since core 1 has translated the
> frame's source MAC address.
> 4. When client 2 wants to reply, it will send the
> replying packets to core 2. Core 2 will ARP for client
> 1's MAC address. When client 1 replies to this ARP request,
> core 2 will add its MAC address to both its ARP table
> and AFT table.
> 5. This is working fine so far.
> 6. After 300 seconds, core 2's AFT table times out.
> However its ARP table is still valid, so it won't do
> any more ARP requests. When client 2 wants to talk to
> client 1, core 2 will do the routing correctly, but
> then flood the frames to all the switch ports.
>
> Is my theory correct?
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38701&t=38635
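Added example, not part of the thread: a discrete-event replay of the timer mismatch in the post, with one core switch (300 second CAM aging) and its MSFC (4 hour ARP cache). It runs both the case Rob describes, where client 1's reply frames cross this switch and relearn the address so only one frame is flooded, and the asymmetric case from z z's step 6, where client 1 answers through core 1 and nothing ever refreshes core 2's CAM. MAC addresses, the client IP and the port names are constructed.

```python
"""Added example (not from the thread): replay of the ARP/CAM timer mismatch on core 2.
One switch (300 s CAM aging) and its MSFC (4 h ARP cache) are modelled; MACs, IP and
port names are constructed."""
from dataclasses import dataclass

CAM_AGING = 300            # seconds, Catalyst bridge-table default
ARP_AGING = 4 * 60 * 60    # seconds, MSFC/IOS ARP default


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


class Switch:
    """Transparent bridge for one VLAN: learn the source MAC per port, flood unknown unicast."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.cam = {}                       # mac -> (port, last_seen)

    def forward(self, frame, in_port, now):
        """Returns the set of egress ports; more than one means the frame was flooded."""
        self.cam = {m: v for m, v in self.cam.items() if now - v[1] < CAM_AGING}
        self.cam[frame.src] = (in_port, now)
        hit = self.cam.get(frame.dst)
        return {hit[0]} if hit else self.ports - {in_port}


class Msfc:
    """The routed hop: keeps a next-hop MAC for ARP_AGING no matter what the CAM does."""

    def __init__(self, mac):
        self.mac = mac
        self.arp = {}                       # ip -> (mac, learned_at)
        self.arp_requests = 0

    def next_hop_mac(self, ip, now, answer_on_wire):
        entry = self.arp.get(ip)
        if entry and now - entry[1] < ARP_AGING:
            return entry[0], False          # cache hit: no ARP, so nothing refreshes the CAM
        self.arp_requests += 1
        self.arp[ip] = (answer_on_wire, now)
        return answer_on_wire, True


MSFC2_MAC = "00:00:0c:07:ac:02"                                # core 2's MSFC
CLIENT1_MAC, CLIENT1_IP = "00:50:56:00:00:01", "10.1.1.10"    # client 1, behind the trunk to core 1


def simulate(send_times, replies_cross_this_switch):
    """Route one packet from client 2 toward client 1 at each time in send_times and count
    how many of them core 2's switch had to flood. replies_cross_this_switch=False is the
    asymmetric case in the post: client 1 answers via core 1 (its HSRP gateway), so no
    frame with client 1's source MAC ever refreshes core 2's CAM."""
    sw = Switch(["msfc", "trunk-to-core1", "fa0/1", "fa0/2", "fa0/3"])
    msfc = Msfc(MSFC2_MAC)
    flooded = 0
    for now in send_times:
        mac, sent_arp = msfc.next_hop_mac(CLIENT1_IP, now, CLIENT1_MAC)
        if sent_arp:                        # the ARP reply carries client 1's MAC across the trunk
            sw.forward(Frame(CLIENT1_MAC, msfc.mac), "trunk-to-core1", now)
        if len(sw.forward(Frame(msfc.mac, mac), "msfc", now)) > 1:
            flooded += 1                    # unknown unicast: every port in the VLAN gets the payload
        if replies_cross_this_switch:
            sw.forward(Frame(CLIENT1_MAC, msfc.mac), "trunk-to-core1", now)
    return {"flooded": flooded, "arp_requests": msfc.arp_requests}
```

Every flooded frame is a routed unicast that any host on any VLAN 1 port of that switch can capture, and in the asymmetric case the flooding does not stop after one frame; it continues until the MSFC's ARP entry expires hours later. The usual fix is to stop the two timers disagreeing, either by raising the CAM aging time to at least the ARP timeout or by lowering the ARP timeout on the MSFC VLAN interface.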



Re: Appreciate Your Expertise On This Strange ARP Problem [7:38828]

2002-03-19 Thread Rob Webber

Alec,

This is quite an interesting scenario you ran into. I think I can explain
what happened.

As you mentioned Cisco enables proxy-arp by default. Usually this is a good
thing - in this case it was the cause of the problems.

Before the change when a 10.67.7.* DHCP client wanted to connect to a
10.67.1.* server, the client would issue an ARP request for the 10.67.1.*
address. This ARP request would reach the actual server as well as the A
router. The A router would see that the request was for an address that it
believed was on a completely different subnet (10.67.1.0). Since proxy ARP
was enabled (by default), the router would answer the ARP request using its
own mac address as the destination mac address. At this point there would be
a race between the server responding (correctly) to the ARP request and the
A router responding to the ARP request.

When the server's ARP response won that race, everything worked fine. When
the A router won the ARP response race, it would receive the packets
destined for the server from the client. The A router would then attempt to
route those packets to the correct destination. Its default route said to
route them to router B, which it would do. Router B would then know to
forward those packets right back out the same interface to the server. In
this scenario traffic was taking a strange path, but still working (it's
likely router B would actually also send an ICMP packet which may have taken
router A out of the loop).

When the default route for router A was removed, the same race still
occurred. Except now when router A won the race it had no route to correctly
send the packet. Thus the packets would never make it to router B and/or the
server and communication was lost.

You correctly fixed the problem, though it would have been interesting to
see if disabling proxy arp on router A also would have fixed the problem. My
guess is it would have...

Rob.
wrote in message news:[EMAIL PROTECTED]...
> Hi there
>
> This is my first time to post a question.
>
> Here is a real scenario which happened a few days ago. Though the problem
> has been resolved, I still cannot understand what the cause is.
>
> Customer A has a partner connection to B's network. Due to lack of
> capability on B's router/firewall, one of A's routers is plugged directly
> onto B's internal LAN (sounds silly, but it is true).
>
> B's LAN uses 10.67.0.0/16 addresses, of which 10.67.1.x is for servers,
> 10.67.2.x for routers/switches, 10.67.7.x and 10.67.8.x for DHCP clients.
> B's router has the 10.67.2.1 addr.
>
> A's router on B's LAN gets assigned the IP addr 10.67.2.2, but a wrong /24
> mask was given by B. Since A's users need to talk to B's server, a static
> route (ip route 10.67.1.0 255.255.255.0 10.67.2.1) was added.
>
> A default route is also configured (ip route 0.0.0.0 0.0.0.0 10.67.2.1) on
> A's router.
>
> When this default route was taken off (no obvious reason to point a default
> route to B's default router), all B's DHCP clients could not talk to their own
> servers (10.67.1.x) any more even though they are on the same subnet.
>
> B's network support was called in, and they found that A's router was
> incorrectly answering ARP requests (by default ip proxy-arp is enabled on the
> LAN interface), and somehow the ARP response reaches the client before the
> server's, so the client cannot talk to the servers.
>
> The problem later was resolved by rectifying the subnet mask on A's router,
> but I still cannot figure out what went wrong when the default route on A's
> router was removed.
>
> I'd much appreciate it if anyone can shed some light on this.
>
> regards
>
> Alec Shi
>
>
> Senior Support Engineer
> Axon Computertime
> Auckland
> NZ
>
>




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=38828&t=38828
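Added example, not part of the thread: the ARP race Rob describes, replayed in Python with the addresses from Alec's post. The router's proxy-ARP decision is reduced to the off-subnet test the thread discusses, the MAC addresses and the two host IPs are constructed, and the model walks both directions (client to server and server to client) so the effect of removing the default route shows up where it actually bit.

```python
"""Added example (not from the thread): replay the proxy-ARP race from the post with
the addresses Alec gave. MACs and the two host IPs are constructed; the router's
proxy-ARP decision is reduced to the off-subnet test the thread describes."""
import ipaddress

ROUTER_A_MAC = "00:10:7b:00:00:aa"
SERVER_MAC = "00:50:56:00:00:01"   # a 10.67.1.x server on B's LAN
CLIENT_MAC = "00:50:56:00:00:07"   # a 10.67.7.x DHCP client on B's LAN
HOSTS = {"10.67.1.10": SERVER_MAC, "10.67.7.50": CLIENT_MAC}


def router_a(mask_len, default_route):
    """A's router as configured in the post: 10.67.2.2 with the given mask, the static
    route to B's servers, and optionally the default route that was later removed."""
    routes = ["10.67.1.0/24"] + (["0.0.0.0/0"] if default_route else [])
    return {"addr": ipaddress.ip_interface(f"10.67.2.2/{mask_len}"),
            "mac": ROUTER_A_MAC, "proxy_arp": True, "routes": routes}


def arp_responders(target_ip, router):
    """Every station that answers an ARP request for target_ip on the shared LAN."""
    replies = []
    if target_ip in HOSTS:
        replies.append(HOSTS[target_ip])           # the real owner
    if router["proxy_arp"] and ipaddress.ip_address(target_ip) not in router["addr"].network:
        replies.append(router["mac"])              # proxy ARP: "not my subnet, send it to me"
    return replies


def has_route(router, dst_ip):
    """Longest-prefix match; a default route makes everything routable."""
    dst = ipaddress.ip_address(dst_ip)
    return any(dst in ipaddress.ip_network(r) for r in router["routes"])


def reachable(dst_ip, cached_mac, router):
    """Does an IP packet reach dst_ip when the sender's ARP cache holds cached_mac?"""
    if cached_mac == HOSTS.get(dst_ip):
        return True                                # delivered straight to the owner
    if cached_mac == router["mac"]:
        return has_route(router, dst_ip)           # router A forwards via 10.67.2.1 or drops
    return False


def outcomes(mask_len, default_route):
    """For each destination on the LAN: does router A answer the ARP, and if its reply
    wins the race, does the traffic still get through?"""
    router = router_a(mask_len, default_route)
    result = {}
    for dst in HOSTS:
        responders = arp_responders(dst, router)
        hijacked = router["mac"] in responders
        result[dst] = {"router_answers": hijacked,
                       "works_if_router_wins": reachable(dst, router["mac"], router) if hijacked else True}
    return result
```

With the /24 mask, router A answers ARP for both the server and the DHCP client. While the default route existed it could forward either way, so a hijacked flow still worked (by a detour through 10.67.2.1); once the default route went, packets the client sent to the server still rode the static 10.67.1.0/24 route, but the server's packets back to a 10.67.7.x client had nowhere to go, which is the outage B saw. With the mask corrected to /16 the router never answers, which is why the fix held; "no ip proxy-arp" on that interface, as Rob suggests, would have had the same effect.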



Re: Classful Prefix-list [7:39113]

2002-03-22 Thread Rob Webber

I believe this will do what you are looking for. I did a little testing and
it seemed to work well:

ip prefix-list classful seq 5 permit 0.0.0.0/1 ge 8 le 8
ip prefix-list classful seq 10 permit 128.0.0.0/2 ge 16 le 16
ip prefix-list classful seq 15 permit 192.0.0.0/3 ge 24 le 24

Hope that helps, Rob.
CCIE 6922

"William Lijewski" wrote in message news:[EMAIL PROTECTED]...
> Can someone tell me how to create a Prefix-list to only allow classful
> routes for BGP.  I know you can do the following with an extended access-list:
>
> access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
> access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
> access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0
>
> Is there a way to do it?  Any good reading material on Prefix-lists?
>
> Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39187&t=39113



Re: Classful Prefix-list [7:39113]

2002-03-22 Thread Rob Webber

To better understand why this works:

In the very first octet, the following applies:

class A addresses start with the first bit = 0

class B addresses start with the first two bits = 10

class C addresses start with the first three bits = 110

So the 0.0.0.0/1 means look for a network address of 0.0.0.0, but only pay
attention to the very first bit (and make sure that it is a zero). So
0.0.0.0/1 identifies all class A networks - from 0.0.0.0 to 127.255.255.255.
The ge 8 le 8 says only accept routes with a mask of 255.0.0.0. The
combination of these two identifies all classful class A networks (0.0.0.0/8
to 127.0.0.0/8).

Same with the 128.0.0.0/2 - that means make sure the first two bits are 10,
but then ignore everything else. So this includes all class B addresses -
from 128.0.0.0 to 191.255.255.255.

Rob.

"Rob Webber" wrote in message news:[EMAIL PROTECTED]...
> I believe this will do what you are looking for. I did a little testing
and
> it seemed to work well:
>
> ip prefix-list classful seq 5 permit 0.0.0.0/1 ge 8 le 8
> ip prefix-list classful seq 10 permit 128.0.0.0/2 ge 16 le 16
> ip prefix-list classful seq 15 permit 192.0.0.0/3 ge 24 le 24
>
> Hope that helps, Rob.
> CCIE 6922
>
> "William Lijewski" wrote in message news:[EMAIL PROTECTED]...
> > Can someone tell me how to create a Prefix-list to only allow classful
> > routes for BGP.  I know you can do the following with an extended access-list:
> >
> > access-list 100 permit ip 0.0.0.0 127.0.0.0 host 255.0.0.0
> > access-list 100 permit ip 128.0.0.0 63.255.0.0 host 255.255.0.0
> > access-list 100 permit ip 192.0.0.0 31.255.255.0 host 255.255.255.0
> >
> > Is there a way to do it?  Any good reading material on Prefix-lists?
> >
> > Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=39204&t=39113
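Added example, not part of the thread: the IOS prefix-list matching rule written out in Python (first "len" bits must match, mask length must fall within ge/le), used to verify that Rob's three entries admit exactly the classful A/B/C routes and nothing else. The check is exhaustive over every first octet and every mask length, compared against an oracle written straight from the class definitions Rob gives in his second post.

```python
"""Added example (not from the thread): IOS prefix-list matching semantics in Python,
used to verify that the three posted entries admit exactly the classful A/B/C routes
(every first octet x every mask length is checked against a class-definition oracle)."""
import ipaddress


def prefix_list_entry(prefix, ge=None, le=None):
    """One 'ip prefix-list NAME permit A.B.C.D/len [ge x] [le y]' line as a predicate.
    A route matches when its first `len` bits equal the entry's and its mask length
    lies in [ge, le]; without ge/le the mask must be exactly `len`."""
    net = ipaddress.ip_network(prefix)
    lo = ge if ge is not None else net.prefixlen
    hi = le if le is not None else (32 if ge is not None else net.prefixlen)
    shift = 32 - net.prefixlen

    def match(route):
        r = ipaddress.ip_network(route, strict=False)
        same_prefix = int(r.network_address) >> shift == int(net.network_address) >> shift
        return same_prefix and lo <= r.prefixlen <= hi
    return match


# The posted list, entry by entry.
CLASSFUL = [prefix_list_entry("0.0.0.0/1", ge=8, le=8),      # class A: first bit 0,  /8
            prefix_list_entry("128.0.0.0/2", ge=16, le=16),  # class B: bits 10,      /16
            prefix_list_entry("192.0.0.0/3", ge=24, le=24)]  # class C: bits 110,     /24


def permitted(route, entries=CLASSFUL):
    """First matching entry permits; the implicit deny at the end drops the rest."""
    return any(entry(route) for entry in entries)


def is_classful(route):
    """Independent oracle straight from the class definitions."""
    r = ipaddress.ip_network(route, strict=False)
    first = int(r.network_address) >> 24
    if first < 128:
        return r.prefixlen == 8
    if first < 192:
        return r.prefixlen == 16
    if first < 224:
        return r.prefixlen == 24
    return False                  # class D/E never count as classful unicast routes


def mismatches():
    """Every (first octet, mask length) on which the prefix list and the oracle disagree."""
    return [(o, l) for o in range(256) for l in range(33)
            if permitted(f"{o}.0.0.0/{l}") != is_classful(f"{o}.0.0.0/{l}")]
```

The same predicate explains William's extended-ACL version: in a distribute-list the "source" wildcard picks out the prefix bits and the "host" mask pins the mask length exactly, which is what ge/le with equal values does here.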



Re: Reverse telnet [7:32206]

2002-01-16 Thread Rob Webber

Try configuring "speed 9600" under the line aux 0. I do not believe you can
use a straight cable, I think it has to be rolled.

Also, are you sure port 2065 is the right port number? It sounds high, but
that may be correct...

Rob.

"Joaquim Lopes" wrote in message news:[EMAIL PROTECTED]...
> Hi, I'm trying to configure a switch without IP remotely.
>
> I have the router AUX port connected to the switch console port via a
> rolled cable.
> When I try to connect I get:
>
> RouterXPTO#1.1.1.1 2065
> Trying 1.1.1.1, 2065 ... Open
>
>
> But I can't type anything (newbie problems )
>
> --
> Router configuration
> interface Loopback0
>  ip address 1.1.1.1 255.255.255.0
>  no ip directed-broadcast
> line aux 0
>  no exec
>  no activation-character
>  terminal-type VT100
>  transport preferred none
>  transport input all
>
>
> One last thing, can I use a straight cable to do the connection?
> Thanks




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=32236&t=32206