Re: CCIE Lab - what's wrong with this picture? [7:55288]
The Long and Winding Road wrote in message news:200210101602.QAA07447;groupstudy.com...

> Following my own advice, I regularly check CCO to see what's up with the CCIE Lab.
>
> http://www.cisco.com/warp/public/625/ccie/certifications/routing.html#45
>
> Looks what's new!
>
> - Equipment List
>   2500 series routers
>   2600 series routers
>   3600 series routers
>   3900 series Token Ring switches
>   Catalyst 5000 series switches
>   Catalyst 3500 series switches

Well technically this is correct... The roll out of 3550s to replace the 5000s and removal of Token Ring from the lab are scheduled to be completed Nov 4th... So 5000s and 3900 TR switches are still valid lab equipment for the next 3 weeks or so...

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55486t=55288
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: MPPP Question [7:54691]
Tim Benner wrote in message news:[EMAIL PROTECTED]...

> Any one running MPPP out there? Specifically on multiple point-to-point T-1 interfaces? I am doing some research on using MPPP to bundle multiple T-1s together to look like 1 fat pipe. I have some documentation that states there is 12.5% overhead. I was wondering if anyone else has played around with it.

MPPP can increase the encapsulation overhead, but it does so only when it fragments a packet. The standard PPP encapsulation is 48 bits (32-bit header + 16-bit FCS); with MPPP fragments an additional fragment header (16 or 32 bit) is added. The amount that this increases the overhead compared to standard PPP would depend on your average packet size. I would imagine that it's going to be considerably less than 12.5% though.

A more relevant thing to consider is the way that IOS deals with the packets. With MPPP the router first looks up the packet's destination in the route-cache and hands the packet to the virtual interface; the virtual interface code then decides whether to fragment the packet and passes the fragments to the physical interface(s) for encapsulation. If you use equal cost load balancing, the packet is passed directly to the physical interface without virtual interface processing. Also, traditionally Cisco's HDLC implementation was more efficient than the PPP implementation, but take that with a pinch of salt, as software changes, and IOS PPP may have improved by now.

Here's a sample config from CCO doing exactly what you're talking about. Personally I'd probably go with equal cost load balancing over HDLC encapsulation if it's an all Cisco network though. It makes the config simpler, and I'm a big believer in Occam's Razor :)

http://www.cisco.com/warp/public/131/7.html

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54699t=54691
Re: OSPF for ISPs [7:54540]
> Say, for example, that a customer has a small block of IPs and a distribution router knows where that block is, via a connected route, like a /30 on a serial link. But later down the line the customer requests an additional block of 64 IP addresses, what is the best way to send this block to the customer? Do I need to run OSPF on the customer equipment? If the customer router is not running OSPF, how do the routers know how to get to this destination? I assume via static routing???

Easiest way to do this without running OSPF on the CPE is to put a static route on the router at your end of the link, and redistribute the static route into OSPF.

How are you getting the /30 into OSPF at the moment? If you are using a network statement make sure that you have set the customer interface as passive - the last thing you want is a customer tinkering with the router and injecting bad routes into your network. Alternatively you could redistribute connected routes into OSPF, removing the need for the network statement.

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54543t=54540
Re: unusual BGP question. [7:54429]
Casey, Paul (6822) wrote in message news:[EMAIL PROTECTED]...

> Hello,
>
> Anyone any thought on the following lab I'm working on, AS 1 and AS2 are connected to AS3 via EBGP as well as each other. (Triangular fashion) AS1 and AS2 both originate and advertise the network 81.0.0.0/8 in to EBGP to AS3
>
> Objective: Ensure that AS3 routes to 81.0.0.0/8 via AS 1. Local preference or AS-path attributes may NOT be modified.

OK, so you can't set local-pref or prepend the AS string... Things that spring immediately to mind in no particular order are:

1) If both ebgp peerings in AS3 are on the same router, then just set a weight preferencing the AS1 route over the AS2 route. If there are multiple peering routers you could set the weight and a community, and use that community to set a weight on the other BGP routers via a route-map on the iBGP peering.
2) You could set a med, and use the bgp always-compare-med option.
3) You could use a filter/prefix list to refuse accepting that prefix from AS2 in the first place.

> I'm thinking to do this, to use policy routing, or is there another way to deal with a situation like this.

There are a lot of ways to do most things in BGP. local-pref and as-prepend are the most common ways to do this particular type of traffic management, but if you know the decision algorithm and the various prefix-list/distribute-list/filter-list/route-map options that can be applied to a peering there are plenty of other answers to be found.

> Any help appreciated.
>
> Kind regards.
> Paul.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54438t=54429
Re: OSPF LSAs [7:54293]
The second is definitely correct. The first is also correct if you consider the cost of the path to the ASBR as the cost of the path from the destination network to the ASBR, but not if you consider it as the cost to get to the ASBR across the OSPF network.

E1 cost = external metric + OSPF path cost
E2 cost = external metric

E1 is always preferred to E2 if both exist, regardless of the individual metrics.

Hope this helps...

--
Russell Heilling
http://www.ccie.org.uk/

Matthew Webster wrote in message news:[EMAIL PROTECTED]...

> I am studying the CiscoPress CCNP Routing Book at the moment. There appears to be a contradiction on page 294 and 295.
>
> On page 294: the path to another AS can be calculated in one of two ways. The second way (E2) states that the cost of the path to the ASBR is all that is considered in the equation.
>
> However in table 6-2 on p.295 it states that LSA type 5, in relation to E2, does not compute the internal cost - it just reports the external cost to the remote destination. This seems to be the opposite of the previous statement.
>
> Can anyone advise which way round it is (although I think it is the cost to the ASBR, and not the cost from the ASBR to the remote destination).
>
> Cheers,
> Matthew.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54305t=54293
Re: chap authentication LONG !!! [7:54234]
Arni V. Skarphedinsson wrote in message news:[EMAIL PROTECTED]...

> Do I have to have the hostname of each router in each other, if I am calling an ISP I just get a username and password, that I send the ISP router, I don't get any hostname or password to put in my router to authenticate the ISP router
>
> Or do I

What you are describing is what happens in PAP authentication (as used with most single user dial ISP accounts). With CHAP *both* routers need to authenticate with each other, so you will need to put the username and password for the ISP router into your config.

In CHAP the password is never sent across the link; the authentication relies on both ends having the same password and using it to generate and verify cryptographic hashes that can be sent across the link without the risk of giving the password away to anyone snooping on the line.

As the password is the same at each end... You should use the same password for the entry in the local users database as you have configured for your end of the link.

Hope this helps clear it up...

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54310t=54234
Re: chap authentication LONG !!! [7:54234]
Magondo, Michael wrote in message news:[EMAIL PROTECTED]...

> Russell
>
> Are you saying that CHAP is not capable of one way authentication?? And to do this one has to use PAP???

Almost, but not quite... CHAP can operate in 2 modes: if you use ppp authentication chap then your router will issue CHAP challenges both on dial in and dial out; on the other hand you can use ppp authentication chap callin, which will only issue challenges to a device that calls in, and won't issue challenges when the port is used to dial out.

However, the authentication in both these cases is a 2 way process... one router issues a challenge, the other router responds with a cryptographic hash generated from the shared secret and the challenger checks this against its database to check that the response is as expected.

Reading over my previous email I wasn't particularly clear on this... I probably should have just said that both routers need a username entry in the local login database (or TAC+/Radius) to authenticate with each other, as even when CHAP is configured for one way authentication, it is still a 2 way process.

Take a look at this CCO page for a diagram illustrating the CHAP authentication process...

http://www.cisco.com/warp/public/131/ppp_callin_hostname.html

Hopefully this response is more accurate than my earlier one :)

--
Russell Heilling
http://www.ccie.org.uk/

> Michael
>
> -----Original Message-----
> From: Russell Heilling [mailto:[EMAIL PROTECTED]]
> Sent: 27 September 2002 12:10 PM
> To: [EMAIL PROTECTED]
> Subject: Re: chap authentication LONG !!! [7:54234]
>
> Arni V. Skarphedinsson wrote in message news:[EMAIL PROTECTED]...
>
> > Do I have to have the hostname of each router in each other, if I am calling an ISP I just get a username and password, that I send the ISP router, I don't get any hostname or password to put in my router to authenticate the ISP router
> >
> > Or do I
>
> What you are describing is what happens in PAP authentication (as used with most single user dial ISP accounts). With CHAP *both* routers need to authenticate with each other, so you will need to put the username and password for the ISP router into your config.
>
> In CHAP the password is never sent across the link; the authentication relies on both ends having the same password and using it to generate and verify cryptographic hashes that can be sent across the link without the risk of giving the password away to anyone snooping on the line.
>
> As the password is the same at each end... You should use the same password for the entry in the local users database as you have configured for your end of the link.
>
> Hope this helps clear it up...
>
> --
> Russell Heilling
> http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54318t=54234
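The CHAP exchange described in the two replies above, as an added example that is not part of the original posts: a small Python model of the RFC 1994 challenge/response, where the response value is MD5(identifier || secret || challenge). The `Router` class, the hostnames and the secret are constructed for illustration, and `peers` stands in for each router's local username database.

```python
import hashlib
import hmac
import os


def chap_hash(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Router:
    """One end of the link (hypothetical model, not IOS code).
    peers maps remote hostname -> shared secret, like local username entries."""

    def __init__(self, hostname: str, peers: dict):
        self.hostname = hostname
        self.peers = peers
        self._next_id = 0
        self._outstanding = {}  # identifier -> challenge this router issued

    def make_challenge(self) -> dict:
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)  # fresh and unpredictable for every attempt
        self._outstanding[self._next_id] = value
        return {"code": "CHALLENGE", "id": self._next_id,
                "value": value, "name": self.hostname}

    def answer(self, pkt: dict) -> dict:
        # The responder looks up the secret under the *challenger's* name,
        # so it needs an entry for the remote router (KeyError if missing).
        secret = self.peers[pkt["name"]]
        return {"code": "RESPONSE", "id": pkt["id"],
                "value": chap_hash(pkt["id"], secret, pkt["value"]),
                "name": self.hostname}

    def verify(self, pkt: dict) -> bool:
        # The challenger looks up the secret under the *responder's* name.
        challenge = self._outstanding.pop(pkt["id"], None)
        secret = self.peers.get(pkt["name"])
        if challenge is None or secret is None:
            return False
        expected = chap_hash(pkt["id"], secret, challenge)
        return hmac.compare_digest(expected, pkt["value"])


def run_exchange(challenger: Router, responder: Router):
    """Return (authenticated?, every packet that crossed the link)."""
    challenge = challenger.make_challenge()
    response = responder.answer(challenge)
    return challenger.verify(response), [challenge, response]


def demo():
    secret = b"c0nstructed"  # constructed sample secret
    isp = Router("isp-nas", {"cpe1": secret})
    cpe = Router("cpe1", {"isp-nas": secret})
    ok, wire = run_exchange(isp, cpe)
    # Does the secret itself appear in anything a line snooper could see?
    secret_on_wire = any(secret in p["value"] + p["name"].encode() for p in wire)
    # Replaying the captured response against a fresh challenge must fail.
    fresh = isp.make_challenge()
    replay_ok = isp.verify(dict(wire[1], id=fresh["id"]))
    # A responder configured with a different secret must fail.
    bad_ok, _ = run_exchange(isp, Router("cpe1", {"isp-nas": b"wrong"}))
    return ok, secret_on_wire, replay_ok, bad_ok


if __name__ == "__main__":
    print(demo())
```

Even with only one side issuing the challenge, both `Router` objects need an entry for the other: the responder to compute the hash, the challenger to check it.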
Re: ISDN Question [7:54356]
Christopher Dumais wrote in message news:[EMAIL PROTECTED]...

> Hello all,
>
> I have an ISDN line set up for vendor support. It is dedicated to one vendor. They are always the one to initiate the call, their system does not allow incoming calls. They are telling me that I have to set the thresholds on my router (Cisco 2620). I have never heard of the receiving side asking for the second connection and can't find any commands either. The only command I see is the dialer load-threshold command and that's for dial out. Am I missing something? Any thought? Thanks in advance!

This sort of thing is possible using Bandwidth Allocation Protocol (RFC2125). Try this CCO URL for config info (mind the wrap)... The option you're interested in is ppp bap callback request.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_c/dcbacp.htm

This is assuming that they are configured for BAP/BACP at their end though, they may just be plain wrong in what they're asking you to do :)

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54361t=54356
Re: 8510 and VLAN Configuration [7:54217]
OK, I'll take a stab at question 4 and see if that sorts out the others on the way... I would by no means class myself as an expert on the 8500 series, but here's my understanding of how this should work.

In 8500 terminology a bridge group is a switch local broadcast domain. i.e. all ports in bridge group 2 are in the same broadcast domain. Most people would generally consider this the definition of a VLAN, but on the 8500 a VLAN is only present on a trunk - and you map bridge groups to vlans by putting a trunked subinterface into a specific bridge group.

e.g. If switch 1 has a bridge group 1 and switch 2 has a bridge group 2. You could join these broadcast domains by running a cable between switch 1 and switch 2, creating a subinterface on each switch port, you then set each subinterface to use the same trunk type and vlan number (e.g. 'encapsulation dot1q 10'). You also add these ports to the relevant bridge group. You then have a VLAN 10, which consists of all ports in switch 1 bridge group 1, plus the ports in switch 2 bridge group 2.

In your example, you only have one 8500, so you can just consider a bridge group to be identical to a VLAN. To route packets from one bridge group to another you either use IRB, or you have an external router connected to all 3 bridge groups (either on individual ports, or by way of a trunk).

Take a look at this CCO link for more details on how to configure this: (mind the wrap)

http://www.cisco.com/univercd/cc/td/doc/product/l3sw/8540/rel_12_0/w5_6e/softcnfg/4cfg8500.htm

Hope this helps.

--
Russell Heilling
http://www.ccie.org.uk/

Chris Watson wrote in message news:[EMAIL PROTECTED]...

> Nortel D5000 core switch is more or less one giant broadcast domain with 3 subnets and 3 logical collision domains (back in the day you simply divided the hub into logical port groups to keep the collisions down). All of the downstream switches are 10bFL uplinks. There are three Nortel 350F switches that I can connect via Cu.
>
> We want to replace the D5000 with a Cisco 8510 that has 16 ports of FA and 8 ports of 100bFL and an E0 on the Sup. I figured out today that I can't get a VLAN on any of the ports (okay, I can trunk but w/o switches downstream it does me no good and, no, I didn't buy the box as someone else chose it for price:rolleyes:).
>
> 1. Do I need to include all ports in the router as a bridge group to talk to each other?
> 2. Are VLANs an option with an 8510? (So far the answer is no, but that's one reason why I'm posting)
> 3. Do I need IRB to allow all 3+ disparate bridge groups to talk to each other?
> 4. Explain (hopefully better than I did) the difference between a VLAN and a Bridge Group.
>
> I would love to hear any suggestions/ideas/questions you may have for this replacement.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54220t=54217
Re: 8510 and VLAN Configuration [7:54217]
> e.g. If switch 1 has a bridge group 1 and switch 2 has a bridge group 2. You could join these broadcast domains by running a cable between switch 1 and switch 2, creating a subinterface on each switch port, you then set each subinterface to use the same trunk type and vlan number (e.g. 'encapsulation dot1q 10'). You also add these ports to the relevant bridge group. You then have a VLAN 10, which consists of all ports in switch 1 bridge group 1, plus the ports in switch 2 bridge group 2.

Small correction... When I said add these *ports* to the relevant bridge group, I meant add these *subinterfaces* to the relevant bridge group :)

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54222t=54217
Re: BGP Route Reflector Question [7:54187]
wrote in message news:[EMAIL PROTECTED]...

> On your RR router, you will need to have: A, D or E (Depending on which IP is Router B), F or G (depending which one is Router B IP).
>
> Also, although you could peer IBGP routers on directly connected interfaces, I assume that you are using Lo0 interfaces. If this is the case, then don't forget that you also need these commands:
>
> neighbor x.x.x.x update-source Loopback0
> neighbor x.x.x.x ebgp-multihop 2

Whoa there... iBGP peerings don't need ebgp-multihop, even if you are updating using the loopback0 IP address. You can peer with any address configured on the iBGP neighbor, as long as it's in the IGP. ebgp-multihop is only needed if you wanted to do eBGP using loopbacks, or other non-connected interfaces (e.g. if you wanted to load balance across 2 parallel connections to the same eBGP neighbor).

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54227t=54187
Re: Access-list question? [7:54112]
Cisco Nuts wrote in message news:[EMAIL PROTECTED]...

> Hi,
>
> What does this command actually do:
>
> #access-list 101 permit tcp any eq bgp any gt 1023?

It adds a line to access-list 101, that permits any TCP connections sourced on the BGP port (179) to destination ports above 1023 (non-inclusive).

--
Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54115t=54112
Re: URGENT: problem with load balancing accross two internet [7:53900]
afshin wrote in message news:[EMAIL PROTECTED]...

> I have got two internet links from two ISPs both of which are directly connected to the LAN. I would like to set the default gateway of my clients to the 3660 router I have on my network so that it will load balance the outgoing traffic across the two separate internet links. I thought maybe two equal cost default routes would result in load balancing between equal cost paths, but it didn't work. Is there a command to allow load-balancing between equal cost static routes, that I am missing? Policy routing is not quite what I want because the load will not be quite balanced. Any clues?

Default load balancing is per destination, so if you are testing from a single workstation you will always hit the same link. To get a more even load sharing you'll want to enable per packet load sharing. To do this globally enable CEF (ip cef in global config mode), and then add the following command to the interface config on the interfaces connecting to the ISPs: ip load-sharing per-packet.

Hope this helps.

Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53900t=53900
Re: Caslow Book [7:53654]
Ben W wrote in message news:[EMAIL PROTECTED]...

> Does anybody know if Caslow's book Cisco Certification: Bridges, Routers and Switches for CCIE's is going to be updated for new CCIE topics in a 3rd edition? And if so when it will come out? Is the 2nd edition good enough?

Prentice Hall have a Cisco Professional Resource Kit by Bruce Caslow and Valeriy Pavlichenko scheduled for release in December...

http://vig.prenhall.com/catalog/academic/product/1,4096,0130873497,00.html

There's no summary info up yet though, so I'm not sure if this is a box set with the 2nd edition and some extra resources, or if it'll be a new book in there (it's also possible that it won't even be a CCIE book, but with the same authors as Bridges, Routers and Switches I hope it is :) )

Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53700t=53654
Re: Caslow Book [7:53654]
As an addendum to my earlier post, I found the following comment on http://www.networkmasterclass.net/

> Caslow and Pavlichenko are the authors of Cisco Certification, Bridges, Routers and Switches for CCIE's ... Now in its second edition with the third edition to be released this year ...

Looks like that box set due for release in December could well be the 3rd edition of Caslow.

Russell Heilling
http://www.ccie.org.uk/

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53705t=53654