LF: CCIE partner in Ottawa, Canada [7:73264]
Anybody in Ottawa, Canada for CCIE?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=73264t=73264
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: CSS Switches... [7:71292]
Used CSS11152's in the datacenter with SSL. Worked well.

Herlocker, Tim wrote in message news:[EMAIL PROTECTED]

Hi,

Just wondering if anybody has worked with the CSS 11000 switches at all. We are looking at purchasing one or two but would like to make sure SSL sticky works on them first.

Thanks in advance!
- Tim

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71315t=71292
Re: religious wars [7:70274]
Since when is FreeBSD a flavor of Linux??? Would you say Solaris is a flavor of Linux as well??? All *nix's are not the same.

Black Jack wrote in message news:[EMAIL PROTECTED]

Old timers will remember Mac vs DOS/Windows. Or UNIX vs DOS. Or Beta vs VHS. More recent is Linux vs FreeBSD, or one flavor of Linux distribution vs another. (See http://ars.userfriendly.org/cartoons/?id=19990301 for example. By the way, if you are not familiar with www.userfriendly.org, you gotta check it out. Funniest geek-oriented comic strip this side of Dilbert.)

Anyway, try asking network types what their favorite TFTP server is... then step back!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=70310t=70274
PIX question [7:65769]
Hey there,

Mostly, firewall design includes a DMZ. In most companies, within this DMZ, is it more likely to see the servers directly being given registered public IPs, or is it more likely to see the servers being given private IPs and then a NAT translation created for Internet users to access the servers?

Also, what are the pros and cons of the above two situations?

thx

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65769t=65769
Simple IP address question [7:65597]
Hey there,

I had a simple question. I came across this router which had an IP address of 199.66.15.252/27. I wonder how that is possible because it doesn't seem a legal address. With a subnet mask of /27, you get 6 subnets as follows:

32-64
64-96
96-128
128-160
160-192
192-224

Thx,
Sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65597t=65597
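As an added worked example (not part of the original post), the script below enumerates every block a /27 carves out of the last octet and places 199.66.15.252 inside its block; the post's list stops at 192-224, but a /27 has 8 blocks of 32, and the address lands in the last one (224-255) as a valid host.

```python
import ipaddress


def blocks_in_last_octet(prefix_len: int):
    """Enumerate the subnet blocks a /prefix_len (between /24 and /30) carves
    out of the last octet, as (network_octet, broadcast_octet) tuples.
    For /27 that is eight blocks of 32 addresses: (0, 31), (32, 63), ... (224, 255).
    """
    if not 24 <= prefix_len <= 30:
        raise ValueError("this helper only handles /24 .. /30")
    size = 2 ** (32 - prefix_len)          # addresses per block: 32 for a /27
    return [(start, start + size - 1) for start in range(0, 256, size)]


def locate(iface: str):
    """Place an address/prefix inside its block and report whether it is a
    usable host address (i.e. neither the network nor the broadcast address)."""
    i = ipaddress.ip_interface(iface)
    net = i.network
    usable = net.network_address < i.ip < net.broadcast_address
    return {
        "network": str(net.network_address),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable_host": usable,
    }


if __name__ == "__main__":
    # The address from the post: 199.66.15.252/27 sits in the 224-255 block.
    for lo, hi in blocks_in_last_octet(27):
        print(f"block {lo:3d}-{hi:3d}")
    print(locate("199.66.15.252/27"))
```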
test msg [7:65200]
test msg

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65200t=65200
Re: Posting directly from news client [7:65061]
Yes I do, using Outlook Express with no problems. The news server is news.groupstudy.com

Troy Leliard wrote in message news:[EMAIL PROTECTED]

A bit off topic, but wondering if any of you send posts directly to this group through your NNTP clients? I have tried (using Mozilla mail/news) and am failing. At the moment I have to make all my posts via the WWW front end. Any ideas, recommendations!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65071t=65061
Re: 10 half or 100 full [7:64931]
Are these Sun or Microsoft Intel servers you're running into? It's been my experience with Sun servers to NEVER set them to auto. They almost never work properly with auto set, with both Cisco and Extreme switches. Manually setting them to full 100 Mbit/s does wonders to clear this problem up.

John Neiberger wrote in message news:[EMAIL PROTECTED]

Elijah Savage wrote:

I have been trying to follow this, and I still do not see why we should get away from the old Cisco switch courses that if you set both sides to 100 full duplex if they are capable you will be fine. I have not seen any situation where hard setting both sides caused problems (am I missing something?). Question I ask is why even fool with the unpredictable auto negotiate.

Setting both sides manually to 100 full works (as long as you don't have Cat 3 cabling), but it's not a maintainable solution. Say you get laid off (heaven forbid) without a chance to document your procedures. Your replacement, fresh out of the newer Cisco courses, has the job of replacing a NIC in a workstation or server. She doesn't set the speed and duplex manually, since there *should* be no need. The switch is set to manual. This means, as John has said, that it may not participate in autonegotiation. Why should it? It knows what it should be since you manually configured it. The behavior is undefined in the specs, but that would be OK behavior and is something we see in the real world. The new NIC doesn't see any autonegotiation going on and decides that the device at the other end must be so old that it doesn't support autonegotiation and, in fact, if it's that old, it must be 10 half. The NIC sets itself to 10 half. You have a mismatch.

Priscilla

It's actually even worse than this! Let's say you currently have a 2924XL switch and all attached hosts are manually set to 100/Full on both the switch and the end device. If you replace the 2924XL with a 2950 using the EXACT same configuration, you might run into problems because the 2950 disables autonegotiation completely when you manually configure the speed, which might cause an end device to assume it's connected to a hub and downgrade its connection to 10/Half. So, with a 2924XL things might be running just fine with both sides manually configured, but if you upgrade to a 2950 you might end up with speed/duplex mismatches. I've seen this more times than I can count in the last six months. I'm not exaggerating when I say that at least two or three times a week we run into another device that is having problems, and about 97% of the time setting both sides to auto clears up the problem.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65090t=64931
Re: 10 half or 100 full [7:64931]
I see, interesting. Most of my Sun servers are over 2 years old. You say newer Cisco switches should be set to auto first, then manual if you have problems. Do you mean newer as in version of IOS, OS, or newer physical hardware?

John Neiberger wrote in message news:[EMAIL PROTECTED]

We have quite a mix of NT/Novell/Sun servers. As for the Sun servers, over half are set to auto. With those, we've only changed the settings when we had an issue. With the Intel-based servers and workstations we've moved most of them to auto. We've had a few machines with older NICs where auto just wasn't working right, but if your NICs are relatively new and you have updated drivers you shouldn't have a problem, at least with autonegotiation. We've had other issues, primarily with 3COM NICs on Dell workstations, but those have been resolved.

Sam Sneed 3/11/03 1:45:43 PM

Are these Sun or Microsoft Intel servers you're running into? It's been my experience with Sun servers to NEVER set them to auto. They almost never work properly with auto set, with both Cisco and Extreme switches. Manually setting them to full 100 Mbit/s does wonders to clear this problem up.

John Neiberger wrote in message news:[EMAIL PROTECTED]

Elijah Savage wrote:

I have been trying to follow this, and I still do not see why we should get away from the old Cisco switch courses that if you set both sides to 100 full duplex if they are capable you will be fine. I have not seen any situation where hard setting both sides caused problems (am I missing something?). Question I ask is why even fool with the unpredictable auto negotiate.

Setting both sides manually to 100 full works (as long as you don't have Cat 3 cabling), but it's not a maintainable solution. Say you get laid off (heaven forbid) without a chance to document your procedures. Your replacement, fresh out of the newer Cisco courses, has the job of replacing a NIC in a workstation or server. She doesn't set the speed and duplex manually, since there *should* be no need. The switch is set to manual. This means, as John has said, that it may not participate in autonegotiation. Why should it? It knows what it should be since you manually configured it. The behavior is undefined in the specs, but that would be OK behavior and is something we see in the real world. The new NIC doesn't see any autonegotiation going on and decides that the device at the other end must be so old that it doesn't support autonegotiation and, in fact, if it's that old, it must be 10 half. The NIC sets itself to 10 half. You have a mismatch.

Priscilla

It's actually even worse than this! Let's say you currently have a 2924XL switch and all attached hosts are manually set to 100/Full on both the switch and the end device. If you replace the 2924XL with a 2950 using the EXACT same configuration, you might run into problems because the 2950 disables autonegotiation completely when you manually configure the speed, which might cause an end device to assume it's connected to a hub and downgrade its connection to 10/Half. So, with a 2924XL things might be running just fine with both sides manually configured, but if you upgrade to a 2950 you might end up with speed/duplex mismatches. I've seen this more times than I can count in the last six months. I'm not exaggerating when I say that at least two or three times a week we run into another device that is having problems, and about 97% of the time setting both sides to auto clears up the problem.

John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=65108t=64931
Re: Sniffer on Catalyst 6509 [7:64894]
Yes, and here is how you configure it:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00800c65f8.html

Eduardo Perestrelo wrote in message news:[EMAIL PROTECTED]

Hi,

I have a Catalyst 6509 and need to sniff the network. Is it possible to enable one port to read all traffic to sniff?!

Thanks,
Eduardo Perestrelo
CCNA / CCAI

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64953t=64894
Anonymous Posting to this newsgroup [7:64749]
I've seen some people posting here and when you check the email properties, their email address shows up as: [EMAIL PROTECTED]

I need to do this too to avoid spam. How do I do it? I'm using the Outlook Express program and each time I change my email ID, groupstudy sends me an email asking me to verify my email addy. Now, if I give the wrong ID, I would never get this email and hence my message won't appear at all.

thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64749t=64749
Re: Cisco Networkers Links [7:64652]
Karen E Young wrote in message news:[EMAIL PROTECTED]

Greetings!

I've recently gathered up all my links for Cisco Networkers and it amounts to a fair amount of stuff. I just thought that everyone should have the benefit of this stuff so here it is. There's some good stuff on Network Design in the 1999 General Sessions. Look at the bottom half of the grid on that page. BTW - I AM including links to the Power Sessions. If I'm missing anything that you have a link for, let me know!

Karen

Networkers 1998 --
General Networking Topics: http://www.cisco.com/networkers/presentations/general/index.html
Layer 3: http://www.cisco.com/networkers/presentations/layer3/index.html
Dial-Access: http://www.cisco.com/networkers/presentations/dialaccess/index.html
Voice: http://www.cisco.com/networkers/presentations/voice/index.html
Security: http://www.cisco.com/networkers/presentations/security/index.html
QoS / Multimedia: http://www.cisco.com/networkers/presentations/qos/index.html
Net Management: http://www.cisco.com/networkers/presentations/netmanagement/index.html
IBM: http://www.cisco.com/networkers/presentations/ibm/index.html

Networkers General Session (except 1998) --
1999: http://www.cisco.com/networkers/nw99_pres/index.htm
2000: http://www.cisco.com/networkers/nw00/pres/pdf2000.htm
2001: http://www.cisco.com/networkers/nw01/pres/
2002: http://www.cisco.com/networkers/nw02/post/presentations.html

Networkers 2000 Power Sessions --
#3300 ILEC Networkers Power Session: http://www.cisco.com/networkers/nw00/pres/3300/3300.htm
#3301 CLEC Networkers Power Session: http://www.cisco.com/networkers/nw00/pres/3301/3301.htm
#3302 ISP Essentials - Best Practice IOS Techniques to Scale the Internet: http://www.cisco.com/networkers/nw00/pres/3302/3302.htm
#3303 Essentials for Residential Cable ISP's: http://www.cisco.com/networkers/nw00/pres/3303/3303.htm
#3304 CCIE Power Session: http://www.cisco.com/networkers/nw00/pres/3304/3304.htm

Networkers 2001 Power Sessions --
PS-510 Content Delivery Network Essentials: http://www.cisco.com/networkers/nw01/pres/pr/510/
PS-511 Problems and Solutions for Large Scale Enterprise Network Management: http://www.cisco.com/networkers/nw01/pres/pr/511/
PS-520 Optical Technologies and Their Deployment: http://www.cisco.com/networkers/nw01/pres/pr/520/
PS-530 Enterprise IP Telephony Planning and Deployment: http://www.cisco.com/networkers/nw01/pres/pr/530/
PS-540 Router and Switch Internal Architecture and Operation: http://www.cisco.com/networkers/nw01/pres/pr/540/
PS-541 IP Multicast Networking: http://www.cisco.com/networkers/nw01/pres/pr/541/
PS-542 MPLS Technology Options and Applications: http://www.cisco.com/networkers/nw01/pres/pr/542/
PS-543 ISP Essentials Best Practice IOS Techniques to Scale the Internet (Updated): http://www.cisco.com/networkers/nw01/pres/pr/543/
PS-544 High Availability Networks: http://www.cisco.com/networkers/nw01/pres/pr/544/
PS-545 Deploying BGP for Enterprises and ISPs: http://www.cisco.com/networkers/nw01/pres/pr/545/
PS-550 Designing Secure Networks: Do's and Don'ts: http://www.cisco.com/networkers/nw01/pres/pr/550/
PS-560 Quality of Service (QoS) Essentials: http://www.cisco.com/networkers/nw01/pres/pr/560/
PS-570 CCIE Power Session: http://www.cisco.com/networkers/nw01/pres/pr/570/

Networkers 2002 Power Sessions --
PS-510 Implementing a Network Operations Center - (4.28 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-510.pdf
PS-520 Deploying 802.11 Wireless Technology - (1.49 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-520.pdf
PS-530 Building an End-to-End IP Telephony Network - (8.5 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-530.pdf
PS-540 Router Architecture and Switching - (8.61 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-540.pdf
PS-542 Network Mechanics - (4.38 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-542.pdf
PS-543 Enterprise Network Design Principles - (1.29 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-543.pdf
PS-544 Catalyst Switch Architecture and Troubleshooting - (1.89 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-544.pdf
PS-545 Deploying BGP in Enterprise and ISP Networks - (4.98 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-545.pdf
PS-550 Securing Your Enterprise Network - (1.87 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-550.pdf
PS-570 CCIE Power Session - (10.6 MB .pdf): http://www.cisco.com/networkers/nw02/presos/pws/docs/PS-570.pdf

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64653t=64652
forwarding udp broadcast over GRE tunnel [7:64654]
This sounds like a strange scenario but it is necessary. Let's say I have network A 192.168.100.0/24 and network B 10.10.10.0/24. There is an application running on a server on the network. It delivers data to clients via UDP broadcast. It can't be configured to do multicast or unicast. I have clients on network B that need to get these broadcasts. I can't afford a dedicated link like a T1, so this feed needs to go over the Internet. If I put a 2500 router on each network, could I create a GRE tunnel and forward the UDP broadcasts from network A to network B? Let's assume the application takes care of the reliability problem posed by UDP.

  net A 192.168.100.0/24
          |
       Router A
          |
      (Internet)
          |
       Router B
          |
  net B 10.10.10.0/24

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64654t=64654
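One way to wire this up, as an added example that is not from the original post: an IOS configuration for the two routers in which Router A relays the LAN broadcast as a directed broadcast to 10.10.10.255 over the GRE tunnel and Router B turns it back into a link-layer broadcast. Interface names, the tunnel addressing (172.16.0.0/30), the public addresses (PUBLIC_A, PUBLIC_B) and the application's UDP port (APP_PORT) are all assumptions to be replaced.

```cisco
! ===== Router A (net A side) =====
! Broadcasts arriving on Ethernet0 for the UDP port below are re-addressed
! to the directed-broadcast address of net B and routed through the tunnel.
interface Ethernet0
 ip address 192.168.100.1 255.255.255.0
 ip helper-address 10.10.10.255
!
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source PUBLIC_A
 tunnel destination PUBLIC_B
!
! Only relay the application's port. ip helper-address also relays a default
! set of ports (DNS, TFTP, BOOTP, NetBIOS and so on); disable each of those
! with "no ip forward-protocol udp <port>" if you do not want them crossing.
ip forward-protocol udp APP_PORT
ip route 10.10.10.0 255.255.255.0 Tunnel0

! ===== Router B (net B side) =====
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 tunnel source PUBLIC_B
 tunnel destination PUBLIC_A
!
! Directed broadcasts are dropped by default. Enable them on the LAN interface
! only for packets matched by ACL 110, so nothing else can use this router
! to flood net B.
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip directed-broadcast 110
!
access-list 110 permit udp 192.168.100.0 0.0.0.255 host 10.10.10.255 eq APP_PORT
ip route 192.168.100.0 255.255.255.0 Tunnel0
```

The GRE tunnel itself carries the feed in the clear across the Internet; if the data matters, protect the tunnel with IPsec (an extra step not shown here).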
Re: HSRP timer dispute [7:64658]
The overall bandwidth used by hello packets is negligible. The only thing I'd worry about is if the routers are really busy you may have premature failovers. This is probably not very likely but would be the only valid argument I could see against changing the timers' default value.

Vajira Wijesinghe wrote in message news:[EMAIL PROTECTED]

Hi group,

Let me apologise first for forwarding this stupid question as a networking engineer. But I need you guys' answers just to show to my client who does not believe what I'm saying.

We have two 6509's connected by a 4-gig EtherChannel and configured HSRP groups in them for the default gateway redundancy of each VLAN. As you all know, the default hello time is 3 sec and hold time is 10 sec. I have reconfigured these timers to hello 1 sec and hold 4 sec. Now the client is unhappy because effectively I have increased the rate of hello packet sending by 3 times. He is worrying about the amount of hello traffic I have infused into this gigabit network.

Does any one of you have any comment?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64659t=64658
NAT on PIX [7:64476]
Hey Guys.

These questions are regarding NAT in reference to PIX only.

1) Static NAT works both ways. From outside to inside and vice versa. However, you need an access-list configured if you are accessing from a lower-security interface to a higher-security one.

2) Dynamic NAT on the contrary doesn't work both ways. Connections can be initiated only from one interface to another and the other can only reply statefully. Am I right? Eg: If I configure an internal network (10.0.1.0) to translate to 64.4.4.10-64.4.4.30, 30 connections can be initiated towards the Internet and they would work fine. Replies can be sent back to those initiated connections but no connections can be initiated from the Internet to the internal network. Hence, I call it stateful.

Am I right about this full statement?

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64476t=64476
PATCH PANEL stuff [7:64503]
Hey Guys,

In my wiring closet, I have about 3 racks and about 10 patch panels (the racks have capacity for at least 30 PPs). I need to move a patch panel out and to the rack next to the one it currently is on. What is the best way to do this? Do I have to follow this kind of procedure:

- remove all the cables connected to the back of this patch panel and then label the cables
- move the patch panel to the other rack
- looking at the labels, again punch down these cables to their appropriate locations

Would this be the normal way of doing it? Or can I simply unscrew the patch panel from the rack and then somehow move it, with the cables still connected, to the other rack? This way, the cables won't be sorted as well as they would be normally but it should be ok I think..

My other question is how long does it take on average to punch down a single cable (4 pairs) onto the back of the patch panel? I've never done it, though I think after I buy the tools, I would be able to figure it out. Please give me an approximation. For eg. making a straight cable takes about 4-6 minutes.

Thx
Sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64503t=64503
daron.wilson@lhmorris.com [7:64504]
Hey Daron,

Thanks for that wonderful reply. I however am confused about the wire ladder. What part is that exactly? I wish to move this patch panel not to a location on the same rack but another rack. I hope your idea works out for me.

thx, sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64504t=64504
creating console cable for cs11152 [7:64368]
Has anyone done this before? I have a few CSS but don't have the adapters for console ports. I'm hoping I can create my own cable using Cat5. If someone could enlighten me on how to do this that'd be great.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64368t=64368
Re: Direcway DSL via satellite and the VPN [7:64390]
Try lowering the MTU on your Windows machine. The parameter is in the registry.

DJ W wrote in message news:[EMAIL PROTECTED]

I am trying to find anyone who has successfully configured the Windows Checkpoint VPN client accessing a Citrix site over a Direcway satellite DSL. When I run the client, it appears as though we lose the connection to the Internet. Direcway and Checkpoint are baffled and claim to have never heard about the issue. Any constructive input is welcome!

Dave

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64392t=64390
Re: creating console cable for cs11152 [7:64368]
Actually it's not. You need a special adapter to console into these switches. They come with them but I only have 1, I need 4. On Cisco's site they have the following but it looks like a typo:
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_guide_chapter09186a00800df9d6.html#xtocid3
If you look at the table they have RXD and DSR both going to pin 3.

Scott Roberts wrote in message news:[EMAIL PROTECTED]

The console port is identical to every other Cisco router (EIA-232, 9600 baud).
http://www.cisco.com/en/US/products/hw/accessor/ps107/products_tech_note09186a0080094ce6.shtml

scott

Sam Sneed wrote in message news:[EMAIL PROTECTED]

Has anyone done this before? I have a few CSS but don't have the adapters for console ports. I'm hoping I can create my own cable using Cat5. If someone could enlighten me on how to do this that'd be great.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64399t=64368
Re: creating console cable for cs11152 [7:64368]
When I plug the rollover cable that I use for routers into a router's console, it works. When I plug it into the CSS11152 console it doesn't work. When I use the CS11152 adapter on the rollover it does work. What I'm trying to figure out is what I have to do to a Cat5 cable to make it work without the CSS11152 adapter.

Scott Roberts wrote in message news:[EMAIL PROTECTED]

Hopefully this time Priscilla doesn't chastise me for helping out with CCO material!! ;)

The link you supplied clearly states that it's 9600 baud RS-232 and the table below it doesn't say anything in regards to pinouts for any console port. The RS-232 specification IS the pinout specification.

CSS 11050 Front Panel Connectors and LEDs

All front panels of the CSS 11050 models contain connectors and LEDs that vary according to their model number. For example, the CSS 11051 in Figure 2-3 has:
a. 1 RS-232 Console connector (9600 baud)
b. 1 RS-232 Diag connector, reserved for field service use only (115,200 baud)
c. 8 10/100-Mbps auto-sensing Fast Ethernet connectors and their associated Link/Activity status, 10/100 (Mbps), and Duplex (Half or Full) LEDs
d. Power, Status, and Ready LEDs

Sam Sneed wrote in message news:[EMAIL PROTECTED]

Actually it's not. You need a special adapter to console into these switches. They come with them but I only have 1, I need 4. On Cisco's site they have the following but it looks like a typo:
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_installation_guide_chapter09186a00800df9d6.html#xtocid3
If you look at the table they have RXD and DSR both going to pin 3.

Scott Roberts wrote in message news:[EMAIL PROTECTED]

The console port is identical to every other Cisco router (EIA-232, 9600 baud).
http://www.cisco.com/en/US/products/hw/accessor/ps107/products_tech_note09186a0080094ce6.shtml

scott

Sam Sneed wrote in message news:[EMAIL PROTECTED]

Has anyone done this before? I have a few CSS but don't have the adapters for console ports. I'm hoping I can create my own cable using Cat5. If someone could enlighten me on how to do this that'd be great.

Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64412t=64368
2 questions [7:64263]
1) Do some private networks use public IPs sometimes in their router configurations, etc.? Or is that rare?

2) Can I use my PIX as a router? I simply want to connect two networks, 10.1.1.0 and 192.168.1.0, to two Ethernet ports on the PIX and do routing between them. I don't want to use any NAT, etc. Can I do that?

thank you.
Sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64263t=64263
PIX question [7:64289]
e0 (outside) 64.5.5.1 (Internet IP)
e2 (dmz) 172.16.1.50

I issued this command:

static (dmz,outside) 64.5.5.10 172.16.1.50

1) This means that outside hosts would be able to telnet to 64.5.5.10 and they would in turn be actually accessing 172.16.1.50. Of course I would have the access list configured.

2) Does it also mean that when 172.16.1.50 accesses websites, the websites would log the IP 64.5.5.10 or 172.16.1.50?

When I tried out the above, condition 1 above is working fine. Condition 2 doesn't seem to work. The hosts are actually logging the actual IP 172.16.1.50 while I was under the impression that the IP logged would be 64.5.5.10.

Any ideas?

Thank You

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64289t=64289
Switch Port Traffic [7:64105]
Is there any way to find out what kind of traffic is passing through a switch port in terms of input/output packets? Or some kind of historical traffic statistics? Or if I could set up an smtp monitoring station. Anything would do... I need some ideas.

Sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=64105t=64105
Practice Labs [7:63902]
Hey there.

I have access to a 65xx, 55xx and another layer 2 switch. I wish to try my hands on sample labs and practice some stuff. I have already done things like end-to-end VLANs. What else can I try?

Thanks
Sam

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63902t=63902
Re: CS11152 MIB's [7:63300]
Got 'em. Thanks a lot.

John Neiberger wrote in message news:[EMAIL PROTECTED]

I believe the MIBs are on the CSS itself. Use an FTP client to browse the box and you'll find them somewhere. I'm at home at the moment and I can't remember which directory they're in, but it seems like it's fairly clear when you see it.

John

Sam Sneed wrote in message news:[EMAIL PROTECTED]

Anyone know where I can download these? I couldn't find them on the Cisco site. I'd like to get CPU stats on my CSS11152 via SNMP.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=63383t=63300
Re: Switch Port [7:63275]
You need to change the speed first, then you can change the duplex. It has to be in that order.

SamN wrote in message news:[EMAIL PROTECTED]...
switch1 (enable) set port duplex 6/8 half
Port 6/8 is in auto-sensing mode.

The above switch is a 6500. As I understand, the ports can be set to full, half or auto, but when I try setting it to half, it doesn't allow me to.

thank you

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63279&t=63275
Re: Firewall/PIX help.... [7:63167]
PIX does not have antivirus, IDS, or content filtering built in. I don't think I know of any hardware-based firewalls that do. You may have to look into a software-based solution. Maybe Computer Associates or Symantec make such a suite.

Gunjan Mathur wrote in message news:[EMAIL PROTECTED]...
Hi, I'm looking for a firewall solution for my company. We have two WAN connections and currently my users are connected through two proxy machines to the Internet. Which PIX model would serve the needs? I also need content filtering, intrusion detection and anti-virus protection on the firewall itself. Are all these things possible on PIX?

TIA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63280&t=63167
clearing conduit [7:63278]
Let's say you are administering a PIX remotely. You SSH into a machine on the PIX's internal network and from there you telnet into the PIX. Security is via conduits and it might look like this:

conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any

Now I want to put

conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any

in between the top 2 statements. Why it needs to be there is not important; this is a theoretical question. How can I do this without blocking myself out of the PIX? I imagine I would have to do a clear conduit and then enter the whole new list in again, since you can't add a statement in the middle of a conduit. Once I do clear conduit I'd suspect I'd be blocked out before I can add the new conduit. Is this true? I know I could probably use access-lists to do this, but I'm speaking strictly about conduits when I ask this question. The main question is: if I'm administering the PIX remotely and need to add a conduit anywhere except the end of the list, then how can I do that without locking myself out?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63278&t=63278
Re: clearing conduit [7:63278]
I've thought of this and will have this in place as well. So then I guess that there is no way to add to the middle of a conduit without locking yourself out.

Daniel Cotts wrote in message news:[EMAIL PROTECTED]...
Look at the problem from another direction. How about a modem connected to a terminal server. The TS connects to the PIX console port. That way your connection is out-of-band. I'd agree that the modem should be powered off except when needed. Local admin staff would have to hit the big red switch.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 18, 2003 11:32 AM
To: [EMAIL PROTECTED]
Subject: clearing conduit [7:63278]

Let's say you are administering a PIX remotely. You SSH into a machine on the PIX's internal network and from there you telnet into the PIX. Security is via conduits and it might look like this:

conduit permit tcp 192.168.43.0 255.255.255.255 eq 22 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 80 any
conduit permit tcp 192.168.43.0 255.255.255.255 eq 443 any

Now I want to put

conduit permit tcp 192.168.43.0 255.255.255.255 eq 21 any

in between the top 2 statements. Why it needs to be there is not important; this is a theoretical question. How can I do this without blocking myself out of the PIX? I imagine I would have to do a clear conduit and then enter the whole new list in again, since you can't add a statement in the middle of a conduit. Once I do clear conduit I'd suspect I'd be blocked out before I can add the new conduit. Is this true? I know I could probably use access-lists to do this, but I'm speaking strictly about conduits when I ask this question. The main question is: if I'm administering the PIX remotely and need to add a conduit anywhere except the end of the list, then how can I do that without locking myself out?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63288&t=63278
CS11152 MIB's [7:63300]
Anyone know where I can download these? I couldn't find them on the Cisco site. I'd like to get CPU stats on my CSS11152 via SNMP.

thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63300&t=63300
Re: Dropped Packet on 6506 switch [7:63053]
If the port is not connected, why would it attempt to send unicast packets through it? Passing packets to a switchport in the disconnected state would not make sense. I imagine that the logic built into the switch would not do this. I have other switches, Extreme Networks, that do not register any dropped packets for unplugged interfaces. Neither do Cisco 2924XL or 3548XL. I believe for some reason it's dropping valid packets. It would be hard to confirm this, but it seems TCP connections are being dropped on some servers.

Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
If nothing's plugged in, it has to drop the packets!?! :-) Are you sure this isn't normal? Being a switch, it shouldn't be sending any unicasts out the port, because it couldn't have learned a MAC address that is out that port, but it could still send broadcasts and multicasts. Sorry if that's a clueless answer, but it is a common sense answer from someone who doesn't work with 6505 switches.. :-)

Priscilla

Sam Sneed wrote:
I'm not sure what you mean by hybrid mode. I have the sh ver, sh mod, sh ver for MSFC and below. I have nothing plugged into at least 3 ports which still report dropped packets. 800,000 daily. What's strange is that the 800,000 is almost the same on all 3 ports. I have disabled them since then but would like to know why I was getting those numbers. The MSFC does the layer 3 routing, but the dropped packets were at L2 I believe. Any ideas?
Console1 sh ver
WS-C6509 Software, Version NmpSW: 7.1(2)
Copyright (c) 1995-2002 by Cisco Systems
NMP S/W compiled on Feb 7 2002, 16:06:00
System Bootstrap Version: 5.3(1)
Hardware Version: 2.0  Model: WS-C6509  Serial #:
PS1 Module: WS-CAC-2500W  Serial #:
PS2 Module: WS-CAC-1300W  Serial #:

Mod Port Model              Serial #     Versions
--- ---- ------------------ ------------ ----------------------------------------------------------
1   2    WS-X6K-SUP1A-2GE   SA           Hw : 3.1  Fw : 5.3(1)  Fw1: 5.1(1)CSX  Sw : 7.1(2)  Sw1: 7.1(2)
         WS-F6K-PFC         S            Hw : 1.1
2   2    WS-X6K-SUP1A-2GE   SAxx         Hw : 3.1  Fw : 5.3(1)  Fw1: 5.1(1)CSX  Sw : 7.1(2)  Sw1: 7.1(2)
         WS-F6K-PFC         Sxx          Hw : 1.1
3   48   WS-X6348-RJ-45     SAx          Hw : 1.4  Fw : 5.4(2)  Sw : 7.1(2)
4   48   WS-X6348-RJ-45                  Hw : 6.0  Fw : 5.4(2)  Sw : 7.1(2)
         WS-F6K-VPWR                     Hw : 1.0
5   48   WS-X6348-RJ-45     SAL0422      Hw : 6.0  Fw : 5.4(2)  Sw : 7.1(2)
         WS-F6K-VPWR                     Hw : 1.0
6   16   WS-X6416-GBIC      SAx0JUW      Hw : 1.2  Fw : 5.4(2)  Sw : 7.1(2)
7   48   WS-X6248-TEL       SAD0x48      Hw : 1.0  Fw : 4.2(0.24)VAI78  Sw : 7.1(2)
8   48   WS-X6248A-TEL      SADxx0S      Hw : 2.0  Fw : 5.4(2)  Sw : 7.1(2)
9   48   WS-X6248A-TEL      SADxxRZ      Hw : 2.0  Fw : 5.4(2)  Sw : 7.1(2)
15  1    WS-F6K-MSFC        SAD04xx0DSF  Hw : 1.4  Fw : 12.1(3a)E4  Sw : 12.1(3a)E4
16  1    WS-F6K-MSFC        SAD04xx0BHV  Hw : 1.4  Fw : 12.1(3a)E4  Sw : 12.1(3a)E4

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used   Free    Total  U
------ ------- ------- ------- ------- ------ ------- ------ -
1      65408K  44172K  21236K  16384K  9786K  6598K   512K

Uptime is 352 days, 4 hours, 30 minutes

Console1 sh mod
Mod Slot Ports Module-Type               Model              Sub Status
--- ---- ----- ------------------------- ------------------ --- ------
1   1    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE   yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC        no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-SUP1A-2GE   yes standb
16  2    1     Multilayer Switch Feature WS-F6K-MSFC        no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45
Re: Dropped Packet on 6506 switch [7:63053]
There are no static routes to these ports. I guess I am in hybrid mode. I need to enter the session 15 command to connect to the router module. Then it's the IOS interface. The dropped packets don't appear when doing sh int on the router. I'm starting to wonder if it could be a bad card.

The Long and Winding Road wrote in message news:[EMAIL PROTECTED]...
Priscilla Oppenheimer wrote in message news:[EMAIL PROTECTED]...
If nothing's plugged in, it has to drop the packets!?! :-) Are you sure this isn't normal? Being a switch, it shouldn't be sending any unicasts out the port, because it couldn't have learned a MAC address that is out that port, but it could still send broadcasts and multicasts. Sorry if that's a clueless answer, but it is a common sense answer from someone who doesn't work with 6505 switches.. :-)

not at all clueless. I did not see a spot among all the show outputs where packets dropped is indicated. I'm thinking show interface. I'm also thinking that maybe there are static routes pointing out those ports, and someone somewhere is generating traffic destined for those ports. Maybe the author of the original post could supply some more specific information - such as extensive outputs from the show run??

for those unfamiliar with the higher end boxes, hybrid mode refers to running Cat OS and IOS on the same box. The lower end boxes - 2950, 3550, and 4xxx with sup 3 or better - run IOS native mode. cat 4xxx with the sup 2 run Cat OS mode. 65xx without the MSFC card run Cat OS mode. Add the MSFC card, and you have hybrid mode. unless something has changed recently, you cannot run a 65xx in native IOS mode only - it has to be an L2 box alone, or a hybrid box, running IOS and Cat OS.

Priscilla

Sam Sneed wrote:
I'm not sure what you mean by hybrid mode. I have the sh ver, sh mod, sh ver for MSFC and below. I have nothing plugged into at least 3 ports which still report dropped packets. 800,000 daily. What's strange is that the 800,000 is almost the same on all 3 ports. I have disabled them since then but would like to know why I was getting those numbers. The MSFC does the layer 3 routing, but the dropped packets were at L2 I believe. Any ideas?
Dropped Packet on 6506 switch [7:63053]
Hello,

I'm seeing strange things on a 6500 switch. I see dropped packets and interface errors on interfaces with no servers plugged in. These are of significant amounts and I believe it is causing problems. We're talking about 800,000 in 24 hours. Does anyone have any idea why this happens on interfaces that aren't even active? This switch has a layer 3 sup1a card that does the routing for it.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63053&t=63053
Re: Dropped Packet on 6506 switch [7:63053]
-on Bridging software.
X.25 software, Version 3.0.0.
6 Virtual Ethernet/IEEE 802.3 interface(s)
123K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.
16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x102

6509

MADMAN wrote in message news:[EMAIL PROTECTED]...
Not real clear on your description. You see dropped packets on interfaces with nothing plugged in!? Since you refer to the 6500 as a switch I assume you're running hybrid mode. You also mention there is an MSFC. I ASSume again that you're seeing drops on the L2 interface, but with nothing plugged into it is a bit strange indeed! Can you send more info?

Dave

Sam Sneed wrote:
Hello, I'm seeing strange things on a 6500 switch. I see dropped packets and interface errors on interfaces with no servers plugged in. These are of significant amounts and I believe it is causing problems. We're talking about 800,000 in 24 hours. Does anyone have any idea why this happens on interfaces that aren't even active? This switch has a layer 3 sup1a card that does the routing for it.

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications
612-664-3367

You don't make the poor richer by making the rich poorer. --Winston Churchill

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63066&t=63053
Re: CS11152 port channel? [7:62831]
Just heard from Cisco and this is not possible. They're looking to implement it in future releases.

Sam Sneed wrote in message news:[EMAIL PROTECTED]...
I want to connect a CS11152 to a Cisco switch. I want to have over 100MB over the link. Is there any way to do the equivalent of port channeling on 2 links?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62896&t=62831
Re: Internet Connections [7:62863]
If both links go to the same provider, they're the ones responsible for returning traffic. Contact them and I'm sure they could help you out.

DeVoe, Charles (PKI) wrote in message news:[EMAIL PROTECTED]...
I have a class B network subnetted using a 21 bit mask. This network has 2 connections to the internet: 1 is by a T3, the other is a 512K T1. Each connection to the internet comes out of a subnet, goes through a firewall, and then through a Cisco 7200 router. We have static routes in place to assure that the returning packets go to the proper firewall. I don't know for sure if the routers connecting to the internet are running BGP or something else. We have seen packets go out one interface and return on the other. I suspect that something is not right with the border routers. Any thoughts or suggestions?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62923&t=62863
CS11152 port channel? [7:62831]
I want to connect a CS11152 to a Cisco switch. I want to have over 100MB over the link. Is there any way to do the equivalent of port channeling on 2 links?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62831&t=62831
Cisco VPN client [7:62665]
I was thinking of using the Cisco VPN client for a RAS solution. I need to use digital certificates. With the MS PPTP solution, once someone has the certificate they can log in. That's all that's needed. What I want to do is have the client use a certificate and still have to be prompted for username and password to log into the VPN. This is not possible with the MS solution. Is it possible with Cisco?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62665&t=62665
Re: question [7:62655]
No, it's because Gary Crouch is god.

Disclaimer: This wise ass comment will be ironically punished with another autoreply from Gary Crouch.

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...
Is it not because he belongs to the list, and he has gracefully decided to let us know that he is out of the office until the 10th?

-----Original Message-----
From: Jason Steig [mailto:[EMAIL PROTECTED]]
Sent: 07 February 2003 18:48
To: [EMAIL PROTECTED]
Subject: RE: question [7:62655]

cause he is the moderator. he's moderating

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62666&t=62655
Re: PIX firewall simultaneous connections [7:62575]
These are TCP and UDP connections. Keep in mind that the PIX must keep a state table for these connections, so that's probably where it gets the limit from. I really can't see how you could have 2 million users internally going through 1 firewall, so I assume you mean 2 million people hitting a webserver behind the PIX. I really can't see 2 million people hitting a website at the same time going through a single PIX. But if you are big time like that you would have more than one PIX handling it.

Kenan Ahmed Siddiqi wrote in message news:[EMAIL PROTECTED]...
Hello groupies, I was reading the PIX book and it apparently said that the no. of connections supported by a PIX firewall (higher order) is 500,000. Does this mean that up to 500,000 sessions can be established, or something else? If so, what do I do if I have a throughput of say 2 million users?

Thanks in adv.
Cheers,
Kenan

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62583&t=62575
Re: Switch Port Healthy [7:62567]
No, too many errors. They are caused by having the router set to half duplex. On 2600 routers you can set the interfaces to full duplex. You should do this on the router and on the switch for that port.

Steiven Poh-(Jaring MailBox) wrote in message news:[EMAIL PROTECTED]...
Hi Group,

This port is connected to my 2600 router. Can anyone comment whether the bandwidth is healthy?

Thanks

FastEthernet0/48 is up, line protocol is up
  Hardware is Fast Ethernet, address is 000a.f477.662c (bia 000a.f477.662c)
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 2/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:06, output 00:00:00, output hang never
  Last clearing of show interface counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 82000 bits/sec, 19 packets/sec
  5 minute output rate 52000 bits/sec, 55 packets/sec
     76531109 packets input, 2985431130 bytes, 0 no buffer
     Received 4019174 broadcasts, 4440080 runts, 0 giants, 0 throttles
     4440080 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 986257 multicast, 0 pause input
     0 input packets with dribble condition detected
     139742667 packets output, 3729299934 bytes, 2417684 underruns
     0 output errors, 1999663 collisions, 1 interface resets
     0 babbles, 0 late collision, 513798 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     2417684 output buffer failures, 0 output buffers swapped out

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62586&t=62567
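As an added example (not code from the thread), a small Python parser that pulls the counters out of this kind of IOS "show interface" output and flags the half-duplex symptoms the reply points at: runts equal to input errors, collisions and deferred transmissions. SAMPLE is the FastEthernet0/48 output quoted above, trimmed to the lines the parser reads; CLEAN_SAMPLE and the thresholds in assess() are assumptions for contrast, not Cisco figures.

```python
"""Parse Cisco IOS 'show interface' output and flag duplex-related errors.

Added example for the 'Switch Port Healthy' thread (not code from the post).
SAMPLE is the FastEthernet0/48 output quoted in the thread, trimmed to the
lines used here; CLEAN_SAMPLE is constructed. Thresholds are assumptions.
"""
import re

SAMPLE = """\
FastEthernet0/48 is up, line protocol is up
  Hardware is Fast Ethernet, address is 000a.f477.662c (bia 000a.f477.662c)
  Half-duplex, 10Mb/s
  5 minute input rate 82000 bits/sec, 19 packets/sec
  5 minute output rate 52000 bits/sec, 55 packets/sec
     76531109 packets input, 2985431130 bytes, 0 no buffer
     Received 4019174 broadcasts, 4440080 runts, 0 giants, 0 throttles
     4440080 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     139742667 packets output, 3729299934 bytes, 2417684 underruns
     0 output errors, 1999663 collisions, 1 interface resets
     0 babbles, 0 late collision, 513798 deferred
"""

# Constructed: a full-duplex port with clean counters, for contrast.
CLEAN_SAMPLE = """\
FastEthernet0/1 is up, line protocol is up
  Full-duplex, 100Mb/s
     500000 packets input, 64000000 bytes, 0 no buffer
     Received 100 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     400000 packets output, 51200000 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
"""

_HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)", re.M)
_DUPLEX = re.compile(r"(Half|Full)-duplex, (\S+)")

# Counter name -> regex; IOS prints every counter as "<n> <label>".
COUNTERS = {
    "packets_input": r"(\d+) packets input",
    "runts": r"(\d+) runts",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "packets_output": r"(\d+) packets output",
    "collisions": r"(\d+) collisions",          # "late collision" has no trailing s
    "late_collisions": r"(\d+) late collision",
    "deferred": r"(\d+) deferred",
}


def parse_show_interface(text):
    """Return interface state, duplex/speed and the counters listed above."""
    hdr = _HEADER.search(text)
    if hdr is None:
        raise ValueError("not 'show interface' output")
    stats = {"interface": hdr.group(1), "status": hdr.group(2),
             "protocol": hdr.group(3), "duplex": None, "speed": None}
    dup = _DUPLEX.search(text)
    if dup:
        stats["duplex"], stats["speed"] = dup.group(1), dup.group(2)
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else 0   # absent counter: treat as 0
    return stats


def assess(stats, max_error_ratio=0.001, max_collision_ratio=0.01):
    """Judge port health from the parsed counters (thresholds are assumed)."""
    findings = []
    pin, pout = stats["packets_input"], stats["packets_output"]
    error_ratio = stats["input_errors"] / pin if pin else 0.0
    collision_ratio = stats["collisions"] / pout if pout else 0.0

    if error_ratio > max_error_ratio:
        findings.append(f"input errors on {error_ratio:.2%} of input packets")
    if stats["runts"] and stats["runts"] == stats["input_errors"]:
        # Every bad frame is a runt: collision fragments, not line noise.
        findings.append("all input errors are runts (collision fragments)")
    if stats["duplex"] == "Half" and collision_ratio > max_collision_ratio:
        findings.append(f"half duplex with collisions on "
                        f"{collision_ratio:.2%} of output packets")
    if stats["duplex"] == "Half" and stats["deferred"]:
        findings.append(f"{stats['deferred']} deferred transmissions "
                        "(waiting for a busy half-duplex medium)")
    if stats["late_collisions"]:
        findings.append("late collisions: duplex mismatch or over-long segment")
    if stats["crc"]:
        findings.append("CRC errors: check cabling or the far-end duplex setting")

    return {"interface": stats["interface"], "healthy": not findings,
            "input_error_ratio": error_ratio,
            "collision_ratio": collision_ratio, "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE, CLEAN_SAMPLE):
        report = assess(parse_show_interface(sample))
        print(report["interface"], "healthy" if report["healthy"] else "UNHEALTHY")
        for finding in report["findings"]:
            print("  -", finding)
```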
Re: More PIX fun and games :) [7:62605]
Do you have the hardware to support an upgrade?

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...
Hi all, Another thing I found that is disturbing about the PIX is that I can't seem to do port redirection on it (5.1(5)). I found a document that says you can from 6.0 onwards, but what do the zillions of people who had/have a PIX with less than 6.0 code do when they need to do some port redirection? I wanted to redirect incoming SMTP to a DMZ box on port 2500 (it has another SMTP server on port 25).

Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62606&t=62605
Re: PIX Licensing [7:62233]
A failover PIX will reload every 24 hours until the primary is back up.

J.D. Chaiken wrote in message news:[EMAIL PROTECTED]...
Hi, Maybe this is a naive question, but if the primary PIX goes down and fails over to the failover PIX, doesn't that make it a standalone unit? What makes the failover a failover? Did Cisco completely disable the console port so the only way to configure it is with write standby?

Jarett

Claudio Spescha wrote in message news:[EMAIL PROTECTED]...
Hi, In a PIX 515 with restricted license you can have a max of 3 interfaces, with a PIX 515 unrestricted license up to 6 interfaces. For failover you always need an unrestricted license. You can not run a PIX with failover license as a standalone box. A PIX with failover license is only a quarter of the price of a standalone PIX. With show version you can see what type of license you have.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62543&t=62233
Re: List of ip protocols [7:62460]
more /etc/protocols has some:

ip          0   IP          # internet protocol, pseudo protocol number
icmp        1   ICMP        # internet control message protocol
ggp         3   GGP         # gateway-gateway protocol
tcp         6   TCP         # transmission control protocol
egp         8   EGP         # exterior gateway protocol
pup         12  PUP         # PARC universal packet protocol
udp         17  UDP         # user datagram protocol
hmp         20  HMP         # host monitoring protocol
xns-idp     22  XNS-IDP     # Xerox NS IDP
rdp         27  RDP         # reliable datagram protocol
#
# Internet (IPv6) extension headers
#
ipv6        41  IPv6        # IPv6 in IP encapsulation
ipv6-route  43  IPv6-Route  # Routing header for IPv6
ipv6-frag   44  IPv6-Frag   # Fragment header for IPv6
esp         50  ESP         # Encap Security Payload for IPv6
ah          51  AH          # Authentication Header for IPv6
ipv6-icmp   58  IPv6-ICMP   # IPv6 internet control message protocol
ipv6-nonxt  59  IPv6-NoNxt  # No next header extension header for IPv6
ipv6-opts   60  IPv6-Opts   # Destination Options for IPv6

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...
Hi all, Does anyone know of a reference list of IP protocols and their numbers? For example gre = 47, tcp = 6? Etc.

Cheers,
Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62468&t=62460
Re: VPN Gateway and Firewall [7:62358]
Inside the firewall. I haven't worked with the concentrators before, but have used a Cisco router for RAS VPN. All it needs is one interface for this function, real nice. Putting it behind the FW ensures only stateful TCP sessions are used and protects it from outsiders.

Paulo Roque wrote in message news:[EMAIL PROTECTED]...
Hi all, I have a Checkpoint FW-1 and a VPN concentrator in a new design. Where is the best place to put the VPN concentrator relative to the firewall?
a) before the firewall (in the outside network)
b) after the firewall (in the inside network)
c) in parallel with the firewall
d) in a separate firewall interface

Paulo
--
Eng. Paulo Roque
Network Engineer
Cisco Certified Network Associate
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62360&t=62358
bridging over WAN link [7:62362]
Let's say I have 1 office that I will be connecting to another via a T1 link. I want to use only 1 subnet, so basically I want the 2 offices to behave as if they are switched, not routed. Is this possible with Cisco routers?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62362&t=62362
Thanks Gary [7:62364]
In case anyone didn't hear yet, Gary's gonna be out of the office for another week.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62364&t=62364
Re: CCIE Self-Employment [7:62367]
The 1099 is an easy way to go but you lose out on a lot of tax breaks. I'm a 1099 now and am kicking myself in the ass for not setting up as a small business. I'm working in NYC now. $6 just to take the bridge into NYC from Jersey and $25 a day parking. Never mind 40 minutes each way in traffic to commute 10 miles. If you're set up as a small business you have more flexibility in writing off expenses like these.

Chuck Church wrote in message news:[EMAIL PROTECTED]...
Yes. Money will depend on your skill level with both Cisco and other products as well, such as Unix, NW, MS, etc. It could be $30/hour, could be $100. Location is probably almost as important. NYC pays pretty well, but it costs $50 to park a car for 4 hours! The thing about consulting like this is you need to be a salesperson at times. Personally, I hate salespeople, and therefore don't make a good one myself. There's also more responsibility, as far as finding your own insurance, paying taxes, etc. If you can find a headhunter who will place you as a 1099 employee, that's usually pretty good, but I haven't heard from my headhunter in months :( I was on an indefinite project for a year, but that ended when they outsourced. Since then it's all been small projects, mostly complicated installs involving layer 3 switching. It's a tough market, and getting a name for yourself can be difficult. Personally, I'm looking for a full time position now.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: Jay Greenberg
To: ;
Sent: Monday, February 03, 2003 12:14 PM
Subject: CCIE Self-Employment

Any CCIEs on the list in business for themselves? What's the money like, what sort of companies do you work for? Do you do short-term or long term contracts? Hourly work?

Thanks,
--
Jason Greenberg, CCIE #11021

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62371&t=62367
Re: PIX and Trunk [7:62383]
No, PIX doesn't support subinterfaces or secondary interfaces either. Subinterfaces are required for trunking on routers.

Paulo Roque wrote in message news:[EMAIL PROTECTED]...
Hi all, Does PIX support VLAN trunking?

Paulo
--
Eng. Paulo Roque
Network Engineer
Cisco Certified Network Associate
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62384&t=62383
Re: CCIE or a masters degree? [7:62287]
Oh well. If I ever get it working I'll post the configs and an explanation.

 wrote in message news:[EMAIL PROTECTED]...
sorry, I don't know mate :( not my strong point dude!

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: 31 January 2003 21:55
To: [EMAIL PROTECTED]
Subject: CCIE or a masters degree? [7:62287]

I was wondering, should I go for... haha, fooled you. If it takes trickery to get this question answered, so be it. Don't take this post the wrong way...

I have a 3600 router that currently supports PPTP Win2K clients using the Win2K client. I do not want to use the Cisco client for VPN. What I am trying to do is authenticate using digital certificates. The cert server is a Win2K certificate server. I used an MS machine as VPN server with certificates and it works. I now need to get the Cisco router to do the same. Currently VPN users connect to the 3640 router and are authenticated via IAS using domain logons, and it works fine this way. Has anyone implemented this? The router has a certificate and it all looks OK. I'm not sure how to configure the router to use digital certificates to authenticate the users instead of username/password. When I try to log in I get "verifying username and password" and then error 619: the specified port is not connected.

Here is the config:

aaa new-model
aaa authentication login default group tacacs+ local line none
aaa authentication ppp default group radius
aaa authorization network default group radius none
enable secret 5 $1$2MGM$ttPEfWBYGVf.Hc78TEuwn0
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
!
!
crypto ca identity mscert
 enrollment mode ra
 enrollment url http://99.17.4.20:80/certsrv/mscep/mscep.dll
crypto ca certificate chain mscert
 certificate 61285CC90004
  ...
  ...
  1CAC37AB 61BDC6
  quit
 certificate ra-sign 6144F5320002
  ..
  quit
 certificate ra-encrypt 6144F7EF0003
  .
  .
 certificate ca 1B36F87430D2D4AC47DC9C0E1C4D9320
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip mroute-cache
 no keepalive
 peer default ip address pool vpn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap
 ppp timeout authentication 5
!
ip local pool vpn 123.17.10.31 123.17.10.254
.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62316&t=62287
Re: VPN with Cisco router and digital certificates [7:62213]
I guess no one has ever set this up before.

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

I have a 3600 router that currently supports PPTP Win2K clients using the Win2K client. I do not want to use the Cisco client for VPN. What I am trying to do is authenticate using digital certificates. The cert server is a Win2K certificate server. I used an MS machine as VPN server with certificates and it works. I now need to get the Cisco router to do the same. Currently VPN users connect to the 3640 router and are authenticated via IAS using domain logons, and it works fine this way. Has anyone implemented this? The router has a certificate and it all looks OK. I'm not sure how to configure the router to use digital certificates to authenticate the users instead of username/password. When I try to log in I get "verifying username and password" and then error 619: the specified port is not connected.

Here is the config:

aaa new-model
aaa authentication login default group tacacs+ local line none
aaa authentication ppp default group radius
aaa authorization network default group radius none
enable secret 5 $1$2MGM$ttPEfWBYGVf.Hc78TEuwn0
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
!
!
crypto ca identity mscert
 enrollment mode ra
 enrollment url http://99.17.4.20:80/certsrv/mscep/mscep.dll
crypto ca certificate chain mscert
 certificate 61285CC90004
  ... ... 1CAC37AB 61BDC6
  quit
 certificate ra-sign 6144F5320002
  ..
  quit
 certificate ra-encrypt 6144F7EF0003
  . .
 certificate ca 1B36F87430D2D4AC47DC9C0E1C4D9320
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip mroute-cache
 no keepalive
 peer default ip address pool vpn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap
 ppp timeout authentication 5
!
ip local pool vpn 123.17.10.31 123.17.10.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62278t=62213
CCIE or a masters degree? [7:62287]
I was wondering, should I go for... haha, fooled you. If it takes trickery to get this question answered, so be it. Don't take this post the wrong way...

I have a 3600 router that currently supports PPTP Win2K clients using the Win2K client. I do not want to use the Cisco client for VPN. What I am trying to do is authenticate using digital certificates. The cert server is a Win2K certificate server. I used an MS machine as VPN server with certificates and it works. I now need to get the Cisco router to do the same. Currently VPN users connect to the 3640 router and are authenticated via IAS using domain logons, and it works fine this way. Has anyone implemented this? The router has a certificate and it all looks OK. I'm not sure how to configure the router to use digital certificates to authenticate the users instead of username/password. When I try to log in I get "verifying username and password" and then error 619: the specified port is not connected.

Here is the config:

aaa new-model
aaa authentication login default group tacacs+ local line none
aaa authentication ppp default group radius
aaa authorization network default group radius none
enable secret 5 $1$2MGM$ttPEfWBYGVf.Hc78TEuwn0
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
!
!
crypto ca identity mscert
 enrollment mode ra
 enrollment url http://99.17.4.20:80/certsrv/mscep/mscep.dll
crypto ca certificate chain mscert
 certificate 61285CC90004
  ... ... 1CAC37AB 61BDC6
  quit
 certificate ra-sign 6144F5320002
  ..
  quit
 certificate ra-encrypt 6144F7EF0003
  . .
 certificate ca 1B36F87430D2D4AC47DC9C0E1C4D9320
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip mroute-cache
 no keepalive
 peer default ip address pool vpn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap
 ppp timeout authentication 5
!
ip local pool vpn 123.17.10.31 123.17.10.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62287t=62287
Re: what the h... - strange problem - Cisco doesn't like [7:62180]
Yes. As long as Charles knows he's not doing any filtering within his architecture, the filtering must be done at his ISP. But like I said earlier, the only way to be sure is running debug on the router and tcpdump on the host while downloading, to see where the packets are dropped.

Mossburg, Geoff (MAN-Corporate) wrote in message news:[EMAIL PROTECTED]...

When you say "sounds like someone's content filtering upstream", are you talking about the frame provider?

Geoff Mossburg

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 5:50 PM
To: [EMAIL PROTECTED]
Subject: Re: what the h... - strange problem - Cisco doesn't like [7:62149]

That hub doesn't know the difference between the various file name extensions and neither does the router. UNIX comes with tcpdump so there's no need to load the sniffer. Also run the debug command on the router to see if the packets are going through it, if you don't see them getting to the UNIX box in the tcpdump output. Sounds like someone's content filtering upstream. Most admins will block .zip and .exe but aren't concerned with the UNIX .tar and .gz variants. You'll know this for sure when you run the debug command on the router.

Charles Riley wrote in message news:[EMAIL PROTECTED]...

Sorry, should have mentioned. I get the same result whether the user system is UNIX, Mac, or Windows... it plays havoc with .exe and .zip. That is a good suggestion, though, about the sniffer... that is about the only thing I haven't tried yet. The Kmart bluelight special hub is making me a little suspicious...

Thanks,
Charles

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

Load a packet sniffer on the laptop and see what really happens. If you don't have one I know of a good free one. You install libpcap first, reboot and then install Analyzer.

http://winpcap.polito.it/install/default.htm
http://analyzer.polito.it/install/default.htm

Then you can see if the packets are coming back to you and if Windows is dropping them for some reason.

Charles Riley wrote in message news:[EMAIL PROTECTED]...

I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:

Internet---2500---AS5300---D/U Users

Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded. We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked. The connection works great... email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Windows. For example, they can download the .gz/tar and .sft files for an SSH client, but cannot download its .exe or .zip counterpart for Windows! Take the same .exe and .zip file, rename it with a UNIX or Mac filename extension, and you can download it. Surprisingly enough, the problem does not lie with the users. I took a clean laptop to the site, and encountered the same results. Has anyone ever experienced a problem like this? Could this be a bug in the IOS on the 2500? Any suggestions would be welcome.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62180t=62180
VPN with Cisco router and digital certificates [7:62213]
I have a 3600 router that currently supports PPTP Win2K clients using the Win2K client. I do not want to use the Cisco client for VPN. What I am trying to do is authenticate using digital certificates. The cert server is a Win2K certificate server. I used an MS machine as VPN server with certificates and it works. I now need to get the Cisco router to do the same. Currently VPN users connect to the 3640 router and are authenticated via IAS using domain logons, and it works fine this way. Has anyone implemented this? The router has a certificate and it all looks OK. I'm not sure how to configure the router to use digital certificates to authenticate the users instead of username/password. When I try to log in I get "verifying username and password" and then error 619: the specified port is not connected.

Here is the config:

aaa new-model
aaa authentication login default group tacacs+ local line none
aaa authentication ppp default group radius
aaa authorization network default group radius none
enable secret 5 $1$2MGM$ttPEfWBYGVf.Hc78TEuwn0
vpdn enable
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group 2
!
!
crypto ca identity mscert
 enrollment mode ra
 enrollment url http://99.17.4.20:80/certsrv/mscep/mscep.dll
crypto ca certificate chain mscert
 certificate 61285CC90004
  ... ... 1CAC37AB 61BDC6
  quit
 certificate ra-sign 6144F5320002
  ..
  quit
 certificate ra-encrypt 6144F7EF0003
  . .
 certificate ca 1B36F87430D2D4AC47DC9C0E1C4D9320
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip mroute-cache
 no keepalive
 peer default ip address pool vpn
 ppp encrypt mppe 128 required
 ppp authentication ms-chap
 ppp timeout authentication 5
!
ip local pool vpn 123.17.10.31 123.17.10.254

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62213t=62213
debug commands [7:62107]
If I want to see all IP traffic from host 10.10.10.1 on a Cisco router, what would the debug command look like? I looked at the help menu and I think it's "debug ip packet", but then the options are:

  Access list
  Access list (expanded range)

Do I have to create an access-list for the hosts I want to monitor? I'm used to using tcpdump and snoop so the debug commands are awkward for me. It's a production router so I know I can crash it if I'm not careful with this. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62107t=62107
Re: debug commands [7:62107]
I see, so if I want to debug for certain TCP protocols can I use extended access-lists?

Maccubbin, Duncan wrote in message news:[EMAIL PROTECTED]...

Just make a permit ACL for that host and the debug will only report on that one host.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: debug commands [7:62107]

If I want to see all IP traffic from host 10.10.10.1 on a Cisco router, what would the debug command look like? I looked at the help menu and I think it's "debug ip packet", but then the options are:

  Access list
  Access list (expanded range)

Do I have to create an access-list for the hosts I want to monitor? I'm used to using tcpdump and snoop so the debug commands are awkward for me. It's a production router so I know I can crash it if I'm not careful with this. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62111t=62107
Re: debug commands [7:62107]
Nice, not as nice as tcpdump, but nice ;-)

Maccubbin, Duncan wrote in message news:[EMAIL PROTECTED]...

You are correct. Very nice feature, eh?

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 12:14 PM
To: [EMAIL PROTECTED]
Subject: Re: debug commands [7:62107]

I see, so if I want to debug for certain TCP protocols can I use extended access-lists?

Maccubbin, Duncan wrote in message news:[EMAIL PROTECTED]...

Just make a permit ACL for that host and the debug will only report on that one host.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 29, 2003 11:49 AM
To: [EMAIL PROTECTED]
Subject: debug commands [7:62107]

If I want to see all IP traffic from host 10.10.10.1 on a Cisco router, what would the debug command look like? I looked at the help menu and I think it's "debug ip packet", but then the options are:

  Access list
  Access list (expanded range)

Do I have to create an access-list for the hosts I want to monitor? I'm used to using tcpdump and snoop so the debug commands are awkward for me. It's a production router so I know I can crash it if I'm not careful with this. Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62115t=62107
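As an added example (not from any poster in this thread), the extended-ACL form of what Duncan describes: an IOS config that narrows "debug ip packet" to SSH traffic to or from 10.10.10.1 (the host from the question; port 22 is an assumption) and keeps the debug output off the console so it is safer on a production router.

```cisco
! Added example, not part of the original thread.
! Extended ACL (100-199): match only TCP/22 to or from 10.10.10.1.
! The implicit deny at the end keeps every other packet out of the debug.
access-list 101 permit tcp host 10.10.10.1 any eq 22
access-list 101 permit tcp any eq 22 host 10.10.10.1
!
! Console logging is synchronous and a busy debug can starve the box,
! so send debug output to the logging buffer instead of the console.
no logging console
logging buffered 16000 debugging
!
! Start the debug filtered by the ACL; "detail" adds the TCP port numbers.
debug ip packet 101 detail
!
! Read the captured lines, then stop the debug before removing the ACL.
show logging
undebug all
no access-list 101
```

Note that "debug ip packet" only reports process-switched packets, so on a fast-switched or CEF interface most transit traffic never appears; forcing it by disabling route caching is itself a load risk on a production router.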
Re: what the h... - strange problem - Cisco doesn't like [7:62147]
Load a packet sniffer on the laptop and see what really happens. If you don't have one I know of a good free one. You install libpcap first, reboot and then install Analyzer.

http://winpcap.polito.it/install/default.htm
http://analyzer.polito.it/install/default.htm

Then you can see if the packets are coming back to you and if Windows is dropping them for some reason.

Charles Riley wrote in message news:[EMAIL PROTECTED]...

I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:

Internet---2500---AS5300---D/U Users

Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded. We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked. The connection works great... email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Windows. For example, they can download the .gz/tar and .sft files for an SSH client, but cannot download its .exe or .zip counterpart for Windows! Take the same .exe and .zip file, rename it with a UNIX or Mac filename extension, and you can download it. Surprisingly enough, the problem does not lie with the users. I took a clean laptop to the site, and encountered the same results. Has anyone ever experienced a problem like this? Could this be a bug in the IOS on the 2500? Any suggestions would be welcome.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62147t=62147
Re: what the h... - strange problem - Cisco doesn't like [7:62149]
That hub doesn't know the difference between the various file name extensions and neither does the router. UNIX comes with tcpdump so there's no need to load the sniffer. Also run the debug command on the router to see if the packets are going through it, if you don't see them getting to the UNIX box in the tcpdump output. Sounds like someone's content filtering upstream. Most admins will block .zip and .exe but aren't concerned with the UNIX .tar and .gz variants. You'll know this for sure when you run the debug command on the router.

Charles Riley wrote in message news:[EMAIL PROTECTED]...

Sorry, should have mentioned. I get the same result whether the user system is UNIX, Mac, or Windows... it plays havoc with .exe and .zip. That is a good suggestion, though, about the sniffer... that is about the only thing I haven't tried yet. The Kmart bluelight special hub is making me a little suspicious...

Thanks,
Charles

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

Load a packet sniffer on the laptop and see what really happens. If you don't have one I know of a good free one. You install libpcap first, reboot and then install Analyzer.

http://winpcap.polito.it/install/default.htm
http://analyzer.polito.it/install/default.htm

Then you can see if the packets are coming back to you and if Windows is dropping them for some reason.

Charles Riley wrote in message news:[EMAIL PROTECTED]...

I ran across a strange problem with one of our POPs the other day, and am in the process of researching/troubleshooting it. We have a configuration something like this:

Internet---2500---AS5300---D/U Users

Not shown is a LAN connected to the 2nd Ethernet on the 2500. All connections to the shared Ethernet are via a Kmart bluelight special hub. The connection to the Internet is a T-1 FR. Neither the 2500 nor the T-1 is anywhere close to being overloaded. We are not doing any content filtering, nor have any access lists been applied, nor are any sites blocked. The connection works great... email, web browsing, etc. all work just fine. The only problem is that users can only download UNIX and Mac flavored files, but not anything that smacks of Windows. For example, they can download the .gz/tar and .sft files for an SSH client, but cannot download its .exe or .zip counterpart for Windows! Take the same .exe and .zip file, rename it with a UNIX or Mac filename extension, and you can download it. Surprisingly enough, the problem does not lie with the users. I took a clean laptop to the site, and encountered the same results. Has anyone ever experienced a problem like this? Could this be a bug in the IOS on the 2500? Any suggestions would be welcome.

TIA,
Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62149t=62149
Re: Richard A. Deal Books [7:62027]
His PIX firewall book is OK. It does have a lot of errors in it though. Hope his other books have proofreaders.

Joseph R. Taylor wrote in message news:[EMAIL PROTECTED]...

Hi Everyone,

I'm interested in knowing how good Richard A. Deal's books are. Especially in reference to MCNS. Thank you in advance.

Joseph R. Taylor
MCSE, CCNP

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=62030t=62027
Re: Routing Software [7:61668]
www.zebra.org

Shane Stockman wrote in message news:[EMAIL PROTECTED]...

I am looking for free routing software (RIP, OSPF, ISIS, BGP, DVMRP) for a Linux box. I would like to know as well where I can get X.21 serial cards and PCMCIA card slots for a PC, as I would like to build a small network for practice. Any notes would be appreciated if anyone has done something like this.

Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61677t=61668
Re: Too much Security Overkill on wireless network??? [7:61685]
Are these users the same regular users that are allowed to log in on wired workstations today? Or is it for outsourced consultants? If it's for everyday users then it's overkill. What I'd do for that situation is create a new VLAN behind the firewall for these users, use PEAP to authenticate between the wireless users and the device, and create access lists on the VLAN restricting access to the network for whatever protocols you need. Once you're in that VLAN I don't think there's any need for encryption. I could see why you would use encryption in the DMZ, since by design it's the most vulnerable part of your network, so that's why I'd set up the VLAN behind the higher security level interface. Your design is not going to scale well for certain. Your time is better spent paying more attention to other security needs on the wired network, which is always a concern as well.

eric nguyen wrote in message news:[EMAIL PROTECTED]...

Hi,

I have been assigned the task of setting up a wireless network for my company and I am wondering whether I use too much security for the wireless. Currently, I am setting up a test wireless network for about 5 users. Eventually, this network will have about 50 users. My set up is as follows:

1) The wireless network is sitting on the DMZ network. This DMZ network hangs off an interface of a PIX firewall (PIX-525). Wireless users are required to use Protected Extensible Authentication Protocol (PEAP) in order to log onto the wireless DMZ network.

2) In order to access the company internal network, which hangs off the inside interface of the PIX firewall, wireless users must use the Cisco VPN Client (IPSec) to establish a secure VPN tunnel between their device and the PIX firewall.

3) After successfully establishing the VPN tunnel between the wireless device and the PIX firewall, wireless users can only access the company internal network applications via SSL, SSH, POP3s and IMAPs. I have a few users that tunnel X applications via SSH connections. Applications such as POP3, telnet and IMAP are not allowed from the DMZ network into the company internal network.

So far the test is going well. However, my concern is that this will not scale well for a large number of wireless users. For example, let's say for an SSH connection, the traffic is encrypted by SSH. Below that, it is encrypted via IPSec. Finally, it is encrypted by PEAP. I've not done any analysis yet but it is possible that 50% of the traffic is just overhead traffic for encryption. Has anyone successfully implemented a secure wireless network on a large scale? I would like to get your advice on this. I have to present a recommendation to my CTO in the next few days.

By the way, my company did hire a CCIE security consultant to work with me on this project; however, this CCIE security is a f_cking moron. Not only does he not know anything about PEAP, but he even suggested that we use Cisco LEAP because LEAP is much more secure than PEAP. After he couldn't get PEAP to work, the SOB suggested that we switch to Cisco LEAP. When we didn't want to use Cisco LEAP, he suggested that we just use shared (aka STATIC WEP) authentication because we are using IPSec and secure applications to access the company internal network anyway. The problem with this idea is that once wireless users are on the DMZ wireless network, they can surf the Internet without restrictions. I don't want strangers (if they get a hold of the STATIC WEP KEY) to use my company bandwidth to use the Internet. I want PEAP because it is safe and secure. I am also testing EAP-TTLS but haven't had much luck with it.

I am sure the CCIE security consultant that turned out to be a f_cking moron, pardon my language, is more of an exception rather than the rule. However, I am surprised that someone like that can pass the CCIE security lab. By the way, I checked with Cisco and he does have a CCIE Security certification #. Enough of me venting out my frustration. Please advise.

Eric

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61691t=61685
Re: OT well, sort of - IDS [7:61523]
Snort is free and works great.

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...

Thanks for your reply, I should have mentioned that the best solution need not be the cheapest.

Cheers,
Symon

-----Original Message-----
From: charles riley [mailto:[EMAIL PROTECTED]]
Sent: 22 January 2003 03:39
To: [EMAIL PROTECTED]
Subject: Re: OT well, sort of - IDS [7:61523]

I like the various SNORT products... non-proprietary (or as close as this field gets). SNORT looks good (www.snort.org). And if you don't have time to build your own, try:

www.sourcfire.com
www.silicondefense.com

Heck, even Packet Alarm may be an option, though you will not find any contact information for them, which could speak volumes for their post-sale support philosophy: www.packetalarm.com

The ISS IDS product is SNORT compatible, meaning SNORT rules can be used on it.
http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=ISSoid=20602

HTH,
Charles

Symon Thurlow wrote in message news:[EMAIL PROTECTED]...

Hi all,

Just looking for a heads up with regards to IDS in a Cisco PIX environment, ie, what works, what doesn't, and good resources online to read etc.

TIA
Symon

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61577t=61523
Re: Sniffer software: [7:61566]
I like this one better than Ethereal, and it is free: http://analyzer.polito.it/

Peri Sophos wrote in message news:[EMAIL PROTECTED]...

Hi all,

I wonder if anyone can help me :). I am looking for software where I can load it on my laptop and have it available in case I have to use a sniffer at a particular site. I have a proper sniffer at my head office; however I do travel, and don't want to bring that huge thing every time I go somewhere. Some help will be much appreciated.

Thanks guys and girls :)

Cheers!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61580t=61566
VPN client: Cisco or Microsoft? [7:61500]
Which do most of you use for remote access VPN? Pros and cons? Thanks a lot.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61500t=61500
Re: CSS11152 VIP question [7:61229]
What does "ip opportunistic" do?

Clayton Price wrote in message news:[EMAIL PROTECTED]...

That is correct, your VIP does not have to be a part of one of the VLANs. Make sure you have ip opportunistic enabled, and that you are routing that VIP towards the CSS.

Clayton

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

Quick typo correction: the ip on service svc-w2.web2 should be

service svc-w2.web2
  ip address 10.20.20.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

Let's say I have the following scenario. CSS11152 with ethernet e0 IP address 192.168.1.1, VLAN outside. I have 2 sets of server addresses, 10.10.10.0/24 on eth5 (VLAN server1) and 10.20.20.20/24 on eth6 (VLAN server2). I configure services as per below. On my content rules can I make a VIP on the 192.168.1.0 network and another on the 192.168.100.0 network? Since the VIP is NAT'ing I am thinking that you do not need a VIP address that is on the same network as any of the VLANs on the CSS. Is this true?

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web1
  service svc-w2.web1
  vip address 192.168.1.50
  active

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web2
  service svc-w2.web2
  vip address 192.168.100.50
  active

service svc-w1.web1
  ip address 10.10.10.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web1
  ip address 10.10.10.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

and

service svc-w1.web2
  ip address 10.20.20.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web2
  ip address 10.10.20.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61263t=61229
DES license on PIX free? [7:61201]
I read in a PIX book that all PIXes come with the 56-bit DES license free. Can anyone verify this before I spend money? I'm looking at a 501 or 506E. Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61201t=61201
CSS11152 VIP question [7:61229]
Let's say I have the following scenario. CSS11152 with ethernet e0 IP address 192.168.1.1, VLAN outside. I have 2 sets of server addresses, 10.10.10.0/24 on eth5 (VLAN server1) and 10.20.20.20/24 on eth6 (VLAN server2). I configure services as per below. On my content rules can I make a VIP on the 192.168.1.0 network and another on the 192.168.100.0 network? Since the VIP is NAT'ing I am thinking that you do not need a VIP address that is on the same network as any of the VLANs on the CSS. Is this true?

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web1
  service svc-w2.web1
  vip address 192.168.1.50
  active

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web2
  service svc-w2.web2
  vip address 192.168.100.50
  active

service svc-w1.web1
  ip address 10.10.10.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web1
  ip address 10.10.10.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

and

service svc-w1.web2
  ip address 10.20.20.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web2
  ip address 10.10.20.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61229t=61229
Re: CSS11152 VIP question [7:61229]
Quick typo correction: the IP on service svc-w2.web2 should be

ip address 10.20.20.11
port 80
keepalive type http
keepalive uri /test.html
active

Sam Sneed wrote in message news:[EMAIL PROTECTED]...
Let's say I have the following scenario. CSS11152 with ethernet e0 IP address 192.168.1.1 VLAN outside. I have 2 sets of servers, addresses 10.10.10.0/24 on eth5 VLAN server1 and 10.20.20.20/24 on eth6 VLAN server2. I configure services as per below. On my content rules, can I make a VIP on the 192.168.1.0 network and another on the 192.168.100.0 network? Since the VIP is NAT'ing, I am thinking that you do not need a VIP address that has the same network as any VLANs on the CSS. Is this true?

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web1
  service svc-w2.web1
  vip address 192.168.1.50
  active

content cnt-www.web1
  balance aca
  url /*
  service svc-w1.web2
  service svc-w2.web2
  vip address 192.168.100.50
  active

service svc-w1.web1
  ip address 10.10.10.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web1
  ip address 10.10.10.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

and

service svc-w1.web2
  ip address 10.20.20.10
  port 80
  keepalive type http
  keepalive uri /test.html
  active

service svc-w2.web2
  ip address 10.10.20.11
  port 80
  keepalive type http
  keepalive uri /test.html
  active

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61230t=61229 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX access-list problem [7:61043]
That all looks good. I'm wondering if it is a bad NIC on the PIX at this point.

Evans, TJ (BearingPoint) wrote in message news:[EMAIL PROTECTED]...
Is your outside link up, and plugged into an enabled switch port that is on the correct VLAN/segment and set to the correct speed/duplex? Can other devices on the same switch communicate with anyone else?
Thanks!
TJ
[EMAIL PROTECTED]

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 3:43 PM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

This type of NAT is required for incoming connections. I can't get access going out, so I haven't even looked at that yet. Even worse, from 83.23.44.60 (outside interface of the PIX) I can't ping 83.23.44.50, which is outside of the PIX. If you look at my access-list, this should not be a problem. I am stumped on this.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...
Sam,
Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.
HTH,
Kris.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for the DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it is public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61093t=61043 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX access-list problem [7:61043]
Found the problem. I had the 2 PIXs configured for failover. The problem was that the failover cable was loose on one end, so they both flip-flopped, each taking control as master. Thanks for the help.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...
Sam,
Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.
HTH,
Kris.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for the DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it is public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61097t=61043 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX access-list problem [7:61043]
Yeah, I noticed I also had the inside interfaces on each PIX on different VLANs. That was another kick in the balls when I noticed it this morning. This wasn't the original problem, since it happened when I moved the PIXs to another switch, but it did aggravate me for enough time.

Evans, TJ (BearingPoint) wrote in message news:[EMAIL PROTECTED]...
Nice... FYI - another painful thing like this can happen if you have an interface disabled on one but not the other, or even worse - different numbers of ports (i.e. one with 6 ports and one with 4 ... doh!)
Thanks!
TJ

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 15, 2003 10:20 AM
To: [EMAIL PROTECTED]
Subject: Re: PIX access-list problem [7:61043]

Found the problem. I had the 2 PIXs configured for failover. The problem was that the failover cable was loose on one end, so they both flip-flopped, each taking control as master. Thanks for the help.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...
Sam,
Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.
HTH,
Kris.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for the DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it is public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61112t=61043 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
PIX user level VPN [7:61154]
Does anyone know if the PIX 501 supports a user-level VPN client for remote access? Thanks!!! Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61154t=61154 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
applying PIX access-lists [7:61033]
I am new to PIX and have a simple question. What methods do you (PIX admins) use to change and apply access-lists? Unlike IOS access-lists, it seems you can remove statements from the middle of the list. When you do this, does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario: I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add access-list from-internet permit ip any host 10.10.10.2 before access-list from-internet permit ip any host 10.10.10.4. What is the best way to do this? I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old one and apply the new one in successive commands. Is this the standard way of making changes, or do you more experienced admins have a better way? I'm migrating from a Checkpoint environment, so this wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61033t=61033 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
PIX access-list problem [7:61043]
I cannot seem to get the following config to work and am clueless why. My incoming access lists for the DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it is public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61043t=61043 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: PIX access-list problem [7:61043]
This type of NAT is required for incoming connections. I can't get access going out, so I haven't even looked at that yet. Even worse, from 83.23.44.60 (outside interface of the PIX) I can't ping 83.23.44.50, which is outside of the PIX. If you look at my access-list, this should not be a problem. I am stumped on this.

Waters, Kristina wrote in message news:[EMAIL PROTECTED]...
Sam,
Do you have any sort of statement that's translating the addresses in your DMZ? For example,

static (DMZ,outside) 141.152.135.23 141.152.135.23 netmask 255.255.255.255

If you aren't NAT'ing I believe you still have to translate the address.
HTH,
Kris.

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 14, 2003 2:08 PM
To: [EMAIL PROTECTED]
Subject: PIX access-list problem [7:61043]

I cannot seem to get the following config to work and am clueless why. My incoming access lists for the DMZ and outside are wide open. The goal is not to NAT the DMZ ever, since it is public addressing. I can't even ping hosts on the outside network from the PIX. Why am I having these problems?

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
access-list internal permit ip 172.19.90.0 255.255.255.0 any
access-list test permit ip any any
access-list test permit icmp any any
access-list int-dmz permit ip 172.19.90.0 255.255.255.0 83.23.43.0 255.255.255.0
ip address outside 83.23.44.60 255.255.255.192
ip address inside 172.19.90.1 255.255.255.0
ip address dmz 83.23.43.250 255.255.255.0
global (outside) 1 83.23.44.58
nat (inside) 0 access-list int-dmz
nat (inside) 1 172.19.90.0 255.255.255.0 0 0
nat (dmz) 0 0.0.0.0 0.0.0.0 0 0
access-group test in interface outside
access-group test in interface dmz
route outside 0.0.0.0 0.0.0.0 83.23.44.1 1

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61054t=61043 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: applying PIX access-lists [7:61033]
The deny statement is there implicitly, but if you put it in as well, when you do a show access-list command you will see the statistics of how many times it was hit. As far as your suggestion goes, it may not work as well if you have over 100 access-lists and you need to put one in, let's say, the 8th spot.

Emilia Lambros wrote in message news:[EMAIL PROTECTED]...
Why don't you try removing the line you want it to be below (as well as the deny ip any any at the end), then put in the new line, the next line(s) and the deny line? i.e.

no access-list from-internet permit ip any host 10.10.10.4
no access-list from-internet permit ip any host 10.10.10.5
no access-list from-internet deny ip any any
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

That should leave you with

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.2
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

It's a little shuffling but it gets you there ;)

Is there any reason other than numerical order that the 10.10.10.2 line needs to be above the 10.10.10.4 line, since they're all permits anyway? Also, for my own interest, is the deny ip any any required? I was of the impression that everything was closed until you opened it, which means there should already be an implicit deny ip any any.. ?
Em

-----Original Message-----
From: Sam Sneed [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, 15 January 2003 3:29 AM
To: [EMAIL PROTECTED]
Subject: applying PIX access-lists [7:61033]

I am new to PIX and have a simple question. What methods do you (PIX admins) use to change and apply access-lists? Unlike IOS access-lists, it seems you can remove statements from the middle of the list. When you do this, does the change occur immediately or do you have to reapply the access-group? Do you need to do clear xlate after changing access-lists?

How about the following scenario: I have a PIX that has interface outside with the following access-list:

access-list from-internet permit ip any host 10.10.10.1
access-list from-internet permit ip any host 10.10.10.4
access-list from-internet permit ip any host 10.10.10.5
access-list from-internet deny ip any any

and

access-group from-internet in interface outside

Now I want to add access-list from-internet permit ip any host 10.10.10.2 before access-list from-internet permit ip any host 10.10.10.4. What is the best way to do this? I thought maybe I would create a new list:

access-list from-internet2 permit ip any host 10.10.10.1
access-list from-internet2 permit ip any host 10.10.10.2
access-list from-internet2 permit ip any host 10.10.10.4
access-list from-internet2 permit ip any host 10.10.10.5
access-list from-internet2 deny ip any any

then remove the old one and apply the new one in successive commands. Is this the standard way of making changes, or do you more experienced admins have a better way? I'm migrating from a Checkpoint environment, so this wasn't an issue when administering them.

How about this for a good question: why aren't the access-lists on the PIX numbered like prefix-lists in BGP? Wouldn't that be very intuitive and easy to work with?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=61062t=61033 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: response time between PIX with VPN [7:60981]
Check for duplex and speed settings on the switch, as well as interface errors and collisions.

Mike Sweeney wrote in message news:[EMAIL PROTECTED]...
In answer to Eric, there is not any DNS involved as the traceroute is IP only... no name resolution needed. In answer to Ed's comments, I have both plugged into a switch and so it's not *back to back* in the normal sense of the word.
MikeS

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60985t=60981 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco 2501 dot1q encapsulation ? [7:60699]
This is not true. ISL is only supported on FastEthernet. Dot1Q can be run on a 2610 with 10BT Ethernet.

Francisco Sedano/Inf-Pronet wrote in message news:[EMAIL PROTECTED]...
Hi Thomas;
AFAIK Dot1q is only supported in (some) FastEthernet interfaces, and the 2501 has only Ethernet, so it isn't supported.

Thomas Muller, sent by: [EMAIL PROTECTED], 09/01/2003 16:21
Please reply to Thomas Muller
To: [EMAIL PROTECTED]
cc:
Subject: Cisco 2501 dot1q encapsulation ? [7:60699]

Hi, I've tried to configure dot1q on the LAN interface on my Cisco 2501 running 12.2 (IP Plus) but it doesn't seem to know the encapsulation dot1q command. Does anyone know if the 2500 series supports dot1q?
Thanks, Thomas
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60755t=60699 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Cisco 2501 dot1q encapsulation ? [7:60699]
A 2610 with IOS 12.1(3)T should work. I don't own one, but I've seen several people post the configs and they verified that it did work.

Francisco Sedano/Inf-Pronet wrote in message news:[EMAIL PROTECTED]...
4000? Could you expand on it? Which model/IOS? I have a plain 4000 with 12.1(11) and it doesn't support it..

cebuano, sent by: [EMAIL PROTECTED], 09/01/2003 22:04
Please reply to cebuano
To: [EMAIL PROTECTED]
cc:
Subject: RE: Cisco 2501 dot1q encapsulation ? [7:60699]

This is possible with certain models of the 2600 series, and the cheapest router to support this with 10Mb Ethernet is the 4000 series.
HTH.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Larry Letterman
Sent: Thursday, January 09, 2003 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: Cisco 2501 dot1q encapsulation ? [7:60699]

I don't believe so either, since they only support a 10BT Ethernet connection...
Larry Letterman
Network Engineer
San Jose Transport
Cisco Systems Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Neiberger
Sent: Thursday, January 09, 2003 7:43 AM
To: [EMAIL PROTECTED]
Subject: Re: Cisco 2501 dot1q encapsulation ? [7:60699]

I don't believe that any of the 2500 series routers support trunking of any variety. If I'm wrong someone will surely correct me.
John

Thomas Muller 1/9/03 8:21:59 AM
Hi, I've tried to configure dot1q on the LAN interface on my Cisco 2501 running 12.2 (IP Plus) but it doesn't seem to know the encapsulation dot1q command. Does anyone know if the 2500 series supports dot1q?
Thanks, Thomas
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60763t=60699 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Type escape sequence to abort [7:60502]
Hit Shift+Ctrl+6, then x.

Arnis Cirulis wrote in message news:[EMAIL PROTECTED]...
Hi! I have a terminal connection to my Cisco 1721 router. For example, I use ping or traceroute and I want to cancel. What should I do? Ctrl+C doesn't work.
Arnis

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60505t=60502 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: CCIE versus BS or MS degree [7:60424]
Great, thanks for forwarding us your spam, considering we don't get enough of our own.

Jim McDowell wrote in message news:[EMAIL PROTECTED]...
Yesterday, I received this from a spammer. I do believe some of the folks on this list could be millionaires... if it is true.
* Get Paid For Your Opinions! Earn up to $150 For an Hour of Work! Find out how your ideas and insight can work for you! *

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60426t=60424 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
PIX 501 VPN Peers limit [7:60430]
Does anyone know what the limit on VPN peers is for a PIX 501 with 3DES? Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60430t=60430 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Grace period for slackers... [7:60046]
Which version of CCNA is about to expire?

Anthony Mann wrote in message news:[EMAIL PROTECTED]...
I am a CCNA that has talked about getting the NP for almost two years now. Well, my NA is about to expire and I have two months to crank out four tests. I was talking with another slacker friend that mentioned a 6 month grace period if I have completed two of the four tests. I am still planning to do the tests in the 2 months, however it really is a bad time for me where the six month extension would really help. Anyone aware of this?
Thanks
Tony

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60102t=60046 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Good PIX book? [7:60039]
Can anyone recommend a good PIX book for a PIX beginner? I've got a good understanding of TCP/IP and firewalls/packet filters but no PIX experience. Thanks P.S. HAPPY NEW YEARS from NYC! Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=60039t=60039 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Possible Attack???? [7:59813]
Do you run SNMP and MRTG on the switch? You can then graphically see which host has been pouring out all the traffic with ease.

wrote in message news:[EMAIL PROTECTED]...
Thanks Priscilla. I figure it was some sort of spoofing, which is what I ended up reporting last night. The traffic on the edge router is under control. I was able to narrow down which VLAN on the switch it was coming in on. There is someone going onsite this morning and we are going to work on narrowing down the actual culprit PC. It should not be difficult to spot by looking at the LEDs on the switch (I hope). The attack seems to come in spurts, but when it comes, I see anywhere from about 3000-15000 packets per second that last about 10 seconds. The weird thing is that when I remove the access-list that is currently filtering the 127 address, the attack lasts much longer. It is almost like it knows that the access-list has been removed. Since the traffic that I am filtering is not related to ICMP, I know that I am not sending any Unreachable message back to the source.
Thanks,
Mario Puras
SoluNet Technical Support
Mailto: [EMAIL PROTECTED]
Direct: (321) 309-1410
888.449.5766 (USA) / 888.SOLUNET (Canada)

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 26, 2002 10:57 PM
To: [EMAIL PROTECTED]
Subject: RE: Possible Attack [7:59813]

Sending with a source address of 127.x.x.x is often used in IP spoofing. You should try to find out which station is doing this. It could be compromised. Of course, it will be hard to find, but if the packets haven't crossed a router, the MAC address will have a clue. The first six bytes of the MAC address are a vendor code. Of course, if all your equipment is from one vendor, that doesn't help much! The destination address of 108.122.0.0 is strange also. I looked it up in the ARIN Whois database and it says it's part of a range reserved by IANA. I'm not sure why it's reserved, but it seems like a suspicious address to use. So, you're doing the right thing to filter out these packets. But you said the problem remained.

The other thing I noticed that's strange is probably unrelated to a possible attack. Why are 75% of your packets in the 1-32 byte range? Those are illegal runt frames on Ethernet. Could you have a duplex mismatch problem?? You should check the output of show int Fa0/1.
Good luck!
Priscilla

[EMAIL PROTECTED] wrote:
Hi all. I was wondering if someone can shed some light on a weird issue that I am seeing. This perhaps may be an attack from an internal or infected host within the network, or simply a malfunctioning NIC. Basically, I have a Cisco 3662 with 2 satellite links. I noticed that the main WAN link (1.544mb) was bursting outbound to sometimes 20mb. I noticed a lot of output drops and the links started to flap, and as a result BGP sessions started going down, causing huge problems. Once I was able to get BGP under control, I enabled Netflow on the inbound interface (FE0/1) to see what type of traffic could be causing this issue, and this is when I noticed the below.

Here is the output of the Netflow:

cisco_3600_one#show ip cache flow
IP packet size distribution (4096357 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .753 .167 .017 .005 .001 .002 .001 .001 .001 .001 .000 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .008 .005 .027 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 278544 bytes
  978 active, 3118 inactive, 121929 added
  2503952 ager polls, 0 flow alloc failures
  last clearing of statistics never

Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet          41 0.05040 0.0 31.3 14.4
TCP-FTP             87 0.0 765 0.0 17.0 12.1
TCP-FTPD            27 0.0 135 211 0.0 83.0 3.5
TCP-WWW          43121 0.3 8 335 2.8 3.6 2.7
TCP-SMTP          1137 0.0 6 173 0.0 9.8 9.7
TCP-BGP              1 0.0 67368 0.0 1796.8 3.6
TCP-Frag             2 0.0 140 0.0 0.0 15.5
TCP-other        33285 0.214 246 3.7 24.0 10.3
UDP-DNS           6005 0.0 173 0.0 1.3 15.4
UDP-NTP             10 0.0 176 0.0 0.0 15.4
UDP-other        13772 0.1 678 0.7 1.2 15.5
ICMP              2904 0.0 372 0.0 19.1 15.4
IP-other         20559 0.1 14820 24.5 6.8 15.4
Total:
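As an added example, not part of the thread, here is the check Priscilla describes done over flow records in Python: flag any flow whose source address cannot legitimately appear on the wire (127/8, multicast, 240/4), rank sources by packet count so a burst like the 3000-15000 pps spurts stands out, and emit the IOS extended-ACL lines that drop those source ranges at the edge. The flow records are constructed for the example and are not Mario's Netflow data; the 108.122.0.0 destination from the post is reused only as a sample value, and its registry status is not checked because that changes over time.

```python
import ipaddress
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    packets: int


# Constructed sample flows, loosely modelled on the symptoms in the thread
# (a burst of thousands of packets from a 127.x source). Not real data.
SAMPLE_FLOWS: List[Flow] = [
    Flow("172.16.1.20", "198.51.100.10", "tcp", 340),
    Flow("172.16.1.21", "198.51.100.25", "udp", 12),
    Flow("127.0.0.5", "108.122.0.0", "ip", 15000),
    Flow("0.0.0.0", "255.255.255.255", "udp", 4),   # DHCP discover: unspecified source is normal
    Flow("224.0.0.9", "172.16.1.1", "udp", 3),      # a multicast address can never be a real source
    Flow("172.16.1.22", "198.51.100.10", "tcp", 90),
]


def bogus_source_reason(src: str) -> Optional[str]:
    """Return why a source address cannot legitimately appear on the LAN, or None.
    0.0.0.0 is deliberately not flagged: DHCP clients send from it before they have a lease."""
    ip = ipaddress.ip_address(src)
    if ip.is_loopback:
        return "loopback (127/8) source: spoofed or a broken stack"
    if ip.is_multicast:
        return "multicast address used as a source"
    if ip.is_reserved:
        return "reserved (240/4) source"
    return None


def suspicious_flows(flows: List[Flow]) -> List[Tuple[Flow, str]]:
    """Every flow with an impossible source, paired with the reason."""
    out = []
    for f in flows:
        reason = bogus_source_reason(f.src)
        if reason:
            out.append((f, reason))
    return out


def top_talkers(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Packets per source address, highest first; the spoofed burst is obvious here."""
    counts: Counter = Counter()
    for f in flows:
        counts[f.src] += f.packets
    return counts.most_common(n)


def ios_deny_lines(acl_number: int = 101) -> List[str]:
    """IOS extended-ACL lines (wildcard masks) dropping the three source ranges checked above.
    The closing permit is needed because an IOS ACL ends with an implicit deny."""
    bogons = ["127.0.0.0 0.255.255.255", "224.0.0.0 15.255.255.255", "240.0.0.0 15.255.255.255"]
    lines = [f"access-list {acl_number} deny ip {b} any" for b in bogons]
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    for flow, reason in suspicious_flows(SAMPLE_FLOWS):
        print(f"{flow.src:>12} -> {flow.dst:<16} {flow.packets:>6} pkts  {reason}")
    print(top_talkers(SAMPLE_FLOWS))
    print("\n".join(ios_deny_lines()))
```

The ACL only stops the traffic; as Priscilla says, the station has to be found on the switch side, and since a spoofed source carries no identity the MAC address and switch port are the useful keys, not the IP.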
Re: Very Strange Problem....Any Ideas? [7:59682]
Another thing you may want to do is have MRTG poll the switch and/or routers. This way you may be able to notice if one of the servers or network devices is sending out unexpectedly large amounts of data.

Craig Columbus wrote in message news:[EMAIL PROTECTED]...

I worked on a network move for a brokerage company last week and encountered a VERY strange problem. We moved a bunch of equipment to a new office building. During the process, we changed the internal network from 192.168.100.0/24 to 172.31.4.0/22. The company has 4 Cisco 3500XL 48-port switches, with no VLANs and plain vanilla configurations. The fanciest thing is portfast on the client machine ports. Switches are linked via GBICs in a cascade. There is one client-maintained router that sits before the firewall with only static routes and no routing protocols. There are multiple outside vendor routers for specific applications (real-time quotes, clearinghouse mainframe, etc.), but these too have only static routes and no routing protocols.

After installing all of the network equipment and servers, we started to turn on clients and get new DHCP addresses. Since the new network was 172.31.4.0/22, 172.31.4.1 - 172.31.4.255 was reserved for servers, printers, switches, and routers. The remaining 172.31.5.0 - 172.31.7.254 was reserved for clients...though there are only about 100 clients at the moment and thus they only took 5.0 - 5.100 or so in DHCP. After installing maybe 20 clients or so, we started to see mass slowdowns on the network. Pings between clients and servers were very irregular and intermittent. There was no discernible pattern to when pings would succeed and when they'd fail. We exhaustively went through all devices and made sure that they'd been correctly set to the new mask and that all server functions (DNS, WINS, AD, etc.) had been correctly set up for the new subnet. Everything looked fine.

In an effort to troubleshoot, we unhooked the switch stack and put core servers and a few clients on a single switch. Again, communication was irregular and unpredictable, whether with static or DHCP addresses on the clients. Sometimes things would be fine, other times clients could ping the server, but not the switch to which they were attached. Sometimes clients could ping the switch, but not the server. Sometimes the clients could ping neither. Again, there seemed to be no pattern. Thinking there might have been some IOS bug, we erased nvram, upgraded the switches to current IOS code, and put in a completely plain configuration. This had no effect on the problem. After 4 of us (with probably 50 years of industry experience between us) spent 15 hours or so trying to resolve the issue, I finally suggested we try moving the clients from the 172.31.5.x/22 block to the 172.31.4.x/22 block. This solved all problems, and all clients were able to ping both switches and servers 100% of the time. Again, we didn't change the mask on anything, only the third octet of the client IP range. We then went back and triple-checked every device attached to the network: servers, routers, switches, printers, clients, etc. Every single device had the correct mask (/22) except for two vendor-maintained UNIX boxes...they had 172.31.4.x/24. We suspected as much earlier since clients couldn't communicate with the UNIX boxes from the beginning, but the other servers could communicate with the UNIX boxes without issue. These UNIX servers weren't running RIP (or any other RP)...and besides, there aren't any other network devices listening for RIP, so we weren't really concerned about them causing the network connectivity issues. At the time, I couldn't see how a bad mask on these boxes could effectively make the whole network unusable, so I didn't bother correcting it early in the day.

At this point, I've had a week to think about the issue and I still don't have a logical reason for why this problem might have occurred. Anyone out there have any thoughts? I'm going back to put in a 3550EMI as the core in a couple of weeks. At that point, we're going to investigate more and try to move the clients back to the 172.31.5.x range. I'd like to test theories at that time if anyone can put one forward that we didn't already test; as I said, we spent a lot of time on this and I didn't put every test we did in this email. All I can offer is that it wasn't IOS code (we tried more than one version), it wasn't the switches (we tried several, including non-Cisco), it wasn't DNS, WINS, DHCP, or any other server-side issue (we thoroughly examined and ruled those out...besides, this was even happening at the IP level between switches). Everything had worked correctly at the old building...the only two things that changed significantly during the move were the IP range and the building wiring. AND, the wiring in the new building was brand new
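The post leaves open why the mask mismatch mattered, but the two masks in play imply concrete, checkable differences. This added example (not from the thread; the host parts of the sample addresses are constructed) computes what a /24-configured box and a /22-configured box each consider on-link, what each takes as its directed-broadcast address, and audits an inventory for the mismatch the team eventually found by hand.

```python
"""Added example, not from the thread: what a host with a /24 mask and a host
with the intended /22 mask each believe about the 172.31.4.0/22 network."""
import ipaddress


def on_link(iface: str, dst: str) -> bool:
    """True if a host configured as `iface` (addr/prefix) would treat `dst`
    as directly reachable (ARP for it) rather than send it to its gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(iface).network


def classify_peers(iface: str, peers) -> dict:
    """Map each peer address to 'direct' or 'via gateway' as seen from iface."""
    return {p: ("direct" if on_link(iface, p) else "via gateway") for p in peers}


def broadcast_of(iface: str) -> str:
    """The directed-broadcast address implied by iface's own mask."""
    return str(ipaddress.ip_interface(iface).network.broadcast_address)


def is_usable_host(cidr: str, addr: str) -> bool:
    """True if addr is a valid host address (not network/broadcast) in cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    a = ipaddress.ip_address(addr)
    return a in net and a not in (net.network_address, net.broadcast_address)


def find_mask_mismatches(devices: dict, expected_prefixlen: int) -> list:
    """Audit {name: 'addr/prefix'} and return the names whose prefix length
    differs from the one the network is supposed to use."""
    return sorted(
        name for name, iface in devices.items()
        if ipaddress.ip_interface(iface).network.prefixlen != expected_prefixlen
    )


# Constructed sample addresses taken from the ranges described in the post.
UNIX_BOX = "172.31.4.50/24"    # the vendor boxes' wrong mask (host part constructed)
SERVER = "172.31.4.10/22"      # a correctly configured server (host part constructed)
CLIENT_5X = "172.31.5.20"      # a client from the block that failed
CLIENT_4X = "172.31.4.200"     # a client after the move to the 4.x block

if __name__ == "__main__":
    for name, iface in (("UNIX box /24", UNIX_BOX), ("server /22", SERVER)):
        print(name, classify_peers(iface, [CLIENT_5X, CLIENT_4X]),
              "broadcast", broadcast_of(iface))
    # 172.31.4.255 is a legitimate host address under /22 but the /24 box's
    # directed-broadcast address, one of the places the two views disagree.
    print("172.31.4.255 usable under /22:", is_usable_host("172.31.4.0/22", "172.31.4.255"))
    inventory = {"server": SERVER, "unix1": UNIX_BOX, "unix2": "172.31.4.51/24",
                 "client": CLIENT_4X + "/22"}
    print("mismatched masks:", find_mask_mismatches(inventory, 22))
```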
Re: RE: CCIE Vs. BS or MS dergree [7:59481]
This forum is not a purely technical forum, and that's where you're wrong. The group is groupstudy.cisco, if you hadn't noticed, and its primary focus is studying for Cisco certification. CCIE is a certification. So I believe a discussion of people's opinions on whether going for a CCIE or an MS or MBA would be better for their situation is a great question for the group. I think it provides the group with more useful and helpful information than a question like "My customer needs a VPN setup. I have no experience in this so please send me the configs so I can set it up and collect my consulting fee." or "I need to recover a password on my Cisco 2500 series router. I'm too lazy to go to Cisco's site and type 'password recovery 2500', so could someone in the group go to Cisco's site, find it for me and send me the link." If you want only a technical discussion, try comp.dcom.sys.cisco.

Mr piyush shah wrote in message news:[EMAIL PROTECTED]...

Dear friends, it has been quite long that I have been hearing whether CCIE is superior or MS. I think it is high time we should wrap up the topic. I don't understand what this forum is for? It should be purely technical. For a typical type of question like this, there are responses which last for weeks, but there are some questions about which nobody seems to be bothered. There was a question thrown on this list on TACACS ACS, about what the issue could be that I am able to authenticate but not authorise; not a single person on this site bothered to answer, not even Priscilla, which sounds very strange. There are so many people who are new to networking tech, hence they come with some query which might be stupid to some of our colleagues, but please ensure that you were also like them during your initial phase; hence try to rectify the query rather than spending your precious time on stupid questions like "CCIE is superior or MS", "what is the salary of a CCIE?"

I hope the message is clear to everybody. Regards, PIYUSH

Note: forwarded message attached.

Date: Fri, 20 Dec 2002 01:26:48 GMT
From: Charlie Wehner
Subject: RE: CCIE Vs. BS or MS dergree [7:59481]

What's more difficult?
a) Memorizing configuration scenarios and commands on a Cisco router
b) Understanding Calculus, Differential Equations, Numerical Analysis, Chemistry, Physics and Electrical Engineering well enough to create a meaningful experiment.

One of my friends is working on his masters in Physics right now. What he's working on makes the CCIE look like a walk through the park.

Seriously, what if the recommended reading list for the CCIE exam looked like this:
Physics I and II
Calculus I, II, III
Differential Equations
Mechanics
Circuit Analysis I and II
Linear Systems
Thermodynamics
Quantum Mechanics
Optics

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59613t=59481 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Routers multicast address 224.0.0.2 ?! [7:59609]
Could you post your configs for those 2 routers and possibly sh int output?

Mohannad Khuffash wrote in message news:[EMAIL PROTECTED]...

Hi ... I have tried to configure HSRP on two 3660 routers. I configured them straightforwardly, where only a few commands are needed. But HSRP didn't work well! The reason simply was that they are not seeing the HSRP hello messages, so every one acts as the active one! When I checked the problem more, I discovered that both of them are not seeing the 224.0.0.2 messages: using the SHOW IP INTERFACE command, none of the interfaces of the two routers are joined to this multicast group! My question now is how I can make them join 224.0.0.2, which should be the default configuration? Or maybe I'm wrong in my investigation?! Thanks for your help -- Mohannad Khuffash

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59626t=59609
Re: Routers multicast address 224.0.0.2 ?! [7:59609]
The interface configs look fine. Can you ping each other's IP address? Do show int to see if there are any interface errors as well. Why is your broadcast address showing 0.0.0.0 on R1?

interface FastEthernet1/0
 ip address 172.16.0.2 255.255.0.0
 ip broadcast-address 0.0.0.0

It should be 255.255.255.255; this could be a problem. Maybe you need the ip subnet-zero command for this to work. I see you have no access lists set, so that can't be the problem. I have a pair of 7200's doing HSRP, and both of them show they've joined the multicast group 224.0.0.2 and both have broadcast 255.255.255.255 showing.

Mohannad Khuffash wrote in message news:[EMAIL PROTECTED]...

Hi Sam, here is the configuration and the output of the show commands. Please note the first router shows it is joined to the multicast group 224.0.0.2 while the other does not!

R1
interface FastEthernet1/0
 ip address 172.16.0.2 255.255.0.0
 ip broadcast-address 0.0.0.0
 no ip redirects
 standby 10 ip 172.16.0.37

R2
 ip address 172.16.0.36 255.255.0.0
 ip directed-broadcast
 duplex auto
 speed auto
 standby 10 ip 172.16.0.37

R1#show ip interface fastEthernet 1/0
FastEthernet1/0 is up, line protocol is up
  Internet address is 172.16.0.2/16
  Broadcast address is 0.0.0.0
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Multicast reserved groups joined: 224.0.0.10 224.0.0.2
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP multicast fast switching is enabled
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Gateway Discovery is disabled
  Policy routing is disabled
  Network address translation is disabled

R2#show ip interface fastEthernet 0/0
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.0.36/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled

Sam Sneed wrote in message news:[EMAIL PROTECTED]...

Could you post your configs for those 2 routers and possibly sh int output?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59628t=59609
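The reply above compares the two show ip interface outputs by eye. This added example (not from the thread) does the same check programmatically: it parses the output format quoted in the post and flags an interface whose broadcast address is not the IOS default of 255.255.255.255 or that has not joined 224.0.0.2, the group HSRP version 1 hellos are sent to. The two sample outputs are constructed excerpts modelled on the ones in the thread.

```python
"""Added example, not from the thread: parse `show ip interface` output and
flag a non-default broadcast address and a missing HSRPv1 group membership."""
import re

HSRP_V1_GROUP = "224.0.0.2"              # destination of HSRP version 1 hellos
IOS_DEFAULT_BROADCAST = "255.255.255.255"


def parse_show_ip_interface(text: str) -> dict:
    """Extract interface name/state, address, broadcast and joined groups."""
    info = {"interface": None, "up": False, "address": None,
            "broadcast": None, "groups": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(\S+) is (up|down|administratively down), "
                     r"line protocol is (up|down)$", line)
        if m:
            info["interface"] = m.group(1)
            info["up"] = m.group(2) == "up" and m.group(3) == "up"
            continue
        m = re.match(r"^Internet address is (\S+)$", line)
        if m:
            info["address"] = m.group(1)
            continue
        m = re.match(r"^Broadcast address is (\S+)$", line)
        if m:
            info["broadcast"] = m.group(1)
            continue
        m = re.match(r"^Multicast reserved groups joined:\s*(.*)$", line)
        if m:
            # Absent line (as on R2 in the thread) leaves the set empty.
            info["groups"] = set(m.group(1).split())
    return info


def hsrp_findings(info: dict) -> list:
    """Return human-readable conditions that would keep HSRPv1 from working."""
    findings = []
    name = info["interface"]
    if not info["up"]:
        findings.append(f"{name}: interface or line protocol is down")
    if info["broadcast"] != IOS_DEFAULT_BROADCAST:
        findings.append(f"{name}: broadcast address {info['broadcast']} "
                        f"differs from IOS default {IOS_DEFAULT_BROADCAST}")
    if HSRP_V1_GROUP not in info["groups"]:
        findings.append(f"{name}: not joined to {HSRP_V1_GROUP}, "
                        "so it cannot receive HSRPv1 hellos")
    return findings


# Constructed excerpts modelled on the two outputs quoted in the thread.
R1_OUTPUT = """\
FastEthernet1/0 is up, line protocol is up
  Internet address is 172.16.0.2/16
  Broadcast address is 0.0.0.0
  Address determined by non-volatile memory
  MTU is 1500 bytes
  Multicast reserved groups joined: 224.0.0.10 224.0.0.2
  Outgoing access list is not set
"""
R2_OUTPUT = """\
FastEthernet0/0 is up, line protocol is up
  Internet address is 172.16.0.36/16
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Outgoing access list is not set
"""

if __name__ == "__main__":
    for out in (R1_OUTPUT, R2_OUTPUT):
        for finding in hsrp_findings(parse_show_ip_interface(out)):
            print(finding)
```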
Re: Load Balancing Firewalls [7:59183]
On the 3600's, for the Ethernets connecting the PIX and the routers, use HSRP. Give the PIXs the default gateway of the HSRP address. Then use BGP on the serial interfaces of the 3600's to peer with your provider.

Brian Zeitz wrote in message news:[EMAIL PROTECTED]...

OK, I figured this one out with some help :) I just need to get the 4 Port DMZ card and designate two of the interfaces as IN using security levels. The failover has a DMZ card too, so I can fail over all 4 interfaces in an emergency. Plus 1 port for the failover. Thanks to the people helping me offline; these scenarios are getting really complex. My next task is figuring out how to take two T1s and make them act as a single unit while providing redundancy. Thanks :)

-----Original Message-----
From: Brian Zeitz
Sent: Friday, December 13, 2002 2:02 PM
To: [EMAIL PROTECTED]
Subject: RE: Load Balancing Firewalls [7:59183]

Actually, management changed the diagram on me :(

T1---3640---515UR with failover
T1---3640---^

Both T1s going into a single 515UR with a standby unit. I figured out the first scenario; I just thought of it as being in different locations and using global load balancing on the LBs. This second scenario I don't know if it is possible: I would have 2 IPs coming from the e0/0 on the router into only 1 PIX interface, which I don't know if it is possible.

-----Original Message-----
From: Brian Zeitz
Sent: Friday, December 13, 2002 12:03 PM
To: [EMAIL PROTECTED]
Subject: Load Balancing Firewalls [7:59183]

I have just been given the task of setting up a website with load balancing.

T1 --- 3640---Pix 515 UR+4E---Load balancer
T1 --- 3640---Pix 515 UR+4E---Load balancer

The Pix 515 are separate full units; I got another one because I know you cannot use the failover as an active unit. My load balancers are not active/active. But if I use them separately, they can run independently. I need to run just one website like www.mydomain.com. My managers would like both T1s to be used, but also able to act as a failover.

Can anyone give me any pointers or tell me of any pitfalls before I dive into this task? I thought about HSRP; would this work if I had redundant firewalls? Can you cluster PIX firewalls? I don't think you can, I wish I could.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=59474t=59183
checking temperature in router [7:58189]
Is there any command in IOS to check the operating temperature inside the router?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58189t=58189
Re: Cisco CSS load setting [7:58171]
I've seen similar things happen here. The problem was interface errors on switchports. Check the port where the CSS is plugged into the switch and the port where the high-load webserver is plugged in for interface errors. The CSS seems to be very sensitive to lost packets when calculating load, so I'd check this out.

sukhesh T wrote in message news:[EMAIL PROTECTED]...

Hi All, I have a pair of CSS 11150 switches (VRRP configured for redundancy) configured for load balancing between 2 web application servers (Layer 5). The setup was working alright; we tested the load balancing and the requests were going to both servers round robin. Now I am facing a problem that the request is sent to only one server. When I do show load it shows server1 as 2 and server2 as 255, and that is the reason requests are not being sent to server2. The CSS is using all default configuration related to load threshold and teardown timer etc. Can anyone tell me how to reset the load value on the CSS..or any other info on this will be highly appreciated. Regards, Sukhdev.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58190t=58171
Re: checking temperature in router [7:58189]
I am checking on a lower-end router, a 2500, but it is not available.

Avinash Tadimalla wrote in message news:[EMAIL PROTECTED]...

Not sure, but doesn't show env work? avinash

At 07:25 AM 11/27/2002, sam sneed wrote: Is there any command in IOS to check the operating temperature inside the router?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58201t=58189
Re: Programming Language for Network Engingeers. [7:58032]
I would definitely say Perl. It runs on both Unix and Winblows, so it's portable. I used to write scripts for monitoring network services, connecting to ports, etc. There is even a library to easily write your own network sniffer, and a very good sockets library as well.

John Tafasi wrote in message news:[EMAIL PROTECTED]...

What programming languages MIGHT a network engineer need to perform his job? What do network engineers or administrators do with a programming language? Please elaborate. I am looking to learn a couple of programming languages that I may need on the job and I need your advice. Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58035t=58032
Re: Programming Language for Network Engingeers. [7:58032]
Pascal was great.

Howard C. Berkowitz wrote in message news:[EMAIL PROTECTED]...

At 5:58 PM + 11/25/02, John Tafasi wrote: This is a nice answer, but do you know any book that specifically deals with programming for network engineers?

Again, depends on your definition of network engineer, but John Moy's second book goes through the programming of a public domain OSPF implementation. That's pretty network-ish. There's a lot of material on the Internet, primarily aimed at service providers. Check through www.nanog.org, www.radb.net, www.ripe.net, and the NANOG mailing list. For statistical analysis, www.caida.org is a good starting place. Apropos of not much, I once wrote a complete analyzer for IBM NCP configurations. I used Pascal.

----- Original Message -----
From: Moffett, Ryan
To: 'John Tafasi'
Sent: Monday, November 25, 2002 10:20 AM
Subject: RE: Programming Language for Network Engingeers. [7:58032]

Perl - Use it to do many things like parsing log files, parsing and even generating config files. Too many uses to list. Once you learn what Perl is and what it can do, you WILL find uses for it.

Expect - Use it to script things that otherwise would only be able to occur interactively with network devices, such as Telnet to a router, log on, dump the config to a TFTP server. Or, create an Expect script to log on to a router, copy a TFTP image to flash and reload, then set this to run via a cron job for an unattended router upgrade (yes, that is risky but some people can get away with it :-).

If you run both on Unix/Linux, learn bash or whatever shell you plan on using, because you will find many useful functions built into the shell. It isn't unrealistic to set up a generic Unix/Linux system with Perl, Expect and a TFTP server to manage all of your device configs, images and logfiles.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=58057t=58032
Re: full duplex or half duplex, how can you tell [7:57431]
This is about the comment "You'd get a link but lots of collisions, eh? The half-duplex side would receive while it was sending, because the full-duplex side would send whenever it wanted. In other words, the 2500 side would report collisions, assuming there was enough simultaneous traffic."

I hooked up a 2501 eth0 to a 3548 set to full duplex and speed 100. Interestingly, the link light on the router lights up but not on the switch. The switch sees the total link down and would not even bother sending. I plugged it into an auto-neg port and it obviously worked. Here is the output from the switch.

Cisco3500-3#sh int fa0/17
FastEthernet0/17 is down, line protocol is down
  Hardware is Fast Ethernet, address is 0002.fd45.4b91 (bia 0002.fd45.4b91)
  MTU 1500 bytes, BW 0 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1y40w
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast
     0 input packets with dribble condition detected
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
Cisco3500-3#

Priscilla Oppenheimer wrote in message news:200211141830.SAA03800;groupstudy.com...

The Long and Winding Road wrote:

John Tafasi wrote in message news:200211141056.KAA04663;groupstudy.com...

Hi, I have a Cisco 2516 router with an Ethernet interface. How can I find out if this interface is full duplex or half duplex?

Plug it into a full duplex 100 Mbps switch port and see if link occurs?

You'd get a link but lots of collisions, eh? The half-duplex side would receive while it was sending, because the full-duplex side would send whenever it wanted. In other words, the 2500 side would report collisions, assuming there was enough simultaneous traffic. I think the best answer is that the 2500 routers pre-date the full-duplex standard. I bet they don't do full-duplex.

Seriously, I believe all routers in the 25xx line are 10/half. There is no report on speed and duplex on routers that I can find.

That's annoying. I guess show run would show you a non-default setting, but that's not too helpful. Priscilla

show int on a switch gives you a status:
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed

Even on a router with a port that does duplex changes (3640 NM-4E) there is no status. I don't have access to a router with a port that permits speed and duplex changes, so I can't compare. Thanks

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57466t=57431