Re: Public Internet Access [7:55898]

2002-10-18 Thread Shawn Heisey
Robert,

Have the VLAN for these users route to a DMZ interface on your PIX
rather than the layer 3 switch.  Set the security level of that
interface to 1 (just higher than the outside).

If you don't specify an ACL on that PIX interface, you should be able to
use PIX security levels to automatically deny access to the internal LAN
while permitting access to the internet.

Thanks,
Shawn

Robert Edmonds wrote:
 
 I work for a county government.  As part of building a new courthouse, I am
 tasked with providing attorneys in courtrooms with Internet access through
 my network.  Of course, I would like to provide them access to what they
 need while blocking access to our internal network.
 My network is setup in the following manner:
 In the new courthouse, the MDF has a 3550-12G acting as the root switch for
 the building, and has the layer 3 image.  It connects directly to my core,
 with a 6506 with Sup2 and MSFC2, which in turn connects to my PIX 515 for
 Internet access.  I plan on creating a separate VLAN for the public Internet
 access, but beyond that I'm left a bit short.  Obviously I don't want to
 create a 300 line access-list that would deny them access to each internal
 VLAN, then each of our servers in turn.  Can someone give me some
 suggestions to get this done?  Thanks in advance.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55903&t=55898
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: I need any 5.x firmware for a Catalyst 1900 [7:55125]

2002-10-08 Thread Shawn Heisey

You need to go to this URL, and click on the Catalyst 1900 original
link:

http://www.cisco.com/kobayashi/sw-center/lan/cat1900.shtml

You will need a CCO login to get to it.  If you don't have a login, you
can only get the version 9 software for the newer models.

Thanks,
Shawn

Colin Weaver wrote:
 
 Please!!!




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=55126&t=55125



Re: Config-register???? [7:54632]

2002-10-01 Thread Shawn Heisey

You've managed to set the router to netboot, and the console baud rate
to 19200.

Everything else is the same as the default 0x2102.

Set your baud rate to 19200, and after making sure there is no baud rate
in line con 0, get the config-register set right, and you can switch
back to 9600 baud.

Useful tool in case something like this happens again:

http://www.marcuscom.com/confregdecode.html

Thanks,
Shawn

Frank Lodato wrote:
 
 I broke in to a Cisco 2600 router today, but I didn't have access to my
 handy sheet that tells me exactly what config-register setting to type in.
 Instead of 0x2142 I put 0x2124.  Now when I hard boot the router it gives
 me 'JJJ^^'.
 Now, I've never seen this before so I'm very confused as to what to do
 next.  I can't really type anything either so it won't take commands that I
 know.  What did I do?  How can I fix it?
 Help!

-- 
Shawn Heisey
Cisco Systems USA TAC
Technical Lead for SLC-AAA-LD team




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54641&t=54632



Re: Config-register???? [7:54632]

2002-10-01 Thread Shawn Heisey

Mark,

Actually, the 'break disabled' is the default setting.  It means that
after rommon passes control to the IOS, you can't issue a break to get
back to rommon.  You can always issue the break before control is passed
to IOS, regardless of this setting.

If you turn this setting off, you can send a break at any time to get to
rommon -- even after the router is up and running.  This can be a Very
Bad Thing (tm), especially if you leave something connected to the
console port all the time.

Thanks,
Shawn


Mark W. Odette II wrote:
 
 Set your terminal app's baud rate to 19200 and see if that doesn't fix
 ya.
 
 Also, according to the nifty Config-Register calculator (from Boson's
 website), the Break Key is disabled.  So, you'll need to let the router
 boot normally, and then, via the console, go into config mode and change
 the config register to your desired setting.
 
 HTH's
 Mark
 
 -Original Message-
 From: Frank Lodato [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 01, 2002 10:10 AM
 To: [EMAIL PROTECTED]
 Subject: Config-register [7:54632]
 
 I broke in to a Cisco 2600 router today, but I didn't have access to my
 handy sheet that tells me exactly what config-register setting to type in.
 Instead of 0x2142 I put 0x2124.  Now when I hard boot the router it gives
 me 'JJJ^^'.
 Now, I've never seen this before so I'm very confused as to what to do
 next.  I can't really type anything either so it won't take commands that I
 know.  What did I do?  How can I fix it?
 Help!

-- 
Shawn Heisey
Cisco Systems USA TAC
Technical Lead for SLC-AAA-LD team




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54656&t=54632
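The decoding Shawn does by hand in the two replies above (0x2124 is the netboot boot field plus a 19200-baud console, and the break-disabled bit is already set in the 0x2102 default), as an added Python example; this is not code from the thread or from Cisco. The bit positions are the documented Cisco configuration-register bits, the boot-field wording paraphrases the documentation, and the helper names are mine.

```python
# Cisco configuration-register bits used below (documented register layout).
BOOT_FIELD_MASK = 0x000F            # bits 0-3
CONSOLE_SPEED_MODIFIER = 0x0020     # bit 5: selects the fast baud-rate set
IGNORE_NVRAM = 0x0040               # bit 6: ignore startup-config (password recovery)
BREAK_DISABLED = 0x0100             # bit 8: break ignored once IOS has control
CONSOLE_SPEED_BITS = 0x1800         # bits 11-12
BOOT_ROM_IF_NETBOOT_FAILS = 0x2000  # bit 13
DEFAULT_REGISTER = 0x2102

# Console speed: bits 11-12 pick a base rate, bit 5 moves to the fast set.
_BAUD = {
    (0x0000, False): 9600,  (0x0800, False): 4800,
    (0x1000, False): 1200,  (0x1800, False): 2400,
    (0x0000, True): 19200,  (0x0800, True): 38400,
    (0x1000, True): 57600,  (0x1800, True): 115200,
}


def boot_field_meaning(value):
    """What the low four bits make the router do at power-on."""
    field = value & BOOT_FIELD_MASK
    if field == 0x0:
        return "stay in rommon"
    if field == 0x1:
        return "boot the helper image from ROM"
    # 0x2-0xF: run the boot system commands; with none, netboot the
    # default image name, which embeds the field value.
    return f"boot system commands, else netboot default image (field {field:#x})"


def console_baud(value):
    """Console speed selected by bits 11-12 together with bit 5."""
    return _BAUD[(value & CONSOLE_SPEED_BITS, bool(value & CONSOLE_SPEED_MODIFIER))]


def decode(value):
    """Decode a register into the settings an operator cares about."""
    return {
        "boot": boot_field_meaning(value),
        "console_baud": console_baud(value),
        "ignore_nvram": bool(value & IGNORE_NVRAM),
        "break_disabled": bool(value & BREAK_DISABLED),
        "boot_rom_if_netboot_fails": bool(value & BOOT_ROM_IF_NETBOOT_FAILS),
    }


def changes_from_default(value, baseline=DEFAULT_REGISTER):
    """Only the settings that differ from the baseline: {name: (was, now)}."""
    now, was = decode(value), decode(baseline)
    return {k: (was[k], now[k]) for k in now if now[k] != was[k]}


if __name__ == "__main__":
    # 0x2124 is the mistyped value from the thread; 0x2142 is the usual
    # password-recovery value it was meant to be.
    for reg in (0x2124, 0x2142):
        print(f"{reg:#06x} vs {DEFAULT_REGISTER:#06x}: {changes_from_default(reg)}")
```

Running it on 0x2124 reports exactly the two changes Shawn names (boot field 2 to 4, console 9600 to 19200) and nothing else, while 0x2142 differs from the default only in the ignore-NVRAM bit; `decode(DEFAULT_REGISTER)["break_disabled"]` being true is the point made in the second reply.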



Re: slightly OT: Pingflood [7:54334]

2002-09-27 Thread Shawn Heisey

Sam,

Typically the ping program included with Linux has the -f option, but
you cannot use it if you are not root.

It's included in debian and redhat, not sure about other distros.

I don't have root access on any Sun boxes, so I can't tell if the option
is there or not.  You could always compile GNU ping on it if it's not an
option.

Thanks,
Shawn


sam sneed wrote:
 
 Does anyone know where I can get a copy of this or something similar for
 Linux. I found a windoze version but I need linux or UNIX.
 My ping versions of linux and SunOS do not have the -f option. The only
 version of pingflood I found on google is crap, the source code reads:
 
 void main(){
 int count=1;
 for(;count < 10;count++){
 system("ping -s 2000 targetsite");
 sleep(3);
 }
 }
 
 all this does is ping a lot, I want the version of the program that sends
 pings out faster than usual. I need to create lots of traffic to check
 response times across a router. And I want to do it without purchasing
 software (aka solarwinds WAN Killer)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54342&t=54334



Re: AAA in console [7:54282]

2002-09-26 Thread Shawn Heisey

Hidden IOS command in global config:

aaa authorization console

(that is the entire command)

Thanks,
Shawn

Newell Ryan D SrA 18 CS/SCBT wrote:
 
 How can I configure authorization on the console port?
-- 
Shawn Heisey
Cisco Systems USA TAC
Technical Lead for SLC-AAA-LD team




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54285&t=54282



Re: AAA in console [7:54282]

2002-09-26 Thread Shawn Heisey

Additional note:

The aaa authorization console command was added in 12.0(7)T by DDTS
number CSCdi82030.

It's not available on 2900XL and 3500XL switches.  This is because the
IOS on these switches was based on the 12.0(5)T IOS for routers.

Thanks,
Shawn

Newell Ryan D SrA 18 CS/SCBT wrote:
 
 How can I configure authorization on the console port?

-- 
Shawn Heisey
Cisco Systems USA TAC
Technical Lead for SLC-AAA-LD team




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=54286&t=54282



Re: Web Console of Catalyst 2924XL [7:53131]

2002-09-11 Thread Shawn Heisey

Zolla,

Chances are that you have the wrong Java plugin version for the IOS
version that you are running.

If you have Java 1.3.1, you need 12.0(5)WC5 IOS.  Earlier IOS will only
work with 1.2.2 and 1.3.0 of the plugin software.  If you have Java
1.4.x, there is not yet an IOS version that will work with it.

Best bet is to use Java 1.3.1 and 12.0(5)WC5 IOS.  If you are using
other Cisco products that require the 1.4.x plugin, you'll need to
access the switch from another system.

Thanks,
Shawn

Zolla Zimmerman wrote:
 
 Hi Everybody,
 
 I am configuring a Catalyst 2924 XL with IOS 12.0(5) for web configuration
 and it is asking password each minute even if I am not doing anything. Can
 somebody throw some light on this.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=53145&t=53131



Re: Router IOS Upgrade bug in 12.1 images [7:52489]

2002-09-04 Thread Shawn Heisey

This is not actually a bug.

Starting with 12.2(1) IOS, the 2600 and 3600 platforms support the
squeeze command.  To get it to work, you have to reformat the flash
using a 12.2 image, which creates a log file used in the squeeze
process.  That log is a few hundred K in size, and hidden.

The listed flash requirement for 12.2(8)Tx images is 16MB, and this is
part of the reason why ... even though technically it can fit in an 8MB
flash.  It's also listed that way because future versions are not going
to fit in 8MB, even formatted with old flash.

Thanks,
Shawn


Sasa Milic wrote:
 
 Speaking about upgrade bugs, I've found upgrade bug in 12.2.
 Here is what is happening, and how to overcome it.
 
 Hardware:
 ---------
 
 2600 with 8 MB flash, 12.2(8)T1 telco IOS loaded.
 
 Problem:
 --------
 
 There is 8MB flash, and I want to load 12.2(8)T2. show flash
 shows that flash is 8MB. Do erase flash to remove existing
 image from flash. Now show flash shows that there is 7.8MB
 free in flash, and 12.2(8)T2 cannot be loaded (copy tftp flash
 says that there is not enough space). squeeze doesn't help.
 
 Solution:
 ---------
 
 Load older IOS that fits into 7.8 MB, for example 12.0(7)T,
 reload router, erase flash (now it will have 8 MB free), and
 then load 12.2(8)T2.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52680&t=52489



Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52621]

2002-09-03 Thread Shawn Heisey

Magdy,

You did not make it clear what kind of device you are using.  If you are
using a PIX or other device with missing or braindead accounting, the
max-sessions feature will not work as expected.  Aironet is another
device that is broken.  If the device is non-cisco, it probably does not
send accounting in the way that ACS expects.

ACS uses accounting records to count sessions, and if those records are
not perfect, the feature will break.  Here's a URL that talks about
what's needed for the logged-in user report, which is tied in with
max-sessions:

http://www.cisco.com/warp/public/480/csntfaq.html#Q28

The PIX can do accounting, but because there's no good way to track when
a user stops using the internet, its accounting is useless to ACS as far
as session tracking.

Thanks,
Shawn

Magdy H. Ibrahim wrote:
 
 Dear All,
 
 This is my second post regarding ACS2.6 bugs...
 The problem is:
 As you know;-) I have an acs2.6 server on W2k advanced server.  My users
 use it to connect to the internet and sometimes many of my users logged
 into my network through the acs and when they disconnected from my system, I
 noticed that they still exist on the acs server, and since I made a single
 session to my users, they cannot enter again till I make a purge to the
 user.
 Please this is a big problem for me so can u help me to solve it?

-- 
Shawn Heisey
Cisco Systems USA TAC
Technical Lead for SLC-AAA-LD team




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52621&t=52621



Re: ICQ and blocking the thing-PIX [7:52285]

2002-08-30 Thread Shawn Heisey

I may be off my rocker, but I think it's possible that you could set up
an IDS system that blocks access to any IP on the outside that sends
packets to your network that look like ICQ.  At the very least it could
record the addresses for future inclusion into ACLs.

This won't block the people who set up SSH tunnelling as described in
other messages, but you can make it a violation of security policy to
use that kind of back door.

Thanks,
Shawn

Mears, Rob wrote:
 
 Hi Cisco gods,
 
 I have successfully blocked all chat services at the PIX firewall, I
 think. As I walk around and find people using MSN or Messenger I find
 that public proxy they are using and kill it too. BUT, I am having a
 hell of a time with ICQ. I do have all the ports UDP and TCP blocked so
 it does not work UNLESS they use port 80. This is where I am stuck, I
 can't block port 80 as you know so how do I kill this monster?   Has any
 one had luck with this and has anyone found a way to stop the public
 proxy usage?   I really feel as if I am fighting a losing battle, 'cause
 for every block I am countered with a way around it.
 
 My inside ACL in the pix is quite impressive and all just for blocking
 this crap, if anyone would like it for theirs I will provide as it is
 proven and works, with exception to ICQ.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=52395&t=52285



Re: Restricting VPN 3000 Groups [7:51798]

2002-08-21 Thread Shawn Heisey

Fly,

There's actually a slightly better option.

Send all your users the same profile, and use RADIUS to select the
actual VPN3000 group they will be using.  Set it up so that the group in
their profile has extremely limited access.

http://www.cisco.com/warp/public/471/altigagroup.html

Thanks,
Shawn

Fly Ers wrote:
 
 We are currently using rsa ace server to authenticate vpn clients connecting
 to vpn3000 concentrator.  we will need to create different groups depending
 on users' function, thus several pcf files will need to be deployed.  we will
 need to  restrict users to a particular vpn concentrator group. For example,
 a user inadvertently receives the wrong pcf file, we want to be able to deny
 that user access or limit his/her access.  any recommendations appreciated.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51838&t=51798



Re: 2502 Memory/Flash [7:51387]

2002-08-14 Thread Shawn Heisey

Actually it says you've got 8MB of flash and 4MB of RAM.

The 2500 series is one of the routers that has a single pool of RAM that
gets split at boot time into Processor memory and I/O memory.  On these
platforms, you add up the two numbers to get the total RAM.

A few models (particularly the AS5xxx series and XL switches) have
separate memory chips for I/O (packet) memory.  On these, only the first
number counts towards IOS requirements.

Thanks,
Shawn

Robert D. Cluett wrote:
 
 All, am I reading this right?  Does this state that there is 8MB Flash and
 2MB of DRAM?  If so, what do I need to do to get it to the latest version of
 IOS that Cisco uses for the tests?  Help would be more than appreciated!
 
 cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory.
 Processor board ID 06992214, with hardware revision 
 Bridging software.
 X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
 1 Token Ring/IEEE 802.5 interface(s)
 2 Serial network interface(s)
 32K bytes of non-volatile configuration memory.
 8192K bytes of processor board System flash (Read ONLY)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=51398&t=51387
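The memory rule Shawn gives above, applied to the `show version` memory line by a small Python parser added here (not code from the thread or from Cisco). The two real lines are quoted from this page (the 2500 line in this post and the 2600 line from the 2651 post further down); the AS5300 line and the platform-name prefixes used to recognise the separate-I/O platforms are constructed for the example, and treating the 2600 as a shared-pool platform is my assumption rather than something Shawn states.

```python
import re

# Lines quoted on this page from two show version outputs.
C2500_LINE = "cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory."
C2600_LINE = "cisco 2600 (MPC860) processor (revision 0x200) with 39936K/9216K bytes of memory."
# Constructed sample in the same shape for a platform with separate I/O
# memory; the numbers are made up for the example.
AS5300_LINE = "cisco AS5300 (R4K) processor (revision A.32) with 65536K/16384K bytes of memory."

# "cisco <platform> (...) processor (...) with <proc>K/<io>K bytes of memory."
MEMORY_RE = re.compile(
    r"^(?P<platform>cisco \S+) .*? with (?P<proc>\d+)K/(?P<io>\d+)K bytes of memory\.",
    re.IGNORECASE,
)

# Platforms Shawn names as having separate I/O memory chips (AS5xxx and
# the 2900XL/3500XL switches): only the first number counts toward IOS
# requirements there.  How those names appear at the start of the memory
# line is my assumption, not something quoted on the page.
SEPARATE_IO_PLATFORM_PREFIXES = ("cisco as5", "cisco ws-c29", "cisco ws-c35")


def parse_memory_line(line):
    """Return (platform, processor_kb, io_kb), or None for any other line."""
    m = MEMORY_RE.search(line)
    if not m:
        return None
    return m["platform"], int(m["proc"]), int(m["io"])


def has_separate_io_memory(platform):
    """True for platforms whose I/O memory is a separate chip."""
    return platform.lower().startswith(SEPARATE_IO_PLATFORM_PREFIXES)


def dram_for_ios_kb(line):
    """DRAM that counts toward an IOS image's memory requirement.

    Shared-pool routers (the 2500 in this thread) split one bank of RAM
    into processor and I/O memory at boot, so both numbers are summed.
    Separate-I/O platforms report packet memory that IOS cannot use for
    itself, so only the processor number counts.
    """
    parsed = parse_memory_line(line)
    if parsed is None:
        raise ValueError("not a show version memory line")
    platform, proc_kb, io_kb = parsed
    return proc_kb if has_separate_io_memory(platform) else proc_kb + io_kb


def meets_requirement(line, required_mb):
    """Does the box have at least required_mb of DRAM that counts?"""
    return dram_for_ios_kb(line) >= required_mb * 1024


if __name__ == "__main__":
    for line in (C2500_LINE, C2600_LINE, AS5300_LINE):
        print(f"{parse_memory_line(line)[0]:14} {dram_for_ios_kb(line) // 1024} MB usable for IOS")
```

On the 2500 line this gives the 4 MB Shawn reads from 2048K/2048K, not the 2 MB the poster feared; the 2600 line sums to 48 MB; the constructed AS5300 line counts only its first number.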



Re: Does IOS 11.1(2) support show tech command [7:50494]

2002-08-02 Thread Shawn Heisey

Jimmy,

(watch for URL wrap)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf013.htm#1068334

Introduced in 11.2 IOS.

The DDTS that implemented the command (CSCdi47180) shows integration in
10.3(12), 11.0(8), 11.1(3), and 11.2(1).

Thanks,
Shawn

Jimmy wrote:
 
 Hi all :
 
 Does anyone know whether IOS 11.1(2) supports the show
 tech command?  I have a 2501 router running on
 11.1(2) and it does not have show tech.  However
 another 2501 router running on 11.0(22) has the
 show tech command.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50533&t=50494
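The check Shawn does above, whether a running release is past the point where a DDTS was integrated into its train, as an added Python example; it is not code from the thread or from Cisco. The integration points are the four Shawn quotes for CSCdi47180; the release-string grammar (major.minor(maintenance)TRAIN[rebuild]) and the helper names are mine. When the running train is not in the list the function answers None rather than guessing, because a fix carried forward into a later train is not something the list itself shows.

```python
import re

# Release strings look like 11.1(2), 11.0(22), 12.0(7)T or 12.2(8)T1:
# major.minor(maintenance)TRAIN[rebuild].  Mainline has an empty train.
RELEASE_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)\)"
    r"(?P<train>[A-Za-z]*)(?P<rebuild>\d*)$"
)

# Integration points Shawn quotes for CSCdi47180 (the show tech DDTS).
SHOW_TECH_INTEGRATION = ("10.3(12)", "11.0(8)", "11.1(3)", "11.2(1)")


def parse_release(text):
    """Split an IOS release string into a train key and a level.

    Returns ((major, minor, TRAIN), (maintenance, rebuild)).  The key says
    which line the release belongs to; the level orders releases within
    that line, so levels are only comparable for the same key.
    """
    m = RELEASE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    key = (int(m["major"]), int(m["minor"]), m["train"].upper())
    level = (int(m["maint"]), int(m["rebuild"] or 0))
    return key, level


def integration_table(releases):
    """Map each train to the earliest level that carries the fix."""
    table = {}
    for rel in releases:
        key, level = parse_release(rel)
        table[key] = min(level, table.get(key, level))
    return table


def has_fix(running, integration_releases):
    """True/False when the running train is in the DDTS list, None when it
    is not (the fix may be inherited by a later train, but the list alone
    cannot show that, so the caller is told to look further)."""
    key, level = parse_release(running)
    table = integration_table(integration_releases)
    if key not in table:
        return None
    return level >= table[key]


if __name__ == "__main__":
    # The two routers from the question plus the first 11.2 release.
    for rel in ("11.1(2)", "11.0(22)", "11.2(1)", "12.0(7)T"):
        print(f"{rel:10} has show tech: {has_fix(rel, SHOW_TECH_INTEGRATION)}")
```

This reproduces the thread: 11.1(2) is one maintenance release short of the 11.1(3) integration point, while 11.0(22) is well past 11.0(8), which is why the two 2501s behave differently.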



Re: aux - serial connection? [7:50069]

2002-07-29 Thread Shawn Heisey

Crow,

If the 2501 is set up for async, you can do this without any problem. 
You would need the 2501 to have a DCE RS232 cable.

The speed would of course be limited to what the AUX port can do.  I
haven't been able to locate anything saying whether that is 38400 or
115200 baud on a 4000M.  What I have found suggests that it might be
38400.

Also, every character that hits the aux port on a Cisco router generates
a processor interrupt, so it's hard on the CPU.

crow wrote:
 
 hi folks !!
 
 is there a way to connect an aux (4000m router) to a serial (2501) for
 lab-purpose?
 cable is available. i would say no.
 thx in advance
 andy




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=50075&t=50069



Re: access-list for steaming audio [7:49817]

2002-07-27 Thread Shawn Heisey

Steaming audio would be caught by your porn filter!

On the other hand, StReaming audio and video tends to be very difficult
to block, as most of the programs that do that sort of thing will
function just fine on port 80.  I don't think you want to block port 80.

You didn't mention what application(s) are involved.  The best way to
find out what ports are involved is to research the individual
applications and find out what ports they use.  Alternatively, you can
try them out and get sniffer traces.

Thanks,
Shawn

Spencer Plantier wrote:
 
 Which ports need to be blocked for streaming video and
 audio.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49824&t=49817



Re: Cisco 2651 Problem [7:49815]

2002-07-26 Thread Shawn Heisey

To reinstall the IOS on a 2600 with an incorrect image, you will need to
use TFTP from ROMMON.

http://www.cisco.com/warp/public/471/76.html

Make sure the image that you download is correct for the exact 2600
model you have.  For the 2651, depending on what you want to do, I would
use a 12.2 mainline or 12.2T image.

Thanks,
Shawn

Curious wrote:
 
 Re-Install the Correct IOS.
 
 . .  wrote in message
 news:[EMAIL PROTECTED]...
  Hi
 
  I have a Cisco 2651 with two Fast Ethernet interfaces. I have accidentally
  installed a Cisco 2600 IOS image.  Now when I do a show run the interfaces
  are not there anymore.  I tried to make it to boot from boot but the
  interfaces are not showing up.
 
  If you can give me some help, that would be great
 
  Thanks
 
  ===
  Router#show running-config
  Building configuration...
 
  Current configuration:
  !
  version 12.0
  downward-compatible-config 12.1
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  no service dhcp
  !
  hostname Router
  !
  boot system rom
  !
  !
  !
  !
  !
  ip subnet-zero
  !
  !
  !
  !
  ip classless
  no ip http server
  !
  !
  line con 0
  transport input none
  line aux 0
  line vty 0 4
  login
  !
  end
 
  Router#
  Router#show version
  Cisco Internetwork Operating System Software
  IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T,  RELEASE SOFTWARE
  (fc2)
  Copyright (c) 1986-1999 by cisco Systems, Inc.
  Compiled Tue 07-Dec-99 02:12 by phanguye
  Image text-base: 0x80008088, data-base: 0x807AAF70
 
  ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
 
  Router uptime is 0 minutes
  System returned to ROM by power-on
  System image file is flash:c2600-i-mz.120-7.T
 
  cisco 2600 (MPC860) processor (revision 0x200) with 39936K/9216K bytes of
  memory.
  Processor board ID JAB05410GVS (3360889488)
  M860 processor: part number 5, mask 2
  Bridging software.
  X.25 software, Version 3.0.0.
  32K bytes of non-volatile configuration memory.
  8192K bytes of processor board System flash (Read/Write)
 
  Configuration register is 0x2102
 
  Router#show flash
 
  System flash directory:
  File  Length   Name/status
  1   4209848  c2600-i-mz.120-7.T
  [4209912 bytes used, 4178696 available, 8388608 total]
  8192K bytes of processor board System flash (Read/Write)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49842&t=49815



Re: Cisco IOS Docs Hardcopy? [7:49444]

2002-07-23 Thread Shawn Heisey

Virtually any Cisco contract will entitle you to free documentation.  If
it shows up with an orderable quantity in the product upgrade tool, then
you can get it for free.

Thanks,
Shawn

Mark W. Odette II wrote:
 
 Jason,
 
 Funny you should mention it.
 
 I just received my order of documentation, which I placed over a month
 ago.
 
 One thing for sure, I got more documentation than I realized I ordered-
 and it was all free.  I did not find an indication of charge for
 shipping or the docs themselves.  Now I have enough documentation to
 fill 5 bookshelves!
 
 ... and yes, part of that documentation is the 12.2 docs-- config guide,
 debug docs, command guide, Voice-Video-Fax docs, and the list goes on.
 
 All of it is soft-cover though, so don't expect hard-cover.
 
 I received 1 very large box, a medium sized box, several small boxes and
 bubble envelopes... 11 pieces in all.
 
 Some of that was Voice docs though... ICS 7750, IP Phones, Call Manager,
 CiscoWorks for Voice, etc.
 
 I figured, if it was free, and I want to familiarize myself with that
 stuff for the future, why the heck not order it!
 
 I believe my Reseller Status is what allowed me to order it all for free
 though.
 
 Good Luck!
 
 Mark Odette II
 StellarConnection Services
 CCNP, MCSE, A+ Certified.
 
 -Original Message-
 From: Barbee Jason [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 23, 2002 10:37 AM
 To: [EMAIL PROTECTED]
 Subject: Cisco IOS Docs Hardcopy? [7:49444]
 
 When logged in to CCO, I can go to the Product Upgrade tool, select
 documentation, and see a large list of available documentation. I would
 like
 to order the documentation set for 12.2, but I do not see it on the
 list.
 Is there a way to order the complete set? or should I just enter
 quantity 1
 for all the IOS documenations.
 And I'm concerned about billing too, it appears it will charge our Cisco
 Reseller for the shipping and/or costs.
 Do these documents cost anything or is it just the cost of shipping?
 
 I thought I had read a thread that mentioned this somewhere, but I
 couldn't
 find it using the groupstudy google search engine, and the older archive
 search engine gave a glimpse not found error. I apologize if some of the
 questions here have already been answered.

-- 
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=49473&t=49444



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Shawn Heisey

Pat,

The 8th layer policy idea is good.  I would take that one step
further, after checking with your legal department to make sure they
don't have a problem with it and that it's airtight:

In addition to the disciplinary action up to and including termination
clause, incorporate in company policy a clause something like this: 
Any personal computer or networking equipment that is plugged into
company infrastructure without explicit approval is forfeit and becomes
the property of the company.

This is particularly effective if your policies include a statement that
those who agree to it also agree to any future revisions of said policy.

As for a technical way to stop it ... shutdown all unused switchports,
or assign them to a VLAN that goes nowhere.  You'd still need to check
for rogue equipment -- someone could set up their machine with two NICs,
hang an AP off one of them, and make it work with address translation.

Thanks,
Shawn

Patrick Donlon wrote:
 
 Thanks Chris, I was thinking more about securing the switch ports by
 authenticating mac's (probably a bit OTT) or using SNMP to check for new
 devices, any other ideas?  I've already set up a wireless LAN here with WEP
 with authentication on an ACS server, which is a waste of time when you have
 people setting up their own kit.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47391&t=47287



Re: Rogue Wireless LANs [7:47287]

2002-06-25 Thread Shawn Heisey

 Question: Is Cisco's LEAP better than WEP? Does it have the same purpose
 but without some of the issues? I should know this, but I don't use Cisco
 for wireless (shame, shame).

It's not that it's better than WEP, it just provides reasonably secure
authentication and a bandaid for WEP's security issues.

Using LEAP or EAP-TLS provides a dynamic unicast WEP key.  If you
specify RADIUS attribute 27 (Session-Timeout) then the connection will
be cut after that many seconds.  When it reauthenticates, a new WEP key
is in place.

Thanks,
Shawn




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47413&t=47287



Re: serial interface down/down or up/down [7:47101]

2002-06-21 Thread Shawn Heisey

I've seen both down/down and up/down in real-world scenarios.  The
difference between the two seemed to be the intelligence of the CSU/DSU.

With a recent Adtran unit, it goes down/down - if the CSU is down, it
takes down the DSU.  I did not delve into the configuration to see if
this behavior could be changed.

A very old Black Box unit that I've played with will happily keep the
DSU up regardless of the state of the CSU.  This one was configured with
DIP switches, and I didn't see a way to change the behavior.


Priscilla Oppenheimer wrote:
 
 I guess the question is too hard for a practice test if NOBODY can answer
 it!?
 
 Here's the thing: Cisco says that a down/down interface means the router
 interface is not sensing a Carrier Detect signal (that is, the CD is not
 active).
 
 Now, from my studies of V.35 I know that data carrier detect (DCD or CD)
 comes from the DCE side of the V.35 link, carried on pin 8, yadda, yadda.
 It comes from the data interface on the DSU side of the CSU/DSU.
 
 If the router is correctly connected to the CSU/DSU, will it see CD or does
 the answer depend on whether the CSU/DSU is also correctly talking to the
 telco?
 
 Does carrier detect mean literally what it sounds like it means? Would
 the CSU/DSU not assert CD if there was a problem on the telco side? And
 hence the router wouldn't see CD and would say the interface was down/down.
 
 Not something I can easily test. Maybe I better simplify the question. ;-)
 
 Priscilla
 
 At 06:34 PM 6/20/02, Priscilla Oppenheimer wrote:
 Hi Group Study,
 
 While writing some questions for a practice test, I found myself
 questioning what I thought was the right answer. Here's the scenario:
 
 A Cisco router serial interface is correctly connected with a good V.35
 cable to the data port on the DSU side of a CSU/DSU. The CSU/DSU has been
 misconfigured for the framing method (SF instead of ESF). The framing
 doesn't match what the provider is using. (The question refers to a CSU/DSU
 that is external to the router, not one that is built into the router.)
 
 Will the Cisco router serial interface be down/down or up/down?
 
 And, would the answer be any different if the question has to do with
 misconfiguring the encoding (AMI versus B8ZS)?
 
 If you have real-world experience with this, that would help. I have read
 the Cisco documentation and the troubleshooting charts, etc.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=47159&t=47101



Re: Cisco ACS db corrupt?? [7:46882]

2002-06-18 Thread Shawn Heisey

Are you by chance using a UNIX browser to do this?  Only browsers on
Microsoft operating systems will properly enter a password into a user. 
There's a DDTS (CSCdu40827), but it's been postponed.

Other than that -- yes, it's possible for the database to be corrupt. 
To rule this out, I would recommend the following steps.  These are run
from a command prompt in the UTILS directory, with all services running:

csutil -q -b recovery.cab
net stop csauth
csutil -q -d -n -l
net start csauth

This will make a full backup, then do a text dump of the user database,
wipe the user database, and reimport the text dump.

Thanks,
Shawn

Patrick Donlon wrote:
 
 Patrick Donlon wrote:
 
  I have a problem with the local database on a 2.6(6) ACS server. All
  users use an external database  for authentication (NT or RSA) but I
  want to create a user with a password stored in the ACS server. I can
  create a new user and assign all the correct attributes without any
  errors, however when I try to login with the user they are rejected. The
  logs show the user is rejected due to the CS password : CS password
  invalid .
  I have tried to create other users and also to change users account
  setting so that they authenticate using the CS password, with no luck.
  So I think there is a problem with the passwords stored in the ACS
  server
  We have upgraded the server twice in the past 8 months for new features
  and bug fixes whether this has caused the problem I don't know. Any
  ideas on how to verify or fix this?

-- 
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46895&t=46882



Re: authentication and router [7:46932]

2002-06-18 Thread Shawn Heisey

George,

Make sure that you have an enable secret defined.  It SHOULD work with
the enable password, but you never know.

You might see something useful in the following debugs:

debug aaa authen
debug aaa author
debug tacacs
debug aaa subsys !! not supported by all releases
debug tacacs authentication !! not supported by all releases
debug tacacs authorization !! not supported by all releases
debug tacacs events !! not supported by all releases

If you are running a 12.2 non-mainline version (has letters after the
right parenthesis in show ver), it's not very stable - AAA was
rewritten.

Thanks,
Shawn

GEORGE wrote:
 
 I just configured my router to authenticate with Cisco Secure; everything
 works ok, except if I try to console I get a password prompt, and if I stop
 Cisco Secure I get a password prompt.
 Now I tried to enter my enable password and it won't work.
 Am I missing something here?
 
 
 
 aaa new-model
 aaa authentication login default group tacacs+ enable
 aaa authentication login local local
 aaa authentication login no_tacacs enable
 aaa authentication ppp default if-needed group tacacs+
 aaa authorization exec default group tacacs+ local
 aaa authorization network default group tacacs+
 aaa accounting exec default start-stop group tacacs+
 aaa accounting network default start-stop group tacacs+
 
 
 
 line con0
 line authentication no_tacacs




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46941t=46932
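The point in Shawn's reply is that the console must resolve to a method list
that does not depend on the TACACS+ server, and that the "enable" method
should be backed by an enable secret.  The following is an added example,
not code from this thread or from Cisco: a small offline audit of IOS
"aaa authentication login" lists and the lines that reference them.  The two
configs are constructed samples; the first reproduces George's AAA block as
posted (note that "line authentication" is not an IOS sub-command, the real
one is "login authentication", so the console silently falls back to the
default list), the second is the intended setup with a placeholder enable
secret.  The IOS syntax it parses is from memory and covers only the
commands shown.

```python
"""Offline audit of IOS 'aaa authentication login' lists and the console/vty
lines that use them (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the AAA block from the post above, console sub-command
# reproduced as posted ("line authentication" is not an IOS command; the real
# sub-command is "login authentication"), and no 'enable secret'.
WEAK_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login local local
aaa authentication login no_tacacs enable
line con0
 line authentication no_tacacs
line vty 0 4
"""

# Constructed sample of the intended setup: console bound to no_tacacs with
# the correct sub-command, enable secret present (hash is a placeholder).
FIXED_CONFIG = """
aaa new-model
enable secret 5 $1$xxxx$placeholderplaceholderpl
aaa authentication login default group tacacs+ enable
aaa authentication login no_tacacs enable
line con 0
 login authentication no_tacacs
line vty 0 4
 login authentication default
"""


def parse_methods(text: str) -> List[str]:
    # 'group tacacs+ enable' -> ['group tacacs+', 'enable']
    toks = text.split()
    methods, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            methods.append("group " + toks[i + 1])
            i += 2
        else:
            methods.append(toks[i])
            i += 1
    return methods


def parse_aaa(config: str) -> Tuple[Dict[str, List[str]], Dict[str, Optional[str]], bool]:
    """Return (login lists, list named by each line or None, enable secret present)."""
    lists: Dict[str, List[str]] = {}
    lines: Dict[str, Optional[str]] = {}
    has_secret = False
    current: Optional[str] = None
    for raw in config.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        m = re.match(r"^aaa authentication login (\S+)\s+(.+)$", s)
        if m:
            lists[m.group(1)] = parse_methods(m.group(2))
            continue
        if s.startswith("enable secret "):
            has_secret = True
            continue
        m = re.match(r"^line (con|aux|vty)\s*(.*)$", s)
        if m:  # "line con0" and "line con 0" both become "con 0"
            current = (m.group(1) + " " + m.group(2)).strip()
            lines.setdefault(current, None)
            continue
        m = re.match(r"^login authentication (\S+)$", s)
        if m and current is not None:
            lines[current] = m.group(1)
    return lists, lines, has_secret


def effective_methods(config: str) -> Dict[str, List[str]]:
    """Methods each line really uses: its own list, else 'default'."""
    lists, lines, _ = parse_aaa(config)
    return {name: lists.get(ref or "default", []) for name, ref in lines.items()}


def audit(config: str) -> List[str]:
    lists, lines, has_secret = parse_aaa(config)
    findings: List[str] = []
    if not has_secret:
        findings.append("no 'enable secret': the 'enable' method falls back to the "
                        "'enable password', stored cleartext or reversibly (Type 7)")
    referenced = {ref or "default" for ref in lines.values()}
    for name in sorted(lists):
        if name != "default" and name not in referenced:
            findings.append(f"list '{name}' is defined but no line uses it "
                            "(mistyped 'login authentication' sub-command?)")
    for name, ref in sorted(lines.items()):
        eff = ref or "default"
        methods = lists.get(eff)
        if methods is None:
            findings.append(f"line {name}: list '{eff}' referenced but never defined")
            continue
        if "none" in methods:
            findings.append(f"line {name}: list '{eff}' contains 'none' (no authentication)")
        if methods and all(m.startswith("group ") for m in methods):
            findings.append(f"line {name}: list '{eff}' has no local fallback; "
                            "lockout if every AAA server is unreachable")
    return findings
```

Running audit(WEAK_CONFIG) reports the missing enable secret and the two
lists ("local", "no_tacacs") that nothing references, which is exactly the
symptom in the post: the console is really using "default" (TACACS+ first,
then the enable password).  audit(FIXED_CONFIG) returns no findings.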



Re: Default Password [7:46536]

2002-06-14 Thread Shawn Heisey

Removing and reinstalling the program should take care of it.

http://www.cisco.com/warp/public/102/wlan/pwrec-2.html#cem

Thanks,
Shawn

Kevin Wigle wrote:
 
 I have some old client software for a wireless LAN card.
 
 I would like to set a WEP key but you need the default password to get into
 the Encryption Manager.
 
 This is version 4.10 which says "Aironet", CCO's docs start at 4.12 which
 says "Cisco".
 
 Cisco's default is "Cisco" but that doesn't work.
 
 I have a Xircom PC Card and its default is "Xircom" and that worked.
 
 Tried all kinds of combinations around Cisco/Aironet but no luck.
 
 Does anybody know the default password for this version??
 
 (yes I'll be attempting to upgrade the software)




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46582t=46536



Re: 3550-24 Question [7:46572]

2002-06-14 Thread Shawn Heisey

Brian,

All the licensing of software for Cisco products is per server/device
unless specifically stated otherwise.  Usually those special situations
involve explicit backup/failover, and the second unit can't stand
alone.  The PIX and CiscoSecure ACS for UNIX are two products where this
is the case.  Of course, these two products include license enforcement.

In the case of a switch or router, you can do more than pure redundancy
with two devices, so you have to purchase a software license for each of
them.

Thanks,
Shawn

Brian Zeitz wrote:
 
 I just checked with CDW, its 1500$ for the upgrade for the SMI to EDI
 for the 3550. Which brings me to my next question. If I have 2 switches,
 in a cluster, do I need a license for both. Man, $3000 to do layer 3
 switching!
 
 -Original Message-
 From: jeff sicuranza [mailto:[EMAIL PROTECTED]]
 Sent: Friday, June 14, 2002 10:42 AM
 To: [EMAIL PROTECTED]
 Subject: RE: 3550-24 Question [7:46572]
 
 I had the same question so I opened a TAC case to get an answer. Here is
 my first response for those interested...
 
 *** NOTES LOG 13-JUN-2002 16:26:43 PST, emailcio, Action Type: Action
 ***
 Technology(T1): LAN Switching
 Sub-Technology(T2): Cat3550
 Problem Summary(T3): Upgrading Software and Working with Configuration
 Files
 Software Version: 12.1
 Router Node/Name:
 Contract: xx
 Problem Description: We have just purchased a Cisco WS-C3550-24-SMI
 switch.
 Can I just go to the CCO Software center and download the following to
 upgrade my unit from SMI to EMI?
 
 c3550-i5q3l2-tar.121-9.EA1c.tar
 c3550 EMI IOS Image and CMS Files
 
 Is the above the download the CD-3550-EMI= product?
 
 What is the CD-3550-EMI= and how do I obtain it, if required, to upgrade
 my switch to EMI?
 Thank you..
 
 Please contact customer via email: [EMAIL PROTECTED]
 Email: [EMAIL PROTECTED]
 Phone: 516-796-9607
 Urls shown to the user :
 http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550sc
 g/swiosfs.htm
 http://www.cisco.com/public/sw-center/sw-lan.shtml
 http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550sc
 g/swtrbl.htm
 
 *** EMAIL OUT 13-JUN-2002 16:57:09 PST, jerlim, Action Type: Email Out
 ***
 Send to:
 Jeff,
 Hi my name is TAC GUY and I'm the engineer that is working on your case
 C806967. I see you are interested in installing the EMI software on your
 3550. While you can download it from CCO you may need to contact your SE
 or
 our Entitlement group to get approval or purchase the software. The
 software
 that you listed in the case notes would be the correct software to
 install.
 If you have any questions please do not hesitate to email or phone me.
 Thanks,
 TAC GUY
 
 *** STATUS CHANGE 13-JUN-2002 16:57:09 PST, jerlim, Action Type: ***
 
 I will follow-up with the SE to see what the deal is.. Unless in the
 meantime does somebody want to try the file I have listed above?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46598t=46572



Re: 3550-24 Question [7:46572]

2002-06-14 Thread Shawn Heisey

Jeff,

You can download the file, but legally you are only authorized to use it
if your switch was purchased with the enhanced software, or if you
purchase the upgrade.

Cisco does watch who downloads which software, and checks it against
what the downloading user is entitled to.  If it doesn't match up, you
might get contacted about the download, especially if you get each new
version as it comes out.

Thanks,
Shawn

jeff sicuranza wrote:
 
 Thanks Radford, I saw the same thing but it was still unclear from Cisco's
 tac response. Is the downloadable file the CD-3550-EMI= and all you need is
 a valid CCO account to upgrade? Or do you have to spend x amount of $$ to
 purchase a special download for the CD-3550? According to the response it
 looks like all I have to do is just download the file, which I did, but all
 of this SE or our Entitlement group to get approval nonsense has confused
 me...

-- 
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46618t=46572



Re: 3550-24 Question [7:46572]

2002-06-14 Thread Shawn Heisey

No problem ... splitting hairs is how technical people work. :)

Your interpretation is correct.

The only actual difference between the SMI and EMI switches is the
software loaded on them.  Everything else is a matter of licensing. 
Loading the EMI software on a switch without an EMI license is illegal.

This has been done before with 1900 and 2900XL switches - the Standard
Edition and Enterprise Edition software.  They stopped it with the
2900XL, and just made all newer versions Enterprise.  The 1900 still has
the distinction, but if it's not EOS/EOL already, it will be soon.

It's similar to Router IOS -- When you purchase a router with IP only
IOS, it's perfectly possible to download and install Enterprise/FW Plus
IPSEC 3DES (provided you have enough memory).  Doing so without paying
Cisco for the software license is illegal.

Thanks,
Shawn

jeff sicuranza wrote:
 
 Thanks Shawn. I know this is splitting hairs but I just wanted to clarify a
 few things so folks on this board and myself are clear on the policy and we
 do not end up in Cisco jail, purchase the wrong switch options or damage
 the switch by loading the wrong software.
 
  So what you are saying is that the file listed on CCO is the CD-3550-EMI=
 upgrade? Correct?
 
  If you buy a switch with just SMI installed but do have a CCO contract,
 but it (the CCO account) does not cover the 3550 entitlement, you can still
 download the file and install it (it will work??) but you are doing
 something illegal?  Correct?
 
 The above scenario also applies to someone who buys the switch used with
 SMI installed and borrowed someone's CCO account, regardless of account
 entitlement status, downloads the software and upgrades their switch.
 This is also illegal in Cisco's eyes.  Correct?
 
 If a person buys a switch with a SMI installed but has a valid CCO account
 with the proper 3550 EMI entitlement on the CCO account, then all that is
 needed to upgrade the switch from that point is just a download of the file
 and follow the install instructions?  Correct?
 
 You see I was confused that the CD-3550-EMI is an actual physical product
 ordered and is received on a CD or via special download with a key or
 something that is required for you to upgrade from SMI to EMI. However, I
 see the EMI IOS on the 3550 download page.
 
  The reference to CD-3550-EMI is a logical reference to CCO entitlement
 privilege level. So Cisco is basically using a monitored "Honor System"
 when it comes to the downloads??? Correct?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46624t=46572



Re: which is the best Router for the following tasks [7:46288]

2002-06-12 Thread Shawn Heisey

Just when you thought you had a lock on all the router models ... :)

http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1760e_ds.htm

John Kaberna wrote:
 
 2611 if you want Ethernet and 2621 if you want Fast Ethernet.  I generally
 don't like to work with anything under a 2600.  You can also look at the
 1751.  The problem with the 17XX series is they aren't rack mountable.
 
 Fab Perez wrote in message news:[EMAIL PROTECTED]...
  Hi news
 
  I need to pickup a Router with the following features:
  _ 2 Ethernets
  _ 1 V.35 Serial / Sync
  _ QoS
  _ Load Balancing (EIGRP ?)
  _ NAT
  _ Firewall




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46349t=46288



Re: 3600 10MB port duplex? [7:46250]

2002-06-11 Thread Shawn Heisey

Patrick,

I'm thinking that you actually mean a 2610.  I've never heard of a 3610.

Yes, 10Mb ports on 2600 routers will do full duplex.  12.0(4)T minimum
IOS is required.  I had problems with it at 12.0(7)T ... recommended IOS
would be 12.1 mainline or 12.2 mainline.  If duplex is not configured,
it will run at half.

I haven't been able to locate a public page stating this, but I know
from experience that it can do it.

Thanks,
Shawn

Patrick Donlon wrote:
 
 Hi All
 
 I've a dead simple question for anyone with a 3610 at their disposal, I'd
 like to know whether the built in 10MB ethernet port will run at full
 duplex. Reason why is I don't have a 3610 with one of these I can access
 and I've been told by ATT that their router will only run at half-duplex
 and 10MB




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46267t=46250



Re: 3600 10MB port duplex? [7:46250]

2002-06-11 Thread Shawn Heisey

The 3620 is the same - 12.0(4)T to get full duplex on 10Mb ethernet
ports.

I found a public URL for the NM-1E2W and NM-2E2W modules, but not for
the NM-1E and NM-4E modules.  The internal page does say the latter can
do it as well, at 12.0(4)T.

http://www.cisco.com/warp/public/107/nm-e2w.shtml

Thanks,
Shawn


Pat Donlon wrote:
 
 Shawn you're dead right, sorry 3620, can't touch the image I'm afraid as
 it's a managed router. I too have searched through the CCO and couldn't
 find anything that documents this,




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46278t=46250



Re: Privilige Password Advice ... [7:46246]

2002-06-11 Thread Shawn Heisey

Paul,

AAA is what I do, so I would recommend that.  Unless you've got a small
handful of routers and the configs rarely change, AAA makes your life
much easier.

TACACS+ would have let you get much more specific on what commands the
outside company could run - command authorization.

If you have any UNIX systems, you can get the freeware TACACS+ server
from Cisco and compile that.  If you have Debian or RedHat Linux, I know
for sure that it's available as a binary package right on the CD.

http://www.cisco.com/warp/public/480/tacplus.shtml

Thanks,
Shawn

Paul wrote:
 
 Hi ...
 
 I am just about to change all the router/switch passwords in my company
 (about 40) ... I have only been there several weeks and I have only worked
 in a very small routing/switching environment before.
 
 I have had to give access to an outside company so they can monitor certain
 WAN links they have set up ... I have set up privilege level 7 for these
 guys with a relevant line vty username and password, and priv level 15 for
 me.
 
 All the routers and switches currently have different passwords, because I
 have very little experience in this field .. I was wondering what the norm
 would be??? and what you guys yourselves have done in situations like this
 ... or is there another way I could do this??? Oh yes ... and I don't have
 any TACACS or Radius servers or the such for remote authentication.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46284t=46246



Re: Using Catalyst 2950 switch [7:46062]

2002-06-07 Thread Shawn Heisey

Autosensing can work very well, depending on the NIC.

It's important that both sides be set the same.  If one side is set for
autosense and the other side is hardset, the autosense side will almost
always pick half duplex.

If you have any issues at all with autosensing, check layer 1, then once
you know that's OK, hardset speed and duplex on both the NIC and the
switch.

Thanks,
Shawn

George Kallingal wrote:
 
 I want to use the Catalyst 2950T-24 in my Windows NT/2000 and Linux
 network.
 According to the specs, it states that it does provide 10/100 autosensing.
 I wanted to know if anyone has run into problem with the autosensing
 feature.  Or should duplex be hardcoded?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=46069t=46062



Re: Dropping Characters on Reverse Telnet [7:45729]

2002-06-04 Thread Shawn Heisey

Every character that is processed by an AUX port creates an interrupt,
so the AUX port hits the CPU harder than any other port running at the
same speed.  CPU utilization at 35% shouldn't be enough to cause the
problem you're seeing.

One thing you'd want to make sure of is that you are not trying to use a
baud rate higher than 9600, and that you have set flow control to none,
stop bits to 1, and configured 'no exec' on the aux port.  Similar
settings should be configured on the console port at the other end,
though it does of course need 'exec'.  Make sure that none of the router
lines include the command logging synchronous.

Console ports run at 9600 baud by default because they have no flow
control lines.  Higher speeds cannot be guaranteed to work reliably,
though they often do.

It's always possible that you've run into a bug.  My personal favorites
for IOS version are 12.1(15) if you can run it, 12.0(22) or 11.3(11c) if
memory isn't sufficient.

Recommended config:

2514 aux port:
!
line aux 0
 speed 9600
 flowcontrol none
 stopbits 1
 no exec
!

25xx router:
!
line con 0
 speed 9600
 flowcontrol none
 stopbits 1
 exec
!
config-register 0x2102
!

Thanks,
Shawn

Michael Gunnels wrote:
 
 I've been having a strange problem.  When reverse
 telnetting from my 2514's AUX port to my 25xx's
 console port (I've tried multiple routers).  I am
 sometimes losing packets during show commands.  The
 router that initiates the reverse telnet cpu is at
 most 35%.  I've tried using variations of flow control
 on both routers, but it doesn't seem to make much
 difference.  Has anyone else experienced this?  It's
 driving me nuts!  It skips and jumbles things
 together.  It only shows up when reverse telnetting.
 If I'm consoled in or regular telnet ting their is no
 problem.  Please help.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45761t=45729



Re: Show Interface Output [7:45716]

2002-06-03 Thread Shawn Heisey

Zahid,

The 'show interface' command would show the actual traffic going through
the interface.

You probably are after the 'show interface <interface> rate-limit' command
instead [shown here on 12.2(7a)]:

milliways#show int f0/0.102 rate-limit
FastEthernet0/0.102 
  Input
matches: all traffic
  params:  128000 bps, 24000 limit, 32000 extended limit
  conformed 200597 packets, 36550102 bytes; action: transmit
  exceeded 616 packets, 895075 bytes; action: drop
  last packet: 59244ms ago, current burst: 7483 bytes
  last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
  Output
matches: all traffic
  params:  128000 bps, 24000 limit, 32000 extended limit
  conformed 220716 packets, 103342492 bytes; action: transmit
  exceeded 7757 packets, 11884318 bytes; action: drop
  last packet: 59168ms ago, current burst: 0 bytes
  last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
milliways#


Zahid Hassan wrote:
 
 Dear All,
 
 I would really appreciate if someone would shed some light into my
 following question:
 
 I have configured rate-limit on an interface. When I do show interface
 fa0/0, do I see the number of bit/s under the 5 min input and output rate
 after the rate-limit has been applied, or the actual bits/s the interface
 is receiving or transmitting?
 
 Thanks in advance,
 
 Zahid




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45718t=45716
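The rate-limit counters are worth watching rather than just reading once:
a policer that normally drops almost nothing and suddenly drops a large
share of a direction is the cheapest signal that a flood is hitting the
interface.  The following is an added example, not code from this thread:
a parser for the 'show interface <interface> rate-limit' output format
shown above, with the quoted output re-typed as a constructed test sample,
that computes the dropped share per direction and flags directions over a
threshold.  The 5% threshold and the function names are my own choices.

```python
"""Parse 'show interface <if> rate-limit' output and report how much of each
direction the policer is dropping (added example, not from the thread)."""
import re
from typing import Dict, List

# Constructed input: the output quoted in the post above, re-typed here.
SAMPLE_OUTPUT = """FastEthernet0/0.102
  Input
    matches: all traffic
      params:  128000 bps, 24000 limit, 32000 extended limit
      conformed 200597 packets, 36550102 bytes; action: transmit
      exceeded 616 packets, 895075 bytes; action: drop
      last packet: 59244ms ago, current burst: 7483 bytes
      last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
  Output
    matches: all traffic
      params:  128000 bps, 24000 limit, 32000 extended limit
      conformed 220716 packets, 103342492 bytes; action: transmit
      exceeded 7757 packets, 11884318 bytes; action: drop
      last packet: 59168ms ago, current burst: 0 bytes
      last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
"""

PARAMS_RE = re.compile(r"params:\s+(\d+) bps, (\d+) limit, (\d+) extended limit")
COUNTER_RE = re.compile(r"(conformed|exceeded) (\d+) packets, (\d+) bytes; action: (\S+)")


def parse_rate_limit(text: str) -> Dict[str, dict]:
    """{"Input": {...}, "Output": {...}} with the policer parameters and the
    conformed/exceeded packet and byte counters plus their actions."""
    stats: Dict[str, dict] = {}
    direction = None
    for raw in text.splitlines():
        s = raw.strip()
        if s in ("Input", "Output"):
            direction = s
            stats[direction] = {}
            continue
        if direction is None:
            continue
        m = PARAMS_RE.match(s)
        if m:
            stats[direction]["rate_bps"] = int(m.group(1))
            stats[direction]["normal_burst"] = int(m.group(2))
            stats[direction]["extended_burst"] = int(m.group(3))
            continue
        m = COUNTER_RE.match(s)  # anchored, so the 'last cleared ...' line is skipped
        if m:
            stats[direction][m.group(1)] = {
                "packets": int(m.group(2)),
                "bytes": int(m.group(3)),
                "action": m.group(4),
            }
    return stats


def drop_ratio(stats: Dict[str, dict], direction: str) -> float:
    """Share of bytes the policer actually dropped in one direction.
    Exceeded traffic only counts as dropped when the exceed action is 'drop';
    a policer that re-marks instead of dropping reports 0 here."""
    d = stats[direction]
    exceeded = d.get("exceeded", {"bytes": 0, "action": "transmit"})
    conformed = d.get("conformed", {"bytes": 0})
    total = conformed["bytes"] + exceeded["bytes"]
    dropped = exceeded["bytes"] if exceeded["action"] == "drop" else 0
    return dropped / total if total else 0.0


def policed_directions(stats: Dict[str, dict], threshold: float = 0.05) -> List[str]:
    """Directions whose dropped share is at or above the threshold."""
    return [d for d in stats if drop_ratio(stats, d) >= threshold]
```

On the sample output the input policer drops about 2.4% of bytes while
the output policer drops about 10.3%, so only "Output" crosses the 5%
line; diffing these ratios between two collections, rather than the raw
counters, is what makes a sudden change stand out.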



Re: CCIE Lab Reading [7:45486]

2002-05-31 Thread Shawn Heisey

I have a set of 12.2 IOS documentation at home ordered for free with a
smartnet contract.  It would be worth ordering a smartnet contract on
your smallest piece of Cisco hardware just for the documentation you can
get for free.

http://www.cisco.com/upgrade

Thanks,
Shawn

MADMAN wrote:
 
 We have a very large smartnet contract and used to get the hard copies
 as they came out.  The last hardcopies I seen were 11.2.  I don't even
 know if they print them anymore.
 
   Dave
 
 Brad Ellis wrote:
 
  John,
 
  I believe if you have a smartnet contract, you can get the IOS manuals
  free from Cisco (at least you could a couple years ago).




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45560t=45486



Re: CCIE Lab Reading [7:45486]

2002-05-31 Thread Shawn Heisey

Any documentation can be ordered with a smartnet contract.  Take your
contract number and visit http://www.cisco.com/upgrade ... CCO login
required.  It will give you a list of all documentation that can be
ordered.

I even ordered the Internetworking Terms and Acronyms book. :)

Thanks,
Shawn

Jeff Harris wrote:
 
 Is this set for all products or just the products that you have a contract
 on? Just wondering as we don't have any manuals at all (besides the little
 getting started booklets that come with WIC's and whatnot). We're a Premier
 Partner as well..




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45568t=45486



Re: Fast Ether Channel [7:45271]

2002-05-29 Thread Shawn Heisey

I believe that with all currently supported hardware, FE or GE are the
minimum requirements.  You should be able to run it at any supported
speed, as long as both ends match.

Some of the older switches like the Cat3000 supported EtherChannel on
10Mb interfaces.  While you can still find these switches, they have
reached End Of Life.

As far as routers, only the larger hardware like the 7x00 series and the
router modules for the Cat5K/Cat6K support etherchannel.  As far as I
have been able to determine, it's not supported on 10Mb router
interfaces at all.  I haven't verified this absolutely, though.

Thanks,
Shawn

Michael L. Williams wrote:
 
 I appreciate your information, Joseph.  I guess my question was more toward
 the types of interfaces that will run etherchannel.  i.e. if you're
 knocking the speed down on a FastEthernet interface to 10Mbps, it's still a
 FastEthernet interface, not Ethernet interface.
 
 One of the requirements for an etherchannel bundle is that all of the ports
 (interfaces) in the bundle all be matching speed/duplex.  So it would make
 sense that you could knock 100Mbps interfaces down to 10Mbps (as long as
 they all match) and it still work.
 
 But are they any Ethernet interfaces (not Fast- or Gig-Ethernet) on any
 Cisco devices that support Etherchannel.  I'm thinking there's not, but
 that's not to say there's not some switch/router out there that may violate
 this Cisco rule of thumb  (being you can only do EtherChannel on Fast- or
 Gig-Ethernet)
 
 Mike W.
 
 Brunner Joseph wrote in message news:[EMAIL PROTECTED]...
  tested it.. works on 3548XL but not on 7206VXR (command was not under int
  e4/0). On the 3548XL I just set hardcode 10, so it must be in the
  hardware
 
  !3548XL
 
  !
  interface FastEthernet0/1
   speed 10
   port group 3
   spanning-tree portfast
  !
  interface FastEthernet0/2
   speed 10
   port group 3
   spanning-tree portfast
  !
 
 
  3548XL_1#sh port group
  Group  Interface        Transmit Distribution
  -----  ---------------  ---------------------
  3      FastEthernet0/2  source address
  3      FastEthernet0/1  source address




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45369t=45271



Re: Emergency: HOw to extend the telnet timeout fo [7:45268]

2002-05-28 Thread Shawn Heisey

If your connection is clean, and the telnet program properly written, it
will terminate the TCP session correctly when the program is closed.

It's badly written clients, or when your network connection gets cut, or
your system crashes that it becomes a problem.  In these instances, the
TCP session isn't properly shut down.  A router with default
configuration will never take action to disconnect the hung session.

What I typically do is configure a 240 minute (4 hour) timeout.  It's
long enough to give you time to think about what you're doing, and short
enough that if my session is killed by a network problem or an
overzealous firewall, I know I'll eventually get back in.

There is also another way to deal with the problem - TCP keepalives.
http://www.cisco.com/warp/public/471/tcpkeepalive.html

Thanks,
Shawn

Michael Williams wrote:
 
 Daniel Cotts wrote:
 
  Be extremely careful if you configure an exec-timout of 0 0 on
  a vty port.
  It will never release! So when you drop the connection and
  again telnet into
  the box you now have one less open port. After five times (or
  number of vty
  ports) you are locked out of the box. Should you still be
  inclined to use
  this - then either (a) don't save the config (so someone can
  power cycle the
  box to let you back in) or (b) change the setting before you
  log off.
 
 Good point.  We have this setup on some of our routers that we commonly
 just sit in all day, and if I kill the telnet process (without allowing it
 a graceful exit) my session doesn't hang. it frees up the VTY line I was
 using.  Interesting.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=45300t=45268



Re: cheapest router supporting two ethernet ports [7:44061]

2002-05-13 Thread Shawn Heisey

The cheapest brand new Cisco router with two routable ethernet ports
would be the Cisco 806.  It looks like you can choose between IP/FW and
IP PLUS for free on this platform.

In terms of LIST price, the 1605-R ties with a 1721/WIC-1ENET combo. 
Either of these would leave you with a free WIC slot, but the 1721 would
give you dot1q vlan routing and far greater performance.

If you're looking for something used, there are more options, and prices
will vary. :)

Thanks,
Shawn

Patrick Ramsey wrote:
 
 Anyone know what the cheapest cisco router is that supports 2 ethernet
 ports?  Either built in or modular.  (if any of the older 25xx series have
 two aui ports, that would work as well!)  I would also like to put
 IOS-firewall on it so memory constraints may dictate which one I buy as
 well.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=44080t=44061



Re: PPP and tacacs [7:42818]

2002-04-29 Thread Shawn Heisey

Yes - use a config like this:

!
aaa authentication ppp default none
aaa authorization network default none
aaa authentication ppp dialup group tacacs+ local
aaa authorization network dialup group tacacs+ local
aaa accounting network dialup start-stop group tacacs+ local
!
interface group-async1
 ! 
 ppp authentication ms-chap pap dialup
 ppp authorization dialup
 ppp accounting dialup
!
interface serial0/0
 ! 
 no ppp authentication
 no ppp authorization
 no ppp accounting
!


NetEng wrote:
 
 I have a 2600 series that has a 16 port async card for RAS dialup. It also
 has two WIC's for two T-1s that run ppp multilink. I want to enable tacacs
 for ppp dialup but not for the two T-1s. Is this possible?




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=42831t=42818