Re: Public Internet Access [7:55898]
Robert,

Have the VLAN for these users route to a DMZ interface on your PIX rather than the layer 3 switch. Set the security level of that interface to 1 (just higher than the outside). If you don't specify an ACL on that PIX interface, you should be able to use PIX security levels to automatically deny access to the internal LAN while permitting access to the internet.

Thanks,
Shawn

Robert Edmonds wrote:

I work for a county government. As part of building a new courthouse, I am tasked with providing attorneys in courtrooms with Internet access through my network. Of course, I would like to provide them access to what they need while blocking access to our internal network.

My network is set up in the following manner: In the new courthouse, the MDF has a 3550-12G acting as the root switch for the building, and has the layer 3 image. It connects directly to my core, with a 6506 with Sup2 and MSFC2, which in turn connects to my PIX 515 for Internet access. I plan on creating a separate VLAN for the public Internet access, but beyond that I'm left a bit short. Obviously I don't want to create a 300 line access-list that would deny them access to each internal VLAN, then each of our servers in turn. Can someone give me some suggestions to get this done? Thanks in advance.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55903t=55898
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: I need any 5.x firmware for a Catalyst 1900 [7:55125]
You need to go to this URL, and click on the Catalyst 1900 original link:

http://www.cisco.com/kobayashi/sw-center/lan/cat1900.shtml

You will need a CCO login to get to it. If you don't have a login, you can only get the version 9 software for the newer models.

Thanks,
Shawn

Colin Weaver wrote:

Please!!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55126t=55125
Re: Config-register???? [7:54632]
You've managed to set the router to netboot, and the console baud rate to 19200. Everything else is the same as the default 0x2102.

Set your baud rate to 19200, and after make sure there is no baud rate in line con 0, get the config-register set right, and you can switch back to 9600 baud.

Useful tool in case something like this happens again:

http://www.marcuscom.com/confregdecode.html

Thanks,
Shawn

Frank Lodato wrote:

I broke in to a Cisco 2600 router today, but I didn't have access to my handy sheet that tells me exactly what config-register setting to type in. Instead of 0x2142 I put 0x2124. Now when I hard boot the router it gives me 'JJJ^^'. Now, I've never seen this before so I'm very confused as to what to do next. I can't really type anything either so it won't take commands that I know. What did I do? How can I fix it? Help!

--
Shawn Heisey
Cisco Systems USA
TAC Technical Lead for SLC-AAA-LD team

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54641t=54632
Re: Config-register???? [7:54632]
Mark,

Actually, the 'break disabled' is the default setting. It means that after rommon passes control to the IOS, you can't issue a break to get back to rommon. You can always issue the break before control is passed to IOS, regardless of this setting.

If you turn this setting off, you can send a break at any time to get to rommon -- even after the router is up and running. This can be a Very Bad Thing (tm), especially if you leave something connected to the console port all the time.

Thanks,
Shawn

Mark W. Odette II wrote:

Set your terminal app's baud rate to 19200 and see if that doesn't fix ya. Also, according to the nifty Config-Register calculator (from Boson's website), the Break Key is disabled. So, you'll need to let the router boot normally, and then, via the console, go into config mode and change the config register to your desired setting.

HTH's
Mark

-Original Message-
From: Frank Lodato [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 01, 2002 10:10 AM
To: [EMAIL PROTECTED]
Subject: Config-register [7:54632]

I broke in to a Cisco 2600 router today, but I didn't have access to my handy sheet that tells me exactly what config-register setting to type in. Instead of 0x2142 I put 0x2124. Now when I hard boot the router it gives me 'JJJ^^'. Now, I've never seen this before so I'm very confused as to what to do next. I can't really type anything either so it won't take commands that I know. What did I do? How can I fix it? Help!

--
Shawn Heisey
Cisco Systems USA
TAC Technical Lead for SLC-AAA-LD team

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54656t=54632
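
The register values discussed in the two Config-register messages above (0x2102, 0x2142, 0x2124), decoded field by field and checked for settings a reviewer would question on a production router. This is an added example, not part of the original posts; the bit meanings are taken from Cisco's published configuration-register layout, and the function and field names are assumptions of the example.

```python
# Added example: decode a 16-bit Cisco IOS configuration register.
# Bit meanings follow Cisco's published register layout; the function and
# field names are this example's own, not IOS or Cisco tooling.

# Console speed is spread over three non-adjacent bits.
# Key order is (bit 5, bit 12, bit 11).
BAUD = {
    (0, 0, 0): 9600,  (0, 0, 1): 4800,  (0, 1, 0): 1200,  (0, 1, 1): 2400,
    (1, 0, 0): 19200, (1, 0, 1): 38400, (1, 1, 0): 57600, (1, 1, 1): 115200,
}

FLAGS = {
    "ignore_nvram":   0x0040,  # bit 6: boot without startup-config
    "break_disabled": 0x0100,  # bit 8: Break is ignored once IOS is running
    "rom_fallback":   0x2000,  # bit 13: boot ROM software if netboot fails
}


def decode(reg):
    """Return the fields of a configuration register as a dict."""
    if not 0 <= reg <= 0xFFFF:
        raise ValueError("configuration register is a 16-bit value")

    def bit(n):
        return (reg >> n) & 1

    fields = {name: bool(reg & mask) for name, mask in FLAGS.items()}
    fields["boot_field"] = reg & 0x000F
    fields["console_baud"] = BAUD[(bit(5), bit(12), bit(11))]
    return fields


def boot_behaviour(boot_field):
    """Describe what the low four bits ask the router to do at startup."""
    if boot_field == 0:
        return "stay in ROM monitor"
    if boot_field == 1:
        return "boot the ROM / boot-helper image"
    return ("follow 'boot system' commands; with none configured the field "
            "value %X selects the default netboot filename" % boot_field)


def diff(a, b):
    """Fields that differ between two register values, as (a, b) pairs."""
    da, db = decode(a), decode(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}


def audit(reg):
    """Findings a reviewer would raise for a router in production."""
    f = decode(reg)
    findings = []
    if f["ignore_nvram"]:
        findings.append("bit 6 set: startup-config (passwords, ACLs, AAA) "
                        "is skipped at boot")
    if not f["break_disabled"]:
        findings.append("bit 8 clear: a Break on the console drops a "
                        "running router to ROM monitor")
    if f["console_baud"] != 9600:
        findings.append("console speed is %d, not the 9600 default"
                        % f["console_baud"])
    return findings


if __name__ == "__main__":
    # 0x2102 = default, 0x2142 = password recovery, 0x2124 = the typo above
    for reg in (0x2102, 0x2142, 0x2124):
        f = decode(reg)
        print("0x%04X baud=%d boot=%s" % (reg, f["console_baud"],
                                          boot_behaviour(f["boot_field"])))
        for k, v in diff(0x2102, reg).items():
            print("   differs from 0x2102: %s %r -> %r" % (k, v[0], v[1]))
        for finding in audit(reg):
            print("   finding: " + finding)
```

Running `audit()` over the register value reported by `show version` is a quick way to catch a router left at 0x2142 after a password recovery.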
Re: slightly OT: Pingflood [7:54334]
Sam,

Typically the ping program included with Linux has the -f option, but you cannot use it if you are not root. It's included in debian and redhat, not sure about other distros. I don't have root access on any Sun boxes, so I can't tell if the option is there or not. You could always compile GNU ping on it if it's not an option.

Thanks,
Shawn

sam sneed wrote:

Does anyone know where I can get a copy of this or something similar for Linux. I found a windoze version but I need linux or UNIX. My ping versions of linux and SunOS do not have the -f option. The only version of pingflood I found on google is crap, the source code reads:

void main(){
    int count=1;
    for(;count<10;count++){
        system ("ping -s 2000 targetsite");
        sleep(3);
    }
}

all this does is ping a lot, I want the version of the program that sends pings out faster than usual. I need to create lots of traffic to check response times across a router. And I want to do it without purchasing software (aka solarwinds WAN Killer)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54342t=54334
Re: AAA in console [7:54282]
Hidden IOS command in global config:

aaa authorization console

(that is the entire command)

Thanks,
Shawn

Newell Ryan D SrA 18 CS/SCBT wrote:

How can I configure authorization on the console port?

--
Shawn Heisey
Cisco Systems USA
TAC Technical Lead for SLC-AAA-LD team

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54285t=54282
Re: AAA in console [7:54282]
Additional note: The aaa authorization console command was added in 12.0(7)T by DDTS number CSCdi82030. It's not available on 2900XL and 3500XL switches. This is because the IOS on these switches was based on the 12.0(5)T IOS for routers.

Thanks,
Shawn

Newell Ryan D SrA 18 CS/SCBT wrote:

How can I configure authorization on the console port?

--
Shawn Heisey
Cisco Systems USA
TAC Technical Lead for SLC-AAA-LD team

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=54286t=54282
Re: Web Console of Catalyst 2924XL [7:53131]
Zolla,

Chances are that you have the wrong Java plugin version for the IOS version that you are running. If you have Java 1.3.1, you need 12.0(5)WC5 IOS. Earlier IOS will only work with 1.2.2 and 1.3.0 of the plugin software. If you have Java 1.4.x, there is not yet an IOS version that will work with it.

Best bet is to use Java 1.3.1 and 12.0(5)WC5 IOS. If you are using other Cisco products that require the 1.4.x plugin, you'll need to access the switch from another system.

Thanks,
Shawn

Zolla Zimmerman wrote:

Hi Everybody, I am configuring a Catalyst 2924 XL with IOS 12.0(5) for web configuration and it is asking password each minute even if I am not doing anything. Can somebody throw some light on this.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=53145t=53131
Re: Router IOS Upgrade bug in 12.1 images [7:52489]
This is not actually a bug. Starting with 12.2(1) IOS, the 2600 and 3600 platforms support the squeeze command. To get it to work, you have to reformat the flash using a 12.2 image, which creates a log file used in the squeeze process. That log is a few hundred K in size, and hidden.

The listed flash requirements for 12.2(8)Tx images is 16MB, and this is part of the reason why ... even though technically it can fit in an 8MB flash. It's also listed that way because future versions are not going to fit in 8MB, even formatted with old flash.

Thanks,
Shawn

Sasa Milic wrote:

Speaking about upgrade bugs, I've found upgrade bug in 12.2. Here is what is happening, and how to overcome it.

Hardware:
- 2600 with 8 MB flash, 12.2(8)T1 telco IOS loaded.

Problem: There is 8MB flash, and I want to load 12.2(8)T2. show flash shows that flash is 8MB. Do erase flash to remove existing image from flash. Now show flash shows that there is 7.8MB free in flash, and 12.2(8)T2 cannot be loaded (copy tftp flash says that there is no enough space). squeeze doesn't help.

Solution:
- Load older IOS that fits into 7.8 MB, for example 12.0(7)T, reload router, erase flash (now it will have 8 MB free), and then load 12.2(8)T2.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52680t=52489
Re: AGAIN... aCS2.6 on W2k advanced server with bug!!!! [7:52621]
Magdy,

You did not make it clear what kind of device you are using. If you are using a PIX or other device with missing or braindead accounting, the max-sessions feature will not work as expected. Aironet is another device that is broken. If the device is non-cisco, it probably does not send accounting in the way that ACS expects.

ACS uses accounting records to count sessions, and if those records are not perfect, the feature will break. Here's a URL that talks about what's needed for the logged-in user report, which is tied in with max-sessions:

http://www.cisco.com/warp/public/480/csntfaq.html#Q28

The PIX can do accounting, but because there's no good way to track when a user stops using the internet, its accounting is useless to ACS as far as session tracking.

Thanks,
Shawn

Magdy H. Ibrahim wrote:

Dear All, This is my second post regarding ACS2.6 bugs... The problem is: As you know ;-) I have an acs2.6 server on W2k advanced server, My users Using it to connect to the internet and sometimes many of my users logged into my network through the acs and when they disconnected from my system, I noticed that they still exist on the acs server, and since i made a single session to my users, they cannot enter again till i make a purge to the user. Please this is a big problem for me so can u help me to solve it?

--
Shawn Heisey
Cisco Systems USA
TAC Technical Lead for SLC-AAA-LD team

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52621t=52621
Re: ICQ and blocking the thing-PIX [7:52285]
I may be off my rocker, but I think it's possible that you could set up an IDS system that blocks access to any IP on the outside that sends packets to your network that look like ICQ. At the very least it could record the addresses for future inclusion into ACLs.

This won't block the people who set up SSH tunnelling as described in other messages, but you can make it a violation of security policy to use that kind of back door.

Thanks,
Shawn

Mears, Rob wrote:

Hi Cisco gods, I have successfully blocked all chat services at the PIX firewall, I think. As I walk around and find people using MSN or Messenger I find that public proxy they are using and kill it too. BUT, I am having a hell of a time with ICQ. I do have all the ports UDP and TCP blocked so it does not work UNLESS they use port 80. This is where I am stuck, I can't block port 80 as you know so how do I kill this monster? Has any one had luck with this and has anyone found a way to stop the public proxy usage? I really feel as if I am fighting a losing battle, cuss for every block I am countered with a way around it. My inside ACL in the pix is quite impressive and all just for blocking this crap, if anyone would like it for theirs I will provide as it is proven and works, with exception to ICQ.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52395t=52285
Re: Restricting VPN 3000 Groups [7:51798]
Fly,

There's actually a slightly better option. Send all your users the same profile, and use RADIUS to select the actual VPN3000 group they will be using. Set it up so that the group in their profile has extremely limited access.

http://www.cisco.com/warp/public/471/altigagroup.html

Thanks,
Shawn

Fly Ers wrote:

We are currently using rsa ace server to authenticate vpn clients connecting to vpn3000 concentrator. we will need to create different groups depending on users function, thus several pcf files will need to be deployed. we will need to restrict users to a particular vpn concentrator group. For example, a user inadvertently receives the wrong pcf file, we want to be able to deny that user access or limit his/her access. any recommendations appreciated.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51838t=51798
Re: 2502 Memory/Flash [7:51387]
Actually it says you've got 8MB of flash and 4MB of RAM. The 2500 series is one of the routers that has a single pool of RAM that gets split at boot time into Processor memory and I/O memory. On these platforms, you add up the two numbers to get the total RAM.

A few models (particularly the AS5xxx series and XL switches) have separate memory chips for I/O (packet) memory. On these, only the first number counts towards IOS requirements.

Thanks,
Shawn

Robert D. Cluett wrote:

All, am I reading this right? Does this state that there is 8MB Flash and 2MB of DRAM? If so, what do I need to do to get it to the latest version of IOS that Cisco uses for the tests? Help would be more than appreciated!

cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory.
Processor board ID 06992214, with hardware revision
Bridging software.
X.25 software, Version 2.0, NET2, BFE and GOSIP compliant.
1 Token Ring/IEEE 802.5 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read ONLY)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=51398t=51387
Re: Does IOS 11.1(2) support show tech command [7:50494]
Jimmy,

(watch for URL wrap)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_r/ffrprt3/frf013.htm#1068334

Introduced in 11.2 IOS. The DDTS that implemented the command (CSCdi47180) shows integration in 10.3(12), 11.0(8), 11.1(3), and 11.2(1).

Thanks,
Shawn

Jimmy wrote:

Hi all: Does anyone know whether IOS 11.1(2) supports the show tech command? I have a 2501 router running on 11.1(2) and it does not have show tech. However another 2501 router running on 11.0(22) and it has show tech command.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50533t=50494
Re: aux - serial connection? [7:50069]
Crow,

If the 2501 is set up for async, you can do this without any problem. You would need the 2501 to have a DCE RS232 cable. The speed would of course be limited to what the AUX port can do. I haven't been able to locate anything saying whether that is 38400 or 115200 baud on a 4000M. What I have found suggests that it might be 38400. Also, every character that hits the aux port on a Cisco router generates a processor interrupt, so it's hard on the CPU.

crow wrote:

hi folks !! is there a way to connect a aux(4000m router) to a serial(2501) for lab-purpose? cable is available. i would say no. thx in advance andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=50075t=50069
Re: access-list for steaming audio [7:49817]
Steaming audio would be caught by your porn filter!

On the other hand, StReaming audio and video tends to be very difficult to block, as most of the programs that do that sort of thing will function just fine on port 80. I don't think you want to block port 80.

You didn't mention what application(s) are involved. The best way to find out what ports are involved is to research the individual applications and find out what ports they use. Alternatively, you can try them out and get sniffer traces.

Thanks,
Shawn

Spencer Plantier wrote:

Which ports need to be blocked for streaming video and audio.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49824t=49817
Re: Cisco 2651 Problem [7:49815]
To reinstall the IOS on a 2600 with an incorrect image, you will need to use TFTP from ROMMON.

http://www.cisco.com/warp/public/471/76.html

Make sure the image that you download is correct for the exact 2600 model you have. For the 2651, depending on what you want to do, I would use a 12.2 mainline or 12.2T image.

Thanks,
Shawn

Curious wrote:

Re-Install the Correct IOS. . .

wrote in message news:[EMAIL PROTECTED]...

Hi I have a Cisco 2651 with two Fast Ethernet interfaces. I have accidentally installed a Cisco 2600 IOS image. now when I do a show run the interfaces are not there anymore. I tried to make it to boot from boot but the interfaces is not showing up. If you can give me some help, that would be great Thanks

===

Router#show running-config
Building configuration...

Current configuration:
!
version 12.0
downward-compatible-config 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname Router
!
boot system rom
!
!
!
!
!
ip subnet-zero
!
!
!
!
ip classless
no ip http server
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 login
!
end

Router#
Router#show version
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(7)T, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-1999 by cisco Systems, Inc.
Compiled Tue 07-Dec-99 02:12 by phanguye
Image text-base: 0x80008088, data-base: 0x807AAF70

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

Router uptime is 0 minutes
System returned to ROM by power-on
System image file is flash:c2600-i-mz.120-7.T

cisco 2600 (MPC860) processor (revision 0x200) with 39936K/9216K bytes of memory.
Processor board ID JAB05410GVS (3360889488)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

Router#show flash

System flash directory:
File  Length   Name/status
  1   4209848  c2600-i-mz.120-7.T
[4209912 bytes used, 4178696 available, 8388608 total]
8192K bytes of processor board System flash (Read/Write)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49842t=49815
Re: Cisco IOS Docs Hardcopy? [7:49444]
Virtually any Cisco contract will entitle you to free documentation. If it shows up with an orderable quantity in the product upgrade tool, then you can get it for free.

Thanks,
Shawn

Mark W. Odette II wrote:

Jason, Funny you should mention it. I just received my order of documentation, which I placed over a month ago. One thing for sure, I got more documentation than I realized I ordered- and it was all free. I did not find an indication of charge for shipping or the docs themselves. Now I have enough documentation to fill 5 bookshelves!

... and yes, part of that documentation is the 12.2 docs-- config guide, debug docs, command guide, Voice-Video-Fax docs, and the list goes on. All of it is soft-cover though, so don't expect hard-cover. I received 1 very large box, a medium sized box, several small boxes and bubble envelopes... 11 pieces in all. Some of that was Voice docs though... ICS 7750, IP Phones, Call Manager, CiscoWorks for Voice, etc. I figured, if it was free, and I want to familiarize myself with that stuff for the future, why the heck not order it! I believe my Reseller Status is what allowed me to order it all for free though.

Good Luck!
Mark Odette II
StellarConnection Services
CCNP, MCSE, A+ Certified.

-Original Message-
From: Barbee Jason [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 23, 2002 10:37 AM
To: [EMAIL PROTECTED]
Subject: Cisco IOS Docs Hardcopy? [7:49444]

When logged in to CCO, I can go to the Product Upgrade tool, select documentation, and see a large list of available documentation. I would like to order the documentation set for 12.2, but I do not see it on the list. Is there a way to order the complete set? or should I just enter quantity 1 for all the IOS documentations. And I'm concerned about billing too, it appears it will charge our Cisco Reseller for the shipping and/or costs. Do these documents cost anything or is it just the cost of shipping?

I thought I had read a thread that mentioned this somewhere, but I couldn't find it using the groupstudy google search engine, and the older archive search engine gave a glimpse not found error. I apologize if some of the questions here have already been answered.

--
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49473t=49444
Re: Rogue Wireless LANs [7:47287]
Pat,

The 8th layer policy idea is good. I would take that one step further, after checking with your legal department to make sure they don't have a problem with it and that it's airtight: In addition to the disciplinary action up to and including termination clause, incorporate in company policy a clause something like this:

Any personal computer or networking equipment that is plugged into company infrastructure without explicit approval is forfeit and becomes the property of the company.

This is particularly effective if your policies include a statement that those who agree to it also agree to any future revisions of said policy.

As for a technical way to stop it ... shutdown all unused switchports, or assign them to a VLAN that goes nowhere. You'd still need to check for rogue equipment -- someone could set up their machine with two NICs, hang an AP off one of them, and make it work with address translation.

Thanks,
Shawn

Patrick Donlon wrote:

Thanks Chris, I was thinking more about securing the switch ports by authenticating mac's (probably a bit OTT) or using SNMP to check for new devices, any other ideas? I've already set up a wireless LAN here with WEP with authentication on an ACS server, which is a waste of time when you have people setting up their own kit,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47391t=47287
Re: Rogue Wireless LANs [7:47287]
Question: Is Cisco's LEAP better than WEP? Does it have the same purpose but without some of the issues? I should know this, but I don't use Cisco for wireless (shame, shame).

It's not that it's better than WEP, it just provides reasonably secure authentication and a bandaid for WEP's security issues. Using LEAP or EAP-TLS provides a dynamic unicast WEP key. If you specify RADIUS attribute 27 (Session-Timeout) then the connection will be cut after that many seconds. When it reauthenticates, a new WEP key is in place.

Thanks,
Shawn

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47413t=47287
Re: serial interface down/down or up/down [7:47101]
I've seen both down/down and up/down in real-world scenarios. The difference between the two seemed to be the intelligence of the CSU/DSU.

With a recent Adtran unit, it goes down/down - if the CSU is down, it takes down the DSU. I did not delve into the configuration to see if this behavior could be changed.

A very old Black Box unit that I've played with will happily keep the DSU up regardless of the state of the CSU. This one was configured with DIP switches, and I didn't see a way to change the behavior.

Priscilla Oppenheimer wrote:

I guess the question is too hard for a practice test if NOBODY can answer it!?

Here's the thing: Cisco says that a down/down interface means the router interface is not sensing a Carrier Detect signal (that is, the CD is not active). Now, from my studies of V.35 I know that data carrier detect (DCD or CD) comes from the DCE side of the V.35 link, carried on pin 8, yadda, yadda. It comes from the data interface on the DSU side of the CSU/DSU.

If the router is correctly connected to the CSU/DSU, will it see CD or does the answer depend on whether the CSU/DSU is also correctly talking to the telco? Does carrier detect mean literally what it sounds like it means? Would the CSU/DSU not assert CD if there was a problem on the telco side? And hence the router wouldn't see CD and would say the interface was down/down.

Not something I can easily test. Maybe I better simplify the question. ;-)

Priscilla

At 06:34 PM 6/20/02, Priscilla Oppenheimer wrote:

Hi Group Study, While writing some questions for a practice test, I found myself questioning what I thought was the right answer. Here's the scenario:

A Cisco router serial interface is correctly connected with a good V.35 cable to the data port on the DSU side of a CSU/DSU. The CSU/DSU has been misconfigured for the framing method (SF instead of ESF). The framing doesn't match what the provider is using. (The question refers to a CSU/DSU that is external to the router, not one that is built into the router.)

Will the Cisco router serial interface be down/down or up/down? And, would the answer be any different if the question has to do with misconfiguring the encoding (AMI versus B8ZS)?

If you have real-world experience with this, that would help. I have read the Cisco documentation and the troubleshooting charts, etc.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=47159t=47101
Re: Cisco ACS db corrupt?? [7:46882]
Are you by chance using a UNIX browser to do this? Only browsers on Microsoft operating systems will properly enter a password into a user. There's a DDTS (CSCdu40827), but it's been postponed.

Other than that -- yes, it's possible for the database to be corrupt. To rule this out, I would recommend the following steps. These are run from a command prompt in the UTILS directory, with all services running:

csutil -q -b recovery.cab
net stop csauth
csutil -q -d -n -l
net start csauth

This will make a full backup, then do a text dump of the user database, wipe the user database, and reimport the text dump.

Thanks,
Shawn

Patrick Donlon wrote:

I have a problem with the local database on a 2.6(6) ACS server. All users use an external database for authentication (NT or RSA) but I want to create a user with a password stored in the ACS server. I can create a new user and assign all the correct attributes without any errors, however when I try to login with the user they are rejected. The logs show the user is rejected due to the CS password: CS password invalid. I have tried to create other users and also to change users account setting so that they authenticate using the CS password, with no luck. So I think there is a problem with the passwords stored in the ACS server. We have upgraded the server twice in the past 8 months for new features and bug fixes whether this has caused the problem I don't know. Any ideas on how to verify or fix this?

--
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46895t=46882
Re: authentication and router [7:46932]
George,

Make sure that you have an enable secret defined. It SHOULD work with the enable password, but you never know. You might see something useful in the following debugs:

debug aaa authen
debug aaa author
debug tacacs
debug aaa subsys !! not supported by all releases
debug tacacs authentication !! not supported by all releases
debug tacacs authorization !! not supported by all releases
debug tacacs events !! not supported by all releases

If you are running a 12.2 non-mainline version (has letters after the right parenthesis in show ver), it's not very stable - AAA was rewritten.

Thanks,
Shawn

GEORGE wrote:

I just configured my router to authenticate with cisco secure everything works ok, except if I try to Console I get a password prompt, and I stop cisco secure I get a password prompt. Now I tried to enter my enable password and won't work. Am I missing something here

aaa new-model
aaa authentication login default group tacacs+ enable
aaa authentication login local local
aaa authentication login no_tacacs enable
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
line con0
line authentication no_tacacs

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46941t=46932
Re: Default Password [7:46536]
Removing and reinstalling the program should take care of it.

http://www.cisco.com/warp/public/102/wlan/pwrec-2.html#cem

Thanks,
Shawn

Kevin Wigle wrote:

I have some old client software for a wireless LAN card. I would like to set a WEP key but you need the default password to get into the Encryption Manager. This is version 4.10 which says Aironet, CCO's docs start at 4.12 which says Cisco. Cisco's default is Cisco but that doesn't work. I have a Xircom PC Card and its default is Xircom and that worked. Tried all kinds of combinations around Cisco/Aironet but no luck. Does anybody know the default password for this version?? (yes I'll be attempting to upgrade the software)

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46582t=46536
Re: 3550-24 Question [7:46572]
Brian,

All the licensing of software for Cisco products is per server/device unless specifically stated otherwise. Usually those special situations involve explicit backup/failover, and the second unit can't stand alone. The PIX and CiscoSecure ACS for UNIX are two products where this is the case. Of course, these two products include license enforcement.

In the case of a switch or router, you can do more than pure redundancy with two devices, so you have to purchase a software license for each of them.

Thanks,
Shawn

Brian Zeitz wrote:

I just checked with CDW, it's 1500$ for the upgrade for the SMI to EDI for the 3550. Which brings me to my next question. If I have 2 switches, in a cluster, do I need a license for both. Man, $3000 to do layer 3 switching!

-Original Message-
From: jeff sicuranza [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 14, 2002 10:42 AM
To: [EMAIL PROTECTED]
Subject: RE: 3550-24 Question [7:46572]

I had the same question so I opened a TAC case to get an answer. Here is my first response for those interested...

*** NOTES LOG 13-JUN-2002 16:26:43 PST, emailcio, Action Type: Action ***

Technology(T1): LAN Switching
Sub-Technology(T2): Cat3550
Problem Summary(T3): Upgrading Software and Working with Configuration Files
Software Version: 12.1
Router Node/Name:
Contract: xx

Problem Description: We have just purchased a Cisco WS-C3550-24-SMI switch. Can I just go to the CCO Software center and download the following to upgrade my unit from SMI to EMI?

    c3550-i5q3l2-tar.121-9.EA1c.tar    c3550 EMI IOS Image and CMS Files

Is the above the download the CD-3550-EMI= product? What is the CD-3550-EMI= and how do I obtain it, if required, to upgrade my switch to EMI? Thank you..

Please contact customer via email: [EMAIL PROTECTED]
Email: [EMAIL PROTECTED]
Phone: 516-796-9607

Urls shown to the user :
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swiosfs.htm
http://www.cisco.com/public/sw-center/sw-lan.shtml
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/1216ea1/3550scg/swtrbl.htm

*** EMAIL OUT 13-JUN-2002 16:57:09 PST, jerlim, Action Type: Email Out ***

Send to:

Jeff,

Hi my name is TAC GUY and I'm the engineer that is working on your case C806967. I see you are interested in installing the EMI software on your 3550. While you can download it from CCO you may need to contact your SE or our Entitlement group to get approval or purchase the software. The software that you listed in the case notes would be the correct software to install. If you have any questions please do not hesitate to email or phone me.

Thanks,
TAC GUY

*** STATUS CHANGE 13-JUN-2002 16:57:09 PST, jerlim, Action Type: ***

I will follow-up with the SE to see what the deal is.. Unless in the meantime does somebody want to try the file I have listed above?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46598t=46572
Re: 3550-24 Question [7:46572]
Jeff,

You can download the file, but legally you are only authorized to use it if your switch was purchased with the enhanced software, or if you purchase the upgrade.

Cisco does watch who downloads which software, and checks it against what the downloading user is entitled to. If it doesn't match up, you might get contacted about the download, especially if you get each new version as it comes out.

Thanks,
Shawn

jeff sicuranza wrote:

Thanks Radford, I saw the same thing but it was still unclear from Cisco's tac response. Is the downloadable file the CD-3550-EMI= and all you need is a valid CCO account to upgrade? Or do you have to spend x amount of $$ to purchase a special download for the CD-3550? According to the response it looks like all I have to do is just download the file, which I did, but all of this SE or our Entitlement group to get approval nonsense has confused me...

--
Shawn Heisey
Cisco Systems USA
Technical Lead for SLC-SECURITY team
Direct: +1 801 736 3939 ext 55153
Toll Free: +1 800 553 2447
Shift: Mon-Fri 8:30a-5:00p Mountain Daylight Time

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46618t=46572
Re: 3550-24 Question [7:46572]
No problem ... splitting hairs is how technical people work. :)

Your interpretation is correct. The only actual difference between the SMI and EMI switches is the software loaded on them. Everything else is a matter of licensing. Loading the EMI software on a switch without an EMI license is illegal.

This has been done before with 1900 and 2900XL switches - the Standard Edition and Enterprise Edition software. They stopped it with the 2900XL, and just made all newer versions Enterprise. The 1900 still has the distinction, but if it's not EOS/EOL already, it will be soon.

It's similar to Router IOS -- When you purchase a router with IP only IOS, it's perfectly possible to download and install Enterprise/FW Plus IPSEC 3DES (provided you have enough memory). Doing so without paying Cisco for the software license is illegal.

Thanks,
Shawn

jeff sicuranza wrote:

Thanks Shawn. I know this is splitting hairs but I just wanted to clarify a few things so folks on this board and myself are clear on the policy and we do not end up in Cisco jail, purchase the wrong switch options or damage the switch by loading the wrong software.

So what you are saying is that the file listed on CCO is the CD-3550-EMI= upgrade? Correct?

If you buy a switch with just SMI installed but do have a CCO contract, but it (the CCO account) does not cover the 3550 entitlement you can still download the file and install it, (it will work??) but you are doing something illegal? Correct?

The above scenario also applies to someone who buys the switch used with SMI installed and borrowed someone's CCO account, regardless of account entitlement status, downloads the software and upgrades their switch. This is also illegal in Cisco's eyes. Correct?

If a person buys a switch with a SMI installed but has a valid CCO account with the proper 3550 EMI entitlement on the CCO account, then all that is needed to upgrade the switch from that point is just a download of the file and follow the install instructions? Correct?

You see I was confused that the CD-3550-EMI is an actual physical product ordered and is received on a CD or via special download with a key or something that is required for you to upgrade from SMI to EMI. However, I see the EMI IOS on the 3550 download page. The reference to CD-3550-EMI is a logical reference to CCO entitlement privilege level.

So Cisco is basically using a monitored Honor System when it comes to the downloads??? Correct?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46624t=46572
Re: which is the best Router for the following tasks [7:46288]
Just when you thought you had a lock on all the router models ... :)

http://www.cisco.com/warp/public/cc/pd/rt/1700/prodlit/1760e_ds.htm

John Kaberna wrote:

2611 if you want Ethernet and 2621 if you want Fast Ethernet. I generally don't like to work with anything under a 2600. You can also look at the 1751. The problem with the 17XX series is they aren't rack mountable.

Fab Perez wrote in message news:[EMAIL PROTECTED]...

Hi news

I need to pickup a Router with the following features:

_ 2 Ethernets
_ 1 V.35 Serial / Sync
_ QoS
_ Load Balancing (EIGRP ?)
_ NAT
_ Firewall

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46349t=46288
Re: 3600 10MB port duplex? [7:46250]
Patrick,

I'm thinking that you actually mean a 2610. I've never heard of a 3610. Yes, 10Mb ports on 2600 routers will do full duplex. 12.0(4)T minimum IOS is required. I had problems with it at 12.0(7)T ... recommended IOS would be 12.1 mainline or 12.2 mainline. If duplex is not configured, it will run at half.

I haven't been able to locate a public page stating this, but I know from experience that it can do it.

Thanks,
Shawn

Patrick Donlon wrote:

Hi All

I've a dead simple question for anyone with a 3610 at their disposal, I'd like to know whether the built in 10MB ethernet port will run at full duplex. Reason why is I don't have a 3610 with one of these I can access and I've been told by ATT that their router will only run at half-duplex and 10MB

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46267t=46250
Re: 3600 10MB port duplex? [7:46250]
The 3620 is the same - 12.0(4)T to get full duplex on 10Mb ethernet ports. I found a public URL for the NM-1E2W and NM-2E2W modules, but not for the NM-1E and NM-4E modules. The internal page does say the latter can do it as well, at 12.0(4)T.

http://www.cisco.com/warp/public/107/nm-e2w.shtml

Thanks,
Shawn

Pat Donlon wrote:

Shawn you're dead right, sorry 3620, can't touch the image I'm afraid as it's a managed router. I too have searched through the CCO and couldn't find anything that documents this,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46278t=46250
Re: Privilige Password Advice ... [7:46246]
Paul,

AAA is what I do, so I would recommend that. Unless you've got a small handful of routers and the configs rarely change, AAA makes your life much easier. TACACS+ would have let you get much more specific on what commands the outside company could run - command authorization.

If you have any UNIX systems, you can get the freeware TACACS+ server from Cisco and compile that. If you have Debian or RedHat Linux, I know for sure that it's available as a binary package right on the CD.

http://www.cisco.com/warp/public/480/tacplus.shtml

Thanks,
Shawn

Paul wrote:

Hi ...

I am just about to change all the router/switch passwords in my company (about 40) ... I have only been there several weeks and I have only worked in a very small routing/switching environment before

I have had to give access to an outside company so they can monitor certain WAN links they have set-up ... I have setup privilege level 7 for these guys with a relevant line vty username and password and priv level 15 for me

All the routers and switches currently have different passwords because I have very little experience in this field .. I was wondering what the norm would be ??? and what you guys yourselves have done in situations like this or is there another way I could do this ???

Oh yes ... and I don't have any TACACS or Radius servers or the such for remote authentication .

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46284t=46246
Re: Using Catalyst 2950 switch [7:46062]
Autosensing can work very well, depending on the NIC. It's important that both sides be set the same. If one side is set for autosense and the other side is hardset, the autosense side will almost always pick half duplex.

If you have any issues at all with autosensing, check layer 1, then once you know that's OK, hardset speed and duplex on both the NIC and the switch.

Thanks,
Shawn

George Kallingal wrote:

I want to use the Catalyst 2950T-24 in my Windows NT/2000 and Linux network. According to the specs, it states that it does provide 10/100 autosensing. I wanted to know if anyone has run into problem with the autosensing feature. Or should duplex be hardcoded?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=46069t=46062
Re: Dropping Characters on Reverse Telnet [7:45729]
Every character that is processed by an AUX port creates an interrupt, so the AUX port hits the CPU harder than any other port running at the same speed. CPU utilization at 35% shouldn't be enough to cause the problem you're seeing.

One thing you'd want to make sure of is that you are not trying to use a baud rate higher than 9600, and that you have set flow control to none, stop bits to 1, and configured 'no exec' on the aux port. Similar settings should be configured on the console port at the other end, though it does of course need 'exec'. Make sure that none of the router lines include the command logging synchronous.

Console ports run at 9600 baud by default because they have no flow control lines. Higher speeds cannot be guaranteed to work reliably, though they often do.

It's always possible that you've run into a bug. My personal favorites for IOS version are 12.1(15) if you can run it, 12.0(22) or 11.3(11c) if memory isn't sufficient.

Recommended config:

2514 aux port:

    !
    line aux 0
     speed 9600
     flowcontrol none
     stopbits 1
     no exec
    !

25xx router:

    !
    line con 0
     speed 9600
     flowcontrol none
     stopbits 1
     exec
    !
    config-register 0x2102
    !

Thanks,
Shawn

Michael Gunnels wrote:

I've been having a strange problem. When reverse telnetting from my 2514's AUX port to my 25xx's console port (I've tried multiple routers). I am sometimes losing packets during show commands. The router that initiates the reverse telnet cpu is at most 35%. I've tried using variations of flow control on both routers, but it doesn't seem to make much difference. Has anyone else experienced this? It's driving me nuts! It skips and jumbles things together. It only shows up when reverse telnetting. If I'm consoled in or regular telnetting there is no problem. Please help.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45761t=45729
Re: Show Interface Output [7:45716]
Zahid,

The 'show interface' command would show the actual going through the interface. You probably are after the 'show interface rate-limit' command instead [shown here on 12.2(7a)]:

    milliways#show int f0/0.102 rate-limit
    FastEthernet0/0.102
      Input
        matches: all traffic
          params: 128000 bps, 24000 limit, 32000 extended limit
          conformed 200597 packets, 36550102 bytes; action: transmit
          exceeded 616 packets, 895075 bytes; action: drop
          last packet: 59244ms ago, current burst: 7483 bytes
          last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
      Output
        matches: all traffic
          params: 128000 bps, 24000 limit, 32000 extended limit
          conformed 220716 packets, 103342492 bytes; action: transmit
          exceeded 7757 packets, 11884318 bytes; action: drop
          last packet: 59168ms ago, current burst: 0 bytes
          last cleared 2w6d ago, conformed 0 bps, exceeded 0 bps
    milliways#

Zahid Hassan wrote:

Dear All,

I would really appreciate if someone would shed some light into my following question:

I have configured rate-limit on an interface. When I do show interface fa0/0, do I see the number of bit/s under the 5 min input and output rate after the rate-limit has been applied or the actual bits/s the interface is receiving or transmitting ?

Thanks in advance,
Zahid

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45718t=45716
Re: CCIE Lab Reading [7:45486]
I have a set of 12.2 IOS documentation at home ordered for free with a smartnet contract. It would be worth ordering a smartnet contract on your smallest piece of Cisco hardware just for the documentation you can get for free.

http://www.cisco.com/upgrade

Thanks,
Shawn

MADMAN wrote:

We have a very large smartnet contract and used to get the hard copies as they came out. The last hardcopies I saw were 11.2. I don't even know if they print them anymore.

Dave

Brad Ellis wrote:

John, I believe if you have a smartnet contract, you can get the IOS manuals free from Cisco (at least you could a couple years ago).

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45560t=45486
Re: CCIE Lab Reading [7:45486]
Any documentation can be ordered with a smartnet contract. Take your contract number and visit http://www.cisco.com/upgrade ... CCO login required. It will give you a list of all documentation that can be ordered. I even ordered the Internetworking Terms and Acronyms book. :)

Thanks,
Shawn

Jeff Harris wrote:

Is this set for all products or just the products that you have a contract on? Just wondering as we don't have any manuals at all (besides the little getting started booklets that come with WIC's and whatnot). We're a Premier Partner as well..

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45568t=45486
Re: Fast Ether Channel [7:45271]
I believe that with all currently supported hardware, FE or GE are the minimum requirements. You should be able to run it at any supported speed, as long as both ends match. Some of the older switches like the Cat3000 supported EtherChannel on 10Mb interfaces. While you can still find these switches, they have reached End Of Life.

As far as routers, only the larger hardware like the 7x00 series and the router modules for the Cat5K/Cat6K support etherchannel. As far as I have been able to determine, it's not supported on 10Mb router interfaces at all. I haven't verified this absolutely, though.

Thanks,
Shawn

Michael L. Williams wrote:

I appreciate your information, Joseph. I guess my question was more toward the types of interfaces that will run etherchannel. i.e. if you're knocking the speed down on a FastEthernet interface to 10Mbps, it's still a FastEthernet interface, not Ethernet interface. One of the requirements for an etherchannel bundle is that all of the ports (interfaces) in the bundle all be matching speed/duplex. So it would make sense that you could knock 100Mbps interfaces down to 10Mbps (as long as they all match) and it still work. But are there any Ethernet interfaces (not Fast- or Gig-Ethernet) on any Cisco devices that support Etherchannel. I'm thinking there's not, but that's not to say there's not some switch/router out there that may violate this Cisco rule of thumb (being you can only do EtherChannel on Fast- or Gig-Ethernet)

Mike W.

Brunner Joseph wrote in message news:[EMAIL PROTECTED]...

tested it.. works on 3548XL but not on 7206VXR (command was not under int e4/0). On the 3548XL I just set hardcode 10, so it must be in the hardware

    !3548XL
    !
    interface FastEthernet0/1
     speed 10
     port group 3
     spanning-tree portfast
    !
    interface FastEthernet0/2
     speed 10
     port group 3
     spanning-tree portfast
    !

    3548XL_1#sh port group
    Group  Interface        Transmit Distribution
    -----  ---------------  ---------------------
        3  FastEthernet0/2  source address
        3  FastEthernet0/1  source address

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45369t=45271
Re: Emergency: HOw to extend the telnet timeout fo [7:45268]
If your connection is clean, and the telnet program properly written, it will terminate the TCP session correctly when the program is closed. It's badly written clients, or when your network connection gets cut, or your system crashes that it becomes a problem. In these instances, the TCP session isn't properly shut down. A router with default configuration will never take action to disconnect the hung session.

What I typically do is configure a 240 minute (4 hour) timeout. It's long enough to give you time to think about what you're doing, and short enough that if my session is killed by a network problem or an overzealous firewall, I know I'll eventually get back in.

There is also another way to deal with the problem - TCP keepalives.

http://www.cisco.com/warp/public/471/tcpkeepalive.html

Thanks,
Shawn

Michael Williams wrote:

Daniel Cotts wrote:

Be extremely careful if you configure an exec-timeout of 0 0 on a vty port. It will never release! So when you drop the connection and again telnet into the box you now have one less open port. After five times (or number of vty ports) you are locked out of the box. Should you still be inclined to use this - then either (a) don't save the config (so someone can power cycle the box to let you back in) or (b) change the setting before you log off.

Good point. We have this setup on some of our routers that we commonly just sit in all day, and if I kill the telnet process (without allowing it a graceful exit) my session doesn't hang. It frees up the VTY line I was using. Interesting.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45300t=45268
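Added example, not part of the thread: a Python check for the vty lockout condition discussed above, flagging any `line vty` stanza that disables the idle timer (`exec-timeout 0 0`) while the global `service tcp-keepalives-in` command is absent. Both sample configurations are constructed, and the parser assumes `show running-config` style indentation.

```python
import re

# Constructed configurations (not taken from the thread).
RISKY = """\
line vty 0 4
 exec-timeout 0 0
 password example-only
"""
HARDENED = """\
service tcp-keepalives-in
line vty 0 4
 exec-timeout 240 0
 password example-only
"""

# One "line vty <first> [<last>]" header plus its indented sub-commands.
VTY_STANZA = re.compile(
    r"^line vty (\d+)(?: (\d+))?[ \t]*\n((?:[ \t]+.*\n?)*)", re.M)


def audit_vty(config):
    """Report idle timeout and lockout risk for each 'line vty' stanza."""
    keepalives = re.search(
        r"^service tcp-keepalives-in[ \t]*$", config, re.M) is not None
    report = []
    for stanza in VTY_STANZA.finditer(config):
        first = int(stanza.group(1))
        last = int(stanza.group(2) or first)
        count = last - first + 1
        # exec-timeout <minutes> [<seconds>]; "0 0" disables the idle timer.
        timer = re.search(r"^[ \t]+exec-timeout (\d+)(?: (\d+))?",
                          stanza.group(3), re.M)
        if timer is None:
            idle = None  # not configured in this stanza
        else:
            idle = int(timer.group(1)) * 60 + int(timer.group(2) or 0)
        findings = []
        if idle == 0 and not keepalives:
            findings.append(
                "idle timer disabled and no TCP keepalives: %d hung sessions "
                "lock out vty %d-%d" % (count, first, last))
        report.append({"vty": (first, last), "lines": count,
                       "idle_seconds": idle, "keepalives_in": keepalives,
                       "findings": findings})
    return report


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY), ("hardened", HARDENED)):
        print(name, audit_vty(cfg))
```
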
Re: cheapest router supporting two ethernet ports [7:44061]
The cheapest brand new Cisco router with two routable ethernet ports would be the Cisco 806. It looks like you can choose between IP/FW and IP PLUS for free on this platform.

In terms of LIST price, the 1605-R ties with a 1721/WIC-1ENET combo. Either of these would leave you with a free WIC slot, but the 1721 would give you dot1q vlan routing and far greater performance.

If you're looking for something used, there are more options, and prices will vary. :)

Thanks,
Shawn

Patrick Ramsey wrote:

Anyone know what the cheapest cisco router is that supports 2 ethernet ports? Either built in or modular. (if any of the older 25xx series have two aui ports, that would work as well!) I would also like to put IOS-firewall on it so memory constraints may dictate which one I buy as well.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44080t=44061
Re: PPP and tacacs [7:42818]
Yes - use a config like this:

    !
    aaa authentication ppp default none
    aaa authorization network default none
    aaa authentication ppp dialup group tacacs+ local
    aaa authorization network dialup group tacacs+ local
    aaa accounting network dialup start-stop group tacacs+ local
    !
    interface group-async1
     !
     ppp authentication ms-chap pap dialup
     ppp authorization dialup
     ppp accounting dialup
    !
    interface serial0/0
     !
     no ppp authentication
     no ppp authorization
     no ppp accounting
    !

NetEng wrote:

I have a 2600 series that has a 16 port async card for RAS dialup. It also has two WIC's for two T-1s that run ppp multilink. I want to enable tacacs for ppp dialup but not for the two T-1s. Is this possible?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=42831t=42818