RE: WLAN security matters [7:57160]
As far as I know Cisco does support AES on the Concentrators. It's on the roadmap for the router and PIX, but already out for the Concentrators.

Michael

--- mike greenberg wrote:

Paul, when I talked about IPSec, I meant to say that AES is not currently supported on PIX Firewalls or on any VPN concentrator. After I established a connection via EAP/TLS on the wireless network, I have to make another IPSec connection via the Cisco VPN client to make a secure connection to the internal network or to surf the Internet from my wireless DMZ segment. At the moment, I know that the PIX does NOT support AES, only 3DES. CheckPoint has beaten Cisco to the punch with SecureRemote (the CheckPoint client that is similar to the Cisco VPN client), which supports AES. Now if you know where I can get AES for the PIX firewall from Cisco, please let me know so that I can contact Cisco for support.

Mike G.

Paul Forbes wrote: Some notes/opinions:

1. A stolen laptop should trigger an employee to contact Human Resources, Security and/or IS. Anything less on the part of said employee is cause for termination - period. Alternatively, if the perceived threat is via corporate/military espionage, then the short-term solution is IPsec (IMO defeating the valuable properties of wireless) and long-term PEAP. Better yet, no wireless access at all, and lock your wired ports down via URT or some such.

2. ACS v3.1 was released and is orderable, but I can't find a single thing regarding CRL support by the authentication server. I'm digging around within my Cisco contacts for an answer. If I hear anything on this front, I'll be sure to toss up a comment.

3. Mike G. mentioned in a previous email the absence of AES in Cisco's product plans. This is NOT the case - the AP1200 product line was created so that, among other reasons, the CPU was capable of 256-bit AES. This was addressed in some detail at the San Diego Networkers' evening Product Session by Mike McAndrews, the Director of Product Management for the Wireless Networking BU.

Cheers all.
Paul

-----Original Message-----
From: Roberts, Larry [mailto:Larry.Roberts;expanets.com]
Sent: Monday, November 11, 2002 4:12 PM
To: [EMAIL PROTECTED]
Subject: RE: WLAN security matters [7:57160]

Going back to the original e-mail question. I disagree that EAP-TLS is not a solution for sniffing. Technically any wireless data can be sniffed, regardless of encryption. However, it will be garbage until decoded. If you use EAP-TLS and set the rekeying to a very short interval (say 1 minute) you would not be passing enough data for the person to be able to decrypt using the weakness in the IV. I'm not saying rekey every 1 minute, just that rekeying at 1 minute would assure you that not enough data had passed. You need to weigh the load on the server, the amount of wireless traffic and the amount of security that you need to come up with the rekeying interval.

The biggest drawback to EAP-TLS has been lack of support at the OS level. Windows XP supports it natively, but all other Microsoft OS's require additional software. Supposedly Microsoft is going to backfit W2K, but they haven't released when. If you want vendor neutrality, as I am looking to do, you either need to be assured that all the vendors release software that allows you to run EAP-TLS on your PC, or wait until MS does it at the OS level. I know that Cisco and Lucent have EAP-TLS aware clients, although I have only used Cisco's. Cisco and Lucent/Orinoco also have EAP-TLS aware AP's, but I have yet to get the spare time to actually install my AP-500.

With EAP-TLS, you must worry about stolen laptops, which will have the certificate stored, automatically allowing access to the network. CSACS 3.0 doesn't support CRL's, so until 3.1 comes out, which I was told will have CRL support, you will need to just disable the username on the certificate.

The more obstacles that the end user must jump over, the more likely that a rogue AP will pop up on the network. It is critical IMO that the authentication to the network be as smooth and transparent as possible. LEAP does an excellent job of that, but it's proprietary :(

Just my opinion though.

Thanks
Larry

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=57275t=57160 -- FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
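Larry's rekey-interval argument rests on how many frames a station encrypts under one key before the next rekey. The following is an added example, not code from the thread or from any Cisco product: it estimates frames per rekey interval and the chance that the 24-bit WEP IV repeats within that interval, assuming the IV space is 2^24 (a property of WEP) and treating frame rate and interval as inputs the reader chooses. It quantifies IV repetition only; it does not model the FMS weak-IV attack the post alludes to.

```python
"""Added example (not from the original thread): how much WEP traffic passes
inside one rekey interval, and how likely the 24-bit IV is to repeat in it.
Frame rate and interval below are reader-chosen inputs, not measured values."""
import math

WEP_IV_BITS = 24  # WEP's per-frame IV is 24 bits: 16,777,216 distinct values


def frames_per_interval(frames_per_second: float, interval_seconds: float) -> int:
    """Number of frames a station encrypts under one key before the next rekey."""
    return int(frames_per_second * interval_seconds)


def sequential_ivs_wrap(n_frames: int, iv_bits: int = WEP_IV_BITS) -> bool:
    """A card that increments the IV sequentially repeats one only after
    2**iv_bits frames; True means the interval is long enough for that."""
    return n_frames > 2 ** iv_bits


def iv_repeat_probability(n_frames: int, iv_bits: int = WEP_IV_BITS) -> float:
    """Probability that at least two of n_frames share an IV when the card
    picks IVs uniformly at random (the birthday bound).  Exact product form
    for modest n, the usual exp(-n(n-1)/2N) approximation for large n."""
    space = 2 ** iv_bits
    if n_frames >= space:
        return 1.0
    if n_frames > 200_000:
        return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2 * space))
    # log space avoids underflow in the product of (1 - i/N) terms
    log_no_collision = sum(math.log1p(-i / space) for i in range(n_frames))
    return 1.0 - math.exp(log_no_collision)


def rekey_report(frames_per_second: float, interval_seconds: float) -> dict:
    """Summary a practitioner can read off when choosing the interval."""
    n = frames_per_interval(frames_per_second, interval_seconds)
    return {
        "frames_per_interval": n,
        "sequential_iv_wraps": sequential_ivs_wrap(n),
        "random_iv_repeat_probability": iv_repeat_probability(n),
    }


if __name__ == "__main__":
    # Assumed load: 1,000 frames/s from one station, rekey every 60 s.
    print(rekey_report(1000, 60))
```

The two IV-assignment modes give very different answers for a one-minute interval: a sequential IV never wraps in 60,000 frames, while random IVs are almost certain to collide after a few thousand (the 50% point is near 4,096 frames). That is the check to run before trusting a short rekey interval to do more than bound the amount of ciphertext an attacker collects per key.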
Re: General PIX question DES/3DES [7:55200]
Upgrade. You can get DES free, but 3DES is an upgrade.

--- [EMAIL PROTECTED] wrote:

Do any of the PIX firewalls come with 3DES, or is it an upgrade option on all the models? Particularly the PIX-525-UR-BUN.

Thanx,
mkj

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=55240t=55200
Re: CCIE Security Lab schedule FYI [7:52281]
The only two places that offer this test are San Jose and Brussels. As you know SJ does not have an opening until April. Brussels has their first opening next week! My company only has a certain amount of money allotted for these tests, so I can either take it in October or wait until after February. Since I don't feel like waiting I've gone ahead and signed up for Brussels on October 17. That gives me a month and a half to get ready. I wasn't prepared to take it so soon so I guess I better catch up!

Michael Le, CCIE #6811

--- John Dorffler wrote:

I thought I should share some info with the group, especially those interested in pursuing the Security CCIE. I passed the written last week, and the system finally updated last night so that I could register for the lab. By the way, all lab types can be registered for on the web now. According to the online system, the first available date to take the Security lab in San Jose (the only North American site that offers the Security lab) is, ironically, April 1, 2003. That is over 7 months away. Extrapolating, if I have to schedule another date (I'm not so arrogant to assume I will pass the first try, but you never know...) I won't be able to take it again until November 1, 2003. I don't know if Cisco is planning to add more seats in San Jose or other locations anytime soon, so if you are thinking about taking the Security lab you better plan ahead, way ahead.

My $0.02,
John Dorffler CCIE #6677

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52425t=52281
Re: failover only licence on PIX [7:45475]
Hi Richard,

The FO is just a license and can be upgraded. The hardware is all the same. So is the software, for that matter. It's the activation key that lets you use the software and hardware the way you want or can afford.

Michael

--- nettable_walker wrote:

5/30/2002 6:35pm Thursday

Professionals, I have seen some deals on eBay for PIX 515's with FO license. I also do a lot of work on 2 sets of 525's. Is the FO license upgradeable to a regular license? Is the FO something in the chip set? Has anyone tried to modify it?

Thanks,
Richard

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45510t=45475
Re: PIX: Active FTP vs Passive FTP [7:43625]
The 'fixup protocol ftp strict 21' is generally suggested for passive FTP. This is to make sure servers are the only ones that can send the PASV command. This closed a security hole in the past.

Michael Le, CCIE #6811

--- Jeffrey Reed wrote:

Are there any special considerations when allowing FTP through a PIX if clients can do either passive or active FTP sessions?

Jeffrey Reed
Classic Networking, Inc.
Cell 717-805-5536
Office 717-737-8586
FAX 717-737-0290

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=43806t=43625
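What the strict option actually enforces on the control channel is easier to see in code than in prose. The block below is an added example, not PIX code and not from the thread: a small inspector that models the documented strict rules (one outstanding command at a time, PORT only from the client, 227 only from the server, data-channel endpoint learned solely from those two messages and never from a 227 buried in an error line). The FTP exchanges it runs over are constructed for the example.

```python
"""Added example (not from the original thread): a model of the checks the
PIX 'fixup protocol ftp strict' option is documented to apply to the FTP
control channel.  The sample sessions below are constructed; this is not
PIX code."""
import re

PORT_RE = re.compile(r'^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$')
PASV_227_RE = re.compile(r'^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


class FtpStrictInspector:
    """Tracks one FTP control connection and the data-channel pinhole it earns.

    Rules modelled:
      * the client may have only one command outstanding; a segment carrying
        two commands, or a command sent before the last reply, drops the
        connection (the 'embedded command' case the strict option targets);
      * only the client may send PORT; only the server may send a 227 reply;
      * the data endpoint is learned only from a well-formed PORT or 227 line,
        so a 227 string inside a 5xx error text is ignored.
    """

    def __init__(self):
        self.awaiting_reply = False
        self.data_endpoint = None  # (ip, port) the firewall would open
        self.dropped = False

    @staticmethod
    def _endpoint(match):
        a, b, c, d, p_hi, p_lo = (int(x) for x in match.groups())
        return f"{a}.{b}.{c}.{d}", p_hi * 256 + p_lo

    def client_segment(self, payload: str) -> None:
        if self.dropped:
            return
        lines = [l for l in payload.split("\r\n") if l]
        if len(lines) != 1 or self.awaiting_reply:
            self.dropped = True  # pipelined / embedded commands
            return
        line = lines[0]
        if line.startswith("227"):
            self.dropped = True  # a client must never emit a server reply
            return
        m = PORT_RE.match(line)
        if m:
            self.data_endpoint = self._endpoint(m)
        self.awaiting_reply = True

    def server_segment(self, payload: str) -> None:
        if self.dropped:
            return
        for line in [l for l in payload.split("\r\n") if l]:
            if PORT_RE.match(line):
                self.dropped = True  # a server must never emit PORT
                return
            m = PASV_227_RE.match(line)  # anchored: only a real 227 reply counts
            if m:
                self.data_endpoint = self._endpoint(m)
            self.awaiting_reply = False


def run_session(exchange):
    """exchange: list of ('C'|'S', payload). Returns (dropped, data_endpoint)."""
    insp = FtpStrictInspector()
    for side, payload in exchange:
        (insp.client_segment if side == "C" else insp.server_segment)(payload)
    return insp.dropped, insp.data_endpoint


# Constructed sample sessions (addresses are private-range placeholders).
NORMAL_PASV = [
    ("C", "USER anonymous\r\n"), ("S", "331 Please specify the password.\r\n"),
    ("C", "PASS guest@\r\n"), ("S", "230 Login successful.\r\n"),
    ("C", "PASV\r\n"), ("S", "227 Entering Passive Mode (10,0,0,21,19,137).\r\n"),
]
ACTIVE_PORT = [
    ("C", "PORT 10,0,0,5,4,1\r\n"), ("S", "200 PORT command successful.\r\n"),
]
EMBEDDED = [
    ("C", "USER anonymous\r\n"), ("S", "331 Please specify the password.\r\n"),
    ("C", "PASS guest@\r\nPORT 10,0,0,5,4,1\r\n"),  # two commands, one segment
]
CLIENT_SENT_227 = [("C", "227 Entering Passive Mode (10,0,0,5,4,1)\r\n")]
ERROR_STRING_227 = [
    ("C", "RETR secret\r\n"),
    ("S", "550 Failed to open file. 227 Entering Passive Mode (1,2,3,4,5,6)\r\n"),
]

if __name__ == "__main__":
    for name in ("NORMAL_PASV", "ACTIVE_PORT", "EMBEDDED", "CLIENT_SENT_227", "ERROR_STRING_227"):
        print(name, run_session(globals()[name]))
```

The practical check: a legitimate client never pipelines FTP commands and never sends a 227 line, so the drops this model produces are exactly the ones the strict option makes on a real PIX; if a vendor's FTP client breaks behind it, the pipelining rule is the first thing to look at.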
Re: Async dial access parameters [7:23910]
He is right. You can pass DNS and WINS information, but subnet mask and stuff won't be in there. I don't believe there is even a field in the IPCP packet for that. Don't worry about what ipconfig says. It works, right? :)

Michael Le, CCIE #6811

--- nrf wrote:

Strange, I was able to pass information like DNS and WINS to the client just fine on my access-server, using async-bootp. Note, you generally don't need to pass things like subnet mask or GW to the client anyway. If you are using normal IPCP negotiations, then the address of the access-server gets passed to the client as a host route. And whatever address the access-server hands to the client, Windows automatically gives it a /32 mask, even if you try to negotiate some other mask (I'm sure this behavior can be changed somewhere in the registry, I just don't know how, and besides, I don't know why you would want to). And by default in Windows, once a dial PPP session has been negotiated, Windows uses that PPP session as a default gateway automatically, so your access-server doesn't need to hand default gateway information to the client. You can turn this behavior off, if you want.

NetEng wrote:

I have a 2600 w/ NM16AM. I have it configured and it works like a champ except for one thing. How do I pass network parameters to the client? I need to specify the subnet mask, default gw, dns, etc. I tried the async-bootp command from global config, but that didn't work. I created the ip pool just fine, but I can't find where to set the rest of the info. TIA.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=24245t=23910
RE: VPN to PIX using Win2000 or Millennium?? [7:16452]
I have PPTP running fine with Win2K. I had it working on 5.3 and am now running 6.1. I recently upgraded to DES but haven't tried using IPSec.

Michael Le, CCIE #6811

--- Rik Guyler wrote:

Yes, PIX supports PPTP according to CCO. However, I became frustrated with PPTP as each version of Windows offers different options and interacts with the PIX in a different manner. In other words, I have set this up and made it work most of the times I tried, but this one time, in band camp... Now, my experience is with the 5.x code and maybe, just maybe, it's better with the 6.x code as this now seems to be the trendy way to provide remote access. Despite this, I really recommend purchasing the VPN client. The 100-user license retails for around $250. BTW - It used to be that the PPTP configs for the PIX on CCO were flawed. Maybe this is still the same, maybe not.

--- Rik Guyler

-----Original Message-----
From: Andy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:48 AM
To: [EMAIL PROTECTED]
Subject: VPN to PIX using Win2000 or Millennium?? [7:16452]

Hi

Does anyone know if it is possible to set up a VPN using either Windows 2000 or Millennium to connect to a corporate PIX without using any Cisco client software? I believe it is possible but haven't had any luck in getting it to work. I have it working great using NT with the Cisco Secure VPN client, which unfortunately doesn't run on the newer versions of Windows. I've also been told this is because the newer versions of Windows don't need it as they have this capability built in. I've done the usual setting up the VPN part on Windows but to my mind there seems to be a lot of options missing that would allow you to get it to work properly, such as ESP and AHP settings, etc. Any help would be greatly appreciated.

Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16525t=16452
RE: VPN to PIX using Win2000 or Millennium?? [7:16452]
You need at least 5.1 to do PPTP. Look in Advanced PIX Configurations for the commands.

Michael Le, CCIE #6811

--- Jose Villatoro wrote:

Hi Mike,

Are there any references out there on the net on setting this up? Our PIX IOS version is 5.0. I've been using the VPN Client v1.0.a successfully, but it's not Win2K compatible.

Thanks,
Jose Villatoro

-----Original Message-----
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Monday, August 20, 2001 1:34 AM
To: [EMAIL PROTECTED]
Subject: RE: VPN to PIX using Win2000 or Millennium?? [7:16452]

I have PPTP running fine with Win2K. I had it working on 5.3 and am now running 6.1. I recently upgraded to DES but haven't tried using IPSec.

Michael Le, CCIE #6811

--- Rik Guyler wrote:

Yes, PIX supports PPTP according to CCO. However, I became frustrated with PPTP as each version of Windows offers different options and interacts with the PIX in a different manner. In other words, I have set this up and made it work most of the times I tried, but this one time, in band camp... Now, my experience is with the 5.x code and maybe, just maybe, it's better with the 6.x code as this now seems to be the trendy way to provide remote access. Despite this, I really recommend purchasing the VPN client. The 100-user license retails for around $250. BTW - It used to be that the PPTP configs for the PIX on CCO were flawed. Maybe this is still the same, maybe not.

--- Rik Guyler

-----Original Message-----
From: Andy [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 18, 2001 6:48 AM
To: [EMAIL PROTECTED]
Subject: VPN to PIX using Win2000 or Millennium?? [7:16452]

Hi

Does anyone know if it is possible to set up a VPN using either Windows 2000 or Millennium to connect to a corporate PIX without using any Cisco client software? I believe it is possible but haven't had any luck in getting it to work. I have it working great using NT with the Cisco Secure VPN client, which unfortunately doesn't run on the newer versions of Windows. I've also been told this is because the newer versions of Windows don't need it as they have this capability built in. I've done the usual setting up the VPN part on Windows but to my mind there seems to be a lot of options missing that would allow you to get it to work properly, such as ESP and AHP settings, etc. Any help would be greatly appreciated.

Andy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16569t=16452
Re: blocking PORTS ON PIX!!! [7:16275]
Well, by default your internal devices will be able to access anything on the outside. You don't need to open a port for that. Allen is correct in just shutting down the port.

Michael Le

--- Magdy H. Ibrahim wrote:

Hi Allen,

Actually my point is how to restrict my outbound POP3 from accessing the outside mail servers. I want to block any internal request for external POP3 from accessing that target. You got it? I hope you may help me in this.

Magdy

Allen May wrote in message news:[EMAIL PROTECTED]...

Maybe I missed the point of the question, but just don't open POP3 on the outside interface for inbound and that will restrict all outside users from using POP3. Unless inside users pass through the PIX to get to the POP3 server you won't need to add anything to the PIX to allow inside users POP3 (or anything else for that matter). The rest of the configuration for mail server restrictions can be done at the mail server if you want to tighten it down even further for inside users. Hope that helps.

Allen

----- Original Message -----
From: Magdy H. Ibrahim
Sent: Thursday, August 16, 2001 7:46 AM
Subject: blocking PORTS ON PIX!!! [7:16275]

Dear All,

I have a question about how to block ports on PIX firewall. My case is: I have a mail server working behind the PIX, so I opened the POP3 and SMTP ports for this mail server. My mail server is accessed from the inside and outside interfaces. I want to limit my internal IPs to only work with POP3 using Outlook Express or any mail client from my mail server, and deny any request for POP3 to outside mail servers such as Hotmail or Yahoo. Can I do something like that? Please advise me ASAP. Here is a shortcut of my PIX conf.:

static (inside,outside) 62.21.55.68 10.0.0.21 netmask 255.255.255.255 0 0
access-group acl_in in interface inside
conduit permit icmp any any
conduit permit tcp host 62.21.55.66 eq smtp any
conduit permit tcp host 62.21.55.66 eq pop3 any

Regards,
Magdy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16312t=16275
Re: VPN 3000 design and PIX [7:15653]
Though some Cisco documentation says to put it in parallel to the PIX, Cisco actually prefers three ways, and they all require you to go through the PIX. One way is to have the public interface of the VPN be in the DMZ. This way the only traffic that hits the VPN has been through the firewall already. The second way is to have the private interface of the VPN be on the DMZ. This way unencrypted traffic is forced through the PIX for inspection. The third and best way is to have both the private and public interfaces be on two different DMZs, so that both encrypted and unencrypted traffic is forced through PIX inspection. It's all a matter of how many interfaces you have for DMZs.

Michael Le, CCIE #6811

--- Tom Richs wrote:

Can someone tell me, if I have a PIX in place, where should I install my VPN 3000 box (in front of the PIX, behind the PIX, parallel, in the DMZ on the PIX, etc.)? Also, I can't seem to find any documentation that has how to do it or how to configure each component. Any help, especially with configuration on both, would be greatly appreciated. Thanks.

Tom

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=15888t=15653
Re: VPN ...firewall [7:14463]
Cisco advises using one of three solutions.

1.) Firewall DMZ one going to the VPN outside, so that encrypted traffic can be filtered. Then the VPN inside going to another DMZ on the firewall, so that unencrypted traffic has to go again through the firewall. This is probably best if you have the interfaces.

2.) Only the VPN outside is connected to the firewall. Once traffic is unencrypted it hits the network directly.

3.) Only the VPN inside is connected to the firewall. Traffic can hit the VPN directly, but once unencrypted it will have to go through the firewall.

Stateful inspection is a more thorough inspection of the IP packet to determine various things, like if the packet is a response packet to something on the inside. If it is, then it's more likely to be safe. Basically, it checks the state of sessions between inside and outside devices. And yes, the PIX supports it.

A proxy server is a device that does something for another device. Most common is a web proxy that goes out and makes the HTTP request for an internal PC. The web server only sees the request coming from the web proxy. The proxy most times also maintains a cache so that commonly hit sites are stored locally and thus data is returned quicker. Some proxies now also try to do some packet filtering to be more like firewalls. They don't do as good a job and don't scale as well as true firewalls.

Michael Le, CCIE #6811

--- RAJESH AGNIHOTRI wrote:

Greetings,

QUESTIONS

1) If we install a VPN box in the network, does this mean it is secured, or should we have a firewall also? If so, where should the firewall sit on the network: before the VPN box or after the VPN box?

2) What do you mean by stateful inspection? Does the Cisco PIX firewall support it?

3) Difference between a firewall and a proxy server?

Please let me know.

Regards
Rajesh Agnihotri

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=14515t=14463
Re: Weird VPN issue [7:11055]
If all the users are having problems accessing the same server, have you checked to see if it's an issue with that box? Do a route print and see what routes are set on that box. Check the ARP cache and nbtstat cache.

--- Mark Smith wrote:

I am using several PIX units to tunnel between locations for where I work. The PIX to PIX tunnels work fine. I also have users tunneling in from home/dialup/remotely, however they choose to connect. These connections work almost fine. They all share the same issue. They cannot see one NT4 server on the internal network. They can't map drives to it and they can't even ping the IP address. Unfortunately there are user files on this box. All other internal addresses are completely accessible through their external connection except this one. I called Cisco TAC and they just shrugged their shoulders on this one. This box is a domain controller, internal DHCP and WINS server and has some users' flat files stored on it (no apps running on it) and I have a DFS share pointing to a directory on it. Don't know if that matters any. Any ideas as to why I can access the entire 172.25.1.0 network except for 172.25.1.21? Thanks.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=11084t=11055
Re: VPN troubles [7:10714]
What you need to test with is an extended ping. Type in 'ping ip' and then enter, and then follow the prompts after that. It gives you the choice of picking which IP address the router will use as the source. By default it uses the interface the packet leaves from.

Michael Le, CCIE #681

--- Allen May wrote:

OK I'll get the configs forwarded in a bit. But for now... the inside interface has an IP on that subnet. What would it take to get it to work from the router itself? It's got an outside IP going to the ISP and an inside IP for a 10.43.2.0/24 network with a secondary IP on the inside interface of 10.43.2.1. I guess what I'm trying to say is... how DO you make it work then? ;)

Allen

----- Original Message -----
From: G30RG3
Sent: Monday, July 02, 2001 7:53 PM
Subject: Re: VPN troubles [7:10714]

The reason you can't ping from the router itself is that when you specified what traffic to encrypt and send to the tunnel you only specified the subnets behind the firewall and router. If you try and ping the other side it will not go through the tunnel because it is not a match on the access-list. That is one of the reasons. I can't say that is the only reason cuz I don't know what your configs look like. Hope that helps.

George, Head Janitor, CCNA CCDA Cisco Systems

Allen May wrote in message news:[EMAIL PROTECTED]...

I have an IPSec tunnel set up between a PIX and a 2600 and it works perfectly for clients end-to-end. However, I can't ping across the VPN from the PIX or router. I suspect a routing issue. When I try to add a route to tell it anything going to the other end should use that IP on that interface, it gives an error saying invalid hop because it's on that router. Any ideas? A little info: the remote network has 10.43.2.0/24 but the gateway is a secondary IP on the internal FastEthernet interface of a 2600. The central network is 10.43.1.0/24 on a PIX 515. Future networks will be on the 10.x.y.z network, centralized to the PIX rack. The problem I'm trying to solve is making the remote routers authenticate over the VPN to TACACS+ for the enable password. If I can't ping the box because it's trying to go out the default route, it won't work.

Allen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10819t=10714
Re: VPN troubles [7:10714]
I reread the problem you were having. I missed it before. You are trying to ping an address on the other side of the VPN that is in the same range as on your local LAN? That's where you're running into a problem. You're trying to bridge across the tunnel. If you want that, you need to specify that. Otherwise, you will need to do NAT to translate the addresses - destination or source. The PIX has an alias command that double NATs for this very problem. Never tried it with a VPN tunnel though, but I guess it should be the same.

Michael Le, CCIE #6811

--- Allen May wrote:

Doesn't seem to work with 12.0(5). Here's the config. The FastEthernet0/0 secondary IP is in the range capable of going over the VPN. When the router tries to ping over the VPN it just uses the default gateway out to the Internet. I have a workaround to just give the TACACS+ box an Internet address but it's bugging me that this won't work the way it was originally planned.

Using 2646 out of 29688 bytes
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MSI-2621
!
logging buffered 4096 debugging
no logging console
enable password 7 *
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
ip name-server 209.113.31.100
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key * address 207.x.y.70
!
crypto ipsec transform-set msiset esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 207.x.y.70
 set transform-set msiset
 match address 120
!
process-max-time 200
!
interface FastEthernet0/0
 description MSI-LAN Austin
 ip address 10.43.2.1 255.255.255.0 secondary
 ip address 192.168.103.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 description MSI-Austin to Insync-Houston T1 (Internet)
 ip address 207.x.y.22 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map nolan
!
interface FastEthernet0/1
 description MSI DMZ LAN
 ip address 207.x.y.129 255.255.255.224
 no ip directed-broadcast
!
interface Serial0/1
 description MSI-Austin to Microspace-Raleigh T1
 ip address 192.168.254.10 255.255.255.252
 no ip directed-broadcast
 service-module t1 clock source internal
!
router ospf 100
 redistribute connected subnets
 redistribute static subnets
 network 192.168.103.0 0.0.0.255 area 0
 network 192.168.254.8 0.0.0.3 area 0
 network 207.x.y.160 0.0.0.31 area 0
!
ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
ip nat inside source route-map nonat pool MSI-LAN overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.170.95.21
ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
ip route 207.x.y.120 255.255.255.248 207.x.y.14
ip route 207.x.y.128 255.255.255.224 207.x.y.14
no ip http server
!
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 deny ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 permit ip 10.43.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.103.0 0.0.0.255 any
access-list 198 permit icmp any any
route-map nonat permit 10
 match ip address 130
!
snmp-server engineID local 000902309468D480
snmp-server community RO
snmp-server community RW
!
line con 0
 exec-timeout 30 0
 transport input none
line aux 0
line vty 0 4
 password 7
 login
!
ntp clock-period 17180260
ntp server 192.168.103.242 prefer
!
end

----- Original Message -----
From: Yonkerbonk
To: Allen May
Sent: Tuesday, July 03, 2001 10:14 AM
Subject: Re: VPN troubles [7:10714]

What you need to test with is an extended ping. Type in 'ping ip' and then enter, and then follow the prompts after that. It gives you the choice of picking which IP address the router will use as the source. By default it uses the interface the packet leaves from.

Michael Le, CCIE #681

--- Allen May wrote:

OK I'll get the configs forwarded in a bit. But for now... the inside interface has an IP on that subnet. What would it take to get it to work from the router itself? It's got an outside IP going to the ISP and an inside IP for a 10.43.2.0/24 network with a secondary IP on the inside interface of 10.43.2.1. I guess what I'm trying to say is... how DO you make it work then? ;)

Allen

----- Original Message -----
From: G30RG3
Sent: Monday, July 02, 2001 7:53 PM
Subject: Re: VPN troubles [7:10714]

The reason you can't ping from the router itself is that when you specified what traffic to encrypt and send to the tunnel you only specified the subnets behind the firewall and router. If you try and ping the other side
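Michael's extended-ping advice and George's "not a match on the access-list" diagnosis are the same point, and the posted config lets it be checked exactly. The following is an added example, not code from the thread or from IOS: it evaluates the router's crypto ACL 120 and NAT-exemption ACL 130 (copied from the config above) with IOS wildcard-mask semantics against candidate source and destination addresses. The serial-interface address 207.0.113.22 is a documentation-range placeholder for the redacted 207.x.y.22, and 10.43.1.10 is a hypothetical TACACS+ host on the central LAN.

```python
"""Added example (not from the original thread): evaluate the posted router's
crypto ACL the way IOS does, to show which ping sources enter the tunnel.
207.0.113.22 stands in for the redacted 207.x.y.22; 10.43.1.10 is a
hypothetical TACACS+ host on the central 10.43.1.0/24 LAN."""
import ipaddress

CRYPTO_ACL_120 = [
    "access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255",
]
NONAT_ACL_130 = [
    "access-list 130 deny ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255",
    "access-list 130 permit ip 10.43.2.0 0.0.0.255 any",
    "access-list 130 permit ip 192.168.103.0 0.0.0.255 any",
]
SERIAL0_0 = "207.0.113.22"   # placeholder for the redacted 207.x.y.22
LAN_PRIMARY = "192.168.103.1"
LAN_SECONDARY = "10.43.2.1"
TACACS = "10.43.1.10"        # hypothetical host behind the PIX


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC WC DST WC' (also 'any'/'host')."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"not an extended ip ACE: {line}")
    action, i = tok[2], 4

    def take():
        nonlocal i
        if tok[i] == "any":
            i += 1
            return "0.0.0.0", "255.255.255.255"
        if tok[i] == "host":
            i += 2
            return tok[i - 1], "0.0.0.0"
        i += 2
        return tok[i - 2], tok[i - 1]

    src = take()
    dst = take()
    return action, src, dst


def acl_action(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; implicit deny at the end, as on IOS."""
    for line in acl_lines:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


def ping_path(src: str, dst: str) -> str:
    """Where a router-originated packet goes, given the crypto map on Serial0/0."""
    if acl_action(CRYPTO_ACL_120, src, dst) == "permit":
        return "crypto ACL 120 matches: encrypted into the tunnel"
    return "no crypto ACL match: sent in the clear along the default route"


def nat_exempt(src: str, dst: str) -> bool:
    """True when route-map nonat (ACL 130) leaves transit traffic untranslated."""
    return acl_action(NONAT_ACL_130, src, dst) == "deny"


if __name__ == "__main__":
    for source in (SERIAL0_0, LAN_PRIMARY, LAN_SECONDARY):
        print(f"ping {TACACS} source {source:15} -> {ping_path(source, TACACS)}")
```

Only a ping sourced from 10.43.2.1 (the secondary address) matches ACL 120; the default source (Serial0/0) and even the primary LAN address 192.168.103.1 fall through and take the default route, which is the behaviour Allen describes. The same evaluator shows that 192.168.103.0/24 to 10.43.1.0/24 is not NAT-exempt either, so the TACACS+ client on the router must be sourced from the 10.43.2.x address for the tunnel to carry it.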
Re: VPN troubles [7:10714]
That's what I get for not creating a signature.

Michael

--- Kevin Wigle wrote:

Can't resist... Hey Michael, that's some CCIE# you got there :-)

Kevin Wigle

----- Original Message -----
From: Yonkerbonk
Sent: Tuesday, July 03, 2001 11:30 AM
Subject: Re: VPN troubles [7:10714]

What you need to test with is an extended ping. Type in 'ping ip' and then enter, and then follow the prompts after that. It gives you the choice of picking which IP address the router will use as the source. By default it uses the interface the packet leaves from.

Michael Le, CCIE #681

--- Allen May wrote:

OK I'll get the configs forwarded in a bit. But for now... the inside interface has an IP on that subnet. What would it take to get it to work from the router itself? It's got an outside IP going to the ISP and an inside IP for a 10.43.2.0/24 network with a secondary IP on the inside interface of 10.43.2.1. I guess what I'm trying to say is... how DO you make it work then? ;)

Allen

----- Original Message -----
From: G30RG3
Sent: Monday, July 02, 2001 7:53 PM
Subject: Re: VPN troubles [7:10714]

The reason you can't ping from the router itself is that when you specified what traffic to encrypt and send to the tunnel you only specified the subnets behind the firewall and router. If you try and ping the other side it will not go through the tunnel because it is not a match on the access-list. That is one of the reasons. I can't say that is the only reason cuz I don't know what your configs look like. Hope that helps.

George, Head Janitor, CCNA CCDA Cisco Systems

Allen May wrote in message news:[EMAIL PROTECTED]...

I have an IPSec tunnel set up between a PIX and a 2600 and it works perfectly for clients end-to-end. However, I can't ping across the VPN from the PIX or router. I suspect a routing issue. When I try to add a route to tell it anything going to the other end should use that IP on that interface, it gives an error saying invalid hop because it's on that router. Any ideas? A little info: the remote network has 10.43.2.0/24 but the gateway is a secondary IP on the internal FastEthernet interface of a 2600. The central network is 10.43.1.0/24 on a PIX 515. Future networks will be on the 10.x.y.z network, centralized to the PIX rack. The problem I'm trying to solve is making the remote routers authenticate over the VPN to TACACS+ for the enable password. If I can't ping the box because it's trying to go out the default route, it won't work.

Allen

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=10870t=10714
Re: ARP cache [7:10832]
That's not minimum. That's minutes.

Michael Le, CCIE #6811

--- andylow wrote:

Hi, I would like to find out if anyone knows why the age (min) is 133. What causes it? I definitely did not create a static ARP entry. Is there a link about ARP information on Cisco routers?

Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  123.123.123.123        133  0090.7f04.4516  ARPA  FastEthernet1

Regards, Andy
Re: tracking rogue dialup users [7:10859]
You tell the devices that are logging how specific you want them to be, regarding dates and minutes and all that. The parameter is 'timestamps'. This is also why you need to have a central timekeeping server that syncs your devices across the enterprise, so that the times make sense to everyone. NTP is used for this.

Michael Le, CCIE #6811

--- - wrote:

Greetz. Just a matter of interest. Say there is user A; he dials up to ISP J. User A breaks into server X. Server X has the IP, and he contacts the ISP. How is the user tracked from there on? Do servers like CiscoSecure ACS keep track of the IP and the time connected? The reason I am asking is that in my little experience with CiscoSecure ACS and their RADIUS, I could not find such info in the logs. Is TACACS perhaps a little better; will it give me more info? Or will this user just get away with this? Doubt it though. Any help will be greatly appreciated.

Ciao
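The correlation the question is asking about, as an added example that is not part of the thread and not CiscoSecure ACS code: given an incident time from the victim server and the RADIUS accounting trail from the access server, find which dial-up user held the offending address at that instant. It assumes the accounting server records the standard RADIUS accounting fields (Acct-Status-Type Start/Stop, User-Name, NAS, Framed-IP-Address, Acct-Session-Id); the CSV layout, the usernames and every timestamp below are constructed for the illustration. Every timestamp is normalised to UTC before comparison, which is exactly why the NAS, the AAA server and the compromised host all need to be on NTP: with clocks that disagree the lookup either names nobody or names two people.

```python
"""Correlate an incident time with RADIUS accounting Start/Stop records.
Added illustration; records and CSV layout are constructed, not real."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed accounting export (not real data):
# timestamp-with-offset, Acct-Status-Type, User-Name, NAS, Framed-IP-Address, Acct-Session-Id
ACCT_LOG = """\
2001-07-03T09:58:02-0500,Start,alice,nas1,10.50.0.17,8001
2001-07-03T10:11:40-0500,Stop,alice,nas1,10.50.0.17,8001
2001-07-03T10:12:05-0500,Start,bob,nas1,10.50.0.17,8002
2001-07-03T11:30:00-0500,Stop,bob,nas1,10.50.0.17,8002
2001-07-03T10:20:00-0500,Start,carol,nas2,10.50.0.18,9001
"""

@dataclass
class Session:
    user: str
    nas: str
    ip: str
    session_id: str
    start: datetime
    stop: Optional[datetime] = None   # None: no Stop record seen, still open

def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 stamp with a numeric UTC offset and convert to UTC,
    so records logged in different zones compare correctly."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S%z").astimezone(timezone.utc)

def parse_accounting(text: str) -> List[Session]:
    """Pair Start and Stop records by (NAS, session id)."""
    open_sessions: Dict[Tuple[str, str], Session] = {}
    closed: List[Session] = []
    for line in text.splitlines():
        ts, status, user, nas, ip, sid = line.split(",")
        key = (nas, sid)
        if status == "Start":
            open_sessions[key] = Session(user, nas, ip, sid, parse_ts(ts))
        elif status == "Stop" and key in open_sessions:
            sess = open_sessions.pop(key)
            sess.stop = parse_ts(ts)
            closed.append(sess)
    return closed + list(open_sessions.values())

def who_had(sessions: List[Session], ip: str, when: datetime,
            slack: timedelta = timedelta(0)) -> List[Session]:
    """Sessions that held `ip` at `when`.  `slack` widens each session by the
    clock skew you are willing to tolerate between the reporting host and the
    NAS; more than one hit means the logs cannot pin the address on one user."""
    hits = []
    for s in sessions:
        if s.ip != ip:
            continue
        earliest = s.start - slack
        latest = (s.stop + slack) if s.stop else None
        if earliest <= when and (latest is None or when <= latest):
            hits.append(s)
    return hits

def users_holding(sessions: List[Session], ip: str, when_iso: str,
                  slack_seconds: int = 0) -> List[str]:
    """Convenience wrapper: usernames holding `ip` at an ISO-8601 instant."""
    hits = who_had(sessions, ip, parse_ts(when_iso), timedelta(seconds=slack_seconds))
    return sorted(s.user for s in hits)

SESSIONS = parse_accounting(ACCT_LOG)

if __name__ == "__main__":
    # Server X logged the break-in at 15:15:00 UTC; the NAS logs in US Central.
    print(users_holding(SESSIONS, "10.50.0.17", "2001-07-03T15:15:00+0000"))
    # Ten seconds after alice hung up and before bob dialled in, with 30 s of
    # tolerated skew, both become candidates: the evidence is only as good as
    # the clocks.
    print(users_holding(SESSIONS, "10.50.0.17", "2001-07-03T15:11:50+0000", 30))
```

The second call in the demo is the practical caveat: a 30-second disagreement between the server's clock and the NAS's clock turns an unambiguous answer into two suspects, which is the case for syncing every device to the same NTP source before you need the logs.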
Re: VPN troubles [7:10714]
The only thing I can think of is that packets originating from the router normally don't get passed through access-lists. But I remember being able to pass router-originated packets through my tunnel just fine, so I'm not sure what the rules for VPNs are. Sorry.

Michael

--- Allen May wrote:

Actually it's not in the same range. The config I sent was from a 2600 on 10.43.2.0/24 and the destination on the other end of the tunnel is 10.43.1.0/24. It is set up to only allow IPs originating from 10.43.2.0/24 to go through the tunnel (vice versa on the other end). Everything else gets routed out to the Internet NAT'd. NAT does not work with IPSec tunnels according to all the documents I found on cisco.com. The whole problem is that it won't use the 10.43.2.1 interface as the source IP when I try to get across the tunnel from the router. Thanks a lot for the help... I do appreciate it. Any other ideas? I'm about to give up and use the work-around of sending TACACS+ authentication requests over the Internet via a real IP address. That will just mean I have to add another access-list for source IPs allowed into the TACACS+ box. More work, but it would be do-able.

Allen

- Original Message -
From: Yonkerbonk
To: Allen May
Sent: Tuesday, July 03, 2001 1:40 PM
Subject: Re: VPN troubles [7:10714]

I reread the problem you were having. I missed it before. You are trying to ping an address on the other side of the VPN that is in the same range as on your local LAN? That's where you're running into a problem. You're trying to bridge across the tunnel. If you want that, you need to specify that. Otherwise, you will need to do NAT to translate the addresses - destination or source. The PIX has an alias command that double NATs for this very problem. Never tried it with a VPN tunnel though, but I guess it should be the same.

Michael Le, CCIE #6811

--- Allen May wrote:

Doesn't seem to work with 12.0(5). Here's the config. FastEthernet0/0's secondary IP is in the range capable of going over the VPN.
When the router tries to ping over the VPN it just uses the default gateway out to the Internet. I have a workaround to just give the TACACS+ box an Internet address, but it's bugging me that this won't work the way it was originally planned.

Using 2646 out of 29688 bytes
!
version 12.0
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname MSI-2621
!
logging buffered 4096 debugging
no logging console
enable password 7 *
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
ip name-server 209.113.31.100
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key * address 207.x.y.70
!
crypto ipsec transform-set msiset esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 207.x.y.70
 set transform-set msiset
 match address 120
!
process-max-time 200
!
interface FastEthernet0/0
 description MSI-LAN Austin
 ip address 10.43.2.1 255.255.255.0 secondary
 ip address 192.168.103.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
!
interface Serial0/0
 description MSI-Austin to Insync-Houston T1 (Internet)
 ip address 207.x.y.22 255.255.255.252
 no ip directed-broadcast
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 crypto map nolan
!
interface FastEthernet0/1
 description MSI DMZ LAN
 ip address 207.x.y.129 255.255.255.224
 no ip directed-broadcast
!
interface Serial0/1
 description MSI-Austin to Microspace-Raleigh T1
 ip address 192.168.254.10 255.255.255.252
 no ip directed-broadcast
 service-module t1 clock source internal
!
router ospf 100
 redistribute connected subnets
 redistribute static subnets
 network 192.168.103.0 0.0.0.255 area 0
 network 192.168.254.8 0.0.0.3 area 0
 network 207.x.y.160 0.0.0.31 area 0
!
ip nat pool MSI-LAN 207.x.y.129 207.x.y.148 netmask 255.255.255.224
ip nat inside source route-map nonat pool MSI-LAN overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.170.95.21
ip route 10.0.0.0 255.0.0.0 10.43.1.1 permanent
ip route 207.x.y.120 255.255.255.248 207.x.y.14
ip route 207.x.y.128 255.255.255.224 207.x.y.14
no ip http server
!
access-list 1 permit 192.168.103.0 0.0.0.255
access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 deny ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 permit ip 10.43.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.103.0 0.0.0.255 any
access-list 198 permit icmp any any
route-map nonat permit 10
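The selection George describes in the first reply and that Allen's config makes concrete, as an added example that is not part of the thread and not Cisco code: a small model of how crypto map nolan and route-map nonat classify a packet leaving Serial0/0, driven by access-lists 120 and 130 copied from the posted config. It only models first-match wildcard ACLs with an implicit deny, not IOS itself. Two assumptions are mine: 207.0.0.22 stands in for the masked Serial0/0 address 207.x.y.22, and since the posted route-map is cut off after "permit 10", it is taken to match ACL 130, which is what that ACL's deny-then-permit shape is for. Running it shows that a ping sourced from the serial interface never matches the crypto ACL, so it is neither encrypted nor NATed and just follows the default route, while one sourced from the 10.43.2.1 secondary address does match.

```python
"""Model of crypto-ACL / NAT-exemption classification for the posted 2621
config.  Added illustration, not IOS; first-match wildcard ACL semantics only."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Access-lists copied from the posted config.  ACL 120 is the crypto map's
# "match address"; ACL 130 is assumed to be what route-map nonat matches
# (the posted route-map is cut off after "permit 10").
ACL_TEXT = """\
access-list 120 permit ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 deny ip 10.43.2.0 0.0.0.255 10.43.1.0 0.0.0.255
access-list 130 permit ip 10.43.2.0 0.0.0.255 any
access-list 130 permit ip 192.168.103.0 0.0.0.255 any
"""

# Stand-in for the masked Serial0/0 address 207.x.y.22 in the post
# (assumption: any address outside the two LAN ranges behaves the same).
SERIAL0_ADDR = "207.0.0.22"
LAN_SECONDARY_ADDR = "10.43.2.1"    # FastEthernet0/0 secondary address

@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: Tuple[str, str]        # (address, wildcard)
    dst: Tuple[str, str]

def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def _take_addr(toks: List[str]) -> Tuple[Tuple[str, str], List[str]]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_acls(text: str) -> Dict[str, List[Ace]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines, grouped by number."""
    acls: Dict[str, List[Ace]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "access-list" or parts[3] != "ip":
            raise ValueError("only extended 'ip' entries are modelled: " + line)
        src, rest = _take_addr(parts[4:])
        dst, rest = _take_addr(rest)
        acls.setdefault(parts[1], []).append(Ace(parts[2], src, dst))
    return acls

def acl_result(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    for ace in acl:
        if wildcard_match(src, *ace.src) and wildcard_match(dst, *ace.dst):
            return ace.action
    return "deny"

ACLS = parse_acls(ACL_TEXT)

def classify(src: str, dst: str, acls: Dict[str, List[Ace]] = ACLS) -> Tuple[bool, bool]:
    """For a packet leaving Serial0/0 return (enters the IPsec tunnel, is NATed).
    Permitted by ACL 120 means 'interesting' to crypto map nolan; permitted by
    ACL 130 means route-map nonat hands it to NAT.  A packet that is neither is
    forwarded unchanged along the default route."""
    encrypted = acl_result(acls["120"], src, dst) == "permit"
    natted = acl_result(acls["130"], src, dst) == "permit"
    return encrypted, natted

if __name__ == "__main__":
    for label, src in (("default source (Serial0/0)", SERIAL0_ADDR),
                       ("extended ping, source", LAN_SECONDARY_ADDR)):
        enc, nat = classify(src, "10.43.1.5")
        print(f"{label} {src} -> 10.43.1.5: tunnel={enc} nat={nat}")
```

The caveat worth keeping in mind when reading the output: a crypto map does not fail closed. Traffic that misses the crypto ACL is not dropped, it is routed normally and unencrypted, so a source-address mismatch like the one in this thread shows up as "it doesn't go through the tunnel" rather than as an error, and a TACACS+ exchange sourced from the wrong address would leave the router in the clear.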
Re: Catalyst 6500 Alteon [7:10895]
You need to worry about native VLANs if you're doing 802.1q trunking. It is trying to talk CDPv2 to the Alteons and probably expecting something back. Just turn off CDP since you won't need it with Alteons anyway. At least I don't think so, unless Alteons do 802.1q trunking. If they do, then it probably expects native VLAN 1 or something. Make sure your trunk to the device is on VLAN 1 or whatever the Alteon is set to. Turn off trunking, change the port VLAN to 1, and then turn trunking back on.

Michael Le, CCIE #6811

--- Ralph Filippelli wrote:

I am receiving an error message on my Cat 6500: %CDP-4-NVLANMISMATCH: Native vlan mismatch detected. It is connected to an Alteon AD2. Any ideas? Thanks
Re: network security issue [7:9556]
Implement soft security tokens. They work like the hard SecurID tokens, but you have to install them on all the machines and have an AAA server to authenticate them.

Michael Le, CCIE #6811

--- Jim Bond wrote:

Hello, my client is a Cisco shop and they have many offices all over the world. They want to make sure that only authorized persons can connect to their network. Their concern is that someone may just walk into one of their offices, plug in a laptop, and then be on their network. How can we prevent this? The only thing I can think of is to create a MAC database and implement security on the 6509 switches. But to create and manage tens of thousands of MAC addresses is a pain. Is there any other way? Thanks in advance.

Jim
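What a soft token and its AAA-side check actually compute, as an added example that is not part of the post: SecurID's own algorithm is proprietary and not described here, so this uses the open HOTP (RFC 4226) and time-based TOTP (RFC 6238) constructions that software tokens commonly implement. The token derives a short code from a per-device secret and a moving factor (a counter, or the current 30-second time step); the server holds the same secret and recomputes the code, so the secret never crosses the wire, and a code a sniffer captures is only good for one step. The TokenVerifier class, its one-step clock-drift allowance and the demo secret (the RFC 4226 test-vector key, never to be used for real) are assumptions of this illustration.

```python
"""HOTP (RFC 4226) / TOTP (RFC 6238) software token and server-side verifier.
Added illustration; not SecurID's proprietary algorithm."""
import hashlib
import hmac
import struct
import time

# RFC 4226 Appendix D test-vector secret.  A real deployment generates a
# random per-token secret at enrolment; this fixed one is for the demo only.
DEMO_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, now // step, digits)

class TokenVerifier:
    """Server-side state for one enrolled token.  Accepts one time step of
    drift either way, and never accepts a step at or before the last one it
    accepted, so a code captured off the wire cannot be replayed inside its
    validity window."""

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for delta in range(-self.drift, self.drift + 1):
            candidate = current + delta
            if candidate <= self.last_accepted_step:
                continue        # already consumed, or older than one that was
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_accepted_step = candidate
                return True
        return False

if __name__ == "__main__":
    now = int(time.time())
    token_code = totp(DEMO_SECRET, now)           # what the soft token displays
    server = TokenVerifier(DEMO_SECRET)           # what the AAA server holds
    print("first use accepted:", server.verify(token_code, now))
    print("replay accepted:   ", server.verify(token_code, now + 5))
```

The replay check is the part a plain "recompute and compare" implementation leaves out, and it is what makes the token stronger than a sniffed static password over a dial-up or wireless link: the server remembers the last step it consumed and refuses anything at or before it.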
Re: PIX static address translation updated [7:8090]
Have you allowed pings through the PIX?

--- Gary Crouch wrote:

Config as below. Address translation unable to pass traffic to server farm. Have static and conduits configured. Added static route on firewall to internal router. Have static routes on internal router to ISP router; also have routes on servers.

Internet router---Outside int-PIX---Inside int---Internal router---ISP router---Server farm
                                                       |
                                                Internal networks

I can ping the server farm from the PIX inside interface.
I can ping the PIX inside interface from the server farm.
Cannot ping server farm from outside network; tracert from outside traces to ISP router and then drops out.
Can ping and access conduited servers on internal networks.
Can ping ISP router from internal router but can ping servers.
Can ping and access server from internal network.
Can ping internal network from server farm; a tracert from server farm hangs at ISP router, alt-c causes trace to complete.

What am I missing?? Thanks for your help.
Re: BGP multi-homed load sharing/balancing and redundancy [7:2107]
If you're not running BGP to ISP2 yet and you have a default route in there, it will take precedence over the BGP routes to ISP1. So, you will end up only using the FT3 link. When you get BGP running to ISP2, in step two, then things will work fine.

Michael Le, CCIE #6811

--- Kim Seng wrote:

Everyone, I currently have two T1s to ISP1 and a fractional T3 to ISP2. I am using static and default routes to connect them to the Internet. There is no automatic fail-over, as you know. Therefore, I am changing our ISPs but keeping the BW the same: two T1s to ISP1 and an FT3 to ISP2, and I would like to run BGP-4 at this time with multihomed load sharing and load balancing across these 3 links. This will be a two-step upgrade:

1. Run BGP load sharing/balancing across the two T1 links to ISP1. Can I do this while the FT3 link is still up and running with a default route to ISP2? In other words, can I do load sharing/balancing and redundancy at this step across these three links? (BGP via T1s to ISP1 and FT3 default route to ISP2)

2. The second step is changing the fractional T3 from a default route to running BGP and doing load sharing, balancing and redundancy across these three links.

Can these be done, and what would be the appropriate steps? Many thanks in advance.

Kim.
Re: ADSL Splits off a 4KHz Region
I think it refers to the fact that voice runs at 3 kHz or thereabouts in the spectrum. ADSL runs higher than that so they don't interfere with each other. That's why you can surf and talk on the phone at the same time. But you still need a splitter to send traffic from your phone line to either the phone or the DSL CPE.

Michael

--- [EMAIL PROTECTED] wrote:

Can someone explain the following statement to me? "ADSL splits off a 4 kHz region for basic telephone service at the DC end of the band." I do not understand what they mean by "splits off" (how?). I do not understand "at the DC end of the band". TIA, Jess
Re: Any magazine about routers and networks??
Network Magazine is great. It's free too if you fill out the standard forms. You can find them online too at http://www.networkmagazine.com/.

Michael Le, CCIE #6811 (RS)

--- xzadio wrote:

Do you know any good magazine about network technology and routers or switches??? Many thanks, xzadio
Re: Good book on Catalyst Switches
Cisco LAN Switching, Cisco Press, by Kennedy Clark and Kevin Hamilton.

Michael

--- Jon Krabbenschmidt wrote:

Hi All! I am looking for your recommendations on (some) good book(s) on Catalyst switches. I have several 4000 and 5000 switches and want to get to know them better, in addition to preparing for exams. All input greatly appreciated. Jon
Re: CCIE salary
That's a pretty broad stroke you're painting. The CCIE is great, but the other certs can get you very good paying jobs, especially if you have good experience with them. I made very good money as a CCNP, a lot more than what was quoted to you - $65K. And I live in a city that has a very low cost of living. I have at least 5 CCNP friends making just about the same. None of us are sys admins. Now that I'm a CCIE, it is indeed a lot easier to ask for more, but I wouldn't skip the CCNP and go straight for the IE. The NP gives you the incremental raises as you work your way up to the IE. It would suck to get 7% per year for 2-3 years as you tried for the #. The NP gets you more.

--- Gayathri wrote:

Thanks for all the varying thoughts. It is good to hear first-hand information from like-minded people rather than to visit some recruiters'/head hunters' web sites and make wild guesses. It looks like CCIE is the ultimate. These middle-level certificates only land you in a sys admin job..

"Mask Of Zorro" wrote in message news:[EMAIL PROTECTED]...

The DC market rate for CCIEs is around $125. This varies with how long you have been a CCIE and what else you know... Z

From: Stephane Wantou Siantou
Subject: CCIE salary
Date: Wed, 21 Feb 2001 00:40:02 -0500 (EST)

Hi everybody, does anybody know approximately what the average CCIE makes in the DC area? Thanks
Re: Creating Multiple Interfaces on an Ethernet Port
You can add IPX addresses to it, so it doesn't seem to be an issue of layer 3 addresses. I think it's just a matter of Cisco IOS supporting it.

Michael

--- Kenneth wrote:

Try adding an IP address to it.

"Tim Lovelace" wrote in message news:[EMAIL PROTECTED]...

This seems to be incorrect. I tried this on a router I had spare and below are the results. It may be a newer feature; I am too lazy to look on CCO. Tim

Router2#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-I-M), Version 12.0(15), RELEASE SOFTWARE (fc1)
Router2#config t
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#int e0/0
Router2(config-if)#int e0/0.1
Router2(config-subif)#
00:01:29: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to up
Router2(config-subif)#^Z
Router2#sh run
interface Ethernet0/0
 ip address 10.10.10.1 255.255.255.128
 no ip directed-broadcast
!
interface Ethernet0/0.1
 no ip directed-broadcast
!

-Original Message-
From: Brian
Sent: Monday, February 19, 2001 9:29 PM
To: Chris Wornell
Subject: Re: Creating Multiple Interfaces on an Ethernet Port

The only way you can create sub-interfaces on Ethernet is to use dot1q or ISL encapsulation on a FastEthernet interface (VLANs). Brian

On Mon, 19 Feb 2001, Chris Wornell wrote:

Hello, I've found out you can't create multiple interfaces on an Ethernet port, apparently. I was wondering why this is exactly? I know you can accomplish the same on serial lines using PVCs, but it seems odd you can't do it on Ethernet. I know there are Ethernet-only networks, and the ip secondary command doesn't seem right compared to creating a new interface.

Chris Wornell
Technical Support
MM Internet
http://mminternet.com
888-654-4971
CCNA, CCDA, CSE

---
I'm buying used CISCO gear!! email me for a quote
Brian Feeny  e:[EMAIL PROTECTED]
CCNP+Voice/ATM/Security  p:318.222.2638x109
CCDP  f:318.221.6612
Network Administrator, ShreveNet Inc. (ASN 11881)
Re: OSPF config
Routes that have their next hop as Null0 will be distributed. The second Null0 seems to be redundant since it means 'match either interface Null0 or interface Null0'. The only reason I can see this being used is if you're advertising a summary route to your neighbors.

Michael

--- Jon Kuhn wrote:

Hi all, there's a route map for an OSPF configuration I'm working on that has a line:

match interface Null0 Null0

Does this mean match any interface or no interface? I can't get any information from Cisco. Thanks! Jon

Jon Kuhn
IGNYTE Technology, Inc.
3226 Scott Boulevard, Santa Clara, California 95054
phone 408.350.2600 ext. 335  fax 408.350.2601
www.ignyte.com
Re: 2 default routes on PIX???
To extend this line of thought - if you had another 2600 inside the PIX, could you point two default routes through the PIX to the other routers? I don't think there is a way to run two HSRP groups in this case for redundancy, but we could have the two 2600 Internet routers point to each other as backup. This would add an extra hop if one were to go down, but it might be better than spending money on another router. Michael --- Paul Lalonde [EMAIL PROTECTED] wrote: Cory, I'm afraid the PIX does not support load balancing (or multiple default routes). You'll need an intermediary router (in-between) to handle the load-balancing. Paul "Stull, Cory" [EMAIL PROTECTED] wrote in message news:0D7A05A19CE4D211BD050008C7330FE7259076@CCUPDC... Scenario: 2 2600 routers both with T1's to the same ISP. 1 PIX firewall between internal lan and the 2 2600's. Can I have 2 default routes in the PIX pointing one to one 2600 and the other to the other 2600? If so is this doing per packet load balancing? and what happens when one T1 goes down? I would have set this up in a lab to test it but don't have a PIX. I don't know if a router and PIX would do the same thing. Thanks in advance. Cory
Firewall design question (was Re: Does a PIX Route)
to not allow a firewall to run routing protocols, could someone give me advice on how to set up my proposed redundant firewalls. Please refer to my ugly ASCII network.

     [BGP]---[BGP]
       |       |
   --[PIX]---[PIX]--
   |   ||     ||   |
   | [ A ]---[ A ] |
   |   ||     ||   |
   --[CPT]---[CPT]--
       |       |
     [ B ]---[ B ]

I plan to have two failover PIXs right behind two BGP routers to the Internet. On the inside of the PIXs I have one connection going to Network A and another going to Network B. But right in front of Network B (critical production network), I have a load balancing set of Checkpoint firewalls. The Checkpoints are connected to both Network A and B. I want it done so that the Checkpoint will forward data to A when destined there and send all other packets to the PIX. However, if the Checkpoint's link to the PIX goes down, I want it to be able to send traffic through network A and through the PIX from there. I want it to work the other way around for the PIX going to network B. My question is, how would I do that if the firewalls don't run a routing protocol? Do the PIXs allow for floating statics? Thanks for your help. Michael
Re: Does a PIX Route (was Re: Firewalls and VPNs)
Is there any good reason why the PIX doesn't route? Why it doesn't run OSPF? A Checkpoint firewall running on a Solaris box would be able to run OSPF or something, right? Why not a PIX? Michael --- anthony kim [EMAIL PROTECTED] wrote: Does your pix have a default route? Does your pix forward packets between subnets? Logically, then, the pix routes. Call it what you will, when forwarding between disparate networks, you route. I suppose cisco misunderstands the term "route" too. http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v42/pix42cfg/pix42apa.htm#xtocid88422 Here's from Cisco: route Command The following are the extensions to the route command: The routing table has been improved to let you specify the IP address of a PIX Firewall interface in the route command. If the route command statement uses the IP address from one of the PIX Firewall unit's interfaces as the gateway IP address, PIX Firewall will ARP for the destination IP address in the packet instead of ARPing for the gateway IP address. PIX Firewall also does not accept duplicate routes with different metrics for the same gateway. In version 5.1(1), the CONNECT route entry is supported. (This identifier appears when you use the show route command.) The CONNECT identifier is assigned to an interface's local network and the interface IP address, which is in the IP local subnet. PIX Firewall will use ARP for the destination address. The CONNECT identifier cannot be removed, but changes when you change the IP address on the interface. You can now enter duplicate route command statements with different gateways and metrics. You can now enter static route command statements with virtual subnets; for example: route outside 10.2.2.8 255.255.255.248 192.168.1.3 route outside 10.2.2.8 255.255.255.255 192.168.1.1 --- Jason [EMAIL PROTECTED] wrote: As someone said yesterday: The PIX will not route, period. It will NAT (including NAT 0), but it will not route packets between different networks. 
If you need routing off any interface on a PIX, you need a router there. -- Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+ List email: [EMAIL PROTECTED] Homepage: http://jason.artoo.net/ Cisco resources: http://r2cisco.artoo.net/ "anthony kim" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]... A device can best be described by its chief function. You can use a PIX as a router, just allow everything through. In fact you can use a router as a firewall, be selective with access lists. Terminology is flexible as long as you're pragmatic about function. On Fri, Feb 16, 2001 at 10:52:06AM -0800, Dan West wrote: PIX - sounds like a router to me - packet forwarding based on layer 3 addressing. It has extra security features and all of a sudden it's a firewall...marketing fluff? or accurate description??? who will uncover this mystery ; --- mtieast [EMAIL PROTECTED] wrote: I think this comes from the fact that Cisco instructors in class say that the PIX is not a router. I have heard this as well when I had the class. I know the PIX is not a router, but does it route? Well, if making decisions about where to send traffic based on layer 3 info is routing then I would argue it does route. It does not forward traffic based on layer 2 info so .. It routes traffic to the appropriate interface. Can someone else shed some light as to why this is said. If it doesn't route the traffic it receives what does it do? -Original Message- From: haroldnjoe [EMAIL PROTECTED] Newsgroups: groupstudy.cisco To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: Friday, February 16, 2001 12:41 PM Subject: Firewalls and VPNs I've read here a couple of times that PIX's don't route. Period. In light of this I'm left a little confused as to a proposed network map I was given recently. The core layer router is a 3640 linking all of our branch offices together. From the 3640, there is an ethernet connection to a PIX 515R. 
From the PIX, there is another ethernet connection to a 1750 router. The 1750 connects via T1 to our ISP. There is yet another ethernet connection from the PIX to the isolation lan, on which resides an internet mail/web server and a VPN 3000 concentrator. If PIX's don't route, what subnet is the isolation lan going to sit on? As I understand it, the PIX will be providing NAT functionality for the 3640 and everything behind it. So I would assume that the T1 and ethernet interfaces on the 1750, the outside interfaces on the PIX, and everything in the
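What the PIX in the network above would need in order to move packets between the 3640, the 1750 and the isolation LAN, as an added example that is not part of the thread or of Cisco's documentation. Addresses, interface names and PIX 6.x access-list syntax are assumed, the branch networks behind the 3640 are summarised as 10.1.0.0/16, and the isolation LAN gets its own subnet on a third, medium-security interface. Because the PIX runs no routing protocol, every destination it must reach is a static route; the security work is done by the statics and the single inbound access list.

```cisco
: Added example, not from the thread. Assumed: PIX 6.x syntax; outside is
: 203.0.113.0/29 toward the 1750, inside is 10.0.0.0/24 toward the 3640,
: dmz is 192.168.100.0/24 for the isolation LAN (mail/web server .10, VPN
: 3000 public side .20); branch networks summarised as 10.1.0.0/16.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.100.1 255.255.255.0
:
: No routing protocol, so each destination is a static: the default points
: at the 1750 and the branch summary points back at the 3640.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.1.0.0 255.255.0.0 10.0.0.2 1
:
: Inside hosts are PATed to the outside address when going out, and to a
: small dmz pool when talking to the isolation LAN (on this software even
: higher-to-lower security traffic needs a translation).
global (outside) 1 interface
global (dmz) 1 192.168.100.200-192.168.100.254
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.100.0 255.255.255.0 0 0
:
: Fixed public addresses for the two isolation-LAN hosts.
static (dmz,outside) 203.0.113.3 192.168.100.10 netmask 255.255.255.255 0 0
static (dmz,outside) 203.0.113.4 192.168.100.20 netmask 255.255.255.255 0 0
:
: Only the published services are reachable from the Internet; anything
: else inbound, and anything from the dmz toward inside, hits the implicit
: deny because no static and no access list permit it.
access-list outside_in permit tcp any host 203.0.113.3 eq smtp
access-list outside_in permit tcp any host 203.0.113.3 eq www
access-list outside_in permit udp any host 203.0.113.4 eq isakmp
access-list outside_in permit esp any host 203.0.113.4
access-group outside_in in interface outside
```

The isolation LAN therefore sits on a subnet of its own (192.168.100.0/24 here) that exists only behind the dmz interface; a compromised mail server on it can reach the Internet through its translation but cannot open a connection toward the inside network, which is the property the three-interface layout buys.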
Re: VLAN routing
Outbound access-lists on each sub-interface, blocking other VLANs and allowing everything else. Michael --- Moiz Badr [EMAIL PROTECTED] wrote: Hi all, What is the best way to prevent a router on a stick from routing between VLANs, I have to route the VLANs traffic only to the Internet while keeping each VLAN intact and isolated for security reason. Thanks. Mo
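A router-on-a-stick configuration with the isolation described above, added as an example that is not part of the original posts. Interface names, VLAN numbers and subnets are assumed. The access lists here are applied inbound on each sub-interface so a packet is dropped before the route lookup; applying the mirror-image lists outbound, as suggested in the reply, isolates the VLANs equally well.

```cisco
! Added example, not from the thread. Assumed: FastEthernet0/0 is the
! 802.1Q trunk to the switch, FastEthernet0/1 leads to the Internet, and
! VLANs 10, 20 and 30 use the subnets below.
!
! One ACL per VLAN: deny anything bound for the other VLANs (including the
! router's own addresses there), then permit the rest, which in this design
! can only be the Internet path. The final permit names the VLAN's own
! subnet as source, so a host cannot send with a spoofed source from another
! VLAN either; everything else falls to the implicit deny.
ip access-list extended VLAN10-IN
 remark VLAN 10: no inter-VLAN traffic, Internet only
 deny   ip any 192.168.20.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
ip access-list extended VLAN20-IN
 remark VLAN 20: no inter-VLAN traffic, Internet only
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.30.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 any
!
ip access-list extended VLAN30-IN
 remark VLAN 30: no inter-VLAN traffic, Internet only
 deny   ip any 192.168.10.0 0.0.0.255
 deny   ip any 192.168.20.0 0.0.0.255
 permit ip 192.168.30.0 0.0.0.255 any
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group VLAN10-IN in
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.20.1 255.255.255.0
 ip access-group VLAN20-IN in
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.30.1 255.255.255.0
 ip access-group VLAN30-IN in
```

The isolation is a layer 3 property of the router only: hosts in the same VLAN still reach each other directly through the switch, and a host that can get itself onto another VLAN's ports bypasses these lists entirely, so the switch-side trunk and port configuration still has to be locked down.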
RE: DISTURBING: Spanning Tree Protocol Does not Work.
Hi Pierre, You still need to finish setting up trunking on the 2924XL to see if my theory is correct. The two Catalysts on the segment between Port B on the C1912 and Fa0/21 on the 2924XL don't seem to be talking. So Port B shows that it knows who the root bridge is, but it shows itself as the designated bridge since it sees itself as the only switch on that segment and thus the only way to get to the root. One thing I still can't explain is why Port A on the C1912 shows the root cost as being 0. It should be 0 only if it sees itself as the root, but it doesn't because it shows the proper MAC address. Anyways, give that a shot and let's see where it goes. Michael --- Pierre-Alex [EMAIL PROTECTED] wrote: Hi Leigh Anne and others: Leigh Anne, I hope you did not lose sleep over this problem. At 8:30 PM after a full day on this problem I went to sleep and crashed. So here we are again: You discovered correctly that PORT A is connected to f0/20 and PORT B to f0/21. ALL those ports are part of VLAN 1 (see output below). And all the ports are in forwarding mode and the lights on the switch are glowing GREEN! (see below the span tree) Someone suggested the presence of an etherchannel configured by default. 
I will look into this and will let you know. Pierre-Alex

Interface Fa0/20 (port 22) in Spanning tree 1 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 32768, address 0050.3ef0.3580
   Designated bridge has priority 32768, address 0050.3ef0.3580
   Designated port is 22, path cost 0
   Timers: message age 0, forward delay 0, hold 0
   BPDU: sent 73253, received 5

Interface Fa0/21 (port 23) in Spanning tree 1 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 32768, address 0050.3ef0.3580
   Designated bridge has priority 32768, address 0050.3ef0.3580
   Designated port is 23, path cost 0
   Timers: message age 0, forward delay 0, hold 0
   BPDU: sent 73251, received 3

VLAN Name     Status   Ports
---- -------- -------- ------------------------------------------------
1    default  active   Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/10,
                       Fa0/11, Fa0/12, Fa0/13, Fa0/14, Fa0/15, Fa0/17,
                       Fa0/18, Fa0/19, Fa0/21, Fa0/22, Fa0/23
2    VLAN_A   active   Fa0/9, Fa0/16, Fa0/24
3    VLAN_B   active   Fa0/1, Fa0/8

Port FastEthernet 0/26 of VLAN1 is Forwarding
   Port path cost 10, Port priority 128
   Designated root has priority 32768, address 0050.3EF0.3580
   Designated bridge has priority 32768, address 0050.3EF0.3580
   Designated port is 22, path cost 0
   Timers: message age 20, forward delay 15, hold 1

Port FastEthernet 0/27 of VLAN1 is Forwarding
   Port path cost 10, Port priority 128
   Designated root has priority 32768, address 0050.3EF0.3580
   Designated bridge has priority 32768, address 0050.50E2.42C0
   Designated port is 27, path cost 10
   Timers: message age 20, forward delay 15, hold 1

Pierre-Alex -Original Message- From: Leigh Anne Chisholm [mailto:[EMAIL PROTECTED]] Sent: Wednesday, February 14, 2001 1:29 AM To: Pierre-Alex; Cisco Groupstudy (E-mail) Cc: Dale Cunningham Subject: RE: DISTURBING: Spanning Tree Protocol Does not Work. Okay, here's the gist of things. 
The Catalyst 2924XL is the root bridge:

C2924XL#sh span
Spanning tree 1 is executing the IEEE compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0050.3ef0.3580
  Configured hello time 2, max age 20, forward delay 15
  We are the root of the spanning tree

Port 0/26 on the Catalyst 1912 is identifying "Port 22" as the "designated port":

Port FastEthernet 0/26 of VLAN1 is Forwarding
   Port path cost 10, Port priority 128
   Designated root has priority 32768, address 0050.3EF0.3580
   Designated bridge has priority 32768, address 0050.3EF0.3580
   Designated port is 22, path cost 0
   Timers: message age 20, forward delay 15, hold 1

Port 22 is port 0/20 on the Catalyst 2924XL switch:

Interface Fa0/20 (port 22) in Spanning tree 1 is FORWARDING
   Port path cost 19, Port priority 128
   Designated root has priority 32768, address 0050.3ef0.3580
   Designated bridge has priority 32768, address 0050.3ef0.3580
   Designated port is 22, path cost 0
   Timers: message age 0, forward delay 0, hold 0
   BPDU: sent 46897, received 5

We can deduce that FastEthernet 0/26 on the 1912 switch is directly connected to FastEthernet 0/20 on the 2924XL switch. Note that FastEthernet
Re: DISTURBING: Spanning Tree Protocol Does not Work.
Could you send a config for both switches? How about a fuller show spantree? A show port on the two ports? Maybe this is caused by some half-duplex/full-duplex issue... though I can't rationalize that explanation. The fact that one port shows the switch as being the root bridge and the other port pointing outwards is getting me. Also, who is MAC 0050.50E2.42C0? Michael --- Pierre-Alex [EMAIL PROTECTED] wrote: Or I am really dumb. I have two switches, a Cisco 2924XL-EN and a Cisco 1912-EN. I have set up port A and port B of the 1912 switch to do ISL trunking with the 2924XL. This situation should have created a loop and the Spanning Tree protocol should have disabled port B (I have set up the 2924XL to be the root). Instead I am getting the following output, with both port A and B in the forwarding mode (see below). So either the Spanning Tree protocol did not do its job (with due respect to its creator), or the trunking ports are not part of the spanning tree calculation, or I am really dumb and I missed something in the story. Any comment?

DISL state: On, Trunking: On, Encapsulation type: ISL
C1912#sh trunk b
DISL state: On, Trunking: On, Encapsulation type: ISL

Port FastEthernet 0/26 of VLAN1 is Forwarding
   Port path cost 10, Port priority 128
   Designated root has priority 32768, address 0050.3EF0.3580
   Designated bridge has priority 32768, address 0050.3EF0.3580
   Designated port is 22, path cost 0
   Timers: message age 20, forward delay 15, hold 1

Port FastEthernet 0/27 of VLAN1 is Forwarding
   Port path cost 10, Port priority 128
   Designated root has priority 32768, address 0050.3EF0.3580
   Designated bridge has priority 32768, address 0050.50E2.42C0
   Designated port is 27, path cost 10
   Timers: message age 20, forward delay 15, hold 1

Pierre-Alex
RE: DISTURBING: Spanning Tree Protocol Does not Work.
The 2924XL doesn't have trunking configured on Fa0/21, while it is configured on Fa0/27 of the C1912 it is connected to. I would have thought this would cause baby giant errors on 2924XL's Fa0/21, but it doesn't look like there are any. But anyways, try to set it up and see if that works. The C1912 'show spantree' output still doesn't look right. I don't know why the C1912 shows the root port as having a cost of 0 instead of 10. Michael --- Pierre-Alex [EMAIL PROTECTED] wrote: Hi Yonkerbonk, As you requested, I did a show interface on the ports that are used on both switches. Regards,

- on THE 1912 --

C1912#sh int f 0/26
FastEthernet 0/26 is Enabled
Hardware is Built-in 100Base-TX
Address is 0050.50E2.42DA
MTU 1500 bytes, BW 10 Kbits
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description:
Duplex/Flow Control setting: Auto-negotiate
Auto-negotiation status: Full duplex
Enhanced Congestion Control: Disabled

Receive Statistics                       Transmit Statistics
-----------------------------------      -----------------------------------
Total good frames             45739      Total frames                   8243
Total octets                4758190      Total octets                 935475
Broadcast/multicast frames    45687      Broadcast/multicast frames     8206
Broadcast/multicast octets  4752684      Broadcast/multicast octets   930237
Good frames forwarded         27228      Deferrals                         0
Frames filtered               18511      Single collisions                 0
Runt frames                       0      Multiple collisions               0
No buffer discards                0      Excessive collisions              0
Queue full discards               0
Errors:                                  Errors:
FCS errors                        0      Late collisions                   0
Alignment errors                  0      Excessive deferrals               0
Giant frames                      0      Jabber errors                     0
Address violations                0      Other transmit errors             0

C1912#sh int f 0/27
FastEthernet 0/27 is Enabled
Hardware is Built-in 100Base-TX
Address is 0050.50E2.42DB
MTU 1500 bytes, BW 10 Kbits
Port monitoring: Disabled
Unknown unicast flooding: Enabled
Unregistered multicast flooding: Enabled
Description:
Duplex/Flow Control setting: Auto-negotiate
Auto-negotiation status: Full duplex
Enhanced Congestion Control: Disabled

Receive Statistics                       Transmit Statistics
-----------------------------------      -----------------------------------
Total good frames              4788      Total frames                  28073
Total octets                 366300      Total octets                2553093
Broadcast/multicast frames     4788      Broadcast/multicast frames    28064
Broadcast/multicast octets   366300      Broadcast/multicast octets  2552388
Good frames forwarded          4788      Deferrals                         0
Frames filtered                   0      Single collisions                 0
Runt frames                       0      Multiple collisions               0
No buffer discards                0      Excessive collisions              0
Queue full discards               0
Errors:                                  Errors:
FCS errors                        0      Late collisions                   0
Alignment errors                  0      Excessive deferrals               0
Giant frames                      0      Jabber errors                     0
Address violations                0      Other transmit errors             0
C1912#

ON THE 2924XL

sh int f 0/1
FastEthernet0/1 is up, line protocol is up
  Hardware is Fast Ethernet, address is 0050.3ef0.3581 (bia 0050.3ef0.3581)
  MTU 1500 bytes, BW 1 Kbit, DLY 1000 usec, rely 255/255, load 1/255
  Encapsulation ARPA, loopback not set, keepalive not set
  Duplex setting unknown, Unknown Speed, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:31, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Queueing strategy: fifo
  Output queue 0/40, 0 drops; input queue 0/75, 0 drops
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 1 packets/sec
     30444 packets input, 5042703 bytes, 0 no buffer
     Received 20759 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 watchdog, 8294 multicast
     0 input packets with dribble condition detected
     100788 packets output, 3850388 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 babbl
Re: Are Traditional Routing Protocols going to DIE
I'm not sure increased bandwidth would affect routing policy. That's an interesting question though. As far as the granularity of the delay formula, they will probably do the same as they did with calculating Spanning-Tree path costs. With the old calculations (1000MB/Bandwidth), Fast Ethernet would be 10 (1000/100) and anything a Gig or higher would be 1 or fractional. So they instituted non-linear numbers such as a cost of 19 for a 100MB link and 4 for a 1 GB link and 2 for a 10 GB link. I would like to hear discussions about the first part of the question though. Michael --- Santosh Koshy [EMAIL PROTECTED] wrote: With new emerging technologies like (Gig Eth, 10 Gig Eth, etc.), I am beginning to wonder how scalable or well suited today's routing protocols (OSPF, IGRP, EIGRP, etc.) are to manage them effectively. I stumbled across something while reading about delay calculations on an IGRP / EIGRP network... maybe you guys can help. The bandwidth component of a metric is calculated by dividing 10,000,000 by bandwidth in Kbps.

Eth = 10,000,000 / 10,000 = 1000
Fast Eth = 10,000,000 / 100,000 = 100
Gig Eth = 10,000,000 / 1,000,000 = 10
10 Gig Eth = 10,000,000 / 10,000,000 = 1
New Fangled Eth (not yet invented) = 10,000,000 / 100,000,000 = 0.1

As you can see delay will be calculated in thousands of microseconds and we end up getting fractional numbers. I highly doubt IOS can use fractional numbers to calculate delay. Are today's routers capable of making such calculations with an easy IOS upgrade? Thanks, Santosh Koshy
Load Balancing Advice
[MCI][Cat5K w/RSM][UUNet] | Internal LAN I have a client with two Internet routers running BGP multihomed to the ISPs, MCI and UUNET. Inbound traffic to their AS is pretty much balanced between MCI and UUNET. On the inside however, where MCI and UUNET connect into a Cat5K, the MCI is the HSRP active router and thus handles most of the outbound traffic. The client wants to load balance outbound traffic between the two. So when the client recently added an RSM to the Cat5K, I proposed to remove HSRP totally and run OSPF so that the RSM sees two equal-cost default routes to the routers. My question is, can you run default-information originate on two routers? And would that work in this scenario? Thanks. Michael
Re: CCIE Recertification UPDATE (Networkers not needed anymore)
That means we have no more excuses to tell our managers we need to go to New Orleans or Vegas. :) Michael --- Brad Ellis [EMAIL PROTECTED] wrote: Thanks to Mr. Zudal, CCIEs are no longer required to attend Networkers to recert for their CCIE status. -Brad Ellis CCIE#5796 Cisco Hardware: www.optsys.net From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, February 08, 2001 12:19 PM To: szudal@ Subject: CCIE Recertification Changes Dear CCIE, In 1997, we introduced the CCIE recertification program. At that time there were two requirements: attend 5 CCIE-level sessions at Networkers and successfully complete a CCIE recertification exam every two years. In response to your feedback, we have decided to drop the Networkers session requirement for recertification. We will still have CCIE-level sessions at selected Networkers, however effective February 1, 2001, attendance will no longer be mandatory for recertification. All CCIE recertification deadlines will remain the same. Effective February 1, 2001, a CCIE will be required to successfully complete one CCIE recertification exam every two years in accordance with your current deadline. As part of this program update, we will no longer be issuing recertification certificates. Exam results are downloaded automatically into the CCIE database. When the CCIE team receives your successful exam result, an email notification will be sent to you verifying your recertification status. If you have any questions, please write to [EMAIL PROTECTED] Good Luck with your CCIE recertification! Regards, CCIE Team
Re: Token Ring White Paper
I originally found it on ccprep.com and it's still there. So check that out under Resources. Michael --- Hal White [EMAIL PROTECTED] wrote: Several people have asked me where I got the Token Ring white paper that I used to study for the CCIE written. I got the paper from www.certificationzone.com when it was free for download a few months ago. Unfortunately, it is not free this month. If you have a membership you should definitely read this white paper. If you are not a member then go to their site and decide if it is worth spending the money. I was not a member, but others on the list have said it was a good investment. Caslow's book and the exam cram both have chapters about bridging and token ring that are also helpful although they do not explain it as well and as clearly as the white paper on certification zone. There is another document about Token Ring that is also helpful which can be found at http://www.groupstudy.com/notes/notepages/rif2.html I hope this helps everyone who is preparing for the CCIE Written. Hal
Re: Load Balancing Advice
There is BGP running on the Internet routers and they have their own AS. So now that I know default-information originate is the way to go, can it be put on two routers on the same segment at the same time? And also, since the command requires the router to have a default route itself, should I put in a static route pointing towards the ISP peer? Would this be counter-productive since I'm taking in so many BGP routes already? I don't want to use the 'always' parameter because what if my link goes down. I don't want to rely on icmp redirect to point back to the other Internet router. Thanks for your advice. Michael --- "Howard C. Berkowitz" [EMAIL PROTECTED] wrote: [MCI][Cat5K w/RSM][UUNet] | Internal LAN I have a client with two Internet routers running BGP multihomed to the ISPs, MCI and UUNET. Inbound traffic to their AS is pretty much balanced between MCI and UUNET. On the inside however, where MCI and UUNET connect into a Cat5K, the MCI is the HSRP active router and thus handles most of the outbound traffic. The client wants to load balance outbound traffic between the two. So when the client recently added an RSM to the Cat5K, I proposed to remove HSRP totally and run OSPF so that the RSM sees two equal-cost default routes to the routers. My question is, can you run default-information originate on two routers? And would that work in this scenario? It's a good approach, at least for load-balancing your outgoing traffic. To have any chance of affecting incoming traffic, you need to play BGP games. Since you speak of their AS, I assume there is BGP. Default-information originate works quite well. If the Cat5K is the only layer 3 aware hop, the next caveat may not be that important, but if it feeds additional router hops, be sure that the default originated is of OSPF external type 1, not type 2, so internal reachability is considered in the interest of load balancing. 
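The setup discussed in this thread, written out as an added example that is not part of the original posts. Assumed: the two edge routers (RTR-MCI, RTR-UUNET) and the RSM share the 10.0.0.0/24 segment in OSPF area 0, and each edge router already carries 0.0.0.0/0, either learned from its eBGP peer or from a static toward the ISP's peering address. The edge routers originate the default as OSPF external type 1, as recommended above, and the RSM installs both.

```cisco
! Added example, not from the thread. Assumed addresses: RTR-MCI 10.0.0.2,
! RTR-UUNET 10.0.0.3, RSM 10.0.0.1; eBGP to each ISP already configured.
!
! --- RTR-MCI (RTR-UUNET is identical apart from its address) ---
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! Without "always" the default is advertised only while this router has
 ! one in its own table. A default learned from BGP disappears when the
 ! peering drops; a static to the peer address disappears only when the
 ! local interface goes down, so it keeps attracting traffic if the far
 ! end fails with the link up.
 ! metric-type 1 makes downstream routers add their own OSPF cost to the
 ! external metric, so a router nearer to one edge prefers that edge.
 default-information originate metric 10 metric-type 1
!
! --- RSM (interface on the same segment) ---
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 ! Both O E1 defaults arrive with the same cost, so both are installed and
 ! outbound traffic is shared per destination. IOS installs up to four
 ! equal-cost paths by default; this only states the intent explicitly.
 maximum-paths 2
```

"show ip route 0.0.0.0" on the RSM should list both edge routers as next hops; if one edge router loses its default, its advertisement is withdrawn and the RSM falls back to the remaining one without any HSRP or ICMP redirect involvement.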
RE: HSRP on my WKS subnet
Well, the 6509s will pass broadcasts and multicasts through so your hosts off each VLAN will see that. The only thing that I can think of (and I have no idea if it would work) is to run CGMP on the switch to denote which ports should and should not get the multicast traffic. Michael --- Stephen Skinner [EMAIL PROTECTED] wrote: Is there a way of blocking them? Because I thought that as long as the clients can link to the virtual address then there would be no need for the HSRP hellos (which are just for the Cats and no-one else needs to know about them) to be seen by all workstations... surely this is shoving unnecessary packets into my VLAN... or am I completely off the mark? many thanks steve From: "Brant Stevens" [EMAIL PROTECTED] Reply-To: "Brant Stevens" [EMAIL PROTECTED] To: "Stephen Skinner" [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: RE: HSRP on my WKS subnet Date: Thu, 8 Feb 2001 11:02:46 -0500 Yes, you should be seeing them... That is proper multicast behavior, and these packets would be seen for any VLAN that is running HSRP... Brant I. Stevens Internetwork Solutions Engineer Thrupoint, Inc. 545 Fifth Avenue, 14th Floor New York, NY. 10017 646-562-6540 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Stephen Skinner Sent: Thursday, February 08, 2001 8:00 AM To: [EMAIL PROTECTED] Subject: HSRP on my WKS subnet Guys, I have a slight problem... I have 2 6509s running HSRP on my comms VLAN 4; these 65s do all routing between VLANs. I have Sniffer Pro on my local workstation, VLAN 5. I am seeing multicast traffic from 224.0.0.2 which has HSRP packet headers (that are hellos) every 3 seconds. Should I be seeing these? I don't think I should; I think the only VLAN that these should be seen on is the comms VLAN 4? Answers please.. also if I am right how can I stop the HSRP hello being sent to all the other VLANs? many thanks in advance steve
Re: Help me Urgent all CCIES please !!!!!!!!!!!!!!!
What do you consider a paper CCIE? I've known some not-so-impressive CCIEs, but I don't know of any I'd consider paper. Michael --- Circusnuts [EMAIL PROTECTED] wrote: EEEKKK !!! I'd have to agree... I work with a couple of paper CCIEs. Phil CCNA Lots of hands-on, closing in on CCNP - Original Message - From: "Chris Supino" [EMAIL PROTECTED] To: "Ravi N Varma" [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Saturday, February 03, 2001 4:39 PM Subject: RE: Help me Urgent all CCIES please !!! Sounds like you may want to postpone that test, my friend. I personally believe that one of the biggest problems with our industry is paper certs. Do us all a favor and KNOW the material before you pass the exam. Just my two cents. Christopher Supino CCNA, MCSE, CNA 5, ASE Senior Systems Engineer TransNet Corp. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Ravi N Varma Sent: Saturday, February 03, 2001 12:53 PM To: [EMAIL PROTECTED] Subject: Help me Urgent all CCIES please !!! Hi there, I am having trouble getting answers for these questions. Could you please help me? I am planning to take the exam the day after; please help me out.

1. An IP datagram contains which of the following: a) ARP packet b) bits, ICMP messages, UDP/TCP data
2. Difference between TACACS and TACACS+
3. In a DLSw environment, when an all-routes explorer is sent between DLSw peers, how will it be sent: a) directed broadcast b) explorer frame, etc.
4. In an X.25 environment, if a frame error occurs, which one will reset the connection? There is a diagram: two routers separated by a serial link, one host at each end. A) Router or Host
5. Same as above but the protocol is HDLC; in this situation what will happen?
6. What is the result of sending a loop up signal to the CSU/DSU?
7. What LANE resolution protocol do all network protocols use: address to NSAP, IP address to NSAP, etc.?
8. NLSP, IS-IS: link state or distance vector?
9. When a bridge receives a frame, how will it be forwarded: to all ports, or, except disabled ports, it will forward to all ports?
10. When TACACS does not contain the user account, what will it do?
11. Frames are unable to transmit from the router through the serial link; what happens: output error, connection reset, etc.?
12. Characteristics of 4B/5B encoding in FDDI
13. What is meant by TCP slow start?
14. TACACS+ has what advantages over TACACS?

Waiting for your reply. Regards, sun
RE: Altiga Question
Make sure you have the right level of encryption running on both the VPN concentrator and your clients. I had to upgrade my Internet Explorer with the high encryption pack to make it 128-bit.

Michael

--- Dave [EMAIL PROTECTED] wrote:
Open a case with Cisco. I am working with the VPN 3000 series, but not with Win2K or the PIX. I use the Cisco client software and it works fine.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Manoj Ghorpade
Sent: Friday, January 19, 2001 12:06 AM
To: [EMAIL PROTECTED]
Subject: Re: Altiga Question

Hi Group,
Does it mean that nobody's worked on Altiga / doesn't want to share on Altiga?
Regards
Manoj Ghorpade ([EMAIL PROTECTED])

Manoj Ghorpade wrote:
Hi Group,
I'm facing problems setting up a VPN connection with Altiga and a Windows 2000 CA server (using L2TP). Can anyone advise/suggest the correct procedure for implementing the solution?

Components of my network are:
1. A Cisco Router 3640
2. A PIX Firewall 515
3. Altiga 3000 VPN Concentrator
4. Switch 2948G-L3
5. Windows 2000 Advanced Server

I run NAT on the PIX and currently have only ports 80, 443, 22 and 1352 open. I followed the procedures:
"Installing Digital Certificates on Cisco VPN 3000 Concentrator"
"Configuring the Cisco VPN 3000 Concentrator for Microsoft Windows 2000 Support"
"Using a Microsoft Windows 2000 Client to Connect to the Cisco VPN 3000 Concentrator"
All these references were downloaded from the official Cisco Web Site.

After doing these I get a protocol error: "Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

Also, from the design perspective, advise me where to keep the Certificate Server: should it be in the DMZ or running in the internal network (does it really matter?). On the Altiga, in the ESP-L2TP-TRANSPORT template, what are the settings that should be there? The error may be related to the fact that we accidentally deleted the transport template and re-added it. Also advise on how to set up the Windows 2000 Certificate Server.

Regards
Manoj Ghorpade ([EMAIL PROTECTED])
Re: BGP Reg Expressions
Your method should work, but if you want to be exact then you can filter by using ^\(65001\)_. The \ allows you to use the parentheses.

--- Katson PN Yeung [EMAIL PROTECTED] wrote:
I use a very very stupid method to do it. But it works. I found that all private AS paths cannot be identified simply by the AS number. That is, if you apply an AS-path filtering list like "sh ip bgp reg ^65001_", it will not be able to display paths beginning with 65001. I tried several methods and at last I found this: "sh ip bgp reg ^.65001._". Is this what you want?

"root" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
Hello,
Does anyone know how to tell the router to allow all AS's except for Private AS's for ingress traffic? I know that .* tells it to allow all paths, but how do I exclude 65xxx (Private AS's)? I know about the keyword "remove-private-as", but this is for egress (outbound) traffic. As far as I know it's for when you're using confederations and such. Is this something I need to be concerned with? I'm not sure if this is something I should be spending my time on or not. Is it necessary to block inbound Private AS's? Please excuse my ignorance, I'm still learning!
Thank You,
Andre
RE: Any body know about Cisco Content Switch
Actually, before I found out about the CSS, I had intended to put two Alteons in front of the PIX and two behind, for a total of four. So yes, there would be redundancy at that level too. And behind the PIXs would be two Checkpoints, using Stonebeat to load balance. I'm just wondering if Local Director and CSS will be able to do this too.

--- Christopher Larson [EMAIL PROTECTED] wrote:
I suppose maybe you could still get this to work through a combination of the discussed and some DNS manipulation, but I would have to think too much to figure it out, and I suppose that is part of what the CSS is addressing. I can see where if the CSS had a single address that pointed to multiple advertised globals on separate PIXs this would be easier, but then for high availability won't you also need 2 CSSs? Now my curiosity is piqued. I think I should research the CSSs and what they do exactly to allow for firewall load balancing.

-Original Message-
From: Christopher Larson
Sent: Friday, January 12, 2001 11:14 AM
To: 'Yonkerbonk'; Christopher Larson; Tim O'Brien; [EMAIL PROTECTED]
Subject: RE: Any body know about Cisco Content Switch

For stateful PIX failover they do need to share info. In the scenario below, a downed PIX would cause people to need to reconnect. In PIX's stateful failover that would not happen. I guess there is a lot more at issue here than I first thought, like the statics and NAT on the PIXs. You could not maintain that info in this scenario. You could not have both PIXs advertising the same global address either, so it would not work.

-Original Message-
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 12, 2001 10:26 AM
To: Christopher Larson; Tim O'Brien; [EMAIL PROTECTED]
Subject: RE: Any body know about Cisco Content Switch

I imagine the problem comes when the PIX needs to know the state of the data flow, like if it's an ongoing TCP session or just random data. I'm not sure if this is an issue. Do the PIXs need to share information? Do the CSSs do that for them?

--- Christopher Larson [EMAIL PROTECTED] wrote:
I am not sure about CSS switches, and maybe your needs are special, but couldn't you just add a default route to both PIXs on each switch's RSM and turn off fast-switching? You will then get per-packet load balancing between the switches and the PIXs. I have done this before between 6500s and routers for high availability/reliability, but not between the switches and PIXs. I don't know why it wouldn't work with the PIX though.

-Original Message-
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 8:39 PM
To: Tim O'Brien; [EMAIL PROTECTED]
Subject: Re: Any body know about Cisco Content Switch

We currently have our PIXs side by side right behind the internet routers. Then the PIXs connect into two redundant 6509s, which is our core. We are trying for high availability, which the failover software already does for us. But I was thinking it probably was better to use both of them at the same time: more efficient and more throughput without having to buy a 535. So I'm looking to load balance the two PIXs, which we can do with a Checkpoint/Stonebeat combo. From the link you sent me on the 6509, it seems perhaps that I can use them to load balance to the PIXs from the inside? What is better for traffic coming from the internet to be load balanced on the PIX, the CSS or Local Director? They both seem to be for web or server traffic, but I can see them being used in other ways. Got any advice? Thanks.

--- Tim O'Brien [EMAIL PROTECTED] wrote:
Here are some links for the CSS switches. For the application that it appears that you are trying to run you will need the switches in front of and behind the PIX boxes. The PIX 535 is out now and will do a Gig of throughput. What are you trying to accomplish? You can run PIXes in an active/passive config if it is high availability that you are looking for. Give me a little more on the design that you are doing.
http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
or load balance on the 6500
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm

- Original Message -
From: "Yonkerbonk" [EMAIL PROTECTED]
To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy Mitchell" [EMAIL PROTECTED]; "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Thursday, January 11, 2001 5:46 PM
Subject: RE: Any body know about Cisco Content Switch

Hi Wayne,
Could you point me to some information on the CSSes and how to configure for load balancing? I was looking
RE: Any body know about Cisco Content Switch
I imagine the problem comes when the PIX needs to know the state of the data flow, like if it's an ongoing TCP session or just random data. I'm not sure if this is an issue. Do the PIXs need to share information? Do the CSSs do that for them?

--- Christopher Larson [EMAIL PROTECTED] wrote:
I am not sure about CSS switches, and maybe your needs are special, but couldn't you just add a default route to both PIXs on each switch's RSM and turn off fast-switching? You will then get per-packet load balancing between the switches and the PIXs. I have done this before between 6500s and routers for high availability/reliability, but not between the switches and PIXs. I don't know why it wouldn't work with the PIX though.

-Original Message-
From: Yonkerbonk [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 11, 2001 8:39 PM
To: Tim O'Brien; [EMAIL PROTECTED]
Subject: Re: Any body know about Cisco Content Switch

We currently have our PIXs side by side right behind the internet routers. Then the PIXs connect into two redundant 6509s, which is our core. We are trying for high availability, which the failover software already does for us. But I was thinking it probably was better to use both of them at the same time: more efficient and more throughput without having to buy a 535. So I'm looking to load balance the two PIXs, which we can do with a Checkpoint/Stonebeat combo. From the link you sent me on the 6509, it seems perhaps that I can use them to load balance to the PIXs from the inside? What is better for traffic coming from the internet to be load balanced on the PIX, the CSS or Local Director? They both seem to be for web or server traffic, but I can see them being used in other ways. Got any advice? Thanks.

--- Tim O'Brien [EMAIL PROTECTED] wrote:
Here are some links for the CSS switches. For the application that it appears that you are trying to run you will need the switches in front of and behind the PIX boxes. The PIX 535 is out now and will do a Gig of throughput. What are you trying to accomplish? You can run PIXes in an active/passive config if it is high availability that you are looking for. Give me a little more on the design that you are doing.
http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
or load balance on the 6500
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm

- Original Message -
From: "Yonkerbonk" [EMAIL PROTECTED]
To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy Mitchell" [EMAIL PROTECTED]; "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Thursday, January 11, 2001 5:46 PM
Subject: RE: Any body know about Cisco Content Switch

Hi Wayne,
Could you point me to some information on the CSSes and how to configure for load balancing? I was looking at Local Director and Alteon boxes to do that for two PIXs. Do I need them on both the outside and inside? Thanks.

--- Wayne Lawson [EMAIL PROTECTED] wrote:
Tommy,
Actually you CAN have the CSS in an "active / active" mode with true firewall load balancing.
Wayne Lawson, CCIE # 5244
Systems Engineer - Cisco Systems, Inc.
2000 Town Center, Suite 450
Southfield, Michigan 48075
Voice: (248) 455 - 1663
Cell: (248) 709 - 5797
Pager: (800) 365 - 4578

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tommy Mitchell
Sent: Wednesday, January 10, 2001 8:15 AM
To: cisco@groupstudy. com (E-mail)
Subject: Re: Any body know about Cisco Content Switch

Yes, they can, unless you're trying to load-balance firewalls. Try to load-balance firewalls and you have to go active-standby.
Tommy

- Original Message -
From: "Muhammad Faheem" [EMAIL PROTECTED]
To: "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Wednesday, January 10, 2001 7:26 AM
Subject: Any body know about Cisco Content Switch

Hi All
Just wanted to know whether the Cisco Content Switch (CSS-11000 CSS-11800) can work as Active - Active or not.
Thanks for Input
Muhammad Faheem
Systems Engineer
Afcomp
Hello : (9714)-3933878 / 3027338
Fax : (9714)-3933832
Web : www.afcomp.com
Re: Checkpoint Cisco VPN 5000 Concentrator
I installed a VPN 3010 and it goes parallel with the firewall, in my case a PIX. I didn't use the VPN 3000 client, but rather the Windows 2000 built-in VPN adapter. It does have the ability to do all the things you listed. I did run into some issues with the box talking MS-CHAPv2 and our NT server only talking v1, but overall it seemed like a good box. Bought from Altiga back in April 2000, I think.

--- pat [EMAIL PROTECTED] wrote:
Hello Everyone:
Does this box work with Checkpoint to establish IPSec tunnels? I am new to this VPN 5002 box, though I have good hands-on experience with other VPNs. Can anybody throw some light on how this box works with the client software that comes with the box? I am not looking for configuration details at this stage. My concern is that I have seen VPN client software where you can configure IPSec details such as AH, ESP, DES, 3DES, MD5, SHA. But in this client software (which can be installed on Win98/NT) I don't see any options to do this. Does it detect them from the VPN 5000 box automatically? I am planning to place this VPN box behind the Checkpoint firewall. Is this the correct way of doing it? The box has only one ethernet interface. Is it supposed to be like this, or does it need to have a minimum of two interfaces? If somebody can help me out with answers it will really be great. Thanks.
RE: Any body know about Cisco Content Switch
Hi Wayne,
Could you point me to some information on the CSSes and how to configure for load balancing? I was looking at Local Director and Alteon boxes to do that for two PIXs. Do I need them on both the outside and inside? Thanks.

--- Wayne Lawson [EMAIL PROTECTED] wrote:
Tommy,
Actually you CAN have the CSS in an "active / active" mode with true firewall load balancing.
Wayne Lawson, CCIE # 5244
Systems Engineer - Cisco Systems, Inc.
2000 Town Center, Suite 450
Southfield, Michigan 48075
Voice: (248) 455 - 1663
Cell: (248) 709 - 5797
Pager: (800) 365 - 4578

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tommy Mitchell
Sent: Wednesday, January 10, 2001 8:15 AM
To: cisco@groupstudy. com (E-mail)
Subject: Re: Any body know about Cisco Content Switch

Yes, they can, unless you're trying to load-balance firewalls. Try to load-balance firewalls and you have to go active-standby.
Tommy

- Original Message -
From: "Muhammad Faheem" [EMAIL PROTECTED]
To: "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Wednesday, January 10, 2001 7:26 AM
Subject: Any body know about Cisco Content Switch

Hi All
Just wanted to know whether the Cisco Content Switch (CSS-11000 CSS-11800) can work as Active - Active or not.
Thanks for Input
Muhammad Faheem
Systems Engineer
Afcomp
Hello : (9714)-3933878 / 3027338
Fax : (9714)-3933832
Web : www.afcomp.com
Re: Any body know about Cisco Content Switch
We currently have our PIXs side by side right behind the internet routers. Then the PIXs connect into two redundant 6509s, which is our core. We are trying for high availability, which the failover software already does for us. But I was thinking it probably was better to use both of them at the same time: more efficient and more throughput without having to buy a 535. So I'm looking to load balance the two PIXs, which we can do with a Checkpoint/Stonebeat combo. From the link you sent me on the 6509, it seems perhaps that I can use them to load balance to the PIXs from the inside? What is better for traffic coming from the internet to be load balanced on the PIX, the CSS or Local Director? They both seem to be for web or server traffic, but I can see them being used in other ways. Got any advice? Thanks.

--- Tim O'Brien [EMAIL PROTECTED] wrote:
Here are some links for the CSS switches. For the application that it appears that you are trying to run you will need the switches in front of and behind the PIX boxes. The PIX 535 is out now and will do a Gig of throughput. What are you trying to accomplish? You can run PIXes in an active/passive config if it is high availability that you are looking for. Give me a little more on the design that you are doing.
http://www.cisco.com/warp/public/cc/pd/si/11000/prodlit/
or load balance on the 6500
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/ios6k_wp.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/aslb_wp.htm

- Original Message -
From: "Yonkerbonk" [EMAIL PROTECTED]
To: "Wayne Lawson" [EMAIL PROTECTED]; "Tommy Mitchell" [EMAIL PROTECTED]; "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Thursday, January 11, 2001 5:46 PM
Subject: RE: Any body know about Cisco Content Switch

Hi Wayne,
Could you point me to some information on the CSSes and how to configure for load balancing? I was looking at Local Director and Alteon boxes to do that for two PIXs. Do I need them on both the outside and inside? Thanks.

--- Wayne Lawson [EMAIL PROTECTED] wrote:
Tommy,
Actually you CAN have the CSS in an "active / active" mode with true firewall load balancing.
Wayne Lawson, CCIE # 5244
Systems Engineer - Cisco Systems, Inc.
2000 Town Center, Suite 450
Southfield, Michigan 48075
Voice: (248) 455 - 1663
Cell: (248) 709 - 5797
Pager: (800) 365 - 4578

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Tommy Mitchell
Sent: Wednesday, January 10, 2001 8:15 AM
To: cisco@groupstudy. com (E-mail)
Subject: Re: Any body know about Cisco Content Switch

Yes, they can, unless you're trying to load-balance firewalls. Try to load-balance firewalls and you have to go active-standby.
Tommy

- Original Message -
From: "Muhammad Faheem" [EMAIL PROTECTED]
To: "cisco@groupstudy. com (E-mail)" [EMAIL PROTECTED]
Sent: Wednesday, January 10, 2001 7:26 AM
Subject: Any body know about Cisco Content Switch

Hi All
Just wanted to know whether the Cisco Content Switch (CSS-11000 CSS-11800) can work as Active - Active or not.
Thanks for Input
Muhammad Faheem
Systems Engineer
Afcomp
Hello : (9714)-3933878 / 3027338
Fax : (9714)-3933832
Web : www.afcomp.com
Re: VPN location
Typically it runs parallel to the PIX. Check out the Cisco page on that. The Getting Started link will tell you where Cisco thinks you should put it, which is in parallel.
http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/vpn3kco/vcogs/index.htm

--- SH Wesson [EMAIL PROTECTED] wrote:
I'm installing a new VPN box. Traditionally, where in the network does the VPN box reside? Does it run parallel to the PIX firewall and connect to the inside the same way as the PIX, or should the VPN box be located in the DMZ with a secure tunnel created between the VPN box and the PIX firewall, with all requests to the inside network going through the PIX firewall via conduits, etc.? Thanks.
Re: crossover or straight cable?
A trunk port is simply a port that has traffic from more than one VLAN running over it. It is a function of the software to combine and split the data. That has nothing to do with how the cabling is done. If you have a trunk running from switch to switch, it will be crossover. If you have a trunk running from switch to router, it will be straight through. Normal cabling scheme.

--- sean [EMAIL PROTECTED] wrote:
Tony,
Are you saying that, to connect "trunk" ports between switches, a crossover cable is required? I know for "switch" ports that's the case; I am wondering if it is true for trunk as well.
Tks
Re: W2K and 98, off subject sorry but I need help
This should do it.

[boot loader]
timeout=30
default=multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"

--- Brandon Peyton [EMAIL PROTECTED] wrote:
Hi,
I'm trying to figure out how to configure my boot.ini file so it will boot into Win98. I have 2 40 GB drives in my server; on one HD is W2K Advanced Server, on the second HD was Win98. Currently I have:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"

I've also tried "\Windows" and "C:\WINDOWS"; both fail and have a fatal error. Would someone who has dual boot NT and 98 please show me a copy of your boot.ini file? It would be in your C: dir. I've looked in tons of how-tos but none offer 2-disk assistance, only partition.
Thanks for your help
Brandon
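A boot.ini has only two moving parts, the ARC paths that key each [operating systems] entry and the "default" line that must name one of them exactly, and a typo in either produces the kind of fatal error Brandon describes. The following is an added Python example, not code from the thread: it parses a boot.ini of the shape posted and reports inconsistencies (non-ARC entry keys, a missing or non-numeric timeout, a "default" that does not match any entry). Brandon's current file from the post above is reproduced as the first sample input; the second sample is constructed, with its "default" deliberately pointing at an entry that does not exist, to show the check firing. The ARC path grammar used (multi/scsi/signature forms plus the bare drive-letter form) is the one I know from NT-family loaders; helper names are assumptions made for the example.

```python
import re

# ARC path forms that may key an [operating systems] entry:
#   multi(n)disk(n)rdisk(n)partition(n)\dir, scsi(n)..., signature(hex)...
# plus the bare drive-letter form (C:\) used for DOS / Windows 9x boot sectors.
ARC_PATH = re.compile(
    r"^(?:multi\(\d+\)|scsi\(\d+\)|signature\([0-9a-fA-F]+\))"
    r"disk\(\d+\)rdisk\(\d+\)partition\(\d+\)(?:\\.*)?$"
)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\?$")


def parse_boot_ini(text: str) -> dict:
    """Parse boot.ini into {'timeout': str, 'default': str, 'entries': {arc_path: label}}."""
    cfg = {"timeout": None, "default": None, "entries": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "boot loader":
            if key.lower() in ("timeout", "default"):
                cfg[key.lower()] = value
        elif section == "operating systems":
            # the label is quoted; loader switches such as /fastdetect may follow it
            m = re.match(r'"([^"]*)"', value)
            cfg["entries"][key] = m.group(1) if m else value
    return cfg


def check_boot_ini(cfg: dict) -> list:
    """Return human-readable problems; an empty list means the file is consistent."""
    problems = []
    if cfg["timeout"] is None or not cfg["timeout"].lstrip("-").isdigit():
        problems.append("timeout missing or not an integer")
    for path in cfg["entries"]:
        if not (ARC_PATH.match(path) or DRIVE_PATH.match(path)):
            problems.append(f"entry key is not an ARC or drive path: {path}")
    if cfg["default"] is None:
        problems.append("default missing")
    elif cfg["default"] not in cfg["entries"]:
        problems.append(f"default {cfg['default']!r} does not name an [operating systems] entry")
    return problems


# Sample 1: Brandon's current boot.ini exactly as posted in the thread.
POSTED_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
multi(0)disk(1)rdisk(0)partition(1)\C:\="Microsoft Windows 98"
"""

# Sample 2 (constructed): "default" names a directory that has no entry.
BROKEN_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Advanced Server"
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_BOOT_INI), ("broken", BROKEN_BOOT_INI)):
        cfg = parse_boot_ini(text)
        print(name, cfg["entries"], check_boot_ini(cfg) or "OK")
```

The check is deliberately syntactic: it tells you whether the loader can even find the entry you asked for, which is the first thing to rule out before looking at whether the target partition actually holds a bootable Windows 98 boot sector.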
Re: CCIE Salary article
Quoted from article: "For example, Cisco frowns on competing solutions providers raiding each other in search of CCIEs. Should one company lure another's CCIE, Cisco will not recognize that engineer's certification for a year, meaning the company that scored the new employee cannot count on him or her in its effort to climb the Cisco Partner Certification Program."

I have never heard of this. How does Cisco determine if they've left or were lured away? That's dumb.

Michael

--- Daniel Cotts [EMAIL PROTECTED] wrote:
http://www.zdnet.com/sp/stories/issue/0,4537,2664303,00.html
Re: CCIE Salary article
It's easy to figure out that someone has left the company, but how do they determine the reason someone left? If I got my CCIE and after 6 months I decide my company is not making use of me, and then I go to another Cisco partner... that does not mean the new company lured me away. I left for my own reasons. Should my new company be penalized?

--- Austin [EMAIL PROTECTED] wrote:
Yonker Bonk,
Cisco knows that they have left because the reseller notifies Cisco of the number of Cisco Certified individuals they have on staff, because the reseller discount from Cisco is determined by the number of Cisco Certified SEs. So when a CCIE leaves Company A for Company B, Company B submits to Cisco that they have another CCIE... this is how Cisco knows. The same goes for Compaq ASEs. Hope this explains it to you.

"Yonkerbonk" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
Quoted from article: "For example, Cisco frowns on competing solutions providers raiding each other in search of CCIEs. Should one company lure another's CCIE, Cisco will not recognize that engineer's certification for a year, meaning the company that scored the new employee cannot count on him or her in its effort to climb the Cisco Partner Certification Program."

I have never heard of this. How does Cisco determine if they've left or were lured away? That's dumb.

Michael

--- Daniel Cotts [EMAIL PROTECTED] wrote:
http://www.zdnet.com/sp/stories/issue/0,4537,2664303,00.html
Re: Can any one explain this Ping problem...
Yahoo load balances its traffic across two web servers with different IP addresses. If you run nslookup on www.yahoo.fr you get this:

nslookup www.yahoo.fr
Server: houdhcp1.houston.rr.com
Address: 24.28.99.64
Non-authoritative answer:
Name: homerc.europe.yahoo.com
Addresses: 217.12.6.16, 217.12.6.17
Aliases: www.yahoo.fr

--- karthikeyan [EMAIL PROTECTED] wrote:
Hi,
When I execute ping www.yahoo.fr -t -l 2 -w 500 I got the result as:

c:\ping www.yahoo.fr -t -l 2 -w 500
Pinging homerc.europe.yahoo.com [217.12.6.16] with 2 bytes of data:
Reply from 217.12.6.16: bytes=2 time=471ms TTL=234
Reply from 217.12.6.16: bytes=2 time=461ms TTL=234
Reply from 217.12.6.16: bytes=2 time=451ms TTL=234
^C

But when I tried to change the size to 1, i.e. when I tried ping www.yahoo.fr -t -l 1 -w 500, I got the result as:

c:\ping www.yahoo.fr -t -l 1 -w 500
Pinging homerc.europe.yahoo.com [217.12.6.17] with 1 bytes of data:
Reply from 217.12.6.17: bytes=1 time=521ms TTL=234
Reply from 217.12.6.17: bytes=1 time=450ms TTL=234
Reply from 217.12.6.17: bytes=1 time=481ms TTL=234
^C

The IP addresses are differing. Can you explain it...?
Thx,
karthi
Re: ISL to 2600 series router
Ethernet running at 100 Mb *is* FastEthernet. For the 2620s and 2621s you need to run IOS with the "plus" feature set.

--- Michael Everett [EMAIL PROTECTED] wrote:
In my lab at work I have 2 2924XL switches, 1 Cat 5509, and a Cisco 2600 router with a 10/100 ethernet port. The router will not enable me to enter an encapsulation command on the ethernet interface. Is ISL not an option on plain old 10/100 ethernet? Will it only work on a fast ethernet interface? Dumb question: what is the functional difference between an ethernet interface configured to run at 100M full duplex and a fast ethernet interface? If you wish to respond to me directly please send replies to [EMAIL PROTECTED].
Thanks
Mike