from:"mjans001"

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nope, 

The only engineering you can do is at the cpe, where your traffic
goes out and comes in.

Thais makes that you at best can configure QOS at the BOTTLENECK,
that may be your remote office router.
If not applicable, than the agregation point (HQ) will be the next
best.

I still would say that you carefully analyse the traffic patterns and
look at the bottlenecks. That is the no 1 point to do business.

Martijn

- -Oorspronkelijk bericht-
Van: Julian Pentermann [mailto:[EMAIL PROTECTED]] 
Verzonden: dinsdag 21 januari 2003 6:58
Aan: mjans001
Onderwerp: Re: QOS on 2621xm [7:61353]


would the isp have to do anything or would i just impliment the qos
on my router?

Thanks for the help
- - Original Message -
From: mjans001 
Newsgroups: groupstudy.cisco
Sent: Tuesday, January 21, 2003 12:53 AM
Subject: RE: QOS on 2621xm [7:61353]


 -BEGIN PGP SIGNED MESSAGE-
 Hash: SHA1

 You may need to use Priority Queueing, and hardcode telnet High prio 
 based on an access-list.

 Normal traffic despools after telnet queue is empty. If you are sure 
 that there will always be bandwitfh left for other traffic, PQ will do 
 fine.

 That is one way of using it.

 
 During transmission, PQ gives priority queues absolute preferential 
 treatment over low priority queues; important traffic, given the 
 highest priority, always takes precedence over less important traffic. 
 Packets are classified based on user-specified criteria and placed 
 into one of the
four
 output queues-high, medium, normal, and low-based on the assigned
priority.
 Packets that are not classified by priority fall into the normal 
 queue. Figure 7 illustrates this process.

 Congestion Management Overview

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c
/qcpart2/qcconman.htm


 Why Use Priority Queueing?
 PQ provides absolute preferential treatment to high priority traffic, 
 ensuring that mission-critical traffic traversing various WAN links 
 gets priority treatment. In addition, PQ provides a faster response 
 time than
do
 other methods of queueing.

 Although you can enable priority output queueing for any interface, it 
 is best used for low-bandwidth, congested serial interfaces.

 Considerations
 When choosing to use PQ, consider that because lower priority traffic 
 is often denied bandwidth in favor of higher priority traffic, use of 
 PQ
could,
 in the worst case, result in lower priority traffic never being
transmitted.
 To avoid inflicting these conditions on lower priority traffic, you 
 can
use
 traffic shaping or CAR to rate-limit the higher priority traffic.

 PQ introduces extra overhead that is acceptable for slow interfaces, 
 but
may
 not be acceptable for higher speed interfaces such as Ethernet. With 
 PQ enabled, the system takes longer to switch packets because the 
 packets are classified by the processor card.

 PQ uses a static configuration and does not adapt to changing network 
 conditions.




 

 Martijn

 - -Oorspronkelijk bericht-
 Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens 
 Julian P
 Verzonden: maandag 20 januari 2003 9:02
 Aan: [EMAIL PROTECTED]
 Onderwerp: QOS on 2621xm [7:61353]


 Hi


 We would like to prioritize incoming traffic on our 256k internet link 
 to uunet .We need to give telnet at least 64k incoming bandwidth.

 Any ideas on the best way to do this ?

 Thanks in advance

 Julian
 Version: PGP 8.0

 iQA/AwUBPix7Bndq56XWk+VyEQJ+/ACfS2LZO44i+6Y+cRg37a/ApiovJtgAoLvz
 kS6ZvDnOtSXEqAAi/6u1v+p4
 =nXJB
 -END PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBPi2VbHdq56XWk+VyEQIPOQCfTguOnPMduMdxWbRuzbadddit3esAn3/6
vmrK61ZimecTbrS2DXPX3Jwo
=FsQK
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61482t=61353
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Traffic separate by protocol [7:61431]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Us ecustum queueing, you do nat want to starve queues with prio queueing.

Weigted fair(normal default is not going to cut it for your exact needs.

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Frederico
Madeira
Verzonden: dinsdag 21 januari 2003 4:11
Aan: [EMAIL PROTECTED]
Onderwerp: Traffic separate by protocol [7:61431]


How i separe traffic in my 2600 router by protocol.
Ex: I have a frame-relay circuit of 64Kb cir 32Kb
and i wnat to have:
10Kb for http
10Kb for smtp/pop3
5Kb for ftp
and the remain for all others.

How i make this configuration ?? i  must to make in the concentrator router
or in all routers on my wan ??

Tanks

Fred
Version: PGP 8.0

iQA/AwUBPi29wHdq56XWk+VyEQIO2gCgor7jlAbjxM1TYTzP061vg9bg41UAnRDN
prUeh04GJhIbrtO55xMtTdwp
=2+cA
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61510t=61431
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: backup to line ISP [7:61355]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

2 boxes?

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens GeorgeB
Verzonden: maandag 20 januari 2003 9:45
Aan: [EMAIL PROTECTED]
Onderwerp: backup to line ISP [7:61355]


Hello
I need to find a way if our frame -relay to ISP went down
auto switch to DSL for redundency.

Thank you for any thoughts,

George
Version: PGP 8.0

iQA/AwUBPi2+N3dq56XWk+VyEQIAogCeNbPSw/RubHpxONHrIlygsmGhf4sAn3jj
W64KZAXcfA5cSS56VrSaGM4/
=V8+c
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61512t=61355
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: backup to line ISP [7:61355]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Do we need to fail-over outgoing traffic only?

We can do that from a hosts standpoint. A second default gateway. A
destination-unreachable from the box that has the downed link should
do the trick.

You also can give the cisco box an extra Eth intf. I assume no L3
switch in front?

Then an extra 3 eth box should do it.

Martijn 

- -Oorspronkelijk bericht-
Van: George Mansoor [mailto:[EMAIL PROTECTED]] 
Verzonden: dinsdag 21 januari 2003 22:39
Aan: mjans001
Onderwerp: RE: backup to line ISP [7:61355]


Yes one Cisco one none Cisco router

- -Original Message-
From: mjans001 [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 21, 2003 1:40 PM
To: George Mansoor; [EMAIL PROTECTED]
Subject: RE: backup to line ISP [7:61355]

 
- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

2 boxes?

Martijn

- - -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens GeorgeB
Verzonden: maandag 20 januari 2003 9:45
Aan: [EMAIL PROTECTED]
Onderwerp: backup to line ISP [7:61355]


Hello
I need to find a way if our frame -relay to ISP went down
auto switch to DSL for redundency.

Thank you for any thoughts,

George
Version: PGP 8.0

iQA/AwUBPi2+N3dq56XWk+VyEQIAogCeNbPSw/RubHpxONHrIlygsmGhf4sAn3jj
W64KZAXcfA5cSS56VrSaGM4/
=V8+c
- -END PGP SIGNATURE-



-BEGIN PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBPi2/9ndq56XWk+VyEQIvCACgpr0dVLN/H4iUNtw6+GJs17NiFvQAniyj
M5wEAe4VA08pjZJetKhDBHat
=Q6Hc
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61513t=61355
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Traffic separate by protocol [7:61431]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Sorry for the typos. Custom Queueing.



- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens
mjans001
Verzonden: dinsdag 21 januari 2003 22:39
Aan: [EMAIL PROTECTED]
Onderwerp: RE: Traffic separate by protocol [7:61431]


- -BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Us ecustum queueing, you do nat want to starve queues with prio queueing.

Weigted fair(normal default is not going to cut it for your exact needs.

Martijn

- - -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Frederico
Madeira
Verzonden: dinsdag 21 januari 2003 4:11
Aan: [EMAIL PROTECTED]
Onderwerp: Traffic separate by protocol [7:61431]


How i separe traffic in my 2600 router by protocol.
Ex: I have a frame-relay circuit of 64Kb cir 32Kb
and i wnat to have:
10Kb for http
10Kb for smtp/pop3
5Kb for ftp
and the remain for all others.

How i make this configuration ?? i  must to make in the concentrator router
or in all routers on my wan ??

Tanks

Fred
Version: PGP 8.0

iQA/AwUBPi29wHdq56XWk+VyEQIO2gCgor7jlAbjxM1TYTzP061vg9bg41UAnRDN
prUeh04GJhIbrtO55xMtTdwp
=2+cA
- -END PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBPi3AFHdq56XWk+VyEQKpMwCcCAJ7Gwb8K3lukDIFkGlcqHibTY8AoOzc
bDmr7/OnEHkR+ouzyi+zPOhs
=g1sD
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61514t=61431
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Voice Over Internet [7:61467]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Nice reading, maybe applicable:
Look into next hop resolution protocol, where the dynamic host registers
itself at the static host.

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/stlvp_cg.pdf



Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens neil K.
Verzonden: dinsdag 21 januari 2003 20:10
Aan: [EMAIL PROTECTED]
Onderwerp: Re: Voice Over Internet [7:61467]


I have a couple of questions more.
1) The IP addressing. The Ip address is assigned dynamically by Service
Provider and also the running NAT on the router, will it be an issue.
2) In that case VPN would be a better choice or not.

Neil


Bruce Enders  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 Neil,
 In broad brushstrokes the answers are sort of:
 1. Variable delay is the worst enemy of Voice QoS. Queuing delays are 
 sometimes very common in ISP-to-ISP connections. Putting Voice traffic 
 on the Internet is a risky proposition if you have significant 
 concerns regarding Voice quality. Making sure that each remote has 
 significant bandwidth for the VOIP traffic is the first step.  ISPs 
 may be capable of providing some levels of QoS, but may be reluctant 
 to do so. Most ISPs have significantly less queuing delay within their 
 network than they do across connections to other ISPs. (VOIP across 
 the same ISP backbone usually results in better than acceptable voice 
 quality). It is usually the links that connect different ISPs that 
 create the most problems. I have seen large VOIP implementations that 
 achieved very good voice quality over a very large geographic area 
 that was all served by one ISP. (Choose your ISP wisely).

 2. VPN could hurt voice quality as some concentrators inject delay 
 into the audio streams. Check the delay specs on any VPN concentrator 
 you are thinking about using to see how much delay you can expect to 
 have to deal with.

 3. Solution? Most new Cisco routers and switches support QoS 
 configurations that enhance the probability of achieving good voice 
 quality within a network. I do not know the specs on their VPN 
 concentrators off the top of my head.

 HTH
 Bruce

 neil K. wrote:

 Hi Guys,
 
 I have a few questions regarding implementing VoIP.
 1) Can I have different remote offices run VoIP if they have (DSL 
 access
of
 Cable modem access) to the Internet, I mean running VoiP over 
 internet as there wouldn't be any QoS.I am not sure about the Quality 
 of Voice in
that
 case.Also can the service provider of DSL or Cable provide us with 
 some
kind
 of QoS so that the Voice quality can be improved.
 
 2)Will implementing a VPN solution help in running VoIP  and how and 
 what are the different solutions and what vendors should I be looking 
 at.
 
 3) Does Cisco have a solution for this.
 
 Thanks in advance.
 
 Neil. K.
 --


   Bruce Enders   Email: [EMAIL PROTECTED]
   Chesapeake NetCraftsmeno:(410)-280-6927, c:(443)-994-0678
   1290 Bay Dale Drive, Suite 312 WWW: http://www.netcraftsmen.net
   Arnold, MD 21012-2325  Cisco CCSI# 96047
  Efax 443-331-0651
Version: PGP 8.0

iQA/AwUBPi3E4Xdq56XWk+VyEQKRaQCgs+Uul6YIxocqc/XHtZu+YvA++OgAn0Ku
gCmGuhIxzZUBQ1A7vG2wvmau
=OqwR
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61515t=61467
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Token Ring/HSRP Question [7:61359]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Seems that after 11.3(9) they fixed a few bugs regarding HSRP.

You can try it.


http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/rn113m/rn113mnt.htm#xtocid25

.2eu c

MArtijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Simon Watson
Verzonden: maandag 20 januari 2003 11:08
Aan: [EMAIL PROTECTED]
Onderwerp: Token Ring/HSRP Question [7:61359]


Hi Guys I'm going to a client's site that has a 2513 router with
11.3(11a) IOS (image is  c2500-ds-l_113-11a.bin). 2 things: I'm looking to
set up HSRP on the router, should I have any issues with that level of
software ?Also are there an issues I should be aware of when configuring
HSRP on token ring routers ??  Thanks in advance Simon.

- 

Help STOP SPAM: Try the new MSN 8 and get 2 months FREE*
Version: PGP 8.0

iQA/AwUBPi3HR3dq56XWk+VyEQJSSwCgoyJ1D/+pXgdipbJ+6xW4DiiwIj0AoO8m
n9jRny4WKcn+HQ+oy4vM5jyy
=3WHB
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61517t=61359
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Confusion on CISSP requirements [7:60997]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I stand firm behind Will's post.

Martijn Jansen CISSP etc.

www.wortell.nl


- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens William
Gragido
Verzonden: dinsdag 14 januari 2003 18:24
Aan: [EMAIL PROTECTED]
Onderwerp: RE: Confusion on CISSP requirements [7:60997]


Not necessarily Scott.  You've got to be able to prove (in others words have
documentable proof), that you've worked for a cumulative total of 4 years in
the security field.  Now, the caveat is that your work can be spread amongst
the ten domains or relegated to one as long as your total time meets the
minimum criteria.  Then you are eligible to test.  Once you test and pass,
you must then be sponsored by a CISSP in good standing.

Shoot me a note with any questions,

Will Gragido CISSP CCNP CIPTSS CCNA CCDA MCP blah blah blah
NSC
www.ins.com

- -Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Scott
Sent: Monday, January 13, 2003 6:44 PM
To: [EMAIL PROTECTED]
Subject: OT: Confusion on CISSP requirements [7:60997]


I'm a CCIE with over 4 years of experience in networking and a college
degree.  Each position I have had required a small percentage of security
related work.  Does that satisfy the requirements or are they asking for
100% security work?  Any help greatly appreciated.
Version: PGP 8.0

iQA/AwUBPi3H0ndq56XWk+VyEQK0dgCeIcxQJ9SP1PWxATSQ8/DRcBx7mp0AnRCw
KzEAqYs83YjxNpwMPomn/Lxw
=6s/J
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61519t=60997
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: VPN Concetrator #3030 [7:58982]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

There is like a failover setting in the 3002 hardware client. The software
client needs to dial in again, the second/backup ip.

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens neil K.
Verzonden: woensdag 11 december 2002 18:16
Aan: [EMAIL PROTECTED]
Onderwerp: VPN Concetrator #3030 [7:58982]


Hi All,

Few questions regarding the VPN Concentrator

1. what do I do for Redundancy, ( VPN Redundant Bundle)
2. Load balancing
3. Where to put the Concentrator ( prefer putting the VPN Concetrator behind
Firewall).What are issues I will have to consider if I put the concentrator
behind Firewall.

Thanks,

Sunil
Version: PGP 8.0

iQA/AwUBPi3Irndq56XWk+VyEQLceQCgxuZ/wMidJNS1cvEC71ERrjRJDwcAn1h4
GfDWR3RKOJKORSoieVp4UEj6
=gMi+
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61522t=58982
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: PIX NAT bypass [7:61338]

2003-01-20 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#1032129

Usage Guidelines 

The nat command lets you enable or disable address translation for one or
more internal addresses. Address translation means that when a host starts
an outbound connection, the IP addresses in the internal network are
translated into global addresses. Network Address Translation (NAT) allows
your network to have any IP addressing scheme and the PIX Firewall protects
these addresses from visibility on the external network.

The nat outside option lets you enable or disable address translation for
the external addresses.

The nat if_name 0 access-list acl_name command lets you exempt traffic that
is matched by the access-list command statements from the NAT services.
Adaptive Security remains in effect with the nat 0 access-list command. The
extent to which the inside hosts are accessible from the outside depends on
the access-list command statements that permit inbound access. The if_name
is the higher security level interface name. The acl_name is the name you
use to identify the access-list command statement.

With PIX Firewall software version 5.3 and higher, there is no longer a
restriction on having the nat 0 command (Identity NAT) and the nat 0
access-list command configured at the same time. Both the nat 0 command and
the nat 0 access-list command may be configured concurrently.

The access-list option changes the behavior of the nat 0 command. (Without
the access-list option, the command is backward compatible with previous
versions.) The nat 0 command implemented the identity feature; this new
version of the command disables NAT. Specifically, the new behavior disables
proxy ARPing for the IP addresses in the nat 0 command statement.




http://www.cisco.com/warp/public/707/28.html

Define the inside group to be included for NAT:

 
nat (inside) 0 175.1.1.0 255.255.255.0  disabled nat
nat (inside) 1 10.1.6.0 255.255.255.0   enabled nat




- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Michael
Vasilenko
Verzonden: zondag 19 januari 2003 17:21
Aan: [EMAIL PROTECTED]
Onderwerp: PIX NAT bypass [7:61338]


Hello!

I need to implement unidirectional traffic flow with NAT bypass through PIX.
Any help, links, config examples would be fine. Thanks.

- -- 
Michael Vasilenko
Version: PGP 8.0

iQA/AwUBPixvCXdq56XWk+VyEQLNdACbBN+D0sbxbYj8M3pPIWC7q09Gk40AoNnZ
CR9mRTQti3JfttFfnetjP0X7
=+Rd7
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61412t=61338
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: QOS on 2621xm [7:61353]

2003-01-20 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

You may need to use Priority Queueing, and hardcode telnet High prio based
on an access-list.

Normal traffic despools after telnet queue is empty. If you are sure that
there will always be bandwitfh left for other traffic, PQ will do fine.

That is one way of using it.

During transmission, PQ gives priority queues absolute preferential
treatment over low priority queues; important traffic, given the highest
priority, always takes precedence over less important traffic. Packets are
classified based on user-specified criteria and placed into one of the four
output queues-high, medium, normal, and low-based on the assigned priority.
Packets that are not classified by priority fall into the normal queue.
Figure 7 illustrates this process.

Congestion Management Overview
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/qos_c/qcpart2/qcconman.htm

Why Use Priority Queueing?
PQ provides absolute preferential treatment to high priority traffic,
ensuring that mission-critical traffic traversing various WAN links gets
priority treatment. In addition, PQ provides a faster response time than do
other methods of queueing.

Although you can enable priority output queueing for any interface, it is
best used for low-bandwidth, congested serial interfaces.

Considerations
When choosing to use PQ, consider that because lower priority traffic is
often denied bandwidth in favor of higher priority traffic, use of PQ could,
in the worst case, result in lower priority traffic never being transmitted.
To avoid inflicting these conditions on lower priority traffic, you can use
traffic shaping or CAR to rate-limit the higher priority traffic.

PQ introduces extra overhead that is acceptable for slow interfaces, but may
not be acceptable for higher speed interfaces such as Ethernet. With PQ
enabled, the system takes longer to switch packets because the packets are
classified by the processor card.

PQ uses a static configuration and does not adapt to changing network
conditions.

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Julian P
Verzonden: maandag 20 januari 2003 9:02
Aan: [EMAIL PROTECTED]
Onderwerp: QOS on 2621xm [7:61353]

We would like to prioritize incoming traffic on our 256k internet link to
uunet .We need to give telnet at least 64k incoming bandwidth.

Any ideas on the best way to do this ?

Thanks in advance

Julian
Version: PGP 8.0

iQA/AwUBPix7Bndq56XWk+VyEQJ+/ACfS2LZO44i+6Y+cRg37a/ApiovJtgAoLvz
kS6ZvDnOtSXEqAAi/6u1v+p4
=nXJB
-END PGP SIGNATURE-

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61420t=61353
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Study group Amsterdam, The Netherlands [7:61347]

2003-01-19 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Anybody interested in forming a RS LAB study group in The Netherlands,
Amsterdam. Have no date, aiming on summer.

Have more hardware than they do in Brussels. ;-)

Pls contact off-line.

Martijn Jansen

-BEGIN PGP SIGNATURE-
Version: PGP 8.0

iQA/AwUBPismhHdq56XWk+VyEQJMegCfQfezfLSjYY/AhcQmx1/Yk+IN0P4AnAl9
K+nurBWqCHFXj7PLCodYUr/O
=Vjed
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61347t=61347
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: PIX Exam...(CSPFA) [7:61293]

2003-01-18 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I would do the MCNS first at least.

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Gunjan
Mathur
Verzonden: zaterdag 18 januari 2003 9:02
Aan: [EMAIL PROTECTED]
Onderwerp: PIX Exam...(CSPFA) [7:61293]


Hi,

I'm CCNA and now thinking for Cisco Secure PIX
Firewall Advanced. 

I wanted to know about the value of this exam. is this
is in demand and help me to get better jobs...

I'm in India and don't know whether in India this
would help me to get a good opportunity..

TIA...


__
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
Version: PGP 8.0

iQA/AwUBPikiAHdq56XWk+VyEQLNLACfQfgmvm6C//0ARCgXMid7+6JVOmgAn2xi
5xqd7+HjYLkZt7xiT0EoehHL
=Am7V
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61294t=61293
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: URGENT: Modem Authentication Failure [7:61292]

2003-01-18 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I do not have lots of debug experience in that area, but maybe can help a
little.

The message 

Call Handle failed for Modem 5/2
Does not seem to worry, see

Configuring Dialin with the NM-8AM or NM-16AM Analog Modem Module
Sample Debugs Output 
http://www.cisco.com/warp/public/471/nm-xam_dialin.html#9
Where it is standard debug output for a succeeded call.

The message
Received authen response status FAIL (3)

Does worry me. Triple check that nothing changed in the radius/tacacs config.

Common Problems in Debugging TACACS+, PAP and CHAP
http://www.cisco.com/warp/public/480/tacacs_pppdebug.html 

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Hamid Ali
Asgari
Verzonden: zaterdag 18 januari 2003 8:34
Aan: [EMAIL PROTECTED]
Onderwerp: URGENT: Modem Authentication Failure [7:61292]


Hi everybody,

Today I have encountered a strabge problem. I have a 3660 router with
NM-16AM modules. Nothing has been changed. Suddenly we got complains from
users tht they cannot connect. I have checked the AAA server. But there is
nothing wrong. Here is my debug log:
- ---
Call Handle failed for Modem 5/2
%LINK-3-UPDOWN: Interface Async163, changed state to up
TPLUS: Queuing AAA Authentication request 634 for processing
TPLUS: processing authentication start request id 634
TPLUS: Authentication start packet created for 634(testuser)
TPLUS: Using server XY.XY.XY.250
TPLUS(027A): connected to server XY.XY.XY.250
TPLUS: response received for AAA request 634
TPLUS: Received authen response status FAIL (3)
%LINK-5-CHANGED: Interface Async163, changed state to reset
%LINK-3-UPDOWN: Interface Async163, changed state to down

Call Handle failed for Modem 5/2
%LINK-3-UPDOWN: Interface Async163, changed state to up
TPLUS: Queuing AAA Authentication request 637 for processing
TPLUS: processing authentication start request id 637
TPLUS: Authentication start packet created for 637(testuser)
TPLUS: Using server XY.XY.XY.250
TPLUS(027D): connected to server XY.XY.XY.250
TPLUS: response received for AAA request 637
TPLUS: Received authen response status FAIL (3)
%LINK-5-CHANGED: Interface Async163, changed state to reset

- ---
Any comments?

I couldn't find what the FAIL(13) error code means. And also I don't know
what causes Call Handle failed for Modem 5/2. I get this for a lot of my
modems on my console.Thanks in advance, Hamid
Version: PGP 8.0

iQA/AwUBPikla3dq56XWk+VyEQKphACfa6B8lpmTQ3Yt6D18Vb8Kxk6aEdUAoNbu
ITDsRaSUCQlsXdkQFM5zARCH
=EO/E
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=61295t=61292
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: VPN Client+IOS [7:59283]

2003-01-06 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

For example in 

http://www.cisco.com/warp/public/707/ios_usr_rad.html

Is, like I said, ANOTHER ip range used than in the LAN.

Configuring Router to VPN Client, Mode-Config, Wild-Card Pre-Shared Key with
NAT
http://www.cisco.com/warp/public/707/25.shtml

Speaks of

interface Serial1
ip address 10.2.2.1 255.255.255.0
no ip directed-broadcast
ip nat inside
!
And
 ip local pool ourpool 10.2.1.1 10.2.1.254

So diff ip ranges works.

Than
!--- Except the private network to private network traffic 
!--- from the NAT process.
access-list 101 deny ip 10.2.2.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 101 permit ip 10.2.2.0 0.0.0.255 any

route-map nonat permit 10
match ip address 101



Martijn


- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens JM
Verzonden: maandag 16 december 2002 12:35
Aan: [EMAIL PROTECTED]
Onderwerp: VPN Client+IOS [7:59283]


Hello
I am trying to run VPN beetwen VPN Client 3.6.2.A and Cisco 2651. On Cisco
router I have: Software with 3DES/IP PLus/FW/IDS - Version 12.2(11)T2 Router
has 4 interfaces: serial 0/1 - Internet here I gave cryptomap fasteth 0/1
-DMZ fasteth 0/0 -LAN ( here I want to be tgrough VPN) I have the same
configuration like in TAC help :
http://www.cisco.com/warp/customer/471/ipsecrouter_vpn.html
VPN Client can login inside router, and I have ipaddress from router, 
but I don't see anything. I can't ping.
I have question ?
Where am Im inside the router ? I am in,  but I don't see anything. When I
will have : ip access-list out on fast0/0 (LAN) what should I
enable ? I have nat inside on fast 0/0 and outside on ser 0/1 Regards JM
Version: PGP 8.0

iQA/AwUBPhoJc3dq56XWk+VyEQK89gCg3+KCCkku2715DESXMZKofwxptnsAoMdU
Y0VwPf1Hyx9CaBuNqOreI30C
=vomy
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60466t=59283
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: O/T more campus design issues [7:60136]

2003-01-03 Thread mjans001

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Priscilla,

For startup (win 9x) you must put wins in place. The Netbios node type is
covered in a prev thread.

You can do a include statement in the client lmhosts file that refers to a
lmhosts file at the DC for (example the netlogon share or on a random
server) for scaling issues.

Browsing:
Older Windows boxes make lousy browsing masters. They elect all the time,
startup/shut. Also the LANMAN processes are not that tuned for that role.

So putting NT on the segment (for file/print) trough multi-home or vlan tags
is recommended, sure when there are al lot of win 9x clients. Make that
WINS, and you are OK.

I've seen that work fine.

My 2 eurocents

Martijn

- -Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Verzonden: donderdag 2 januari 2003 23:16
Aan: [EMAIL PROTECTED]
Onderwerp: O/T more campus design issues [7:60136]


You all remember my very simple campus network re-design that I've been
helping out with? It sure has been keeping me humble. ;-)

So we upgraded the single subnet to two subnets and two VLANs.

Everything is working OK except for Windows networking. The PCs on the new
subnet can't find a domain controller for authentication.

So, you can feel free to yell at me for not gathering more information on
the symptoms, but the client hasn't told me much. ;-) But does this ring a
bell with anyone? Are there standard recommendations on how to handle this
in a subnetted VLANed internetwork.

I'm not too well informed on Windows networking. My co-author wrote that
chapter in my troubleshooting book.

Thank-you so much!

Priscilla
Version: PGP 8.0

iQA/AwUBPhVcXndq56XWk+VyEQJtxACfTnxxXhn1VNAYEa5IO9YXPwQBLc4AoPkR
4Hx1X4WCHL0K29snGvn3agg/
=8zm5
-END PGP SIGNATURE-




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=60200t=60136
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: VPN Client+IOS [7:59283]

2002-12-16 Thread mjans001

Last time iot worked for me I used another private range (than i use in
the lan) for the vpn clients, and had to triple check my access-lists,
especially the one that encrypts from lan to vpn client. Make sure that
your vpn headend (2600) is the default gateway for that vpn client lan,
or give away a static route per server.

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Jacek
Malinowski
Verzonden: maandag 16 december 2002 22:53
Aan: [EMAIL PROTECTED]
Onderwerp: Re: VPN Client+IOS [7:59283]


I have 4 interfaces:
Serial 0/1 - public IP for example 1.1.1.1
fast 0/1 -public IP for example 2.2.2.2
fast 0/0 -LAN IP : 192.168.1.1/24
My ip address pool for VPN : 192.168.1.170-192.168.1.190
On VPN padlock i haver Ip address from router for example 192.168.1.170 
but I can't ping any address on LAN.
I don't know I am using the newest VPN Client : 
vpnclient-win-is-3.6.3.Rel-k9
I have ip nat inside on Fast 0/0 and outside on ser 0/1 but without 
doesn't work to :(.

Ben Woltz wrote:
 The IP address that your VPN Client gets from the router, are you 
 advertising that route through your network?
 
 JM  wrote in message [EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 
Hello
I am trying to run VPN beetwen VPN Client 3.6.2.A and Cisco 2651. On 
Cisco router I have: Software with 3DES/IP PLus/FW/IDS - Version 
12.2(11)T2 Router has 4 interfaces:
serial 0/1 - Internet here I gave cryptomap
fasteth 0/1 -DMZ
fasteth 0/0 -LAN ( here I want to be tgrough VPN)
I have the same configuration like in TAC help :
http://www.cisco.com/warp/customer/471/ipsecrouter_vpn.html
VPN Client can login inside router, and I have ipaddress from router,
but I don't see anything. I can't ping.
I have question ?
Where am Im inside the router ? I am in,  but I don't see anything.
When I will have : ip access-list out on fast0/0 (LAN) what should I
enable ? I have nat inside on fast 0/0 and outside on ser 0/1
Regards
JM




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59352t=59283
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Mac network [7:58945]

2002-12-15 Thread mjans001

Always harcode L2 speeds with mac, especially on the switch and server.

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Dwayne
Saunders
Verzonden: woensdag 11 december 2002 17:32
Aan: [EMAIL PROTECTED]
Onderwerp: Mac network [7:58945]


Hi all Mac users
I have a small problem with a network that I was asked to look
at there is 6 end user machines and 1 server all connected via a switch
the problem is that when connected to the switch network transfers to
and from the server are very slow i.e. 100meg file take approx 18
minutes 
Now I have swapped the cheap $100 switch out and replaced it with a
another one from the supplier still the same problem I then replaced the
switch with a hub and now everything flies along The Mac's are running
9.2 os and from what I can see without doing a network capture there is
speed and duplex conflict these settings cant be changed on this os.

So any help with this would be greatly appreciated.

Regards

D'Wayne Saunders
Data Network Administrator

Phone:  +61 8 8950 7742
Mobile: +61 412 832 322
Fax:  +61 8 8952 1112

www.lasseters.com.au
  
World's First Government Licensed and Regulated Online Casino...



***
This email message (and attachments) may contain information that is
confidential to Lasseters Online. If you are not the intended recipient
you cannot use, distribute or copy the message or attachments. In such a
case, please notify the sender  by return email immediately and erase
all copies of the message and attachments. Opinions, conclusions and
other information in this message and attachments that do not relate to
the official business of Lasseters Online are neither given nor endorsed
by it.


***




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59228t=58945
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Cisco 675 DSL ATM Setting [7:59225]

2002-12-14 Thread mjans001

Group, anybody experience with the 675 series?

I am trying to put a vpi of 8 in the config but it does not accept it,
goes to 4.

http://www.cisco.com/univercd/cc/td/doc/product/dsl_prod/c600s/600inop/r
config.htm#xtocid1095515

Says 

 In CBOS version 2.3 or earlier, the VPI count is 1 to 4. In later
versions, the VPI count is 1 to 8. 

But i cannot config it 

Config that is NOT accepted:

set interface wan0-0 disable
write
set interface wan0-0 vpi 8
set interface wan0-0 vci 48
set interface wan0-0 enable
Write


OS Version 
nsrouter.c675.2.4.6.bin
I need to set 8/48 vpi/vci fot the telco in the netherlands.

Any ideas? Had no luck on usenet.

Martijn

Cheers




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=59225t=59225
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: How to change the default Telnet port of a router [7:58647]

I started using  ssh. I think TheraTherm also has a free client. I
placed some effort in not using standard port 22 ssh.

ip ssh authentication-retries 2
ip ssh port 2500 rotary 1

line vty 0 4
 access-class 199 in
 rotary 1
 transport input telnet ssh

no access-list 199
access-list 199 permit tcp  000x any eq telnet
(inside)
access-list 199 permit tcp any any eq 2500
(from outside?)

Martijn


-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Simon
Cheng
Verzonden: donderdag 5 december 2002 20:24
Aan: [EMAIL PROTECTED]
Onderwerp: How to change the default Telnet port of a router [7:58647]

Hi, can anyone tell me is that possible to change the default telnet
port no. on a cisco router? Say I dont want to use tcp port 23 to telnet
to my company router.
Simon




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58815t=58647
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: PIX 501 and MSN Messanger Voice / Video Chat [7:58809]

I agree. Nat some ports to inside, see if they telnet or something.

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Verzonden: maandag 9 december 2002 20:39
Aan: [EMAIL PROTECTED]
Onderwerp: PIX 501 and MSN Messanger Voice / Video Chat [7:58809]


Guys
I have just installed PIX 501 at my home network, i can not do VOICE /
VIDEO chat through MSN Messanger / Net Meeting. For testing i am
permitting IP ANY ANY on outside Interface. Still same issue, Let Me
know if you know the fix or work around to this problem.

thanks,


--
Curious

MCSE, CCNP




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58816t=58809
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: more VPN fun... [7:58818]

Am working on the IOS version of what you are doing. We better keep each
other posted.

In a few weeks I am bound to roll out multi ios to (pix head-end) 3des
ipsec hub/spoke.

Martijn


-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Edward
Sohn
Verzonden: maandag 9 december 2002 21:44
Aan: [EMAIL PROTECTED]
Onderwerp: more VPN fun... [7:58818]


anyone have any working configs of a PIX set up for a site-to-site IPSec
tunnel with another PIX (at a remote site), as well as set up for mobile
user VPN access (through dialup/dsl/cable/etc)?  the client will user
secure VPN client 3.0 for windows.

i have the docs from CCO, but someone told me that their config for the
remote user is wrong and does not work right.

appreciate your help.  please email me directly.

ed




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58822t=58818
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Graphical Bandwidth Utilization [7:58819]

Check this.
Not really a log analyser, but nice realtime internet traffic stats
features for pix (if that is the only edge device).

http://www.stonylakesolutions.com/sls/insideout.jsp 


Does a lot, cheap verion also.

Martijn





-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Patrick
Matthews
Verzonden: maandag 9 december 2002 22:43
Aan: [EMAIL PROTECTED]
Onderwerp: Re: Graphical Bandwidth Utilization [7:58819]


Thanks for the responses - New Question: A good Realtime Log analyzer
for our Pix  and 2651 Internet Router Syslog's. One that would
preferrably run on Win2k (Not absolutely neccessary though). One that is
capable of detecting portscans and the like as close to Real time as
possible. Thanks in advance

John McCartney  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 When I was at an ISP we used MRTG. There are many available on the
Internet,
 some require a server. HTH's




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58847t=58819
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Graphical Bandwidth Utilization [7:58819]

Webtrends (now NetIQ) should do a good job (a large suite), but tested
it only for a day on IOS.

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Patrick
Matthews
Verzonden: maandag 9 december 2002 22:43
Aan: [EMAIL PROTECTED]
Onderwerp: Re: Graphical Bandwidth Utilization [7:58819]


Thanks for the responses - New Question: A good Realtime Log analyzer
for our Pix  and 2651 Internet Router Syslog's. One that would
preferrably run on Win2k (Not absolutely neccessary though). One that is
capable of detecting portscans and the like as close to Real time as
possible. Thanks in advance

John McCartney  wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
 When I was at an ISP we used MRTG. There are many available on the
Internet,
 some require a server. HTH's




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58846t=58819
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: RE: Block MSN Messenger [7:57595]

2002-11-29 Thread mjans001

AOL instant messenger can be blocked by filtering out the following I.P.
addresses: 
205.188.3.160. 205.188.3.176, 
205.188.5.204, 
205.188.5.208, 
205.188.7.164, 
205.188.7.168, 
205.188.7.172 
205.188.7.176, and 

 DNS name of login.oscar.aol.com which is used to login to aol instant
messenger.

block yahoo messenger 
msg.sc5.yahoo.com 
msg.yahoo.com

MSN
gateway.messenger.hotmail.com

This should resolve most of your messenger blocking issues. If you need
anything else, let me know.
 
 

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Namens Mears,
Rob
Verzonden: dinsdag 19 november 2002 18:28
Aan: [EMAIL PROTECTED]
Onderwerp: RE: RE: Block MSN Messenger [7:57595]


Yes and I have done it all via the PIX
Where you run into problems is when they use port 80.

Rob

Rob H Mears III, CCNP, MCSE, NNCDS, NNCSS, CNE, A+
LAN Engineer and Technical Mercenary
Valor Telecom
469.420.2656


-Original Message-
From: vikramjskeer [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, November 19, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: Block MSN Messenger [7:57595]

Hi All,


Very rightly said that these messengers use so many servers and so many
ports that it's kind of impossible to block them all. But you can very
easily do it, right on the OS level. I know about the Win2K that you can
set up some system policies with which you can directly block these exes
themselves.


Hope it helps:


Regards,


Vikram

Lidiya White wrote:



Try to block the login servers: http://acronymsonline.com/im_ips.htm

-- Lidiya White



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Josh Green
Sent: Monday, November 18, 2002 10:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Block MSN Messenger [7:57595]


It is possible, however Messenger uses so many different ports on so
many different servers that it's not worth your time.

-Original Message-
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 18, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: Re: Block MSN Messenger [7:57595]

no. don't waste your time.


Ahed Naimi wrote in message
[EMAIL PROTECTED]">news:[EMAIL PROTECTED]...
gt; Dear All;
gt;
gt; Is there any way to block MSN Messenger by using the access-list
statements gt; on an IOS Cisco router. gt; gt; Thanks All. Get Your
Private, Free E-mail from Indiatimes at http://email.indiatimes.com Buy
Music, Video, CD-ROM, Audio-Books and Music Accessories from
http://www.planetm.co.in Change the way you talk. Indiatimes presents
Valufon, Your PC to Phone service with clear voice at rates far less
than the normal ISD rates. Go to http://www.valufon.indiatimes.com.
Choose your plan. BUY NOW.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=58302t=57595
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: RE: Block MSN Messenger COMPLETE [7:58304]

2002-11-29 Thread mjans001

Sorry my 11th finger seemed to hit send.

From several lists, but not tested thouroughly
http://www.groupstudy.com/archives/cisco/200206/msg00480.html 

 
Block Kazaa
Kazaa connects to other peers running Kazaa, on port 1214. So, the best
way to block Kazaa downloads is to reject incoming and outgoing data
packets-both TCP and UDP packets-on this port.
Block Gnutella clients
The P2P apps, which use the Gnutella network connect to peers on ports
6346 and 6347.


AOL instant messenger can be blocked by filtering out the following I.P.
addresses:

But BLOCK internal DNS server AOL's DNS first BLOCK out  from /32 to
205.188.0.0/16 port = 53
aim.aol.com
login.oscar.aol.com 
64.12.161.153bucp1-vip-m.blue.aol.com
64.12.161.185bucp2-vip-m.blue.aol.com
152.163.214.75  bucp-r01.blue.aol.com
152.163.214.76  bucp-r02.blue.aol.com
152.163.214.108bucp-r03.blue.aol.com
152.163.242.24
152.163.241.120
152.163.241.128
152.163.241.96
205.188.1.56
205.188.3.160
205.188.3.176
205.188.4.106
205.188.5.204
205.188.5.208
205.188.7.164
205.188.7.168
205.188.7.172
205.188.7.176
205.188.147.114
205.188.147.113
205.188.147.114
205.188.148.180
205.188.148.181


AOL Instant Messenger - Ok, I have been able to block this one with
pretty solid results. I had to pretty much block 1 class C's worth of
addresses in the 64 region of AOL's address range, but have not heard
any complaints thus far. The program is pretty damn smart about getting
around rules in your firewall. It will try and use FTP, TELNET, HTTP,
FINGER, NETBIOS over IP, APPLETALK over IP, 1080 (SOCKS), 1024, Lotus
Notes (TCP 1352) and a few others. I pretty much locked the subnet down
but AIM was somehow getting through. I finally figured out that my
CheckPoint firewall was allowing DNS traffic outbound in my rule base
above rule 1. I had to go to the Properties section and disable the
implicit access to DNS (TCP/UDP 53). Once I did that, it killed AIM
altogether. 



DNS name of login.oscar.aol.com which is used to login to aol instant
messenger.

block yahoo messenger
msg.sc5.yahoo.com
msg.yahoo.com

msg.edit.yahoo.com
messenger.yahoo.com
http.pager.yahoo.com
cs.yahoo.com
Default Port: 5050
216.136.175.145
216.136.224.213
216.136.224.214
216.136.225.11
216.136.225.12
216.136.225.35
216.136.225.36
216.136.225.83
216.136.225.84
216.136.226.117
216.136.226.118
216.136.131.93
216.136.175.142
216.136.175.143
216.136.175.144

access-list 101 deny ip 10.1.4.0 0.0.0.255  216.136.0.0 0.0.255.255 
access-list 101 deny ip 10.1.4.0 0.0.0.255  66.163.0.0 0.0.255.255
access-list 101 deny ip 10.1.4.0 0.0.0.255 64.58.0.0 0.0.255.255

Test first.


MSN
gateway.messenger.hotmail.com
Messenger uses port 1863, but if you block it then it can automatically
switch to port 80. 
1. Add the following registry key into client machines either through
login script or similar: 
HKLM\SOFTWARE\Policies\Microsoft\Messenger\Client\PreventRun=1 
This will prevent Messenger from running, whether or not it is
installed. Because this key isn't modified during a Messenger
install/re-install/upgrade, and isn't removed if the software is
uninstalled, this should work for you. 

Nov. 9, and there were multiple login servers, where in the past there
was only one.  By Nov. 29, it appeared that there were login servers at
addresses 
64.4.13.17 64.4.13.170 through 64.4.13.190.  
Microsoft may be adding even more in the future.  I was still able to
block MSN Messenger with just default filter exceptions and the Access
Rule listed above, but should a new version of MSN Messenger come out
that is able to slip by the proxy rules, try redirecting an entire
subnet.  Redirecting subnet 64.4.13.160 (255.255.255.224) will prevent
traffic from reaching all addresses from 64.4.13.161 through
64.4.13.191.  (Changing that subnet to 64.4.13.128 and the subnet mask
to 255.255.255.128 would expand the blocking to 64.4.13.129 through
64.4.13.255). 

Block ICQ/AIM traffic
block out from any to any port = 5190
block in  from any to any port = 5190
web.icq.com
ads.icq.com
login.icq.com
cb.icq.com
icq.mirabilis.com
http.proxy.icq.com 
 
 
 
 
Work in progress. (from several posts)
 
Martijn Jansen 





-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [ 
mailto:[EMAIL PROTECTED]] Namens Mears, Rob
Verzonden: dinsdag 19 november 2002 18:28
Aan: [EMAIL PROTECTED]
Onderwerp: RE: RE: Block MSN Messenger [7:57595]


Yes and I have done it all via the PIX
Where you run into problems is when they use port 80.

Rob

Rob H Mears III, CCNP, MCSE, NNCDS, NNCSS, CNE, A+
LAN Engineer and Technical Mercenary
Valor Telecom
469.420.2656


-Original Message-
From: vikramjskeer [ 
mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 19, 2002 10:46 AM
To: [EMAIL PROTECTED]
Subject: Re: RE: Block MSN Messenger [7:57595]

Hi All,


Very rightly said that these messengers use so many servers and so many
ports that it's kind of impossible to block them all. But you can very

RE: Need Help ( DNS Server)

2001-02-09 Thread mjans001


Hi,
Check client hostname and domain name in local IP-stack.

PER interface DNS resolution can done in NT, but normally PER DOMAIN/PER
MACHINE. So check local IP settings.

Browse trough hostname AND domain name of the DNS server locally (ipstack)
also.

Cheers, Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Shahid
Muhammad Shafi
Verzonden: maandag 5 februari 2001 4:10
Aan: [EMAIL PROTECTED]
Onderwerp: Need Help ( DNS Server)


I m just running a DNS server with Microsoft DNS
manager and I got 8 clients on the subnet. The problem
i  having here is that I can ping all the clients from
DNS Server using their FQDN but when I try to ping the
DNS server from the clients they ping it only when I
give the Hostname i.e Labserver but they dont ping it
whaen i try using Labserver.itplab.com

Any suggestions???

Thanks in advance
Shahid

__
Get personalized email addresses from Yahoo! Mail - only $35
a year!  http://personal.mail.yahoo.com/

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: routers for home lab

2001-02-07 Thread mjans001


Do not forget that practicing with reverse telnet is HANDY for the lab (do
not kill me if I am not right) so a 2509/11 would do great, only it has 2s
and 1e.

I am getting pretty used to telnetting into my 4 other routers/1 switch
trough my 2511.. octal cable.

Believe ccieprep.com has a labdocument where they state the use of the
reverse telnetting, also every CCIE book comes back on the subject.

Cheers Martijn


http://www.ccprep.com/resources/news/archives/ccielab.zip




-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens kz
Verzonden: woensdag 7 februari 2001 3:13
Aan: [EMAIL PROTECTED]
Onderwerp: routers for home lab


hi

i want to make a home lab of my own as a preparation for the CCIE lab test.
what kind of routers and switches do i need to build such lab?
I already have 4 2500 (2 2501s, 2503, 2523) routers and 1 Catalyst 5000.

any advice is highly appreciated

kz

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Merging two companies

2001-02-06 Thread mjans001


Why don't you combine nat with 2 or 3 extra IP's in a dmz.

The road from 1 to 2 would look like this.

c1  NAT--FW-- vpn --FW--dmz- IP1 / ip2 / ip3 -dmz--- nat --- c2

10.x packet dest ip1/2/3 say 25.x

25.x server maps share/port/server to internal ip 10.x


The dmz ip's can map internal c2 servers with shares, caching /forwarding
mail servers etc.

Just a braindunp, maybe tunable. #;-)

Cheers, Martijn

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

1200 Catalyst for CCNP lab?

2001-02-01 Thread mjans001


Group, I would like to know if it is a good buy to get a few Catalyst 1200's
for switching certification.

Has anyone used them, and are they any use for the exam.

The 1900 with Enterprise I already have has IOS and the syntaxes etc on the
1200 look different, but support building VLAN's, TRUNK's etc.

Cheers

Martijn

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: IPSec help

2001-01-31 Thread mjans001


What you could use is a separate OR double tunnel, for example (some extra
public IP's)

network private

nat (here) to public ip (behind FW=DMZ)

vpn FW ipsec(here) source

 internet

vpn FW ipsec dest

nat (here) from public ip to private ip (behind FW=DMZ)

network private

This chapter shines a in-dept light on the topic, and also explains a
pass-trough vpn scenario.

http://www.microsoft.com/TechNet/win2000/win2ksrv/reskit/intch09.asp



Cheers,

Martijn

-Oorspronkelijk bericht-

Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Ricky

Gomez

Verzonden: woensdag 31 januari 2001 16:43

Aan: '[EMAIL PROTECTED]'

Onderwerp: IPSec help



Hey all, I'm trying to implement IPsec in my existing network but we are

using NAT. In order for the Encapsulating Secure Payload (ESP) and

Authentication Header (AH) protocol to exit out my network the packet cannot

be modified, in which it is being modified due to Network Address

Translation (NAT), so the connection is terminated.

Does anyone know what appliance I need to invest in, in order to make this

work?

Ricky Gomez

LAN/WAN ENGINEER

Email: mailto:[EMAIL PROTECTED]



_

FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html

Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: WAN switching Exam

2001-01-29 Thread mjans001



http://cramsession.brainbuzz.com/cramsession/cisco/ccna_ws/

sorry.

Cheers
-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens mjans001
Verzonden: dinsdag 16 januari 2001 14:58
Aan: Stuart Laubstein; [EMAIL PROTECTED]
Onderwerp: RE: WAN switching Exam


Try the QA  forum here.

Cheers.

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Stuart
Laubstein
Verzonden: dinsdag 16 januari 2001 14:13
Aan: '[EMAIL PROTECTED]'
Onderwerp: WAN switching Exam


Are there any good books for the CCNA Wan switching exam? Is it a useful
cert in any case--ie are companies looking for it at all or even know it
exists? The exam outline looked pretty much like CCNA with some of the stuff
from CCNP thrown in but not much. Has anyone actually taken the test?

thanks

stu

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Cisco router purchase FW: Home CCNP lab


A little from the archives

Cheers
Martijn Jansen

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Chris Larson
Verzonden: vrijdag 24 november 2000 21:28
Aan: Elias Aggelidis; Michael Ross; [EMAIL PROTECTED]
Onderwerp: Re: Home CCNP lab


Actually you could get by just fine with 2 or 3 2500 series and a Cat 1900.
The CAT 1900 has basically the same OS as 5000. Make sure the 2500's have a
couple serial (use them as a frame relay or X.25 switch) and to test ISDN
you will need an ISDN interface and ISDN simulator.
  - Original Message -
  From: Elias Aggelidis
  To: Michael Ross ; [EMAIL PROTECTED]
  Sent: Friday, November 24, 2000 12:44 PM
  Subject: Re: Home CCNP lab


  Hi,

  I do not think that you need to setup a LAB
  to pass the CCNP.

  But if you would like to do it you must have a 55xx, 36xx, 7xx, 25xx and
maybe a 4xxx

  Regards
- Original Message -
From: Michael Ross
To: [EMAIL PROTECTED]
Sent: Friday, November 24, 2000 1:51 AM
Subject: Home CCNP lab


G Day


I am currently looking at setting up a home lab to self study CCNP. I
would be most appreciative if any one would be able to assist me
by advising what equipment would be required and avaiable to carry out
most of the labs.

I am in Australia and am willing to purchase second hand equipment.
Hopefully the Aussie dollar will improve for exchange rates.


Regards,

Michael.








_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Cisco router purchase FW: 2523 or 2522 for homelab


RE: 2523 or 2522 for homelabIn addition to the archives I found for you:

A dual 2501 lab is good for starters because of the 2 serials a piece, and
the ethernet connection.
For BCRAN you will need ISDN interfaces though ( 2 2503's).
At the moment articles surface about dialing through the aux port that every
25* router posesses.
Then DDR/backup and Snapshot routing should work also.
(Then no BRI needed, but you may to leartn a little about the complex world
of ISDN signaling).

Do not want to dive too deap into routing here, as every BSCN, CCIEprepbook
etc. book lists them fine, the labs show the amount of routers you need.
One is fine for basics, 2 for routing basics, 3 for 3/4 of all routing, then
you go to 4-5-6 etc CAT 5000.

My lab I ordered at Netfix.com has a
2509 for reverse telnetting, 2 serials, 1 Eth, x async
2521 for working as a frame switch, 4 serials, 1 TR, BRI
2514 with 2 serials and 1 TR, 1 Eth.
Nice package with all cabling, trancievers, TR equipment etc.

1603 for ETH/BRI already there.

Later more can be added, if your budget allows.
You will want to watch IOS versions, I believe you will need atleast 11.2,
enterprise plus version if possible for Exterior routing.

Try to look in the future, what labs do belong to that future, then start
building, IOS/memory can be upgraded (ebay), but no ports added (if not
buying 2524/2525).

My 2nd 0.2c as a beginner.

Martijn
MCP 18x
CCNA

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Han Nguyen
Verzonden: donderdag 16 november 2000 13:54
Aan: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Onderwerp: RE: 2523 or 2522 for homelab


The different is the Fixed LAN port: Ethernet for 2522 and Token Ring for
2523.

Cisco 2522/CPA2522  1 Ethernet port with a selectable AUI connection or 1
Ethernet 10BaseT connection
1 ISDN BRI port (RJ-45)
2 high-speed synchronous serial ports
8 low-speed asynchronous/synchronous serial ports

Cisco 2523/CPA2523  1 Token Ring STP port or 1 Token Ring UTP port
1 ISDN BRI port (RJ-45)
2 high-speed synchronous serial ports
8 low-speed asynchronous/synchronous serial ports

Any router with Token Ring port is usually much cheaper than the one with
Ethernet port.

If you only use it as a Frame-Switch, then the 2523 can do the same job as
the 2522.

Han.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 15, 2000 9:24 PM
To: [EMAIL PROTECTED]
Subject: 2523 or 2522 for homelab



Hi,Group
   My small homelab have 2 2501s , and I want to add a
Frame-Switch ,but I have some questions
   Why the 2522 is much more expensive than the 2523? They are
just the same except the Fixed Lan Port, but I found  a 2522 costs
$2xxx ,and the 2523 costs just $1xxx on www.iqsale.com.
  If I use the routers in the homelab, can a 2523 do the lab than
one 2522 can do?IMHO, 2523 is more suitable for the homelab,because
it's cheaper,Please correct me,thanks a lot.

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]


_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Writing on 26/1


Carl, go get it, keep the level of concentration .
;-)

Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens
Celliers, Carl
Verzonden: donderdag 25 januari 2001 14:54
Aan: '[EMAIL PROTECTED]'
Onderwerp: Writing on 26/1


Im writing CCIE Written tomorrow.

Hold thumbs for me.

Carl





**
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.

www.mimesweeper.com
**

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: Question about Napt


Hi Fred. I don't have the answers, but came across a nice NA(p)T article.
I'll be watching while this also has my interest.

http://www.cisco.com/warp/public/759/ipj_3-4/ipj_3-4_nat.html


Quote:
The Cisco Secure PIX Firewall series supports port address translation (PAT)
with "port-level multiplexing"---a method to further conserve IP addresses.
With PAT, users' inside local addresses are automatically converted to
single outside local addresses using different port numbers to distinguish
between each translation. More than 64,000 inside hosts can be served by a
single outside IP address with PAT.
http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/pie_ds.htm

Somewher else it states 64.000 TCP-connections at the same time.
Not the theory, but some info after all.

Cheers, Martijn

-Oorspronkelijk bericht-
Van: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]Namens Fred
Danson
Verzonden: donderdag 25 januari 2001 15:07
Aan: [EMAIL PROTECTED]
Onderwerp: Question about Napt


 Hi, I was reading RFC3022 about Napt last night, and I still dont
understand one thing about it. From what I understand is that Napt allows
you to use one single globally unique IP address on the WAN interface of
your router, and then a large number of local addresses inside your network
which aren't globally unique.
 Now the router will be able to translate the different traffic streams
coming from the WAN according to the port on the packet. So if host A inside
the network wanted to communicate with Host B which is on a different
outside network, it would directly address the outside site, and the router
would catch the packet enroute and change the source IP address to the
router WAN interface IP address and also change the source port to a port of
the router's discretion.
 Normally, from what I understand, ports are used to multiplex streams
of traffic across a link. If Host A was using two applications and wanted to
start a second session with Host B. Would the router allow this? The RFC
states "While not a common practice, it is possible to have an application
on a private host establish multiple simutaneous sessions originating from
the same tuple of (private address, private TU port). In such a case, a
single binding for the tuple of (private address, private TU port) may be
used for translation of packets pertaining to all sessions originating from
the same tuple on a host. How exactly would the applications know which
traffic stream was for itself?
Also, how many local hosts can the router assign to a single IP address
before it has to use a second IP address? Could a company of 10 use a
single IP address for NAPT? or would it need to use more than one?


Thanks in advance,

Freddy
_
Get your FREE download of MSN Explorer at http://explorer.msn.com

_
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

_
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

RE: CCNA Exam results