Re: eigrp lab [7:26566]
www.fatkid.com is a good place to start with some intermediate level labs.

Bob Wilson wrote:
> Does anyone have suggestions on setting up an eigrp lab??? I have some
> equipment already bought but need some suggestions and a direction to go..

--
Jason
Boson BCMSN1 BSCN2 BSCI2 practice tests
E-Quizware CCIE practice test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26574&t=26566
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Re: ISDN problem [7:26625]
Zapeta -

Suggest you use "debug ppp" (particularly, "debug ppp authentication") to determine what is going on. My ignorant hunch would be an authentication problem (the callback connection is established, then dropped). In particular, don't you need the command "authentication chap" on R9?

Jason

zapeta zape wrote:
> Hello Guys,
> I am having a problem with ISDN configuration. Can anyone help?
> I have 1 ISDN connection between r8 and r9 and I want r8 to initiate a call
> and get authenticated by r9
> Here is the configuration
>
>
> R8
> username cisco5 password 0 cisco
> username r9 password 0 cisco
> !
> interface BRI0/0
>  ip address 150.10.65.1 255.255.255.252
>  no ip directed-broadcast
>  encapsulation ppp
>  ip ospf network non-broadcast
>  ip ospf demand-circuit
>  ip ospf database-filter all out
>  dialer callback-secure
>  dialer enable-timeout 9
>  dialer map ip 150.10.65.2 name r9 class dial1 broadcast 7704324217
>  dialer load-threshold 128 outbound
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 77043242400101
>  ppp callback request
>  ppp authentication chap
>  ppp multilink
> !
> map-class dialer dial1
>  dialer callback-server username
> !
>
> access-list 101 deny ospf any any
> access-list 101 permit ip any any
> dialer-list 1 protocol ip list 101
>
>
> ==
> r9
>
> username cisco5 password 0 cisco
> !
>
> interface BRI0/0
>  ip address 150.10.65.2 255.255.255.252
>  encapsulation ppp
>  ip ospf network non-broadcast
>  ip ospf demand-circuit
>  ip ospf database-filter all out
>  dialer callback-secure
>  dialer map ip 150.10.65.1 name cisco5 class dial1 broadcast 7704324240
>  dialer load-threshold 1 either
>  dialer-group 1
>  isdn switch-type basic-ni
>  isdn spid1 77043242170101
>  cdapi buffers regular 0
>  cdapi buffers raw 0
>  cdapi buffers large 0
>  ppp callback accept
>  ppp chap hostname cisco5
>  ppp multilink
> !
> map-class dialer dial1
>  dialer callback-server username
> !
> access-list 101 deny ospf any any
> access-list 101 permit ip any any
> dialer-list 1 protocol ip list 101
>
>
>
> When I tried to ping the dialer map this is what I am getting:
>
> Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> *Mar 2 04:38:24: %ISDN-6-CONNECT: Interface BRI0/0:2 is now connected to 7704324240
> *Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
> *Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
> *Mar 2 04:38:24: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 7704324217
> *Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
> *Mar 2 04:38:26: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
> *Mar 2 04:38:26: %ISDN-6-CONNECT: Interface BRI0/0:2 is now connected to 7704324240

--
Jason
Boson BCMSN1 BSCN2 BSCI2 practice tests
E-Quizware CCIE practice test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26638&t=26625

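The connect-then-drop pattern that the reply above points to can be picked out of a longer log mechanically. The following is an added example, not part of the original posts: the function names and the 2-second threshold are assumptions, and the log lines are the ones quoted in the post.

```python
import re
from datetime import datetime

# Log lines from the post above, with the mail-wrapped lines rejoined.
LOG = """\
Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
*Mar 2 04:38:24: %ISDN-6-CONNECT: Interface BRI0/0:2 is now connected to 7704324240
*Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to down
*Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
*Mar 2 04:38:24: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 7704324217
*Mar 2 04:38:24: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
*Mar 2 04:38:26: %LINK-3-UPDOWN: Interface BRI0/0:2, changed state to up
*Mar 2 04:38:26: %ISDN-6-CONNECT: Interface BRI0/0:2 is now connected to 7704324240
"""

STAMP = r"^\*?(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d): "
UPDOWN = re.compile(STAMP + r"%LINK-3-UPDOWN: Interface (?P<ifc>\S+), "
                            r"changed state to (?P<state>up|down)")
CONNECT = re.compile(STAMP + r"%ISDN-6-CONNECT: Interface (?P<ifc>\S+) "
                             r"is now connected to (?P<num>\d+)")


def parse_ts(ts):
    """IOS omits the year; pin one, since only differences are used."""
    mon, day, clock = ts.split()
    return datetime.strptime(f"2000 {mon} {day} {clock}", "%Y %b %d %H:%M:%S")


def short_calls(log, max_secs=2):
    """Return (channel, number, seconds_up) for every B-channel that came up
    and dropped again within max_secs. Stamps have one-second resolution."""
    up_at, number, hits = {}, {}, []
    for line in log.splitlines():
        m = UPDOWN.match(line.strip())
        if m and m["state"] == "up":
            up_at[m["ifc"]] = parse_ts(m["ts"])
        elif m and m["ifc"] in up_at:
            held = (parse_ts(m["ts"]) - up_at.pop(m["ifc"])).total_seconds()
            num = number.pop(m["ifc"], None)
            if held <= max_secs:
                hits.append((m["ifc"], num, held))
        else:
            c = CONNECT.match(line.strip())
            if c:
                number[c["ifc"]] = c["num"]
    return hits
```

Both B-channels in the quoted log are reported as dropping in the same second they connected; pairing such hits with "debug ppp authentication" output shows whether the drop follows a failed CHAP exchange.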
RE: Boson Tests border on Unethical [7:26639]
The basic analysis here seems to make sense. But there is an implied assumption that doesn't. There will always be some people that take advantage of a situation, but the majority of people do not. Our society and economy, to say nothing of complex organizations in general, could not possibly function as they do unless that were the case.

Boson has always suggested to me that tests should be written based on the stated exam criteria on CCO and the subjects covered in associated cisco curricula. YMMV.

Jason - Boson author (bcmsn1, bscn2, bsci, quizware ccie)

Kaminski, Shawn G wrote:
>
> It's easy to see what's happening here. All of Boson's tests are done by
> different authors. Each author is going to try like hell to get their
> questions as close as possible to the questions on the actual exams, if not
> right from the exams. Boson doesn't care because they state right in their
> author contract that they are not responsible for exams that contain
> questions that break the NDA. The author will be held responsible. It's not
> like Boson's going to double-check every authored exam for NDA violations.
> Anyway, the closer the author comes to the actual exam questions, the more
> exams he'll sell when word gets around that, for example, "Boson Test #2 is
> the one you need to get". However, Boson isn't doing anything different than
> any other company selling certification practice exams. It's a ridiculously
> huge, cut-throat, and competitive market out there for study materials.
>

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27061&t=26639

Re: Routers as tftp servers [7:27912]
JP wrote:
> It is a lot safer and easy to manage if you just use a PC, I do not see why
> you would want to use your router as tftp server.

Your PC might not be in the appropriate location to act as the tftp server. For example, at an ISP, the routers are internet connected and the PCs are on a management LAN behind a firewall. You'd have to punch a hole in that firewall, but the routers are obviously directly connected to each other.

Jason
author, Boson bcmsn1, bscn2, bsci2, Quizware ccie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=27938&t=27912

tunneling with previously undefined endpoint? [7:32057]
Help, I can't think of a way to do this. :-(

We have two IPSec "appliances" at work that require known, routable addresses on their "non-secure" ethernet interfaces.

We want to create a kit engineers can take home for remote IPSec access into the network from personal cable/dsl connections. Our typical home networks have a cheapo router running NAT. The router is getting a real "outside" address from a service provider via DHCP (point "C" in the drawing). On the inside, we use private addressing (point "B").

The problem is to configure an IPSec appliance with a real address but connect it via the private address LAN at home. The obvious way to do this is with a tunnel, so we've managed to scavenge a couple of old 2500s for this purpose...

IPSec               cheapo                                    IPSec
appliance -->2500-->router-->ISP-->Internet-->3660-->2500-->appliance
           A      B        C                              D

Ideally, we want a tunnel from the left side of the left 2500 to either the 3660 or the right 2500 so that we can give the left IPSec appliance some of our address space. With GRE, however, you have to specify the endpoint addresses in advance, and of course we don't know what address the ISP will give one via DHCP.

After some reading, I _think_ PPPoE, L2F, PPTP, and L2TP won't help us much.

Does anyone have any ideas?

Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32057&t=32057

Re: tunneling with previously undefined endpoint? [7:32057]
Henry -

Absolutely right, the "dynamic" keyword for crypto maps solves the problem, but our Cisco SE and quite a few others at work are quite sure that we can't run IPSec on a 2500. I thought the 2500s could be used just to provide cleartext encapsulation (to keep the vpn appliances happy). The link you ref. specifies the 2500 platform and the IOS feature navigator _does_ show IPSec support on a 2500 (with the right image, of course).

Guess I'll have to call our SE ... thanks for the tip! Hey, if this works we can toss the IPSec appliances!

Jason

Henry D. wrote:
> If I get this correctly you can use dynamic-map feature
> as seen in the example here:
>
> http://www.cisco.com/warp/customer/707/ios_804.html
>
> "the-other-jason" wrote in message
> news:[EMAIL PROTECTED]...
>
> >> Help, I can't think of a way to do this. :-(
> >>
> >> We have two IPSec "appliances" at work that require known, routable
> >> addresses on their "non-secure" ethernet interfaces.
> >>
> >> We want to create a kit engineers can take home for remote IPSec access
> >> into the network from personal cable/dsl connections. Our typical home
> >> networks have a cheapo router running NAT. The router is getting a real
> >> "outside" address from a service provider via DHCP (point "C" in the
> >> drawing). On the inside, we use private addressing (point "B").
> >>
> >> The problem is to configure an IPSec appliance with a real address but
> >> connect it via the private address LAN at home. The obvious way to do
> >> this is with a tunnel, so we've managed to scavenge a couple of old
> >> 2500s for this purpose...
> >>
> >>
> >> IPSec               cheapo                                    IPSec
> >> appliance -->2500-->router-->ISP-->Internet-->3660-->2500-->appliance
> >>            A      B        C                              D
> >>
> >> Ideally, we want a tunnel from the left side of the left 2500 to either
> >> the 3660 or the right 2500 so that we can give the left IPSec
> >> appliance some of our address space. With GRE, however, you have to
> >> specify the endpoint addresses in advance, and of course we don't know
> >> what address the ISP will give one via DHCP
> >>
> >> After some reading, I _think_ PPPoE, L2F, PPTP, and L2TP won't help us
> >> much
> >>
> >> Does anyone have any ideas?
> >>
> >> Jason

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32066&t=32057

Re: OT: Support for IPSec on 7513 [7:32060]
CCO says you can use IPSEC on a 7513 (and I've seen, if memory serves, DES56 secure shell, so the encryption itself should not be a problem) if the image is intended for a 7513 (i.e., rsp) and it includes IPSEC, nothing should crash and/or burn (i.e., a 7200 image won't load on a 7500). ;-)

And if you look at the release notes, they do specify images with rsp support and ipsec. For example, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121relnt/xprn121/121feats.htm#xtocid96 which makes no mention of any additional processor requirements.

Like you said, there is no ISA for the 75xx, there must be a typo in the configuration guide.

Jason

John Neiberger wrote:
> I'm confused about what is needed to run IPSec on a 7513. The Cisco IOS
> Security Configuration Guide mentions that an Integrated Services
> Adapter is needed for IPSec on a 7200 or 7500 series router. However,
> upon looking closer at the ISA, CCO says that this is only for the 7100
> or 7200 routers. An ISA for a 7500 does not appear to be available. If
> it is, I'm looking in the wrong place.
>
> So, what's the scoop? If I were to simply load an IPSec image on the
> 7513 would it melt and die a horrible death? What is necessary to make
> this work? Buy a 7200? :-)
>
> Thanks,
> John

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32075&t=32060

Re: tunneling with previously undefined endpoint? [7:32057]
Unless the pix is really cheap, this might be a tough sell. We could do it fairly cheaply already -- a 1720 at work with (free) Cisco vpn clients to take home. But then they start saying at work, well, we need a spare, and of course there is maintenance. The problem, frankly, is that this is not a mission critical function, just something that would allow an engineer to provide level 3 support to the NOC after hours ...

Thanks for the suggestion, though, I'll ask my SE.

Jason

Mark Odette II wrote:
> Jason-
>
> Why not just invest in a half-dozen (or however many you need) PIX 501's and
> be done with it.
> This way, you ditch the "Cheapo Router", the 2500, and the "IPSEC
> appliance".
>
> If I recall correctly, the PIX 501 has PPPoE support (after all, that's the
> niche market it's targeting!) and it can do IPSEC with dynamic maps (I
> believe).
>
> And the plus side is, you get to learn hands-on some PIX stuff, if you
> didn't have the experience already!
>
> BTW- PIX 501s are "Nationally Back-Ordered for 3DES 10 User Units" as of the
> last I heard from the distributor last week, until Mid to late February. :(
>
> Mark Odette II

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32144&t=32057

Re: tunneling with previously undefined endpoint? [7:32057]
1. Thanks for the GRE tunnel with keys suggestion, but can you configure this without specifying the remote endpoint? Any idea where I could find this on CCO ... the logical interface configuration guide seems to say that the endpoints _must_ be specified and that keys just provide weak protection against misconfiguration. But, if you can avoid configuring the endpoint, this would fit the bill perfectly :-)

2. Has anyone ever fooled with "asynchronous host mobility?" This demands some lab time

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122sup/122csum/csum2/122csdia/dsfshsev.htm#xtocid630954

and

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/inter_c/iclogint.htm#xtocid564814

3. Several folks have written asking if IPSec wouldn't choke a 2500 to which the answer is, but the traffic would be so light, just a 3des tunnel usually carrying a single active telnet session (to provide remote troubleshooting access). Does the group think this is an unwise load for a 2500?

Jason

Robert Oppenheimer wrote:
> If by dynamic, you mean GRE multipoint tunneling (with keys)
> You got it!!

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=32147&t=32057

Re: Xmodem fails [7:33289]
It's possible on many platforms to tftp download from the rom monitor. If you have physical access and a laptop with ether, you can be back on the air pretty fast.

Sounds like you talked with the TAC, and they should have told you if this was an option on your platform, but

Jason

Michael Smith wrote:
> After booting, at the console we got the rommon#> 1 prompt, and error
> messages that the image decompression had failed, invalid format, blah
> blah blah. Everything had been working fine for a couple of months, then
> this, just as this beast is to go into production. We tried to install
> new IOS on this new, isolated, stand-alone router, via Xmodem, because
> there was no other apparent way to do it. It failed, and Cisco said the
> only other way was to replace the flash with a factory installed IOS,
> which we will do.
>
> Anyone out there had similar problems (Xmodem failure)? We also do not
> have an identical or similar router with PCMCIA cards.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=6&t=33289

Re: Checking overall LAN utilization [7:33256]
Priscilla is absolutely right, it's a fuzzy question. I have just two things to add.

If the network is "mainly LAN" that suggests that there are some wide area links. Because wide area links are usually slower than local area media and are used by lots of users, congestion on them is definitely worth checking. Also, if there are complaints about response to a distant resource, you should also look at delay (which you could check with ping). If people are complaining about the time required for a complex interaction (one requiring many packets in both directions), it's possible that a moderate amount of delay can be a problem.

Second, ethernet is different from most media. Because of the way ethernet works utilization numbers require some interpretation, at least for half duplex operation. This necessarily includes segments used by more than two hosts, if you have any. There are no definite definitions of what's ok and what's too much, but utilization above 40% (and maybe less), IMHO, should be considered congested.

HTH,

Jason

Priscilla Oppenheimer wrote:
> At 06:36 PM 1/25/02, Doug Korell wrote:
> >> I have checked individual switches and routers for utilization before but
> >> when asked what the average utilization of an entire network (mainly LAN)
> >> is, what exactly makes up this figure? I am working on getting a packet
> >> sniffer which I know will help take all the variables and give me an answer
> >> but is there a way to do it without one? How about SNMP queries? If anyone
> >> can help explain this or knows of a good website, please let me know.
> >> Thanks.
>
> That's a rather old-fashioned question. It used to make sense on a shared
> LAN. You could put a Sniffer or RMON Probe in a shared hub and get a
> measurement of how much of the overall, shared 10-Mbps capacity was in use
> on the LAN.
>
> In these days of microsegmented, switched networks, you can't do that
> easily. You can only monitor the switch ports that you mirror.
>
> Each switch port provides full capacity, usually 100-Mbps full duplex. (You
> would have to know if that's true for your network.) Overall capacity is
> the number of ports times the speed. Overall utilization would be the
> aggregate of each port utilization divided by the overall capacity, I
> guess. (But people don't actually tend to make that calculation.)
>
> Another capacity issue is the backplane speed of the switches and routers
> in use. That could actually be more of a bottleneck than overall LAN
> capacity.
>
> Did a pointy-haired boss type ask you to make this measurement? I'm afraid
> you might have to explain that it doesn't make sense. Work with them to
> specify which individual LAN ports need monitoring, rather than trying to
> find an overall number. The ports that you should monitor are any ones that
> aggregate traffic. Check the utilization on trunk lines and links that go
> to mission-critical servers. Also, check utilization on an end-user port
> while doing some typical processes, including logging into the network. It
> might also make sense to check other performance metrics such as response
> time.
>
> Hopefully others will respond too in case I have a blind spot with regards
> to this, but my initial thought is that this is not the right performance
> measurement to be considering for a modern LAN.
>
> Priscilla
>
>
> Priscilla Oppenheimer
> http://www.priscilla.com

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=33354&t=33256

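The SNMP route asked about in the thread above comes down to polling each port's octet counters twice and turning the difference into a rate. The following is an added example, not part of the original posts: it computes per-port utilization with counter-wrap handling, the overall figure as described in the quoted reply, and the half-duplex ports above the 40% rule of thumb. All names and the sample counters are constructed for illustration.

```python
from dataclasses import dataclass

COUNTER32 = 2 ** 32           # ifInOctets / ifOutOctets are 32-bit and wrap
HALF_DUPLEX_LIMIT = 0.40      # rule of thumb from the post above


@dataclass
class Poll:
    """One SNMP poll of a port: time in seconds and the two octet counters."""
    t: float
    in_octets: int
    out_octets: int


def delta(new, old, modulus=COUNTER32):
    """Counter difference that stays correct across one wrap between polls.
    At 100 Mbps a 32-bit octet counter wraps in under six minutes, so poll
    more often than that or read the 64-bit ifHCInOctets / ifHCOutOctets."""
    return (new - old) % modulus


def used_bps(a, b, full_duplex):
    """Bits per second in use between polls a and b.
    Full duplex: each direction has its own capacity, so take the busier one.
    Half duplex: both directions share the medium, so add them."""
    secs = b.t - a.t
    if secs <= 0:
        raise ValueError("polls must be in time order")
    rx = delta(b.in_octets, a.in_octets) * 8 / secs
    tx = delta(b.out_octets, a.out_octets) * 8 / secs
    return max(rx, tx) if full_duplex else rx + tx


def summarize(ports):
    """ports maps name -> (poll_a, poll_b, speed_bps, full_duplex).
    Returns (per-port utilization, overall figure, congested half-duplex
    ports); overall = sum of used bps / sum of port speeds."""
    per_port, congested, total_used, total_speed = {}, [], 0.0, 0
    for name, (a, b, speed, fdx) in ports.items():
        rate = used_bps(a, b, fdx)
        per_port[name] = rate / speed
        total_used += rate
        total_speed += speed
        if not fdx and per_port[name] > HALF_DUPLEX_LIMIT:
            congested.append(name)
    return per_port, total_used / total_speed, congested


# Constructed sample: 10-second polls; the hub port's input counter wraps.
SAMPLE = {
    "hub-port": (Poll(0, COUNTER32 - 500_000, 1_000),
                 Poll(10, 2_000_000, 3_751_000), 10_000_000, False),
    "server":   (Poll(0, 0, 0), Poll(10, 112_500_000, 12_500_000),
                 100_000_000, True),
    "idle-pc":  (Poll(0, 0, 0), Poll(10, 125_000, 125_000),
                 100_000_000, True),
}
```

On the sample data `summarize(SAMPLE)` gives an overall figure of about 45% while the server port runs at 90%, which is why the quoted reply recommends watching individual aggregating ports.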
Re: Frame Relay CIR [7:26199]
JJohn Tafasi wrote:
> Does it affect IPX tick?

IPX assumes 6 ticks for a serial interface unless you run IPXWAN, which actually measures the delay.

> Does it affect OSPF cost? (assuming subinterfaces are used)

No, OSPF will not know the CIR.

--
Jason
Boson BCMSN1 BSCN2 BSCI2 practice tests
E-Quizware CCIE practice test

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=26210&t=26199