RE: Multicast private ip address [7:71411]
You can find the scope of the addresses here:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/mcst_sol/mcst_ovr.htm#xtocid7

Regards,
Janó

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71736t=71411
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: Multicast private ip address [7:71411]
Hi,

We have some reserved address ranges as follows: 224.0.0.0 to 224.0.0.255 and 239.0.0.0 to 239.255.255.255. You can check more details on multicasting.

Mwalie

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=71422t=71411
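The two ranges Mwalie names are the ends of the IPv4 multicast space that matter most for filtering: 224.0.0.0/24 is the Local Network Control Block (link-local, never forwarded by routers) and 239.0.0.0/8 is the Administratively Scoped block of RFC 2365 (the multicast equivalent of private addressing, to be stopped at the organisation boundary). The following is an added example, not code from the thread or from the Cisco document it links to; it classifies a group address by block using the IANA registry as assigned in RFC 5771, derives the AS number encoded in a GLOP address (RFC 3180), and computes the 01:00:5e MAC that a group maps to so that the 32:1 address overlap, which makes MAC-level filtering useless as a boundary, is visible.

```python
import ipaddress

# IPv4 multicast blocks (IANA registry / RFC 5771, RFC 2365, RFC 3180), most specific first.
# The first and last entries are the two ranges named in the post; the rest are added context.
MULTICAST_BLOCKS = [
    (ipaddress.ip_network("224.0.0.0/24"), "local-network-control"),  # TTL 1, never routed
    (ipaddress.ip_network("224.0.1.0/24"), "internetwork-control"),   # may cross the Internet
    (ipaddress.ip_network("232.0.0.0/8"), "ssm"),                     # source-specific multicast
    (ipaddress.ip_network("233.0.0.0/8"), "glop"),                    # 233.<AS hi>.<AS lo>.0/24
    (ipaddress.ip_network("239.0.0.0/8"), "admin-scoped"),            # block at the domain edge
]


def multicast_scope(addr: str) -> str:
    """Label the block an IPv4 group address belongs to."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return "not-multicast"
    for net, label in MULTICAST_BLOCKS:
        if ip in net:
            return label
    return "global"  # any other 224.0.0.0/4 address: globally scoped


def glop_asn(addr: str) -> int:
    """Recover the 16-bit AS number embedded in a GLOP (233.0.0.0/8) group address."""
    ip = ipaddress.ip_address(addr)
    if ip not in ipaddress.ip_network("233.0.0.0/8"):
        raise ValueError(f"{addr} is not a GLOP address")
    return (int(ip) >> 8) & 0xFFFF  # second and third octets


def multicast_mac(addr: str) -> str:
    """Map a group address to its Ethernet MAC: 01:00:5e + low 23 bits of the IP.

    Only 23 of the 28 group bits survive, so 32 groups share one MAC.
    """
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not multicast")
    mac = 0x01005E000000 | (int(ip) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


if __name__ == "__main__":
    for group in ("224.0.0.5", "224.2.127.254", "233.1.2.0", "239.255.255.250"):
        print(f"{group:16} {multicast_scope(group):24} {multicast_mac(group)}")
    print("233.1.2.0 encodes AS", glop_asn("233.1.2.0"))
    # 224.1.1.1 and 239.129.1.1 differ only in the five bits the MAC mapping drops.
    print(multicast_mac("224.1.1.1") == multicast_mac("239.129.1.1"))
```

The scope label is what a boundary ACL should key on: 239/8 traffic belongs inside, 224.0.0.0/24 never leaves its link regardless of filtering, and anything else is globally routable. The MAC collision check is the reason a host NIC or switch that filters on 01:00:5e addresses still delivers frames for 31 unrelated groups.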
BGP Query : Removal of Private AS numbers. [7:56678]
Hi,

I am using IOS 12.2 and have a query on BGP operation. I configure private AS numbers to be removed towards an EBGP neighbor. A peer group is also configured, though it does not have private AS number removal configured. When this neighbor is brought into the peer group, features like local-AS get reset (i.e. the neighbor's properties get lost and it takes whatever properties the peer group has). However, the private AS number removal for the neighbor does not change but is RETAINED for that neighbor. Any special reasons for this behavior (in the case of private AS number removal)?

Another anomaly which seems to exist is that if we change the AS number of the peer group and make this an internal peer group, even then the removal of private AS numbers for that neighbor remains set, though it is not supposed to be set for IBGP neighbors. Is this a bug?

- srivatsan -

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=56678t=56678
Log files - spoofing from private 10 address [7:52552]
My log files show that the 10.78.0.1 address is attempting to get through my perimeter router. Would anyone know if this is someone really trying to spoof me, or what? And is there any way or tool I can use to determine the real public source address this entity is coming from? Does anyone know if that is a port number (67) beside the IP address and (68) beside that 32-bit host mask?

thx
Randy

1w3d: %SYS-5-CONFIG_I: Configured from console by console
1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 1 packet
1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 7 packets
1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 4 packets
1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 6 packets

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52552t=52552
RE: Log files - spoofing from private 10 address [7:52552]
Randy,

This appears to be a DHCP server querying its clients. This is pretty common on a cable modem network. Yes, that is UDP port 67, and as you can see, it's a broadcast. I wouldn't think it's a hacker, because of the fact that it's a broadcast. It's probably just someone running a DHCP server on their home network.

Eddie

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of McHugh Randy
Sent: Monday, September 02, 2002 11:34 AM
To: [EMAIL PROTECTED]
Subject: Log files - spoofing from private 10 address [7:52552]

> My log files show that the 10.78.0.1 address is attempting to get through my perimeter router. Would anyone know if this is someone really trying to spoof me, or what? And is there any way or tool I can use to determine the real public source address this entity is coming from? Does anyone know if that is a port number (67) beside the IP address and (68) beside that 32-bit host mask?
>
> thx
> Randy
>
> 1w3d: %SYS-5-CONFIG_I: Configured from console by console
> 1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 1 packet
> 1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 7 packets
> 1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 4 packets
> 1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) - 255.255.255.255(68), 6 packets

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=52575t=52552
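Eddie's reading of the log (UDP 67 to 68, destination 255.255.255.255, source in 10/8) is exactly the kind of rule worth automating when an ACL on a perimeter router logs thousands of denies. The following is an added example, not code from either post: it parses `%SEC-6-IPACCESSLOGP` lines of the form shown, tags each as DHCP server broadcast noise, an RFC 1918 source sent to a unicast address (the case that would merit a question to the upstream provider, since nothing in the packet itself reveals a "real" public source), or other, and totals the packet counts per source and tag. The sample log is constructed from the lines Randy posted, with the `->` arrow that IOS prints restored and one extra unicast line added to exercise the second rule.

```python
import ipaddress
import re
from collections import Counter

# The three RFC 1918 blocks; spelled out rather than using ip.is_private so that
# loopback, link-local and other special ranges are not lumped in.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# IOS access-list logging line for TCP/UDP, e.g.
# "1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) -> 255.255.255.255(68), 7 packets"
LOG_RE = re.compile(
    r"^(?P<uptime>\S+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample: Randy's four lines plus one unicast line that a DHCP server would not send.
SAMPLE_LOG = [
    "1w3d: %SYS-5-CONFIG_I: Configured from console by console",
    "1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) -> 255.255.255.255(68), 1 packet",
    "1w3d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) -> 255.255.255.255(68), 7 packets",
    "1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) -> 255.255.255.255(68), 4 packets",
    "1w4d: %SEC-6-IPACCESSLOGP: list 199 denied udp 10.78.0.1(67) -> 255.255.255.255(68), 6 packets",
    "1w4d: %SEC-6-IPACCESSLOGP: list 199 denied tcp 10.78.0.1(1034) -> 203.0.113.5(80), 3 packets",
]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line: str):
    """Return the fields of an IPACCESSLOGP line as a dict, or None for any other message."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("sport", "dport", "count"):
        entry[key] = int(entry[key])
    return entry


def classify(entry: dict) -> str:
    """Tag a parsed entry with the explanation a reviewer would attach to it."""
    to_broadcast = ipaddress.ip_address(entry["dst"]) == LIMITED_BROADCAST
    src_private = is_rfc1918(entry["src"])
    if entry["proto"] == "udp" and entry["sport"] == 67 and entry["dport"] == 68 and to_broadcast:
        return "dhcp-server-broadcast"     # server -> client offer/ack; link-local chatter
    if src_private and to_broadcast:
        return "private-source-broadcast"  # other local broadcast from an RFC 1918 host
    if src_private:
        return "private-source-unicast"    # leaked or forged source; ask the upstream provider
    return "other"


def summarize(lines) -> Counter:
    """Total packets per (source, tag); non-ACL lines are skipped."""
    totals = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            totals[(entry["src"], classify(entry))] += entry["count"]
    return totals


if __name__ == "__main__":
    for (src, tag), packets in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {tag:26} {packets:5d} packets")
```

The broadcast-with-private-source tag is the one to treat as noise at a perimeter (the rest of the answer to Randy's "can I find the real source" is that for a forged source address only the provider's ingress filtering or flow records can say where it entered); the unicast tag is the one worth counting and, if it persists, raising with the upstream.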
Re: private addressing [7:49083]
> Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?

Public. The private blocks are

10/8
172.16/12
192.168/16

Again, the sooner you stop thinking in classful terms, the easier real-world addressing becomes.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49118t=49083
RE: private addressing [7:49083]
Howard,

Since 192.168/16 is supposedly Class C, can you tell me why, if I configure RIPv1, it allows me to configure network 192.168.0.0 instead of giving me an error? I've tested it, and of course it does not generate or accept any updates until you change it to something like 192.168.10.0, although it reports when you do a sh ip prot that it is routing for networks 192.168.0.0 and 192.168.10.0. Is this a Cisco IOS feature? I guess the same thing holds true with my question on the 172.16/12 private IP.

Thanks in advance for your input.

Elmer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: Thursday, July 18, 2002 9:11 AM
To: [EMAIL PROTECTED]
Subject: Re: private addressing [7:49083]

> > Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?
>
> Public. The private blocks are
>
> 10/8
> 172.16/12
> 192.168/16
>
> Again, the sooner you stop thinking in classful terms, the easier real-world addressing becomes.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49181t=49083
RE: private addressing [7:49083]
At 9:08 PM + 7/18/02, cebuano wrote:

> Howard,
>
> Since 192.168/16 is supposedly Class C, can you tell me why, if I configure RIPv1, it allows me to configure network 192.168.0.0 instead of giving me an error?

The traditional class C space began with 192/8, of which 192.168/16 is a part. I'm puzzled by your comment, since I generally use 192.168.0.0/24 for /30 serial links when I write scenarios, and never have any problem.

There's no formal relationship between RIPv1 and RFC 1918 addressing; RIPv1 long preceded private addressing. According to the IETF, RIPv1 is in Historic status, or considered obsolete.

> I've tested it, and of course it does not generate or accept any updates until you change it to something like 192.168.10.0.

I know this runs in some of the Gett scenarios. From S0010: [EMAIL PROTECTED]

!
! Establishes initial RIP-only routing on R1.
!
hostname r1
!
interface Loopback0
 ip address 192.168.255.1 255.255.255.252
!
interface Loopback1
 ip address 172.16.0.1 255.255.0.0
!
interface Ethernet0/0
 description to Cat 5K 3/1
 ip address 192.168.4.1 255.255.255.0
 half-duplex
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
 no frame-relay inverse-arp
 frame-relay lmi-type ansi
!
interface Serial1/0.2 point-to-point
 description FR hub to R2; rev should be 211
 ip address 192.0.2.1 255.255.255.252
 frame-relay interface-dlci 112
!
interface Serial1/0.3 point-to-point
 description FR hub to R3; rev should be 311
 ip address 192.0.2.5 255.255.255.252
 frame-relay interface-dlci 113
!
interface Serial1/1
 description serial to R3
 bandwidth 56
 ip address 192.168.0.1 255.255.255.252
!
router rip
 network 172.16.0.0
 network 192.0.2.0
 network 192.168.0.0
 network 192.168.2.0
 network 192.168.4.0
 network 192.168.255.0
!
ip classless

> Although it reports when you do a sh ip prot that it is routing for networks 192.168.0.0 and 192.168.10.0. Is this a Cisco IOS feature? I guess the same thing holds true with my question on the 172.16/12 private IP.
>
> Thanks in advance for your input.
>
> Elmer
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
> Sent: Thursday, July 18, 2002 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: private addressing [7:49083]
>
> > > Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?
> >
> > Public. The private blocks are
> >
> > 10/8
> > 172.16/12
> > 192.168/16
> >
> > Again, the sooner you stop thinking in classful terms, the easier real-world addressing becomes.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49194t=49083
Re: private addressing [7:49083]
You can enter all kinds of things into the RIP process and not get errors. It doesn't mean it will work the way you want it to. Did you know, for example, that about the only way to get CIDR routes INTO a Cisco RIPv2 router is to redistribute them?

cebuano wrote in message news:[EMAIL PROTECTED]...

> Howard,
>
> Since 192.168/16 is supposedly Class C, can you tell me why, if I configure RIPv1, it allows me to configure network 192.168.0.0 instead of giving me an error? I've tested it, and of course it does not generate or accept any updates until you change it to something like 192.168.10.0, although it reports when you do a sh ip prot that it is routing for networks 192.168.0.0 and 192.168.10.0. Is this a Cisco IOS feature? I guess the same thing holds true with my question on the 172.16/12 private IP.
>
> Thanks in advance for your input.
>
> Elmer
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
> Sent: Thursday, July 18, 2002 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: private addressing [7:49083]
>
> > > Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?
> >
> > Public. The private blocks are
> >
> > 10/8
> > 172.16/12
> > 192.168/16
> >
> > Again, the sooner you stop thinking in classful terms, the easier real-world addressing becomes.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49207t=49083
Re: private addressing [7:49083]
It's probably not valid to frame the question as one that stands to confirm or deny the validity of a definition, such as that applied to the notion of a class C address, based upon the behavior exhibited by a given implementation of old-style TCP/IP. Unlike many parts of life, in this case the definition supersedes the implementation.

Conversely, in the context of scrutinizing Cisco's RIP implementation, your questions are quite timely and relevant. I'd love to know the answers myself. It's obvious that Cisco has a reason to stand behind and invest effort into their IGRP/EIGRP implementation. Based upon both Fred Baker's pivotal role in crafting RFC 1812 and his professional affiliations, their effort in maintaining a competitive OSPF implementation comes as no surprise (I fully admit that those observations may not have had any causal affect or effect on actual events, but I wonder if the reality of their unrobust RIP implementation might have encouraged them to more fervently refine and enhance their OSPF implementation). But I've always wondered why they have been several steps behind other competitors as far as their RIP implementation is concerned, in terms of both controlling and diagnosing its behavior. The simple answer is one indirectly implied in threads from many months back: that their proprietary "hybrid" (whatever that means outside the context of gatherings of marketing executives) protocol effort left them with little motivation to direct a sufficient quantity of their programming wherewithal and might towards a truly robust RIP implementation. Is there more to it? The few high-level Cisco engineers I've interacted with seemed well-versed in all commonly adopted routing protocols EXCEPT RIP, indicating somewhat of a pattern corporate-wide.

Nota bene: my reference point is Wellfleet's RIP implementation, which mattered a lot more when both Wellfleet and RIP were more prominent participants in the capital-I Internet and the enterprise organizations which fed off of it.

----- Original Message -----
From: cebuano
To:
Sent: 18 July 2002 5:08 pm
Subject: RE: private addressing [7:49083]

> Howard,
>
> Since 192.168/16 is supposedly Class C, can you tell me why, if I configure RIPv1, it allows me to configure network 192.168.0.0 instead of giving me an error? I've tested it, and of course it does not generate or accept any updates until you change it to something like 192.168.10.0, although it reports when you do a sh ip prot that it is routing for networks 192.168.0.0 and 192.168.10.0. Is this a Cisco IOS feature? I guess the same thing holds true with my question on the 172.16/12 private IP.
>
> Thanks in advance for your input.
>
> Elmer
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
> Sent: Thursday, July 18, 2002 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: private addressing [7:49083]
>
> > > Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?
> >
> > Public. The private blocks are
> >
> > 10/8
> > 172.16/12
> > 192.168/16
> >
> > Again, the sooner you stop thinking in classful terms, the easier real-world addressing becomes.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49213t=49083
private addressing [7:49083]
Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49083t=49083
Re: private addressing [7:49083]
Public, though it apparently hasn't been doled out:

dmadlan horton:/aces/home/dmadlan $ whois 172.35.0.0
No match for 172.35.0.0.

Dave

birdy wrote:

> Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?

--
David Madland
CCIE# 2016
Sr. Network Engineer
Qwest Communications Inc.
612-664-3367
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49084t=49083
RE: private addressing [7:49083]
Actually, it's 172.16.0.0 to 172.31.255.255. So the answer is yes, 172.35.0.0 is from the public block.

Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of birdy
Sent: Wednesday, July 17, 2002 8:14 PM
To: [EMAIL PROTECTED]
Subject: private addressing [7:49083]

> Can anyone tell me: 172.16.0.0 - 172.31.0.0 is used for class B private addressing. That means that it can use 16 class B network addresses. Now, let's say I want to use the 172.35.0.0 block; is this considered a private address or a public address?

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=49088t=49083
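The whole thread turns on one piece of prefix arithmetic: 172.16/12 covers 172.16.0.0 through 172.31.255.255 (the sixteen classful /16s Dan corrects the question to), so 172.35.0.0 lies outside it. The following is an added example, not code from the thread: it derives the first and last address of each RFC 1918 block and how many old-style class A/B/C networks it contains, and answers "is this block private?" for an address or prefix, which is the check a perimeter filter or an address-plan review needs.

```python
import ipaddress

# The three RFC 1918 blocks, keyed by the shorthand Howard used in the thread.
RFC1918 = {
    "10/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}

CLASS_LETTER = {8: "A", 16: "B", 24: "C"}


def classful_prefix(ip: ipaddress.IPv4Address) -> int:
    """Historical class from the first octet: A is /8, B is /16, C is /24."""
    first = int(ip) >> 24
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError(f"{ip} is not a classful unicast address")


def describe(block: str) -> dict:
    """First/last address of an RFC 1918 block and the number of classful networks it spans."""
    net = RFC1918[block]
    cls = classful_prefix(net.network_address)
    if net.prefixlen > cls:
        raise ValueError("block is smaller than one classful network")  # not the case for RFC 1918
    return {
        "first": str(net[0]),
        "last": str(net[-1]),
        "class": CLASS_LETTER[cls],
        "classful_networks": 2 ** (cls - net.prefixlen),
    }


def which_private_block(target: str):
    """Return the RFC 1918 block label that wholly contains an address or prefix, else None.

    A prefix that merely overlaps a private block (e.g. 172.0.0.0/8) is not private.
    """
    net = ipaddress.ip_network(target, strict=False)  # a bare address becomes a /32
    for label, block in RFC1918.items():
        if net.subnet_of(block):
            return label
    return None


if __name__ == "__main__":
    for label in RFC1918:
        d = describe(label)
        print(f"{label:12} {d['first']:15} - {d['last']:15}  "
              f"{d['classful_networks']} class {d['class']} network(s)")
    for candidate in ("172.35.0.0", "172.31.255.255", "172.16.0.0/12", "172.0.0.0/8"):
        print(f"{candidate:16} -> {which_private_block(candidate) or 'public'}")
```

`describe("172.16/12")` reports 16 class B networks, 172.16.0.0 to 172.31.255.255, which is why 172.35.0.0 comes back as public while 172.31.255.255 is still inside the block; `192.168/16` comes back as 256 class C networks, the point Howard was making about thinking in prefix lengths rather than classes.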
Re: Private Addressing over Distances [7:44946]
You know... I just revamped a class B network (150.150.0.0) that a company had implemented years ago, and they didn't own the space. Even though everything seemed to be working properly, the entire 150.150 network was not accessible on the Internet. Heaven forbid Microsoft move their Hotmail servers to 150.150.x.x. There should be no reason not to do things the right way... :)

Craig Columbus 05/25/02 01:25PM wrote:

> IMO, it's never a good idea to use public addresses in a private network. The standard response I get when I tell people this is "Well, it's never going to be put on the Internet or connected to another network, so it doesn't matter." But, you should look at it this way: For a given network, there are two outcomes: 1) It will never be connected to another network or 2) It will someday be connected to another network.
>
> For small test networks, training networks, home networks, etc., the first option may truly be the case. If so, it is just as easy to assign one of the 10.x, 172.x, or 192.x networks as it is to assign some other IP block that another company may own. At the least, it gets you accustomed to working with the RFC spec private ranges.
>
> For business networks, experience tells me that you should always assume that the network will be connected to another network at some point in the future... even if you can't imagine it now. To mitigate problems down the road, an RFC spec private range should be used. This doesn't eliminate the possibility of overlapping private addresses if, for example, you merge with another company that uses the same private block. It does, however, assure that if you hook to the Internet, you won't hit a local server when trying to get to a registered IP address on the Internet.
>
> Here's a true story to illustrate the point: I was called in to examine a network that had chronic connectivity problems to points both inside and outside the corporate network. When I looked at the routers, I was astonished to find that each WAN remote site and each subnet had a different public block assigned. Further, there was a spattering of routing protocols installed, including RIP, OSPF, and iBGP, with no apparent purpose or reason. The company had a single Internet gateway that was performing NAT. I pointed out all of the flaws with the installation and design to the company owners, who insisted on calling a meeting with the company that had been maintaining the network. We sat down at the table and I presented my findings. The network admin's only defense of his workmanship was "Show me where it says that I can't set things up this way." Needless to say, the meeting was over in less than an hour and I walked away with a substantial contract to fix and maintain the network. I readdressed the network and put static routes in place of the routing protocols. Problem was solved and connectivity was never again an issue.
>
> The moral of the story is that just because you CAN do something, it doesn't mean that you SHOULD do something.
>
> Craig
>
> At 12:52 AM 5/25/2002 -0400, you wrote:
>
> > Thanks Craig. Yes, I know 128.128.0.0 is not technically a standard private address defined in RFC 1918, but those are just so that ISPs have a standard address for which to block routing information. Therefore a private address within a network can be any class A, B or C address. Thanks for your reply.
> >
> > Jarred

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45246t=44946
Re: Private Addressing over Distances [7:44946]
IMO, it's never a good idea to use public addresses in a private network. The standard response I get when I tell people this is "Well, it's never going to be put on the Internet or connected to another network, so it doesn't matter." But, you should look at it this way: For a given network, there are two outcomes: 1) It will never be connected to another network or 2) It will someday be connected to another network.

For small test networks, training networks, home networks, etc., the first option may truly be the case. If so, it is just as easy to assign one of the 10.x, 172.x, or 192.x networks as it is to assign some other IP block that another company may own. At the least, it gets you accustomed to working with the RFC spec private ranges.

For business networks, experience tells me that you should always assume that the network will be connected to another network at some point in the future... even if you can't imagine it now. To mitigate problems down the road, an RFC spec private range should be used. This doesn't eliminate the possibility of overlapping private addresses if, for example, you merge with another company that uses the same private block. It does, however, assure that if you hook to the Internet, you won't hit a local server when trying to get to a registered IP address on the Internet.

Here's a true story to illustrate the point: I was called in to examine a network that had chronic connectivity problems to points both inside and outside the corporate network. When I looked at the routers, I was astonished to find that each WAN remote site and each subnet had a different public block assigned. Further, there was a spattering of routing protocols installed, including RIP, OSPF, and iBGP, with no apparent purpose or reason. The company had a single Internet gateway that was performing NAT. I pointed out all of the flaws with the installation and design to the company owners, who insisted on calling a meeting with the company that had been maintaining the network. We sat down at the table and I presented my findings. The network admin's only defense of his workmanship was "Show me where it says that I can't set things up this way." Needless to say, the meeting was over in less than an hour and I walked away with a substantial contract to fix and maintain the network. I readdressed the network and put static routes in place of the routing protocols. Problem was solved and connectivity was never again an issue.

The moral of the story is that just because you CAN do something, it doesn't mean that you SHOULD do something.

Craig

At 12:52 AM 5/25/2002 -0400, you wrote:

> Thanks Craig. Yes, I know 128.128.0.0 is not technically a standard private address defined in RFC 1918, but those are just so that ISPs have a standard address for which to block routing information. Therefore a private address within a network can be any class A, B or C address. Thanks for your reply.
>
> Jarred

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45034t=44946
Re: Private Addressing over Distances [7:44946]
Couple of thoughts in line:

Craig Columbus wrote in message news:[EMAIL PROTECTED]...

> IMO, it's never a good idea to use public addresses in a private network. The standard response I get when I tell people this is "Well, it's never going to be put on the Internet or connected to another network, so it doesn't matter."

CL: it never snows here in my home town, either. Things change.

> But, you should look at it this way: For a given network, there are two outcomes: 1) It will never be connected to another network or 2) It will someday be connected to another network.
>
> For small test networks, training networks, home networks, etc., the first option may truly be the case. If so, it is just as easy to assign one of the 10.x, 172.x, or 192.x networks as it is to assign some other IP block that another company may own. At the least, it gets you accustomed to working with the RFC spec private ranges.
>
> For business networks, experience tells me that you should always assume that the network will be connected to another network at some point in the future... even if you can't imagine it now. To mitigate problems down the road, an RFC spec private range should be used. This doesn't eliminate the possibility of overlapping private addresses if, for example, you merge with another company that uses the same private block. It does, however, assure that if you hook to the Internet, you won't hit a local server when trying to get to a registered IP address on the Internet.

CL: NAT can solve a lot of problems. However, IMHO, those problems, NAT notwithstanding, are easier to solve if you use either your own public space or reserved private space.

> Here's a true story to illustrate the point: I was called in to examine a network that had chronic connectivity problems to points both inside and outside the corporate network. When I looked at the routers, I was astonished to find that each WAN remote site and each subnet had a different public block assigned. Further, there was a spattering of routing protocols installed, including RIP, OSPF, and iBGP, with no apparent purpose or reason. The company had a single Internet gateway that was performing NAT. I pointed out all of the flaws with the installation and design to the company owners, who insisted on calling a meeting with the company that had been maintaining the network. We sat down at the table and I presented my findings. The network admin's only defense of his workmanship was "Show me where it says that I can't set things up this way."

CL: don't you just love this kind of attack/response? There's no place I know of where it says you can't bathe in gasoline either.

> Needless to say, the meeting was over in less than an hour and I walked away with a substantial contract to fix and maintain the network. I readdressed the network and put static routes in place of the routing protocols. Problem was solved and connectivity was never again an issue.
>
> The moral of the story is that just because you CAN do something, it doesn't mean that you SHOULD do something.
>
> Craig
>
> At 12:52 AM 5/25/2002 -0400, you wrote:
>
> > Thanks Craig. Yes, I know 128.128.0.0 is not technically a standard private address defined in RFC 1918, but those are just so that ISPs have a standard address for which to block routing information. Therefore a private address within a network can be any class A, B or C address. Thanks for your

CL: the problem arises when you have reason or need to connect to those in the public world using subnets of that particular public space. It can get real ugly real fast. Now granted, the chances are that you won't need to connect to the Woods Hole Oceanographic Institution (if the ARIN record is current). But you never can tell.

> > reply.
> >
> > Jarred

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45037t=44946
Re: Private Addressing over Distances [7:44946]
Craig,

You are absolutely correct, and I was well aware of each of the important concepts and points you made. I was simply saying a random address to use for my example, but thanks =)

Jarred

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45061t=44946
Private Addressing over Distances [7:44946]
Hello Everyone,

I have a newbie question to ask. If, for example, I had a building in one location (say, the state of Maryland) and then another building in another location (say, the state of Virginia), would I be able to have the locations directly connect to each other via phone lines and still be able to use my private addressing? Or MUST I use an ISP and either do NAT or use their external IP addresses?

In other words, if I had a private class B address of 128.128.0.0 and wanted to use that across a distance, would the phone company have a direct link between my two buildings (is it possible?) and allow my own addressing? (Keep in mind in this example I am not worried about connecting to the Internet, just my intranet, which is why I do not think an ISP or NAT or external addressing should matter at all.)

Thank you everyone, I have learned so much on this message board. I am taking my CCNP Routing June 7th and this question just was bothering me =) I am a newbie to how the phone system interconnects networks, I only know my end of the job hehe.

Thanks again.

Jarred
CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44946t=44946
Re: Private Addressing over Distances [7:44946]
Well... technically, 128.128.0.0 isn't a private address re: RFC 1918. :-)

But more to the point of your question, you can run whatever addresses you want over a private point-to-point connection.

Craig

At 09:38 AM 5/24/2002 -0400, you wrote:

> Hello Everyone,
>
> I have a newbie question to ask. If, for example, I had a building in one location (say, the state of Maryland) and then another building in another location (say, the state of Virginia), would I be able to have the locations directly connect to each other via phone lines and still be able to use my private addressing? Or MUST I use an ISP and either do NAT or use their external IP addresses?
>
> In other words, if I had a private class B address of 128.128.0.0 and wanted to use that across a distance, would the phone company have a direct link between my two buildings (is it possible?) and allow my own addressing? (Keep in mind in this example I am not worried about connecting to the Internet, just my intranet, which is why I do not think an ISP or NAT or external addressing should matter at all.)
>
> Thank you everyone, I have learned so much on this message board. I am taking my CCNP Routing June 7th and this question just was bothering me =) I am a newbie to how the phone system interconnects networks, I only know my end of the job hehe.
>
> Thanks again.
>
> Jarred
> CCNA

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=44948t=44946
Re: Private Addressing over Distances [7:44946]
Thanks Craig. Yes I know 128.128.0.0 is not technically a standard private address defined in RFC 1918, but those are just so that ISPs have a standard address in which to block routing information for. Therefore a private address within a network can be any class A, B or C address. Thanks for your reply. Jarred Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=45011t=44946
Re: Understanding Private IP Networks! Free Webinar [7:39046]
Maybe it's just me, but why not use a private IP network across frame relay? Are they talking about putting your own equipment in the CO? I don't see how much more private you could possibly make it. -Patrick Jim Dixon 03/21/02 11:55AM To all that may be interested in an online seminar on Migrating from Frame Relay to Private IP networks. Watch the word wrap on the URL below. Jim http://us1.webex.com/visualnetworks/onstage/mainframe.php?Rnd3287=0.03651925 66600846 Time: Next Thursday 13:00 Eastern Standard Time 03/28/2002. A FREE 1-Hour Webinar from Visual Networks: Understanding Private IP Networks! If you're considering migrating from a frame relay to a private IP network, don't miss Visual Networks' Understanding Private IP Networks Webinar on Thursday, March 28, 2002, at 1:00 p.m. EST! To register for this invaluable Webinar, click here. While much has been said about private IP or MPLS-enabled networks, the Understanding Private IP Networks Webinar will present the catalysts for migrating from a frame relay to private IP network and the benefits and technical implications of the private IP solution. Additionally, this Webinar will address the fear and pain points associated with migrating and how Visual Networks can alleviate these concerns with our private IP performance-management solution, Visual UpTime. Specifically, Understanding Private IP Networks will provide the rationale for this network strategy, including: The critical need for network redundancy. Why you must maximize bandwidth resources. How WAN complexity has overburdened your network support staff. The increased remote site-to-remote site traffic driving the need for meshed networks. Get the benefits of migrating to a private IP-based network. Gain understanding of the pain-points associated with changing your network. Realize the value of performance-management visibility for private IP networks. Act Now!
To register for the FREE Understanding Private IP Networks Webinar, taking place Thursday, March 28, 2002 at 1:00 p.m. EST, click here. Join us! You'll walk away with the information you need to determine why private IP networks should be an integral part of your network strategy! Visual Networks and Visual UpTime are registered trademarks, and Visual IP InSight is a trademark of Visual Networks Technologies, Inc. Added Bonus! If you register for the Understanding Private IP Networks Webinar, you'll automatically receive Visual Networks' monthly Intelligence From The Edge(tm) newsletter. The Intelligence From The Edge newsletter summarizes network management articles and notes from a variety of worldwide sources. http://www.visualnetworks.com
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=39082t=39046
Re: RFC on Private IP Address v.s. RIP/IGRP [7:38190]
Chuck, Your non sequitur is minor if it's only one of those nights. My non sequitur is one of those days and nights. Anyway, the reason I was curious about this was that most of the labs I've done (or remembered) were done with classless for the 172.16 and 192.168. Back when I did the RIP/IGRP to study for the CCNA I was using class A address ranges. I guess it's time to hit the rack. Thanks. Elmer - Original Message - From: Chuck Larrieu To: Cebuano Sent: Wednesday, March 13, 2002 11:09 PM Subject: Re: RFC on Private IP Address v.s. RIP/IGRP [7:38190] [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38216t=38190
Re: RFC on Private IP Address v.s. RIP/IGRP [7:38190]
At 11:16 PM 3/13/02, Chuck wrote: interesting way to put the question. but.. 172.16.0.0/12 and 192.168.0.0/16 are CIDR notation. It's also simply a notation used by humans to save on the typing required. You will often see the private class B addresses listed as 172.16.0.0 - 172.31.255.255. That's the same thing as 172.16.0.0/12. Notice that the first 12 bits are the same in all the network addresses in the 172.16.0.0 - 172.31.255.255 range, so why not save on some typing? Priscilla [remainder of quoted post omitted] Priscilla Oppenheimer http://www.priscilla.com Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38298t=38190
RFC on Private IP Address v.s. RIP/IGRP [7:38190]
Ladies and gents, If you are all aware of the RFC on Private IP Address allocation, it specifies that 172.16.0.0 uses /12 and 192.168.0.0 uses /16. Now does this mean our old friends RIP and IGRP are aware of this when they perform the First-Octet Rule to apply the mask for these network ranges accordingly? Please someone clarify this subtle issue. Thanks. Elmer Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38190t=38190
Re: RFC on Private IP Address v.s. RIP/IGRP [7:38190]
interesting way to put the question. but.. 172.16.0.0/12 and 192.168.0.0/16 are CIDR notation. any subnets within those ranges would default to the classful values based upon the first couple of bits. remembering that 0 in the first position is class A, 10 in the first two positions indicate class B, and 110 in the first three positions indicate class C. RIP and IGRP are classful, and would note the classful values. and my apologies for putting this answer into the BGP thread. The news server ate my post, and.. Cebuano wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=38195t=38190
Access list for private FTP site [7:35032]
Hey Guys, I have a 2514 doing NAT with overload on my internet connection, getting a public DHCP address from my provider on eth 0. I have a win 2k server getting a private address from eth 1 like 192.168.0.1 and have an ftp site set up with IIS that I want people to be able to access from the internet. What type of access list would allow (if it is possible) people to access my ftp site on the server with a private address like 192.168.0.6? Also in the future I want to put a web server on a private address also so the same scenario would apply to that. Right now to do the NAT with overload I have
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.0.0 0.0.0.255
And also a more granular extended list that specifies a whole bunch of filters. The main ones being
access-list 199 permit ip any 192.168.0.0 0.0.0.255
access-list 199 permit ip any any
All suggestions welcome and appreciated. Thanks, Randy Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35032t=35032
Re: Access list for private FTP site [7:35032]
You can set up NAT using the interface instead of the actual IP that you learn from your ISP on e0. If you search the archives, you'll find a thread where this topic (NAT and Dynamic external IP) is discussed at length. A co-worker has his DSL cable modem set up like this. It seems this functionality is called Easy IP and was available in IOS 11.3. Here's the command I saw in a post saying how it was done:
ip nat inside source list xx interface overload
The only thing I can think of to help you do what you want to do is to set up static NAT entries for the ports you want to forward. I.e. set up a static NAT entry for incoming traffic on port 21 to forward to the desired IP on the inside. Of course, as you can imagine, this would limit you to one internal IP per port, i.e. only one machine on the internal LAN could be reached via port 21, one via port 80, etc. HTH, Mike W. Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35065t=35032
RE: Access list for private FTP site [7:35032]
Randy, one possible way to do this is with Static/Dynamic NAT. You will need to use at least a /29 address from your provider to do this. Use a pool to NAT overload with and define a static NAT for your internet based services.
!!! first and last valid IP to nat with
ip nat pool nat-pool 216.18.31.x 216.18.31.x prefix-length 24
!!! Define the pool to overload with
ip nat inside source route-map nat-map pool nat-pool overload
!! Define the inside and outside address to stay static
ip nat inside source static 192.168.200.1 216.18.31.200
route-map nat-map permit 10   !! Route-maps use less CPU
 match ip address 10   !! refers to access list 10
!! Deny your static address translation
access-list 10 deny x.x.x.x x.x.x.x
access-list 10 permit x.x.x.x x.x.x.x   !! Permit the rest
Hope this helps Mark CCNP,CCNA,CCDA,CNE,MCSE (CCIE to Be) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=35071t=35032
connecting (private) networks using RFC 1918 address [7:34655]
Hi Folks, What's the best practice if I want to connect multiple private networks together if all of them are presumably using RFC 1918 addresses? I read the technical doc about NAT implementation in overlapping networks on the Cisco web site... to me it looks a bit cumbersome, has anyone in this forum used/implemented it? Or is it a good practice to use NAT in connection with public IP to connect those networks? If I get a class C public IP from my ISP can that be used for this purpose? I read in one of the service agreements provided by an ISP and it says that assigned IP numbers should be used only in conjunction with the services provided by that specific ISP. Is there any other way of doing it? Appreciate your feedback on this. Thanks, Muthu Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34655t=34655
Re: connecting (private) networks using RFC 1918 address [7:34658]
Readdress. In the meantime, NAT. Muthuraja Ayyanar wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34658t=34658
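The three threads above (private addressing over a point-to-point link, the /12 and /16 notation versus classful RIP/IGRP, and joining several RFC 1918 networks) all come down to the same address arithmetic. The following Python is an added example, not code from any of the posts; it uses only the standard library, and the site prefixes at the bottom are constructed for illustration.

```python
"""Private-address helpers (added example; not from the GroupStudy posts).

Demonstrates three points from the threads above:
  * 128.128.0.0/16 is not RFC 1918 space, even if it is only ever used on a
    private link;
  * 172.16.0.0/12 is the same thing as 172.16.0.0 - 172.31.255.255, but a
    classful protocol (RIP v1, IGRP) sees it as sixteen class B networks;
  * two sites that both picked RFC 1918 space may overlap, which is what
    forces NAT or readdressing before they can be joined.
"""
import ipaddress

# RFC 1918 private ranges (standard constants, not assumptions).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr_or_net: str) -> bool:
    """True if the address or prefix lies entirely inside RFC 1918 space."""
    net = ipaddress.ip_network(addr_or_net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def cidr_to_range(cidr: str) -> str:
    """The human-readable form of a CIDR block: first - last address."""
    net = ipaddress.ip_network(cidr, strict=False)
    return f"{net.network_address} - {net.broadcast_address}"


def classful_prefix_len(addr: str) -> int:
    """First-octet rule used by classful protocols: /8, /16 or /24.

    0xxxxxxx -> class A (/8); 10xxxxxx -> class B (/16); 110xxxxx -> class C (/24).
    Class D/E (1110..., 1111...) have no classful mask, so raise.
    """
    first = int(ipaddress.ip_address(addr)) >> 24
    if first & 0x80 == 0:
        return 8
    if first & 0xC0 == 0x80:
        return 16
    if first & 0xE0 == 0xC0:
        return 24
    raise ValueError(f"{addr} is class D/E; no classful mask")


def classful_networks(cidr: str):
    """Carve a CIDR aggregate the way a classful router would see it.

    172.16.0.0/12 -> sixteen class B networks 172.16.0.0/16 ... 172.31.0.0/16.
    A prefix already longer than its classful mask is returned unchanged.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    plen = classful_prefix_len(str(net.network_address))
    if net.prefixlen >= plen:
        return [net]
    return list(net.subnets(new_prefix=plen))


def overlapping_sites(sites: dict):
    """Pairs of site names whose prefixes overlap and so cannot be joined as-is."""
    names = sorted(sites)
    nets = {n: ipaddress.ip_network(sites[n], strict=False) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print(is_rfc1918("128.128.0.0/16"))   # usable on a private circuit, but not RFC 1918
    print(is_rfc1918("172.20.5.0/24"))    # inside 172.16.0.0/12
    print(cidr_to_range("172.16.0.0/12"))
    print([str(n) for n in classful_networks("172.16.0.0/12")])
    # Constructed example: two branches that both chose 192.168.1.0/24.
    sites = {"sydney": "192.168.1.0/24", "europe": "192.168.1.0/24", "hq": "10.10.0.0/16"}
    print(overlapping_sites(sites))
```

The practical check before ordering a private circuit or building a tunnel is the last function: run it over every site's prefix list first, because the overlap is what makes the Cisco overlapping-NAT document necessary at all. Non-RFC 1918 space such as 128.128.0.0/16 will work on a private link exactly as Craig says, but it also means that any host that later gets a default route to the Internet will silently steal traffic for whoever really holds that block.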
using BGP private AS [7:33595]
Hi, Everyone: I saw some examples of using a BGP private AS for single ISP redundancy. I was wondering whether I could use it for a DMZ. That will disallow customer routes being injected into my IGP? ISP1 ISP2 | | AS200 -AS5400-- AS100 Any suggestion? Thanks, ~q Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33595t=33595
Re: using BGP private AS [7:33595]
Why not simply prevent your customer routes from entering your IGP by the normal means? Is there some relationship from BGP to the IGP in your network that we may not be aware of? Pete At 02:57 PM 1/29/2002 -0500, you wrote: [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=33604t=33595
Private IRC Server for Cisco Study [7:31159]
This is a quick post to let people know that the address of the IRC server has changed to: irc.aegis-networks.com I noticed that several people seemed to have dropped off after the move to our permanent home and as I have no email list of members, I hope you are reading this. New members are welcome. We gather on channel #cisco and though we are primarily CCIE candidates, people at all certification levels are welcome. Best wishes for the New Year! Geoff Zinderdine Aegis Network Consulting Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=31159t=31159
Routing from a public network to a private resource [7:29127]
Dear All, Here is the scenario. You have one router with an interface that has access to the internet. The interface that faces the internet obtains its IP address from the Web via DHCP. You enable PAT on the outside interface using the dynamic outside IP address as the PAT address. You either register with a web site for a name and they watch it so that when it changes your name to address relationship changes, or constantly know what the IP address is. Good, we have internet connectivity. Now the problem. I want to get to a resource on the private network from a resource on the internet. How do I redirect the traffic destined for a public address to a private one inside my network? I have a feeling it is by port number but I am not sure. You are not running a version of PIX IOS on the router either. How do I solve this problem? -Thanks Mike Wing Network Engineer CCNA, CCDA, CCNP TWA Airlines LLC Phone: 1-816-464-7920 Fax: 1-816-464-6585 Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=29127t=29127
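Both this question and the "Access list for private FTP site" thread above ask the same thing: with NAT overload on a DHCP-assigned outside address, how does an inbound connection reach one inside host? The answer in the replies is a static port mapping. The Python below is an added example that models that behaviour; it is not the posts' configuration and not Cisco's implementation. It mirrors Randy's "ip nat inside source list 1 interface Ethernet0 overload" with access-list 1 covering 192.168.0.0/24, plus one static TCP port-21 forward (the IOS form is "ip nat inside source static tcp 192.168.0.6 21 interface Ethernet0 21"). The addresses 203.0.113.7 (the DHCP-assigned outside address) and 198.51.100.x (Internet clients) are constructed documentation addresses.

```python
"""Toy model of IOS NAT overload (PAT) with one static port forward.

Added example: not from the posts and not Cisco code. It shows the two
things the replies say about inbound access behind overload:
  * a static (proto, outside port) entry sends that port to exactly ONE
    inside host, so only one FTP server and one web server can be exposed
    per outside address;
  * anything inbound without a static entry or a matching outbound flow has
    no translation and is dropped, which is all the "firewalling" PAT does.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PatRouter:
    outside_ip: str                    # address DHCP gave Ethernet0; may change
    inside_prefix: str = "192.168.0."  # access-list 1 permit 192.168.0.0 0.0.0.255
    first_dyn_port: int = 1024
    # (proto, outside port) -> (inside ip, inside port)
    static: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # (proto, outside port) -> (inside ip, inside port, remote ip, remote port)
    dynamic: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)

    def add_static(self, proto: str, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Static port forward: one outside port -> one inside socket."""
        key = (proto, outside_port)
        if key in self.static:
            # The "one machine per port" limit Mike W. points out.
            raise ValueError(f"{proto}/{outside_port} already forwarded to {self.static[key][0]}")
        self.static[key] = (inside_ip, inside_port)

    def outbound(self, f: Flow) -> Flow:
        """Inside -> outside: rewrite the source to the outside address and a free port."""
        if not f.src_ip.startswith(self.inside_prefix):
            raise ValueError("source not matched by access-list 1; not translated")
        inside = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        for (proto, oport), entry in self.dynamic.items():
            if proto == f.proto and entry == inside:       # reuse the existing entry
                return Flow(f.proto, self.outside_ip, oport, f.dst_ip, f.dst_port)
        oport = self.first_dyn_port + len(self.dynamic)    # trivial allocator for the demo
        self.dynamic[(f.proto, oport)] = inside
        return Flow(f.proto, self.outside_ip, oport, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Outside -> inside: static forward, reply to an existing flow, or drop."""
        if f.dst_ip != self.outside_ip:
            return None
        key = (f.proto, f.dst_port)
        if key in self.static:
            iip, iport = self.static[key]
            return Flow(f.proto, f.src_ip, f.src_port, iip, iport)
        entry = self.dynamic.get(key)
        if entry and (entry[2], entry[3]) == (f.src_ip, f.src_port):
            # IOS extended entries record the outside host as well, so only
            # that host's replies are translated back.
            return Flow(f.proto, f.src_ip, f.src_port, entry[0], entry[1])
        return None  # unsolicited: no translation exists, packet is dropped


if __name__ == "__main__":
    r = PatRouter(outside_ip="203.0.113.7")
    r.add_static("tcp", 21, "192.168.0.6", 21)
    print(r.inbound(Flow("tcp", "198.51.100.9", 40000, "203.0.113.7", 21)))  # forwarded to the FTP server
    print(r.inbound(Flow("tcp", "198.51.100.9", 40000, "203.0.113.7", 80)))  # None: dropped
```

Two caveats a practitioner would want before exposing the IIS FTP site this way. Forwarding port 21 only covers the control channel: passive-mode data connections land on server-chosen ports that also need static entries (or the IOS NAT FTP ALG, which rewrites the PORT/PASV payload), while active mode has the server connect out from port 20 and goes through the normal outbound path. And because the outside address comes from DHCP, the static entry must reference the interface rather than a literal address, exactly as Mike W. describes for the overload line, or the mapping silently breaks at the next lease change.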
Re: Private VLANs & VTP [7:27940]
VLANs configured as PVLANs are done only when the VTP mode is transparent. So the VTP messages aren't carried or passed to the adjacent switch. You will have to configure in all the switches. By the way, which platform are you using and which version of software? Thanks Rajesh Urooj's Hi-speed Internet wrote: [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27992t=27940
Private VLANs & VTP [7:27940]
Hi Folks, Do VLANs configured as PVLANs get communicated throughout the VTP domain via VTP messages or are they kept segregated? Can someone please enlighten me on this? Thanks very much. Aziz Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27940t=27940
Private IRC Server for Cisco Certification Discussion [7:27958]
I have been running an irc server at someone.somewhere.ca:6667 for my study partners and me and would like to invite any of you that are interested to come join the public channel at #cisco. Primarily there are CCIE candidates using it at this time, a few that have earned their # and a few who are working on CCNP. Feel free to drop by and hang out. This channel tends to be a bit more on topic than the similarly named EFnet and DALnet channels. Be patient if you don't get a response right away from the channel denizens... many of us are juggling lab time, family and jobs. Best regards and good luck to you all in your networking pursuits. Geoff Zinderdine CCNP MCP CCA Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27958t=27958
RE: Private VLANs & VTP [7:27940]
If I understand private VLANs properly... They are configured exactly like normal VLANs, however, the ports are either left alone (promiscuous) or restricted. Restricted ports cannot talk to each other, they can only talk to promiscuous ports. -- Kevin Welch -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Urooj's Hi-speed Internet Sent: Sunday, December 02, 2001 1:32 PM To: [EMAIL PROTECTED] Subject: Private VLANs & VTP [7:27940] [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27960t=27940
Re: IPX stands for- PIX Private Internet Exchange [7:27647]
Wrong. PIX stands for Private Internet Exchange. You are thinking of IPXchange. Cisco briefly had a box that it bought that converted IPX to IP for internet connectivity. mlh wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27682t=27647
Re: IPX stands for- PIX Private Internet Exchange [7:27647]
heh what? IPX is a protocol. mlh 11/29/01 12:19AM [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27691t=27647
RE: IPX stands for- PIX Private Internet Exchange [7:27647]
Novell Internet Packet Exchange (IPX) -Original Message- From: Patrick Ramsey [mailto:[EMAIL PROTECTED]] Sent: Thursday, November 29, 2001 12:32 PM To: [EMAIL PROTECTED] Subject: Re: IPX stands for- PIX Private Internet Exchange [7:27647] [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27709t=27647
Cisco Systems' PIX (Private Internet Exchange) Firewall [7:27575]
Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27575t=27575
IPX stands for- PIX Private Internet Exchange [7:27647]
IPX stands for - PIX Private Internet Exchange (Cisco) Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=27647t=27647
Re: Private phone numbering [7:26021]
So the extension part of a phone number does not come from the telco, is that correct? Thanks John Tafasi VoIP Guy wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26198t=26021
Re: Private phone numbering [7:26021]
It can. At home it definitely does. Once you get a PBX or KSU, you have more control over the extensions. If you order one number for the main site and you have extensions that you have to dial to get to the individual phones from the automated attendant, then you can make those extensions whatever you want. And if you have DID, the telco may give you a block of numbers, say 1000-1099; you can either use those as your extensions, such as (nnn) nnn-1000, or you can map those into your internal extensions. So a customer outside may call you at (nnn) nnn-1000, but your internal co-workers can get to you by dialing your extension number, which may be x3546. You would map the DID number to the extension on the PBX, like you do in NAT. John Tafasi wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26205t=26021
Re: Private phone numbering [7:26021]
DID is the public address of voice, but you may still need to map over DID numbers to your internal extensions. Otherwise you need an auto-attendant that asks you to enter the extension of the person you are trying to reach, which could be considered the NAT of voice, since you need a box to route your call to the proper person. John Tafasi wrote in message news:[EMAIL PROTECTED]... [quoted post omitted] Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26157t=26021
Fwd: Private VLAN [7:25644]
-Original Message- From: Tiziano Sassatelli [mailto:[EMAIL PROTECTED]] On behalf of Tiziano Sassatelli Sent: Friday, 9 November 2001 8:40 To: 'William' Subject: Re: Private VLAN [7:25644] This is one example of a PVLAN configuration on Catalyst 4006 and Catalyst 6509:

Topology (the ASCII diagram did not survive the archive; recovered labels only): cat6509-1 and cat6509-2 are linked by Gigabit Ethernet on port 1/1 of each and run HSRP between them; port 1/2 of each 6509 goes by Gigabit Ethernet to cat4006 ports 1/1 and 1/2; user1 and user2 hang off cat4006 ports 2/1 and 2/2 (100FX). Net IP: 10.0.0.0/24

Cat4006:
set system name CAT4006
set interface sc0 1(vlan) IP/mask (for management)
set vtp domain DOMAIN
set vtp mode transparent
set vlan 10 pvlan-type community
set vlan 20 pvlan-type community
set vlan 30 pvlan-type primary
set pvlan 30 10 2/1
set pvlan 30 20 2/2
set trunk 1/1 on dot1q
set trunk 1/2 on dot1q

Cat6509-1:
set vlan 10 pvlan-type community
set vlan 20 pvlan-type community
set vlan 30 pvlan-type primary
set pvlan 30 10
set pvlan 30 20
set pvlan mapping 30 10 15/1 (virtual port of MSFC)
set pvlan mapping 30 20 15/1 (virtual port of MSFC)
set trunk 1/1 on dot1q

Cat6509-2:
set vlan 10 pvlan-type community
set vlan 20 pvlan-type community
set vlan 30 pvlan-type primary
set pvlan 30 10
set pvlan 30 20
set pvlan mapping 30 10 15/1 (virtual port of MSFC)
set pvlan mapping 30 20 15/1 (virtual port of MSFC)

Catalyst 6509-1 (MSFC):
interface Vlan30
 ip address 10.0.0.250 255.255.255.0
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 standby priority 100 preempt
 standby ip 10.0.0.243

Catalyst 6509-2 (MSFC):
interface Vlan30
 ip address 10.0.0.251 255.255.255.0
 no ip redirects
 ip local-proxy-arp
 ip route-cache same-interface
 standby priority 200 preempt
 standby ip 10.0.0.243

Regards -Original Message- From: William [mailto:[EMAIL PROTECTED]] Sent: Thursday, 8 November 2001 7:29 To: [EMAIL PROTECTED] Subject: Private VLAN [7:25644] Does anybody know about PVLAN and have a sample configuration? Thanks.
William Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=25918t=25644
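The "Private VLANs & VTP" thread and the sample configuration above describe the PVLAN port roles only in passing, so here is the forwarding rule spelled out as an added example (not from the posts, not Cisco code). The ports mirror the CatOS config: primary VLAN 30, communities 10 and 20, user1 on 2/1 and user2 on 2/2, and the MSFC's virtual port 15/1 mapped as the promiscuous port; the isolated port and the third community port are added for illustration and are not in that config. The reachability function carries the caveat that matters for security: a PVLAN is a layer-2 control, and the "ip local-proxy-arp" plus "ip route-cache same-interface" lines on the MSFC deliberately let the router relay between communities at layer 3, so two hosts the switch keeps apart still reach each other unless an ACL on the VLAN interface denies traffic whose source and destination are both inside 10.0.0.0/24.

```python
"""Private VLAN forwarding rules (added example; not from the posts).

Port roles in a private VLAN:
  promiscuous : talks to every port in the primary VLAN (router/firewall uplink)
  community   : talks to its own community and to promiscuous ports
  isolated    : talks to promiscuous ports only
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PvlanPort:
    name: str
    role: str                        # "promiscuous" | "community" | "isolated"
    secondary: Optional[int] = None  # secondary VLAN id for community/isolated ports


def l2_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Would the switch forward a frame from src to dst inside the PVLAN?"""
    if src.role == "promiscuous" or dst.role == "promiscuous":
        return True
    if src.role == "community" and dst.role == "community":
        return src.secondary == dst.secondary
    return False  # isolated ports never reach isolated or community ports


def reachability(src: PvlanPort, dst: PvlanPort, router_acl_denies_intra_subnet: bool) -> str:
    """How src reaches dst when a promiscuous router sits on the primary VLAN.

    The switch blocks the frame, but the router on 15/1 will route it back out
    the same interface: with local proxy ARP every host ARPs through it anyway,
    and even without proxy ARP a host can address the frame to the router's MAC
    with the victim's IP. Only an ACL on the VLAN interface that denies
    subnet-to-subnet traffic closes that path.
    """
    if l2_forward(src, dst):
        return "direct"
    if not router_acl_denies_intra_subnet:
        return "via-router"
    return "blocked"


def pvlan_matrix(ports: List[PvlanPort]) -> Dict[str, Set[str]]:
    """Who can reach whom at layer 2: port name -> set of reachable port names."""
    return {p.name: {q.name for q in ports if q is not p and l2_forward(p, q)} for p in ports}


if __name__ == "__main__":
    msfc = PvlanPort("15/1", "promiscuous")
    user1 = PvlanPort("2/1", "community", 10)
    user2 = PvlanPort("2/2", "community", 20)
    user3 = PvlanPort("2/3", "community", 10)   # constructed: second host in community 10
    kiosk = PvlanPort("2/4", "isolated", 40)    # constructed: an isolated port
    for name, reach in pvlan_matrix([msfc, user1, user2, user3, kiosk]).items():
        print(name, "->", sorted(reach))
    print(reachability(user1, user2, router_acl_denies_intra_subnet=False))  # via-router
    print(reachability(user1, user2, router_acl_denies_intra_subnet=True))   # blocked
```

Rajesh's point about VTP follows from the same model: the secondary-to-primary associations are per switch, so every switch carrying the primary VLAN needs the community/isolated definitions configured locally in transparent mode, which is why the sample config repeats them on all three boxes.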
CID: Private phone numbering [7:26021]
Hello Group, When designing an enterprise voice network, is it normal practice to give phone devices private phone numbers that have to be translated to a valid phone number when calling another external phone number, that is to say, similar to IP NAT translation? Does anybody know about a good reference that could explain this design issue? Thanks John Tafasi Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=26021t=26021
Transition from private network to public [7:19181]
Is anyone aware of any links or research that discuss the advantages of taking a large enterprise from an expensive private network (OC-3s and private lines all over) to more use of the public network, in terms of cost reduction and efficiency? Many will still argue that a tightly firewalled private network is necessary, but -- out of the box here -- is it really? Couldn't one put protection on files and route them over the public network? Couldn't an enterprise save $$ by using the public network for email? At first, people might say, No! we don't want all your corporate email dumped on the Internet, which is crowded enough. But, if corporations make more use of the Internet and develop more dependency on it, wouldn't they have more of a stake in the development and improvement of it? If anyone knows of any public white papers on this subject that have been posted or would like to share thoughts on this subject, I'd appreciate it. Thanks, Lori Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=19181t=19181
Re: VPN through a private IP network [7:16935]
John - actually, I just did it last night in the lab and it works great between Cisco routers. In order to make it work with NAT, you need a NAT access list that denies the source VPN network to the destination VPN network and then permits everything else from the source VPN network. Then, a VPN tunnel can be configured from source to destination network.

If you do the VPN tunnel across platforms, there are a number of parameters that need to match. This is a good document for learning about those parameters: (watch the URL wrap)
http://www.cisco.com/warp/public/105/IPSECpart1.html

Here's an illustration of what I described above, configuring a Cisco router with NAT and IPSec VPN tunnels simultaneously: (watch wrap)
http://www.cisco.com/warp/public/707/overload_private.html

good luck, mate
-e-

----- Original Message -----
From: johnny b
Sent: Wednesday, August 22, 2001 9:40 PM
Subject: VPN through a private IP network [7:16935]

> [quoted original post trimmed; it appears in full as "VPN through a private IP network [7:16935]" below]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17009t=16935
Re: VPN through a private IP network [7:16935]
You can have VPN concentrators behind firewalls with NAT static mappings. Just so long as UDP 500 and IP protocols 50 and 51 are open on your static mapping and you are using ESP in tunnel mode. Works good, lasts a long time.

Tony M. #6172

----- Original Message -----
From: johnny b
Sent: Wednesday, August 22, 2001 9:40 PM
Subject: VPN through a private IP network [7:16935]

> [quoted original post trimmed; it appears in full as "VPN through a private IP network [7:16935]" below]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=17031t=16935
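The static-mapping arrangement from this reply as an added example (not Tony M.'s configuration): an IOS edge router with one-to-one NAT in front of a concentrator. The addresses are assumptions (concentrator 10.0.0.5 inside, mapped to 203.0.113.5 outside; router outside interface 203.0.113.1), and only the VPN-related ACL entries are shown; any rules for other inside hosts are omitted. The reply's "ESP in tunnel mode" qualifier is the important one: ESP's integrity check does not cover the outer IP header, so ESP survives a one-to-one address rewrite, whereas AH (protocol 51) does authenticate the outer header and fails through any NAT even when the port is open.

```cisco
! Edge router/firewall (added example; addresses are assumptions)
ip nat inside source static 10.0.0.5 203.0.113.5
!
ip access-list extended OUTSIDE-IN
 remark IKE / ISAKMP, UDP 500
 permit udp any host 203.0.113.5 eq isakmp
 remark ESP, IP protocol 50: outer header not covered by its ICV,
 remark so it works through the one-to-one static mapping above
 permit esp any host 203.0.113.5
 remark AH, IP protocol 51: opened as the reply says, but AH covers
 remark the outer header and fails integrity checks after any NAT
 permit ahp any host 203.0.113.5
 remark NAT-Traversal, UDP 4500: needed instead of raw ESP when either
 remark side sits behind PAT rather than a one-to-one mapping
 permit udp any host 203.0.113.5 eq non500-isakmp
 remark everything else is dropped by the implicit deny
!
interface FastEthernet0/0
 description inside
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description outside
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

`show ip nat translations` should show the single static entry for 10.0.0.5 regardless of traffic, and `show access-lists OUTSIDE-IN` will show the match counters on the isakmp and esp lines increasing while a tunnel is negotiated; a rising counter on the isakmp line with nothing on the esp line usually means the peers agreed on AH, or on ESP behind a PAT device without NAT-T.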
VPN through a private IP network [7:16935]
Hi all,

Been asked to set up a VPN for a client in both Sydney and Europe. The problem that I am running into is that I have heard that VPNs will not work when any type of NAT is used. The client wants both servers using 192.168.1.0 type IP addresses. Can this be done on various platforms, not just Cisco routers or Linux or Win2k?

Thanks for your help,
John
Sydney, Australia
[EMAIL PROTECTED]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=16935t=16935
Re: configuring Hyperterminal Private edition w/Wi [7:9590]
HyperTerm for Win ME and 2000 has issues. Go to download.cnet.com and download CRT. It's a much better program. Hope this helps. I will never use HyperTerm again.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9666t=9590
Re: configuring Hyperterminal Private edition w/Wi [7:9590]
Basically, HyperTerm for WinME and Win2000 is horrible and rarely works properly. Get CRT. Here's the link to download it:
ftp://ftp.vandyke.com/pub/CRT/ntcrt331.exe
30-day shareware, 35 bucks to register. Worth every penny IMHO.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9667t=9590
RE: configuring Hyperterminal Private edition w/Wi [7:9590]
You may want to go the step further and get SecureCRT from VanDyke, which allows SSH v1 and v2 connections. It's $100, but worth the extra functionality if you want to use secure communications.

Perry J. Lucas

-----Original Message-----
From: Jon Thomasberg [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 24, 2001 1:06 AM
To: [EMAIL PROTECTED]
Subject: Re: configuring Hyperterminal Private edition w/Wi [7:9590]

> [quoted reply trimmed; it appears in full as the preceding message]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9670t=9590
Re: configuring Hyperterminal Private edition w/Windows ME [7:9479]
Have you checked different key combinations for the particular program?... Baud rate???

---Original Message---
From: [EMAIL PROTECTED]
Date: Friday, June 22, 2001 01:16:04 AM
To: [EMAIL PROTECTED]
Subject: configuring Hyperterminal Private edition w/Windows ME [7:9477]

> [quoted original post trimmed; it appears in full as "configuring Hyperterminal Private edition w/Windows ME [7:9477]" below]

[GroupStudy.com removed an attachment of type Image/jpeg]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9479t=9479
Re: configuring Hyperterminal Private edition w/Windows ME [7:9590]
I had a real nightmare with Windows ME and HyperTerminal which may or may not have been related to a change of laptop also. Try powering down your laptop, then powering it up while the console cable is connected. (Don't just restart - that doesn't do it). My com port kept locking out on changing device connections, and a full power down was the only answer. I suspect it may have been more hardware than software, but worth a try. Do me a favour and let me know if it has any effect.

Cheers,
Gaz

[EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> [quoted original post trimmed; it appears in full as "configuring Hyperterminal Private edition w/Windows ME [7:9477]" below]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9590t=9590
configuring Hyperterminal Private edition w/Windows ME [7:9477]
Hello,

I can connect to my Cisco devices but not communicate with them. I am using HyperTerminal Private Edition and Windows ME. Is there anything special I have to do to get into the devices through the console port? Cables and devices are known to be good.

Thank you for your time and consideration,
Joe Gearhart

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=9477t=9477
Private ASN question [7:7474]
I am thinking about a private ASN to segregate a part of my network. Will updates between my private ASN and my public ASN follow the rules of an eBGP neighbor or an iBGP neighbor? Can I connect the private ASN to a route reflector client and have it act as an eBGP neighbor?

Thanks in advance,
Thomas Gainer

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7474t=7474
Re: Private ASN question [7:7474]
I think you want BGP confederations... They work like EBGP between the different private ASs in the real AS, and normal IBGP within the private sub-AS...

router bgp <sub-AS>
 bgp confederation identifier <confederation AS>
 bgp confederation peers <other sub-AS(es)>
 neighbor x.x.x.x remote-as <same sub-AS>        --- this is IBGP
 neighbor x.x.x.x remote-as <sub-AS in peers>    --- this acts like EBGP (need to use ebgp-multihop if that applies)
 neighbor x.x.x.x remote-as <external AS>        --- just like you already have... Nothing changes here... If this AS is not in the peers list, it will act like the router is configured for the identifier...

Hope this helps

Thanks
-The Nate

tgainer wrote in message news:[EMAIL PROTECTED]...
> [quoted original post trimmed; it appears in full as "Private ASN question [7:7474]" above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7479t=7474
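The skeleton above filled in as an added example (not The Nate's configuration): two routers in different sub-ASes of one confederation, plus a real external peer. The numbering is assumed: confederation AS 100 is what the outside world sees, 65001 and 65002 are the private sub-ASes, the routers peer between loopbacks 10.0.0.1 and 10.0.0.2 (hence the ebgp-multihop), and 192.0.2.2 in AS 200 is the external peer. The example goes one step past the post by showing both ends, since the confederation peers list has to be consistent on each side.

```cisco
! --- R1, member of sub-AS 65001 (added example; all numbers assumed) ---
router bgp 65001
 bgp confederation identifier 100
 bgp confederation peers 65002
 ! plain iBGP inside sub-AS 65001 (full mesh or route reflectors as usual)
 neighbor 10.0.1.1 remote-as 65001
 neighbor 10.0.1.1 update-source Loopback0
 ! confederation-eBGP to R2 in sub-AS 65002; behaves like eBGP for the
 ! session but keeps NEXT_HOP, MED and LOCAL_PREF like iBGP, and the
 ! loopback peering is why ebgp-multihop is required here
 neighbor 10.0.0.2 remote-as 65002
 neighbor 10.0.0.2 update-source Loopback0
 neighbor 10.0.0.2 ebgp-multihop 2
 ! real external peer: it sees AS 100 in the AS_PATH, never 65001/65002
 neighbor 192.0.2.2 remote-as 200
!
! --- R2, member of sub-AS 65002 ---
router bgp 65002
 bgp confederation identifier 100
 bgp confederation peers 65001
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.1 update-source Loopback0
 neighbor 10.0.0.1 ebgp-multihop 2
```

Two things to verify after this goes in: `show ip bgp neighbors 10.0.0.2` on R1 reports the session as an external link "under common administration", and `show ip bgp` on R2 shows routes learned from AS 200 with the sub-AS segment in parentheses, for example `(65001) 200`, which is the part stripped before the path is sent to any peer outside the confederation. Because NEXT_HOP is carried unchanged across the sub-AS boundary, the external peer's address (192.0.2.2 here) must be reachable from R2 through the IGP, or R1 needs `neighbor 10.0.0.2 next-hop-self`.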
Re: Private ASN question [7:7474]
The only thing unique about a private ASN is that your upstream providers or peers, should you have them, will not communicate with you. However, within your own routing domain, you are free to treat the ASN just like a public one. With respect to your questions, yes, you can run EBGP to RR clients or any other BGP speakers in your network, and internal to your own network, so long as you don't explicitly deny the use of private ASNs, all will work normally. Should you require external connectivity to your private ASN space, you'll need to properly advertise that space from your valid AS. You may want to research confederations as they may be a valuable tool to help you scale your network, though they are a disruptive conversion due to the need to change your ASN on all your existing BGP speakers.

HTH
Pete

*** REPLY SEPARATOR ***
On 6/6/2001 at 11:01 PM tgainer wrote:
> [quoted original post trimmed; it appears in full as "Private ASN question [7:7474]" above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=7485t=7474
RE: Private VLAN on Cat2924 [7:6572]
The ideal solution is to make them in separate subnets. A slightly less elegant solution is to add a route to the hosts with a subnet mask of 255.255.255.255 with a destination of the router.

-----Original Message-----
From: Tay Chee Yong [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 31, 2001 2:13 AM
To: [EMAIL PROTECTED]
Subject: Private Vlan on Cat2924 [7:6572]

> [quoted original post, including the switch configuration and show version output, trimmed; it appears in full as "Private Vlan on Cat2924 [7:6572]" below]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6774t=6572
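The router side of the host-route approach, as an added example (not the poster's or the replier's configuration). It assumes the router's FastEthernet0/0 is 192.168.10.1/24 on the switch's unprotected port, PC1 is 192.168.10.11 and PC2 is 192.168.10.12 on the two protected ports, and PC1 is an SSH client of PC2; all of that is invented for the example. The part the reply leaves out is that a router which receives a packet and forwards it back out the same interface sends the source an ICMP redirect; a host that honours the redirect then ARPs for the other PC directly, the protected ports drop that, and the session dies. Redirects therefore have to be disabled on that interface. The block also adds a router ACL, since routing between the two protected hosts is exactly the point at which you can say which traffic is allowed between them.

```cisco
! Router on the unprotected switch port (added example; addresses assumed)
ip access-list extended PVLAN-HAIRPIN
 remark hosts may always talk to the router itself (ping, default gateway)
 permit ip 192.168.10.0 0.0.0.255 host 192.168.10.1
 remark only SSH from PC1 to PC2 is allowed between the protected hosts
 permit tcp host 192.168.10.11 host 192.168.10.12 eq 22
 permit tcp host 192.168.10.12 eq 22 host 192.168.10.11 established
 remark anything else between hosts of this subnet is dropped here
 deny   ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark off-subnet traffic routes as before
 permit ip 192.168.10.0 0.0.0.255 any
!
interface FastEthernet0/0
 ip address 192.168.10.1 255.255.255.0
 ! PC1 -> PC2 arrives and leaves on this interface; without this line the
 ! router tells PC1 to reach PC2 directly, which the protected ports block
 no ip redirects
 ! Alternative to per-host /32 routes: answer ARP for same-subnet hosts
 ! with the router's own MAC, so PC1 and PC2 reach each other through the
 ! router with no host-side route at all (proxy ARP must stay enabled)
 ip local-proxy-arp
 ip access-group PVLAN-HAIRPIN in
```

With the host-route variant from the reply, PC1 gets `route -p add 192.168.10.12 mask 255.255.255.255 192.168.10.1` (Windows) or `ip route add 192.168.10.12/32 via 192.168.10.1` (Linux) and PC2 the mirror image; with `ip local-proxy-arp` the hosts need nothing. Either way, `show arp` on PC1 should show the router's MAC address for 192.168.10.12, and `show access-lists PVLAN-HAIRPIN` on the router should show only the SSH lines incrementing while the deny line catches everything else.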
Private Vlan on Cat2924 [7:6572]
Hi all,

I am currently configuring 2 protected ports on a Catalyst 2924 to allow them to talk to each other with the help of a Cisco router. My understanding of the protected port on the Catalyst switch is that a host on a protected port is not able to communicate with another host on another protected port. But a protected host is able to talk to a non-protected port host, and vice versa. Now, I would like the protected host to talk to the other protected host via the non-protected host (Cisco router). How should I go about doing it?

Current configuration:
!
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
ip subnet-zero
!
interface FastEthernet0/1
 description Connection to PC 1
 duplex half
 speed 10
 port protected
 spanning-tree portfast
!
interface FastEthernet0/2
 description Connection to PC 2
 duplex half
 speed 10
 port protected
 spanning-tree portfast
!
interface FastEthernet0/3
 description Connection to Cisco router
 duplex half
 speed 10
 spanning-tree portfast

Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5.2)XU, MAINTENANCE INTERIM SOFTWARE
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Mon 17-Jul-00 17:35 by ayounes
Image text-base: 0x3000, data-base: 0x00301F3C

ROM: Bootstrap program is C2900XL boot loader

Switch uptime is 4 hours, 7 minutes
System returned to ROM by power-on
System image file is flash:c2900XL-c3h2s-mz-120.5.2-XU.bin

cisco WS-C2924-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAB0507U2T5, with hardware revision 0x01
Last reset from power-on

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:05:32:7B:BC:80
Motherboard assembly number: 73-3382-08
Power supply part number: 34-0834-01
Motherboard serial number: FAB050733U4
Power supply serial number: DAB045055RB
Model revision number: A0
Motherboard revision number: C0
Model number: WS-C2924-XL-EN
System serial number: FAB0507U2T5
Configuration register is 0xF

Please assist. Thanks.

Regards,
Cheeyong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=6572t=6572
Private VLAN on cat 6500 [7:4862]
Got a problem configuring a promiscuous port for private VLAN. The primary VLAN 202 has 4 private VLANs in it. I need to configure a promiscuous port (connected to a router) to communicate with all the 4 private VLANs. When I tried to map a PVLAN to a promiscuous port in a VLAN, I always got the following message:

set pvlan mapping 202 511 4/11
Can not add a private mapping to a port with another private port in same ASIC

Anybody know what I did wrong? How do I accomplish this?

Thanks
Ruihai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=4862t=4862
configure promiscuous port for private VLAN [7:4869]
On a 6500, one primary private VLAN 111, 4 secondary community private VLANs. I need to configure one promiscuous port (3/18, connected to a router) to communicate with all 4 secondary community private VLANs.

set pvlan mapping 111 511 3/18
cannot add a private vlan mapping to a port with another private port in same ASIC

and I can not set vlan 111 3/18

What did I do wrong? How can I accomplish this?

Thanks
Ruihai

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=4869t=4869
Re: configure promiscuous port for private VLAN [7:4869]
To set a port to send out all traffic from a particular VLAN try the command 'set span [vlan_number] [module/port]' where vlan_number is the VLAN you want to monitor and module/port is the port you want to monitor on. This is used to listen to all traffic going through a particular VLAN. I'm not really clear as to what you are trying to do. If you are trying to have the router route between the different VLANs you have configured you need to use a trunk line with either ISL or dot1q.

HTH a little.
Ben

--- Group study wrote:
> [quoted original post trimmed; it appears in full as "configure promiscuous port for private VLAN [7:4869]" above]

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=4917t=4869
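The promiscuous-port setup the two questions above ("Private VLAN on cat 6500" and "configure promiscuous port for private VLAN") are after, as an added CatOS example that is neither Ruihai's nor Ben's configuration. The numbers are assumptions: primary VLAN 111, community VLANs 511 to 514 with one host port each on 3/1 to 3/4, and the router on 3/18. Two points the thread leaves hanging: a promiscuous port is never placed in the primary VLAN with `set vlan` (which is why `set vlan 111 3/18` is refused); `set pvlan mapping` both puts it in the primary and lets it reach the listed secondaries. And the "same ASIC" error is the line card's restriction, not a syntax problem: on those cards a promiscuous port cannot sit in the same port-ASIC group as an isolated or community port, so the fix is to pick a promiscuous port in a port group that holds none of the secondary ports (or move the secondary ports), not to retype the command.

```cisco
# CatOS, Catalyst 6500 (added example; VLAN and port numbers assumed)
# 1. declare the primary and the four community VLANs
set vlan 111 pvlan-type primary
set vlan 511 pvlan-type community
set vlan 512 pvlan-type community
set vlan 513 pvlan-type community
set vlan 514 pvlan-type community
# 2. bind each secondary VLAN to the primary and assign its host ports
set pvlan 111 511 3/1
set pvlan 111 512 3/2
set pvlan 111 513 3/3
set pvlan 111 514 3/4
# 3. promiscuous port for the router: one mapping per secondary VLAN.
#    3/18 must be in a different port-ASIC group from 3/1-4, otherwise
#    the switch answers with the "same ASIC" error seen in the thread.
set pvlan mapping 111 511 3/18
set pvlan mapping 111 512 3/18
set pvlan mapping 111 513 3/18
set pvlan mapping 111 514 3/18
# 4. verify: each secondary should list its ports and the primary,
#    and 3/18 should appear with all four mappings
show pvlan
show pvlan mapping
```

If the "router" is the chassis's own MSFC rather than an external box, the same mappings are applied to the MSFC's internal port (15/1 or 16/1, depending on the slot) instead of 3/18. Once the router is reachable from all four communities, hosts in different communities can reach each other through it, so the isolation the PVLAN gives inside the switch ends at the router interface; an ACL there decides what is allowed between communities.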
Re: Private Vlans - Is this a good idea
Amen!

""Howard C. Berkowitz"" [EMAIL PROTECTED] wrote in message news:p0500190eb6e697785d87@[63.216.127.100]...

> Let me generalize my standard question of "what is the problem you are trying to solve," with "what problem do you NOT WANT to solve."
>
> What you are describing is a management, not a technical, problem. If your customers are part of the same organization as you are, someone to whom both of you report needs to explain economic realities to them. This explanation would be along the lines of:
>
> 1. The network organization has a budget.
> 2. This budget is based on certain rational engineering assumptions about what components can do, and what services can safely share the same component.
> 3. VLANs were invented as a security technique, with the goal of isolating groups of users.
> 3a) The "multi-VLAN" approach that allows a port to be in more than one VLAN, IMNSHO, is _evil_, has marginal applicability, and designs that include it should be tied up and thrown into a pond. If they float, burn them at the stake. If they don't float, let them drown.
> 4. There is no reason for concern about sharing a properly configured switch. Unless the customer can document WHY it is a problem, their only justification is FUD, and the network organization should not have its budget governed by FUD.
> 5. If there are real security requirements for physical switch separation, as might be specified for government classified networks that follow RED/BLACK isolation criteria, then the costs of additional switchgear should be part of the budget of the organization with the security requirement.
>
> If your customers are a true customer and you are in a profit-making world, I would have the appropriate management (i.e., that is concerned with cost of sales rather than gross revenue) consider carefully if you can afford having them as a customer. Your strategic business interest may be served by letting your competitor inherit this customer's problems.
>
> In other words, the customer needs to ask, "what part of NO do you fail to understand?"
>
> > Roberts,
> > I don't think 5500 supports pvlan, it has to be 6500, but I heard from somewhere those lower end 2948/4000 also will be able to support pvlan very soon.
> > pvlan, from my understanding, does not give you more security among vlans. It only controls ports within the same vlan by preventing them from talking to each other without your control. It is more of a way of saving vlans for service providers.
>
> Correct.
>
> > I believe the doc of 6500 explains it pretty well. If your customer is concerned about vlan leak, I am afraid you will probably have to give them a separate switch or they can use some kind of encryption before sending out any traffic.
> > Just my 2 cents.
> > HTH
> > KY
> >
> > ""Roberts, Timothy"" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > > [quoted original post trimmed; it appears in full as "Private Vlans - Is this a good idea" below]
Re: Private Vlans - Is this a good idea
FUD - Sounds gud! What is it?

If the FU stands for what I think it does, what does the D stand for.

Sorry for dragging the thread to one side, but I think I work somewhere that FUD cud become a major part of our vocabulary. I don't want to make up my own D if it's already in popular use :-)

Cheers,
Gaz

""Howard C. Berkowitz"" [EMAIL PROTECTED] wrote in message news:p0500190eb6e697785d87@[63.216.127.100]...
> [quoted thread trimmed; Howard C. Berkowitz's reply, KY's reply and Timothy Roberts's original post are quoted in full in the preceding "Re: Private Vlans - Is this a good idea" message]
FUD definition (WAS: Private Vlans - Is this a good idea)
http://www.everything2.com/index.pl?node_id=20165

HTH,
TroyC

-----Original Message-----
From: Gareth Hinton [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 28, 2001 2:50 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Vlans - Is this a good idea

> [quoted thread trimmed; Gareth Hinton's question and the Berkowitz/KY/Roberts exchange it quotes appear in full in the preceding "Re: Private Vlans - Is this a good idea" messages]
Private Vlans - Is this a good idea
I have some customers that need to be connected to my network. They insist on not having their servers connected to a switch that has other customers on it. They will not pay for an additional switch.

I was considering recommending private VLANs. That way things are more secure on the switch. Is this a good idea?

The current switches are Catalyst 5500. Does this hardware support private VLANs? I have checked the documentation and I have only found that the software needs to be 5.4(1), but they make no mention of hardware requirements.

Thanks

_______________________________________________________
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
Re: Private Vlans - Is this a good idea
Roberts,

I don't think 5500 supports pvlan, it has to be 6500, but I heard from somewhere those lower end 2948/4000 also will be able to support pvlan very soon.

pvlan, from my understanding, does not give you more security among vlans. It only controls ports within the same vlan by preventing them from talking to each other without your control. It is more of a way of saving vlans for service providers. I believe the doc of 6500 explains it pretty well.

If your customer is concerned about vlan leak, I am afraid you will probably have to give them a separate switch, or they can use some kind of encryption before sending out any traffic.

Just my 2 cents.

HTH
KY

"Roberts, Timothy" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> I have some customers that need to be connected to my network. They insist on not having their servers connected to a switch that has other customers on it. They will not pay for an additional switch. I was considering recommending private VLANs. That way things are more secure on the switch. Is this a good idea?
>
> The current switches are Catalyst 5500. Does this hardware support private VLANs? I have checked the documentation and I have only found that the software needs to be 5.4(1), but they make no mention of hardware requirements.
>
> Thanks
Private Vlans - Is this a good idea #2
I forgot that I will be upgrading the 5500s to 6509s before this would be implemented.

> I have some customers that need to be connected to my network. They insist on not having their servers connected to a switch that has other customers on it. They will not pay for an additional switch. I was considering recommending private VLANs. That way things are more secure on the switch. Is this a good idea?
>
> The current switches are Catalyst 5500. Does this hardware support private VLANs? I have checked the documentation and I have only found that the software needs to be 5.4(1), but they make no mention of hardware requirements.
>
> Thanks
Re: Private Vlans - Is this a good idea
Let me generalize my standard question of "what is the problem you are trying to solve," with "what problem do you NOT WANT to solve."

What you are describing is a management, not a technical, problem. If your customers are part of the same organization as you are, someone to whom both of you report needs to explain economic realities to them. This explanation would be along the lines of:

1. The network organization has a budget.

2. This budget is based on certain rational engineering assumptions about what components can do, and what services can safely share the same component.

3. VLANs were invented as a security technique, with the goal of isolating groups of users.

3a) The "multi-VLAN" approach that allows a port to be in more than one VLAN, IMNSHO, is _evil_, has marginal applicability, and designs that include it should be tied up and thrown into a pond. If they float, burn them at the stake. If they don't float, let them drown.

4. There is no reason for concern about sharing a properly configured switch. Unless the customer can document WHY it is a problem, their only justification is FUD, and the network organization should not have its budget governed by FUD.

5. If there are real security requirements for physical switch separation, as might be specified for government classified networks that follow RED/BLACK isolation criteria, then the costs of additional switchgear should be part of the budget of the organization with the security requirement.

If your customers are a true customer and you are in a profit-making world, I would have the appropriate management (i.e., that is concerned with cost of sales rather than gross revenue) consider carefully if you can afford having them as a customer. Your strategic business interest may be served by letting your competitor inherit this customer's problems. In other words, the customer needs to ask, "what part of NO do you fail to understand?"

> Roberts,
>
> I don't think 5500 supports pvlan, it has to be 6500, but I heard from somewhere those lower end 2948/4000 also will be able to support pvlan very soon.
>
> pvlan, from my understanding, does not give you more security among vlans. It only controls ports within the same vlan by preventing them from talking to each other without your control. It is more of a way of saving vlans for service providers.

Correct.

> I believe the doc of 6500 explains it pretty well.
>
> If your customer is concerned about vlan leak, I am afraid you will probably have to give them a separate switch, or they can use some kind of encryption before sending out any traffic.
>
> Just my 2 cents.
>
> HTH
> KY
>
> "Roberts, Timothy" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>> I have some customers that need to be connected to my network. They insist on not having their servers connected to a switch that has other customers on it. They will not pay for an additional switch. I was considering recommending private VLANs. That way things are more secure on the switch. Is this a good idea?
>>
>> The current switches are Catalyst 5500. Does this hardware support private VLANs? I have checked the documentation and I have only found that the software needs to be 5.4(1), but they make no mention of hardware requirements.
Re: Private Vlans
People get so confused as soon as you add a V in front of LAN. What would a private LAN be? One that is isolated/firewalled/ACL'd from other LANs. The same would be for a VLAN, with the advantage that VLANs have (dynamic ports, trunking between switches/routers, etc).

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"nobody" <[EMAIL PROTECTED]> wrote in message news:009901c0a121$69154c10$[EMAIL PROTECTED]...
> sorry, my oversight. i already responded to timothy, but if you go to www.google.com and type in private vlans you should be at the beginning of your search. i only skimmed through the first few links and it seems worth a while ;-)
>
> p.
>
> ----- Original Message -----
> From: "Leigh Anne Chisholm" <[EMAIL PROTECTED]>
> To: "nobody" <[EMAIL PROTECTED]>; "Roberts, Timothy" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> Sent: Tuesday, February 27, 2001 4:11 PM
> Subject: RE: Private Vlans
>
>> Thank you, "nobody" for helping teach common sense - but Timothy DID indicate he did try to find the information on Cisco's site before he posted his query to the group.
>>
>> PRIVATE VLANs are the latest switching hype to come out of Cisco. Our local Cisco rep recently did a presentation which covered this - and there's so little information that explains this topic well, even HE was confused.
>>
>> I quickly scanned the link you provided on www.cisco.com for more information on private VLANs. Perhaps you could provide Timothy and myself with a more direct link?
>>
>> -- Leigh Anne
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of nobody
>> Sent: February 27, 2001 4:44 PM
>> To: Roberts, Timothy; [EMAIL PROTECTED]
>> Subject: Re: Private Vlans
>>
>>> i thought this is an appropriate link for all, who first want to learn how to search the web and then do it right.
>>>
>>> http://www.hq.nasa.gov/office/hqlibrary/pathfinders/nethelp.htm
>>>
>>> and here is the info you should have found at www.cisco.com on VLANs:
>>>
>>> http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VLANs_and_Trunking:802.1Q
>>>
>>> ----- Original Message -----
>>> From: "Roberts, Timothy" <[EMAIL PROTECTED]>
>>> To: <[EMAIL PROTECTED]>
>>> Sent: Tuesday, February 27, 2001 1:36 PM
>>> Subject: Private Vlans
>>>
>>>> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>>>>
>>>> Thanks
Re: Private Internet Addressing
I don't know if they still do it, but AtHome's AtWork used private addressing for WAN links to T1 customers. I know that ATT's CDPD network uses private addressing as well. Only time my host is up is when I'm driving (yeah, watch out for the freak driving and using ssh to fix routers):

tracerouting to han-cdpd.artoo.net:
 8  144.232.18.138 (144.232.18.138)  27.021 ms  27.966 ms  31.880 ms
 9  gbr4-p50.sffca.ip.att.net (12.123.13.70)  26.515 ms  30.128 ms  91.739 ms
10  gbr3-p50.st6wa.ip.att.net (12.122.2.62)  43.395 ms  44.815 ms  42.398 ms
11  gbr2-p10.st6wa.ip.att.net (12.122.5.166)  44.782 ms  44.792 ms  48.202 ms
12  ar1-a3120s1.st6wa.ip.att.net (12.127.6.137)  44.002 ms  48.997 ms  42.120 ms
13  * * *
14  * * *
15  * * *
16  mes129034064.airdata.net (166.129.34.64)  525.449 ms  507.090 ms  502.152 ms

From my host I hit 3-4 172 addresses before I get to public ATT IP space.

On that note, check out http://www.traceloop.com/. Seems like an interesting idea to me.

--
Jason Roysdon, CCNP+Security/CCDP, MCSE, CNA, Network+, A+
List email: [EMAIL PROTECTED]
Homepage: http://jason.artoo.net/
Cisco resources: http://r2cisco.artoo.net/

"Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote in message news:p05001904b6c01af4cbb9@[63.216.127.100]...
>> Really? So you wouldn't recommend using RFC 1918 addressing in a transient network, say, for a customer (end user) production network, as a means of securing the routers/switches that transport the data? The servers used direct server return (http://www.foundrynet.com/genFaqDSR.html), and didn't incur the performance penalty usually associated with NAT...
>
> I'm not sure what you mean by a transient network. But if the hosts on that network connect to the Internet, they should:
>
> 1. Tunnel to endpoints using private address space (i.e., you are building a VPN)
> 2. Use registered address space
> 3. Use private address space and NAT on the provider side.
>
> It concerns me, however, that private address space, without being discussed along with explicit filtering and other complementary security mechanisms, can be thought of as adding any reliable level of security. Yes, you may not be reachable in the global Internet. But without other controls, you might be quite accessible from other customers of the same providers.
>
> Private addressing does have a place, and a good one. But it shouldn't EVER appear, IMNSHO, in ANY global Internet communications, whether those are the sources of packets or simply traceroute results. Too many operational and security implications. I don't think use of RFC 1918 for any form of Internet connectivity can be consistent with RFC 2828 and related anti-hacking measures.
>
>> I've built several networks using this type addressing scheme, in conjunction with the use of OSPF and haven't had any problems... I realize that this is not the same class of network (ISP), but it was a design used for several e-commerce sites... I would just like to know other peoples' opinion on this practice, especially yours, Howard... :)
>>
>> Thanks
>>
>> Brant I. Stevens
>> Internetwork Solutions Engineer
>> Thrupoint, Inc.
>> 545 Fifth Avenue, 14th Floor
>> New York, NY. 10017
>> 646-562-6540
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
>> Sent: Sunday, February 25, 2001 6:32 PM
>> To: [EMAIL PROTECTED]
>> Subject: Re: Private Internet Addressing
>>
>>> This remains a continuing thread on NANOG. My personal view is that the world has certain ISPs, such as cais.net DSL and apparently US West in your example, that exist for the same reason as do warthogs: to make roses even more beautiful.
>>>
>>> Several major ISPs have this pernicious practice, which confuses traceroute (in several ways), reverse DNS, and MTU path discovery. They are ISPs with significant allocations of address space and should be able to get more.
>>>
>>> I personally believe that anyone that uses private address space in a path where public traffic will EVER route through one of the addresses, is, at best, being irresponsible. Sort of like looking for the gas leak with a lighted match.
>>>
>>>> I did a traceroute to one of US West's customers... got some interesting results:
>>>>
>>>>  13   206 ms   179 ms   123 ms  gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
>>>>  14  1016 ms   151 ms   975 ms  207.224.191.2
>>>>  15   233 ms   124 ms   123 ms  192.168.8.1
>>>>  16   151 ms   179 ms   123 ms  192.168.100.147
>>>>  17   247 ms   192 ms   151 ms  vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]
>>>>
>>>> RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used w
Re: Private Internet Addressing
Brian <[EMAIL PROTECTED]> wrote:

> On Mon, 26 Feb 2001, Bradley J. Wilson wrote:
>
>> ElephantChild wrote:
>>
>>> RFC 1918, section 3: "[...]Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, *and packets with private source or destination addresses should not be forwarded across such links.*"
>>
>> ...But that's not what's happening in the case of the traceroute which started this discussion. The only reason we're seeing those private addresses is because we're basically snooping around in someone else's network. RFC 1918 is still being upheld - privately-addressed traffic is not being forwarded over inter-enterprise links.
>
> and the packets being sourced or destined are not being done from rfc1918 space, just passing thru it.

While what you say is true about the "forward path," onto which I send normal traffic or the UDP probes of traceroute, the ICMP TTL-exceeded responses that define the traceroute responses have the source address of the router interfaces that generated them. If these interfaces are RFC1918 numbered, and the address originating the traceroute is in registered space, there become only two alternatives:

1. Packets with RFC1918 source addresses have to enter registered space
2. There will be no response to the traceroute.

>> The difference is this: "information about private networks shall not be *propagated*"...meaning my routers must not actively advertise my private networks to external ASes. Well, okay - the ISP isn't doing that. But when we trace through a network using private addresses, we will see them - we're snooping around, but the routers aren't actively propagating those private numbers.

As best as I can see, you would want a "hole" put through the RFC 2827 ingress filtering filters (or equivalents with reverse path verification), which state that Best Current Practice is to block any packet sourced from an address to which you have no active route.

To open an exception for ICMP, without maintaining state that you have issued a traceroute, is an open invitation for denial of service attack. To keep state that you have issued a traceroute, you impose a significant performance hit on the routers involved.

Even if I could implement all these special cases, the reality remains that more than one provider in the path could use the same RFC1918 address, and I now have accurate traceroute results that are utterly confusing and indistinguishable from traceroutes of looping paths.

>> I'm excited about IPv6...but if we can make v4 last a little while longer, hey, let's do it. ;-)
>>
>> BJ
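The two alternatives Howard lays out (RFC 1918-sourced ICMP replies entering registered space, or no traceroute response at all) and the US West traceroute quoted earlier in the thread can both be checked mechanically. The Python below is an added example, not code from any poster: it parses traceroute lines modelled on the ones quoted in the thread, flags the hops whose TTL-exceeded reply was sourced from RFC 1918 space, and applies the RFC 2827 rule (forward only if there is an active route to the source) to those replies to show which hops a filtering border turns into `* * *`. The `EDGE_ROUTES` prefixes and the timed-out hop 18 are constructed assumptions.

```python
# Added example (not from the thread): parse traceroute output, flag hops that
# answer from RFC 1918 space, and show what a strict RFC 2827 ingress filter
# does to the ICMP TTL-exceeded replies those hops generate.
import ipaddress
import re
from typing import List, Optional, Tuple

# RFC 1918 private-use prefixes.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: Windows-style tracert lines mirroring the hops quoted in
# the thread, plus one timed-out hop so the parser handles '*' lines.
SAMPLE_TRACEROUTE = """\
 13   206 ms   179 ms   123 ms  gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
 14  1016 ms   151 ms   975 ms  207.224.191.2
 15   233 ms   124 ms   123 ms  192.168.8.1
 16   151 ms   179 ms   123 ms  192.168.100.147
 17   247 ms   192 ms   151 ms  vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]
 18     *        *        *     Request timed out.
"""

# Constructed assumption: prefixes for which the filtering border router holds
# an active route (the "route to source" test of RFC 2827 / reverse-path check).
EDGE_ROUTES = [ipaddress.ip_network(n) for n in
               ("206.80.192.0/24", "207.224.0.0/16", "130.13.0.0/16")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def parse_hops(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop_number, responding_ip) per line; ip is None for '*' hops.
    The last dotted quad on a line is the responder, whether shown bare
    ('207.224.191.2') or in brackets after a hostname ('host [1.2.3.4]')."""
    hops = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if not m:
            continue
        quads = IPV4_RE.findall(line)
        hops.append((int(m.group(1)), quads[-1] if quads else None))
    return hops


def private_hops(text: str) -> List[int]:
    """Hop numbers whose TTL-exceeded reply carried an RFC 1918 source."""
    return [n for n, ip in parse_hops(text) if ip is not None and is_private(ip)]


def ingress_permits(src: str, routes=EDGE_ROUTES) -> bool:
    """RFC 2827 decision: forward a packet only if we hold an active route to
    its source address.  Private space never has such a route at the border."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in routes)


def filtered_view(text: str, routes=EDGE_ROUTES) -> List[Tuple[int, str]]:
    """The same trace as seen from behind a strict ingress filter: replies
    sourced from unrouted addresses are dropped, so those hops become '*'."""
    return [(n, ip if ip is not None and ingress_permits(ip, routes) else "*")
            for n, ip in parse_hops(text)]


if __name__ == "__main__":
    print("RFC 1918 hops:", private_hops(SAMPLE_TRACEROUTE))
    for n, ip in filtered_view(SAMPLE_TRACEROUTE):
        print(f"{n:3d}  {ip}")
```

Run as-is it reports hops 15 and 16 as RFC 1918 and renders them as `*` in the filtered view, which is Howard's second alternative; the first alternative is exactly what `ingress_permits` refuses to do for those sources.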
RE: Private Internet Addressing
On Mon, 26 Feb 2001, Leigh Anne Chisholm wrote:

> Where I'm located, it seems that "major" ISP's are being bought left-right-and-center. I would think that with some of the acquisitions that have been made, what could have been a simple "merging" of networks would get a little ugly, trying to remove the duplicate "private internet addressing" routes from all the providers, replacing these configurations with new addressing schemes. Or am I still missing the boat? (-:

Brian Feeny wrote:

> This is common in both Enterprise and ISP situations. NAT can be made to deal with this. When two networks have duplicate private addressing, you can use NAT to remedy this.

Specifically, double NAT, where each former enterprise maps into a private DMZ, so translations between the enterprises do not require coordination between them, just with the NAT administrator.
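The double-NAT arrangement Howard describes can be shown with a small model. The Python below is an added example, not code from any poster: two merged enterprises both numbered 10.1.0.0/16 inside, each assigned its own alias prefix in a shared private DMZ by the NAT administrator; a packet crosses the sender's NAT (source rewritten), the DMZ, and the receiver's NAT (destination rewritten). All prefixes and hosts are constructed.

```python
# Added example (not from the thread): static one-to-one "double NAT" between
# two merged enterprises that both use the same RFC 1918 prefix inside.  Each
# enterprise gets its own alias prefix in a shared private DMZ; only the NAT
# administrator needs to know both mappings.  All prefixes are constructed.
import ipaddress
from typing import Dict, Tuple


class NatBoundary:
    """One enterprise's NAT edge: inside prefix <-> unique DMZ alias prefix.
    Host bits are preserved, so the mapping is stateless and reversible."""

    def __init__(self, name: str, inside: str, dmz_alias: str):
        self.name = name
        self.inside = ipaddress.ip_network(inside)
        self.dmz = ipaddress.ip_network(dmz_alias)
        if self.inside.prefixlen != self.dmz.prefixlen:
            raise ValueError("inside and DMZ alias prefixes must be the same size")

    @staticmethod
    def _shift(addr: str, src_net, dst_net) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src_net:
            return str(ip)                      # not ours: pass through unchanged
        offset = int(ip) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def outbound(self, src: str, dst: str) -> Tuple[str, str]:
        """inside -> DMZ: rewrite the source to its DMZ alias; the destination
        is already the other side's alias and is left alone."""
        return self._shift(src, self.inside, self.dmz), dst

    def inbound(self, src: str, dst: str) -> Tuple[str, str]:
        """DMZ -> inside: rewrite the destination alias back to the real inside
        address; the source stays as the peer's alias."""
        return src, self._shift(dst, self.dmz, self.inside)


def double_nat(sender: NatBoundary, receiver: NatBoundary,
               src_inside: str, dst_alias: str) -> Dict[str, Tuple[str, str]]:
    """Trace (src, dst) as a packet crosses sender's NAT, the DMZ, and
    receiver's NAT.  The two inside networks may overlap completely."""
    in_dmz = sender.outbound(src_inside, dst_alias)
    delivered = receiver.inbound(*in_dmz)
    return {"in_dmz": in_dmz, "delivered": delivered}


# Constructed: both former enterprises numbered themselves 10.1.0.0/16.
ENT_A = NatBoundary("A", "10.1.0.0/16", "10.201.0.0/16")
ENT_B = NatBoundary("B", "10.1.0.0/16", "10.202.0.0/16")

if __name__ == "__main__":
    # A's host 10.1.5.5 reaches B's host 10.1.7.7 through its alias 10.202.7.7.
    print(double_nat(ENT_A, ENT_B, "10.1.5.5", "10.202.7.7"))
    # B's reply is addressed to A's alias 10.201.5.5 and lands on 10.1.5.5.
    print(double_nat(ENT_B, ENT_A, "10.1.7.7", "10.201.5.5"))
```

Each enterprise only ever sees the other through its alias prefix, so neither has to renumber or learn the other's internal plan; the only shared fact is the alias assignment held by the NAT administrator.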
RE: Private Vlans
> http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/vlans.htm
> http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm
>
> Give a good idea of configuring and deploying PVLAN's

These pointers became my introduction to Private VLANs. My first impression of the material was "huh? What problem is this solving?" My second impression is that the marketing people have come up with yet another proprietary name for a set of functions that all are well-defined, although admittedly it may be original to package them together.

The motivation for much of this seems to be generalizing "Ethernet" to non-LAN applications, such as using optical Fast or Gigabit Ethernet as an access technique. Inside Nortel, I recently was accused of sending out the "sermon email" bewailing that the word "Ethernet" is being extended so that it's approximately as precise as "switch" or "hub," rather than a family of specific IEEE 802 specifications and some vendor extensions.

As I read the Private VLAN spec, although I haven't extensively analyzed it, it appears to be a means of imposing a hub-and-spoke, NBMA subnet onto a switched Ethernet subnet. In other words, switched Ethernet is normally a classical IP subnet that follows the local versus remote assumption: if you are on the same subnet as another node, according to this assumption, you have layer 2 connectivity to it. WAN NBMA services such as frame and ATM partial meshes violate this assumption. Private VLANs appear to be such a topology restriction, which I suppose may have applications when VLAN technology is simply being used for transmission.

It's rather ironic that VLANs, as first defined in IEEE 802.10, were conceived as a security solution and included encryption. The evolution to 802.1 took out the security features, but Private VLANs are introducing a different security mechanism.

If I went back to basics in the 802.10 model and applied it to private VLANs, considering one direction of transmission only just for simplicity, I might achieve a cryptographic equivalent that suggests that the promiscuous node had a set of decryption keys for traffic encrypted by isolated ports. Isolated ports would each have a unique encryption key. Another way to look at it is that there is, in IPsec terms, a set of security associations from the isolated ports to a common promiscuous port. Many-to-one topology, in contrast to the usual one-to-many we see in multicast.

On the other hand, the same topology could be achieved by having each isolated node use a /31 subnet, or some flavor of unnumbered subnet, and have the promiscuous node present some aggregated subnet to the larger routing system.

So I'm not sure precisely what problem this solves. It seems to have an assumption that it is worthwhile to reduce the number of VLANs in the system, but I'm not completely sure why this is a problem. Limiting IDB consumption by subinterfaces perhaps?
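The hub-and-spoke restriction Howard describes, and KY's earlier point that a private VLAN only controls ports within one VLAN, can be written down as a forwarding rule and checked. The Python below is an added example, not code from any poster or from Cisco: it models the layer-2 decision for the port roles in Cisco's PVLAN documentation (promiscuous and isolated as in the thread, plus community ports, which the thread does not mention), and includes a second primary VLAN to show that the rules say nothing about traffic between VLANs. Port names and VLAN numbers are constructed.

```python
# Added example (not from the thread): a model of the layer-2 forwarding
# decision inside a Cisco private VLAN.  Port roles follow Cisco's PVLAN
# documentation: promiscuous, isolated and community (the last is not
# mentioned in the thread).  Port names and VLAN numbers are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Port:
    name: str
    primary_vlan: int                 # the primary VLAN this port belongs to
    role: str                         # "promiscuous", "isolated" or "community"
    community: Optional[str] = None   # community name; only for community ports


def can_forward(src: Port, dst: Port) -> bool:
    """Would the switch bridge a frame from src to dst?
    - different primary VLANs: never (PVLAN rules do not bridge between VLANs)
    - either end promiscuous: yes (the hub of the hub-and-spoke topology)
    - both community ports of the same community: yes
    - anything involving an isolated port, or two communities: no"""
    if src == dst or src.primary_vlan != dst.primary_vlan:
        return False
    if "promiscuous" in (src.role, dst.role):
        return True
    return (src.role == dst.role == "community"
            and src.community is not None
            and src.community == dst.community)


def reachable_from(port: Port, ports: List[Port]) -> List[str]:
    """Names of the ports a frame from `port` can reach at layer 2."""
    return sorted(p.name for p in ports if can_forward(port, p))


def isolation_matrix(ports: List[Port]) -> Dict[str, List[str]]:
    """Per-port reachability, the thing a customer asking about 'leaks'
    would want to see for their own ports."""
    return {p.name: reachable_from(p, ports) for p in ports}


# Constructed: primary VLAN 100 shared by three customers (A on isolated
# ports, B and C on community ports), and a second primary VLAN 200.
PORTS = [
    Port("uplink-100", 100, "promiscuous"),
    Port("custA-srv1", 100, "isolated"),
    Port("custA-srv2", 100, "isolated"),
    Port("custB-web", 100, "community", "custB"),
    Port("custB-db", 100, "community", "custB"),
    Port("custC-srv", 100, "community", "custC"),
    Port("uplink-200", 200, "promiscuous"),
    Port("custD-srv", 200, "isolated"),
]

if __name__ == "__main__":
    for name, peers in isolation_matrix(PORTS).items():
        print(f"{name:12s} -> {peers}")
```

The output is Howard's many-to-one picture: every isolated port reaches only the promiscuous uplink, community members additionally reach each other, and the uplink reaches everything in its primary VLAN. Whether traffic then moves between VLAN 100 and VLAN 200 is a routing and filtering question outside these rules, which is why a separate switch or encryption, as KY suggests, is the answer to a customer worried about the VLAN boundary itself.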
Private Vlans
Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.

Thanks
Re: Private Vlans
i thought this is an appropriate link for all, who first want to learn how to search the web and then do it right.

http://www.hq.nasa.gov/office/hqlibrary/pathfinders/nethelp.htm

and here is the info you should have found at www.cisco.com on VLANs:

http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VLANs_and_Trunking:802.1Q

----- Original Message -----
From: "Roberts, Timothy" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 27, 2001 1:36 PM
Subject: Private Vlans

> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>
> Thanks
RE: Private Vlans
Thank you, "nobody" for helping teach common sense - but Timothy DID indicate he did try to find the information on Cisco's site before he posted his query to the group.

PRIVATE VLANs are the latest switching hype to come out of Cisco. Our local Cisco rep recently did a presentation which covered this - and there's so little information that explains this topic well, even HE was confused.

I quickly scanned the link you provided on www.cisco.com for more information on private VLANs. Perhaps you could provide Timothy and myself with a more direct link?

-- Leigh Anne

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of nobody
Sent: February 27, 2001 4:44 PM
To: Roberts, Timothy; [EMAIL PROTECTED]
Subject: Re: Private Vlans

> i thought this is an appropriate link for all, who first want to learn how to search the web and then do it right.
>
> http://www.hq.nasa.gov/office/hqlibrary/pathfinders/nethelp.htm
>
> and here is the info you should have found at www.cisco.com on VLANs:
>
> http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VLANs_and_Trunking:802.1Q
>
> ----- Original Message -----
> From: "Roberts, Timothy" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 27, 2001 1:36 PM
> Subject: Private Vlans
>
>> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>>
>> Thanks
RE: Private Vlans
I did not ask for general information regarding VLANs. I asked if anyone knew about any specific links regarding PRIVATE VLANS. You know, something that has more than one line pertaining to PRIVATE VLANS. But thank you very much for your assistance. It was greatly appreciated. I just hope that everyone else on this list can benefit from your wonderful words of wisdom.

-----Original Message-----
From: nobody [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 27, 2001 3:44 PM
To: Roberts, Timothy; [EMAIL PROTECTED]
Subject: Re: Private Vlans

> i thought this is an appropriate link for all, who first want to learn how to search the web and then do it right.
>
> http://www.hq.nasa.gov/office/hqlibrary/pathfinders/nethelp.htm
>
> and here is the info you should have found at www.cisco.com on VLANs:
>
> http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VLANs_and_Trunking:802.1Q
>
> ----- Original Message -----
> From: "Roberts, Timothy" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 27, 2001 1:36 PM
> Subject: Private Vlans
>
>> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>>
>> Thanks
Re: Private Vlans
sorry, my oversight. i already responded to timothy, but if you go to www.google.com and type in private vlans you should be at the beginning of your search. i only skimmed through the first few links and it seems worth a while ;-)

p.

----- Original Message -----
From: "Leigh Anne Chisholm" <[EMAIL PROTECTED]>
To: "nobody" <[EMAIL PROTECTED]>; "Roberts, Timothy" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Tuesday, February 27, 2001 4:11 PM
Subject: RE: Private Vlans

> Thank you, "nobody" for helping teach common sense - but Timothy DID indicate he did try to find the information on Cisco's site before he posted his query to the group.
>
> PRIVATE VLANs are the latest switching hype to come out of Cisco. Our local Cisco rep recently did a presentation which covered this - and there's so little information that explains this topic well, even HE was confused.
>
> I quickly scanned the link you provided on www.cisco.com for more information on private VLANs. Perhaps you could provide Timothy and myself with a more direct link?
>
> -- Leigh Anne
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of nobody
> Sent: February 27, 2001 4:44 PM
> To: Roberts, Timothy; [EMAIL PROTECTED]
> Subject: Re: Private Vlans
>
>> i thought this is an appropriate link for all, who first want to learn how to search the web and then do it right.
>>
>> http://www.hq.nasa.gov/office/hqlibrary/pathfinders/nethelp.htm
>>
>> and here is the info you should have found at www.cisco.com on VLANs:
>>
>> http://www.cisco.com/cgi-bin/Support/PSP/psp_view.pl?p=Internetworking:VLANs_and_Trunking:802.1Q
>>
>> ----- Original Message -----
>> From: "Roberts, Timothy" <[EMAIL PROTECTED]>
>> To: <[EMAIL PROTECTED]>
>> Sent: Tuesday, February 27, 2001 1:36 PM
>> Subject: Private Vlans
>>
>>> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>>>
>>> Thanks
Re: Private Vlans
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/vlans.htm is what I use for understanding/configuring PVLANs. This explains the technology and how to deploy it. I wouldn't consider this marketing information.

"Roberts, Timothy" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Can someone please provide me with a link to some good information on Private Vlans. I checked out Cisco's site but the only thing that I could find took me to marketing information on the 6500.
>
> Thanks
RE: Private Vlans
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sft_6_1/configgd/vlans.htm
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/tech/c65sp_wp.htm

Give a good idea of configuring and deploying PVLAN's

> Thank you, "nobody" for helping teach common sense - but Timothy DID indicate he did try to find the information on Cisco's site before he posted his query to the group.
>
> PRIVATE VLANs are the latest switching hype to come out of Cisco. Our local Cisco rep recently did a presentation which covered this - and there's so little information that explains this topic well, even HE was confused.
>
> I quickly scanned the link you provided on www.cisco.com for more information on private VLANs. Perhaps you could provide Timothy and myself with a more direct link?
>
> -- Leigh Anne

Stan M. Hoffman, MCSE, CCNA
Senior Network Engineer
RealEC
Houston, TX
Re: Private Internet Addressing
ElephantChild wrote:

> RFC 1918, section 3: "[...]Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, *and packets with private source or destination addresses should not be forwarded across such links.*"

...But that's not what's happening in the case of the traceroute which started this discussion. The only reason we're seeing those private addresses is because we're basically snooping around in someone else's network. RFC 1918 is still being upheld - privately-addressed traffic is not being forwarded over inter-enterprise links.

The difference is this: "information about private networks shall not be *propagated*"...meaning my routers must not actively advertise my private networks to external ASes. Well, okay - the ISP isn't doing that. But when we trace through a network using private addresses, we will see them - we're snooping around, but the routers aren't actively propagating those private numbers.

I'm excited about IPv6...but if we can make v4 last a little while longer, hey, let's do it. ;-)

BJ
RE: Private Internet Addressing
Really? So you wouldn't recommend using RFC 1918 addressing in a transient network, say, for a customer (end user) production network, as a means of securing the routers/switches that transport the data? The servers used direct server return (http://www.foundrynet.com/genFaqDSR.html), and didn't incur the performance penalty usually associated with NAT...

I'm not sure what you mean by a transient network. But if the hosts on that network connect to the Internet, they should:

1. Tunnel to endpoints using private address space (i.e., you are building a VPN)
2. Use registered address space
3. Use private address space and NAT on the provider side.

It concerns me, however, that private address space, without being discussed along with explicit filtering and other complementary security mechanisms, can be thought of as adding any reliable level of security. Yes, you may not be reachable in the global Internet. But without other controls, you might be quite accessible from other customers of the same providers.

Private addressing does have a place, and a good one. But it shouldn't EVER appear, IMNSHO, in ANY global Internet communications, whether those are the sources of packets or simply traceroute results. Too many operational and security implications. I don't think use of RFC 1918 for any form of Internet connectivity can be consistent with RFC 2828 and related anti-hacking measures.

I've built several networks using this type of addressing scheme, in conjunction with the use of OSPF and haven't had any problems... I realize that this is not the same class of network (ISP), but it was a design used for several e-commerce sites... I would just like to know other peoples' opinion on this practice, especially yours, Howard... :)

Thanks

Brant I. Stevens
Internetwork Solutions Engineer
Thrupoint, Inc.
545 Fifth Avenue, 14th Floor
New York, NY. 10017
646-562-6540

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: Sunday, February 25, 2001 6:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

This remains a continuing thread on NANOG. My personal view is that the world has certain ISPs, such as cais.net DSL and apparently US West in your example, that exist for the same reason as do warthogs: to make roses even more beautiful. Several major ISPs have this pernicious practice, which confuses traceroute (in several ways), reverse DNS, and MTU path discovery. They are ISPs with significant allocations of address space and should be able to get more.

I personally believe that anyone that uses private address space in a path where public traffic will EVER route through one of the addresses, is, at best, being irresponsible. Sort of like looking for the gas leak with a lighted match.

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
RE: Private Internet Addressing
Where I'm located, it seems that "major" ISP's are being bought left-right-and-center. I would think that with some of the acquisitions that have been made, what could have been a simple "merging" of networks would get a little ugly, trying to remove the duplicate "private internet addressing" routes from all the providers, replacing these configurations with new addressing schemes. Or am I still missing the boat? (-:

-- Leigh Anne

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: February 26, 2001 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: Private Internet Addressing

Really? So you wouldn't recommend using RFC 1918 addressing in a transient network, say, for a customer (end user) production network, as a means of securing the routers/switches that transport the data? The servers used direct server return (http://www.foundrynet.com/genFaqDSR.html), and didn't incur the performance penalty usually associated with NAT...

I'm not sure what you mean by a transient network. But if the hosts on that network connect to the Internet, they should:

1. Tunnel to endpoints using private address space (i.e., you are building a VPN)
2. Use registered address space
3. Use private address space and NAT on the provider side.

It concerns me, however, that private address space, without being discussed along with explicit filtering and other complementary security mechanisms, can be thought of as adding any reliable level of security. Yes, you may not be reachable in the global Internet. But without other controls, you might be quite accessible from other customers of the same providers.

Private addressing does have a place, and a good one. But it shouldn't EVER appear, IMNSHO, in ANY global Internet communications, whether those are the sources of packets or simply traceroute results. Too many operational and security implications. I don't think use of RFC 1918 for any form of Internet connectivity can be consistent with RFC 2828 and related anti-hacking measures.

I've built several networks using this type of addressing scheme, in conjunction with the use of OSPF and haven't had any problems... I realize that this is not the same class of network (ISP), but it was a design used for several e-commerce sites... I would just like to know other peoples' opinion on this practice, especially yours, Howard... :)

Thanks

Brant I. Stevens
Internetwork Solutions Engineer
Thrupoint, Inc.
545 Fifth Avenue, 14th Floor
New York, NY. 10017
646-562-6540

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: Sunday, February 25, 2001 6:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

This remains a continuing thread on NANOG. My personal view is that the world has certain ISPs, such as cais.net DSL and apparently US West in your example, that exist for the same reason as do warthogs: to make roses even more beautiful. Several major ISPs have this pernicious practice, which confuses traceroute (in several ways), reverse DNS, and MTU path discovery. They are ISPs with significant allocations of address space and should be able to get more.

I personally believe that anyone that uses private address space in a path where public traffic will EVER route through one of the addresses, is, at best, being irresponsible. Sort of like looking for the gas leak with a lighted match.

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
RE: Private Internet Addressing
As part of this thread, several people have mentioned that one of the problems created is "breaking MTU path discovery." Could someone explain what this means?

Thanks

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 25, 2001 11:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

and the reason an ISP would be considered "clueless" for using RFC1918 on internal point to points is..?

Brian

Let's see...

It confuses troubleshooting because valid routes may appear to be looping, with the same address traversed more than once.
The addresses can't be resolved with reverse DNS.
It breaks MTU path discovery.
It violates the spirit of RFC 2827 and reverse path verification.
RE: Private Internet Addressing: MTU Path Discovery
Maximum Transfer Units (MTU) have a significant impact on the efficiency of traffic flow. MTU's are set on a per link basis and describe the maximum datagram size permitted on a link. Should a datagram size exceed the particular MTU on a link, the datagram is either dropped or fragmented depending on the state of the DF (do not fragment) bit in the datagram header. In the event of a drop, an ICMP Destination Unreachable message is sent from the router who dropped the datagram to the source.

MTU path discovery involves a process where the source tries to figure out what the lowest MTU is across a set of links from source to destination. Figuring this out allows the pending transmission to be optimized from an MTU perspective. The process as described in RFC 1191 indicates that a source will send a datagram with the DF bit set (i.e. do not fragment) and an MTU equal to the size of its Next_Hop router which it already knows. Should this MTU be the lowest, the transmission will succeed. Should another MTU be lower along the path, an ICMP message indicating a need to unset the DF bit will be returned by the particular router with the lower MTU setting. Upon receiving this message, the source can either retest with a lower MTU, or decide to unset the DF bit.

However, should that particular router happen to have a link address out of the 1918 block, the likelihood of the source ever receiving the ICMP notification is significantly diminished due to best practices filtering policies which hopefully have been enacted with other AS's. Hence, the source will be unable to successfully complete this process.

Hope that helps

Pete

*** REPLY SEPARATOR ***

On 2/26/2001 at 10:44 AM Kane, Christopher A. wrote:

As part of this thread, several people have mentioned that one of the problems created is "breaking MTU path discovery." Could someone explain what this means?

Thanks

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 25, 2001 11:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

and the reason an ISP would be considered "clueless" for using RFC1918 on internal point to points is..?

Brian

Let's see...

It confuses troubleshooting because valid routes may appear to be looping, with the same address traversed more than once.
The addresses can't be resolved with reverse DNS.
It breaks MTU path discovery.
It violates the spirit of RFC 2827 and reverse path verification.
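The failure Pete and Howard describe, as an added example that is not part of any post in the thread: a toy model of RFC 1191 path MTU discovery in which the router with the smallest link answers the DF-set probe with ICMP "fragmentation needed" from its own interface address. When that interface is numbered from RFC 1918 space and the sender's border drops inbound packets with private sources, the ICMP never arrives and the sender black-holes. The hop addresses, MTUs and filter policy are constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are documentation prefixes), not the uswest.net path from the traceroute.

```python
"""Toy RFC 1191 path MTU discovery, showing the RFC 1918 black hole.

Added example; hops, MTUs and the filter policy are constructed, not taken
from the thread's traceroute.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC 1918 blocks.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


@dataclass
class Hop:
    addr: str  # interface address the router uses as the source of ICMP errors it generates
    mtu: int   # MTU of this hop's outbound link


def pmtud(path: List[Hop], start_mtu: int, border_drops_private_sources: bool = True,
          max_probes: int = 10) -> Tuple[Optional[int], int]:
    """Return (discovered path MTU, probes sent), or (None, probes) if PMTUD black-holes.

    Each probe is a DF-set datagram of the current size.  The first hop whose
    link MTU is smaller than the probe drops it and answers with ICMP type 3
    code 4 carrying its next-hop MTU (RFC 1191 section 4); the sender then
    retries at that size.
    """
    size = start_mtu
    for probes in range(1, max_probes + 1):
        bottleneck = next((h for h in path if size > h.mtu), None)
        if bottleneck is None:
            return size, probes  # probe reached the far end: this size is the path MTU
        if border_drops_private_sources and is_rfc1918(bottleneck.addr):
            # The ICMP "fragmentation needed" message is sourced from a private
            # address, so the sender's ingress filter discards it.  The sender
            # sees only silence and keeps retransmitting at the same size.
            return None, probes
        size = bottleneck.mtu
    return None, max_probes


# Constructed paths: identical except for the address of the bottleneck router.
PUBLIC_PATH = [Hop("203.0.113.1", 1500), Hop("198.51.100.1", 1480), Hop("203.0.113.254", 1500)]
PRIVATE_PATH = [Hop("203.0.113.1", 1500), Hop("192.168.8.1", 1480), Hop("203.0.113.254", 1500)]

if __name__ == "__main__":
    print("public bottleneck :", pmtud(PUBLIC_PATH, 1500))     # (1480, 2)
    print("private bottleneck:", pmtud(PRIVATE_PATH, 1500))    # (None, 1)
    print("private, no filter:", pmtud(PRIVATE_PATH, 1500, border_drops_private_sources=False))  # (1480, 2)
```

The model makes the trade-off explicit: the same ingress filter that keeps spoofed private-source packets out (the right thing to do at a border) is what silences the ICMP from a privately numbered core link, so the fix belongs on the ISP side (public addressing on transit links) rather than in relaxing the filter. Packetization-layer PMTUD (RFC 4821), which probes without relying on ICMP, is the end-host workaround.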
Re: Private Internet Addressing
On Mon, 26 Feb 2001, Bradley J. Wilson wrote:

ElephantChild wrote:

RFC 1918, section 3: "[...]Because private addresses have no global meaning, routing information about private networks shall not be propagated on inter-enterprise links, *and packets with private source or destination addresses should not be forwarded across such links.*"

...But that's not what's happening in the case of the traceroute which started this discussion. The only reason we're seeing those private addresses is because we're basically snooping around in someone else's network. RFC 1918 is still being upheld - privately-addressed traffic is not being forwarded over inter-enterprise links.

and the packets being sourced or destined are not being done from rfc1918 space, just passing thru it.

The difference is this: "information about private networks shall not be *propagated*"...meaning my routers must not actively advertise my private networks to external ASes. Well, okay - the ISP isn't doing that. But when we trace through a network using private addresses, we will see them - we're snooping around, but the routers aren't actively propagating those private numbers.

I'm excited about IPv6...but if we can make v4 last a little while longer, hey, let's do it. ;-)

BJ

---
I'm buying / selling used CISCO gear!! email me for a quote
Brian Feeny, CCDP, CCNP+VAS          Scarlett Parria
[EMAIL PROTECTED]                    [EMAIL PROTECTED]
318-222-2638 x 109                   318-222-2638 x 101
Netjam, LLC http://www.netjam.net
1401 Oden St. Suite 18
Shreveport, LA 71104
Fax 318-221-6612
RE: Private Internet Addressing
On Mon, 26 Feb 2001, Leigh Anne Chisholm wrote:

Where I'm located, it seems that "major" ISP's are being bought left-right-and-center. I would think that with some of the acquisitions that have been made, what could have been a simple "merging" of networks would get a little ugly, trying to remove the duplicate "private internet addressing" routes from all the providers, replacing these configurations with new addressing schemes. Or am I still missing the boat? (-:

This is common in both Enterprise and ISP situations. NAT can be made to deal with this. When two networks have duplicate private addressing, you can use NAT to remedy this.

---
I'm buying / selling used CISCO gear!! email me for a quote
Brian Feeny, CCDP, CCNP+VAS          Scarlett Parria
[EMAIL PROTECTED]                    [EMAIL PROTECTED]
318-222-2638 x 109                   318-222-2638 x 101
Netjam, LLC http://www.netjam.net
1401 Oden St. Suite 18
Shreveport, LA 71104
Fax 318-221-6612
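The NAT arrangement Brian refers to, as an added example that is not part of his post: when two merged networks both use 192.168.1.0/24, a NAT box between them gives each side an alias prefix for the other and rewrites both source and destination on every packet (the overlapping-network, or "twice NAT", pattern). The real prefix, the two alias prefixes and the host addresses below are constructed for illustration.

```python
"""Static twice-NAT between two networks that both use the same RFC 1918 prefix.

Added example; the prefixes and hosts are constructed, not from the thread.
"""
import ipaddress
from typing import Tuple


def remap(addr: str, from_net: str, to_net: str) -> str:
    """Static 1:1 translation that keeps the host part: addr in from_net -> same host in to_net."""
    a = ipaddress.ip_address(addr)
    src_net = ipaddress.ip_network(from_net)
    dst_net = ipaddress.ip_network(to_net)
    if a not in src_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("alias prefix must be the same size as the real prefix")
    host_bits = int(a) - int(src_net.network_address)
    return str(dst_net.network_address + host_bits)


class OverlapNAT:
    """Joins network A and network B, both numbered from `real`.

    A's hosts appear to B as `a_alias`; B's hosts appear to A as `b_alias`.
    Hosts keep using their real addresses; only the NAT box sees the aliases.
    DNS answers handed across the boundary must carry alias addresses too
    (assumed here, not modelled).
    """

    def __init__(self, real: str, a_alias: str, b_alias: str):
        self.real, self.a_alias, self.b_alias = real, a_alias, b_alias

    def a_to_b(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving A: src is a real A address, dst is B's alias for the target."""
        return remap(src, self.real, self.a_alias), remap(dst, self.b_alias, self.real)

    def b_to_a(self, src: str, dst: str) -> Tuple[str, str]:
        """Packet leaving B: src is a real B address, dst is A's alias for the target."""
        return remap(src, self.real, self.b_alias), remap(dst, self.a_alias, self.real)


if __name__ == "__main__":
    nat = OverlapNAT(real="192.168.1.0/24", a_alias="10.100.1.0/24", b_alias="10.200.1.0/24")
    # A's 192.168.1.10 talks to B's 192.168.1.20, which A knows as 10.200.1.20
    print(nat.a_to_b("192.168.1.10", "10.200.1.20"))   # ('10.100.1.10', '192.168.1.20')
    # B replies to the address it saw, 10.100.1.10
    print(nat.b_to_a("192.168.1.20", "10.100.1.10"))   # ('10.200.1.20', '192.168.1.10')
```

The static host-preserving mapping keeps the translation stateless and reversible, which is what lets the reply in `b_to_a` land back on the original A host; the price is that the alias prefixes themselves must be unused on both sides and that any address carried inside application payloads (DNS, FTP, SIP) needs fixing up separately.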
RE: Private Internet Addressing
On Mon, 26 Feb 2001, Leigh Anne Chisholm wrote:

Where I'm located, it seems that "major" ISP's are being bought left-right-and-center. I would think that with some of the acquisitions that have been made, what could have been a simple "merging" of networks would get a little ugly, trying to remove the duplicate "private internet addressing" routes from all the providers, replacing these configurations with new addressing schemes. Or am I still missing the boat? (-:

Well, there are many evils when being an ISP, and you have to choose the lesser of the evils. I don't use RFC1918 for PtP's in our network, but we do use it heavily behind NAT'ed boundaries. One of the drives to use private addressing is because ISP's tend to have a lot of /30's. ARIN may give huge chunks of space to big players, with or without the same levels and degree of justification that is required of say a smaller regional ISP. These ISP's are trying to squeeze every bit of efficiency out of their addressing...where players like PSInet can just chunk down a /24 for any customer they feel like giving one to.

Brian

-- Leigh Anne

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: February 26, 2001 7:44 AM
To: [EMAIL PROTECTED]
Subject: RE: Private Internet Addressing

Really? So you wouldn't recommend using RFC 1918 addressing in a transient network, say, for a customer (end user) production network, as a means of securing the routers/switches that transport the data? The servers used direct server return (http://www.foundrynet.com/genFaqDSR.html), and didn't incur the performance penalty usually associated with NAT...

I'm not sure what you mean by a transient network. But if the hosts on that network connect to the Internet, they should:

1. Tunnel to endpoints using private address space (i.e., you are building a VPN)
2. Use registered address space
3. Use private address space and NAT on the provider side.

It concerns me, however, that private address space, without being discussed along with explicit filtering and other complementary security mechanisms, can be thought of as adding any reliable level of security. Yes, you may not be reachable in the global Internet. But without other controls, you might be quite accessible from other customers of the same providers.

Private addressing does have a place, and a good one. But it shouldn't EVER appear, IMNSHO, in ANY global Internet communications, whether those are the sources of packets or simply traceroute results. Too many operational and security implications. I don't think use of RFC 1918 for any form of Internet connectivity can be consistent with RFC 2828 and related anti-hacking measures.

I've built several networks using this type of addressing scheme, in conjunction with the use of OSPF and haven't had any problems... I realize that this is not the same class of network (ISP), but it was a design used for several e-commerce sites... I would just like to know other peoples' opinion on this practice, especially yours, Howard... :)

Thanks

Brant I. Stevens
Internetwork Solutions Engineer
Thrupoint, Inc.
545 Fifth Avenue, 14th Floor
New York, NY. 10017
646-562-6540

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Howard C. Berkowitz
Sent: Sunday, February 25, 2001 6:32 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

This remains a continuing thread on NANOG. My personal view is that the world has certain ISPs, such as cais.net DSL and apparently US West in your example, that exist for the same reason as do warthogs: to make roses even more beautiful. Several major ISPs have this pernicious practice, which confuses traceroute (in several ways), reverse DNS, and MTU path discovery. They are ISPs with significant allocations of address space and should be able to get more.

I personally believe that anyone that uses private address space in a path where public traffic will EVER route through one of the addresses, is, at best, being irresponsible. Sort of like looking for the gas leak with a lighted match.

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that
RE: Private Internet Addressing
On Mon, 26 Feb 2001, Kane, Christopher A. wrote:

As part of this thread, several people have mentioned that one of the problems created is "breaking MTU path discovery." Could someone explain what this means?

The smallest MTU in the path of a link is the Path MTU. How do routers know what size MTU to use, when the link may consist of 10 hops and a varying degree of routers and media types? This can be done via path mtu discovery. Two systems establish a connection, they let each other know their MTU/MSS sizes. The lesser of the two is used. Packets are sent using this size, and with the DF bit set, so that they won't be fragmented. If a transited router receives the packet with the DF bit set, and it's too big, it will send back a "ICMP Can't Fragment" to the source. This tells the source to re-attempt at a lower size. Once a packet can make it all the way thru with the DF bit set, then the Path MTU has been discovered.

Brian

Thanks

-Original Message-
From: Howard C. Berkowitz [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 25, 2001 11:21 PM
To: [EMAIL PROTECTED]
Subject: Re: Private Internet Addressing

and the reason an ISP would be considered "clueless" for using RFC1918 on internal point to points is..?

Brian

Let's see...

It confuses troubleshooting because valid routes may appear to be looping, with the same address traversed more than once.
The addresses can't be resolved with reverse DNS.
It breaks MTU path discovery.
It violates the spirit of RFC 2827 and reverse path verification.

---
I'm buying / selling used CISCO gear!! email me for a quote
Brian Feeny, CCDP, CCNP+VAS          Scarlett Parria
[EMAIL PROTECTED]                    [EMAIL PROTECTED]
318-222-2638 x 109                   318-222-2638 x 101
Netjam, LLC http://www.netjam.net
1401 Oden St. Suite 18
Shreveport, LA 71104
Fax 318-221-6612
Private Internet Addressing
I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
Re: Private Internet Addressing
The key as I understand it, is this is not propagated between providers. As this is internal to one provider, you can use private networks to conserve address space. We do this all the time with firewalls, etc. You won't be able to get to the address from outside our network though.

"Leigh Anne Chisholm" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
Re: Private Internet Addressing
well did you try to ping them ?? or maybe telnet to them??

Perhaps those routes are "internal" to US West. The routes themselves are probably not being "advertised" on the internet.

I just tried to ping them from two very physically different connected sources - with no response. Of course, my two ISPs may well be blocking them. (as they should be)

Traceroute just told you how it got there, not necessarily that those addresses are available to the world.

Kevin Wigle

- Original Message -
From: "Leigh Anne Chisholm" [EMAIL PROTECTED]
To: "Cisco@Groupstudy. Com" [EMAIL PROTECTED]
Sent: Sunday, 25 February, 2001 17:01
Subject: Private Internet Addressing

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
Re: Private Internet Addressing
On Sun, 25 Feb 2001, Leigh Anne Chisholm wrote:

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

Yes you did. You can use RFC1918 addresses internal to your network. In the above, uswest is using the space internal to their network. It's OK to build internal PtP links using rfc1918, since traffic isn't sourced/destined directly for these links, only thru them. The down side is you may end up with some Path MTU discovery issues. Also, you should not see the 192.168.x.x in your trace route, if you're blocking rfc1918 inbound at your border, which is always a good idea.

Brian

-- Leigh Anne

---
I'm buying / selling used CISCO gear!! email me for a quote
Brian Feeny, CCDP, CCNP+VAS          Scarlett Parria
[EMAIL PROTECTED]                    [EMAIL PROTECTED]
318-222-2638 x 109                   318-222-2638 x 101
Netjam, LLC http://www.netjam.net
1401 Oden St. Suite 18
Shreveport, LA 71104
Fax 318-221-6612
RE: Private Internet Addressing
The IP addresses shown in the traceroutes are the "source IP addresses" in the returning packets. Normally, routers route packets using the destination IP addresses in the packets. The destination IP address in the returning packets is your machine's IP address, that is how you were able to receive the traceroute info, but the info displayed is the IP addresses of the hosts who sent the returned packets, so you can still receive traffic sourced from machines with private IP addresses.

HTH,

Rog

-Original Message-
From: Leigh Anne Chisholm [mailto:[EMAIL PROTECTED]]
Sent: Sunday, February 25, 2001 5:01 PM
To: Cisco@Groupstudy. Com
Subject: Private Internet Addressing

I did a traceroute to one of US West's customers... got some interesting results:

13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]

RFC 1918 - "Address Allocation for Private Internets" indicates 192.168.0.0 through 192.168.255.255 (192.168/16 prefix) is reserved for private internets. Hops 15 and 16 in my traceroute show that addresses within this range are being used publicly. Did I miss something? Have the "for private use only" IP addresses now been given the green light to be used within the internet?

-- Leigh Anne
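Rog's point (traceroute displays the source address of each ICMP time-exceeded reply) and Brian's advice (drop RFC 1918 sources inbound at the border) together, as an added example that belongs to neither post: parse the traceroute quoted in the thread, flag the hops that answered from RFC 1918 space, and model the border ingress filter. With the filter in place the replies from hops 15 and 16 are discarded, so those hops show as "* * *" rather than 192.168.x.x. The filter also drops packets claiming to come from the site's own prefix, the RFC 2827 check Howard mentions; the prefix 203.0.113.0/24 used below is a constructed placeholder, and the traceroute lines are the ones posted to the list.

```python
"""Parse the thread's tracert output, flag RFC 1918 hops, and model a border ingress filter.

Added example.  TRACE is the output posted to the list; 203.0.113.0/24 is a
constructed stand-in for the reader's own prefix.
"""
import ipaddress
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hops 13-17 exactly as posted (Windows tracert format).
TRACE = """\
13 206 ms 179 ms 123 ms gig0-0-0.phnx-sust1.phnx.uswest.net [206.80.192.253]
14 1016 ms 151 ms 975 ms 207.224.191.2
15 233 ms 124 ms 123 ms 192.168.8.1
16 151 ms 179 ms 123 ms 192.168.100.147
17 247 ms 192 ms 151 ms vdsl-130-13-102-120.phnx.uswest.net [130.13.102.120]"""


def parse_hop(line: str) -> Optional[Tuple[int, Optional[str], Optional[str]]]:
    """Return (hop, hostname, address) for one tracert line, or None if it is not a hop line.

    tracert prints "hostname [addr]" when reverse DNS resolves and a bare
    address otherwise; a hop that timed out ("* * * Request timed out.")
    yields (hop, None, None).
    """
    tokens = line.split()
    if len(tokens) < 2 or not tokens[0].isdigit():
        return None
    hop = int(tokens[0])
    last = tokens[-1]
    if last.startswith("[") and last.endswith("]"):
        return hop, tokens[-2], last[1:-1]
    try:
        ipaddress.ip_address(last)
    except ValueError:
        return hop, None, None
    return hop, None, last


def private_hops(trace: str) -> List[Tuple[int, str]]:
    """Hops whose ICMP reply was sourced from an RFC 1918 address."""
    found = []
    for line in trace.splitlines():
        parsed = parse_hop(line)
        if parsed and parsed[2] and any(ipaddress.ip_address(parsed[2]) in n for n in RFC1918):
            found.append((parsed[0], parsed[2]))
    return found


def ingress_permit(src: str, own_prefix: str) -> bool:
    """Border ingress decision for a packet arriving from the Internet with source `src`.

    Drop RFC 1918 sources (no global meaning, cannot be replied to) and any
    packet claiming to originate inside our own prefix (RFC 2827 anti-spoofing).
    """
    a = ipaddress.ip_address(src)
    if any(a in n for n in RFC1918):
        return False
    if a in ipaddress.ip_network(own_prefix):
        return False
    return True


def filtered_view(trace: str, own_prefix: str) -> str:
    """The same traceroute as seen once the ingress filter is in place."""
    out = []
    for line in trace.splitlines():
        parsed = parse_hop(line)
        if parsed and parsed[2] and not ingress_permit(parsed[2], own_prefix):
            out.append(f"{parsed[0]} * * * (ICMP reply from {parsed[2]} dropped at border)")
        else:
            out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(private_hops(TRACE))
    print(filtered_view(TRACE, "203.0.113.0/24"))
```

Seeing a private address in a traceroute is therefore evidence about the other network's numbering and about the absence of an ingress filter on your own side, not evidence that the private prefix is reachable; Kevin's ping test in the thread is the right follow-up.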
Re: Private Internet Addressing
me thinks that Chuck is heavy into "lab date is almost here studying mode" Kevin Wigle - Original Message - From: "ElephantChild" [EMAIL PROTECTED] To: "Leigh Anne Chisholm" [EMAIL PROTECTED] Cc: "Cisco@Groupstudy. Com" [EMAIL PROTECTED] Sent: Sunday, 25 February, 2001 17:52 Subject: Re: Private Internet Addressing big snip ObWhereAreTheyNow: Anyone heard from Chuck? I don't remember seeing any posts from him lately. -- According to Joyce Melton, "respondability" is cromulent. _ FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]