Does anyone here know the approximate cost of a dedicated T1 from the west
coast to Japan? Doesn't need to be exact, I just need rough numbers. I
apologize for being off subject.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7i=15184t=15184
I've had that error before. It was between 2 PIX's though. The fix ( on
both sides ) was to do a "clear crypto ipsec sa" and "clear crypto isakmp
sa". And then it worked. It was like the SA's got outa sync or something.
Or one side had a valid SA and the other didn't. On a side note - have
x Firewall Issue
Does anyone know of a vpn client for Windows 2000, I have Cisco Secure but
it doesn't run on 2000, I need to implement a vpn solution for my company
that will integrate with the PIX 515 that I just purchased..
Regards,
Kevin
From: "Kenny Sallee" [EMAIL PROTECTE
Actually it's not a good idea to do a 'conduit permit icmp any any'. If you
want ping traffic to originate inside then do this:
conduit permit icmp 208.184.23.0 255.255.255.0 any echo-reply
Think about the way ping works - your workstation sends an icmp echo - the
end station sends an icmp
Haven't you heard of the new high speed 'token ring ethernet adaptor' as
defined in RFC 2549 ;)
Kenny
"Albert Ip" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
Token Ring and Ethernet does not operate on the same principles as
Ethernet.
Ethernet uses
Try to disable fast switching..
Kenny
"Ron Tan" [EMAIL PROTECTED] wrote in message
news:001401c08f43$aa521220$47755fca@rontan...
2 sites are connected to each other by ISDN BRI. Both are configured to
react by Dialer profile. Both links are ok and
Use access lists on both sides. You can apply it to the ethernet interfaces
as an inbound ACL. For instance:
Map:
1.1.1.0/24RouterA---frameRouterB-3.3.3.0/24
2.2.2.0/24 sec
4.4.4.0/24 secondary
router configs:
RouterA
interface e0
ip address 1.1.1.1 /24
ip address 2.2.2.2/24
Actually the implied mask is all 0's - so this acl will only permit a route
which is all 0's - or normally the default route.
Kenny
"suaveguru" [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
I also think it will permit all because in access-list
we use wild
clear config all
- Original Message -
From: "Lists Wizard" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; "'Cisco group study'"
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, October 17, 2000 7:23 PM
Subject: Resetting Switch configuration
Hello Networkers,
I have a 6500 series
OK since there were no responses I'll pay 50
dollars for a November date and 100 dollars for October! After the
swap is complete of course.
Kenny
- Original Message -
From: Kenny Sallee
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, September 14
I'm scheduled for Jan 13th in San Jose. If
anyone would like to swap dates with me, preferably in October/November, please
email or call me.
Thanks
Kenny
[EMAIL PROTECTED]
503-205-1404
There's a DTE/DCE button on the SUP module. Use a paper clip or something
to push it. Check it out.
Kenny
- Original Message -
From: "Circusnuts" [EMAIL PROTECTED]
To: "jh" [EMAIL PROTECTED]; "Henrique Issamu Terada"
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Sunday, September 03,
Do you understand routing on a stick? Just imagine the MSFC as an external
router with a trunk connection to the switch and sub-interfaces ( VLAN
interfaces ) created for each VLAN. Actually if you do a "sh trunk" on a
cat6k with an MSFC you'll see an ISL trunk to the MSFC.
Kenny
-
On router 2 do this:
router bgp 1
network 1.0.0.0 backdoor
where 1.0.0.0 is the major network you are
routing. This will cause the admin distance for that route to change to
200. It will not advertise the network. Check out Halabi pg 324 or
Jason, you should be careful posting your entire config on groupstudy.
Also, the password on the vty's is easily breakable so you should change it
right away. Your config looks OK but it's hard to say without knowing your
complete topology/policies. If you have the network in your local BGP
There's also supposed to be a new catalyst 6000 code that's ios like. I
don't think I'd like it though. It's easier with the set commands when
messing with a bunch of ports and different vlans...Just my opinion.
Kenny
- Original Message -
From: "Kevin Welch" [EMAIL PROTECTED]
To:
Also, iBGP neighbors will not advertise a route it learned from another iBGP
neighbor to another iBGP neighbor.
Says that somewhere in Halabi
Kenny
- Original Message -
From: "Lists Wizard" [EMAIL PROTECTED]
To: "'Frank Wells'" [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent:
I would check your translation rules in the firewall. I think most
firewalls require some sort of translation, whether it be NAT/PAT or static
or keep original address. Also, is the subnet between router A and B
routeable? Is it NAT'd? Does the firewall have a route for that subnet?
Can the
Has anyone used the above? And if so is it a
good solution/stable to use in a production environment, or is it more marketing
hype Cisco has thrown on their website?? Would it be worth using to run
BGP to a data center provider?
Thanks for any opinions...
Kenny
You need the conduit to allow traffic to the outside global IP. Same with
the ACL. Not to the private address. Unless you are NAT'n on the outside
router ( why?) then the static would have to change. Also, your conduit is
wrong in syntax:
conduit permit tcp host routeable_ip eq 80 any
Kenny
You are correct, equal cost static routes are load balanced on Cisco
routers. That's why in a case like that you would want 1 of the statics to
have a higher admin weight assigned to it. So the wireless could be
ip route 0.0.0.0 0.0.0.0 172.16.2.10 200
and the fiber could be
ip route 0.0.0.0
The only thing I can think of is with that setup you have, any traffic from
source .1.0 to destination 2.0 will be routed via the loopback and thus
dropped. Can't think of anything else
Kenny
"Adrian Chew" [EMAIL PROTECTED] wrote in message
8lskht$quq$[EMAIL
;.
Kenny
- Original Message -
From: Kenny Sallee
To: [EMAIL PROTECTED]
Sent: Tuesday, July 11, 2000 6:20 PM
Subject: WIN2K and PIX
Has anyone needed to allow all Win2k admin BS
through a PIX firewall? RPC is about the only thing not working.
I've got it ope
How can you configure the same IP subnet on more
than one interface in a Cisco router?
Kenny
From the workstations, can you ping the Exchange server by netbios name? By
hostname? Is anything else slowing down? Why forward udp broadcasts? If
you are using WINS this will do nothing for you but send unnecessary traffic
across the backbone. I wouldn't say its a "network" issue as the
From the first post I thought you solved it.
With enabling "directed broadcasts" depending on your addressing range will work
- only cuz you are not using WINS. If using WINS then all should have been
fine -- *I think*. The MS stuff is starting to fade away...
For the second problem - DHCP
"We'll never need more than 640k of memory". What they said in the "old
days".
Kenny
- Original Message -
From: "John Neiberger" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, July 03, 2000 9:17 AM
Subject: Re: Switch backplace capacity - how much do you need?
I've wondered
If you have 2 links, why not utilize them the best you can? Here's what I
would do:
1.) Run HSRP on the routers inside interfaces. Configure it to track the
serial interfaces on both routers.
2.) Run BGP and learn FULL internet routing table on both routers. Run a
cross over cable between
nal Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Kenny Sallee
Sent: Monday, July 03, 2000 10:31 AM
To: John Neiberger; [EMAIL PROTECTED]
Subject: Re: Switch backplace capacity - how much do you need?
"We'll never need more than 640k of memory". Wh
difference
PS - I've got an old keyboard at home you can have. It's missing a few
keys, but using it would be the same as using a Linux router in place of a
Cisco router :)
Kenny
- Original Message -
From: "Jay Hennigan" [EMAIL PROTECTED]
To: "Kenny Sallee"
Sure - go ahead and send it. I'll see what I can do.
Kenny
- Original Message -
From: "James Kavenaugh" [EMAIL PROTECTED]
To: "Kenny Sallee" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, July 03, 2000 4:35 PM
Subject: Re: Switch backplace capacity - how muc
Actually, BGP can go through NAT. One of our engineers did it in our lab.
It was through a Cisco PIX firewall. The neighbor statement on the outside
was to a NAT'd address on the inside. BGP uses tcp/ip for its neighbor
establishment. So all you would need is a static translation and a rule
So you are doing DLSW through a firewall? The NAT and firewall issue would
seem to be the problem, but with a firewall, even if the inside initiates
the session, assuming it's a stateful firewall, will the outside still be
able to initiate a ping from outside to inside? On a stateful firewall,
When you upgrade to a new version of code on the PIX - do you have to
upgrade the VPN clients as well? What version of the client is compatible
with 5.1.2 of the PIX? Thanks
Kenny
- Original Message -
From: "Akuinnen" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, June 29,
Actually - I think it's possible on everything from the 2600 up. I *think*
the GSR's only support CEF though.. I've personally used it on 3600, 4000,
and all 7000. Can't remember using it on 2600's but I'm sure you can. May
even be available on the 1600 and 1700 series.
Though I don't think
That's a good point. According to some Cisco guys here at networkers,
TurboACLs are even less CP intensive than static routes to null0... cool
Kenny
- Original Message -
From: "Erick" [EMAIL PROTECTED]
To: "Robert Cabeca" [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent:
There are certain dip switch settings required on the USR. I can't remember
them but they can be found on CCO.
Kenny
- Original Message -
From: "Feliz, Edgar" [EMAIL PROTECTED]
To: "Tan Choh Koon" [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Tuesday, June 27, 2000 9:30 PM
Subject: RE:
For those who don't have the book, the problem is
mutual redistribution from rip to ospf and ospf to rip. The admin distance
of OSPF is lower so without any distro lists or filters, a routing loop is
formed.
What he is saying makes sense - you don't want to
advertise a route redistributed
If you chose the answer C you would have to change the network statement to
172.16.0.0 255.255.252.0. This would summarize networks 172.16.0.0,
172.16.1.0, 172.16.2.0, and 172.16.3.0. So you would summ an extra
network ( the 172.16.0.0 /24 ). The answer B then is more correct. The
second
the pings, in that the first 5
time-out while the SA is built. after that the pings are successful. but
when i use the following...
acc 132 per gre ho 135.7.1.3 ho 135.7.1.5 log
the ipx pings never bring up the line. shouldn't the above acl cover gre
encapsulated packets?
From: "Kenny
Maybe it would help if you ( Ryan ) sent the configs you know work. I would
also like to take a look. vr4drvr, we can't help you if you don't post the
configs. I always rule out config error before I move on.
Kenny
- Original Message -
From: "Ryan Moffett" [EMAIL PROTECTED]
To:
If you are using 10.100.7.0 as an IP you will have problems. Try changing
it to .1 instead of .0.
Kenny
- Original Message -
From: "Bartlett, DS1" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, June 07, 2000 5:16 PM
Subject: PIX Firewall and 2509 Access Router
I have a
Actually -- I thought that in a partial mesh and no sub-if's, you must
disable it. Or the Hub will not advertise to spoke 1 the routes it learned
from spoke 2 - cuz it is configured on the major interface and thus will not
advertise a network it learned on that interface, out that
I don't think it will work. The router will send out an arp-request for the
directed IP MAC. Of course, no-one will answer and the router will not
forward the packet. I just tried and I got an incomplete arp entry and
output from debug ip packet looks like:
1w5d: IP: s=192.168.168.29 (local),
With a partial mesh and -all subinterfaces, you should use split horizon, and
it is enabled by default. The router treats each subinterface as a separate
logical interface. Therefore, you should leave split-h at its default
here. If you are using all physical interfaces - in the same subnet, then
Why not start by doing a "sh int s0" to check the physical connectivity?
Kenny
- Original Message -
From: "Benjamin Walling" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2000 10:17 AM
Subject: Re: OSPF configuration - Please help
Are you able to ping the other
Maybe you should post a specific problem. This list is not a free
consultancy mechanism. Most of us are consultants who spend most of our
time billing for the info you are requesting. If you want to pay I will
gladly spend time helping you. If you post a problem, I will help if I can
and if
I've moved sc0 from vlan1 several times. There should be no reason you
can't. Here's how our lab switch is setup now and working fine:
set interface sc0 15 192.168.168.251 255.255.255.0 192.168.168.255
I would suspect an IP addressing/subnet mask or a configuration problem
here. Also, since
Sure it will work -- if you redistribute. This is where you will possibly
see routing loops.
You can also create a tunnel interface on both EIGRP routers and share
EIGRP info that way. This way they will both look like they are directly
connected. Here's a possible config for the tunnel:
Anyone dealt with the ServerIron?
Specifically the firewall load balancing option? Does it
suck?
Kenny
You can also do :
service timestamps debug datetime msec
To get an accurate picture of the timeline for each
debug message.
Kenny
- Original Message -
From: Tatyana Shekhtman
To: Tan Choh Koon ; CiscoGroupStudy
Sent: Wednesday, May 24, 2000 10:06 AM
Subject:
Can you post the relevant sections of the config? Also if you could
email it to me @ [EMAIL PROTECTED] I would appreciate it. Thanks
Kenny
"Aaron K. Dixon" [EMAIL PROTECTED] wrote in message
news:8g1sh4$ch1$[EMAIL PROTECTED]...
Yes it is possible. We
Receive keepalives..
- Original Message -
From: "Ross Bernardo" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, May 11, 2000 9:16 AM
Subject: Line is up, protocol down
What do you do to have the protocol up on a serial interface?
Thanks
Ross V. Bernardo
ESRI - Network