
Answer Questions

  • Security best practices white paper - ( 11-01-2001 )
  • Other Collaboration Subjects
  • There is a new white paper available on CCO on suggested best practices to keep a Unity 3.0 server secure. http://www.cisco.com/univercd/cc/td/doc/product/voice/c_unity/whitpapr/security.htm
    Anil Verma, Cisco Systems, anilve@cisco.com

  • Database Security from DMZ - ( 10-30-2001 )
  • Other Security Subjects
  • OK, I need help. I have a web page serving up database files. It is on a DMZ with only port 80 allowed to it from the Internet and then that server can query (ODBC) on a custom port to the internal database server. I need to layer this design to not allow the web server direct access to our key database system. This is for security reasons. I have a Pix firewall with 6 interfaces and I want to put the relay/proxy/middleware on a network separate from the web server. Firewall rules are not the problem; I need to find the software to solve this problem. Do any of you have experience with this? What type of proxy, or relay, or middleware will help solve this problem? Thanks, Pat

  • CES 7200/3600 - ( 10-30-2001 )
  • Other Network Architecture Subjects
  • Query re CES functionality between 7204VXR and 3640: Two 7204VXRs (IOS 12.1(5)T9 IP Plus) equipped with PA-A2-4E1XC-OC3SM and used to connect two PBXs work OK. However, if one of the above 7204VXRs is also connected to a 3640 (IOS 12.1(2)T IP Plus) equipped with NM-1A-OC3SML-1V and VWIC-1MFT-E1, despite a similar configuration the trunk between the PBXs constantly alarms and will not function. Does anyone have any working experience with this combination of CES cards?

  • ATM ILMI STATE - ( 10-30-2001 )
  • Application Networking
  • I have been working on an ATM issue and the ILMI state is stuck in "restarting" and "WaitDevType". The software version is the latest... 12.0 and up. CCO says these errors are related to the following bugs: CSCdt47492, CSCdm26756, CSCdr28332. Why would ILMI be stuck in "restarting" if the snmp-server community string is configured right? Shut/no shut on the interface did not help. Thanks.

  • Gigastacking GBIC - ( 10-30-2001 )
  • Other Network Architecture Subjects
  • In a stack of two 3524s connected together using the Gigastacking GBIC, when a third 3524 switch is daisy-chained to create a half-duplex 1 Gb stack, what is the normal process of link negotiation? Should all the links flap and then become stable, or should only the link between the new switch and its neighbour flap? (3 GBICs are used.)

  • Question about the Firewall loadbalance - ( 10-28-2001 )
  • Application Networking
  • I have a case in constructing a City Broadband Network. Now I have two CSS 11800 and 4 PIX firewalls; the customer wants 4 PIX 535/525 to do NAT to translate the private IP address to public address at 2 exports. I want to know if one CSS 11800 can handle two-firewall loadbalance while the PIX do the NAT. I tried to do them as Server Loadbalance but failed, because I cannot make so many VIP addresses as the public address. Is there any other way to solve the problem? If they cannot, I guess if 2 CSS can handle 2 PIX while two firewall loadbalance while the PIX do the NAT? I found the doc of the CSS advanced config, chapter of PIX firewall loadbalance. In the chapter it noted that the PIX cannot do the NAT. So can anybody give me the help? I really need the exactly detailed configuration. Thanks. My email: evanchen@eccom.com.cn

  • Network Associate Sniffer - ATM Captures - ( 10-26-2001 )
  • Other Network Architecture Subjects
  • I am a network analyst who spends a majority of time analyzing Ethernet and T1. I am being tasked with an assignment which requires me to do some work with native ATM and ATM LANE. Does anyone of you "nerds" (:0)) out there have any good example sniffer captures off an ATM network? And if the answer is yes, would you be willing to share some of them with a fellow "nerd"? Any help anyone could give me on this would be greatly appreciated.

  • Cisco support for diff-serv - ( 10-22-2001 )
  • Other Security Subjects
  • While Cisco claims support for Diff-serv via IPv6 implementation, I have seen very little from Cisco of actual product implementation. Most Cisco SEs and employees either have little knowledge of diff-serv. I was wondering if anyone knows of any sites or discussion groups that talk extensively about Cisco's diff-serv product support???

  • Cisco IDS Active Update Bulletin #5 - ( 10-22-2001 )
  • Other Security Subjects
  • Cisco IDS Active Update Bulletin #5
    http://www.cisco.com/go/ids
    Monday, October 22, 2001
    -----------------------------------------------------
    As always, please feel free to message us directly if you have any comments or questions (mailto:ids-news@cisco.com). We also encourage you to participate in the Cisco IDS User's Forum at http://www.cisco.com/discuss/security.
    Best regards,
    --The Cisco IDS Product Team
    -----------------------------------------------------
    In This Issue:
    1) Release of IDSM 3.0 for the Catalyst 6K Line Card.
    2) In The News: Cisco IDS Takes Top Honors in Network World Review.
    3) Subscription Information.
    -----------------------------------------------------
    1) Release of IDSM 3.0 for the Catalyst 6K Line Card
    -----------------------------------------------------
    This section describes the new features for the Catalyst 6000 family IDSM software release 3.0(2)S6.
    · Module Overrun Indicator: Ability to report when the IDSM reaches saturation and begins to drop packets.
    · De-obfuscation: The IDSM signature set has been enhanced with deobfuscation capability.
    · DoS Mitigation: The IDSM can now detect network Denial of Service (DoS) attacks; for example, the IDSM can detect SYN floods.
    · Response Action: The IDSM now has shunning capability.
    · The IDSM can now automatically push its log files to remote systems using FTP.
    · Automatic Signature Updater: The apply command has been enhanced to allow you to set up automatic signature updates.
    · Direct Telnet to IDSM: You can now Telnet directly to the IP address assigned to the IDSM command and control interface.
    · Enhanced exclusion/inclusion of Signatures: The user may exclude or include (to override exclusions) signatures based on the following criteria: Source and Destination IP ranges.
    Documentation on IDSM 3.0 is available on CCO (Cisco Connection Online) at:
    http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csids/idsm/idsm_2/index.htm
    Customers running 2.5 software on their IDSM may upgrade to 3.0 by first downloading and installing the base software for 3.0. This is available at the following CCO site:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ids30-cat6000
    This can be further updated to the latest (currently S6) signature release found here:
    http://www.cisco.com/cgi-bin/tablebuild.pl/ids30-cat6000-update
    The version 2.2.x Unix Directors and CSPM 2.3.x must have the S9 or greater signature update in order to configure a 3.0(2)S6 Intrusion Detection System Module (IDSM). If the Unix Director or CSPM already has the S9 or greater Signature Update, the update does not need to be reapplied.
    Note: You must follow special steps if you are using the Director version 2.2.3 and upgrading the IDSM from version 2.5 to 3.0. See the "Upgrading the IDSM from Version 2.5 to Version 3.0(2)S6" section of the Release Notes for more information.
    The latest versions of CSPM (including the s(9) update for CSPM 2.3.2i) & the Unix Director are available for download at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cspm (CSPM)
    http://www.cisco.com/cgi-bin/tablebuild.pl/ids221-dir-update (Unix Director)
    -----------------------------------------------------
    2) In The News: Cisco IDS Takes Top Honors in Network World Review
    -----------------------------------------------------
    This article reviewed the top five commercial IDS products with Cisco's IDS finishing first. This review looked at Cisco, ISS, Enterasys Networks, Intrusion.com, and Computer Associates.
    Links:
    http://www.nwfusion.com/reviews/2001/1008rev.html
    http://www.nwfusion.com/reviews/2001/1008revnetr.html
    -----------------------------------------------------
    3) Subscription Information
    -----------------------------------------------------
    If you'd like to unsubscribe from this bulletin:
    http://www.cisco.com/warp/public/779/largeent/it/ids_news/subscribe.html
    We'd like to know what you think about the bulletin and what information you'd like to see in future editions. E-mail your comments to: ids-news@cisco.com.
    Copyright (c) 2001 Cisco Systems, Inc.

  • Implementation of Time-based QOS/CAR, using "time-range" command - ( 10-21-2001 )
  • Optical Networking
  • We would like to configure a time-based QOS/CAR policy to allow our ISP customer to have more burst BW during weekends than weekdays. In our setup, we color all burst traffic of all customers with precedence 1 and then allocate some amount of BW to this shared pool for precedence 1. So, using Cisco's technology of "time-range", we have done the following config to achieve the said objective. But we are not able to achieve the automatic activation of weekday CAR despite the fact that the weekend access-list/CAR automatically gets deactivated when the weekend is over and the weekday access-group, i.e. 197, gets activated (gets activated but no match in access-group & CAR; can see using the show access-list & sh interface rate-limit | include access-group 199 commands). Would appreciate your valuable input to achieve the desired task.
    Configuration:
    Interface HSSI 2/0/0
     rate-limit output access-group 199 6000000 32000 32000 conform-action transmit exceed-action drop
     rate-limit output access-group 197 5000000 32000 32000 conform-action transmit exceed-action drop
    Global Config:
    access-list 197 permit ip any any precedence priority time-range WEEKDAYS
    access-list 199 permit ip any any precedence priority time-range WEEK-END
    time-range WEEK-END
     periodic weekend 00:00 to 23:59
    !
    time-range WEEKDAYS
     periodic weekdays 00:00 to 23:59
    Note: Customer's burst packets have already been colored with precedence bit 1, i.e. priority, in CAR statements which are above these two CAR statements (these CAR statements come last).

  • QOS and CAC - ( 10-19-2001 )
  • Other Collaboration Subjects
  • An earlier post questioned whether it was better to employ RSVP or utilize the Call Manager for CAC and I want to share my own experience. If my take on the subject is incorrect, by all means add a follow-up to correct the facts. I have only been involved in this for 5 months and my input is based on endless hours of cramming and hindsight into our own deployment of VoIP.
    RSVP creates a reservation of bandwidth meted out on demand. One CAC feature of Call Manager is the locations bandwidth. CM allocates this resource in 24k chunks. If you have properly deployed your structure to use G729, CM still allocates bandwidth in 24k chunks. Without defining your locations bandwidth with this in mind, CM will think you are out of bandwidth before you really are.
    For example, you have a 128k circuit and you are using G729 compression, RTP header-compression, etc. You see the opportunity to make 10 individual calls at 12k each. You define your location in CM as 128k and find that CM will only let you make 5 calls before you get the NO Bandwidth message. CM allocates 24k, by default, for each of your 12k calls. You aren't using 24k of bandwidth for the call but CM does reduce your total available bandwidth by 24k for each call from a given location and can make it appear you are out of resources before you really are. If your RSVP config on your router and the bandwidth for locations in CM were properly matched, your RSVP config on your router would still have bandwidth available for allocation on demand for 5 more calls.
    RSVP, RTP Priority, RTP header compression, CBWFQ, and Call Admission Control in the Call Manager work in unison to provide true QOS.
    Even if you aren't actively deploying VoIP, take a look at CBWFQ. I had no idea what was happening on my WAN circuits until I employed this. For once I could easily identify the volume of time-sensitive traffic as well as limit the traffic which was harmful to VoIP and Terminal Services traffic, all from the CLI.
    My own case for these tools is this. I commonly see 8 gigs of traffic cross a router's Ethernet interface from remote sites to our hub location in a 24 hour period. Max jitter has been reduced and stabilized and it is not unusual to go a week at a time without seeing a SINGLE dropped packet.
    Just my two cents.

  • HP OpenView Network Node Manager / CiscoWorks Integration - ( 10-18-2001 )
  • Other Network Architecture Subjects
  • Hi, I am the OpenView guy at Hewlett-Packard that develops the integration with Cisco products such as CiscoWorks and Cisco WAN Manager. I would like to make available the interactive site that I maintain that describes this really cool integration. Check out http://neutron.external.hp.com for more details. I just created a new step-by-step demo with NNM->CiscoWorks VLAN/ATM solution where you see actual screenshots of this integration solution. We also have a Smart Service Management Solution for Cisco Environments (manage Cisco Networks as a service) at http://neutron.external.hp.com/cisco-main.htm . We are coming out with a new add-on for Network Node Manager this year called NNMET (Network Node Manager Extended Topology); this add-on allows NNM to manage layer-2 and layer-3 connectivity.... stay tuned

  • NFS between subnets problems - ( 10-16-2001 )
  • Other Network Architecture Subjects
  • I have a two-node cluster, version Compaq Tru64 UNIX V5.1 (Rev. 732), which is an NFS server for a large farm of Linux clients. I have some clients in the same subnet as the cluster, 16.11.0/24, and can successfully copy large files, 1 minute to copy. Then I have clients in subnet 16.11.1/24 which receive an 'Input/output error' every time. A workaround to this problem was to reduce the wsize to 1024; now I can copy these large files but it takes 10 minutes or more to copy. It looks like packets are being lost between the NFS client and the router. I have some tcpdump outputs that show this. The network looks something like this:
    linux -100M- cisco 5505 -100M-+
                                  | cisco 7507 |
    Tru64 -100M - cisco 5900-Fddi-+
    Any help would be appreciated. LouB.

  • SAA RTR RESPONDER - ( 10-10-2001 )
  • Other Network Architecture Subjects
  • I would like to run SAA for jitter measures over the Internet, but to do it an rtr-responder is necessary... so I'm looking for public rtr-responders in main networks. Does someone know any public rtr-responder? Thanks, Matias.-

  • SAA RTR RESPONDER - ( 10-10-2001 )
  • Other Collaboration Subjects
  • I would like to run SAA for jitter measures over the Internet, but to do it an rtr-responder is necessary... so I'm looking for public rtr-responders in main networks. Does someone know any public rtr-responder? Thanks, Matias.-

  • Routing via Aironet 340 Wireless Bridge - ( 10-09-2001 )
  • Other Network Architecture Subjects
  • I have a Cisco 3620 router with 4 fast ethernet, 2 serial ports and 1 ISDN BRI S/T. To connect to my ISP, I'm using an Aironet 340 Wireless Bridge, tunneled through Fast Ethernet 0/0 on router. Is that configuration correct? Because I'm paying 128 Kbps to get 64 Kbps to my ISP. Do I have to connect the Aironet to the router via serial ports?

  • Policy Based Traffic Forwarding (port 80) - ( 10-08-2001 )
  • Other Network Architecture Subjects
  • Hi everyone, I'm having some difficulty forwarding port 80 traffic from the inside LAN of a client's NW to a public proxy-type filtering server which resides within my corporate NW. It is not behind a firewall but is right off of our internet router (I know, "real secure"). In the past I used normal policy based mapping to do this at my old company, and cannot find that I am missing anything going over my old configs. Any other direction?? Thanks, Josh.

  • Merging ISPs - ( 10-03-2001 )
  • Other Network Architecture Subjects
  • Hi, I work for an ISP who has recently bought out another ISP and integration has been planned. We have one 17Mb upstream connection via our transit provider and the company we have taken over has two upstream connections (one with our transit provider and another one). We each have an AS number and two separate /19 blocks from RIPE. What is the best plan for integration of these ISPs? How would we go about merging them and creating an effective BGP policy? Any help or guidance to links would be appreciated, thanks, Ian

  • excessive network broadcast flooding - ( 09-29-2001 )
  • Other Network Architecture Subjects
  • I currently have many 2900 switches & one main switch, Cisco 5000. Last Friday my network was halted. The LAN was flooded with broadcasts between 2 NICs; the units were running Symantec Ghost 6.5. The session was not a multicast session. Both units had static IP addresses assigned via boot-up floppies. During this operation, my network was flooded with broadcasts. I performed this function many times without network problems. Any ideas? Thanks, Dave

  • Multiple routing tables - ( 09-28-2001 )
  • Other Network Architecture Subjects
  • Dear Sirs, I would like to know if IOS is capable of using several separate routing tables, automatically associated (maybe using ACLs, calling ID, calling number, etc.) with the relevant "customer ID". The issue naturally appears when implementing telco class access servers with PRI links, and each incoming call needs to be treated according to the settings of its class. For instance, such an access server should route each call to a different RADIUS server for authentication, or each caller should use a certain addressing plan, maybe conflicting with other addresses from another customer. Here, the customers could be ISPs that get dial-up bulk services from the telco access server, or large enterprises, and the telco avoids imposing addresses to the customers. In a larger context, if we want to service leased-line access, is there any solution (apart from MPLS) to this problem? Thanks