Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Re:The Enterprise
From the article:
"In addition to that, the Cisco PSIRT Security Vulnerability Policy is available at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html - for any customer, with or without a service contract, which might be interested in contacting us.
Thanks,
Dario " -
Alexandrian solution
... I don't understand why anyone would connect any machine directly to the Internet without some type of hardware firewall.
That is what the Internet is for. You're projecting Windows' problems onto real computers. There is no reason why a router or hardware firewall should be necessary to add security -- they're both computers with instructions and flaws. Increasing the number of hardware pieces increases the number of failure points at the cost of also increasing latency and reducing actual bandwidth.
There are only three reasons why a computer needs to be isolated from the Internet:
-
Re:Interview Questions
CCNA certification consists of 2 exams (INTRO and ICND) or one composite exam.
CCNP certification consists of 4 exams (or 3 if you combine the routing and switching exams)
CCIE certification consists of 2 exams, one written and one (7 hour!) hands-on lab.
http://www.cisco.com/web/learning/le3/learning_career_certifications_and_learning_paths_home.html
MCP certification is 1 exam
MCSA certification is 4 exams
MCSE certification is 7 exams
http://www.microsoft.com/learning/mcp/mcse/windows2003/default.mspx -
Re:Where's the bottleneck?
An OC-192 is 9953.28 Mbit/s buddy. And an OC-768 is 38,486.016 Mbit/s. Also the CRS-1 multi-chassis system can scale to 92 Tbps.
-
Re:You figure it out
And the best part is that because SNMP traps are UDP, they are the first thing to get thrown away when the shit hits the fan.
In some cases it might be a better idea to use inform instead of trap. -
Amazing how dumb "experts" can be...
Amazingly there was only one intelligent thing said in the whole article. "Digital switching is key" is correct. What's amazing is that some consultant has the balls to act like $great_prophet when proclaiming it. I mean, it's not like CableLabs hasn't been hard at work on the technologies to address the bandwidth issue. Both DOCSIS 3.0 (http://www.cablemodem.com/specifications/specifications30.html) and Modular CMTS (http://www.cablemodem.com/specifications/m-cmts.html) are designed to address this problem. M-CMTS basically works to divide the cable plant into smaller sections by pushing the RF interfaces further out to the edge. This is done by placing fairly dumb/inexpensive edge QAMs out in the plant; these devices encapsulate DOCSIS frames into Gigabit Ethernet to carry them back to a packet processing engine. What this buys the operator is the ability to use fewer RF channels but gain more bandwidth, at the cost of having some additional backhaul (to carry the GigE). Now some people might wonder if this consulting company is merely championing an idea that hasn't been developed, but sadly that isn't the case either. Many manufacturers are already producing EQAMs, including big hitters like Cisco (http://www.cisco.com/en/US/products/hw/cable/ps2209/products_implementation_design_guide_chapter09186a00807c73c7.html). These same EQAMs also handle switching of digital video, so cable companies save on both switched video and normal IP traffic. DOCSIS 3.0 allows for bonding DOCSIS channels to create far more bandwidth, which is likely to be used for business services as well as more rich IP services. Comcast in my area already offers multiple HD on-demand channels, for example HBO and Showtime. (http://www.comcast.com/HBOondemand/ and http://www.tvweek.com/news/2007/03/comcast_launches_showtime_hdvo.php)
Quite honestly it sounds like the "consultant" needs to do some research. -
Re:Cisco gear just isn't that good.
Are you sure the problem was just the bad compact flash that Cisco received from another manufacturer? The solution was to RMA the flash, not the NPE. Xmodem is a little slow considering how large IOS images have gotten, but you can TFTP boot the router; did you try that? Most engineers I run into who bitch and moan about Cisco simply don't know how to configure things correctly.
Sounds like you got bad TAC advice. Which is a shame because I seem to get better support from the Australian TAC than even San Jose.
-
Re:Should have been the plan from the beginning
Yeah, but the informed user knows Cisco sucks and would rather have a Juniper.
Ah, but can Juniper push 92 terabits per second? :-)
What most people consider full-featured Cisco includes IOS, and I doubt they're planning to put IOS on a home wireless router (certainly not for $50).
True. On the legendary Cisco 677 ADSL Modem they included a cut-down version of IOS named CBOS (Cisco Broadband Operating System). It was very IOS-like, but had only what was needed to route PPP over ATM (including NAT).
Ah, the 677. Good memories. A fine piece of hardware, considering it was designed in something like 1997 (not by Cisco but by NetSpeed Corporation, judging by the BIOS). Mine worked from 2001 well until 2006, when lightning finished it (well, not quite, it worked for 2 months more at my cousin's. She lives like 5 blocks away from the CO). Replaced it with some cheap, single-chip ADSL/ADSL2+ modem, which has not given any problems, and also gives 10ms less latency. Poor Cisco, it had to do some heavy calculations on my telco's FEC. The new modem, I assume, has some ASIC that does all the job (the 677 doesn't, it's completely covered in ICs, which explains the extra 10ms). -
Re:why ethernet?
Ethernet
... beat everything else to get to 100Mbps.
Are you forgetting FDDI/CDDI? As I recall, it was available before 100 Mbps Ethernet.
"The Fiber Distributed Data Interface (FDDI) specifies a 100-Mbps token-passing, dual-ring LAN using fiber-optic cable."
"Copper Distributed Data Interface (CDDI) is the implementation of FDDI protocols over twisted-pair copper wire." -
Cisco wireless arp storm patch out
-
Re:Cisco gear just isn't that good.
Are you saying that TFTP is no longer supported in ROMMON on a 7200/NPE-G2? I have a few deployed and haven't had any crash yet, nor had a reason to tinker in their ROMMON. So knowing more about this type of scenario would be helpful. The latest Cisco docs (last updated this month, link below) still show TFTP recovery procedures. http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00800a750e.shtml -
Re:More information?
hmmm...
Take your pick. That's just for one controller series. Who knows which Cisco hardware Duke is using, but the problems associated with LEAP (lightweight extensible authentication protocol) are of particular interest.
I'm not pointing fingers either. I have too many broken ones of my own. -
Re:Most likely a Cisco bug - firmware upgrade need
Theoretically, every packet that you send needs an ARP entry, which means that every packet sent to something that isn't in your machine's ARP table would generate an ARP request.
In real life this is hardly ever needed. If the traffic is destined outside of the subnet, the destination MAC address will be that of the next-hop router (usually the default gateway). In this case there isn't any need to send out ARP requests for those packets. Only packets to the local subnet will have to have an entry in the ARP table.
In reality, it seems that your router tends to substitute its own MAC address for non-local ARP entries (since all non-local packets go through the router, you really don't have to know what the real MAC address is)
Cisco calls this functionality proxy arp. It is true that some of the cisco routers and L3 switches have proxy arp enabled by default.
As long as the client devices have their default gateway and routing properly configured, it shouldn't matter whether proxy ARP is enabled or disabled. On the other hand, if they use proxy ARP to find the next-hop router (or default gateway), the amount of ARP traffic is significantly higher. If this is the case, the question is why not deliver the proper default gateway by using DHCP? -
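The exchange above (a host that ARPs for every destination versus one that ARPs only for its gateway, and a router answering with its own MAC via proxy ARP) as an added, runnable model. This is not code from the thread or from Cisco; the topology, addresses (RFC 5737 documentation ranges), MACs and the two-entry routing table are constructed for the example, and the router side follows the usual proxy ARP rule: answer only when the target is reachable through an interface other than the one the request arrived on.

```python
import ipaddress

# Constructed topology for the example (documentation addresses, RFC 5737/7042):
#   host 192.0.2.10/24 sits on the same segment as router interface Gi0/0 (192.0.2.1)
#   router interface Gi0/1 is 198.51.100.1/24; 203.0.113.0/24 is not in the router's table
ROUTER_IFS = {
    "Gi0/0": ("192.0.2.1/24", "00:00:5e:00:53:01"),
    "Gi0/1": ("198.51.100.1/24", "00:00:5e:00:53:02"),
}
ROUTER_ROUTES = {"192.0.2.0/24": "Gi0/0", "198.51.100.0/24": "Gi0/1"}  # connected routes only


def host_arp_requests(host_addr, default_gw, destinations):
    """Addresses the host sends ARP requests for, given a list of destinations.
    With a default gateway, off-link traffic only needs the gateway's MAC.
    With default_gw=None the host treats everything as on-link and ARPs for
    each remote destination, relying on proxy ARP to get an answer."""
    host = ipaddress.ip_interface(host_addr)
    wanted = set()
    for d in destinations:
        dst = ipaddress.ip_address(d)
        if dst in host.network or default_gw is None:
            wanted.add(str(dst))
        else:
            wanted.add(default_gw)
    return sorted(wanted)


def router_arp_reply(in_if, target, proxy_arp=True):
    """What the router answers to an ARP request for `target` arriving on `in_if`:
    ('self', mac)  - the request is for the router's own address on that interface
    ('proxy', mac) - proxy ARP: the router has a route to target out a *different*
                     interface, so it answers with the MAC of the ingress interface
    (None, None)   - router stays silent (target on-link, no route, or proxy ARP off)"""
    tgt = ipaddress.ip_address(target)
    in_addr = ipaddress.ip_interface(ROUTER_IFS[in_if][0])
    in_mac = ROUTER_IFS[in_if][1]
    if tgt == in_addr.ip:
        return "self", in_mac
    if not proxy_arp or tgt in in_addr.network:
        return None, None
    # longest-prefix lookup in the (constructed) routing table
    best = None
    for prefix, out_if in ROUTER_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if tgt in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, out_if)
    if best is not None and best[1] != in_if:
        return "proxy", in_mac
    return None, None


def simulate(default_gw, proxy_arp, destinations):
    """Run the host's ARP requests against the router; returns {target: reply kind}."""
    return {t: router_arp_reply("Gi0/0", t, proxy_arp)[0]
            for t in host_arp_requests("192.0.2.10/24", default_gw, destinations)}


if __name__ == "__main__":
    dests = ["192.0.2.20", "198.51.100.5", "198.51.100.9", "203.0.113.7"]
    print("gateway configured:", simulate("192.0.2.1", True, dests))
    print("no gateway, proxy ARP on:", simulate(None, True, dests))
    print("no gateway, proxy ARP off:", simulate(None, False, dests))
```

With the gateway configured the host sends two ARP requests (one for the on-link peer, one for the gateway) and the router only ever answers for its own address. Without a gateway the host ARPs for every remote address, the router answers each one it has a route for with its Gi0/0 MAC, and anything it has no route for simply goes unanswered. The same reachability holds in the first case with far fewer requests, which is the thread's point about delivering the gateway via DHCP.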
Why the cynicism?
So, the real point is NOT that this is for a single household, but rather that you drastically reduce the number of intermediaries required for a network point of presence. This drastically reduces the cost of fibre-to-the-home. The last mile problem really isn't one in urban centres -- there is plenty of fibre to go around, but not enough money to make the transmission of content worthwhile.
And , yes, the article is a not-so-subtle advertisement for the Cisco CRS-1 routing system. Hopefully others will follow with this kind of model... -
Re:Every story needs photos
Here's a link to the machinery behind the connection.
/cry
http://www.cisco.com/en/US/products/ps5763/index.html -
Re:Inaccurate statements
However, the way that my ISP's network is configured, I am able to take any unused IP address on their network for myself, simply by making a minor change in my computer's network configuration. For example, say that I am assigned fixed IP addresses 101.1.1.10 through 101.1.1.20. I can just reconfigure my computer to be IP address 101.1.1.50, and if this address is not currently being used by someone else, I can get it for myself. Similarly, someone else could take one of my assigned IP addresses if it is not currently in use.
This is a good thing to notice and be aware of, but it is fairly normal for ISPs to not put a firewall in place between business-class service at the colo level to verify source addresses and filter out spoofed traffic from other netblocks owned by that ISP.
The trick for this to be useable for anything beyond a mildly cloaked DoS is that you either have to use source routing so that the answers come back to you, or you have to be close enough to the subnet being spoofed that you can fiddle with the router which sends it to that subnet or to yours.
Think of ARP spoofing, think of using ICMP router redirects, think of RIP or BGP advertisements, think of spoofing a VLAN header and waving the magic wand at the switch and claiming that your connection is really a trunk port (and then repeat with the ARP spoofing :-).
(hums a banal Woody Guthrie tune)
"This route is YOUR route, this route is MY route, this route is OUR route..."
In Cisco IOS-speak, to do such checking is called "Reverse Path Forwarding". See RFCs 1812 and 2267 and perhaps you can give your ISP a security clue, or take advantage of the opportunities to experiment, depending. :-)
http://www.cisco.com/univercd/cc/td/doc/product/software/ios111/cc111/uni_rpf.htm -
Cisco is best place to work
IMNSHO, I offer an opinion on this debate on Cisco's blog: "CAGE MATCH: Google v. Microsoft v. Cisco" Read post here: http://blogs.cisco.com/news/2007/06/cage_match_google_v_microsoft.html
Net net is: "Which is the best place to work? There is some scuttlebutt in the blogosphere and reported in ComputerWorld about a post written by a former-Google, now-Microsoft employee that Microsoft is a better place to work. Let me put this argument to rest...the best place to work is Cisco..." -
Re:As a current federal employee
In Cisco terms presence doesn't mean finding your physical location; it means having you available no matter where you are. It ties the cell phone, desk phone, BlackBerry and IM together.
Disclaimer: I have more than a passing knowledge of the company whose products are mentioned in this article, but I'm not a sales drone. Just passing along a more technical link than the article presented, since it doesn't paint an accurate picture.
http://www.cisco.com/en/US/products/ps6837/index.html -
Re:VPN ISPs?
Um, the point of a VPN is to set up a secure tunnel to get to your destination network with the traffic encrypted en route, so it doesn't matter whether your ISP is snooping on your traffic or not. Now, if you wanted to host your destination server or network somewhere like Canada or someplace with less intrusive government monitoring, that might well be a good thought.
The problem is that the US via CALEA is requiring things like Cisco routers used to terminate many VPN connections be wiretap-friendly, so using a VPN tunnel might not be as safe as it was before that law came about. Cisco has a page about this, but it doesn't actually give you much specific info:
http://www.cisco.com/wwl/regaffairs/lawful_intercept/ -
Re:FUD
The Worthlessness of the CISSP certification. It depends what cert you're after. Right now I'm studying for the CCIE Security certification. Does it matter? Yes, I do believe this is one of the ones that do. Why? You're not just reading to pass a test. If it were that easy, there would be more than 906 CCIE Security engineers worldwide. GIAC vs. CISSP? I'd take a GIAC over a CISSP any time. I've met CISSPs who understood the concept of an attack, an attacker, but couldn't perform an attack to save their lives. I believe in the security industry, one should know everything from the ground up. So what you understand the core of it all... My opinion. As for MS certs, sure, if you want to live in an MS world. Same goes for Sun, etc.
-
You are wrong
Ask him to take a look at 802.1X http://standards.ieee.org/getieee802/download/802.1X-2004.pdf. You can give access to different VLANs based on software policies (i.e. having AV updated and so on)
You obviously confused some things:
IEEE 802.1X is an IEEE standard for port-based Network Access Control; it is part of the IEEE 802 (802.1) group of protocols. It provides authentication to devices attached to a LAN port, establishing a point-to-point connection or preventing access from that port if authentication fails.
You might want to read the documents you refer to. I guess what you meant was NAC - Network Admission Control
-
Re:Replace NAS? Sure. SAN? No way.
Are you really doing synchronous replication over a 100km distance with SRDF?
I think one of our longest legs is currently about 100 fiber km. That's pretty much the accepted limit for synchronous as far as we know. We've begun deploying Cisco Storage Services Modules to make use of Fibre Channel Write Acceleration. You may have heard of it before. We've begun using it in areas where there are applications with a lot of small block size writes. In addition, we're currently testing SRDF/A over FCIP to use from New York to London.
Thanks for the nick compliment. I began using this one when I forgot the password to my four digit ID :-) -
Re:but there's a conflict here
Perhaps you missed the part I wrote about maintaining anonymity? Preventing DDoS is very easy without needing to identify people. I also said that most countries don't control the Internet because corporate entities do. I was not advocating this be changed. Only that we provide guidelines to those entities that peer with other providers. If you implement some basic techniques at the peering locations then you can prevent the vast majority of DDoS attacks before they can be aggregated enough to cause problems. Then the regional personnel can handle the problem with whatever policy they see fit, whether it be through shutting off the subscriber's bot-infested machine or just simply ignoring the problem. As long as it doesn't go past the next peering point then the problem won't become an aggregate problem, DDoS will be gone, and no government has any new way to censor beyond their current abilities.
Control and freedom are not mutually exclusive, everyone at my office can go to whatever website they like. My firewall will filter out 99% of any malware they encounter. Local access privileges restrict the last 1% from actually causing any harm so my users can do what they like without worry, plus they don't have to see myspace ads. I don't have to track them to provide a little control over them. I'm getting rid of the bad while allowing them to continue on their merry way.
In short, I fail to see how anything I said would appeal to an authoritarian regime, as it would prevent them from launching DDoS attacks on their neighbors. That's the whole point; it is nothing but a net gain, so I don't understand why there would be any resistance to something like this.
-
Re:Backbone QOS?
What would QoS do at this level except overwhelm your processor? Unicast Reverse Path Forwarding would be the better solution nowadays. Cat 6500 info... If networks were built correctly from the ground up, these attacks wouldn't even happen as much. If three networks were connected and all had uRPF or filtering in place, no three networks would be able to spoof addresses and cause attacks. They'd be forced to attack using a valid address on their network which would make tracking easier...
-
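Both the "Inaccurate statements" reply above (RFC 2267 and Cisco's Reverse Path Forwarding page) and the "Backbone QOS?" comment come down to the same check, so here is one added, runnable model of it. It is not Cisco code and not from either post; the FIB, interface names and sample packets are constructed. The two modes mirror what IOS configures per interface with `ip verify unicast source reachable-via rx` (strict) and `... reachable-via any` (loose), and the `allow_default` switch mirrors the `allow-default` keyword, since IOS does not count a default route as knowing the source unless told to. Equal-cost multipath is not modelled.

```python
import ipaddress

# Constructed FIB for an edge router: prefix -> outgoing interface.
# "Null0" models a black-hole route (the remotely triggered black-hole trick:
# a source that has been null-routed fails loose-mode uRPF and is dropped).
FIB = {
    "0.0.0.0/0": "Upstream0",
    "192.0.2.0/24": "Cust1",
    "198.51.100.0/24": "Cust2",
    "203.0.113.0/24": "Null0",
}


def fib_lookup(fib, addr):
    """Longest-prefix match; returns (network, interface) or None."""
    a = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def urpf_permits(fib, src, in_if, mode="strict", allow_default=False):
    """Unicast RPF check on a packet with source `src` received on `in_if`.
    strict: the best route back to src must point out the receiving interface
    loose:  any route to src is enough, as long as it is not a black hole
    allow_default: whether a hit on the default route counts as a route
    (without it, a source known only via 0.0.0.0/0 fails in both modes)."""
    hit = fib_lookup(fib, src)
    if hit is None:
        return False
    net, out_if = hit
    if net.prefixlen == 0 and not allow_default:
        return False                      # only the default route knows src
    if out_if == "Null0":
        return False                      # black-holed source: drop in both modes
    if mode == "loose":
        return True
    return out_if == in_if


def filter_packets(fib, packets, mode="strict", allow_default=False):
    """Return the (src, in_if) tuples that uRPF would drop."""
    return [p for p in packets if not urpf_permits(fib, p[0], p[1], mode, allow_default)]


# Constructed sample: (source address, ingress interface)
SAMPLE = [
    ("192.0.2.10", "Cust1"),        # legitimate customer traffic
    ("192.0.2.10", "Cust2"),        # Cust2 spoofing Cust1's address
    ("198.51.100.7", "Upstream0"),  # our own prefix arriving from upstream
    ("100.64.0.1", "Upstream0"),    # no specific route: default only
    ("203.0.113.9", "Upstream0"),   # black-holed source
]

if __name__ == "__main__":
    print("strict drops:", filter_packets(FIB, SAMPLE))
    print("loose drops:", filter_packets(FIB, SAMPLE, mode="loose"))
    print("loose, allow-default drops:", filter_packets(FIB, SAMPLE, mode="loose", allow_default=True))
```

Strict mode on the customer-facing interfaces is what stops the thread's "borrow an unused address" trick at the first hop: the spoofed source has a route, but out a different interface. Strict mode on a multihomed upstream link would also drop legitimate asymmetric traffic, which is why loose mode (plus `allow-default` where the router only carries a default) is the usual choice there.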
Traffic Storm
Likely they're talking about some sort of 'traffic storm' (which is some type of data). I have seen and heard of a lot of devices that are very poorly designed and don't expect a lot of extraneous data on their LAN. Most commonly these are things like PBXes and small 'appliance' devices that have some simple SNMP or web management capabilities. You stick them on an internal LAN with lots of broadcast traffic, where there may be other interesting things going on, and I've seen them either die under the interrupt load (insufficient CPU for the 10Mb or 100Mb they negotiate) or just lock up because of what it thinks is a corrupted frame.
-
Mod parent Misleading - NOT Informative
For starters, unix systems are not routers, they can be used as such, I use one at home. But for a backbone connection with millions of packets per second, they are a poor choice. They cannot keep up with a good cisco or foundry router.
Um, sorry, but that is just plain wrong. The irony of your assertion is that Cisco uses a QNX-derived OS in its high-end routers. QNX is very much a Unix, in fact probably the most standards-adherent "free" Unix available. So yes, Unix systems are routers, in fact the best ones.
Moderators, get a clue. (OK, maybe not routed, but certainly Unix)
http://www.qnx.com/markets/networking_telecom/
http://www.qnx.com/news/pr_1074_4.html
http://en.wikipedia.org/wiki/QNX
http://en.wikipedia.org/wiki/IOS-XR
http://newsroom.cisco.com/dlls/prod_051898.html
http://www.cisco.com/warp/public/146/pressroom/1998/may98/16.html
http://www.cisco.com/en/US/products/ps5763/products_tech_note09186a0080772675.shtml
aw hell, take a look at the search results yourself:
http://www.google.com/search?q=QNX+site%3Acisco.com
http://www.google.com/search?q=cisco+qnx
It's pronounced QUE-NIX - get it? -
Re:Cisco Kid Was a Friend of Mine
Vonage is a big Cisco customer. Why didn't Cisco save their customer (to pay them more money later) by reporting they had prior art that invalidated Verizon's patent?
Maybe Verizon is a bigger Cisco customer than Vonage is.
Verizon is a huge Cisco customer, both using their equipment and reselling it. -
whippersnapper
sigh. I'm quite familiar with the capabilities of much of the Cisco product set. Remotely upgrading code is a PITA (and not entirely risk-free), and tftp across a link with packet-loss is even worse. Better is straightforward FTP, due to TCP's retransmission properties.
In general, most space science software is nowhere near cutting edge, because the engineers (rightly) want code which is known to work always. Cisco is still in the "adding significant features" mode with its IPv6 implementations (various chunks of DHCPv6 were being added in 12.3(14)T, for instance, and aren't available for any of the high-end ISR line [28xx, 38xx] at all). The proof is here. I'll leave the implications of the freshness of the code for you to figure out. -
Re:Pointless? No.
Newly implemented code? IPv6 has been around for more than 10 years (RFC 1883). IPv6 integration in Cisco routers ran from 2001 to 2003. Other vendors have had similar release dates. This hardly qualifies as "newly implemented".
IPv6 is stable and ready for deployment. It has been for a long time.
-
I wonder if that Cisco has been patched...
For this configuration exploit, this SNMP vulnerability, this IP sequence generation problem, this ICMP vuln, this H.323 problem, and this buffer overflow.
NOTE: Some of the listed problems indicate a "Cisco 3200 Catalyst", which may not be the same as the orbiting "Cisco 3200 Mobile Access Router". IANACG (I am not a Cisco geek). -
Re:VOIP Prior Art
Valid prior art would be some form of H.323 to PSTN gateway (called a H.323 Gatekeeper), or maybe any sort of way to bridge PSTN with IP.
FWIW, Cisco's IOS v11.3 implemented this functionality, which puts it around 1999
The PDF of the H.323 standard is at http://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-H.323-200606-I!!PDF-E&type=items but I believe it was finalised in 1996, which puts it a bit too late. I think we'd need to be looking at SS7 gateways to bust this patent. -
Apparently Nothing
I have a 20Mbps symmetrical fiber connection through Surewest in Sacramento, CA and they don't seem to do much. Originally their ToS said you couldn't use more than 40GB per month (up or down, whichever is more) and charged you a modest amount extra per GB for that month, but they originally came up with those terms when they only offered 10Mbps and DSL. Since then, they have introduced 20Mbps and 50Mbps packages, and I have heard (yet not confirmed) that they have increased the monthly quota up to 100-200GB, depending on what speed package you have. I let a friend of mine who is on a slow DSL connection (384kbps, he is at the edge of the service area) remote desktop into one of my computers and download a lot of torrents, which he later burns to CD/DVD. On some months, between the both of us, we download a lot of stuff. I used to run pfSense, and the MRTG software built in showed that I had transferred at least 500GB one month. I have yet to hear anything from Surewest regarding that. I once was in contact with an employee via email who told me they don't enforce their caps unless a user is abusing the service. I guess one could say that I abuse the service, but I think they mean in terms of impacting other customers' connection speed in the neighborhood. Since they have 100Mbps to each customer, and up to 10Gbps neighborhood backbones, I don't think they'll be running low on bandwidth anytime soon.
-
One step forward
This is a neat step forward, but really only experimentally viable.
The real advancement will be when they can implement their mesh technology with a swarm of airborne drones, which automatically place themselves for optimal coverage of a specified area based on throughput and interference avoidance.
I'd give it 10 years, TOPS.
(Cisco's current technologies already support this on a rudimentary level. If you don't know much about wireless mesh networking, here's Wikipedia: http://en.wikipedia.org/wiki/Wireless_mesh_network and Cisco: http://cisco.com/en/US/netsol/ns703/netbr0900aecd80364a60.html) -
Re:Change your firmware on the Linksys...
Now, once you have flashed it, you can use additional channel space that is normally unavailable to use as it is reserved bandwidth. I forget which channel ID it is, channel 14 I think is not normally accessible in the USA. Change to that channel and most of your interference should go away from other competing devices.
Nice to see someone recommend you break the FCC rules (which I believe puts you in violation of a federal law)... *Sigh*. The FCC, for all its problems, does actually do the frequency splits for a real honest-to-god good reason. Everything above 11 is outside the USA frequency range; you use 14 because that puts you the furthest away (which leaves you less overlap with 11; each channel overlaps with the next 4 or 5 channels). As to what is usable where, see this page from Cisco. What the parent is recommending is an FCC violation, probably punishable by a fine. Not sure if it's punishable by jail time. In general, what you'd like to do is actually work with the people in the area to work out a workable system. While this local optimization might work for you, if everyone does it, it's a problem. Along with the fact that it will cause problems for whoever actually is using the licensed equipment in that frequency range. First figure out if you have crappy equipment, or figure out if the wireless spectrum in your area is just flooded. If it is, work with the folks you live near to mitigate this. They are flooding your network, you are flooding theirs. Set up one network, or set up multiple networks and coordinate channel usage. Get everyone to tone down their power settings (thus the signal won't go through walls). As several others have suggested, use directional antennas. Use a different technology for single-room access and use wired for long haul.
Kirby
-
Re:Anything that runs dd-wrt
No, it's only illegal to go over the maximum power output regulations. As long as you do not combine and modify equipment to operate above regulation, it's legal. That's why you can buy higher dBi antennas in Walmart; they're designed to stay within spec. It's not illegal to boost power at all, it's only boosting power over regulation that's illegal. Here's a link to a Cisco support page listing some specs.
-
Not exactly
I couldn't help chuckling as I read the above post, as it outlines all of the things that were presented as benefits of moving to IPv6 when it was initially released. For example:
- There are several mechanisms for running IPv4 and IPv6 side by side, and that was a major part of the discussion in the IPv6 rollout early on. Medium-sized chunks of the net were running IPv6 for quite a while, and were routed in and out of fairly seamlessly. Transition mechanisms were designed long before IPv6 was adopted by the IETF (the linked RFC is from 1995).
- IPv6 designers also put in tools designed to provide for mobile endpoints, although better designs have come out since.
- IPv6 provides and uses multicast addresses as part of its initial design, and its multicast is being used successfully.
-
Re:Linux ISO's...
I call shenanigans. I've worked for an ISP on more than one occasion and the method you speak of consists of analyzing every single byte of every single user in real time and that's simply not going to happen.
QoS based on TCP port (80 HTTP vs. 554 MMS streaming video vs. 25 SMTP, etc) already happens in real-time, and has for years.
QoS based on packet inspection is harder (more CPU-intensive), but needed for BitTorrent, Skype, etc. that use multiple ports. You can't do this easily on backbone links in real-time, but you can at customer aggregation points. Again, already being done.
Here's Cisco's docs on QoS.
Pay attention to the part about NBAR, which is identifying traffic by content (once identified, it can be marked, shaped, dropped, redirected, etc). You can add additional application recognition modules (PDLMs) for BitTorrent, etc.
NBAR: Dynamic Identification of Flows
Cisco's newest method of classification is Network Based Application Recognition (NBAR). For clarity, NBAR is actually only an identification tool, but it will be referred to here as a classification tool. As with any classification tool, the hard part is identifying the traffic. Marking the packet later is relatively easy. NBAR takes the identification portion of classification to another level. Looking deeper into the packet, identification can be performed, for example, to the URL or MIME type of an HTTP packet. This becomes essential as more applications become web-based. You would need to differentiate between an order being placed and casual web browsing. In addition, NBAR can identify various applications that use ephemeral ports. NBAR does this by looking at control packets to determine which ports the application decides to pass data on.
NBAR adds a couple of interesting features that make it extremely valuable. One feature is a protocol discovery capability. This allows NBAR to baseline the protocols on an interface. NBAR lists the protocols that it can identify and provides statistics on each one. Another feature is the Packet Description Language Module (PDLM), which allows additional protocols to be easily added to NBAR's list of identifiable protocols. These modules are created and loaded into Flash memory, which then is uploaded into RAM. Using PDLMs, additional protocols can be added to the list without upgrading the IOS level or rebooting the router.
-
Re:Linux ISO's...
I call shenanigans. I've worked for an ISP on more than one occasion and the method you speak of consists of analyzing every single byte of every single user in real time and that's simply not going to happen.
QoS based on TCP port (80 HTTP vs. 554 MMS streaming video vs. 25 SMTP, etc) already happens in real-time, and has for years.
-
Re:Let's be clear about what this means
the routers aren't gaining capacity to route packets as quickly as the number of packets to route is rising. No amount of extra fiber will help if the routers can't keep up. Setting up more routers in the same interconnect centers will bring either bigger routing tables or higher latencies depending on how they're connected to one another.
Exactly how fast do you need your router to go? Cisco and Juniper both have routers that can route at 40Gbps and have a massive number of ports on them. The CRS-1 from Cisco can expand to 1152 slots each doing 40 Gbps. Drop a couple of those around and you've got a backbone that's going to handle the next 10-15 years. Juniper has the T640, pretty soon the T1280 that can expand to a multi-shelf design.
Cisco CRS-1
Juniper T640 -
Re:A big part of the problem is poor documentation
Well, it depends on the equipment you buy - a lot. The el-cheapo crap I have at home (a Level-One ADSL-Ethernet Bridge, a Linksys WRT54GL) both came wide open, with no reminder to change defaults. The Linksys also came with a fully open WLAN by default.
On the other hand, these 5 new access points I bought for my company's office, Cisco 1131AG, came with a disabled radio interface. It had to be brought up manually. However, their web interface still sucks, and didn't remind me to change passwords (which was a non-issue, since I had to include them into radius, enable ssh, etc. pp.). -
Re:Why shouldn't they ?
proprietary "VPN through Internet Explorer" solution
Most likely Citrix Access Gateway, I have seen it used a lot. Works reasonably well, few bugs though and no security certifications.
In either case, PPTP is a routing protocol,
Nope, PPTP is not a routing protocol. EIGRP and BGP are routing protocols.
PPTP is PPP over a GRE connection with a control session for GRE on TCP 1723.
and despite pulling the wool over your eyes, you do NOT have an IP on the system physical subnet.
Got a link on this one? There is no reason you can't give out an IP address from a PPTP server which is on the same subnet as the ethernet card of the PPTP server.
Broadcasts such as NetBIOS and mdns do not cross subnet barriers.
Broadcast? No, ARP? Yes.
ARP does work across a PPP link, so you might find that a customer is using ARP for name resolution. That really wouldn't be the brightest move as far as I was concerned, but it's a possibility.
The other alternative is that as people connect into their PPTP servers, they are given WINS server settings which will assist in them being able to see a browse list
Name resolution doesn't get you network neighborhood population.
Actually if it's WINS, it will do it nicely.
She was using a Firebox firewall to do the pptp vpn, and apparently you can't push the search parameter. yay
My guess here is that you are talking about sending multiple DNS server suffixes through DHCP.
The intention to do this really hasn't been picked up by too many people. It was first discussed in RFC 3397 but Microsoft hasn't implemented it yet, Apple might have for zeroconf and ISC has done so for DHCPd.
My personal opinion here is that you need to learn a bit more about how windows name resolution works (The old way, before AD) as you seem a bit confused.
For future reference, even though I would consider it dilapidated, WINS does do the job of allowing machines to discover other machines across subnets quite well.
The other suggestion I would have had would have been to just provide a link on the desktop to the NAS so that way DNS is involved only, and nothing more. Either that or just mount up the required shares and close the call
Berny -
SuperRouter? Please rename it.
When I read the summary I thought they'd be competing with Cisco's service provider grade box http://www.cisco.com/en/US/products/ps5763/index.html
Guess they'll need to come up with some pretty fast interfaces b/c I dunno if Frys/CompUSA carries OC-192/768 interfaces for the PC.
Sounds like another LEAF project http://leaf.sourceforge.net/ -
Re:No chance
true today's SP networks aren't capable of handling tomorrow's traffic, but as we all know in the tech world, no one stands still. SP's are in the beginning phases of major network overhauls to handle tomorrow's traffic - http://newsroom.cisco.com/dlls/tln/exec_team/dominguez/perspectives.html