Domain: cisco.com
Stories and comments across the archive that link to cisco.com.
Comments · 1,300
-
Spanning Tree Protocol
While it's true that the purpose of the 5-4-3 rule is to avoid collisions of packets that are travelling at the rather slow speed of electromagnetic propagation over copper, and that the 5-4-3 rule envisions hubs, not switches, as the intermediary devices, it is also true that there is a maximum number of switches allowed on a network. Switches act as Layer Two bridges, and it is their responsibility to store and forward information about all known MAC addresses on all physical interfaces. A network with too many remote segments, containing too many MAC addresses, will die in a broadcast storm. The Spanning Tree Protocol was originally designed for use in IBM Token Ring networks, which were confined to ~250 stations per ring [depending on the implementation] in the absence of a Spanning Tree. The Spanning Tree Protocol has since been borrowed by ethernet networks, and is now in the public domain, governed by IEEE 802.1D [the most recent version of which dates from 1998]: http://a957.g.akamai.net/7/957/3680/v0001/standards.ieee.org/reading/ieee/std/lanman/802.1D-1998.pdf
Chapter 8 of this PDF document [pages 76 through 127] is the official Spanning Tree Protocol [together with source code for a model implementation]. In Table 8.1 [page 126], the maximum bridge diameter of a spanning tree is recommended to be seven, which is not a lot more than the maximum of the old 5-4-3 rule. Note that seven bridges means eight physical subnets, so it's sort of an 8-7 rule, as opposed to the old 5-4 rule. Curiously, though, this is only a recommendation; the requirements, as listed in Table 8.2 [also page 126], concern timing issues, not the physical diameter. For background reading, you might consider some of these articles:
- Source Routing and the Spanning-Tree Protocol: http://developer.novell.com/research/appnotes/1991/august/01/apv.htm
- Understanding Spanning-Tree Protocol: http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/sw_ntman/cwsimain/cwsi2/cwsiug2/vlan2/stpapp.htm
- Understanding Spanning Tree Protocol -- the Fundamental Bridging Algorithm: http://www.oreillynet.com/lpt/a//network/2001/03/30/net_2nd_lang.html
- Metro vendors question Spanning Tree standard: http://www.nwfusion.com/archive/2001/123588_08-06-2001.html
The last article, about the disgruntled vendors, concerns the newer Rapid Spanning Tree Protocol. [If you've ever set up some switches in a Spanning Tree, you know that it can take a long time for them to finish their negotiations.]
-
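The election and diameter check behind the comment above, as an added example that is not code from the original post, from IEEE or from Cisco: the root bridge is the lowest bridge ID, every other bridge takes the least-cost path to it (ties broken by the lower upstream bridge ID), links left out of that tree are the ones a bridge would block, and the tree's diameter in bridge hops is compared with the seven-bridge recommendation the comment cites from Table 8.1. Bridge names, priorities and link costs are constructed sample values.

```python
"""Model of the 802.1D root election and resulting tree (added example, not
from the original post).  Topology, bridge IDs and costs are constructed."""
import heapq
from collections import defaultdict, deque

RECOMMENDED_MAX_DIAMETER = 7  # bridge hops, as cited above from 802.1D-1998 Table 8.1


def elect_root(bridges):
    """Bridge ID is (priority, MAC-like name); the lowest tuple wins the election."""
    return min(bridges)


def build_tree(bridges, links):
    """Return (root, parent): parent[b] is the bridge on the far side of b's root port."""
    adj = defaultdict(list)
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    root = elect_root(bridges)
    # best[b] = (root path cost, upstream bridge ID): the lower tuple wins, the
    # same order in which a bridge ranks the BPDUs it hears.
    best = {root: (0, root)}
    heap = [(0, root, root)]
    parent = {}
    while heap:
        cost, via, b = heapq.heappop(heap)
        if (cost, via) != best[b]:
            continue  # superseded by a better BPDU
        if b != root:
            parent[b] = via
        for nxt, link_cost in adj[b]:
            candidate = (cost + link_cost, b)
            if nxt not in best or candidate < best[nxt]:
                best[nxt] = candidate
                heapq.heappush(heap, (candidate[0], candidate[1], nxt))
    return root, parent


def tree_diameter(tree_adj):
    """Longest bridge-to-bridge path along the tree, in hops."""
    def farthest_hops(start):
        seen = {start: 0}
        queue = deque([start])
        while queue:
            b = queue.popleft()
            for n in tree_adj[b]:
                if n not in seen:
                    seen[n] = seen[b] + 1
                    queue.append(n)
        return max(seen.values())
    return max(farthest_hops(b) for b in tree_adj)


def analyse(bridges, links):
    """Root, blocked links, diameter and whether it stays within the recommendation."""
    root, parent = build_tree(bridges, links)
    tree_adj = {b: [] for b in bridges}
    blocked = []
    for a, b, _ in links:
        if parent.get(a) == b or parent.get(b) == a:
            tree_adj[a].append(b)
            tree_adj[b].append(a)
        else:
            blocked.append(tuple(sorted((a, b))))  # neither end's root port: blocked
    diameter = tree_diameter(tree_adj)
    return {
        "root": root,
        "blocked_links": sorted(blocked),
        "diameter": diameter,
        "within_recommendation": diameter <= RECOMMENDED_MAX_DIAMETER,
    }


def bridge(n, priority=32768):
    """Constructed bridge ID; 32768 is the usual default priority."""
    return (priority, "sw%d" % n)


# Constructed sample 1: six bridges in a ring, all links cost 19 (100 Mbit/s default).
RING_BRIDGES = [bridge(n) for n in range(1, 7)]
RING_LINKS = [(bridge(n), bridge(n % 6 + 1), 19) for n in range(1, 7)]

# Constructed sample 2: nine bridges daisy-chained; nothing to block, but the
# tree is eight hops across, beyond the recommended diameter.
CHAIN_BRIDGES = [bridge(n) for n in range(1, 10)]
CHAIN_LINKS = [(bridge(n), bridge(n + 1), 19) for n in range(1, 9)]

if __name__ == "__main__":
    for name, br, ln in (("ring", RING_BRIDGES, RING_LINKS), ("chain", CHAIN_BRIDGES, CHAIN_LINKS)):
        print(name, analyse(br, ln))
```

For the ring, sw1 wins the election, the sw4-sw5 link is the one left blocked and the diameter is 5; for the nine-bridge chain nothing is blocked but the diameter of 8 exceeds the recommendation. Since the election is decided purely by the lowest bridge ID, the priority field is what an administrator sets to pin the root where it belongs rather than leaving it to whichever bridge happens to have the lowest MAC address.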
what you really need if you're serious...
You're going to need a minimum of three routers and two switches to do anything approaching interesting; you're also going to need 4+ endpoint computers.
Start with:
- 2501
- 2620 + WIC-1T or WIC-2T
- 1005
- 2924XLEN
- 5002
- 2xCAB-TC-5 see Here
- misc ethernet cables
Quick check of eBay says you can get the above for around $5000-6000 USD. Other people will tell you to rent time, but again, if you're serious, you will want your own lab to (a) keep your skills up in a potentially stagnant work environment or (b) keep going up the ladder in Cisco certifications.
General comments:
- You will need the endpoint computers - it's not enough to route between routers, sometimes you need to route between networks. They are also useful for seeing the vagaries of odd protocols - you were going to learn IPX and AppleTalk, right - they're on the test.
- And add routers as you can find them. Anything will be useful, and keep an eye out for AGS or AGS+ machines - they run older IOS only, but they can really help out as they are actually 7500 class routers that are way past their due date and getting cheaper by the day.
- You will need another fast ethernet port sooner as opposed to later, so look for another 262x or 36x0+NM-1FE as well.
- You're going to have to add token ring to the mix if you're planning on passing, so plan for it by looking for 2502s or getting a 2513 instead of the 2501 above.
- 25xx series routers are going to need an ethernet AUI adapter - about $30 new.
- Don't cheap out and skip anything - you do need the 500x switch to get an idea of what CatOS is like, it's almost-IOS but not quite.
- ISDN is on almost all tests, but not too cheap to simulate in a lab - there is a product from Adtran called the Atlas 550 or 800 that will emulate an ISDN or PRI switch so you can do DDR backup links. If you can find one, sub in a 2503+NT1 for the 2501 above.
- Another interesting and usually cheap system is the AS5100 - it's three 2511's in a 3com modem chassis - great way to have a couple of routers and a console server (use one 2511 plus an octal (or two) RJ45 serial cable(s) Here) to control the big mess of routers you've got through reverse telnet to those serial interfaces.
- Stay clear of anything that doesn't run standard IOS (19xx switches, 700 series routers) since they're pretty close to useless these days and interesting only as a side project.
- Read everything you can get your hands on, you're going to spend a fortune on dead trees, so read as much as you can out of the Cisco Documentation Library before you buy a Cisco Press book.
- Also keep in mind that you can tell the level of the book by whether or not there is an ISO 7-layer triangle in the first chapter (if you don't get this joke now, you will soon.)
- This is a lab that a friend of mine is setting up - gives you an idea of what you can accomplish - he's waiting patiently on a cheap 500x switch and for some reason he hasn't listed his 1005 on here.
Email me if you've got detailed questions and you're planning on getting a real CCxx rather than a 'I did the test so pay me lots of money' CCxx and I'll help when I can. Apologies for sounding like an old fart, but I'm tired of people who don't really understand their work, but are really good at passing tests.
-
Try this page at cisco
Cisco Icons, assuming you trust cisco.
-
My experience ... aka my first post on /.
I started off as an untrained (don't even have high school) IRC freak on galaxynet and after 9 months joined a local IRC/ISP, started off as a helpdesk operator and was exposed to redhat5.0 (all boxes were running either SCO or linux) and beginner WAN; with time and initiative, I progressed to larger WAN/LAN and later went for CCNA, RHCE & CCNP. I was promoted to manager level but instead chose to leave in pursuit of my degree
...
Well, all these years I found out everything is up to your initiative and the best place to learn is to start from a small shop or ISP where linux is prevalent ... you would get bogged down by work but you would learn; of course there's the pay cut you have to take. Of course the other method is to join a major ISP, but the major pitfall in such environments is that what you learnt is limited and you quickly get bored of it.
I've known friends from that environment who approached me to teach them about boxes and such, and the major push factors are things like rigid work scope and non-departmental transferability, which means low scope of internetworking on LAN/WAN.
Now I only wonder if big companies out there would accept your experience and professional certificates instead of only pure degrees and such, while I'm stuck down under for 2 years to gain this crappy paper which doesn't teach me anything at all ... -
Re:Just Goes to Show
Linus, in his latest interview still doesn't bash Microsoft, or much if at all. It would probably be a coup if he were to join Microsoft, but then he'd probably have to stop designing the kernel as everything he did for years after would belong to M$.
Clause in Microsoft employment contract: All your intellectual output are belong to us
It's true, I swear it! -
Interesting on Several Fronts
Whatever you may think about Linus, he certainly remains pretty noncommittal about the future of Linux, and that has to make some PHBs somewhat uncomfortable. I wouldn't be surprised to see someone put some spin on:
"If I were to make a prediction right now, which I'm not going to, if that prediction actually came true, I'd be really disappointed."
indicating a lack of direction. But, with mention of IBM and the way the license has been set up, he almost seems willing to pass on the torch.
"People are doing things with Linux that I'm frankly not that interested in, and that's fine."
Who's editing content for Cisco? At the time I hit the link this was displayed at the bottom:
if (_sv==10){if (document.cookie.indexOf("CP=")!=-1){_ce="y";}else { document.cookie="CP=null*; path=/; expires=Wed, 1 Jan 2020 00:00:00 GMT"; _ce=(document.cookie.indexOf("CP=")!=-1)?"y":"n";} ;if((_rf=="undefined")||(_rf=="")){_rf="bookmark"; }; _x2="
Also, the document was posted twice. I hope most readers here realized this before they read the entire document 2 times. -
ssh is available on ALL IOS w/ encryption feature
If you have a 12000 or some of the higher end routers, you can ssh to it. Lesser routers, such as anything less than a 7500 can only use telnet. This sucks, but it is what cisco offers.
You are so wrong with the above statement. Provided you have an encryption Feature Set (IPSEC 3DES or IPSEC 56) you can ssh to your router. No matter if it's an 801, a 12416 or anything else in between.
Read more about requirements + configuration of ssh on IOS routers here and for further ssh-related reading on Cisco platforms, go here.
-
Re:Routing Nightmare
That's pretty open... you'd normally limit vty access to perhaps a single host on a network and you may want to apply anti-spoofing access lists to your interfaces.
Another tool to use is a TACACS+ server. Cisco produce both a Commercial Cisco server ($$$) and an open source TACACS+ server called tac_plus.
tac_plus allows you to implement AAA (Accounting, Authorisation & Authentication). Which basically means this:
* Central User Access Authentication for all your Routers, Firewalls & Switches.
* Authorisation for each individual command entered (on a per user, per host basis)
* Accounting (read logging) of all configuration changes on networking equipment.
Tac_plus is open source and compiles on nearly all platforms. More information can be obtained here: at Cisco.com -
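Per-command authorisation and accounting as the comment above describes them, modelled in Python as an added example (this is neither tac_plus code nor its configuration syntax): users map to groups, each group holds an ordered list of command rules, the first matching rule decides, anything unmatched is denied, and every decision, permitted or not, is written to an accounting trail. Group names, rules, user names, device names and commands are all constructed.

```python
"""Model of per-command authorization and accounting (added example, not
tac_plus's own code).  Policy and sessions below are constructed samples."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    command: str      # first word of the CLI line, e.g. "configure"
    args_regex: str   # full-match regex over everything after the command word
    permit: bool


# Constructed policy: a read-only group and an administrative group.
GROUPS = {
    "noc": [
        Rule("show", r".*", True),           # troubleshooting only
        Rule("ping", r".*", True),
    ],
    "netadmin": [
        Rule("show", r".*", True),
        Rule("configure", r"terminal", True),
        Rule("interface", r".*", True),
        Rule("ip", r"address .*", True),
        Rule("reload", r".*", False),        # explicit deny, so it is logged as a rule hit
    ],
}
USERS = {"alice": "netadmin", "bob": "noc"}   # constructed user-to-group mapping


def authorize(user, cli_line):
    """Per-command authorization: first matching rule wins, default deny."""
    command, _, args = cli_line.strip().partition(" ")
    group = USERS.get(user)
    if group is None:
        return False, "unknown user"
    for rule in GROUPS[group]:
        if rule.command == command and re.fullmatch(rule.args_regex, args):
            verdict = "permit" if rule.permit else "deny"
            return rule.permit, "%s by rule %s /%s/" % (verdict, rule.command, rule.args_regex)
    return False, "deny (no matching rule)"


def account(log, user, device, cli_line, permitted, reason):
    """Accounting: one tab-separated record per command, allowed or not."""
    record = "%s\t%s\t%s\t%s\t%s" % (
        device, user, "PERMIT" if permitted else "DENY", cli_line, reason)
    log.append(record)
    return record


def run_session(user, device, commands, log):
    """Authorize each command of a session in turn and account for all of them."""
    results = []
    for line in commands:
        permitted, reason = authorize(user, line)
        account(log, user, device, line, permitted, reason)
        results.append((line, permitted))
    return results


if __name__ == "__main__":
    trail = []  # constructed accounting log
    session = ["show ip route", "configure terminal", "reload", "debug all"]
    for line, ok in run_session("alice", "core-rtr-1", session, trail):
        print("%-20s %s" % (line, "permitted" if ok else "denied"))
    print("\n".join(trail))
```

The accounting trail is the part that matters after the fact: because denied commands are recorded with the rule that denied them (or the absence of one), a central log answers "who tried to reload what, and when" for every device that points at the same server.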
Re:router security
What about the 3662 I used to admin?
Perhaps that documentation is out of date. Support is a lot more pervasive than that now.
Cisco claims to have added support for ssh for the 3600's as of IOS 12.1.
-
Re:cisco updates
1. Cisco does not charge for firmware updates.
2. Programming mistakes are not the only, or even the primary, reason for firmware updates. Mostly, it's new features.
3. For someone who gripes about programming mistakes, you type quite carelessly.
-
Re:router security
-
Cisco's Network Designer/Netformx
CND was supposedly designed as an XML formatted network diagram tool. The idea was that the data picked up from autodiscovery could be manipulated into part numbers, and exported into ordering programs and accounting systems, and exchanged with network management systems. Cisco has been pushing hard to get into XML for communication between all their applications, with varying degrees of success. As one person at a conference said "It takes management only 2 seconds to make the decision to go with the latest buzzword (XML), but first implementation takes 2 years of hard work with plenty of resources. And if during those 2 years a new buzzword comes along, kiss most of that work goodbye".
I have no real understanding of the underlying technology, CND is just a tool that works. You might try googling, and digging around cisco and netformx sites for more info.
the AC -
Re:Fiber (and other suggestions)
I can't remember if this was ever true, but it isn't now.
Extreme Networks and Cisco both have long haul GBICs available, and have done for a little while.
I don't have info on the Cisco models available right now (Cisco's website is BIG!), but Extreme have a 1000BaseLX-70, that will do 70 km on singlemode dark fibre. On top of this they do what I could best call a gigabit fibre line driver in the form of a "SummitGbX"[tm]. They claim it will definitely do 80 km, and possibly up to 100 km; I have heard one claim that these units managed to reach 120 km. Basically, you hook these up to your 1000BaseSX interfaces at each end, and it does some wibbly-bits to bridge the 80 km or whatever length of fibre :) I would love to verify all this independently :) but I never even dared ask the prices :/
Of course, all this doesn't really help your cause much... you might be able to find a friendly telco that will blow fibre in for you. Apart from that, your realistic options might not include wireless.
At that range, you will have to go for some sort of microwave transmission, and even then you will probably have problems due to the Fresnel effect, which bends and scatters photons at the earth's surface. The maths escapes me at this moment, but to reach 45 miles in one hop you would probably need to have each end nearly 200 feet up in the air in order to clear inconvenient obstacles in between, like buildings and trees (how careless to put them there!). To do it in several smaller hops might be easier, but then you have to rent or buy locations to put your repeater stations on.
Another possible thing to do would be to link all the schools locally to a central point using some easily available method. Microwave links might be suitable here, as well as optical wireless links, T1 leased lines, or whatever you choose. The most useful central point would be a telco CO, which means that you will only have to rent backhaul bandwidth on the telco's network without having to pay for an expensive tail to anywhere else. Almost all COs will be served by fibre now, which makes renting a fast connection very much cheaper and easier to provision. As you well know, it is that last mile that makes it expensive. I wish you good luck :) maybe you'll let us know how it turns out?
btw, I don't have any connection with Cisco or Extreme, I just use their kit in my job -
I don't see why not!
Of course the exact setup will depend on factors such as terrain and which licensing restrictions you are subject to, but providing you can find locations for repeater stations (which can be solar powered, so you don't need a mains electricity supply) this should be feasible.
Here are some URLs you might find interesting: HPWREN (featured here recently) have a 45mb backbone using western multiplex tsunami kit, and 802.11b access points. They use solar power and batteries to power some backbone nodes.
Some other people using mostly 802.11b kit who will have some information you can use: BAWUG PersonalTelco.net NoCat.net Freenetworks.org
Using 802.11b or similar tech, you should expect each wireless hop to add about 5ms of latency, maybe a little more depending on distance. You can quite easily build a repeater by connecting two bridges together by a X-over cable. You could probably do this with Linksys WAP11 or similar, but over this type of distance you will find it much easier to use something like the high-spec version of Cisco Aironet 350 bridges (the 100mW versions will push the signal a lot further - 25 miles with 24dBi antennas - you can use Cisco's own, alternatives include Superpass (based in Waterloo), HyperLinkTech and others.
Aironet bridges let you set the distance of the link which modifies timing parameters (a slight problem with standard 802.11b over long distances), and their security is better than WEP.
There's plenty of homebrew opportunities for antennas and other related kit, although I guess they're probably of more use to people who don't have a budget to play with (: There's a collection of links on this page with a particular focus on homebrew kit.
-
Cisco also
Surprisingly enough, this comes only 1 day after Cisco's similar announcement, recalling power supplies for their 826, 827, 827-4V and SOHO 77 routers.
-
Standard Symbols
Well, I have to say, Visio is really the tool you are looking for. Visio Network Edition to be exact (although I think the normal version will do, but VNE includes an incredibly large amount of stencils).
On the free software side of things, there is KIVIO which aims to be a Visio clone for X.
I can't tell you how far it has gotten, but it looks decent, and if there were a way to import stencils from Visio (I just don't know if the formats are compatible) it might just do the job.
Nevertheless, if you have a really large network to draw, my suggestion is to go with Visio.
It is very capable and extremely easy to use.
Just don't forget to export the files to PDF or PS (maybe also HTML, but last I checked the HTML output of Visio wasn't too fantastic).
As for standard symbols, check out some of Cisco CCO's network maps.
You'll find an example of pretty much every way of connecting network equipment there, generally with nice example maps.
DO I sound like a Cisco Borg? ;-)
The way these maps are structured and also the set of symbols is pretty much the standard (IMHO this is the way to draw network maps, but then again I could be wrong).
Before you start I suggest you think about what kind of map you want (how much detail, just logical or real topology, do you want to use generic or product-specific symbols - generally I would say, go with generic symbols).
Another way to go would be to use one of the expensive NMS packages (CiscoWorks, HP OpenView) with which you can draw very nice network maps (actually that's just an effect of managing via these products; maybe one of these products already exists at your company).
One problem might be exporting these maps (I can't tell, haven't used one of these packages extensively) and the map formats are proprietary.
For normal "drawing" of maps, Visio is definitely the best choice -
Re:1.5 meg connection required.
It all depends on the codecs they run. g.729a can get voice down to 12kbps with another 12kbps of protocol overhead (if you're running frame relay with FRF.11 you can use compressed TCP headers and keep it about 16kbps). Vast improvement over g.711 64kbps standard PSTN calls use.
Cisco's way ahead of the game on all of this. Their 79x0 line of phones with CallManager on the backend rocks. Granted, it's not as bloated as the AT&T phone looks to be, but it's got XML and basic graphics capabilities built-in.
They also have a "soft phone" as well that runs great when you're not near your regular desk phone (so you can pick up calls remotely).
Someone was mentioning fear of tapping VoIP packets. Why even go that far? Until everything is on VoIP, you still need to have a connection to the PSTN, and that's where they'll be tapping things for a long while. If you're concerned about sniffing VoIP packets, run a VPN with encryption back to your office's PSTN... of course they can still use a classic wiretap once you hit the office PRI and on to the PSTN.
I'd like to see a pricetag on these phones and the backend servers they're talking about. Cisco's solution isn't cheap, and you know the telco's aren't going to be any better priced. Of course, they want you hooked up to their servers and paying monthly fees, not taking a free ride. -
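The codec-versus-overhead arithmetic behind the comment above, as an added example that is not from the original post: per-call bandwidth as a function of codec rate, packetization interval and per-packet header bytes, and from that how many calls fit on a T1, which is what the "1.5 meg connection" in the thread title comes down to. Assumed values, not taken from the comment: nominal codec rates of 8 kbit/s for G.729 and 64 kbit/s for G.711, 20 ms packets, 40 bytes of IP/UDP/RTP header per packet, a 2-byte header once RTP header compression is applied, and 1.536 Mbit/s of usable T1 payload.

```python
"""Per-call VoIP bandwidth and T1 call capacity (added example, not from the
original post).  All rates and header sizes below are stated assumptions."""

CODEC_KBPS = {"G.711": 64, "G.729": 8}   # nominal codec bit rates (assumption)
IP_UDP_RTP_HEADER = 40                   # bytes per packet, uncompressed (assumption)
CRTP_HEADER = 2                          # bytes per packet with RTP header compression (assumption)
T1_PAYLOAD_KBPS = 1536                   # usable T1 payload (assumption)


def per_call_kbps(codec_kbps, packet_ms=20, header_bytes=IP_UDP_RTP_HEADER, l2_bytes=0):
    """Bandwidth of one direction of one call in kbit/s, headers included.

    The codec emits codec_kbps * packet_ms / 8 bytes per packet; every packet
    then carries the same fixed header, so a shorter interval or a low-rate
    codec makes the header the dominant cost."""
    payload_bytes = codec_kbps * packet_ms / 8
    packets_per_second = 1000 / packet_ms
    return (payload_bytes + header_bytes + l2_bytes) * 8 * packets_per_second / 1000


def overhead_ratio(codec_kbps, **kwargs):
    """On-the-wire rate divided by the codec's own rate."""
    return per_call_kbps(codec_kbps, **kwargs) / codec_kbps


def calls_per_t1(codec_kbps, **kwargs):
    """Whole one-direction calls that fit in the assumed T1 payload."""
    return int(T1_PAYLOAD_KBPS // per_call_kbps(codec_kbps, **kwargs))


def summary():
    """Per-call rate for each codec with and without header compression."""
    rows = {}
    for codec, rate in CODEC_KBPS.items():
        rows[codec] = per_call_kbps(rate)
        rows[codec + "+cRTP"] = per_call_kbps(rate, header_bytes=CRTP_HEADER)
    return rows


if __name__ == "__main__":
    for name, kbps in summary().items():
        print("%-12s %6.1f kbit/s per call" % (name, kbps))
    for codec, rate in CODEC_KBPS.items():
        print("%-12s %3d calls per T1, %3d with cRTP" % (
            codec, calls_per_t1(rate), calls_per_t1(rate, header_bytes=CRTP_HEADER)))
```

Under these assumptions G.711 costs 80 kbit/s on the wire and G.729 24 kbit/s, so the 40-byte header triples the low-rate codec; compressing the header brings G.729 down to 8.8 kbit/s, which is where the comment's "keep it about 16kbps" range comes from once link-layer framing is added back. Capacity, not codec rate, is what the calculation is for: the same T1 carries 19 G.711 calls or 64 G.729 calls.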
Re:Simple IP-Based Telephony
Cisco's done this. It's apparently basically a 386 with a sound card and ethernet. It uses dhcp and tftp to grab config info. One of its more abusable features is the fact that you can download wav files to it to replace the ring.
I never did quite get around to getting on the serial port and trying to netboot linux,tho...
-
Re:NAS? TLA overload!
And in my business NAS means network access server (e.g. Cisco).
-
RTFM!
Quite a few DSL/Cable router box manufacturers have their manuals posted on their web site. It doesn't take long to get familiar with these devices' capabilities by reading the instructions. Just a few:
-
Check out the new Cisco Pix 501
Cisco just announced the Pix 501, targeted at SOHO, but running the same PixOS as the "big iron" Pix firewalls. I'd be very surprised if it doesn't do everything you want.
Cisco product information is here.
-
Re:Cisco 2611 (URL)
Cisco 2600 Series
http://www.cisco.com/warp/public/cc/pd/rt/2600/
I'm using IOS 12.2.X
http://www.cisco.com/warp/public/732/releases/release122.shtml -
Cisco PIX 501 Firewall
Being a Cisco guy myself, I'd have to say if money isn't an issue, and security is the main idea, go with Cisco's PIX Firewall. It's actually not that bad if you compare it to their higher end gear (small office 506 is $2K, 515R is at least $3K, and it goes up real fast from there). Plus, you can run IPSEC and connect to anything else running the same (or even PPTP/L2TP). The thing I like is that all of the PIX line runs the same code, so anything you can do on a big ISP-size 535 you can do on a 501. Plus, the new 6.0(1) code adds the ability to load the new PDM code (PIX Device Manager) which is a Java-based SSL web interface to allow easier programming in an interface very similar to Checkpoint's Firewall-1, etc.
Any Cisco security engineer-wannabees should really consider this option, since it's a cheap way to practice with the exact same interface as the high-end gear.
"Performance
The Cisco PIX 501 Firewall provides competitive performance in a compact form-factor:
* 10 Mbps cleartext firewall throughput
* 6 Mbps DES VPN throughput
* 3 Mbps 3DES VPN throughput
* Supports 3,500 concurrent connections
* Supports up to 5 VPN/IKE peers concurrently
PIX 501 10 User/DES Bundle, PIX-501-BUN-K8, $595
PIX 501 10 User/3DES Bundle, PIX-501-BUN-K9, $695
"
Oh, and compared to some of the "Cable/DSL" routers out there like Linksys, this is a huge step up. You can do NAT/PNAT from multiple external pools to specific internal ranges, or even port redirection so that multiple global addresses forward different ports to multiple internal servers, or one-to-one static NATing if you require, or even "NAT 0" (internal and external addresses are the same) but still firewalled. Built-in DHCP, basically everything and anything you could want or expect from a firewall middle-box is here.
http://cisco.com/go/pix -
Cisco 827
I've been thinking long and hard about the Cisco 827 ADSL router. True you need DSL, but for $500 it seems like a steal. Provides NAT, stateful packet inspection, VPNs with IPSEC 3DES. Might be overkill for Joe gamer, but if you're working from home or running a business, I think it's worth the $500. You can check out the stats here.
-
Re:OS support exists
Cisco has support for IPv6 in the newer versions of IOS (12.1T and above I believe). Check the Cisco Web Site for more information.
-
x.25?
umm, that's an old communications protocol. I think you mean 25X.
-
Re:What about the antennas ?
Go search the cisco web site for aironet and antenna, they have a few other antenna types, including a nice +21dB parabola not available in Europe.
Because 802.11b devices are being sold to consumers, they are required to have "non-standard" connectors not readily available on the market so people can NOT modify the antennas to boost range. That is a requirement in the U.S. and Europe, so all 802.11b manufacturers use Reverse-TNC or Reverse-SMA connectors.
The article had it wrong when it said the units had standard connectors. Clearly the author just bought two boxes and hooked them up and they worked, just like the TFM says. This article didn't deserve a /. listing, but in these last few hot summer days, the news is pretty thin.
the AC -
Important: Cisco just published this advisory....
Cisco just published an advisory regarding the modem defect. (Note that (a) this comes long after the fact, and (b) Cisco doesn't provide a link to the updated firmware; it merely mentions its existence. To get the update, customers will have to go through - ugh! - Qwest again.)
I just tried to post the advisory here, but Slashdot's software -- in its infinite wisdom -- rejected it with the message "junk character post" (perhaps it was sensitive to the boxes drawn with text characters). So, go to http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml to see it. -
Re:Qwest was negligent
No, right on both. You can find the Cisco tech note at www.cisco.com/warp/public/707/CBOS-multiple.shtml, the relevant part being:
Alternatively, disabling the Web access completely will also prevent this vulnerability from being exploited. This can be done by entering the following command while in enable mode:
cbos# set web disabled
You can find Qwest's current recommendations to Washington DSL customers at http://www.qwest.com/dsl/customerservice/downloads/Red_Virus_Patch.pdf
If you are trying to argue that these two documents are incorrect, then I would like to see a bit more than an anecdotal "I did this to make sure Code Red wouldn't affect me," because I did considerably less and also remained unaffected. I disabled web access to my 678 the day I got it from Qwest -- long before Code Red. I haven't upgraded the firmware, changed the web server port number, or re-jiggered NAT.
That says to me that if Qwest had followed accepted procedure and disabled the unused service in the default configuration supplied to customers, then the problem of infinitely looped DSL routers never would have surfaced in the first place.
-
Re:Did I miss something?
Also, the article talks about "Microsoft software" that some Cisco devices where using. What software was that? IIS runs embedded in Cisco stuff now?
I'm afraid that seems to be the case. Just look at this Cisco security advisory:
"The following Cisco products are vulnerable because they run affected versions of Microsoft IIS:
- Cisco CallManager
- Cisco Unity Server
- Cisco uOne
- Cisco ICS7750
- Cisco Building Broadband Service Manager
- IP/VC 3540 Application Server"
-
Actually
.. according to Cisco, there are several products that use IIS in one form or another, though from that list I don't see anything that should be running on public, non-firewalled IPs.
-
Automatic Registration
If any of you guys have Cisco switches then you can use VLAN Management Policy Server. It allows you to assign students to VLANs based on MAC addresses. I designed a system built around this switching feature.
When a student plugs into a dorm port, the first packet they send triggers the switch to look up their MAC address in a central database. Barring an entry, they are dumped into a fallback VLAN where I position a DHCP, DNS, HTTP multihomed server. The DHCP assigns them a non-routable IP address to communicate with one side of the box. I then instruct them (through check-in documentation) to open their browser. I wrote a tricked-out named.conf that, no matter what domain they request, always returns the IP of my server. Thus, they will connect to my server and I can collect information, including their MAC address from the ARP cache... they fill out the form and their data is dumped into a database, a Perl script is called to add their MAC address and VLAN assignment to the VMPS database (a flat text file) and fire an SNMP packet out the public interface to tell the VMPS switch to grab the VMPS file and refresh its tables. Voila! Totally automatic...
We were having trouble keeping up with the volume of activations, so I had to think of something (there are 3 of us for 3500 ports, and 2 are student aides).
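The step in that post that deserves the most care is the one where a web form's input ends up as lines in the VMPS flat file: a MAC address that is not validated strictly could carry extra text into the database. The following is an added example, not the poster's Perl script, showing the validation and append logic in Python. The file layout (a "vmps-mac-addrs" section of "address <mac> vlan-name <vlan>" lines) follows Cisco's VMPS database format as I understand it and is an assumption to check against a real file; the sample database, VLAN names and MAC addresses are constructed.

```python
import re

# Constructed VMPS database excerpt. The keywords follow Cisco's VMPS
# flat-file format as I understand it; treat them as an assumption and
# compare with a real file before relying on this.
SAMPLE_DB = """\
vmps domain DORMS
vmps mode open
vmps fallback REGISTRATION
vmps no-domain-req deny
!
vmps-mac-addrs
address 0001.0203.0405 vlan-name DORM_A
address 0001.0203.0406 vlan-name DORM_B
"""

MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")
VLAN_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
ENTRY_RE = re.compile(
    r"^address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+vlan-name\s+(\S+)\s*$")


def normalize_mac(raw):
    """Accept 00:01:..., 00-01-..., 0001.0203.0405 or bare hex and return the
    Cisco dotted form. Anything that is not exactly 12 hex digits after the
    separators are removed is rejected, so a browser-submitted value cannot
    smuggle newlines or extra directives into the file."""
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not MAC_HEX_RE.match(digits):
        raise ValueError("malformed MAC address: %r" % raw)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def validate_vlan_name(name):
    """VLAN names normally come from our own database; validate them anyway."""
    if not VLAN_NAME_RE.match(name):
        raise ValueError("malformed VLAN name: %r" % name)
    return name


def parse_entries(db_text):
    """Return {mac: vlan} for every address line in the vmps-mac-addrs section."""
    entries = {}
    in_section = False
    for line in db_text.splitlines():
        if line.strip() == "vmps-mac-addrs":
            in_section = True
            continue
        if in_section:
            m = ENTRY_RE.match(line)
            if m:
                entries[m.group(1)] = m.group(2)
    return entries


def add_registration(db_text, raw_mac, vlan_name):
    """Append one validated registration and return the new file text.
    Duplicates are refused so a second registration cannot silently move
    an already-registered MAC to a different VLAN."""
    mac = normalize_mac(raw_mac)
    vlan = validate_vlan_name(vlan_name)
    if "vmps-mac-addrs" not in db_text.splitlines():
        raise ValueError("database has no vmps-mac-addrs section")
    if mac in parse_entries(db_text):
        raise ValueError("MAC %s is already registered" % mac)
    if not db_text.endswith("\n"):
        db_text += "\n"
    return db_text + "address %s vlan-name %s\n" % (mac, vlan)
```

The SNMP trigger that tells the switch to reload the file is left out; the point here is that the registration script is the only writer of the file, so every field it writes should be constrained to a known-good shape before the switch ever reads it.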
-
Re:Hardly a surprise
2. I have not yet seen an access point that really gives you the freedom to use whatever the client wants. Typically, you have to configure the access point to a certain strategy (40 bit, 128 bit encryption), and every single client must know the key, which means everyone shares the same encryption key.
I have not personally used these since their release, but here are Cisco's new access points that are supposed to support unique keys per client and other things, but the new crack would invalidate this improvement too.
Anyone have details or use this cisco stuff?? -
Re:Umm..
MPLS in a nutshell: Humans set up a Label Switched Path (LSP) between several routers. Say from California to New York with routers in Kansas City, Chicago, and Washington DC in the middle. When a packet arrives at a MPLS router (head end router) in New York the router encapsulates it with a fixed length header identifying the packet as traffic that should take that particular path. The MPLS enabled routers in the middle (Kansas City, Chicago, and Washington DC) don't need to do IP address lookups, they just know that a particular LSP always comes in one interface and out another. Finally the router at the end of the LSP (in New York in our example) removes the MPLS encapsulation and forwards it via normal IP routing.
This is a "Good Thing" for several reasons. For one thing, it's quicker, as IP addresses are variable length, whereas MPLS labels are fixed. It also allows a lot more granular traffic control and shaping. Also, you can encapsulate just about anything inside MPLS, not just IP. And you can do QoS, CoS, VPN and lots of other stuff.
This is a VERY simplified version of what MPLS is and does. For more information try the following:
- The MPLS FAQ (http://www.mplsrc.com/mplsfaq.shtml)
- The MPLS Tutorial (http://www.iec.org/online/tutorials/mpls/)
- The Cisco MPLS home page (http://www.cisco.com/warp/public/732/Tech/mpls/)
-
Finally, there's a big huge thread on the NANOG mailing list about MPLS VPNs. It's a higher level discussion, so read the FAQs and stuff above first.
:) The thread starts here (http://www.merit.edu/mail.archives/nanog/msg06053.html).
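To make the "fixed length header" and the push/swap/pop hops concrete, here is an added example that is not part of the comment above: a Python model of the 32-bit MPLS label stack entry (20-bit label, 3-bit EXP, bottom-of-stack bit, 8-bit TTL, per RFC 3032) with a head-end push, transit swaps driven only by a per-router label table, and a tail-end pop. The LSP, router names and label numbers are constructed for the demonstration; real label distribution (LDP, RSVP-TE) is out of scope.

```python
import struct

LABEL_MAX = (1 << 20) - 1


def encode_entry(label, exp=0, bottom=False, ttl=64):
    """Pack one 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8).
    Its fixed size is what lets a transit router skip the IP lookup."""
    if not 0 <= label <= LABEL_MAX:
        raise ValueError("label out of range")
    if not 0 <= exp <= 7 or not 0 <= ttl <= 255:
        raise ValueError("exp or ttl out of range")
    return struct.pack("!I", (label << 12) | (exp << 9) | (int(bottom) << 8) | ttl)


def decode_entry(word):
    """Inverse of encode_entry: (label, exp, bottom, ttl) from a 32-bit int."""
    return (word >> 12, (word >> 9) & 0x7, bool((word >> 8) & 0x1), word & 0xFF)


def parse_stack(frame):
    """Walk entries until the bottom-of-stack bit; return (entries, payload).
    A stack cut off mid-entry or never reaching S=1 is rejected instead of
    being silently treated as an IP packet."""
    entries, offset = [], 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        entry = decode_entry(struct.unpack_from("!I", frame, offset)[0])
        entries.append(entry)
        offset += 4
        if entry[2]:
            return entries, frame[offset:]


def encapsulate(ip_packet, label, ttl=64):
    """Head-end router: push a single (bottom-of-stack) label onto an IP packet."""
    return encode_entry(label, bottom=True, ttl=ttl) + ip_packet


def swap(frame, table):
    """Transit router: replace the top label via its incoming->outgoing table
    and decrement the label TTL. No IP header is inspected at all."""
    entries, _ = parse_stack(frame)
    label, exp, bottom, ttl = entries[0]
    if label not in table:
        raise KeyError("no LSP for incoming label %d" % label)
    if ttl <= 1:
        raise ValueError("label TTL expired")
    return encode_entry(table[label], exp, bottom, ttl - 1) + frame[4:]


def pop(frame):
    """Tail-end router: strip the top entry; if it was the bottom of the
    stack, what remains is the original IP packet for normal routing."""
    entries, payload = parse_stack(frame)
    return payload if entries[0][2] else frame[4:]


def run_lsp(ip_packet):
    """Constructed LSP California -> New York with three transit routers.
    Returns the label seen at each hop, the TTL at egress, and the packet
    handed back to IP routing."""
    tables = {                       # made-up per-router swap tables
        "KansasCity": {100: 200},
        "Chicago": {200: 300},
        "WashingtonDC": {300: 400},
    }
    frame = encapsulate(ip_packet, 100, ttl=64)
    label_trace = [parse_stack(frame)[0][0][0]]
    for router in ("KansasCity", "Chicago", "WashingtonDC"):
        frame = swap(frame, tables[router])
        label_trace.append(parse_stack(frame)[0][0][0])
    ttl_at_egress = parse_stack(frame)[0][0][3]
    return label_trace, ttl_at_egress, pop(frame)
```

Note that a transit router in this model forwards anything whose top label is in its table, whatever the payload is; that is exactly the "encapsulate just about anything" property the comment mentions, and also why label tables at the network edge should only accept labels from trusted neighbours.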
-
Re:Why is PPoE bad?
Just to clarify, it seems that pppoe only increases the header by 8B... the max MTU is 1492 instead of 1500.
http://www.cisco.com/warp/public/794/router_mtu.html -
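Where those 8 bytes come from is easier to see in a frame builder than in a sentence, so here is an added example (not from the comment or from Cisco's document): a Python encoder and checker for the PPPoE session-stage header (6 bytes: version/type, code, session ID, length) plus the 2-byte PPP protocol field, which together leave 1492 bytes for the IP packet on a 1500-byte Ethernet payload. The session ID and packet contents in the test are constructed.

```python
import struct

ETHERNET_MAX_PAYLOAD = 1500                 # standard Ethernet MTU
PPPOE_SESSION_HDR = struct.Struct("!BBHH")  # ver/type, code, session id, length
PPPOE_VER_TYPE = 0x11                       # version 1, type 1
PPPOE_CODE_SESSION = 0x00                   # code 0 = session stage
PPP_PROTO_IPV4 = 0x0021                     # PPP protocol number for IPv4


def pppoe_overhead():
    """Bytes taken from every Ethernet payload: the 6-byte PPPoE session
    header plus the 2-byte PPP protocol field."""
    return PPPOE_SESSION_HDR.size + 2


def max_ip_mtu(link_mtu=ETHERNET_MAX_PAYLOAD):
    """Largest IP packet that still fits: 1500 - 8 = 1492 on plain Ethernet."""
    return link_mtu - pppoe_overhead()


def build_session_frame(session_id, ip_packet):
    """Wrap an IP packet for the PPPoE session stage. Oversize packets are
    refused here rather than emitted as a frame the link cannot carry."""
    if len(ip_packet) > max_ip_mtu():
        raise ValueError("IP packet of %d bytes exceeds PPPoE MTU %d"
                         % (len(ip_packet), max_ip_mtu()))
    ppp = struct.pack("!H", PPP_PROTO_IPV4) + ip_packet
    return PPPOE_SESSION_HDR.pack(PPPOE_VER_TYPE, PPPOE_CODE_SESSION,
                                  session_id, len(ppp)) + ppp


def parse_session_frame(frame):
    """Return (session_id, ppp_protocol, ip_packet). Anything that is not a
    well-formed session frame, or whose length field disagrees with the
    bytes actually present, is rejected."""
    if len(frame) < PPPOE_SESSION_HDR.size:
        raise ValueError("frame shorter than PPPoE header")
    ver_type, code, session_id, length = PPPOE_SESSION_HDR.unpack_from(frame)
    if ver_type != PPPOE_VER_TYPE or code != PPPOE_CODE_SESSION:
        raise ValueError("not a PPPoE session frame")
    body = frame[PPPOE_SESSION_HDR.size:PPPOE_SESSION_HDR.size + length]
    if len(body) != length or length < 2:
        raise ValueError("PPPoE length field does not match frame")
    proto = struct.unpack("!H", body[:2])[0]
    return session_id, proto, body[2:]
```

The practical consequence is the one the comment and the linked Cisco note are about: hosts behind a PPPoE link that assume a 1500-byte path and block ICMP "fragmentation needed" messages will see large transfers stall, so the router's interface MTU (or TCP MSS clamping) needs to reflect the 1492 figure.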
another source for cisco firmware
Hmm, you could alternatively try getting the 2.4.1 firmware patch from:
http://www.qwest.com/dsl/customerservice/win675ups.html
I think that 2.4.1 was one of the patches that resolved this security issue:
-
Re:cisco 675 hanging.
Cisco page
Woa, finally got this link right. I'm tired..
-
Re:cisco 675 hanging.
-
Re:microsoft might replace TCP anyway
Although the article you refer to appeared on Slashdot, it was basically uninformed, hysterical speculation. MS doesn't have sufficient inroads on the Internet to impose a proprietary protocol. If any company does, it's Cisco, but they're happy to use open standards anyway, for obvious reasons. Furthermore, Sun owns a large portion of the server market, and they don't exactly get along with MS after the Java deal.
TCP/IP is on its way out the door anyway, with IPv6 promising to provide an open standard that implements most of what was claimed for "TCP/MS" in the article.
-
It's all about Power
How much battery life does this thing have? After PDAing around the world for a couple months, battery life is foremost on my mind.
I have an iPAQ with a PCMCIA card slot, sometimes hooked to an AirCard card (sweet wireless 128k download speeds in a taxi!), and sometimes to a Cisco Aironet wireless LAN card. We recently demoed this working through a Tachyon 1.5 meter dish satellite connection, routed to a wireless base station. I was streaming MP3s to a cow farm in Germany. Amazing applications, but one Achilles heel...
The problem: Power. My battery (even with the extra battery in the PCMCIA sleeve) runs out in less than 2 hours. As soon as I pop in a 1 Gig IBM Microdrive, it drops to about 1 hour, if lucky. To counter this, I've built a little laptop backpack that has 4 rechargeable D-cells putting out the 5V DC that the iPAQ wants... backed up by a 12V DC-AC car converter and 3 solar cells mounted on the backside of the backpack (yes, I know it looks geeky, but stick on a couple Rage Against the Machine stickers and people think it's just a fashion statement, the latest in do-it-yourself geek-wear.)
So, the bottom line is now I carry a bag as big as a laptop whose sole purpose is to power my handheld laptop. Of course, I also charge my Digital Camera and Cell Phone off the same bundle, but I still feel like I'm missing something...
-
Re:Cisco DSL routers
Sure you can. Register for Cisco Connection Online, almost any integer will work for the contract number. After you are logged into the CCO, you can download updates for any Cisco product. The firmware updates for the 600 series are here. Whee!
-
Re:Cisco DSL routers
Cisco's vulnerability report (read the date!) says that 2.4.1 is OK.
My ISP is recommending 2.4.2, but I don't know why.
It's all academic to me, because I haven't found a place to download either.
-- -
Cool Cisco stuff
Cisco already has their hands in with cool things like the Cisco ATA 186 - an adapter that turns any old analog phone into an IP phone. You should be able to pick one up for around $200. I've thought about getting one of these and setting up a SIP server for my friends and me.
wishus
--- -