I have a 2960X that i have a VTC client plugged into. I'm running a sniffer on the VTC client and I see DSCP markings leaving the device with markings on it. On the switch itself I have a monitor session configured to mirror the VTC port and I'm sniffing traffic in that location too. The sniffer connected to the monitor port is NOT seeing any markings for DSCP?
Any idea on what could be causing this issue?!
SITE-OPS-AS-01#show mls qos
QoS is disabled
QoS ip packet dscp rewrite is disabled
... View more
I'm trying to use 'method-est' for enrollment on solution I'm working and whenever I start the process of 'crypto pki authenticate <TRUSTPOINT>' it fails. I'm not getting any sort of response whatsoever I believe because of a TLS handshake failure I'm seeing with wireshark. There is not much documentation for EST on cisco.com so I'm struggling to figure out what my next steps are. I'm using a CertAgent CA from InfoSecCorp and it has EST enabled because I can request the root cert fine when I use postman and just do a GET request.
crypto pki trustpoint RED-CA
enrollment profile RED-CA-PROFILE
rsakeypair SITE-OPS-IE-01.key 4096
crypto pki profile enrollment RED-CA-PROFILE
authentication url https://10.1.12.29:443/.well-known/est/certagent/ca7/cacerts
enrollment url https://10.1.12.29:443/.well-known/est/certagent/ca7/simpleenroll
reenrollment url https://10.1.12.29:8443/.well-known/est/certagent/ca7/simplereenroll
enrollment credential RED-CA
Here is the debug:
Feb 4 20:17:54.724: EST_CLIENT: Process timer event
Feb 4 20:17:54.724: EST_CLIENT: Process queue event
Feb 4 20:17:54.724: EST_CLIENT: Process starting enrollment
Feb 4 20:17:54.733: EST_CLIENT: CSR created successfully
.... TRUNCATED .........
Feb 4 20:17:54.733: EST_CLIENT : En/Re enroll URL : https://10.1.12.29:8443/.well-known/est/certagent/ca7/simpleenroll/simpleenroll
Feb 4 20:17:54.733: EST_CLIENT: Send http request
Feb 4 20:17:54.734: EST_CLIENT: have http response 3 tid
Feb 4 20:17:54.734: status_code : 0
Feb 4 20:17:54.734: status_string :
Feb 4 20:17:54.734: content_type :
Feb 4 20:17:54.734: content_encoding :
Feb 4 20:17:54.734: content_length : 4294967295
Feb 4 20:17:54.734: Location :
Feb 4 20:17:54.734: Server :
Feb 4 20:17:54.734: EST_CLIENT: Process queue event
Feb 4 20:17:54.734: EST_CLIENT: enrollment response status = 0
Feb 4 20:17:54.734: EST http send request failed
Feb 4 20:17:54.734: EST_CLIENT: retrying in 30 seconds
... View more
I've been trying to get 2547oDMVPN with 'mpls nhrp' setup in a VIRL environment and I have gotten it work with some of the examples I've seen online, but all the examples online have had the hub as the route reflector and have used the Tunnel interface for BGP peering. If I use my Tunnel interface as my iBGP peer source things work, but if I don't, then for some reason things stop?
Here is the output of some of my show commands that I believe to be the issue, but I don't know how to fix. In the 'show ip cef vrf CLASS detail' I see the prefix and it gets recursively resolved to my tunnel interface. In the 'show mpls forwarding-table' it says to drop the labels? I attached my entire VIRL topology in case that would be helpful. Thank you in advance for any help.
show mpls forwarding-table
IR-01#show mpls forwarding-table Local Outgoing Prefix Bytes Label Outgoing Next Hop Label Label or Tunnel Id Switched interface 305 202 0.0.0.0/0[V] 0 drop 307 205 10.10.1.0/24[V] 0 drop 308 No Label 10.30.1.0/24[V] 0 aggregate/CLASS 313 307 10.50.1.0/24[V] 0 drop
IR-01#show ip cef vrf CLASS detail IPv4 CEF is enabled and running VRF CLASS 17 prefixes (17/0 fwd/non-fwd) Table id 0x2 Database epoch: 0 (17 entries at this epoch)
0.0.0.0/0, epoch 0, flags [rib defined all labels, default route] local label info: other/305 recursive via 10.10.0.251 label 202 recursive via 10.10.0.250/31 nexthop 188.8.131.52 Tunnel102 0.0.0.0/8, epoch 0 Special source: drop drop 0.0.0.0/32, epoch 0, flags [receive] Special source: receive receive 10.10.1.0/24, epoch 0, flags [rib defined all labels] local label info: other/307 recursive via 10.10.0.251 label 205 recursive via 10.10.0.250/31 nexthop 184.108.40.206 Tunnel102 10.30.1.0/24, epoch 0, flags [attached] local label info: other/308 attached to Null0 10.30.1.0/31, epoch 0, flags [attached, connected] attached to Loopback1 10.30.1.1/32, epoch 0, flags [receive, local, source eligible] Interface source: Loopback1 flags: local, source eligible receive for Loopback1 10.30.1.32/30, epoch 0, flags [attached, connected, cover dependents, need deagg] Covered dependent prefixes: 2 need deagg: 2 attached to GigabitEthernet0/2.20 10.30.1.32/32, epoch 0, flags [receive] Interface source: GigabitEthernet0/2.20 flags: none Dependent covered prefix type cover need deagg, cover 10.30.1.32/30 receive for GigabitEthernet0/2.20 10.30.1.33/32, epoch 0, flags [receive, local, source eligible] Interface source: GigabitEthernet0/2.20 flags: local, source eligible receive for GigabitEthernet0/2.20 10.30.1.35/32, epoch 0, flags [receive] Interface source: GigabitEthernet0/2.20 flags: none Dependent covered prefix type cover need deagg, cover 10.30.1.32/30 receive for GigabitEthernet0/2.20 10.50.1.0/24, epoch 0, flags [rib defined all labels] local label info: other/313 recursive via 10.50.0.251 label 307 recursive via 10.50.0.250/31 nexthop 220.127.116.11 Tunnel102 127.0.0.0/8, epoch 0 Special source: drop drop 18.104.22.168/4, epoch 0 Special source: drop drop 22.214.171.124/24, epoch 0, flags [receive] Special source: receive receive 240.0.0.0/4, epoch 0 Special source: drop drop 255.255.255.255/32, epoch 0, flags [receive] Special source: receive receive
... View more