About sylvain.munaut

sylvain.munaut · 03-31-2014

Hi.I have a setup working on a Cisco 1812 running 15.1(4)M7.I'm starting from a working setup (but a rather large config, so not practical to post and sanitize here) and I'm trying to add new WAN link and use this new links for the users of one of th...

sylvain.munaut · 08-08-2013

I mean seriously ... it's 2013 and AFAICT the 3750-X which is a pretty recent switch still doesn't support some pretty important features when it comes to IPv6.Things like VRF and PBR are apparently not supported and I'd really need one of them (I ca...

sylvain.munaut · 03-07-2013

Hi,I have a Cisco 1921 which has a IPSec connection to the outside, but despite this, it seems the hw accelerator module is not used because the stats are all zeros (see below). Also, I can see that the module is enabled ( using show crypto engine br...

sylvain.munaut · 02-13-2012

Hi,I have a router that has a IPSec / L2TP dial in VPN and uses zbf for firewalling, including the self zone.The same router also has VTI gre/ipsec tunnels to other sites.For the static VTI GRE/IPsec tunnel, I had to allow isakmp and esp to/from the ...

sylvain.munaut · 02-13-2012

Hi,I've noticed something when having some traffic inspected.Imagine you have a zone A and a zone B and a policy allowing all connection from A to B:class-map type inspect match-any cm_all match protocol icmp match protocol tcp match protocol udppoli...

sylvain.munaut · 08-19-2014

It works now. AFAIR I just updated IOS ....

sylvain.munaut · 04-29-2014

By "Not talk directly to the internet" ? You mean no outgoing connections to the internet either ? Because yeah sure, if they don't need to access the internet at all, it doesn't matter much. But if they have outgoing connections, you'll need one of ...

sylvain.munaut · 04-29-2014

Well, there is no down sides to having global IPs.I assume you want your machines to have internet ipv6 connectivity. So if you want to not have public IPs locally you have two choices : - You use NAT-PT to translate an entire prefix to and ULA prefi...

sylvain.munaut · 04-01-2014

I'd just put all the clients on the 2801. Then use the ASA as another WAN links (or just don't use it at all), then use PBR to split your two user groups and use SLA monitoring to switch over when detecting one or the other link is down.

sylvain.munaut · 04-01-2014

The :deny ip any 10.0.0.0 0.255.255.255isn't even strictly necessary, but yeah, that made it work.

Member Since	‎03-25-2008 03:15 AM
Date Last Visited	‎04-04-2018 12:36 AM
Posts	106
Total Helpful Votes Received	29

User Statistics

User Activity

Policy Based Routing breaks DHCP ???

Catalyst 3750-X IPv6 feature support (or lack thereof)

Cisco 1921: On board hw module not used ?

ZBF self zone and IPSec/L2TP dialin

ZBF: Required to 'pass' icmp errors in the reverse direction ?

It works now. AFAIR I just

By "Not talk directly to the

Well, there is no down sides

I'd just put all the clients

The :deny ip any 10.0.0.0 0