Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About sylvain.munaut
04-04-2018
Stats
Member since
03-25-2008
106
Posts
29
Helpful
4
Solutions
Created by
sylvain.munaut
in Switching
in Switching
11-18-2014
02:39 AM
11-18-2014
02:39 AM
Hi,
It seems that even the latest fw for the C3750-X doesn't support PBR for IPv6.
The SDM template seems to have some entries reserved for it :
sw-stack#show sdm prefer
...
number of IPv6 policy based routing aces: 0.25K
...
But there still isn't any ipv6 policy command available on the L3 interfaces.
Any idea if this is in the works and when we can expect it ?
What I need to do is pretty simple, I just want everything coming from one given SVI interface to always go to a given gateway. I used to do that with VRFs, but unfortunately I now need some other part of the traffic to cross that boundary so I intended to replace it with just PBR but I can only do that for v4 and not v6.
Any other way to achieve this that I would have missed ?
Cheers,
Sylvian
... View more
Labels:
04-29-2014
07:01 AM
By "Not talk directly to the internet" ? You mean no outgoing connections to the internet either ? Because yeah sure, if they don't need to access the internet at all, it doesn't matter much. But if they have outgoing connections, you'll need one of the two solutions above. - NAT-PT being stateless, if you screw up your firewall, you'll have the same issue as with global IPs. - IPv6 NAT overloading : Does that even exist at all ? I've never looked ... But as a side note, you shouldn't let silly person manage your firewall :p Because without a good rule, if your ISP is nasty (or compromised), it could very well send you packet with a RFC1918 destination IP and the stateful firewall is the only thing protecting you there.
... View more
04-29-2014
06:46 AM
Well, there is no down sides to having global IPs. I assume you want your machines to have internet ipv6 connectivity. So if you want to not have public IPs locally you have two choices : - You use NAT-PT to translate an entire prefix to and ULA prefix. But then whatever global prefix you use, any one on the internet can use the global prefix + the last 64 bits of the local address to address any of the local machines - You use some kind of overloading like on IPv4 to have a single outgoing IPv6. In both cases for best practice, you still need a stateful firewall that will keep track of the sessions and work independently of what's described above. But in either case: - There is no real security benefit. The stateful firewall will ensure the same level in both cases - There is additional load on the router, because the router needs to rewrite the packet header (and update checksum) rather than just forward it. - If any protocol (like SIP / IPSec or whatever) has some hidden IPs inside the packet payload, then you'll need the same kind of workaround and hacks as IPv4 NAT needs ... So I'd say : embrace global IPs and let firewall ensure security and don't rely on some NAT for this.
... View more
04-25-2014
06:43 AM
I know that full officially supported autonomous config for 3700 will only be out in a few month according to TAC. But I mean the point of a site survey is to see what kind of performance you get in a real environment, right ? And that's exactly what I wanted to see, but without being able to use 80 MHz channels, you can't test the full AP capability ...
... View more
04-25-2014
01:24 AM
Did you ever get this fixed ? I seem to have the exact same issue: 802.11n client see the network and associate, but of course only using 40MHz. And 802.11ac client can't see the network at all. And if I reconfigure it to 40 MHz only, then both can see and connect (and the 802.11ac client will use aX.Y data rates, but on a 40MHz channel only). Even though in another topic someone reported connecting 802.11ac client to a 80 MHz channel using the latest 15.2(4)jB4 IOS (which I'm using).
... View more
04-01-2014
12:47 AM
I'd just put all the clients on the 2801. Then use the ASA as another WAN links (or just don't use it at all), then use PBR to split your two user groups and use SLA monitoring to switch over when detecting one or the other link is down.
... View more
04-01-2014
12:31 AM
The : deny ip any 10.0.0.0 0.255.255.255 isn't even strictly necessary, but yeah, that made it work.
... View more
04-01-2014
12:24 AM
Ok, so turns out adding a match address did fix the issue. The important part was to make sure that the route-map wouldn't match the src=0.0.0.0 dst=255.255.255.255 that's used in the discovery message. So just using the same acl as I use for the NAT worked fine (which only limits the source address to the local range).
... View more
03-31-2014
11:42 AM
I'm assuming that a 0.0.0.0/0.0.0.0 default route doesn't count as a "route entry for the destination" then ? Because from what I observe, it doesn't seem to count. With that PBR config, it seems that if I have a specific route to a destination it will take it, and if not, it will take what the PBR says (essentially "replacing" the default route with the PBR one, which is exactly what I want, so that they get access to all internal ranges/destination but for the wide internet, it takes the PBR). * Yes, I am using self zones woth zbfw * And yes, if I remove the PBR from Vlan20, then the client on that Vlan get an IP (and they get internet as well through the "old" WAN link).
... View more
03-31-2014
11:11 AM
My understanding was that by using : set ip default next-hop 1.1.1.1 instead of : set ip next-hop 1.1.1.1 then only the default route (i.e. anything that doesn't match something more specific than 0.0.0.0) would be affected by the route-map. Also something I forgot to say is that the server is also the DNS server/cache for the VLAN and this also works fine ... so the router processes seems to have no problem communicating with the client of the vlan. Not sure why DHCP is different. Maybe something to do with broadcast addresses ? VRFs here are not an option because only the WAN has to be different, but there are a bunch of routes to VPNs or other VLANs that are common.
... View more
03-31-2014
09:30 AM
Hi. I have a setup working on a Cisco 1812 running 15.1(4)M7. I'm starting from a working setup (but a rather large config, so not practical to post and sanitize here) and I'm trying to add new WAN link and use this new links for the users of one of the Vlan. Since I'm already using the FastEthernet0 and FastEthernet1 for other things, I put this new WAN link as Vlan100. Here's what I added to the config : interface Vlan100 ip address 1.1.1.2 255.255.255.252 ip nat outside ip virtual-reassembly in zone-member security zone_wan ip access-list extended acl_src_newwan permit ip host 1.1.1.2 any route-map pbr-local permit 30 match ip address acl_src_newwan set ip default next-hop 1.1.1.1 route-map nat_newwan permit 10 match ip address acl_nat match interface Vlan100 ip nat inside source route-map nat_newwan interface Vlan100 overload route-map pbr-newwan set ip default next-hop 1.1.1.1 interface Vlan20 ip policy route-map pbr-newwan A few comments : The zone_wan security zone is the same zone as the previous/other wan links. The pbr-local routemap is used for ip local policy route-map pbr-local and has entries 10/20 already for two other WAN links. This makes sure that local packet are sent down the right link and this works fine. The NAT setup is also a cut and paste from the NAT of the other two WAN links Now when I do this, clients on Vlan20 actually have internet access through the new WAN link and this works exactly as designed. BUT DHCP on Vlan20 stops working ... new clients can't get IPs anymore. If you fix the IP or if they got an IP previously it works fine but can't get a new one or renew or lease or anything ... Here's the config for Vlan20 and the DHCP pool for it : ip dhcp pool dhcp-pool-guest network 10.0.20.0 255.255.255.0 default-router 10.0.20.1 dns-server 10.0.20.1 lease 3 interface Vlan20 ip address 10.0.20.1 255.255.255.0 no ip redirects ip dns view-group dns-query-other ip nat inside ip virtual-reassembly in zone-member security zone_guest Any one has any idea of what could be going on here ??? Cheers, Sylvain
... View more
Labels:
03-26-2014
12:24 AM
I could only see those two order codes in my provider web interface : AIR-CAP3702I-E-K9-MESH-RAIL-R?BDL AIR-CAP3702E-E-K9-BRACKET-RAIL?BDL And given their difference, I thought that the part after the -K9 was just the hardware mounting options. I might have to email them to confirm. Another question though : In another topic, you mentionned the 3700 in autonomous mode was not full featured and was just for "site survey" ( https://supportforums.cisco.com/discussion/12053331/cisco-aironet-3702i-channel-size-issue ). I know this comment was for version 15.2(4)jB3a and now there is a 15.2(4)jB4 version. Although the latest release notes are not as explicit, they still say "3700 (site-survey only)" in the supported hw list. But OTOH it wouldn't be the first time there is a cut&paste error in cisco's documentation from earlier doc ... So is this latest released full featured ? Will I be able to use it as a normal access point to serve client ?
... View more
03-25-2014
06:06 PM
Can you report your experience with autonomous mode on the 3700 series ? Does it work well ? Are all features available ?
... View more
03-25-2014
05:09 PM
Ok, so if I get the "AIR-CAP 3702 I-E-K9-MESH-RAIL-R?BDL" from my provider (the only order code for the 3700 series I could find at my dealer), and get a SMART{Net,Care} for it, I should be able to download ap3g2-k9w7-tar.152-4.JB4.tar and install it on it and then use the access point on its own, without controller and with full functionality ? Did I understand that right ?
... View more
11-18-2014
Hi, It seems that even the latest fw for the C3750-X doesn't support PBR
for IPv6. The SDM template ...
04-29-2014
By "Not talk directly to the internet" ? You mean no outgoing
connections to the internet either ? B...
04-29-2014
Well, there is no down sides to having global IPs.I assume you want your
machines to have internet i...
04-25-2014
I know that full officially supported autonomous config for 3700 will
only be out in a few month acc...
04-25-2014
Did you ever get this fixed ?I seem to have the exact same issue:
802.11n client see the network and...
04-01-2014
I'd just put all the clients on the 2801. Then use the ASA as another
WAN links (or just don't use i...
04-01-2014
The :deny ip any 10.0.0.0 0.255.255.255isn't even strictly necessary,
but yeah, that made it work.
04-01-2014
Ok, so turns out adding a match address did fix the issue.The important
part was to make sure that t...
03-31-2014
I'm assuming that a 0.0.0.0/0.0.0.0 default route doesn't count as a
"route entry for the destinatio...
03-31-2014
My understanding was that by using :set ip default next-hop
1.1.1.1instead of :set ip next-hop 1.1.1...
03-31-2014
Hi.I have a setup working on a Cisco 1812 running 15.1(4)M7.I'm starting
from a working setup (but a...
03-26-2014
I could only see those two order codes in my provider web interface
:AIR-CAP3702I-E-K9-MESH-RAIL-R?B...
03-25-2014
Can you report your experience with autonomous mode on the 3700 series ?
Does it work well ? Are all...
Public Statistics
| Date Registered | 03-25-2008 03:15 AM |
| Date Last Visited | 04-04-2018 12:36 AM |
| Total Messages Posted | 106 |
| Total Helpful Votes Received | 29 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 3 | |
| 9 | |
| 5 | |
| 9 | |
| 5 |
.jpg "Hall of Fame Community Legend"){kind=icon}
Helpful Votes From
