Hi all,We have a global NAC setup, using ISE3.1 and Cisco 9200/9300 switches, with physical ports configured with a priority of dot1x/mab, but with an order of mab/dot1x. This is due to a set of security audit requirements for granular mab ACLs kicki...
Hi all,First off, yes this is about BGP on an ASA so it kinda fits between the routing community and firewall community but, as the key issue is BGP, I thought routing was a better choice I have a very simple scenario - I have an ASA [9.16(3)] runnin...
Hi there,We've got a pair of CSRv's (v17.3.4a) running in AWS on c4.2xlarge instances but the CPU's are running a tad hot (75% sustained during the work day due to high IPSEC loads but well within their licenses, but the underlying AWS instances have...
Hi all,I've got an ISR4331 running 12.16.4 set up to be our office edge device running NAT overload to the ISP (using VRF-aware NAT) and ZBF inside-out with a match-any that includes UDP and ICMP (and other stuff above of course). It works perfectly ...
Hi all,We have a new ISR4331 (16.12.4) that was mistakenly enrolled with the CiscoOne FoundationSuiteK9 and AdvUCSuiteK9 suites (license boot suite <suite>) by our partner. Subsequently it has been moved to SLR as it's in an uber-secure part of our n...
Thanks Arne! That's exactly what I was after - can believe that this isn't advertised more in the ISE/NAC documentation. I'm going to head over to the lab and test.Thanks again! JB.
Just to complete the story, the answer is yes. You can change the instance type without borking the CSR.However, going from the AWS c4 to c5 instance families does mean the new instance will use enhanced networking interfaces, so you have to enable t...
Hi!Did you get an answer to this? It seems to affect my 9x00 stacks running 17+ code but the pre-17 stacks are still using their hostname. This PID/UDI is a real pain to cross-reference to an actual device.Regards, JB.
I have this exact setup for 100+ offices using local internet breakout and DMVPN services.You have to use some route-maps and force traffic in the routes - crazy as it sounds...So, you have your "ip route vrf ISPA 0.0.0.0 0.0.0.0 N1.N2.N3.N4" so the ...
