Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About gp1200x
Stats
Member since
06-09-2007
216
Posts
20
Helpful
3
Solutions
Created by
gp1200x
in Optical Networking
in Optical Networking
03-23-2020
12:59 PM
03-23-2020
12:59 PM
Our new cores to replace the dual 6509s will only have fiber module cards installed. I was only going to use 40/100 Gb cards but may add the 1/10/25 card only because of a couple of copper 1Gb connections that I want in the core directly and not in a switch stack attached to the core. I know I can bump a 40 Gb down to a 10Gb with a CVR but I doubt it will bump down to a 1Gb speed with any available converters. If I install a 1/10/25 optic card I am assuming I can put a few of the 1Gb twist pair optics like the GLC-T into the slots. My question is this...does the GLC-T only run at FD or does it autonegotiate? I no longer remember since I haven't use them in a long time. Any other options?
... View more
Labels:
03-10-2020
09:12 PM
Why is it that I can buy a 9500 with 24 100 Gb ports and SVL them and yet the 24 port cards in the 9606 using a SUP1 can only support 12 100Gb ports (2.4Tb) at this time?? COME ON! It has been a year and still these bandwidth restrictions. I am only going to wait another month for a SUP2 and then select a different vendor. Why build a 25Tb box if you can't utilize it when you market it? We will not repurchase another set of cards for it in 2-3 years!
... View more
- Tags:
- 9606
Labels:
03-02-2020
09:39 PM
What parts are interchangeable between the 3850 and 9300 series switches?? Fans? Power supplies? 750 and 1100 WAC power stack cables? data cables? I know the network modules from the 3850 will work in a 9300 but what about the stuff above? Thanks
... View more
- Tags:
- 9300
Labels:
02-20-2020
07:53 PM
I am upgrading our network solely and decided on the 9500 and 9600 to replace our 6509s since they are aging and have limited life left. For the cores I will use two 9606 with SVL and only install 40/100 interfaces probably. At some of the smaller sites remote sites (they all have multiple SM fiber paths connecting to the core and adjacent sites) I plan on using possibly the 9500-32C Here are my questions... The 9500-32C supports 32 40 or 32 100 Gb interfaces. Can I assume I can intermix the 40 and 100 Gb optics in any port combinations without any kind of limitation? I plan on using QSA adapters to support older switch stacks are not yet upgraded. Can any port support these without limitations? Meaning could I have one port using a QSA and all other 31 ports running at 100Gb ?? except for the SVL wich I think have a 40Gb limit still. For the 9606 line card 40/100 is the same allowed or do I have combination limitations. The data sheets don't cover this info. Thanks.
... View more
- Tags:
- 9500
Labels:
01-21-2020
08:55 AM
I found a problem with our ASAs when trying to create two crypto maps from a remote ASA to two ASAs at our core site. Basically the outside Internet address of the remote ASA is being injected into the routing table from both core ASAs even though neither should even be doing this! I am trying to figure out how to prevent these remote addresses (dynamic IPs on the remote site ASAs) from being imported into the core routing table by the core ASAs. Since the remote ASAs are creating branch to branch tunnels to the main core site, I still need the core ASAs to be able to inject those routes for the remote site lans into the core routing tables. The remote sites can have small subnets of these three networks so any route must get injected (imported) into the routing table at the core. 10.42.0.0 /16 192.168.0.0 /16 172.22.0.0 /16 I want to block any other route from being injected into the core routing table by the core ASAs. I do not even know if what I am trying to do will work...so far no success....below is what I tried on my last test. I have a simulated setup to test any route-policy. MAIN CORE SITE TEST ASA interface Ethernet0/0 nameif outside security-level 0 ip address 173.22.122.82 255.255.255.0 ospf cost 800 ospf authentication-key OCIS ospf database-filter all out ospf authentication ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.42.199.155 255.255.255.240 ospf cost 100 ospf authentication-key OCIS ospf authentication access-list OSPF-DENY standard permit any access-list OSPF-PERMIT standard permit 10.0.0.0 255.0.0.0 access-list OSPF-PERMIT standard permit 172.22.0.0 255.255.0.0 access-list OSPF-PERMIT standard permit 192.168.0.0 255.255.0.0 route-map OSPF permit 10 match ip address OSPF-PERMIT match ip next-hop OSPF-PERMIT ! route-map OSPF deny 20 match ip address OSPF-DENY match ip next-hop OSPF-DENY ! router ospf 100 router-id 10.42.199.155 network 10.0.0.0 255.0.0.0 area 0 log-adj-changes redistribute static metric 111 route-map OSPF ANY IDEAS would be helpful...thanks!
... View more
- Tags:
- ASA route policy map
Labels:
01-16-2020
09:03 PM
I also just tested code version 9.2.3 on the remote site ASA with the same type of setup and it had the same issue at the core site with the importing of the remote site external IP address. Core sites were still running 8.2.59 I may try to update to 9.2.3 but they are production so it is difficult.
... View more
01-16-2020
10:36 AM
Yes you are correct. It is the outside IP address of the remote ASA that is getting imported into the core site ASA and the remote sites have no OSPF routing taking place. I have probably a hundred tunnels to our core and this only showed up for the first time when I tried to install the two separate crypto maps on the remote ASA. If you delete the crypto map for OCIS-Voice (or OCIS-Data) and reboot the remote ASA, that remote IP external address never gets imported into the core routing table (which is what I want). I have seen the remote site IP address get imported from both the core ASAs at the core. I looked the config over many times and haven't seen any reason for it.....maybe I am shooting a code bug for that level??? THANKS
... View more
01-16-2020
07:21 AM
Yes I mean the public IP address of the remote ASA is being imported into the routing table of the core ASA and then pushed to the core switch for distribution. Remote ASAs do not run any routing protocol. They use DHCP and obtain their IP and default route from the ISP. Core ASA config ! hostname ASA-DC1 domain-name dcny.gov enable password 8CM8MUrMx35VJZSB encrypted passwd 8CM8MUrMx35VJZSB encrypted names ! interface Ethernet0/0 nameif outside security-level 0 ip address 17.100.171.125 255.255.255.0 ospf cost 800 ospf authentication-key OCIS ospf database-filter all out ospf authentication ! interface Ethernet0/1 nameif inside security-level 100 ip address 10.42.199.150 255.255.255.240 ospf cost 100 ospf authentication-key OCIS ospf authentication ! interface Ethernet0/2 shutdown no nameif no security-level no ip address ! interface Ethernet0/3 shutdown no nameif no security-level no ip address ! interface Management0/0 shutdown no nameif no security-level no ip address ! banner exec banner exec banner exec WARNING: Configuration changes are dynamic! banner exec banner exec WARNING: Violators are subject to dismissal and prosecution. banner exec banner login banner login **************************************************************** banner login * WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! * banner login ************************************************************ banner login * Access to and use of this device and/or other devices is * banner login * restricted to authorized users only. Unauthorized * banner login * individuals attempting to access this device may be * banner login * subject to prosecution. * banner login ************************************************************ banner login boot system disk0:/asa825-59-k8.bin ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns domain-lookup outside dns domain-lookup inside dns server-group DefaultDNS retries 10 name-server 10.42.196.36 name-server 4.2.2.1 domain-name dcny.gov same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list External_in remark "External packets allowed in" access-list External_in extended permit icmp any any echo-reply access-list External_in extended permit icmp any any unreachable access-list External_in extended permit icmp any any time-exceeded access-list External_in extended permit icmp any any source-quench access-list Internal_out remark "Allow outbound traffic" access-list Internal_out extended permit ip any 10.0.0.0 255.0.0.0 access-list Internal_out extended permit ip any 172.22.0.0 255.255.0.0 access-list Internal_out extended permit udp any any eq biff access-list Internal_out extended permit tcp any any eq pop3 access-list Internal_out extended permit tcp any any eq smtp access-list Internal_out extended permit tcp any any eq https access-list Internal_out extended permit tcp any any eq www access-list Internal_out extended permit tcp any any eq domain access-list Internal_out extended permit udp any any eq domain access-list Internal_out extended permit tcp any any eq ftp access-list Internal_out extended permit tcp any any eq ftp-data access-list Internal_out extended permit tcp any any eq telnet access-list Internal_out extended permit icmp any any access-list Internal_out extended permit tcp any any gt 1024 access-list Internal_out extended permit udp any any gt 1024 access-list Internal_out extended permit tcp any any eq 465 access-list Internal_out extended permit tcp any any eq 993 access-list Internal_out extended permit tcp any any eq 995 access-list Internal_out extended permit tcp any any eq imap4 access-list Internal_out extended permit tcp any any eq ssh access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0 access-list NONAT extended permit ip any 172.22.0.0 255.255.0.0 access-list NONAT extended permit ip any 192.168.0.0 255.255.0.0 access-list SPLIT-TUNNEL remark "From secure network to VPN user" access-list SPLIT-TUNNEL extended permit ip 10.0.0.0 255.0.0.0 any access-list SPLIT-TUNNEL extended permit ip 172.22.0.0 255.255.0.0 any access-list 999 extended permit ip any 172.22.0.0 255.255.0.0 access-list 999 extended permit ip 172.22.0.0 255.255.0.0 any pager lines 24 logging enable logging timestamp logging buffer-size 1048576 logging asdm-buffer-size 512 logging console emergencies logging monitor emergencies logging buffered debugging logging trap emergencies logging history informational logging asdm emergencies logging facility 21 logging device-id hostname no logging message 106023 no logging message 401004 mtu outside 1500 mtu inside 1500 ip local pool vpn-pool 10.42.199.151 ip verify reverse-path interface outside ip verify reverse-path interface inside ip audit name idsattack attack action alarm drop reset ip audit name idsinfo info action alarm ip audit interface outside idsinfo ip audit interface outside idsattack ip audit interface inside idsinfo ip audit interface inside idsattack ip audit info action alarm drop reset ip audit attack action alarm drop reset no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any unreachable outside icmp permit any echo-reply outside icmp permit any time-exceeded outside icmp permit any echo-reply inside icmp permit any unreachable inside icmp permit any echo inside icmp permit any time-exceeded inside asdm image disk0:/asdm-761.bin asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (inside) 0 access-list NONAT nat (inside) 1 0.0.0.0 0.0.0.0 access-group External_in in interface outside access-group Internal_out in interface inside ! router ospf 100 router-id 10.42.199.150 network 10.0.0.0 255.0.0.0 area 0 log-adj-changes redistribute static metric 111 subnets ! route outside 0.0.0.0 0.0.0.0 173.50.171.1 1 route inside 0.0.0.0 0.0.0.0 10.42.199.145 tunneled timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication telnet console LOCAL aaa authentication serial console LOCAL aaa authentication enable console LOCAL aaa authorization command LOCAL http server enable http 10.0.0.0 255.0.0.0 inside snmp-server host inside 10.42.196.238 community sico snmp-server host inside 10.42.202.140 community sico snmp-server location ASA-DC1 snmp-server contact Grant Hait snmp-server community sico snmp-server enable traps snmp authentication linkup linkdown coldstart snmp-server enable traps syslog snmp-server enable traps ipsec start stop snmp-server enable traps entity config-change fru-insert fru-remove snmp-server enable traps remote-access session-threshold-exceeded sysopt connection preserve-vpn-flows auth-prompt prompt Please provide proper credentials for Authentication. auth-prompt accept Thank you. Your credentials have been verified for access. auth-prompt reject Rejected! Your credentials are invalid. service resetinbound service resetoutside crypto ipsec transform-set MAX esp-aes-256 esp-sha-hmac crypto ipsec transform-set MED esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 86300 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map DYN-DCNY 40 set pfs group5 crypto dynamic-map DYN-DCNY 40 set transform-set MAX crypto dynamic-map DYN-DCNY 40 set security-association lifetime seconds 86300 crypto dynamic-map DYN-DCNY 40 set security-association lifetime kilobytes 4608000 crypto dynamic-map DYN-DCNY 40 set reverse-route crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY crypto map DCNY interface outside crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 crypto isakmp policy 20 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp ipsec-over-tcp port 10000 crypto isakmp disconnect-notify telnet 0.0.0.0 0.0.0.0 inside telnet timeout 10 ssh scopy enable ssh 100.40.222.0 255.255.255.240 outside ssh 204.130.200.0 255.255.255.0 outside ssh 100.40.157.24 255.255.255.248 outside ssh 173.50.171.0 255.255.255.192 outside ssh 64.72.67.128 255.255.255.224 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 10 console timeout 30 management-access inside priority-queue outside threat-detection basic-threat threat-detection statistics access-list no threat-detection statistics tcp-intercept ntp authenticate ntp server 10.42.199.145 source inside prefer tftp-server inside 10.42.205.106 / webvpn group-policy ocisadmingroup internal group-policy ocisadmingroup attributes dns-server none vpn-idle-timeout 60 vpn-session-timeout 480 vpn-tunnel-protocol IPSec pfs enable ipsec-udp enable split-tunnel-policy tunnelspecified split-tunnel-network-list value SPLIT-TUNNEL username dutchess password izZSjKs6QEroqcJJ encrypted privilege 15 username verizon password mmJzopA9lPGcK6W6 encrypted privilege 15 username 412eb8a0 password 0SRHIJRFeU2QiC00 encrypted privilege 15 username pwalker password 0Ja1AJcVnhJ8TNwh encrypted privilege 15 username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 10 tunnel-group DefaultL2LGroup ipsec-attributes pre-shared-key DCNY#131485506#OCIS isakmp keepalive threshold 20 retry 3 tunnel-group DefaultRAGroup general-attributes authentication-server-group (outside) LOCAL tunnel-group DefaultWEBVPNGroup general-attributes authentication-server-group (outside) LOCAL tunnel-group DefaultWEBVPNGroup ipsec-attributes isakmp keepalive threshold 20 retry 3 tunnel-group ocisadmingroup type remote-access tunnel-group ocisadmingroup general-attributes address-pool vpn-pool authentication-server-group (outside) LOCAL default-group-policy ocisadmingroup tunnel-group ocisadmingroup ipsec-attributes pre-shared-key DCNY#131485506#OCIS isakmp keepalive threshold 20 retry 3 ! class-map Voice class-map VOIP-TRAFFIC match access-list 999 class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum 512 id-randomization id-mismatch action log policy-map QOS-TRAFFIC-OUT class VOIP-TRAFFIC class class-default shape average 35000000 policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect http inspect ctiqbe inspect icmp inspect icmp error inspect ils inspect ipsec-pass-thru inspect mgcp inspect pptp inspect snmp inspect ip-options policy-map tets class Voice policy-map PRIORITY-POLICY class VOIP-TRAFFIC priority ! service-policy global_policy global privilege cmd level 1 mode exec command disable privilege cmd level 10 mode exec command ping privilege show level 10 mode exec command running-config privilege show level 10 mode exec command capture privilege show level 2 mode exec command interface privilege show level 2 mode exec command ip privilege show level 10 mode exec command isakmp privilege show level 10 mode exec command ipsec privilege show level 2 mode exec command blocks privilege show level 2 mode configure command interface privilege show level 10 mode configure command logging privilege show level 2 mode configure command ip privilege show level 10 mode configure command isakmp privilege show level 10 mode configure command ipsec prompt hostname context no call-home reporting anonymous Remote site ASA config hostname HEALTH-MSt domain-name dcny.gov enable password 8CM8MUrMx35VJZSB encrypted passwd 8CM8MUrMx35VJZSB encrypted names ! interface Ethernet0/0 description outside switchport access vlan 500 ! interface Ethernet0/1 description Data switchport access vlan 10 ! interface Ethernet0/2 description Data switchport access vlan 10 ! interface Ethernet0/3 description Data switchport access vlan 10 ! interface Ethernet0/4 description Wireless switchport access vlan 10 ! interface Ethernet0/5 description Voice switchport access vlan 10 ! interface Ethernet0/6 description Voice switchport access vlan 172 ! interface Ethernet0/7 description Voice switchport access vlan 172 ! interface Vlan10 nameif Data security-level 100 ip address 10.42.198.145 255.255.255.248 ! interface Vlan172 nameif Voice security-level 100 ip address 172.22.198.145 255.255.255.248 ! interface Vlan500 nameif outside security-level 0 dhcp client update dns ip address 100.40.222.10 255.255.255.0 ! banner exec banner exec WARNING: Configuration changes are dynamic! banner exec banner login banner login ************************************************************ banner login * WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! * banner login ************************************************************ banner login * Access to and use of this device and/or other devices is * banner login * restricted to authorized users only. Unauthorized * banner login * individuals attempting to access this device may be * banner login * subject to prosecution. * banner login ************************************************************ banner login boot system disk0:/asa825-59-k8.bin ftp mode passive clock timezone EST -5 clock summer-time EDT recurring dns server-group DefaultDNS retries 10 domain-name dcny.gov same-security-traffic permit inter-interface same-security-traffic permit intra-interface access-list External_in remark "External packets allowed in" access-list External_in extended permit icmp any any echo-reply access-list External_in extended permit icmp any any unreachable access-list External_in extended permit icmp any any time-exceeded access-list External_in extended permit icmp any any source-quench access-list OCIS remark "Packet for VPN tunnel" access-list OCIS extended deny ip any host 10.42.198.150 access-list OCIS extended deny ip host 10.42.198.150 any access-list OCIS extended permit ip 172.22.198.144 255.255.255.248 any access-list OCIS extended permit ip 10.42.198.144 255.255.255.248 any access-list OCIS-Voice extended permit ip 172.22.198.144 255.255.255.248 any access-list OCIS-Data remark "Packet for VPN tunnel" access-list OCIS-Data extended deny ip any host 10.42.198.150 access-list OCIS-Data extended deny ip host 10.42.198.150 any access-list OCIS-Data extended permit ip 10.42.198.144 255.255.255.248 any access-list NONAT remark "Packets not natted" access-list NONAT extended permit ip any 10.0.0.0 255.0.0.0 access-list NONAT extended permit ip any 172.22.0.0 255.255.0.0 access-list NONAT extended permit ip any 192.168.0.0 255.255.0.0 access-list NONAT remark "Packets not natted" access-list tcp-traffic extended permit tcp any any access-list tg-nonVoice-out extended permit ip 10.42.198.144 255.255.255.248 any access-list tg-nonVoice-out extended permit ip 172.22.198.144 255.255.255.248 an y access-list tg-nonVoice-in extended permit ip any 10.42.198.144 255.255.255.248 access-list tg-nonVoice-in extended permit ip any 172.22.198.144 255.255.255.248 access-list IP-ANY extended permit ip any any access-list Voice-In extended permit ip any 172.22.198.144 255.255.255.248 pager lines 24 logging timestamp logging asdm-buffer-size 512 logging console debugging logging monitor emergencies logging buffered emergencies logging trap emergencies logging history emergencies logging asdm emergencies logging facility 21 logging device-id hostname no logging message 106023 no logging message 401004 mtu Data 1500 mtu Voice 1500 mtu outside 1500 ip local pool vpn-pool 10.42.198.150 ip verify reverse-path interface outside ip audit name idsattack attack action alarm drop reset ip audit name idsinfo info action alarm ip audit interface Data idsinfo ip audit interface Data idsattack ip audit interface Voice idsinfo ip audit interface Voice idsattack ip audit interface outside idsinfo ip audit interface outside idsattack ip audit info action alarm drop reset ip audit attack action alarm drop reset no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any echo-reply Data icmp permit any unreachable Data icmp permit any echo Data icmp permit any time-exceeded Data icmp permit any echo-reply Voice icmp permit any unreachable Voice icmp permit any echo Voice icmp permit any time-exceeded Voice icmp permit any unreachable outside icmp permit any echo-reply outside asdm image disk0:/asdm-771-150.bin asdm history enable arp timeout 14400 nat-control global (outside) 1 interface nat (Data) 0 access-list NONAT nat (Data) 1 10.42.198.144 255.255.255.248 nat (Voice) 0 access-list NONAT nat (Voice) 1 172.22.198.144 255.255.255.248 access-group External_in in interface outside route outside 0.0.0.0 0.0.0.0 100.40.222.1 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 timeout floating-conn 0:00:00 dynamic-access-policy-record DfltAccessPolicy aaa-server TACACS+ protocol tacacs+ aaa-server RADIUS protocol radius aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authentication telnet console LOCAL aaa authentication serial console LOCAL aaa authentication enable console LOCAL aaa authorization command LOCAL http server enable http 0.0.0.0 0.0.0.0 Data http 10.0.0.0 255.0.0.0 Data snmp-server location DACC snmp-server contact Grant Hait snmp-server community ***** snmp-server enable traps snmp authentication linkup linkdown coldstart snmp-server enable traps syslog sysopt connection preserve-vpn-flows auth-prompt prompt Please provide proper credentials for Authentication. auth-prompt accept Thank you. Your credentials have been verified for access. auth-prompt reject Rejected! Your credentials are invalid. service resetinbound service resetoutside crypto ipsec transform-set MAX esp-aes-256 esp-sha-hmac crypto ipsec transform-set MED esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 86300 crypto ipsec security-association lifetime kilobytes 4608000 crypto ipsec security-association replay window-size 1024 crypto dynamic-map DYN-DCNY 40 set pfs group5 crypto dynamic-map DYN-DCNY 40 set transform-set MAX crypto dynamic-map DYN-DCNY 40 set security-association lifetime seconds 86300 crypto dynamic-map DYN-DCNY 40 set security-association lifetime kilobytes 46080 00 crypto map DCNY 5 match address OCIS-Data crypto map DCNY 5 set pfs group5 crypto map DCNY 5 set connection-type originate-only crypto map DCNY 5 set peer 17.100.171.125 crypto map DCNY 5 set transform-set MAX crypto map DCNY 5 set security-association lifetime seconds 86300 crypto map DCNY 5 set security-association lifetime kilobytes 4608000 crypto map DCNY 9 match address OCIS-Voice crypto map DCNY 9 set pfs group5 crypto map DCNY 9 set connection-type originate-only crypto map DCNY 9 set peer 100.50.157.55 crypto map DCNY 9 set transform-set MAX crypto map DCNY 9 set security-association lifetime seconds 86300 crypto map DCNY 9 set security-association lifetime kilobytes 4608000 crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY crypto map DCNY interface outside crypto isakmp identity address crypto isakmp enable outside crypto isakmp policy 10 authentication pre-share encryption aes-256 hash sha group 5 lifetime 86400 crypto isakmp policy 20 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 crypto isakmp policy 30 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 crypto isakmp policy 65535 authentication pre-share encryption 3des hash sha group 2 lifetime 86400 no crypto isakmp nat-traversal crypto isakmp ipsec-over-tcp port 10000 crypto isakmp disconnect-notify telnet 0.0.0.0 0.0.0.0 Data telnet 0.0.0.0 0.0.0.0 Voice telnet timeout 10 ssh scopy enable ssh 0.0.0.0 0.0.0.0 Data ssh 0.0.0.0 0.0.0.0 Voice ssh 100.40.222.0 255.255.255.240 outside ssh 204.130.200.0 255.255.255.0 outside ssh 100.40.157.24 255.255.255.248 outside ssh 173.50.171.0 255.255.255.192 outside ssh 64.72.67.128 255.255.255.224 outside ssh timeout 10 console timeout 30 management-access Data dhcpd dns 8.8.8.8 8.8.4.4 dhcpd lease 28800 dhcpd ping_timeout 2000 dhcpd domain dcny.info ! dhcpd address 10.42.198.147-10.42.198.149 Data dhcpd dns 10.42.196.36 10.42.192.92 interface Data dhcpd wins 10.42.196.36 10.42.192.92 interface Data dhcpd lease 86400 interface Data dhcpd ping_timeout 2000 interface Data dhcpd domain dcny.gov interface Data dhcpd enable Data ! dhcpd address 172.22.198.147-172.22.198.150 Voice dhcpd dns 10.42.196.36 10.42.192.92 interface Voice dhcpd wins 10.42.196.36 10.42.192.92 interface Voice dhcpd lease 86400 interface Voice dhcpd ping_timeout 2000 interface Voice dhcpd domain dcny.gov interface Voice dhcpd option 150 ip 172.22.97.3 172.22.196.3 interface Voice dhcpd enable Voice ! priority-queue outside queue-limit 938 tx-ring-limit 10 threat-detection basic-threat threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 averag e-rate 200 ntp authenticate ntp server 10.42.196.1 source Data prefer tftp-server Data 10.42.205.106 / webvpn username dutchess password izZSjKs6QEroqcJJ encrypted privilege 15 username 412eb8a0 password 0SRHIJRFeU2QiC00 encrypted privilege 15 username pwalker password 0Ja1AJcVnhJ8TNwh encrypted privilege 15 username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 10 tunnel-group DefaultL2LGroup ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group DefaultRAGroup ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group DefaultWEBVPNGroup ipsec-attributes isakmp keepalive threshold 20 retry 3 tunnel-group ocisadmingroup type remote-access tunnel-group ocisadmingroup general-attributes address-pool vpn-pool tunnel-group ocisadmingroup ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 96.233.200.42 type ipsec-l2l tunnel-group 96.233.200.42 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 96.233.200.34 type ipsec-l2l tunnel-group 96.233.200.34 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 64.72.67.142 type ipsec-l2l tunnel-group 64.72.67.142 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 96.233.200.44 type ipsec-l2l tunnel-group 96.233.200.44 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 100.40.157.26 type ipsec-l2l tunnel-group 100.40.157.26 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 100.40.157.27 type ipsec-l2l tunnel-group 100.40.157.27 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 173.50.171.125 type ipsec-l2l tunnel-group 173.50.171.125 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 17.100.171.125 type ipsec-l2l tunnel-group 17.100.171.125 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 tunnel-group 204.130.200.200 type ipsec-l2l tunnel-group 204.130.200.200 ipsec-attributes pre-shared-key ***** isakmp keepalive threshold 20 retry 3 ! class-map TG-NonVoice-Out match access-list tg-nonVoice-out class-map TG-Voice-Out match dscp ef match tunnel-group 100.40.157.26 class-map Voice-In match access-list Voice-In class-map TG-Voice-In match dscp ef class-map TCP-Traffic match access-list tcp-traffic class-map inspection_default match default-inspection-traffic class-map policing_traffic match access-list IP-ANY class-map TG-NonVoice-In match access-list tg-nonVoice-in class-map Voice-Out match dscp ef match tunnel-group 100.40.157.26 class-map Voice-IN match dscp ef match tunnel-group 100.40.157.26 ! ! policy-map type inspect dns preset_dns_map parameters message-length maximum client auto message-length maximum 512 id-randomization id-mismatch action log policy-map global_policy class inspection_default inspect dns preset_dns_map inspect ftp inspect h323 h225 inspect h323 ras inspect rsh inspect rtsp inspect esmtp inspect sqlnet inspect skinny inspect sunrpc inspect xdmcp inspect sip inspect netbios inspect tftp inspect ip-options policy-map qos class TG-Voice-Out priority class TG-Voice-In police input 2000000 class TG-NonVoice-Out police output 15000000 class TG-NonVoice-In police input 30000000 class TCP-Traffic police output 15000000 police input 35000000 class class-default police output 2000000 police input 5000000 policy-map Policing class Voice-Out priority class Voice-In police input 6000000 1125000 class policing_traffic police input 135000000 25312500 police output 135000000 25312500 ! service-policy global_policy global privilege cmd level 1 mode exec command disable privilege cmd level 10 mode exec command ping privilege show level 10 mode exec command running-config privilege show level 10 mode exec command capture privilege show level 2 mode exec command interface privilege show level 2 mode exec command ip privilege show level 10 mode exec command isakmp privilege show level 10 mode exec command ipsec privilege show level 2 mode exec command blocks privilege show level 2 mode configure command interface privilege show level 10 mode configure command logging privilege show level 2 mode configure command ip privilege show level 10 mode configure command isakmp privilege show level 10 mode configure command ipsec privilege cmd level 1 mode cache command disable prompt hostname context no call-home reporting anonymous call-home profile CiscoTAC-1 no active destination address http https://tools.cisco.com/its/service/oddce/services/DD CEService destination address email callhome@cisco.com destination transport-method http subscribe-to-alert-group diagnostic subscribe-to-alert-group environment subscribe-to-alert-group inventory periodic monthly subscribe-to-alert-group configuration periodic monthly subscribe-to-alert-group telemetry periodic daily
... View more
01-15-2020
10:07 PM
I have multiple ASAs attached to a network core. The core controls all OSPF routing and provides the default route for all subnets. The ASAs at the core location participate in the OSPF routing and add their crypto remote subnets to the routing table along and update their routing tables from the core switch. Each of the ASAs has their own default route to the Internet and that overrides the default route published by the core switch. All remote site ASAs simply have a default route from the ISP and do not participate in the OSPF routing. The remote ASAs have a cypto map for interesting traffic that needs to reach the core subnets. Here is a simplification of what I do....I pass voice and data to remote sites using a single ASA for both voice and data to a single ASA at the core switch...no issues and QOS works fairly well. For larger remote sites with heavy traffic we use two ASAs at a remote site and apply QOS to both still...one ASA goes to a voice ASA at the core site and one ASA goes to a data ASA at the core site...again no issues and works well. For remote sites with a single ASA the ISP provides the external IP using DHCP and the remote site always originates the branch to branch tunnel. Here is where my issue is now. At some sites I want to use a single ASA for both voice and data but instead of having a single crypto to an ASA at the core for both voice and data traffic, I wanted to have two separate crypto maps to send voice to a voice ASA at the core and one crypto map to send data to a data ASA at the core. But when I create the crypto maps something different takes place in my routing. For some reason the remote site's external IP address is being imported into the core routing table at the core switch. Since I am trying to create to separate crypto tunnels via two distinct ASAs at the core, one of the tunnels will fail. This is because at the core one of the ASAs will think it needs to go back internally to reach the outside address of the remote ASA since it imported the route from the core switch, which had imported the route to the remote sites external IP address from the first ASA that had completed a tunnel to the remote site. Now here is the weird issue. The external IP address of a remote site is never in the core routing table when ONLY one crypto map is created on the remote ASA. It is only when I add a second crypto map to another different ASA that this issue pops up. And it is reproducable over and over...not a fluke. As an example I show the two different cryptos below. Below is the remote site ASA crypto map for connecting to a single ASA at the core location - the remote site ASAs' external IP address is never seen in the routing tables at the core location crypto map DCNY 10 match address OCIS crypto map DCNY 10 set pfs group5 crypto map DCNY 10 set connection-type originate-only crypto map DCNY 10 set peer 173.150.173.125 173.150.173.123 crypto map DCNY 10 set transform-set MAX crypto map DCNY 10 set security-association lifetime seconds 86300 crypto map DCNY 10 set security-association lifetime kilobytes 4608000 crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY crypto map DCNY interface outside crypto isakmp identity address crypto isakmp enable outside Below is the same remote site but now trying to create two separate tunnels to two different ASAs at the core location....failure occurs...now the remote site ASAs' external IP address is imported into the cores routing table when the first branch to branch tunnel is made.....so only one tunnel will complete successfully so this scenario fails. The peers are addresses at the core location via different core ASAs. crypto map DCNY 9 match address OCIS-Voice crypto map DCNY 9 set pfs group5 crypto map DCNY 9 set connection-type originate-only crypto map DCNY 9 set peer 105.40.157.26 105.40.157.27 crypto map DCNY 9 set transform-set MAX crypto map DCNY 9 set security-association lifetime seconds 86300 crypto map DCNY 9 set security-association lifetime kilobytes 4608000 crypto map DCNY 10 match address OCIS-DATA crypto map DCNY 10 set pfs group5 crypto map DCNY 10 set connection-type originate-only crypto map DCNY 10 set peer 174.250.171.125 175.50.171.123 204.130.200.200 crypto map DCNY 10 set transform-set MAX crypto map DCNY 10 set security-association lifetime seconds 86300 crypto map DCNY 10 set security-association lifetime kilobytes 4608000 crypto map DCNY 50 ipsec-isakmp dynamic DYN-DCNY crypto map DCNY interface outside Any ideas would be helpful...thanks
... View more
- Tags:
- ASA routing
Labels:
Created by
gp1200x
in Wireless and Mobility
in Wireless and Mobility
12-08-2019
08:42 PM
12-08-2019
08:42 PM
We have probably 15 subnets each with a unique ME setup running on them with groups of APs in each ME. Each acts as a unique ME. ( I know only one ME is allowed per subnet.) I preconfigured a bunch of APs (3802Is) on one subnet so they would have the lastest code and they were set using DHCP for the WAP IP address. Usually if I just boot one in a subnet that already has an active ME they join in that ME instance and I then hardcode an IP on them (don't like using dhcp on running APs). I normally DO NOT even have to hit the reset button for 20 seconds for this to happen. All MEs were at 8.5.140 for the last year. I upgraded sites to 8.5.151. I placed a few preconfigured APs from another subnet into a new subnet that was already running ME with a primary controller and AP3802is. I did NO do a reset on them first. To my surprise they did NOT join the local subnet but instead joined in the ME that was in a different subnet on the other side of the wan! They came up using dhcp (no surprise there) but managed to find the ME instance running in another subnet (the one they were originally configured in) and joined into that ME group. TO MY surprise the Open Internet SSID WORKED which was a trunked vlan BUT NOT the correct vlan id for that site it was sitting in. The vlans IDs were different from the site it joined and the site it was residing in. Totally preplexed me but I was out of time to really look into how it worked and why it joined an ME running in another subnet. I realize it got the info for the ME controller address from its previous config but I never had this happen before. A 22 second reset press on the access points reset them and they joined the ME in the local subnet after they rebooted. So my question is...was this normal because I never had it happen before (new code function??) and can you actually have a setup with ME controller in one subnet supporting APs in other IP subnets? Maybe it would work okay in a local site with multiple vlans .......but APs crossing over a wan link to communicate with the ME primary controlller??? you would most likely have a mismatch with different vlan ids on the trunked interface. Thanks
... View more
Labels:
11-26-2019
08:40 PM
Trying to help a church with wireless in their buildings. Cabling is very limited and I am trying to find them cheap solutions without installing new cables everywhere which is not possible. We use the higher end business Cisco networking equipment (3750, 38xx, 39xx) which is way too much for what they need. But I want them to use AP3802i access points with vlans for multiple SSIDs. I have to cascade switches in some areas so I am looking for a small switch that can support vlans (not many ...3 or 5 most) on a trunked interface for both interconnecting the switches and for the AP3802 connection along with 30 watts of power on at least one port for the access point. I know I can use injectors but POE+ cuts down on cutter and cables. I also need the switch to support Gb speeds on the ports. Any ideas of which switches to use if there even are any ....like an 8 port that fits the bill....older refurbs would be fine too. I have some older 3750Gs but 24 ports is overkill and still needs and injectors for 30 watts. I really on need 4 ports on the switches but I doubt they exist (with Gb, POE+ and vlan support!). Thanks!!
... View more
Labels:
10-07-2019
11:43 AM
I have a lot of different switch models....3750, 3750G, 3750E,3750X,3750V2, 3850 and I am really hesitant to add another model to our running mix but I think the 9300 may have a lot more lifespan than 3850s (which I get refurbed now). I only have about 30-40 3850s but hundreds of the 3750 model mixtures which will need replacing in a couple of years. Here is my question....I can use the same power supplies in the 3850 and 3750X models which comes in handy. The network modules are not swappable however. Can I use the same power supplies, network modules, powerstack and data stacking cables between the 9300 series and the 3850 series?? Thanks
... View more
Labels:
08-30-2019
07:52 AM
Is there any way to connect single or 10G interfaces to this model using some type of breakout cable or step down speed interface? 10G breakout cable...please explain the 10G breakout cable to 40Gb...is it simple using a portchannel on the 10Gb side to combine 4 10Gbs to 40Gb? If so why couldn't I use this cable on a 9500-32c to connect a single 10Gb switch interface to the box....pretending that only one of the 4 10Gb interfaces is up on the portchannel. Please explain how this really works??
... View more
Labels:
Created by
gp1200x
in Wireless and Mobility
in Wireless and Mobility
08-20-2019
09:05 PM
08-20-2019
09:05 PM
It turns out it they were throwing storage errors during the updating after the tftp but if I did a manual reload from the command line they did eventually convert to ME, sometimes it took a couple of tries on some of them. I just ignore the messages it puts out now during the updating process since they seem to fix themselves anyway. Seeing the messages though makes you think the process had failed. These all came preloaded with the IOS code....cheaper price than the preloaded xxxC model pricing.
... View more
03-23-2020
Our new cores to replace the dual 6509s will only have fiber module
cards installed. I was only goin...
03-10-2020
Why is it that I can buy a 9500 with 24 100 Gb ports and SVL them and
yet the 24 port cards in the 9...
02-20-2020
I am upgrading our network solely and decided on the 9500 and 9600 to
replace our 6509s since they a...
01-21-2020
I found a problem with our ASAs when trying to create two crypto maps
from a remote ASA to two ASAs ...
01-16-2020
I also just tested code version 9.2.3 on the remote site ASA with the
same type of setup and it had ...
01-16-2020
Yes you are correct. It is the outside IP address of the remote ASA that
is getting imported into th...
01-16-2020
Yes I mean the public IP address of the remote ASA is being imported
into the routing table of the c...
Created by
gp1200x
in Wireless and Mobility
12-08-2019
12-08-2019
We have probably 15 subnets each with a unique ME setup running on them
with groups of APs in each M...
10-07-2019
I have a lot of different switch models....3750, 3750G,
3750E,3750X,3750V2, 3850 and I am really hes...
Created by
gp1200x
in Wireless and Mobility
08-20-2019
08-20-2019
It turns out it they were throwing storage errors during the updating
after the tftp but if I did a ...
Public Statistics
| Date Registered | 06-09-2007 12:21 PM |
| Date Last Visited | 03-30-2020 01:00 PM |
| Total Messages Posted | 216 |
| Total Helpful Votes Received | 20 |
.jpg "VIP Mentor"){kind=icon}
Helpful Votes From
