Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About rmorenobb
Stats
Member since
02-13-2013
39
Posts
5
Helpful
3
Solutions
09-04-2019
03:05 PM
I have a pretty straight forward change I need to make to several devices at one site; I need to change the OSPF process ID. The site has 2 edge routers, 1 L3 switch stack that connects all 3 floor IDFs all via OSPF. All devices are using the following OSPF config router ospf 20 router-id 10.0.0.1 (this changes based off of device) auto-cost reference-bandwidth 10000 area 0 authentication message-digest passive-interface default no passive-interface GigabitEthernet1/0/47 (this changes based off of device uplink) no passive-interface GigabitEthernet1/0/47 (this changes based off of device uplink) default-information originate I want to change all device(s) OSPF from process 20 to process 100 router ospf 100 router-id 10.0.0.1 (this changes based off of device) auto-cost reference-bandwidth 10000 area 0 authentication message-digest passive-interface default no passive-interface GigabitEthernet1/0/47 (this changes based off of device uplink) no passive-interface GigabitEthernet1/0/47 (this changes based off of device uplink) default-information originate interface uplink configuration looks like this on all devices ip address 10.1.1.1 255.255.255.252 ip ospf message-digest-key 1 md5 7 072416185D0D3F175F10 ip ospf network point-to-point ip ospf 65400 area 0 also all Vlans have OSPF So, what I'm planning to do is script out the changes and manually apply the script. I figured I'd start with the 3 Floor IDFs 1st floor IDF switch stack change conf t no router ospf 20 router ospf 100 router-id 10.2.1.1.1 auto-cost reference-bandwidth 10000 area 0 authentication message-digest passive-interface default no passive-interface TenGigabitEthernet1/1/1 no passive-interface TenGigabitEthernet2/1/1 ! int te1/1/1 no ip ospf 20 area 0 ip ospf 100 area 0 ! int te2/1/1 no ip ospf 20 area 0 ip ospf 100 area 0 ! int vlan 10 no ip ospf 20 area 0 ip ospf 100 area 0 ! end once i have all the floors updated, then i plan to update the layer 3 core switch stack conf t no router ospf 20 router ospf 100 router-id 10.0.1.1 auto-cost reference-bandwidth 10000 area 0 authentication message-digest passive-interface default no passive-interface TenGigabitEthernet1/1/1 no passive-interface TenGigabitEthernet1/1/2 no passive-interface TenGigabitEthernet1/1/3 no passive-interface TenGigabitEthernet1/1/4 default-information originate ! int range te1/1/1-4 no ip ospf 20 area 0 ip ospf 100 area 0 ! And lastly edge routers conf t no router ospf 20 router ospf 100 router-id 10.4.4.4 auto-cost reference-bandwidth 10000 area 0 authentication message-digest passive-interface default no passive-interface GigabitEthernet0/0/0 no passive-interface GigabitEthernet0/0/1 default-information originate metric 100 ! int range gi0/0/0-1 no ip ospf 20 area 0 ip ospf 100 area 0 ! end So, one thing I think I need to add to the end of each is to clear the process ID for re convergence? I'd like to do this remotely but not sure if I'll lose connectivity to the devices, which is why I figured I'd make the changes to the floor IDF switch stacks and then update the L3 core switch stack than the edge routers. I'm still doing some research into this, to make this change smooth, and to not lose connectivity to any of the devices. I'm still learning OSPF so I'm a bit hesitant with this change, for those that are knowledgeable in OSPF does this sound like the proper change?
... View more
Labels:
03-04-2019
07:21 AM
Thanks! I've been reading up on any effects, and haven't seen anything that could pose an issue, so I agree. The only piece I don't like with the FMC/FTDs is having to make the adjustment via flexconfig.
... View more
02-28-2019
01:50 PM
Hi,
I have a few production Site to Site VPN Peers, one of these peers, the vendor is requesting if we can adjust our window size to 1024.
I found this bug, that is has a workaround for flexconfig, but I'm curious if you can apply that to only the one Peer, and not globally? Perhaps I need to create a new policy map for this peer, and use Flexconfig to adjust the window size of only that peer with that associated policy map?
Or if it is a global option only, what I should be aware of, i.e., how will that change effect the other peers?
I found the bug for this (link below), no software releases resolve the bug, so the flex config is the only work around, that I can find.
Any ideas?
CSCvg87675 - FTD VPN FMC should have an option to customize the IPSec Anti-Replay Window size
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvg87675/?rfs=iqvred
... View more
Labels:
01-25-2019
06:55 AM
Yesterday evening, around 5:30 p.m., which I felt was safe to try the command, worked, with no impact. My concern was that by removing the ip dhcp snooping vlan x,x,x,x.. command, that it might cause connectivity issues, but it didn't.
So I guess I answered my own question, well except I only know to fully remove the statement, and not just remove one vlan within the statement.
... View more
01-24-2019
11:24 AM
Hi, no, I want to remove Vlan 20 from dhcp snooping all together, but I don't want to impact the other vlan bindings.
Up to this point, I've been removing the entire statement no ip dhcp snooping vlan 1,2,3, etc.
and then putting it back without the vlan 20.
this is what ive been doing
conf t no ip dhcp snooping vlan 20,90,100,200,400 ip dhcp snooping vlan 90,100,200,400 ! end wri mem !
that works, but it obviously wipes out the entire dhcp snooping database, the database will rebuild but i prefer not to do this method.
... View more
01-24-2019
10:06 AM
Hi,
I currently have DHCP snooping enabled on a site switch stack, as follows:
ip dhcp snooping vlan 20,90,100,200,400
no ip dhcp snooping information option
ip dhcp snooping
DHCP snooping is working fine, no issues, but I need to modify the vlans configured, I want to remove vlan 20.
I found that the only way to do this is to do the following:
conf t
no ip dhcp snooping vlan 20,90,100,200,400
ip dhcp snooping vlan 90,100,200,400
end
That works, but what it does is clear the ipdhcp snooping binding database, and it does rebuild, I don't know how to only remove 1 vlan??
I've only did the above after business hours for other sites, but curious if this can be done during production hours without any impact in connectivity for end points?
... View more
Labels:
12-04-2018
10:42 AM
Well that scares me, but I'll give it a look, I may just continue on the path I'm doing, it's not that involved, so might be worth limiting the risk for now.
Thank you though!
... View more
12-04-2018
09:43 AM
Hi,
Was looking for a way to kickoff a script to upgrade the IOS of switches on my network.
I have a large number of devices that need IOS upgrades, and was looking at way to kick off the upgrades in groups.
What I'd do before the IOS upgrade is stage the IOS image in the flash: of each switch stack.
Then at a certain time after business hours, kick off the upgrade.
I'd like to have it automated so that all the following is entered without my intervention.
software install file flash:iosversion.bin
yes to proceed on all prompts
reload yes
Just thought I'd look into this. I do have Cisco Prime, but no software imaging staging server, hence why I would tftp all IOS images before the upgrades manually. If I can do it to Prime so that I don't have to answer the prompts for reload, etc., that would be good too.
... View more
Labels:
Created by
rmorenobb
in Other Security Subjects
in Other Security Subjects
11-16-2018
08:31 AM
11-16-2018
08:31 AM
I implemented DHCP snooping a couple of weeks ago, went smooth, not issues.
Attempted to implement DAI for only 1 floor with two IDFs.
We found a few hours later, ports started disabling, and the errors we were seeing in the logs were
Nov 14 22:20:21.718 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 400.([34f3.9a02.17e6/10.0.60.32/0000.0000.0000/10.0.60.254/22:20:21 MST Wed Nov 14 2018]) Nov 14 22:20:22.717 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 400.([34f3.9a02.17e6/10.0.60.32/0000.0000.0000/10.0.60.254/22:20:22 MST Wed Nov 14 2018]) Nov 14 22:20:23.717 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 400.([34f3.9a02.17e6/10.0.60.32/0000.0000.0000/10.0.60.254/22:20:23 MST Wed Nov 14 2018]) Nov 14 22:20:24.715 MST: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Gi1/0/21, vlan 400.([34f3.9a02.17e6/10.0.60.32/0000.0000.0000/10.0.60.254/22:20:24 MST Wed Nov 14 2018])
around 80 ports disabled, and we reverted the DAI commands, and enabled the ports.
When we implemented DAI we made no change to the defaul arp packets, left it at the default 15.
We have software (altiris) that does software updates on all end points, and has peer to peer scanning enabled, we're thinking this may be contributing to the issue we saw.
We plan to do another test implementation, and will manually increase the default packet rate, only issue is we're trying to find a way to understand how to determine a baseline for the pps.
So for now, DAI isn't working, and I'm working with TAC on this, they also don't have much input on why numerous ports started disabling.
... View more
Created by
rmorenobb
in Other Security Subjects
in Other Security Subjects
10-25-2018
09:09 AM
10-25-2018
09:09 AM
Hello, I need assistance configuring DAI/DHCP snooping for two different sites, one is a small site, one switch, the other as a larger site, with a core switch with uplinks.
Here are my notes/information
Need to know – What about Option 82? Is it needed?
*All L3 Vlans with DHCP IP Helpers* Vlan90 10.0.1.0 Vlan100 10.0.2.0 Vlan200 10.0.3.0 Vlan400 10.0.4.0
These are all static Vlans – no change to config here Vlan 10, 20, 50, 70, 500
Implement DHCP Snooping Script Conf t Ip dhcp snooping Ip dhcp snooping vlan 90 Ip dhcp snooping vlan 100 Ip dhcp snooping vlan 200 Ip dhcp snooping vlan 400
Implement DAI Script Conf t Ip arp inspection vlan 90 Ip arp inspection vlan 100 Ip arp inspection vlan 200 Ip arp inspection vlan 400
Implement DAI Script on build1-main-mdf-sa01 Conf t ?? -- > Interface Te1/0/12 Ip arp inspection trust Interface Te2/1/4 Ip arp inspection trust Interface Te1/0/11 Ip arp inspection trust
Implement DAI Script on ALL IDF switches Example build1-2ndfloor-idf-sa01 Conf t ?? -- > Interface Te2/1/4 Ip arp inspection trust Interface Te1/1/4 Ip arp inspection trust
For L2 Vlans on downstream switches ???
Ip arp inspection vlan 90 Ip arp inspection vlan 100 Ip arp inspection vlan 200 Ip arp inspection vlan 400
... View more
Labels:
10-25-2018
09:01 AM
I did
conf t
no crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
no crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
that took the tunnel down
and when I was done testing, i added the lines back to bring the tunnel back up
conf t
crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
So thank you! It worked nicely.
... View more
10-16-2018
02:56 PM
I got an error trying to remove the acls , said it was in use. I'll have to try again tomorrow.
... View more
10-16-2018
02:33 PM
Thanks! Yah, that's not what I want to do, as I have two other active tunnels that I cannot bring down, I only want to bring down the one tunnel.
... View more
10-16-2018
02:17 PM
How to shut down ASA Site to Site VPN tunnel without removing it? I only want to temporarily shut down the VPN tunnel for testing on another firewall, since the peers have similar interesting traffic, but I don't want to remove the existing VPN tunnel, just shut down temporarily.
This is an old ASA 5510
crypto map XXCryptoMap 16 set peer 1.1.1.1 2.2.2.2
crypto map XXCryptoMap 16 set ikev1 transform-set ESP-AES-128-SHA
crypto map XXCryptoMap 16 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map XXCryptoMap 16 set nat-t-disable
I've read you can remove the ACL for it, but it doesn't seem to be working.
asafirewall01# sh access-list OO_temp_XXCryptoMap16
access-list OO_temp_XXCryptoMap16; 2 elements; name hash: 0xe3fb223a (dynamic)
access-list OO_temp_XXCryptoMap16 line 1 extended permit ip host 10.0.1.2 host 1.1.1.1 (hitcnt=1815) 0x27ad149d
access-list OO_temp_XXCryptoMap16 line 2 extended permit ip host 10.0.1.3 host 2.2.2.2 (hitcnt=2) 0x1d4b9726
peer address: 1.1.1.1
Crypto map tag: XXCryptoMap, seq num: 16, local addr: 10.0.1.2
access-list OO_temp_XXCryptoMap16 extended permit ip host 10.0.1.2 host 1.1.1.1
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.:2.2.2.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 7ACD4800
current inbound spi : 72AF7097
inbound esp sas:
spi: 0x72AF7097 (1924100247)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap
sa timing: remaining key lifetime (kB/sec): (4374000/27260)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x7ACD4800 (2060273664)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
slot: 0, conn_id: 63479808, crypto-map: BBCryptoMap
sa timing: remaining key lifetime (kB/sec): (4374000/27260)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
... View more
Labels:
Created by
rmorenobb
in Network Management
in Network Management
05-29-2018
01:11 PM
05-29-2018
01:11 PM
My laptop crashed, so I had to install Cisco Analyzer on my new laptop; since then, have had no issues. I'm not sure why it stopped working on the last laptop.
... View more
09-04-2019
I have a pretty straight forward change I need to make to several
devices at one site; I need to cha...
01-25-2019
Hi, yes, the crypto map for the peer that you're trying to keep up, the
static route host ip must fa...
01-24-2019
Hi, I currently have DHCP snooping enabled on a site switch stack, as
follows: ip dhcp snooping vlan...
12-04-2018
Well that scares me, but I'll give it a look, I may just continue on the
path I'm doing, it's not th...
12-04-2018
Hi, Was looking for a way to kickoff a script to upgrade the IOS of
switches on my network. I have a...
11-26-2018
Hello, Sort of a shot in the dark to see if this issue can be solved,
but worth a try. I'll say up f...
11-26-2018
Hello, Sort of a shot in the dark to see if this issue can be solved,
but worth a try. I'll say up f...
Created by
rmorenobb
in Other Security Subjects
11-16-2018
11-16-2018
I implemented DHCP snooping a couple of weeks ago, went smooth, not
issues. Attempted to implement D...
11-16-2018
The issue with the sla monitor not working, was specifically the crypto
map protected networks. Sinc...
Public Statistics
| Date Registered | 02-13-2013 03:21 PM |
| Date Last Visited | 09-18-2019 01:01 AM |
| Total Messages Posted | 39 |
| Total Helpful Votes Received | 5 |
