Hi all,   Does anyone know if there is a plan for Catalyst 9800 wireless controllers running on IOS-XE to add a feature into WebUI to kind of "preview commands" before they are applied into the device? Kind of something possible by Cisco ASDM (ASA firewall management GUI interface).   So basically I believe it would be nice to get CLI output (preview of all commands to be applied once something is configured in GUI) for future reference or future re-use on the additional C9800 instance.   Though it is not possible now or I haven't seen it.   Just wondering if anyone knows about it or not. Kind of very nice to have feature :-)   Thanks, Martin     ... View more

Dear all, It might be very easy, but I'm just wondering if Cisco ASA firewall (running 9.8 release for completeness) is somehow doing also route-lookup for source interface and IP address of the packet? I know it is done for destination IP address, but had an impression same is performed for the source (kind of traffic validity check).   Therefore will ASA firewall permit traffic (of course ACL is in place) on the interface from where is comming a traffic with source IP address which doesn't belong there (shouldn't appear there) as per routing table? Route table consists static routes (nothing dynamic).   As I can see in the logs permitted traffic but what is confusing to me is fact that log entry shows: - please note that source IP 10.10.10.1 belongs to SegmentA as per routing.   Log example: x.x.x.x %ASA-6-106100  Nov 24 07:51:05  access-list segmentB_access_in permitted udp SegmentB/10.10.10.1(67) -> SegmentA/10.10.10.20(67) hit-cnt 1 first hit [0xad85a144, 0x00000000]   From syslog number here is definition: %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} protocol interface_name/source_address(source_port)(idfw_user, sg_info) interface_name/dest_address(dest_port) (idfw_user, sg_info) hit-cnt number ({first hit | number-second interval})   Thanks ... View more

Hi all,   Anyone experienced or figured out if there is a possibility to provide some feedback to the guest account which account is about to expire and is allowed to change password, so feedback would help to met password requirements? At the moment we have faced couple of justified issues where guests tried to change their password but were not able to, since they didn't know what password requirements we have set from administration point of view.   Therefore is there a way which would display a specific response to the guest during setting up of the new password? We don't want to disclose our password policy right away but rather looking into possibility to provide feedback like (missing numberic character, missing upper case letter, missing symbol, not allowed symbol etc.) which would tell to the guest a feedback how new password needs to be structured so it can be corrected and at the end accepted by the ISE password guest policy.   At the moment ISE just shows "Password policy requirements were not met" (or similar)...and that is not really of any help. Any clue if such feature exists or were posibilities already explored by someone?   Thanks in advance. Martin   ... View more

Dear all,   What are you using for an APs to discover their controllers? I suppose quite often is being used DNS based discovery CISCO-CAPWAP-CONTROLLER.localdomain.   However how you deal with fact if you have two separate wireless controller environment running in parallel? Older APs are managed by WLC controllers while new APs would be managed by Catalyst 9800 controllers.   Is there any recommended way how to force AP to join the right controllers? Nice would be that new AP models will support second DNS entry which would match Catalyst controllers, but doubt this is something in place.   1. We can use DHCP option, but then it means for each and every AP model we need to define exactly what controller AP should associate with. And managing DHCP options for thousand of locations is not an easy. Also might be that each location will have to have all APs supported by Catalyst controller so no mixed environment is in place to prevent roaming issues etc.   2. We can just keep DNS discovery in place, always point to WLC environment and once AP joins, to manually distribute (configure controller IP manually) it to correct controller whether it would be WLC or Catalyst one. Then config is stored in NVRAM and after reload it joins the correct/intended controller.   Any other thoughts or you already deal with?   Thanks /Martinwlc   ... View more