Does anyone have a working link to the Prime Infrastructure 3.0 Administrator guide? All the ones I have found either give a 404 error or redirect to the 2.2 version of the guide.
Is there a rackmount kit for the ASA-5545-X devices? It came with a cabinet rail kit but we plan on installing in a traditional 19" Telco rack.
You can't do exactly as you wish with just an ASA firewall. You could get a reverse proxy and/or web application firewall to handle this for you. However, you should note whether these webservers use SSL or not, as there are complications with using SNI.
For my authorization profile result in ISE for PI, I use the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
cisco-av-pair = NCS:role0=Root
Now you would obviously need to change this if you have multiple virtual domains in PI. It looks similar to what you are using. My successful login is shown below (however I don't see the Virtual port type):
Source Timestamp: 2015-03-03 10:23:56.123
Received Timestamp: 2015-03-03 10:23:56.123
Policy Server: MYISESERVER
Event: 5200 Authentication succeeded
Failure Reason:
Resolution:
Root cause:
Username: mycoolusername
User Type:
Endpoint Id:
Endpoint Profile:
IP Address:
Identity Store: MYADIDENTITYSTORE
Identity Group:
Audit Session Id:
Authentication Method: PAP_ASCII
Authentication Protocol: PAP_ASCII
Service Type:
Network Device: PISERVERNAME
Device Type: Network Management
Location: Corporate Office
NAS IP Address: PI-IP-ADDRESS
NAS Port Id:
NAS Port Type:
Authorization Profile: Cisco-Prime-Infrastructure
Posture Status: NotApplicable
Security Group:
Response Time: 19
Try taking out the port type=virtual in your authorization profile config. I only see the port type=virtual in the authentication.
A DOS attack to a layer 2 port is when a rogue host floods the interface with MAC addresses. The switch will learn as many as it can until it fills its MAC address table. Once the MAC address table is full, the switch will essentially turn into a hub and will begin flooding packets to all ports, as it cannot do its normal forwarding based on the MAC address table. Different switches have different capacities, but in general every host port should be protected from this flood attack by limiting the number of MAC addresses it will learn on each port. http://en.wikipedia.org/wiki/MAC_flooding
You can protect against DOS by using port security. This should be done on every non-trunk port.
interface gig0/1
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
This will allow only 3 active MAC addresses on port gig0/1. In order to protect against MAC spoofing you would need either dot1x security or dynamic ARP inspection (which requires DHCP snooping, and you are using static IPs).
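As an added example (not code from the thread), a small Python audit that reads IOS-style running-config text and reports the gap the two posts above describe: non-trunk ports with no "switchport port-security" line, plus the learned-MAC limit on ports that do have it. The config excerpt is constructed for the example.

```python
import re

# Constructed sample running-config excerpt (not from the original thread):
# one protected access port, one unprotected access port, one trunk.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 3
 switchport port-security
 switchport port-security violation restrict
!
interface GigabitEthernet0/2
 switchport mode access
 description printer
!
interface GigabitEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other non-indented line ends the block
    return interfaces

def unprotected_access_ports(config):
    """Non-trunk ports that lack a 'switchport port-security' line."""
    return [name for name, lines in parse_interfaces(config).items()
            if not any(l.startswith("switchport mode trunk") for l in lines)
            and "switchport port-security" not in lines]

def mac_limits(config):
    """{interface: configured 'maximum'} for protected ports; IOS default is 1."""
    limits = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" in lines:
            limits[name] = 1
            for l in lines:
                m = re.match(r"switchport port-security maximum (\d+)$", l)
                if m:
                    limits[name] = int(m.group(1))
    return limits
```

Feed it the output of "show running-config" to list every host port still exposed to a MAC flood.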
From my experiences, a single T1 line for 8 users is insufficient bandwidth with any video content beyond an office user type workload. I would check the pool settings as well as the Teradici PCoIP group policy settings for your pool in question. Maybe you have build-to-lossless turned off or something. From the network side I would check MTU first from the branch side. Make sure you can ping your connection servers with the do-not-fragment bit enabled and be sure the MTU you are using is correct. As far as the QoS is concerned, you really should just have UDP 4172 matched and not all the HTTP and HTTPS and other ports you have. You could be congesting your queue as you've cast a pretty wide net there. Can you post show policy-map interface ser1/0 on your 7206? Also do similar for the branch interfaces on their routers. Here is some nice reading material from VMware's documentation (link)
What you're asking is possible to do on each SVI with an access-list. As you've noticed the full features of IOS aren't available in their switches so it will be a little tedious to manage.
I won't show my exact config file, but I will post the details below. Basically what I did was modify the "Host *" template, uncommenting the configuration items I wanted to change. You can leave the other sections commented out and OpenSSH will continue to use the default for things you have not specified. So step one is to uncomment Host *. Uncomment the Ciphers and MAC lines. Change to any order you prefer for the Ciphers and MAC lines. Save the file and reboot the Linux OS. I exited the shell and typed reload in the CLI to reboot the Linux OS. My system took around 5 minutes to fully reboot and load PI into its usable state.
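As an added example (not the poster's file or code), a Python check that reads an ssh_config-style text, ignores commented lines the way OpenSSH does, and reports which cipher and MAC the "Host *" block will offer first along with any MD5-based or otherwise weak entries still listed. The config excerpt is constructed to match the edit the post describes.

```python
# Constructed ssh_config excerpt (not the poster's file): the "Host *" block
# has its Ciphers and MACs lines uncommented and reordered so AES-256 and the
# SHA-1 MAC come first, as the post describes; other lines stay commented.
SAMPLE_SSH_CONFIG = """\
# Host *
#   ForwardAgent no
Host *
   Ciphers aes256-ctr,aes128-ctr,aes256-cbc,aes128-cbc
   MACs hmac-sha1,hmac-md5
#   Port 22
"""

# Entries a defender would still want flagged if they appear in the list.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256"}

def host_star_settings(text):
    """Return {keyword: [values]} for the 'Host *' block only.
    Lines starting with '#' are skipped, exactly as OpenSSH ignores them."""
    settings, in_star = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1] if len(parts) > 1 else ""
        if key == "host":
            in_star = val.strip() == "*"   # enter/leave the Host * block
            continue
        if in_star and key in ("ciphers", "macs"):
            settings[key] = [v.strip() for v in val.split(",") if v.strip()]
    return settings

def preferred(text):
    """First-listed cipher and MAC: what the client proposes first."""
    s = host_star_settings(text)
    return s.get("ciphers", [None])[0], s.get("macs", [None])[0]

def weak_entries(text):
    """Weak algorithms still present in the Host * lists, by keyword."""
    s = host_star_settings(text)
    return {"ciphers": [c for c in s.get("ciphers", []) if c in WEAK_CIPHERS],
            "macs": [m for m in s.get("macs", []) if m in WEAK_MACS]}
```

Run it against /etc/ssh/ssh_config after the edit to confirm the order took effect and to see what remains negotiable as a fallback.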
Thanks Marvin, modified the /etc/ssh/ssh_config file making the necessary changes. Now PI uses SHA1. Hopefully no future patches get clobbered because of this! haha
Is there any way to change the SSH2 encryption and hash settings PI 2.1 uses to connect to its managed devices? Right now it is using AES-128 and MD5, but I would like to change it to AES-256 and SHA1.