Good morning gentlemen I'm configuring a pair of Nexus C93180YC-EX switches, NX-OS 9.3(1). Main customer is using these switches with Internet distribution layer function: - connect other customers - using a transit VLAN for each customer - perform a bandwith restriction for each customer (using policy-map / class-default / police / service policy input/output at each customer int vlan) - ospf routing to uplink Internet routers (only Ipv4) We are referring about 65 customer connections (and bandwith policies) today (may increase until about 100). Reading Nexus 9000 guide, and configuring switches, I verified we can't configure service-policies at interface VLANs. This case, I tried using service-policies applied directly to customer transit vlans (layer2 vlan). Switches permit to apply it input/ingress direction (it worked fine). But in egress/output direction, switch asked for carving TCAM. I need a help in which TCAM part I can carve and how to perform it. Nexus guide explais about allocate TCAM for VLAN QOS and QOS Egress, but not sure about them. This is the TCAM allocation today (default): brbzqrtd1ist3fd# show hardware access-list tcam region NAT ACL[nat] size = 0 Ingress PACL [ing-ifacl] size = 0 VACL [vacl] size = 0 Ingress RACL [ing-racl] size = 1792 Ingress RBACL [ing-rbacl] size = 0 Ingress L2 QOS [ing-l2-qos] size = 256 Ingress L3/VLAN QOS [ing-l3-vlan-qos] size = 512 Ingress SUP [ing-sup] size = 512 Ingress L2 SPAN filter [ing-l2-span-filter] size = 256 Ingress L3 SPAN filter [ing-l3-span-filter] size = 256 Ingress FSTAT [ing-fstat] size = 0 span [span] size = 512 Egress RACL [egr-racl] size = 1792 Egress SUP [egr-sup] size = 256 Ingress Redirect [ing-redirect] size = 0 Egress L2 QOS [egr-l2-qos] size = 0 Egress L3/VLAN QOS [egr-l3-vlan-qos] size = 0 Ingress Netflow/Analytics [ing-netflow] size = 0 Ingress NBM [ing-nbm] size = 0 TCP NAT ACL[tcp-nat] size = 0 Egress sup control plane[egr-copp] size = 0 Ingress Flow Redirect [ing-flow-redirect] size = 0 Ingress RACL Lite [ing-racl-lite] size = 0 Ingress PACL IPv4 Lite [ing-ifacl-ipv4-lite] size = 0 Ingress PACL IPv6 Lite [ing-ifacl-ipv6-lite] size = 0 Regards and thanks for  helping me Christian ... View more

Good afternoon   I have to configure anyconnect on a firewall ASA context. I could configure it, but installing anyconnect accessing firewall URL via browser failed. Message presented is "Internal Server Error".   Searching other discussions, it seems that firewall contexts are not supporting anyconnect webdeploying. I tried via predeploying (installing by myself on user machine) and it's working fine. But what's the procedure for future upgrades? Do I have only to upgrade images on user machine or do I have also to upgrade anyconnect images on firewall? An what about this kind of configuration, should I keep this even for predeploying? anyconnect image shared:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1 anyconnect image shared:/anyconnect-macos-4.7.02036-webdeploy-k9.pkg 2 anyconnect image shared:/anyconnect-linux64-4.7.02036-webdeploy-k9.pkg 3 Regards Christian     ... View more

Good morning   Is there any impact disabling this feature ("no cluster run") on a switch in production? I don't remember using this kind of cluster feature.   Regards Christian ... View more

Good Morning   I have to migrate firewall Checkpoint configuration to a Cisco ASA 5585X device.   Checkpoint has many "accept", "drop", "encrypt" rules. But I could find some rules with action "Client Auth". By Client Auth rules, a user in an user group, when accessing a destination, returns a kind of portal to user device asking user for authentication. When user is authenticated (by a Cisco ACS for example), user device is allowed to access destinations presented on associated Checkpoint access rule. How can I implement this in a similar way on firewall ASA? I really don't know if "aaa authentication, etc" could perform this. I think I have to: - configure user groups (or search for user groups in a TACACS/ACS server) - have a access rule to a destination conditioning access to a kind of aaa user authentication Thanks and best regards Christian ... View more

Good morning   We have a cisco router 1921 with IOS 15.2(3).T3. Searching for a new IOS, we found 15.4(3)M9(ED) and 15.5(3)M7(MD) as candidates We need no new features, only fix vulnerabilities.   1 - Which IOS do you recommend to consider for this router for upgrading? 2 - The most important part: should I have only substitute 15.2(3)T3 for the new IOS in one-step or do I have to consider intermediary IOSs (ex: 15.3.x)? I'm afraid of losing config or other surprises. I could not find any exact procedure for this kind of IOS upgrade Regards Christian ... View more

Good morning   I have an ASA firewall, version 9.1.7 pure. It's not clear for me, checking de Cisco bug ID: - this bug only affects 9.1.7(16) release or any 9.1.7.x release? - does this bug affect ASA asdm/ssh access or only VPN access? - how can I check in ASA configuration the vulnerability? Regards Christian ... View more

Good morning We have 4 switches: C1, C2, D1, D2. C1 is the designated router for all LAN segments containing those 4 routers. C1 and C2 are the only ones in area 0. All 4 routers are in area 1. There's no other OSPF area in the network. We have to deactivate switches C1 and C2. But we are afraid what happens in OSPF (an impact to our customers in production) when C1 and C2 are out of service. 1 - Moving area 0 segment from C1->C2 to D1->D0 can stop OSPF, or OSPF can still run fine only in area 1 until area 0 segment migration? 2 - We will configure "ip ospf priority" larger in D1. But it would only works after a OSPF process restart. What kind of impact (and how long) we could face after OSPF process restart (or shutting down C1 to elect new DR)? Which switches I'd have to restart OSPF process to have D1 as DR before deactivate C1 and C2 switches? Regards Christian ... View more

Good afternoon My ASR 1001x is using release/patch 3.16.4a.S. Last patch available in Cisco site is 3.16.5S. Cisco IOS Checker presents vulnerabilities only fixed in 3.16.6, not available for download. Do you know when 3.16.6 will be released or where can I download this? Or any other ASR 1001X release stable and without vulnerabilities? Regards Christian ... View more

Gentlemen Need your help, because it's not clear the affected ASA version. ASA 5540 we take care has asa917-k8.bin. Bug informs only affected 9.1(2) and 9.2. Last release for 9.1.x available in Cisco site is asa917-11-k8.bin. Should I upgrade ASA version or 9.1(7) is clean for this bug? Regards Christian ... View more