Hi all, I understand Meraki now supports BGP (beta). Does this mean that when we enable BGP on the uplink which has AUTOVPN enabled, it can now participate in underlay routing on the WAN uplink, and we can now choose some traffic to go via the underlay and not the overlay on the same physical interface? Thanks, Aamir
Hi,
DC is on the left and HO is on the right. DC local internet is the Internet connected on DC-Internet-RTR; apart from PE1 and PE2, I can control all routers.
Thanks,
Aamir
Hi all,
As per the diagram, the primary path for Branch to access the internet is via DC (left) and the backup path is via HO (right). However, users in HO (connected via HO-WAN-RTR) should use the internet via HO only. DC-WAN-RTR at DC advertises a default route to PE1 and PE2 when a default route is received from the DC local Internet.
But HO-WAN-RTR should advertise a default route to PE1 and PE2 only when a default route is received from its local Internet AND NOT RECEIVED from the DC site. How can we achieve this via BGP conditional route advertisement, and I believe we need an iBGP link between DC-WAN-RTR and HO-WAN-RTR?
Thanks,
Aamir
Dear, While logging into DCNM, in Inventory -> Switches I have a couple of Nexus 5Ks; on some of the N5Ks the status is showing decryptionError. Does anyone have any idea what this error is? Is it related to SNMP? Thanks, Aamir
Dear *, I know that the Nexus layer 3 card has a forwarding rate of 160Gb only. Does it mean that the forwarding rate of the whole Nexus box will drop down to 160Gb even if some traffic is only layer 2? Also, is it true that with the Layer 3 card the max FEX supported is only 8? Thanks,
Dear *, I have a layer 2 2960 switch where all my DHCP clients are connected. On this same switch I have a Windows DHCP server also. I have created sub-interfaces on the ASA firewall, which is the default gateway for clients and servers. My client VLAN is 21 and the servers VLAN is 501. I have enabled DHCP snooping for VLAN 21 and put the server port as DHCP snooping trusted. I have a P2P VLAN between the 2960 switch and the ASA for management, so there are no client / server SVIs on the switch. I have configured the firewall as a DHCP relay pointing to the server, which is connected to the 2960 switch, and enabled relay on the client sub-interface on the ASA. Now the clients are not getting an IP from the server, but as soon as I remove DHCP snooping for VLAN 21 on the 2960 switch the clients get the IP. I even enabled DHCP snooping trust on the trunk link between the switch and the ASA, but still nothing. Any ideas? Is this related to option 82 maybe? Thanks, Aamir
Dear all, Is there a specific design guide when using ASA clustering with Nexus vPC? Basically I have two ASAs which will be deployed in a clustering manner. The two ASAs will then connect to two Nexus 5Ks in vPC mode. The security team wants to connect the ASA cluster control link via the Nexus 5Ks also, instead of back to back, because in future they might add a third ASA to the cluster, which they can then connect to the N5Ks. Now my question is:

1) How should I physically connect the two ASAs' cluster control links to the two Nexus switches? Do I put one link from each ASA to each N5K (option 1), or do I do a cross connection, which is from each ASA to both N5Ks (option 2)?

Option 1:

ASA 1              ASA 2
  |                  |
  |                  |
  |                  |
  |                  |
N5K1------vPC------N5K2

The problem I see here is that both the ASAs are not interconnected, and there is a lot of traffic that goes over the cluster control link to maintain the cluster. Here, when ASA 1 sends any cluster keepalive to ASA 2, it will not reach ASA 2, because vPC will not allow traffic that was RECEIVED over a vPC peer-link to be sent out a vPC member port, which means N5K2 will not forward that traffic coming from ASA 1 to ASA 2. Am I right in this? Of course, since both ASAs are clustered, I will put both their interfaces in LACP, and the same on both N5Ks also. Thanks, Aamir
Dear, yes, I also realize that the port channel number should be the same under the TenGig interface; I guess I made a typing error. Also I need to ask: in a state where the port channel was configured wrong and the switches are in VSS state, that is their interfaces are re-numbered, would changing the port channel and restarting the switches solve the problem, or would I have to first convert them to stand-alone mode and then do the VSS config all over again? Thanks, Aamir
Dear, Since it was a live environment I had to roll it back to normal mode; however, I remember doing "show redundancy" and it was showing me only one active processor. I don't remember if it was showing Simplex mode or not. But in case it does show Simplex mode even after VSS configuration, what does that mean? And what else could have gone wrong? Thanks, Aamir
I did the following config for VSS:

Core 1:
switch virtual domain 1
 switch 1
 switch 1 priority 110
 switch 2 priority 100
interface port-channel 71
 switch virtual link 1
 no shut
interface range tenGigabitEthernet 5/4 - 5
 channel-group 177 mode on
 no shut

Core 2:
switch virtual domain 1
 switch 2
 switch 1 priority 110
 switch 2 priority 100
interface port-channel 72
 switch virtual link 1
 no shut
interface range tenGigabitEthernet 5/4 - 5
 channel-group 177 mode on
 no shut

When I put the following on both core switches:
switch convert mode virtual
they got restarted, and on Core 1 I got this message:

Jun 29 01:25:30.363: %PFREDUN-6-ACTIVE: Initializing as ACTIVE processor for this switch
*Jun 29 01:25:31.107: %VSLP-5-RRP_NO_PEER: No VSLP peer found. Resolving role as Active
*Jun 29 01:25:31.739: %VSLP-2-VSL_DOWN: VSL links down and not ready for any traffic
*Jun 29 01:25:32.743: %OIR-SW1_SP-6-CONSOLE: Changing console ownership to route processor

Both core switches' interfaces got re-numbered, but they did not become VSS and were working as independent switches. What could be the problem? After the reboot, port-channel 177 was up also. I even put in this command, "switch accept mode virtual", but no luck.

(s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(33)SXI9
VS-S720-10G

Thanks, Aamir
Dear *, Based on the below Cisco link:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html#wp1159517

SSL Termination Overview
SSL termination occurs when the ACE, acting as an SSL proxy server, terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server. When the ACE terminates the SSL connection, it decrypts the ciphertext from the client and transmits the data as clear text to an HTTP server.

Now I would like to clarify the following:

1) When the ACE terminates an SSL connection from a client and then establishes a TCP connection to an HTTP server, in this case what is the source IP that the server will see? Will it see the client IP or the ACE IP as the source? I believe it should see the source IP of the ACE. Or does the ACE here only terminate and re-initiate the TCP session without changing the source IP?

2) If we don't want to use SSL, can the ACE work as a normal proxy? Can we terminate a connection from the client and then establish a new session to the HTTP server? If yes, will the servers see the source IP of the ACE?

Thanks, Aamir
Dear *, I have an ASA with an AIP module. I have initialized the AIP module, and on the ASA I redirected the traffic coming from outside and going to the internal network to the IPS module. The IPS is in inline mode:

ASA(config)# access-list my-ips-acl permit ip any 10.10.0.0 255.255.0.0
ASA(config)# class-map my-ips-class
ASA(config-cmap)# match access-list my-ips-acl
ASA(config-cmap)# policy-map my-ips-policy
ASA(config-pmap)# class my-ips-class
ASA(config-pmap-c)# ips inline fail-open
ASA(config-pmap-c)# service-policy my-ips-policy interface outside

I am also getting hits on the ASA ACL:

access-list my-ips-acl line 1 extended permit ip any 10.10.0.0 255.255.0.0 (hitcnt=76498) 0xcf914892

What I would like to know is: on the AIP module, how can I check if it is getting or processing the traffic? Also, do I need to enable any signatures, or are there some well-known signatures already enabled by default? Thanks, Aamir
Dear *, I have a simple setup with a core switch and an FWSM. From the FWSM I am able to ping from the inside interface (the interface between the FWSM and the MSFC) of the FWSM to other VLANs on the core switch and to the internet; however, when I source the ping from another VLAN of the FWSM to the internet or to another VLAN of the core switch, there is no reply. Here is my config on the FWSM:

FWSM-1# sh run
: Saved
:
FWSM Version 4.0(4)
!
hostname FWSM-1
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Vlan102
 description *** Servers ***
 nameif SRVR
 security-level 50
 ip address 10.10.2.1 255.255.255.0
!
interface Vlan103
 description *** Servers Mgmt ***
 nameif SRVR-mgmt
 security-level 50
 ip address 10.10.3.1 255.255.255.0
!
interface Vlan174
 description LAN/STATE Failover Interface
!
interface Vlan175
 description *** Inside Interface to MSFC ***
 nameif inside
 security-level 100
 ip address 10.10.75.2 255.255.255.0
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
same-security-traffic permit inter-interface
access-list inside-in extended permit ip any any
access-list inside-in extended permit icmp any any
access-list SRVR-in extended permit ip any any
access-list SRVR-mgmt-in extended permit ip any any
access-list SRVR extended permit icmp any any
access-list SRVR-mgmt extended permit icmp any any
pager lines 24
mtu SRVR 1500
mtu SRVR-mgmt 1500
mtu inside 1500
failover
failover lan unit primary
failover lan interface FAIL Vlan174
failover key *****
failover replication http
failover link FAIL Vlan174
failover interface ip FAIL 192.168.74.1 255.255.255.252 standby 192.168.74.2
icmp permit any echo SRVR
icmp permit any SRVR
icmp permit any echo SRVR-mgmt
icmp permit any SRVR-mgmt
icmp permit any inside
no asdm history enable
arp timeout 14400
access-group SRVR-in in interface SRVR
access-group SRVR-mgmt-in in interface SRVR-mgmt
access-group inside-in in interface inside
route inside 0.0.0.0 0.0.0.0 10.10.75.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http 10.10.0.0 255.255.0.0 SRVR
http 10.10.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service reset no-connection
telnet 10.10.0.0 255.255.0.0 SRVR
telnet 10.10.0.0 255.255.0.0 SRVR-mgmt
telnet 10.10.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect skinny
  inspect smtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0cc9eda46d5882ff1d4d2d7046e76c30
: end
FWSM-1#

FWSM-1# ping inside 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 130/140/150 ms
FWSM-1# ping in
FWSM-1# ping inside 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
FWSM-1# ping in
FWSM-1# ping SRV 4.2.2.2
FWSM-1# ping SRVR 4.2.2.2
Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
FWSM-1# ping SRVR 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
?????

Core Switch:
interface Vlan175
 description *** Connected to FWSM ***
 ip address 10.10.75.1 255.255.255.0
end
interface Vlan100
 description *** NQA-mgmt ***
 ip address 10.10.1.1 255.255.255.0
end
ip route 10.10.2.0 255.255.255.0 Vlan175
ip route 10.10.3.0 255.255.255.0 Vlan175

Any help is appreciated, as this is the first time I am configuring an FWSM. Thanks, Aamir