Cisco Community
English
Register
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Marcin Latosiewicz
‎09-21-2018
Marcin Latosiewicz
Member since ‎01-03-2008
Cisco Employee
CCIE - Security.
2897
Posts
1617
Helpful
391
Solutions
Recent Badges
300 Accepted Solution
150 Accepted Solution
50 Accepted Solution
15 Accepted Solution
1 Accepted Solution
View All
Recent Badges
Awards

Of course you're correct.

Created by Marcin Latosiewicz Cisco Employee in Security Documents
‎08-07-2017 04:29 AM
‎08-07-2017 04:29 AM
Of course you're correct. Reference: https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml Unfortunately I can't rate your answer, the rating button is not available :{ ... View more

NHRP is L2 protocol, VTI is a

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎09-16-2016 06:54 AM
‎09-16-2016 06:54 AM
NHRP is L2 protocol, VTI is a L3 encapsulation. So yes, you do need GRE (default). ... View more

ASA does not support virtual

Created by Marcin Latosiewicz Cisco Employee in Security Blogs
‎05-23-2016 04:53 AM
‎05-23-2016 04:53 AM
ASA does not support virtual interfaces for VPN - it does support IKEv2 for Remote access and L2L VPN tho.  1800 series routers' images do not have IKEv2 compiled in.  ... View more

Mind that I haven't been

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎03-18-2016 07:41 AM
‎03-18-2016 07:41 AM
Mind that I haven't been working on this tech for almost 3 years. The aaa authorization rule is not defined under AAA, you have it defined only in IKE.  Maybe newer IOS don't require it? The old ones did.  ... View more

Spoke doesn't have an

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎03-15-2016 06:25 AM
‎03-15-2016 06:25 AM
Spoke doesn't have an identity cert. Enroll the spoke to CA (yes, itself). Also make sure you have the right EKU (If this restriction was not relaxed recently).  ... View more

Split tunnelling being

Created by Marcin Latosiewicz Cisco Employee in Security Blogs
‎02-17-2016 11:24 PM
‎02-17-2016 11:24 PM
Split tunnelling being enabled or disabled is a matter of policy typically, this particular example outlines some of advantages of logical interfaces irt traffic flow.  Yes it could solve the u-turn problem by essentially not sending traffic towards the headend, but it requires additional configuration. It's also worth mentioning that the two features are not exclusive, you can run VTI with split tunnelling.  ... View more

Is the OS using CGA? 

Created by Marcin Latosiewicz Cisco Employee in Switching
‎11-26-2015 01:45 AM
‎11-26-2015 01:45 AM
Is the OS using CGA?  https://en.wikipedia.org/wiki/Cryptographically_Generated_Address ... View more

Mohan, 

Created by Marcin Latosiewicz Cisco Employee in Unified Computing System Discussions
‎10-16-2015 02:04 AM
‎10-16-2015 02:04 AM
Mohan,  But there is no data plane routing on FIs, NXOS. Let me demonstrate.    bdsol-6296-01-B (nxos)# show ip route IP Route Table for VRF "default '*' denotes best ucast next-hop '**' denotes best mcast next-hop '[x/y]' denotes [preference/metric] bdsol-6296-01-B(nxos)# show ip route vrf management No IP Route Table for VRF "management" bdsol-6296-01-B(nxos)# sh run int mgmt 0 !Command: show running-config interface mgmt0 !Time: Fri Oct 16 11:02:50 2015 version 5.2(3)N2(2.23d) interface mgmt0 shutdown force ip address 10.48.43.82/25   Hope that clears things up.   M. ... View more

UCS/Fabric Interconnects are

Created by Marcin Latosiewicz Cisco Employee in Unified Computing System Discussions
‎10-15-2015 01:46 PM
‎10-15-2015 01:46 PM
UCS/Fabric Interconnects are not routing devices. The operate either in end host or FC/Ether switching modes (the former being recommended for most deployments).  ... View more

 tunnel mode ipsec ipv4 <---

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎10-14-2015 06:53 AM
‎10-14-2015 06:53 AM
 tunnel mode ipsec ipv4 <--- NHRP in IP world, may not work ...  Try with GRE?    1544368: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: Tunnel mode changed from 'Uninitialized tunnel mode' to 'GRE over point to point IPV4 tunnel mode' 1544369: Oct 14 12:58:56.881 CEST: NHRP: Virtual-Access3: NHRP not enabled     interface Virtual-Template10 type tunnel  ip unnumbered Tunnel0 <--- why tunnel 0 and not the LAN    VRF configuration?  ... View more

Do you mean the capability

Created by Marcin Latosiewicz Cisco Employee in Unified Computing System Discussions
‎10-11-2015 03:26 AM
‎10-11-2015 03:26 AM
Do you mean the capability catalog? If so, Cisco is releasing upgraded version (/revisions) of components all the time. Compatibility catalog is a way to have those new subsystems function without a new to upgrade the core systems (NXOS, UCSM etc).   Catalog upgrade is seamless and does not require any reloads. There should not be a need to rollback a capability catalog upgrade, it's a pretty small XML file containing known/supports UCS components.      ... View more

In quite practical terms IKE

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎09-29-2015 04:54 AM
‎09-29-2015 04:54 AM
In quite practical terms IKE phase 1 authentication and rekey authentication should be using separate RSA key pair. Check out the redundant KS design in GETVPN DIG. DIG A.2.1.   Yes your TEK will be propagated across entire domain and used for encryption. DIG 3.5.3   Indeed a rekey happens when a new policy (what to encrypt and how to encrypt) is set , but also periodically to avoid encryption key from being compromised, as is usual with IPsec encryption. DIG 3.5.3.      ... View more

Probably best doc we have is

Created by Marcin Latosiewicz Cisco Employee in Other Data Center Subjects
‎09-28-2015 05:36 AM
‎09-28-2015 05:36 AM
Probably best doc we have is from MDS family:  http://www.cisco.com/c/en/us/products/collateral/storage-networking/mds-9700-series-multilayer-directors/white_paper_c11-729444.html   Long story (very) short is that you can detect ports spending prolonged time waiting for credits to be returned.  There are also some default actions FC switches will perform.  I don't believe there's a specific document out for Nexus 5k family.  ... View more

Truth be told best way to

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎09-28-2015 05:31 AM
‎09-28-2015 05:31 AM
Truth be told best way to check who's starting QM exchange causing those SPIs to be introduced.  I can't do it for you, but we've written a guide a couple of years back: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html   Experience wise, I have not seen IOS introduce in IKEv1 a transform set it's not configured to use.  IKEv2 and smart defaults are a bit different.  ... View more

Look into NHRP holdtimes and

Created by Marcin Latosiewicz Cisco Employee in VPN and AnyConnect
‎09-28-2015 05:28 AM
‎09-28-2015 05:28 AM
Look into NHRP holdtimes and registration timers.  The default values are quite long. ... View more
Public Statistics
Date Registered ‎01-03-2008 12:25 AM
Date Last Visited ‎09-21-2018 06:40 AM
Total Messages Posted 2,897
Total Helpful Votes Received 1617
Helpful Votes Given To
Helpful Votes From