turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Seb Rupik
Seb Rupik
Member since
06-01-2013
.jpg){kind=icon}
VIP Advocate
Network Engineer contractor based in the UK.
Personal Web Page : http://configif.wordpress.com
1925
Posts
1761
Helpful
368
Solutions
Recent Badges
Awards
02-15-2019
02:48 AM
hmmm, well if you are not using webssl, perhaps you have AnyConnect over IKEv2. Can you share the crypto config from your ASA?
cheers,
Seb.
... View more
02-15-2019
02:25 AM
Hi there,
AnyConnect will use UDP/443 and TCP/443 as a fallback. Check that both destination ports are allowed into the SRX zone that the ASA is positioned in.
cheers,
Seb.
... View more
02-14-2019
12:22 PM
Can you share the entire running config of the switch, and tell us which switchport the ISP router is connected to?
cheers,
Seb.
... View more
Created by
Seb Rupik
in VPN and AnyConnect
Seb Rupik
in VPN and AnyConnect
02-14-2019
07:36 AM
02-14-2019
07:36 AM
I know with the ASA you can initiate an IPSec connection with one end of the connection having a dynamic IP address, but I do not believe it is possible with two dynamic endpoints.
Cheers,
Seb.
... View more
02-14-2019
01:28 AM
HI there,
When you use the archive download-sw command why don't you use the /image-only argument, this will remove all other files/ folders.
If you just want the .bin file at root, why not download the .bin image and position it manually with the copy command?
Cheers,
Seb.
... View more
02-14-2019
12:21 AM
Hi there,
My first thought without testing it would be you need to specify a source interface for your ping. The link-local FE80 address provides no information to the router (subnet prefix) to tell it which connected interface to source the ping from.
cheers,
Seb.
... View more
Created by
Seb Rupik
in VPN and AnyConnect
Seb Rupik
in VPN and AnyConnect
02-13-2019
11:24 PM
02-13-2019
11:24 PM
Yes, you will still have internet connectivity, but the AnyConnect client will adjust you routing table as @Dennis Mink points out, which will send any traffic not destined to the local subnet (except the encrypted tunnel traffic itself) via the tunnel.
Once your traffic arrives at the ASA you will need to have the correct routing and firewall policy in place to allow access to the internet.
cheers,
Seb.
... View more
Created by
Seb Rupik
in VPN and AnyConnect
Seb Rupik
in VPN and AnyConnect
02-13-2019
02:52 AM
02-13-2019
02:52 AM
Hi there,
It sounds like once the VPN is established all of your traffic non-local traffic is being sent to the ASA endpoint and hitting various polices.
If you want to maintain a local connection to the internet you will need to configure split-tuneling for the anyconnect VPN. This will allow you to specify which subnets you can reach via the VPN, everything else will leave via the local LAN gateway.
This is viewed as a security risk in most situations.
cheers,
Seb.
... View more
Created by
Seb Rupik
in VPN and AnyConnect
Seb Rupik
in VPN and AnyConnect
02-13-2019
02:42 AM
02-13-2019
02:42 AM
Hi there,
On your ISP routers, have you forward the following protocols/ ports to the RV340 inside (192.168.100x) address from the public interface:
protocol 50 (ESP)
UDP/500
UDP/4500
cheers,
Seb.
... View more
02-12-2019
07:41 AM
@Joseph W. Doherty
:) I had overlooked multicast.
Are you sure a about PC2 responding to an ARP request from PC1?
PC1 will know PC2 is in a different subnet so will only be ARP'ing for the local gateway. Agreed that PC2 will see the broadcast, but its network stack will discard it once it sees the ARP payload.
I had thought about adding the notion of ARP spoofing to this thread, ie PC2 sending an ARP reply for the PC1 ARP request for its local gateway. Is this ARP cache poisoning (done by both PCs) the basis of the unicast communication you mention?
... View more
02-12-2019
03:23 AM
Assuming at either end of the trunk link, both switchports are configured with:
!
switchport mode trunk
switchport trunk allowed vlan all
!
...the tagged frames will transit the link fine, however the two PCs will remain in separate VLANs so will be unable to communicate. You need a Layer3 interface to make this topology work.
If your switches are configured like:
! SW1
!
switchport mode trunk
switchport trunk vlan 10
!
!SW2
!
switchport mode trunk
switchport trunk vlan 20
!
...broadcast frames will transit the link however they will be silently dropped by the receiving switch as they are received on a switchport which has not been configured to receive that VLAN ID.
cheers,
Seb.
... View more
02-12-2019
03:17 AM
An access to access connection will strip out all VLAN information from the frames in transit. I've used this kludge several times on production networks when receiving a connection from a third party and I need to put it in a different VLAN with a different ID to fit the local allocation. Try it :)
... View more
02-12-2019
03:02 AM
Yes if it is leaving via a mode access port, then there will be no VLAN ID on the frame, therefore SW2 can receive it on its own access port and it will end up in VLAN20.
... View more
02-12-2019
02:33 AM
Sounds like it could be an STP issue.
Is your PC connected to the 2960? Is the 2960 the root bridge for the VLAN you are connected to?
On both the 2960 and SG 350 what is the output of:
sh spanning-tree vlan <your_vlan_id>
cheers,
Seb.
... View more
02-12-2019
02:14 AM
Adding to @Mark Malone, you can further secure your access-layer with DHCP Snooping and DAI which will prevent users from using IP addresses which have not be received from trusted DHCP servers.
cheers,
Seb.
... View more
06-04-2016 05:43 AM
hmmm typicaly for you to enlist in the Eduroam service you will need to
have a home domain of your o...
06-04-2016 05:25 AM
You can achieve the same result without enabling and using Policy Sets.
Yes you are correct, if the ...
06-03-2016 03:10 PM
Hi Yahya, You probably need to enable them:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ad...
10-09-2015 12:57 AM
This document details the steps for using ISE to authenticate Eduroam
users. Janet is the name of th...
Created by
Seb Rupik
in Networking Documents
04-02-2014 01:27 PM
04-02-2014 01:27 PM
Current Cisco configuration documentation shows the use of 3des
encryption and MD5 hashing functions...
Created by
Seb Rupik
in Networking Documents
01-27-2014 09:18 AM
01-27-2014 09:18 AM
Under Win7 Device Manager can you see the new COM port listed?
Public Statistics
| Date Registered | 06-01-2013 12:13 PM |
| Date Last Visited | 02-15-2019 12:10 PM |
| Total Messages Posted | 1,925 |
| Total Helpful Votes Received | 1761 |
Helpful Votes Given To
Helpful Votes From
Awards
Cisco Designated VIPs
2019 Switching, Small Business, Routing
Community Spotlight Award
Doc/Video
Community Spotlight Award
Rookie Award September 2013
