Hi there, RADIUS accounting will not give the level of fidelity that you require to determine what config changes have been made.   What you may want to do is enable config logging: ! archive log config logging enable notify syslog ! This will record every config command entered by a user to the configured syslog server: ! logging server <SYSLOG_SERVER_IP> ! Between this and rancids periodically config snapshots, you should be covered.   cheers, Seb. ... View more

Hi there, You are still receiving the decrypt errors: RADIUS: response-authenticator decrypt fail, pak len 20 ...which indicates a RADIUS secret mismatch.   Can you use a simple secret like cisco or cisco123 on the switch and Windows Server and re-test.   cheers, Seb.   ... View more

….in which case ERSPAN is probably not available on your device either.   What is the device you are trying to capture on?  Is the host traffic which is being captured routed on a device that supports EPC further upstream?   If not, then your best option is to have someone connect a laptop locally to the switch and configure a SPAN port which you can capture directly from.   cheers, Seb. ... View more

Hi there, This message is simply telling you that no security policy (ie ACL) has been configured to permit this traffic, so it is being dropped. https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs1.html#con_4768882   You can filter out these messages with the following config command: no logging message 106006 Since you say you are seeing a great deal of these messages, I suggest you track down 10.107.0.32 (it is a private address so should reside somewhere on your company network) and determine why it is trying to reach 10.113.13.67 ? Is 10.113.13.67 a syslog server that should be receiving logs from 10.107.0.32, in which case perhaps you should explicitly permit the traffic though.   cheers, Seb. ... View more

In my experience you are normally performing packet captures on fairly sizeable switches/ firewalls so the capture process has very little impact.   If the devices which you are looking at do not have the feature to save monitor sessions to internal buffers, you also have SPAN: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3se/network_management/configuration_guide/b_nm_3se_3850_cg/b_nm_3se_3850_cg_chapter_0111.html   Keep in mind that will be caveats/ limitations depending on platform, but it is at least available on every cisco switching platform.   cheers, Seb. ... View more

Hi there, You will find this scenario with any home internet wifi-router.  There are plenty of times when I am both connected physically and wirelessly, with both interfaces providing my laptop with a default route. Crucially the routing table entry for the physical interface will have a lower metric to eliminate asymmetric routing.   cheers, Seb. ... View more

Hi there, the command is: ! int vlan xx mac-address aaaa.bbbb.cccc ! ...but this command has limited platform support.   It is worth pointing out that the switch SVIs all having the same MAC address will not cause any Layer2 issues for your two PCs in the supplied topology.   cheers, Seb.   ... View more

Hi there, There is EPC for most switches: https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-embedded-packet-capture/116045-productconfig-epc-00.html   ...and a similar function on the ASA firewalls. Both allow you to read the contents of the buffer, but not do great analysis. For that you need to export the buffers to PCAP and feed into wireshark off-box.   There isn't anything like the monitor traffic interface command from Junos.   cheers, Seb. ... View more

Hi there, RIPv1 is a classful routing protocol, it does not provide subnet masks in routing updates and will always summarise around class boundaries.   RIPv2 is classless, and it will send subnet masks in routing updates. However, this feature needs to be enabled, ie: ! router rip version 2 no auto-summary ! cheers, Seb. ... View more

Hi there, Do you have SNMP write access? You could issue some set commands to initiate a TFTP session to copy the running config from the device, allowing you to check the password hash again.   cheers, Seb. ... View more

Hi there, I recognise that quote ;)   The PSIRT API is only available to cisco users with Partner Service Contracts. You could contact TAC and see if you could be granted access.   @Omar Santos , can you give us an indication of why the Cisco PSIRT openVuln API has now got restricted access?   cheers, S eb. ... View more