Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Craddockc
08-15-2019
Stats
Member since
05-30-2008
259
Posts
39
Helpful
3
Solutions
08-07-2019
01:49 PM
Harold, Thank so much for taking time to answer my questions. I did need some clarification on the Gloabl Routing Prefix/Site prefix and the Subnet ID. My understanding is as follows: Global Routing Prefix/Site prefix: This is a prefix that is owned and allocated to a certain ISP, it identifies the a portion of the "address domain" allocated to the ISP itself? Subnet ID: This is a prefix that identifies the internal IPv6 address space of the private site connected to that ISP? Thanks.
... View more
08-06-2019
02:22 PM
Harold, I apologize for making you come back to this thread but did have a few other questions. Under what circumstances would you choose to use a Unique Local Address (ULA) over a Global Unicast Address (GUA) for your hosts? If GUA's are globally unique all over the world, in what situations would using ULA's be appropriate? Since there is no NAT in IPv6, im assuming that the ULA will be used for all internal communications between internal subnets and GUA address is used for anything that needs to go external? From a routing table perspective, if you are using GUA's internally, will the routing table in the router just be filled with GUA addresses? I've never worked with IPv6 so these address types and use cases are little confusing. I appreciate your help!
... View more
08-06-2019
02:11 PM
Thank you both very much for your responses! They are very helpful!
... View more
07-19-2019
01:26 PM
Dear Community, I am currently studying for the CCNP-ROUTE exam in an attempt to pass it before the February 2020 deadline. I am currently studying section 1.3b that has to do with IPv4 and IPv6 fragmentation and I had a couple of questions: 1) When the originating host decides that it needs to fragment the IPv4 packet, how does the host itself know that a downstream MTU is smaller than some of the packet sizes and that the packets need to be fragmented. 2) If an IPv4 packet that is not fragmented needs to be fragmented in transit, or is fragmented already and needs to be fragmented again, can an intermediate router in the path perform the fragmentation? if so, under what circumstances would this occur? I know these questions may be a little "in the weeds" for the exam but I always try to be as prepared as possible. I appreciate any feedback you can provide regarding the fragmentation process of IPv4. Thanks!
... View more
Labels:
07-18-2019
09:58 AM
Dear Community, I would like to know if there is a way for the ASA to send an SNMP trap or inform everytime the CPU utilization on the ASA goes above a certain threshold. We are using Solarwinds as our NMS and I already have alerts set up to email us when the ASA experiences a CPU spike. However, sometimes the ASA experiences transient spikes that last maybe a few seconds and then normalizes and Solarwinds does not always catch these spikes. I was hoping there is a way to configure the ASA to send a SNMP Trap or Inform to the NMS the moment is experiences a CPU spike above a certain threshold. Is this possible? Thanks!
... View more
Labels:
07-17-2019
10:11 AM
Harold, I apologize for hijacking the thread but I also had some questions about IPv6. I am trying to study for and pass the CCNP ROUTE exam before the February deadline and I ashamedly admit that I dont really know much about IPv6. I am currently getting a grasp of it so that I can actually understand how to configure and troubleshoot IPv6 routing for the exam. I had a couple of questions if you would be so inclined to assist: Global Unicast Address: I gather that this is the equivalent to a "public" IPv4 address but for IPv6 and that your internal addresses would be NATed to one of these addresses for routing on the internet? Im assuming the ISP doles these out to their customers the same as they do public IPv4 addresses? Unique-Local Address: I gather that this is equivalent to a private IPv4 address that is only routable on the internal network? Is this an address you would give out internally via DHCP? Link-Local Address: I gather that this is always autoassigned by the NIC to itself (similar to an APIPA address) and is used for local broadcast domain communications only? With all these different address types, Im assuming that an IPv6 NIC could have one or more of these addresses assigned to it at any one time? Thanks for any feedback you can provide.
... View more
Created by
Craddockc
in VPN and AnyConnect
in VPN and AnyConnect
04-22-2019
08:55 PM
04-22-2019
08:55 PM
Dear Community, I am currently studying for the CCNA-Security exam and am doing a deep dive on IPSec and VPN's. I may be going too deep on some of these topics for the exam but I resolved to REALLY try to understand what is going on "underneath the hood" so to speak. I work as a Network Engineer and have configured, maintained and troubleshot many Site to Site IPSec VPN issues. But, I must admit that I dont really completely understand exactly how some of it works and how it all sort of "fits together". So I am using this exam as motivation to do the deep dive. I have written down several questions as Ive been studying and I am hoping you can help to answer some or all of them. -In Diffie-Hellman, the group # dictates the size of the key. Is this referring to the "common symmetrical secret key" the DH Alg on both sides eventually arrives at in secret? If so, how is this dictated ahead of time when the DH Alg hasnt even run yet? Is this achieved via using a large enough "random secret" number to perform the log function against? Or by choosing large enough prime numbers up front? -In IKE Phase 1 Main mode, what is the point of encrypting the IDentity and Auth info in the late stages of setting up the ISAKMP SA (packet #5 and 6) if all you have to do is look at the IP header to get the IP address of the sending device? Doesnt the ID Payload contain the same info (IP Address of sending device)? -During Quick Mode IPSec SA negotiations, is the encryption domain/proxy ID (ACL defining interesting traffic) info shared with the peer as part of the proposal? -in IKEv1, If you use AH only, does this mean that the data that is being sent using the Phase 2 SPI is NOT encrypted? if so, this seems to defeat the entire purpose of Phase 1 right? Thanks in advance for any answers you can provide.
... View more
Labels:
02-15-2019
08:40 AM
Marius, This particular PC has 2 physical interfaces associated with it, G0/4 and G0/5. It was being used in the past but is no longer being used. The other 6 physical interfaces are already being used for other purposes. By removing the PC2, this will free up 2 physical interfaces, one of which (G0/4) will be used as the new outside interface. Thanks for the feedback!
... View more
02-14-2019
10:05 AM
Marius, Thank you so much for your comments and help. I have decided to go with Method 1 in an attempt to keep the configs as consistent as possible. I have all the relevant CLI configs in a script ready to go as you suggested. here is a synopsis of my work plan: 1) shutdown interface on the switch going to the secondary ASA: QTS-AGG-1B# int po5 shut 2) shutdown failover interface on secondary ASA: qts-fwprod-1a# interface GigabitEthernet0/7 shut 3) change the configuration on standby ASA 3a) Remove the Po2 subinterface 2.1101: qts-fwprod-1a# no interface Port-channel2.1101 3b) Remove the Po2 port channel interface: (This PC is not being used for anything, one of its member ports Gi0/4 will be used as the new outside interface) qts-fwprod-1a# no interface Port-channel2 3c) Remove the Po1 subinterface 1.1001 (current outside interface) qts-fwprod-1a# no interface Port-channel1.1001 3d) Configure Gigibitethernet0/4 as the new outside interface interface GigabitEthernet0/4 nameif outside security-level 0 ip address 64.x.x.6 255.255.255.128 standby 64.x.x.7 3e) Reconfigure NAT Rules that were deleted when old outside interface was deleted (separate file) 3f) Reconfigure Site to Site IPSec VPN that was deleted when old outside interface was deleted (separate file) 3g) Apply access list "outside_in" to new outside interface qts-fwprod-1a# access-group outside_in in interface outside 3h) Reconfigure static default route that was deleted when old outside interface was deleted qts-fwprod-1a# route outside 0.0.0.0 0.0.0.0 64.x.x.1 3i) Physically connect Gi0/4 of firewall to port G1/0/46 on Edge Switch B 4) shutdown port on the switch going to primary ASA QTS-AGG-1A# int po4 shut 5) no shutdown on interface on the switch going to the secondary ASA QTS-AGG-1B# int po5 no shut Test changes If all is OK, take full backup of running configuration, pull the power on the primary ASA and no shutdown interface on switch going to primary ASA (Po4) as well as failover interface on standby (G0/7). Add power back to primary ASA and verify configuration is successfully copied to the primary (standby) ASA. failover back to primary ASA
... View more
02-13-2019
08:04 AM
Marius, Thanks so much for the reply. I appreciate the thoughtful response. For Method 2, is this done on the Primary/Active Firewall? This seems like a much cleaner approach that would only cause a minor traffic interruption when the IP address is moved to the new outside2 interface. Also, will the access list associated with the old outside interface (outside_in) be deleted from the running config when the old outside interface is deleted from the config? Or will it persist? Labbing it up on my spare ASA here it doesn't look like the ACL is removed after deleting the interface, but I just wanted to check what your experience was. I know the NAT rules and VPN configs will be deleted. Thanks.
... View more
02-12-2019
11:09 AM
Dear community, We have a pair of ASA 5545X firewalls in an Active/Failover HA pair. The configuration of our external "outside" interface is in a port channel with the rest of our internal interfaces. I have to do some work this weekend to change that. I will be deleting the port channel sub interface that acts as the "outside" interface and configuring an unused physical interface to be the new outside interface. My question is this: Should I keep the HA connection connected while first working the Standby unit? The reason I ask is because if I break HA, then both units will go Active, I do not want that. I want the Primary (Active) unit to continue servicing traffic while I work on the Standby unit. Once I am done with the standby unit and have verified that all the rules and NATs etc pertaining to the outside interface are back in place, I want to power down the Primary/Active unit and make the Secondary/Standby unit the Active unit. Once I am satisfied that everything is working, I want to power up the Primary unit again and force the config changes to be propagated to the Primary unit. Does this sound like a reasonable approach? How would you approach this situation? Any help would be appreciated. Thanks.
... View more
Labels:
Created by
Craddockc
in Cisco Cafe Blogs
in Cisco Cafe Blogs
01-23-2019
01:26 PM
01-23-2019
01:26 PM
Congratulations Peter! Much deserved!
... View more
11-12-2018
10:03 AM
Peter,
I know im about 4 years late to the game on this post but, are there any negative design considerations when using VLAN SVI's as the L3 interfaces in OSPF vs using physical L3 interfaces? VLAN SVI's dont typically go down unless all of the physical links carrying that VLAN go down, how can this fact impact OSPF operation?
Thanks.
... View more
10-24-2018
10:23 AM
Thank you Reza/Leo,
Im assuming if I gamble and dont upgrade the ROMmon it could potentially cause some system instability if I try running the new code on the old ROMmon version?
... View more
08-07-2019
Harold,Thank so much for taking time to answer my questions. I did need
some clarification on the Gl...
08-06-2019
Harold,I apologize for making you come back to this thread but did have
a few other questions. Under...
07-19-2019
Dear Community,I am currently studying for the CCNP-ROUTE exam in an
attempt to pass it before the F...
07-18-2019
Dear Community,I would like to know if there is a way for the ASA to
send an SNMP trap or inform eve...
07-17-2019
Harold,I apologize for hijacking the thread but I also had some
questions about IPv6. I am trying to...
04-29-2019
Dear community,Allow me to apologize in advance for the lengthy post but
I wanted to understand what...
04-22-2019
Dear Community,I am currently studying for the CCNA-Security exam and am
doing a deep dive on IPSec ...
04-16-2019
Dear community,When running the impact assessment on the Nexus 9K it
states that the install will be...
04-16-2019
Dear community,is it possible to FTP or TFTP files in bootflash between
two Nexus switches. I am att...
02-15-2019
Marius,This particular PC has 2 physical interfaces associated with it,
G0/4 and G0/5. It was being ...
Public Statistics
| Date Registered | 05-30-2008 12:26 PM |
| Date Last Visited | 08-15-2019 11:36 PM |
| Total Messages Posted | 259 |
| Total Helpful Votes Received | 39 |
Helpful Votes Given To
.jpg "VIP Advisor"){kind=icon}
Helpful Votes From
