Originated from a systems solution background, mainly working with Active Directory infrastructure (NT4, 2K, 2K3), then fell into networking and started to support manufacturing LAN/MAN campus networks.
Currently working for AT&T in project engineering supporting Healthcare and Civil Nuclear accounts.
Hello
@no_prop wrote:
Hey @luis_cordova.
Thanks for taking a look.
Both Vcenter and UCS_Internal_Management are object groups in Vlan22. UCS_Internal_Management is an object group for Vlan 22's subnet. The other groups are hosts and subnets not in vlan 22. None of the servers can communicate outside the vlan except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN22 and obviously defeats the purpose of the ACL.
Thanks again for looking.
IP access list Vcenter_ACL
10 permit ip addrgroup Vcenter any
20 permit ip addrgroup Server_Team any
30 permit ip addrgroup Veeam_System any
40 permit ip addrgroup Radius_ISE any
60 permit ip addrgroup UCS_Internal_Management any
70 permit ip addrgroup SNMP any
80 permit ip addrgroup UCS_Systems addrgroup Vcenter
90 permit ip addrgroup PURE_Array addrgroup Vcenter
100 permit ip addrgroup Unity_Array addrgroup Vcenter
110 permit ip addrgroup 8th_Floor addrgroup Vcenter
Interface Vlan22
ip access-group Vcenter_ACL out
Please note the established keyword is only applicable to TCP. Have a look at the example below to deny your subnets from initiating TCP connections towards VLAN 22, while allowing the connection if an established TCP connection is initiated from within VLAN 22.
IP access list Vcenter_ACL
permit tcp addrgroup Vcenter any established
deny tcp addrgroup Vcenter any
permit tcp addrgroup Veeam_System any established
deny tcp addrgroup Veeam_System any
permit tcp addrgroup Radius_ISE any established
deny tcp addrgroup Radius_ISE any
etc.....
permit ip any any
int vlan 22
ip access-group Vcenter_ACL out
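As an added illustration of the reply's point (not code from the thread or from Cisco), this Python model evaluates NX-OS-style ACL entries the way the device does: first match wins, implicit deny at the end, and established matching only TCP segments with the ACK or RST bit set. The object-group prefixes and host addresses are constructed placeholders; the model also shows the caveat that non-TCP traffic falls through to the trailing permit ip any any.

```python
import ipaddress
from dataclasses import dataclass
# Constructed object groups; prefixes are placeholders, not values from the thread.
GROUPS = {"Vcenter": ["10.50.1.0/24"], "Veeam_System": ["10.60.1.0/24"]}

@dataclass
class Pkt:
    proto: str; src: str; dst: str   # "tcp", "udp" or "icmp"; source/destination IP
    ack: bool = False; rst: bool = False   # TCP flags (ignored for other protocols)

def in_group(addr, group):
    if group == "any":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in GROUPS[group])

def matches(entry, pkt):
    tokens = [t for t in entry.split() if t != "addrgroup"]
    action, proto, src, dst, *flags = tokens
    if proto != "ip" and proto != pkt.proto:
        return False
    if not (in_group(pkt.src, src) and in_group(pkt.dst, dst)):
        return False
    if "established" in flags:
        # 'established' only has meaning for TCP: it matches segments with ACK or RST
        # set (replies to an existing connection), never the initial SYN.
        return pkt.proto == "tcp" and (pkt.ack or pkt.rst)
    return True

def evaluate(acl, pkt):
    for entry in acl:              # first match wins
        if matches(entry, pkt):
            return entry.split()[0]
    return "deny"                  # implicit deny at the end of every ACL

# The reply's ACL, written with the addrgroup keyword the thread's NX-OS ACL uses.
ESTABLISHED_ACL = [
    "permit tcp addrgroup Vcenter any established",
    "deny tcp addrgroup Vcenter any",
    "permit tcp addrgroup Veeam_System any established",
    "deny tcp addrgroup Veeam_System any",
    "permit ip any any",
]

def demo(vlan22_host="10.22.0.5"):
    outside = "10.50.1.10"   # constructed host inside the Vcenter group
    return {
        "tcp_syn": evaluate(ESTABLISHED_ACL, Pkt("tcp", outside, vlan22_host)),
        "tcp_reply": evaluate(ESTABLISHED_ACL, Pkt("tcp", outside, vlan22_host, ack=True)),
        "udp": evaluate(ESTABLISHED_ACL, Pkt("udp", outside, vlan22_host)),
    }
```

Running demo() shows the SYN from the Vcenter group denied, the ACK-bearing reply permitted, and the UDP datagram permitted by the final entry, which is why the established approach only restricts TCP.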
Hello
How I see it is you have static routes stating that the two 192.168.x.x/24 subnets are reachable via their related next hops. Then you are stating, via a PBR deny statement, to normally route any traffic related to 192.168.0.0/16.
So PBR will take precedence, but due to the deny statement any 192.168.0.0/16 traffic will be routed normally, i.e. by your static route statements.
Hello
@praveenmathew27 wrote:
Let's say I have the below config.
If I do "default interface GigabitEthernet0/0/1", will it remove the sub-interfaces as well?
No, it will not remove the sub-interfaces; it will just default the physical interface only to its default config. The same applies if you perform a default on a sub-interface: it will just default that specific sub-interface.
Hello
I assume your 4500 is the L3 for your LAN estate and this new 9400 will be wanting to take on this role?
If so, how are you planning to migrate the L3 over to the new core - staged or all in one change?
Depending on this will affect how you go about interconnecting the new core to the existing one.
Hello
@ant0879 wrote:
Why would you trunk VLANS in between core nodes? Doesn't OSPF handle routing for IPs behind the vlans from one layer 3 to another?
I am assuming you mean a collapsed core/distribution design in relation to the L2 extended VLANs across that core/distribution. Then the reason why would be to extend the L2 capability, and the only way to do that is by L2 trunks.
The way to negate this would mean having an L3 access design. However, that would mean you wouldn't be able to have multiple VLANs on the access switches; they will need to be single-VLAN specific with dual L3 interfaces into the core/distribution advertised within the IGP you have chosen.
Hello
@netopia wrote:
Clients now are able to authenticate and get a PPPoE address, but are unable to reach the gateway, or indeed, anywhere else.
From the PPPoE client, does it have a default route?
sh ip route
If not, either apply a static default route or enable an IPCP default route on the client dialer interface:
conf t
ip route 0.0.0.0 0.0.0.0 dialer x
or
int dialer x
ppp ipcp route default <-- restart the interface after applying
Hello
Looks like you have EIGRP applied on the hub, but on the spoke you have a static default within a VRF pushing everything out of the physical interface of the DMVPN tunnel, which shouldn't be the case.
Also the physical interface on the spoke is hard-coded to 100 Mbps, but the CIR of that connected physical interface is stating it's a 10 Mbps circuit.
What are the interface statistics for the physical interface on the spoke? Check the ISAKMP/IPsec lifetimes are correct between hub/spoke.
spoke
sh interface gig0/0
sh ip interface gig0/0
sh crypto ipsec security-assoc lifetime
show crypto ipsec sa peer 10.13.198.4
show crypto ipsec sa peer 10.13.198.5
show crypto isakmp sa detail
Hello
@geoffwynn wrote: Hello, sure, good idea although 10.1.2.5 is a small PC on the other side of
Also make sure that there isn't any software firewall on that PC restricting ICMP.
Hello
Providing you have the switchport attaching this router to the switch configured as a trunk, the switches are running, and the hosts and clients are in the correct VLANs, then this should work.
What is host 10.1.2.5?
sh ip arp | in 10.1.2.5
What you can try is removing the sub-interface for VLAN 1, applying the subnet address directly onto the physical interface, and testing again.
example:
conf t
no interface FastEthernet0/0.1
int fa0/0
ip address 10.1.1.20 255.255.255.0
Hello
If the switch is L3 capable then that switch will have two L3 interfaces (usually Switched Virtual Interfaces) for those two subnets, and each end host will be attached to a port on that switch in a VLAN related to those SVIs. Example switch:
interface vlan 10
ip address 10.10.13.254 255.255.255.0
interface vlan 11
ip address 10.11.13.254 255.255.0.0
vlan 10,11
exit
ip routing
int x/x
description vlan10 host
switchport access vlan 10
int x/x
description vlan11 host
switchport access vlan 11
Hello
If you want to specify a MAC host then you need to tell the ACL that; what you have specified is an any any statement with ffff.ffff.ffff any.
try this:
mac access-list extended Allowed-User-MAC-ACL-IN
permit host xxxx.xxxx.xxxx any