About paul driver

paul driver · ‎02-15-2019

Hello @no_prop wrote: Hey @luis_cordova. Thanks for taking a look. Both Vcenter and UCS_Internal_Management are object groups in Vlan22. UCS_Internal_Management is an object group for Vlan 22's subnet. The other groups are hosts and subnets not in vlan 22. None of the servers can communicate outside the vlan except to hosts and addresses included in an object group defined below. Adding the line permit ip any addrgroup UCS_Internal_Management... allows traffic to exit the network/VLAN22 and obviously defeats the purpose of the ACL. Thanks again for looking. IP access list Vcenter_ACL 10 permit ip addrgroup Vcenter any 20 permit ip addrgroup Server_Team any 30 permit ip addrgroup Veeam_System any 40 permit ip addrgroup Radius_ISE any 60 permit ip addrgroup UCS_Internal_Management any 70 permit ip addrgroup SNMP any 80 permit ip addrgroup UCS_Systems addrgroup Vcenter 90 permit ip addrgroup PURE_Array addrgroup Vcenter 100 permit ip addrgroup Unity_Array addrgroup Vcenter 110 permit ip addrgroup 8th_Floor addrgroup Vcenter Interface Vlan22 ip access-group Vcenter_ACL out Please note the established keyword would be only applicable for tcp, Have a look at the example below to deny your subnets to initiate tcp connection towards vlan22 but to be allowed connection if an established tcp connection from within vlan 22 is initiated. IP access list Vcenter_ACL permit tcp Vcenter any established deny tcp Vcenter any permit tcp Veeam_System any established deny tcp Veeam_System any permit tcp Radius_ISEany established deny tcp Radius_ISEany etc..... permit ip any any int vlan 22 ip access-group Vcenter_ACL out

paul driver · ‎02-14-2019

Hello How I see it is you have static routes stating that the two 192.168 x.x/24 subnets are reachable via their related next hops, Then you are then stating via a pbr deny statement to normal route any traffic related to 192.168.0.0/16. So PBR will take precedence but due to the deny statement any 192.168.0.0/16 traffic will be routed normally be it by your static route statements

paul driver · ‎02-14-2019

Hello My understanding VSS isnt support on the catalyst 9Ks it only stack-wise virtual

paul driver · ‎02-14-2019

Hello @praveenmathew27 wrote: Lets say I have the below config. If i do "default interface GigabitEthernet0/0/1" , will it remove the sub-interfaces as well? No it will not remove the sub-interfaces it will just default the physical interface only to its default config, the same if you perform a default to a sub-interface, it will just default that specific sub-interface.

paul driver · ‎02-13-2019

Hello i assume you 4500 is the L3 for your lan estate and this new 9400 will be wanting to take on this role? If so how are you planning migrate the L3 over to the new core - staged or all in one change? depending on this will affect on how you go about Interconnecting the new core to the existing one

paul driver · ‎02-12-2019

Hello @ant0879 wrote: Why would you trunk VLANS in between core nodes? Doesn't OSPF handle routing for IPs behind the vlans from one layer 3 to another? I am assuming you mean a collapsed core/distribution design in relation the L2 extended vlans across that core/distribution - then reason why would be to extend the L2 capability and the only way to do that would is by l2 trunks. The way to negate this would mean having a L3 access design, However that would mean you wouldn't be able to have multiple vlans on the access switches, they will need to be single vlan specific will dual l3 interfaces into the core/distribution advertised within the IGP you have chosen.

paul driver · ‎02-12-2019

Hello ASA conf t configure factory-default reload save-config noconfirm Switch write erase delete flash:vlan.dat reload

paul driver · ‎02-12-2019

Hello Another possible reason is that your running the wrong sdm template -Can you post the following: show sdm prefer

paul driver · ‎02-12-2019

Hello Remove stp portfast off the trunk towards the AP, shutdown/restart the interface and test again.

paul driver · ‎02-11-2019

Hello @netopia wrote: Clients now are able to authenticate and get a PPPoE address, but are unable to reach the gateway, or indeed, anywhere else. From ppoe client does it have a default route? sh ip route If not either apply a static default route or enable an ipcp default to the client dallier interface conf t ip route 0.0.0.0 0.0.0.0 dialer x or int dialer x ppp ipcp route default <--restart interface after applying

paul driver · ‎02-11-2019

Hello Looks like you have eigrp applied on the hub but the on the spoke you have a static default within in a vrf pushing everything out of the physical interface of the DMVPN tunnel which shouldnt be the case. Also the physical interface on the spoke is hardcorded to 100mbs but the CIR of that connected physical interface is stating its 10mps circuit. What are the interface statistics for the physical interface on the spoke? Check the isakmp/ipsec lifetimes are correct between hub/spoke. spoke sh interface gig0/0 sh ip interface gig0/0 sh crypto ipsec security-assoc lifetime show crypto ipsec sa peer 10.13.198.4 show crypto ipsec sa peer 10.13.198.5 show crypto isakmp sa detail

paul driver · ‎02-11-2019

Hello @geoffwynn wrote: Hello, sure, good idea although 10.1.2.5 is a small PC on the other side of Also make sure that there isnt any software fw on that pc restricting icmp

paul driver · ‎02-11-2019

Hello Providing you have the switchport attaching this router to the switch as a trunk, the switches are running are hosts and the clients are in the correct vlans then this should work What is host 10.1.2.5 ? sh ip arp | in 10.1.2.5 What you can try is remove the sub-interface for vlan 1 and apply the subnet address directly on to the physical interface and test again. example: conf t no interface FastEthernet0/0.1 int fa0/0 ip address 10.1.1.20 255.255.255.0

paul driver · ‎02-11-2019

Hello If the switch is L3 compatible then that switch will have two L3 interfaces (usually Switched Virtual Interfaces) for those two subnets and each end host will be attached to a port on that switch in a vlan related to those SVI's example switch: interface vlan 10 ip address 10.10.13.254 255.255.255.0 interface vlan 11 ip address 10.11.13.254 255.255.0.0 vlan 10,11 exit ip routing int x/x description vlan10 host switchport access vlan 10 int x/x description vlan11 host switchport access vlan 11

paul driver · ‎02-11-2019

Hello If you want to specify a mac host then you need to tell the acl that, what you have specified is an any any statement with ffff.ffff.ffff any try this: mac access-list extended Allowed-User-MAC-ACL-IN permit host xxxx.xxxx.xxxx any

paul driver

Congratulations Peter Very well deserved indeed.

Date Registered	‎06-12-2007 12:44 AM
Date Last Visited	‎02-15-2019 08:45 AM
Total Messages Posted	5,566
Total Helpful Votes Received	4467

Re: ACL on SVI

Re: Policy Based Routing

Re: VSS in Cisco 9410R

Re: If you default an interface, will a...

Re: Core switch Migration L3 Etherchann...

Re: Trunking VLANS/OSPF

Re: How to reset default factory comman...

Re: Cisco 3850 Policy-map Problems

Re: MAC flapping

Re: PPPoE Server is not routing properl...

Re: DMVPN issue

Re: Routing issue

Re: Routing issue

Re: How switch identify L3 network

Re: MAC address issue

Re: Congratulations Peter Paluch: Our Newest Hall of Fame Member