Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About Joshua Maurer
Stats
Member since
01-31-2014
36
Posts
0
Helpful
0
Solutions
03-20-2018
03:28 PM
I understand some of This is not setup for redundancy I am just trying to connect so that EIGRP is working.
I have a setup with 2 N7K, distribution switch 3650 and 2 N9Ks. I have a VLAN 5 10.5.5.0/28
7K 10.5.5.2 and .3. 9Ks 10.5.5.13 and .12. There is a vPC with the 7K to the 3560 with a trunk with VLAN 5 on it. I have a Trunk port on the 3560 going to each 9K. Again I am only concerned with getting EIRGP routing from each set of Nexus to all the equipment on the network.
I am able to ping ink from the 9Ks to the 10.5.5.2 and .3 when I have IP Router 0.0.0.0/0 10.5.5.2 and .3 in the table. But I am not receiving any EIGRP messages. I do see that the addresses are neighbors but routes are not being advertised. I have router EIGRP 10 with network 10.0.0.0/8 on all the devices. 9Ks have networks 10.15.0.0/24 that can not be reached from the 7Ks.
Is there something thing that needs to be set to allow advertisements across the VLAN 5 so itepuld work if directly connected to the interface of a router? I have no ip route and no interface-passive on the interface and though that would allow EIGRP to advertise out the interface.
... View more
Labels:
02-20-2018
11:08 AM
I understand this is a single point of failure for both ends. We are only paying for 1 connection that will need to be terminated in the DMARC. Even if I was able to get the fiber up to the top of the building where the server room resides. It would only be connected to one of the Nexus. When system maintenance occurs on that unit the connection will be lost.
I am trying to get this connection to work as a P2P to route traffic a crossed.
... View more
02-20-2018
11:02 AM
I have clients and servers on bother sides. This will be for an existing network to connect the 2 networks together. Each side has their own networks and servers. I would like to connect them with fiber instead of using VPN which is currently used.
... View more
02-20-2018
06:45 AM
I am trying to create a point to point layout between 2 sets of Nexus equipment. Normally you connect the connection directly into the device, but where this comes in it will connect to a switch on both ends for distribution and then connect to the core. I was trying to configure this using VLAN 115 and keeping the devices on their own but I can not get them to see or ping one another. I have VLAN 115 configured with the IPADDR. How can I keep the point to point configuration through L2?
N7K1
interface Vlan115 description * P2P DC1 to DC2 * no ip redirects ip address 10.115.0.2/28 hsrp 1 preempt delay minimum 300 reload 600 timers msec 250 msec 750 ip 10.115.0.1
N7K2
interface Vlan115 description * P2P DC1 to DC2 * no ip redirects ip address 10.115.0.3/28 hsrp 1 preempt delay minimum 300 reload 600 timers msec 250 msec 750 ip 10.115.0.1
N9K1
interface Vlan115 description * P2P DC1 to DC2 * no ip redirects ip address 10.115.0.13/28 hsrp 1 preempt delay minimum 300 reload 600 timers msec 250 msec 750 ip 10.115.0.14
N9K2
interface Vlan115 description * P2P DC1 to DC2 * no ip redirects ip address 10.115.0.12/28 hsrp 1 preempt delay minimum 300 reload 600 timers msec 250 msec 750
ip 10.115.0.14
3560
switchport mode trunk switchport trunk allowed vlan add 115
switchport nonego
... View more
Labels:
02-14-2018
06:45 AM
The ASA was configured correctly. The Palo Alto Firewall was having problems with the NAT traffic when it hit there interface. I am not sure what he fix was for their side but after they had the service call, the tunnel was working with no changes to my side.
... View more
01-26-2018
01:11 PM
I have tried using just 10.18.31.32 as the only host in 5024_LAN with no success on my side Cisco but the Palo Alto site is still able to successfully ping the device. I feel like it is a NAT problem on the Palo Alto side.
object-group network Servers_18 description: | 10.18.31.30 - 33 Servers | network-object host 10.18.31.50 network-object host 10.18.31.51 network-object host 10.18.31.52 network-object host 10.18.31.53 object-group network 5024_LAN description: | LAN to VEN 2018-01-18 | group-object Servers_18 object-group network 5024_VEN_LAN description: | To VEN LAN 5024 2018-01-18 | network-object host 8.X.X.240 access-list VPN_5024 remark VEN 2018-01-18 access-list VPN_5024 extended permit ip object-group 5024_LAN object-group 5024_VEN_LAN nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 tunnel-group 8.X.X.130 type ipsec-l2l tunnel-group 8.X.X.130 ipsec-attributes ikev1 pre-shared-key <WorldSecret> exit ! crypto ikev1 policy 11 authentication pre-share encryption aes-256 hash sha group 2 lifetime 28800 crypto map OCMAP 5024 match address VPN_5024 crypto map OCMAP 5024 set peer 8.X.X.130 crypto map OCMAP 5024 set ikev1 transform-set ESP-AES256-SHA crypto map OCMAP 5024 set security-association lifetime seconds 28800
... View more
01-26-2018
08:34 AM
Yes they are correct. I change the original IPADDRs since this information would be public. 50-53 or the Original 4th octet addresses. I missed that.
object-group network Servers_18 description: | 10.18.31.30 - 33 Servers | network-object host 10.18.31.30 network-object host 10.18.31.31 network-object host 10.18.31.32 network-object host 10.18.31.33
... View more
01-26-2018
08:10 AM
I am creating a VPN with Cisco 5525-X to a Palo Alto. I am not able to ping or connect to anything on their side but they are able to ping and connect to my side. I have the VPN configured like other VPNs and recently created one the same was with no problems. I ran the previous commands and looks like everything is good from what I see. Is this problem on my side or theirs?
object-group network Servers_18 description: | 10.18.31.30 - 33 Servers | network-object host 10.18.31.30 network-object host 10.18.31.31 network-object host 10.18.31.32 network-object host 10.18.31.33
object-group network 5024_LAN description: | LAN to VEN 2018-01-18 | group-object Servers_18
object-group network 5024_VEN_LAN description: | To VEN LAN 5024 2018-01-18 | network-object host 8.X.X.X
packet-tracer input INSIDE icmp 10.18.31.32 0 8 8.X.X.X
Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: MAC Access list
Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: MAC Access list
Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information: NAT divert to egress interface OUTSIDE Untranslate 8.X.X.X/0 to 8.X.X.X/0
Phase: 4 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information:
Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information: Static translate 10.18.31.32/0 to 10.18.31.32/0
Phase: 6 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information:
Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information:
Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information:
Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information:
Phase: 10 Type: FLOW-EXPORT Subtype: Result: ALLOW Config: Additional Information:
Phase: 11 Type: DEBUG-ICMP Subtype: Result: ALLOW Config: Additional Information:
Phase: 12 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information:
Phase: 13 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information:
Phase: 14 Type: USER-STATISTICS Subtype: user-statistics Result: ALLOW Config: Additional Information:
Phase: 15 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 545584830, packet dispatched to next module
Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
packet-tracer input INSIDE icmp 10.18.31.32 0 8 8.X.X.X DEtailed
Phase: 1 Type: CAPTURE Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac69786c0, priority=13, domain=capture, deny=false hits=11297500105, user_data=0x2aaac6324470, cs_id=0x0, l3_type=0x0 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0000.0000.0000 input_ifc=INSIDE, output_ifc=any
Phase: 2 Type: ACCESS-LIST Subtype: Result: ALLOW Config: Implicit Rule Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac5756460, priority=1, domain=permit, deny=false hits=5645177141, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=INSIDE, output_ifc=any
Phase: 3 Type: UN-NAT Subtype: static Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information: NAT divert to egress interface OUTSIDE Untranslate 8.X.X.X/0 to 8.X.X.X/0
Phase: 4 Type: CONN-SETTINGS Subtype: Result: ALLOW Config: class-map class-default match any policy-map global_policy class class-default set connection decrement-ttl service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad8c91540, priority=7, domain=conn-set, deny=false hits=1590620, user_data=0x2aaad8c18610, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 5 Type: NAT Subtype: Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information: Static translate 10.18.31.32/0 to 10.18.31.32/0 Forward Flow based lookup yields rule: in id=0x2aaad8736060, priority=6, domain=nat, deny=false hits=17244, user_data=0x2aaad02756a0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 6 Type: NAT Subtype: per-session Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac48cf110, priority=0, domain=nat-per-session, deny=true hits=381998060, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=any
Phase: 7 Type: IP-OPTIONS Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac58a53c0, priority=0, domain=inspect-ip-options, deny=true hits=354656113, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 8 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: class-map inspection_default match default-inspection-traffic policy-map global_policy class inspection_default inspect icmp service-policy global_policy global Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac4fe3000, priority=70, domain=inspect-icmp, deny=false hits=12979109, user_data=0x2aaac65343c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 9 Type: INSPECT Subtype: np-inspect Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaac57eb850, priority=66, domain=inspect-icmp-error, deny=false hits=25243051, user_data=0x2aaac5419f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 10 Type: FLOW-EXPORT Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaace778a30, priority=18, domain=flow-export, deny=false hits=171412652, user_data=0x2aaacd3552b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 11 Type: DEBUG-ICMP Subtype: Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: in id=0x2aaad6bef870, priority=13, domain=debug-icmp-trace, deny=false hits=653621, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=1 src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=any
Phase: 12 Type: VPN Subtype: encrypt Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaad000bfe0, priority=70, domain=encrypt, deny=false hits=16, user_data=0x38282a3c, cs_id=0x2aaad8dd0c90, reverse, flags=0x0, protocol=0 src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=OUTSIDE
Phase: 13 Type: NAT Subtype: rpf-check Result: ALLOW Config: nat (INSIDE,OUTSIDE) source static 5024_LAN 5024_LAN destination static 5024_VEN_LAN 5024_VEN_LAN description 5024 Additional Information: Forward Flow based lookup yields rule: out id=0x2aaacfede4c0, priority=6, domain=nat-reverse, deny=false hits=17241, user_data=0x2aaad8c9afb0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.18.31.32, mask=255.255.255.255, port=0, tag=any dst ip/id=8.X.X.X, mask=255.255.255.255, port=0, tag=any, dscp=0x0 input_ifc=INSIDE, output_ifc=OUTSIDE
Phase: 14 Type: USER-STATISTICS Subtype: user-statistics Result: ALLOW Config: Additional Information: Forward Flow based lookup yields rule: out id=0x2aaabd6e2a80, priority=0, domain=user-statistics, deny=false hits=410184676, user_data=0x2aaac6705cd0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0 input_ifc=any, output_ifc=OUTSIDE
Phase: 15 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 545591009, packet dispatched to next module Module information for forward flow ... snp_fp_tracer_drop snp_fp_inspect_ip_options snp_fp_inspect_icmp snp_fp_translate snp_fp_dbg_icmp snp_fp_adjacency snp_fp_encrypt snp_fp_fragment snp_ifc_stat
Module information for reverse flow ...
Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
... View more
Labels:
01-17-2018
09:11 AM
Thank you.
Do I need to enable anything for ikev2? Or from what you said it looks for ikev2 policy first and tries ikev1.
Think I am over thinking this.
... View more
01-17-2018
08:22 AM
Can I have ikev1 and ikev2 both enabled for L2L VPN tunnels? I have not setup a ikev2 yet and just want to make sure I dont take down any of the other ikev1 tunnels.
I have a vendor that is asking for
Phase1:
Encryption: AES-256
Hash: SHA-512
DH: Group-20
Lifetime: 28800
Phase2:
Encryption: AES-256
Hash: SHA-512
DF: No-PFS
Lifetime: 28800
Lifesize: 10MB
... View more
Labels:
Created by
Joshua Maurer
in Switching
in Switching
10-23-2017
04:28 AM
10-23-2017
04:28 AM
The version of the N7K are:
Software BIOS: version 3.22.0 kickstart: version 6.0(4) system: version 6.0(4)
The cores are vPC with keepalives on (2) different module cards. I have EIGRP used only on the inside networks. Statics routes are used to point the Core out to the ASA's and the ASA's traffic inside. There are (2) different ASA pairs with different ISPs on each.
The Core has (5) different /16 on the inside interface and (2) /16 on the Guest Wireless interface with a default route of ip route 0.0.0.0 0.0.0.0 172.20.20.24.
Inside
(10.0 - 3.0.0/16)
10.100.0.0/16
Guest
(172.16 - 17.0.0/16)
172.20.20.24 is primary ISP 172.20.20.23 is secondary ISP - Guest Traffic Primary
When I need to happen is for the N7Ks to ping the ISP gateway's to verify if the like is alive or dead to see where they need to set the default route to.
... View more
Created by
Joshua Maurer
in Switching
in Switching
10-22-2017
11:45 PM
10-22-2017
11:45 PM
I am working with (2) Nexus 7009 in my core and have (2) different ISPs using (2) different ASA's pairs for redundancy. I am running EIGRP for my LAN computers. I have a secondary Data Center that will be connected later but these DC are running independent and connected by L3 connections.
I was looking into setting up IP SLA to track the state of the primary ISP1 and if the ISP's Gateway is unreachable it would switch to the secondary ISP2 without anyone noticing the change. But it looks like the feature is not available to activate on my Nexus 7009. What are my other options? Should I be using BGP or another protocol to manage this? How would the configuration look?
... View more
Labels:
09-14-2017
12:02 PM
With EEM I am seeing that I can create events for backups. Is there a way to have the backup with the hostname and time stamp like archive with Routers and Switches?
... View more
Labels:
02-15-2017
08:31 AM
I am looking to find a good logging server. I know of Kiwi and have looked at and installed graylog2. Graylog2 looks nice but I am having difficulty understanding how to set it up. I read some of the documentation but I think I need to see a video to understand. I have the same issue with Nagios till I seen it and loved it since.
I would like to keep track of users that are connecting to the equipment along with changes made. Also the state of the equipment. I have a range from ASAs, Nexus, Routers and switches. I am currently monitoring my devices using PRTG.
What is everyone using? Do you like it and is there anything out there that you might thing is nice.
... View more
Labels:
09-20-2016
10:51 AM
I am trying to understand how to use the MGMT port correctly on the ASA. I currently have a new 5508 but would like to update all my other firewalls. I have the OUTSIDE address 1.1.1.1 /30 the INSIDE address 172.16.16.5 /24 and MGMT 10.10.30.20/24.
ssh 10.10.30.0 255.255.255.0 MGMT
ssh 10.10.220.0 255.255.255.0 MGMT
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2
route INSIDE10.10.0.0 255.255.0.0 172.16.16.1
route INSIDE 10.20.0.0 255.255.0.0 172.16.16.1
route MGMT 10.10.30.0 255.255.255.0 10.10.30.1
When I remote in from any other network besides the 10.10.30.0/24 network I can not access the MGMT console from SSH. I am assuming that the route wants to send to the INSIDE interface and that is the reason for the non access.
Is there a way around this or can I not configure it this way and it has to be an OUT OF BAND network only interface?
I can configure the INSIDE interface for SSH, I wanted to try to use the MGMT interface for access and system needs.
... View more
Labels:
03-20-2018
I understand some of This is not setup for redundancy I am just trying
to connect so that EIGRP is w...
02-20-2018
I understand this is a single point of failure for both ends. We are
only paying for 1 connection th...
02-20-2018
I have clients and servers on bother sides. This will be for an existing
network to connect the 2 ne...
02-20-2018
I am trying to create a point to point layout between 2 sets of Nexus
equipment. Normally you connec...
02-14-2018
The ASA was configured correctly. The Palo Alto Firewall was having
problems with the NAT traffic wh...
01-26-2018
I have tried using just 10.18.31.32 as the only host in 5024_LAN with no
success on my side Cisco bu...
01-26-2018
Yes they are correct. I change the original IPADDRs since this
information would be public. 50-53 or...
01-26-2018
I am creating a VPN with Cisco 5525-X to a Palo Alto. I am not able to
ping or connect to anything o...
01-17-2018
Thank you. Do I need to enable anything for ikev2? Or from what you said
it looks for ikev2 policy f...
01-17-2018
Can I have ikev1 and ikev2 both enabled for L2L VPN tunnels? I have not
setup a ikev2 yet and just w...
Created by
Joshua Maurer
in Switching
10-23-2017
10-23-2017
The version of the N7K are: Software BIOS: version 3.22.0 kickstart:
version 6.0(4) system: version ...
Created by
Joshua Maurer
in Switching
10-22-2017
10-22-2017
I am working with (2) Nexus 7009 in my core and have (2) different ISPs
using (2) different ASA's pa...
09-14-2017
With EEM I am seeing that I can create events for backups. Is there a
way to have the backup with th...
02-15-2017
I am looking to find a good logging server. I know of Kiwi and have
looked at and installed graylog2...
Public Statistics
| Date Registered | 01-31-2014 06:32 AM |
| Date Last Visited | 04-12-2018 06:20 AM |
| Total Messages Posted | 36 |
.jpg "VIP Advocate"){kind=icon}
