Hi,   Considering the bellow scenario where i have a multilayer connecting to 2 different MPLS providers (international and local)We are receving and advertising routes via ospf to the MPLS provider.  If we would like to place a firewall in between the routing segment how do i best do this?  Let the firewall participate in OSPF?  Most likely multiple solutions for this?     I could use IBGP and run it through the firewall, this would give me advantages of network team being in control or routing. Another solution like this would be create a separate ospf area for the firewall and connect the isp to my backbone area using ospf virtual link.  Don't think this option is that good it will work but.  (in both cases I will see traffic passing the firewall. GRE for OSPF is also an option but then all my data packets will be encapsulated(firewall has the ability to inspect encapsulated traffic). Any other options?   Or just let the firewall participate in OSPF area 0?     ... View more

Hi , I have 2 5K's in L2 mode only using eVPC and  2 Fex extenders per 5K connected redundant.  To be able to capture trafic from a server connected to these fexes i would like to setup an ERSPAN session. By default the 5k has a management vrf with contains a default route.  I can ping the from this VRF to my capture station userd as ERSPAN destination.  I cannot use the managment vrf for ERSPAN session not allowed. Since my default VRF doesn't have any routes the ERSPAN session indicates no route to destination. It is operating in L2 mode only so how do i create a default route inside the default vrf?  Or use an additional vrf. I tried creating a new SVI and adding a static route but the route doesn't show up in default vrf routing table. The following featers have been enabled: dhcp                  1         enabled fex                   1         enabled interface-vlan        1         enabled lacp                  1         enabled lldp                  1         enabled sshServer             1         enabled tacacs                1         enabled udld                  1         enabled vpc                   1         enabled interfaces: Interface               VRF-Name                        VRF-ID  Site-of-Origin Vlan1                   default                              1  -- mgmt0                   management                           2  -- The VPC uplink port towards upstream switch has been configured as trunk. interface Port-channel3  description swi Nexus Server vPC100  switchport  switchport trunk allowed vlan 62,166,170-172,220,221,314,325,900,901,906,907  switchport trunk allowed vlan add 912-914,920,923,933  switchport mode trunk end I tried creating an SVI for vlan 220 assing an available ip to it and add static route in seperate vrf but it doesn't show the route and i am still unable to ping from the newly created vrf. Any help on approaching this would be nice. ... View more

Hi, Consider the following example: The ISP router is configured to send all incomming traffic towards firewall.  When i use the proxy i have an outgoing ip in the same subnet as the firewall.  How does the router handle this return traffic?  I assume it will check it already established sessions or arp table and send back towards .9 for proxy traffic? ... View more

Hi, I am trying to authenticate on Juniper NSM express using cisco ACS 5.2.  The request is arriving at the cisco ACS but i am getting the following error. RADIUS requests can only be processed by Access Services that are of type Network Access. The ACS is configured with service selection rule Default Device admin (single result selection). Can somebody point me into a good direction on how to solve this. I suspect the ACS needs to be switched to Rule based selection result for the Network Access type to work. Kind regards, Frederik De Muyter. ... View more