
Answer Questions

  • Network isolation - ( 12-21-2024 )
  • Network Management
  • Hi, I work as an IT engineer in a company with 200-500 employees, and I want to implement some concept of a zero trust model at the company network level. Currently, there are different networks with a subnet of 255.255.255.0 for servers, databases, management, and user departments. But I want to make sure that even devices on the same subnet cannot communicate with or reach each other, and only the permitted device can communicate with the other device. I can't create a subnet for each server or user device, as the number would be large and complicated to manage. Is there any solution for this? Or is there a method that can be implemented on a large scale so that I can allow or deny the communication on the L2 level as well? Thank you.

  • OutSide Email Send issue - ( 12-21-2024 )
  • Email Security
  • Hi Team, while sending email to outside domain users we received NDRs for those users with different details. Can you please let me know if we want to verify whether the attached users are legitimate or not? Please find attached the users' email ID details for your reference. If you have any query or concern, please schedule a call for the same.

  • Unable to Install Cisco AnyConnect VPN (did not uninstall correctly) - ( 12-20-2024 )
  • Hello. I previously had Cisco AnyConnect downloaded on my computer, but I deleted it. Now I am attempting to reinstall it, but it will not let me as it says that it is already installed on my computer. However, I searched for every folder containing cisco in it and it does not appear to be on my computer. This is the link I am attempting to download it from: https://vpn-czbr4.moravia.com/CACHE/stc/3/index.html I would appreciate it if you could help me reinstall the VPN.

  • ISE 3.4 Patch1 Feature release - Get ready to upgrade - ( 12-20-2024 )
  • Network Access Control
  • We are very proud to announce Cisco ISE 3.4 Patch 1, a much-awaited General Availability release for COMMON POLICY. Following are the features and enhancements as part of this patch release.
    Common Policy: Common Policy can be your universal translator that connects the entirety of your network through one consistent language using Security Group Tags (SGT). It solves the Network/Security administrator's pain point of maintaining consistent security policy across network and security domains.
    Introduction: Typically, context information is created closer to the domain where it resides: the access layer for users and devices and in the data center or cloud for application workloads. This context is received and normalized to a group construct, namely a Security Group Tag (SGT), providing a unified mechanism to facilitate creating a consistent security policy in multiple domains. The normalized user, device, and app workload context is sent to each domain using Cisco ISE as the exchange hub. This enables security administrators to create consistent access and segmentation policies regardless of which domain they choose to enforce policy. For Common Policy, ISE 3.4 Patch 1 introduces Workload Connectors and support for multiple SGTs for workload classification rules.
    Workload Connector: This allows you to automatically classify cloud workloads and dynamically assign security group tags (SGTs) to be used in creating and enforcing access and segmentation policies. Initial providers will be Amazon Web Services (AWS), Azure, VMware vCenter and Google Cloud Platform (GCP).
    [Figure: Common Policy at a glance]
    pxGrid Direct enhancements: Building on the pxGrid Direct framework introduced in Cisco ISE 3.2, which simplified integration with Configuration Management Database (CMDB) servers lacking native pxGrid support, Cisco ISE 3.4 Patch 1 will bring forth several key enhancements:
      • Trigger Change of Authorization (CoA) upon attribute change: This will enable the triggering of CoA whenever an endpoint attribute is modified after Cisco ISE learns it through pxGrid Direct. Administrators will have the flexibility to specify which attributes should initiate a CoA when their values change.
      • Tags support: Moving beyond simple key-value pairs, pxGrid Direct in Cisco ISE 3.4 Patch 1 will embrace tags, which are arrays of values. This empowers administrators to create more complex conditions for refined policy enforcement. For instance, they can easily define conditions based on a user belonging to one or more groups.
      • Calculate reauthentication timers: Administrators can now establish dynamic reauthentication timers from CMDB using a timestamp learned from pxGrid Direct when an endpoint connects to the network. This enables the simultaneous disconnection of a group and its associated endpoints, providing a convenient way to enforce disconnections during weekends or at the end of the workday.
    Use Integration Catalog
    Integrate Cisco pxGrid Cloud applications: This feature simplifies the user experience in provisioning pxGrid Cloud configuration using a nice workflow in Cisco ISE integration catalog. Cisco ISE integration catalog is a portal that facilitates easy integration with external systems/applications using pxGrid Cloud and other mechanisms in future.
    Please use the references below to plan your upgrade.
    References: Software download, Release Notes, Administration Guide, Upgrade Guide

  • Duo Web SDK v4 beyond login - Administrative actions - ( 12-20-2024 )
  • APIs
  • I am starting an integration using the Web SDK for a web application. The login flow fits perfectly well with the example provided in the Duo Web SDK documentation, and we plan to implement it as described. However, our application includes a feature we call "administrative actions." These are sensitive operations (e.g., modifying user permissions) that occur post-login and require two-factor authentication (2FA) verification before execution. Is the Web SDK the appropriate solution to handle these "administrative actions" flows, or would you recommend using a different approach? (How do you recommend implementing this flow while keeping the user on the page where the "administrative action" is performed?) Does the Web SDK have any limitations or constraints for handling multiple 2FA requests? Would implementing post-login 2FA for these flows with the Web SDK require any specific configuration changes or additional considerations beyond the default setup? If we decide to add mobile support for login, can the Web SDK be used as well? What about administrative actions?

  • PagerDuty Integration - ( 12-20-2024 )
  • ThousandEyes
  • I had an event happen last night, but was notified by a user rather than through alerting. Upon review of the integrations, it seems that the PagerDuty integration went into an Untested state from a prior Connected state. Creating a new integration with the same info made for another one in the Connected state. Are there ways to be notified if an integration loses connectivity? If not, how can this be a feature request?

  • FPR1010 File Permission error when copying - ( 12-20-2024 )
  • Network Security
  • We bricked an FPR1010. Booted into ROMMON and then used a FAT32-formatted USB to boot to 7.4.2. I simply want to get the file from the USB to the flash. I get this permissions error. The FXOS troubleshooting guide is no help.

  • Audio Latency through expressways c and e - ( 12-20-2024 )
  • TelePresence and Video Infrastructure
  • Good morning, my site just stood up a VCS-C and VCS-E on our classified network. We are receiving terrible audio latency but good video on our calls, no matter if we are pointing to our neighbor peers or to our CMS Bridge. I checked the endpoints during a live call and we are receiving somewhere near 50-90 percent packet loss, but only on the audio side. I have made sure the MTU size matches between the Expressways and endpoints as well as our CMS, but I am not sure what could be causing this issue. The quality varies from an underwater sound to choppy to no audio at all. Any insight on this would be very helpful.

  • How to download and decrypt archived configurations via CCC API - ( 12-20-2024 )
  • General Networking
  • Hi everybody, I am trying to download all archived configurations for my network devices (switches) from CCC ver. 2.3.7.7. To do that, I am using a Python script connecting to the CCC API and I follow this approach: I list all the network devices using the API endpoint XXX/dna/intent/api/v1/network-device-config. I build a list of fileIds for each configuration file for each device in the response. I download the files using the API endpoint XXX/dna/intent/api/v1/file/${fileId}. This approach works fine and I get a number of running and startup configs as well as vlan.dat files for each device. Testing with Postman shows the same result. The problem is that the running and startup configs look like they are encrypted but the vlan.dat is not (I can see the correct VLAN names in the binary file), and I can confirm this by listing the files with the API endpoint XXXk/dna/intent/api/v1/file/namespace/${nameSpace}, where you can see the difference below, with no "encrypted": true or "restrictedAccess": true under the vlan.dat file: {"nameSpace": "ca-25", "name": "xxx_RUNNINGCONFIG", "downloadPath": "/file/f476afa7-xxxx-xxxx-8b2f-06504c095d69", "fileSize": "45838", "fileFormat": "application/octet-stream", "md5Checksum": "xxx", "sha1Checksum": "xxx", "sha2Checksum": "xxx", "restrictedAccess": true, "sftpServerList": [{sftp-details}], "encrypted": true, "id": "xxx"}, {"nameSpace": "ca-25", "name": "xxx_vlan.dat", "downloadPath": "/file/acb05b06-xxxx-xxxx-9014-b24385d004b7", "fileSize": "3384", "md5Checksum": "xxx", "sha1Checksum": "xxx", "sftpServerList": [{sftp-details}], "id": "acb05b06-xxxx-xxxx-9014-b24385d004b7"} I cannot find any documentation or details about the encryption or file format of the running and startup configs, so I have no way of decrypting the files. Can anybody help me with details about this so I can actually use the files? Regards, Lars Jakobsen

  • ISE Wireless for Corporate Iphone - ( 12-19-2024 )
  • Network Access Control
  • Hi there, I am working on a project where I need to authenticate corporate iPhones with ISE. The MDM is ManageEngine, which doesn't have ISE integration. I was able to get TLS working with a SCEP cert deployed from an internal CA. The only issue is the user would need to connect to an internal SSID, then get the profile for the corporate SSID and certs from the CA. Is there a better way to do this? Is there a way to proxy SCEP internally without exposing my internal CA? Not sure what best practices in this case would be.

  • Differences in trace route results explanation - ( 12-19-2024 )
  • Cisco Software Discussions
  • Hi guys! This question is a bit theoretical, but in an area where Traffic Engineering is used, why does the command trace route < IP - address > involve the label switching assigned labels, while the command trace route <router-id> doesn't and chooses the shortest path? What's the logic behind it? Thanks a lot!!

  • ACI Attached and Detached Server IP - ( 12-19-2024 )
  • Application Centric Infrastructure
  • Hello dear colleagues, I am writing to ask for your help. I have an enclosure that hosts several virtual machines; one of them appears on the End Point Search screen with its state shown as attached and detached. What could this be? Note that this is handled with a vPC on two different leaf switches.

  • Workaround with SSO Third party for Bug CSCwi15551 | CUCM 12.5.1SU8 - ( 12-18-2024 )
  • Cloud Collaboration
  • This issue involves the failure of third-party SSO client relay URL interoperability with http/https based URLs. On the Cisco Jabber software, the customer has bypassed the SSO connection by modifying an application settings file (jabber-bootstrap.properties, specifically line 28). The customer is interested to know if a similar solution is possible using the SDK.

  • Need help with CML Sandbox using macOS - ( 12-18-2024 )
  • Cisco Modeling Labs Discussions
  • Hi all, I'm trying to test the CML in the DevNet sandbox, but when it's ready it requires me to connect to a VPN. I tried to download AnyConnect and Secure Client but it requires a contract. I also tried to install OpenConnect via Homebrew but I need a TUN/TAP driver, which is not compatible with my macOS M3 Pro. Do you have any ideas how I can connect to their VPN so I can use the CML sandbox on my Mac M3? Thanks in advance.

  • Umbrella Secure Client (Anyconnect Umbrella only) and Citrix - ( 12-18-2024 )
  • Endpoint Security
  • Hi. We are having an issue with a new deployment of Umbrella Secure Client (only Umbrella loaded) and Citrix VPN. When the client is enabled we are seeing 25-30% more traffic going to the VPN IP. When the Secure Client is uninstalled it's gone; this results in hundreds of Megs worth of traffic when it should be K's. Clients are split tunneled, not using the on-prem VAs for DNS, so they should be going over the cloud via split tunnel to Umbrella. Citrix is fully patched and we are using the latest Secure Client. Sniffer traces aren't telling us much and we have a case open with Umbrella, but we are not making much progress. Anyone else have a similar experience?

  • Issue with Meraki pop up after disconnecting from VPN - ( 12-18-2024 )
  • Cisco Software Discussions
  • Hello! Thank you all in advance. Right now, our users connect to the Cisco Secure Client when they work from home. When they come back into the office, they have to manually disconnect from the VPN. We have tried to write a PowerShell script that will disconnect them from the VPN when they come in to the office by placing an icon on their desktop. The script will disconnect Cisco Secure Client, but a Meraki dialogue box appears and can't be closed out of (that we know of). This usually means that the user has to restart their machine, which is fine, but not exactly the best user experience. Has anyone else had this issue? Does anyone have a solution to this?

  • Zoom SIP Dial String Issue w/Expressway 14.2.6 - ( 12-18-2024 )
  • TelePresence and Video Infrastructure
  • We are having an issue dialing Zoom calls via CRC/SIP when there is no passcode and we need to dial in as the host from the Cisco device, i.e. - MeetingID...HostCode@zoomcrc.com. The Expressway is inserting random characters where the (3) dots are. I believe it thinks the (3) dots are an ellipsis. Looking to upgrade the Expressway but haven't done that yet. Is this a known bug that is resolved with an upgrade?

  • Licenses Issue - ( 12-18-2024 )
  • Cisco Software Discussions
  • We have an FMC VM and an ASA 5516-X with Firepower services. We have been using classic licenses until now. However, that version of the license is reaching the end of support. Therefore, we need to purchase new replacement model SKUs that require a Smart Account. After assigning the licenses to the Smart Account, I registered the FMC using the Smart Account, but the licenses are not appearing in the FMC's Smart Licenses session. I assumed this happened because Classic licenses are still being used by the FMC. I want to know if there is any way to remove these classic licenses and start using the Smart Licenses.

  • EXTERNAL PAGING TRUNK - ( 12-18-2024 )
  • IP Telephony and Phones
  • Good morning. Trying to create an external paging trunk in CUCM; I cannot dial out to it from a VoIP phone in my internal network. How my lab is set up: I have CUCM that has an MGCP gateway (Cisco 8300 router) that has an FXO port configured to communicate and connect to an FXS port on a 2801 router to ring a POTS line that is also connected to the router. I'm trying to mock the paging system with the 2801 router. Any assistance would be greatly appreciated.

  • IOS-XR DSCP Bandwidth Percent Issue - ( 12-18-2024 )
  • XR OS and Platforms
  • I get an issue when trying to assign bandwidth to a policy-map for DSCP bandwidth.
    Config:
    !
    ipv4 access-list ACL_GOLD
     10 permit ipv4 any any dscp af23
    !
    class-map match-all CM_GOLD
     match access-group ACL_GOLD
     end-class-map
    !
    Error:
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !
    policy-map QoS
     class CM_GOLD
      bandwidth percent 20
     !
     class class-default
     !
     end-policy-map
    !
    !!% Policy manager does not support this feature: Action type "Minimum Bandwidth" not supported within policy-map type "qos"
    end