I am working on an IKEv1 L2L between IOS routers with crypto map and PKI. When I am configuring the crypto identity (to be used in the crypto map) the input is as follows:
crypto identity R1_R3_DN
dn CN=R3
The input is as in the lab configuration. I am working with 2 C1841 routers with ios c1841-adventerprisek9-mz.151-3.T2. When I look at the configuration the crypto identity is shown as follows:
crypto identity R1_R3_DN
 dn cn=R
!
!
crypto map VPN 10 ipsec-isakmp
 set peer 136.1.38.3
 set transform-set 3DES_MD5
 set identity R1_R3_DN
 match address LO1_TO_LO3
So the cn is magically changed from R3 to R. And yes my vpn phase 2 does not work. The error shown is:
We have a few different vendors' firewalls in production and I was curious if there are any security implications of not filtering source ports <=1023. On some vendors their implementation for default services is source port 1024-65535, some do 1-65535 and one even 0-65535.
How do you implement a peak shaping QoS policy on the Cisco ME 3600X? My aim is to shape a service instance but to allow the shaper to burst over the shape value to a specified amount, if there is available bandwidth on the physical interface, queueing any excess traffic.
I am trying to implement the policy below, except with a shape peak instead of average. However, I don't see the peak keyword under the shape command. I do see the following mentioned in the configuration guide however,
shape average {target bps | percent value}
Enter percent value to set the percentage of interface bandwidth for peak information rate. The range is 0 to 100 percent. The percentage is based on the port operational link speed. Setting the percent to 0 disables shaping.
I am not sure how to use this to implement my requirements.
If there is not a way to do this using shaping, then can I use policing instead?
class-map match-any VRFA
 match service instance ethernet 2121

policy-map PARENT-G012
 class VRFA
  shape average 2000000
  service-policy CHILD-G012

policy-map CHILD-G012
 class NETWORK
  bandwidth percent 2
 class VOICE
  police cir percent 10 conform-action transmit exceed-action drop
  priority
 class APP1
  bandwidth percent 22
 class APP2
  bandwidth percent 24
 class APP3
  bandwidth percent 12
 class APP4
  bandwidth percent 5
 class class-default
  bandwidth percent 25
  random-detect
I really follow the WB and I completed all tasks, but at the end I'm not able to authenticate the session of the test PC A. This is what I see:
SW1#sh auth sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Fa1/0/5    000c.853b.bea6  dot1x   DATA    Running        880113090000000500420F77
Fa1/0/5    0050.b60b.e514  mab     VOICE   Authz Success  88011309000000060046EB13
SW1#
dot1x-ev(Fa1/0/5): Received an EAP Timeout
dot1x-sm(Fa1/0/5): Posting EAP_TIMEOUT for 0x78000019
dot1x_auth_bend Fa1/0/5: during state auth_bend_request, got event 12(eapTimeout)
@@@ dot1x_auth_bend Fa1/0/5: auth_bend_request -> auth_bend_timeout
dot1x-sm(Fa1/0/5): 0x78000019:auth_bend_timeout_enter called
dot1x-sm(Fa1/0/5): 0x78000019:auth_bend_request_timeout_action called
dot1x_auth_bend Fa1/0/5: idle during state auth_bend_timeout
@@@ dot1x_auth_bend Fa1/0/5: auth_bend_timeout -> auth_bend_idle
dot1x-sm(Fa1/0/5): 0x78000019:auth_bend_idle_enter called
dot1x-sm(Fa1/0/5): Posting AUTH_TIMEOUT on Client 0x78000019
dot1x_auth Fa1/0/5: during state auth_authenticating, got event 14(authTimeout)
@@@ dot1x_auth Fa1/0/5: auth_authenticating -> auth_authc_result
dot1x-sm(Fa1/0/5): 0x78000019:auth_authenticating_exit called
dot1x-sm(Fa1/0/5): 0x78000019:auth_authc_result_enter called
%DOT1X-5-FAIL: Authentication failed for client (000c.853b.bea6) on Interface Fa1/0/5 AuditSessionID
dot1x-ev(Fa1/0/5): Sending event (2) to Auth Mgr for 000c.853b.bea6
%AUTHMGR-7-RESULT: Authentication result 'no-response' from 'dot1x' for client (000c.853b.bea6) on Interface Fa1/0/5 AuditSessionID 880113090000000500420F77
dot1x-ev(Fa1/0/5): Received Authz fail for the client 0x78000019 (000c.853b.bea6)
dot1x-ev(Fa1/0/5): Deleting client 0x78000019 (000c.853b.bea6)
%AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (000c.853b.bea6) on Interface Fa1/0/5 AuditSessionID 880113090000000500420F77
%AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for client (000c.853b.bea6) on Interface Fa1/0/5 AuditSessionID 880113090000000500420F77
%AUTHMGR-5-FAIL: Authorization failed for client (000c.853b.bea6) on Interface Fa1/0/5 AuditSessionID 880113090000000500420F77
dot1x-sm(Fa1/0/5): Posting_AUTHZ_FAIL on Client 0x78000019
dot1x_auth Fa1/0/5: during state auth_authc_result, got event 22(authzFail)
@@@ dot1x_auth Fa1/0/5: auth_authc_result -> auth_held
dot1x-ev:Delete auth client (0x78000019) message
dot1x-ev:Auth client ctx destroyed
dot1x-ev:Aborted posting message to authenticator state machine: Invalid client
SW1#
I tested both ways (AnyConnect and NIC) and neither of them works for me. Are you able to complete this task without any issue?
I'm currently trying to deploy a DCNM 7.1.1 installation and I would like to check with you guys what ports DCNM LAN and SAN would use to discover/talk to/configure my Nexus devices.
What happens is all my mgmt0 nexus ports are behind a firewall, so I have to ask the firewall guys to permit some ports so the DCNM LAN/SAN can talk to my VDCs.
I have a question, which I am hoping someone can help clarify.
When running IS-IS in ST for IPv6, "wide metrics" are not required. That is my understanding, that is how I tested it as well, and it is confirmed in the document output below.
However, that documentation continues on to say that IPv6 reachability is advertised using extended metrics? This is where I am confused... how can that be if they are not enabled?
IS-IS Single-Topology Support for IPv6
… …
When single-topology support for IPv6 is being used, either old- or new-style TLVs may be used. However, the TLVs used to advertise reachability to IPv6 prefixes use extended metrics. Cisco routers do not allow an interface metric to be set to a value greater than 63 if the configuration is not set to support only new-style TLVs for IPv4. In single-topology IPv6 mode, the configured metric is always the same for both IPv4 and IPv6.
IS-IS Multitopology Support for IPv6
… …
When multitopology support for IPv6 is used, use the metric-style wide command to configure IS-IS to use new-style TLVs because TLVs used to advertise IPv6 information in link-state packets (LSPs) are defined to use only extended metrics.
It is not correct that we have to add the redistribute connected under each process. It would only be a problem if we had redistribute connected under each process before. In previous sections we only had to redistribute loopback 0 into OSPFv2 on R7, so only that route map has to be updated with the other interfaces.
Below is my config from R7 and it works fine. For example, R5 can see R7's connected interfaces (Gi1.67 and Tu100).
Could one of you please assist with the following:
Why are point-to-point links shown as "link connected to: another Router" and as "link connected to: a stub network", whereas an actual stub network only shows one LSA entry as "link connected to: a Stub Network"?
I used VMware passthrough to connect a couple of CSRs via a 3750 stack and I can't get sub-interfaces to route. Regular interface config works fine. I couldn't see any encap data when debugging on the switch. If anyone has successfully been able to make it work, I would love to know.
I know it wasn't the configs of the routers or switches that was the problem.
Am I right in thinking that in IOS 15.X, a poisoned summary route will NOT make it to the routing table and will NOT be advertised? Whereas in IOS 12.X, the summary route does not get placed in the routing table but still gets advertised? If my understanding is correct, I'm not sure I understand the purpose of creating a poisoned summary route in this lab. If the summary route is neither in the routing table nor advertised, why bring them into EIGRP using the network command in the first place?
I am using GNS3 to configure frame-relay. I have run into an issue with EIGRP propagation when using the frame-relay switch in GNS3 or when I configure a router as a frame-relay switch. When I used the FR switch in GNS3, I had EIGRP working but it was failing on one of the frame-relay mappings no matter what I tried. Is this something common where GNS3 just doesn't cooperate?
So I configured a router in GNS3 as a frame relay switch. No issues with frame-relay mapping - I could go from spoke to spoke. I then tried configuring EIGRP and got no neighbor formation whatsoever. I can see via debug that the interfaces were sending EIGRP hellos but not receiving them. I disabled split-horizon at the hub. I tried adding the broadcast keyword to some of the frame-relay mappings but nothing.
I apologize for the lengthy config details. Please note: all interfaces are up on the Fa0/0s.
Below is my topology and configurations
Frame-Relay-Switch#sh run
Building configuration...

Current configuration : 2099 bytes
!
!
hostname Frame-Relay-Switch

Current configuration : 141 bytes
!
interface Serial0/1
 ip address 192.168.1.1 255.255.255.0
 encapsulation frame-relay
 no ip split-horizon eigrp 1
 clock rate 2000000
end
======================
R1#sh run int fa0/0
Building configuration...

Current configuration : 94 bytes
!
interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 duplex auto
 speed auto
end
======================
R1#sh fram
R1#sh frame-relay pvc | i DLCI
DLCI = 102, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1
DLCI = 103, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/1
======================
R1#sh frame-relay map
Serial0/1 (up): ip 192.168.1.2 dlci 102(0x66,0x1860), dynamic, broadcast,, status defined, active
Serial0/1 (up): ip 192.168.1.3 dlci 103(0x67,0x1870), dynamic, broadcast,, status defined, active
=====================
R1#sh run | s router
router eigrp 1
 network 10.0.0.0
 network 192.168.0.0
 no auto-summary
====================
R1#sh ip route
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.1.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial0/1
//////////////////////////////////////////////////////////
R2#sh run int se0/2
Building configuration...

Current configuration : 158 bytes
!
interface Serial0/2
 ip address 192.168.1.2 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 192.168.1.3 201 broadcast
end
=======================
R2#sh run int fa0/0
Building configuration...

Current configuration : 94 bytes
!
interface FastEthernet0/0
 ip address 10.10.2.1 255.255.255.0
 duplex auto
 speed auto
end
=======================
R2#sh frame-rel
R2#sh frame-relay pvc | i DLCI
DLCI = 201, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/2
DLCI = 202, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/2
=======================
R2#sh frame-relay map
Serial0/2 (up): ip 192.168.1.1 dlci 201(0xC9,0x3090), dynamic, broadcast,, status defined, active
Serial0/2 (up): ip 192.168.1.3 dlci 201(0xC9,0x3090), static, broadcast, CISCO, status defined, active
=======================
R2#sh run | s router
router eigrp 1
 network 10.0.0.0
 network 192.168.0.0
 no auto-summary
=======================
R2#sh ip route
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.2.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial0/2
///////////////////////////////////////////////////
R3#sh run int se0/3
Building configuration...
Current configuration : 158 bytes
!
interface Serial0/3
 ip address 192.168.1.3 255.255.255.0
 encapsulation frame-relay
 clock rate 2000000
 frame-relay map ip 192.168.1.2 301 broadcast
end
===================
R3#sh frame-relay pvc | i DLCI
DLCI = 301, DLCI USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial0/3
DLCI = 302, DLCI USAGE = UNUSED, PVC STATUS = ACTIVE, INTERFACE = Serial0/3
===================
R3#sh frame-relay map
Serial0/3 (up): ip 192.168.1.1 dlci 301(0x12D,0x48D0), dynamic, broadcast,, status defined, active
Serial0/3 (up): ip 192.168.1.2 dlci 301(0x12D,0x48D0), static, broadcast, CISCO, status defined, active
===================
R3#sh run | s router
router eigrp 1
 network 10.0.0.0
 network 192.168.0.0
 no auto-summary
======================
R3#sh ip route
Gateway of last resort is not set
     10.0.0.0/24 is subnetted, 1 subnets
C       10.10.3.0 is directly connected, FastEthernet0/0
C    192.168.1.0/24 is directly connected, Serial0/3
=====================
R3#sh run int fa0/0
Building configuration...

Current configuration : 94 bytes
!
interface FastEthernet0/0
 ip address 10.10.3.1 255.255.255.0
 duplex auto
 speed auto
end
I'm just trying to pick your brains here to see how possible it is for me to achieve this. So here's the scenario. From the attached picture, there's already an existing IPsec VPN with the prefixes in blue; it works great, no issues at all. Now a new prefix block has been added to the network, and this new prefix block needs to go over the VPN tunnel to the ASP to access resources that are in the 192.168.200.0/23 subnet. The downside to this is that the ASP said they wouldn't add the new prefix block (172.25.4.0/22) to the interesting traffic ACL.
I know that I could use NAT to achieve this, by NATting the new block to the existing prefix that has access to the ASP. But I can't seem to wrap my head around how to get this done. The reason I say this is that the 172.25.4.0/22 block is configured as SVIs on the multilayer switch. It is more like NATting from inside to be translated to another inside IP address. But my fear is that doing this should not affect other pre-existing traffic.
I really would appreciate suggestions on how I could conquer this situation.
A general question regarding this task: is there a possibility to have several IP addresses in a transparent firewall? In this case, it is a multi-context setup, but I am curious about any other setup that implies several IP addresses.
I am reading the CCIEv5 RS Official Cert Guide and I found a discrepancy in one of the stated facts. Narbik says that VSS can support up to 256 EtherChannels. His explanation of the configuration was a little unclear, so I went to the DocCD to get a little clarification. The DocCD says that VSS supports up to 512 EtherChannels.
In the context of taking the written exam, which one do I believe?
I would think the DocCD would be the one to believe, since that is what is available to you during the lab exam.
I know they publish errata for the book occasionally, but this particular discrepancy has not yet been examined.
It also makes me wonder how many other facts are incorrect in the book.
Could you recommend a solution to create a remote lab for CCNA and CCNP in a company like rackrental, accessible from a laptop or anywhere with a secure connection, timing and session control? I have only an ADSL connection to the Internet. Should I deploy virtualization or real devices in the lab?