Channel: IEOC - INE's Online Community

ASA - pkts encaps/decaps but not encrypt/decrypt


Hi,

From time to time I have a problem with one peer, and I see that packets are encaps/decaps but not encrypt/decrypt:

#pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0


after a while (sometimes a reboot of the peer) everything is OK:

#pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
#pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884


I don't change any configuration. The peer is probably a Check Point, and I don't know if they change anything in their config. I'm trying to guess what the reason for such symptoms could be. Any ideas?
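To pin the symptom down without guessing, here is a small added check (not from the original post) that parses the counter lines quoted above, reports any pair where packets are handed to the SA (encaps/decaps) while the crypto-engine counters (encrypt/digest, decrypt/verify) stay at zero, and compares two snapshots so the condition is judged on counters that are still moving rather than on stale totals. The sample strings are the post's own numbers; the counter names and their pairing come from the output format, while treating a counter that went backwards as a cleared or rekeyed SA is my assumption.

```python
import re

# Constructed samples: the two counter snapshots quoted in the post above.
STUCK_SNAPSHOT = """\
#pkts encaps: 6687, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 7498, #pkts decrypt: 0, #pkts verify: 0
"""

HEALTHY_SNAPSHOT = """\
#pkts encaps: 168362, #pkts encrypt: 168362, #pkts digest: 168362
#pkts decaps: 194884, #pkts decrypt: 194884, #pkts verify: 194884
"""

COUNTER = re.compile(r"#pkts (\w+): (\d+)")

# Each tuple pairs the counter of packets handed to the SA with the
# crypto-engine counter that should track it, plus a human-readable label.
PAIRS = [
    ("encaps", "encrypt", "outbound: encapsulated but never encrypted"),
    ("encaps", "digest", "outbound: encapsulated but never authenticated"),
    ("decaps", "decrypt", "inbound: decapsulated but never decrypted"),
    ("decaps", "verify", "inbound: decapsulated but never verified"),
]


def parse_counters(text):
    """Map counter name -> int from 'show crypto ipsec sa' counter lines."""
    return {name: int(value) for name, value in COUNTER.findall(text)}


def delta(old, new):
    """Per-counter increase between two snapshots.

    Assumption: a counter lower than before means the SA was cleared or
    rekeyed, so the new absolute value is taken as the increase.
    """
    out = {}
    for name, value in new.items():
        prev = old.get(name, 0)
        out[name] = value if value < prev else value - prev
    return out


def findings(counters):
    """Counter pairs where traffic reached the SA but the engine count is zero."""
    hits = []
    for wrapped, processed, what in PAIRS:
        w, p = counters.get(wrapped, 0), counters.get(processed, 0)
        if w > 0 and p == 0:
            hits.append(f"{what} ({wrapped}={w}, {processed}={p})")
    return hits


def sa_is_healthy(counters):
    """True when no encaps/decaps counter is running ahead of a zero engine counter."""
    return not findings(counters)


if __name__ == "__main__":
    stuck = parse_counters(STUCK_SNAPSHOT)
    healthy = parse_counters(HEALTHY_SNAPSHOT)
    for line in findings(stuck):
        print("stuck:", line)
    print("healthy snapshot ok:", sa_is_healthy(healthy))
    print("delta since stuck snapshot ok:", sa_is_healthy(delta(stuck, healthy)))
```

If the delta between two consecutive captures still reports findings, the mismatch is current rather than a leftover from an earlier SA, which narrows the window in which to collect debugs on both sides.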


Configure PIM RP on transit routers?


Hi all,

When using a static RP, can I just configure the RP address on the first-hop router, the last-hop router and the RP itself? Or do ALL routers in the transit path need to know the RP?

Thanks

B

ASA and DMVPN


Hi guys

I've recently bought a Cisco ASA 5506-X and I need to implement it in my network, but I have multiple sites connected together through DMVPN,

and I want to put the firewall behind the hub as described in the screenshot. Also, all spokes must be able to reach the server that is connected to R1 and the network that has the ASA. So guys, I need help, any ideas please :D

The things that I'm worried about are how to pass the DMVPN traffic through, and also the routing from the ASA to the hub to R1 and vice versa.

DMVPN Based On PKI

Guys, I need a little help setting up DMVPN with PKI. As of now my DMVPN is running with a pre-shared key. We have 2 ASRs, and what I am looking at is a subordinate CA server. For the primary hub (root CA) config I am getting references from various sites, but where I am getting confused is the subordinate CA. Can anyone please walk me through this?

Nexus 1000V questions

I'm still trying to figure out how the Nexus 1000V works and have a few questions:

1. I know the bold part refers to the ESXi host UUID. What is the front part for?

    vem X host id 0811e9e7-98cd-e411-1111-2222233333444

2. I'm using L3 mode VSM->vCenter->VEM. When vCenter registers the VEM, which IP is it using? The ESXi host management IP address?

3. Are we usually using the UCS management IP pool for this vCenter-to-VEM connection, or a special VLAN for control/management?

Routing over VPC

Hi Team,

We have 4 Nexus 5K boxes, which have 4 different VLANs. Two 5Ks are in one location and another pair of 5Ks are in another location. We have Metro Ethernet connectivity over which we are running vPC.

Now my client is asking to run OSPF over these 4 boxes.

N5k1 -- N5K3
  ||     ||
N5k2 -- N5k4

F-Port Trunking with NPV and FCoE

Hi, I'm having trouble getting F-Port trunking to work with NPV and FCoE for multiple VSANs, and I'm hoping someone can shed some light. My topology is very straightforward: I have N5K1 set up as an FCoE switch with NPIV enabled, and my second switch is N5K2 with fcoe-npv enabled. Int e1/1 is my link. Now, when I set up my interfaces (Ethernet and vfc), I have absolutely no problem with a single VSAN (VSAN 10). Below are the salient pieces of config and the output (you will note I have provisioned VLANs 20 and 30 as well, with the respective VSAN config, but I'm not yet using them):

N5K1:

feature fcoe
feature npiv

vlan 10
  fcoe vsan 10
vlan 20
  fcoe vsan 20
vlan 30
  fcoe vsan 30
vsan database
  vsan 10 name "fcoe-vsan10"
  vsan 20 name "fcoe-vsan20"
  vsan 30 name "fcoe-vsan30"

interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  spanning-tree port type edge trunk

interface vfc1
  bind interface ethernet 1/1
  switchport mode f
  switchport trunk allowed vsan 10
  no shutdown

N5K2:

feature fcoe-npv
feature lacp
feature lldp

vlan 10
  fcoe vsan 10
vlan 20
  fcoe vsan 20
vlan 30
  fcoe vsan 30
vsan database
  vsan 10 name "fcoe-vsan10"
  vsan 20 name "fcoe-vsan20"
  vsan 30 name "fcoe-vsan30"

interface Ethernet1/9
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  spanning-tree port type edge trunk

interface vfc1
  bind interface ethernet 1/1
  switchport mode NP
  switchport trunk allowed vsan 10
  no shutdown

N5K1 Outputs:

N5K1(config-if)# sh int vfc1
vfc1 is trunking
    Bound interface is ethernet 1/1
    Hardware is Ethernet
    Port WWN is 20:00:54:7f:ee:3c:85:ff
    Admin port mode is F, trunk mode is on
    snmp link state traps are enabled
    Port mode is TF
    Port vsan is 1
    Trunk vsans (admin allowed and active) (10)
    Trunk vsans (up)                       (10)
    Trunk vsans (isolated)                 ()
    Trunk vsans (initializing)             ()
    1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
    1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
      603 frames input, 68788 bytes
        0 discards, 0 errors
      701 frames output, 96936 bytes
        0 discards, 0 errors
    last clearing of "show interface" counters never
    Interface last changed at Mon Aug 12 09:07:02 2013


N5K1(config-if)# sh vsan 10
vsan 10 information
         name:fcoe-vsan10  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up

N5K2 Outputs:

N5K2(config)# sh int vfc1
vfc1 is trunking
    Bound interface is ethernet 1/1
    Hardware is Ethernet
    Port WWN is 20:00:54:7f:ee:21:3f:ff
    Admin port mode is NP, trunk mode is on
    snmp link state traps are enabled
    Port mode is TNP
    Port vsan is 1
    Trunk vsans (admin allowed and active) (10)
    Trunk vsans (up)                       (10)
    Trunk vsans (isolated)                 ()
    Trunk vsans (initializing)             ()

    1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
    1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
      164 frames input, 26088 bytes
        0 discards, 0 errors
      92 frames output, 13160 bytes
        0 discards, 0 errors
    last clearing of "show interface" counters never
    Interface last changed at Mon Aug 12 09:17:33 2013


N5K2(config)# sh vsan 10
vsan 10 information
         name:fcoe-vsan10  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up

Okay, so we're good for VSAN 10.

Now, when I add VSANs 20 and 30 to each of the VFC interfaces on N5K1 and N5K2, such that my config now looks like this:

interface vfc1
  bind interface ethernet 1/1
  switchport trunk allowed vsan 10
  switchport trunk allowed vsan add 20
  switchport trunk allowed vsan add 30
  no shutdown

I get the following (on both switches):

N5K1(config)# sh int vfc1
vfc1 is trunking
    Bound interface is ethernet 1/1
    Hardware is Ethernet
    Port WWN is 20:00:54:7f:ee:3c:85:ff
    Admin port mode is F, trunk mode is on
    snmp link state traps are enabled
    Port mode is TF
    Port vsan is 10
    Trunk vsans (admin allowed and active) (10,20,30)
    Trunk vsans (up)                       (30)
    Trunk vsans (isolated)                 ()
    Trunk vsans (initializing)             (10,20)
    1 minute input rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
    1 minute output rate 0 bits/sec, 0 bytes/sec, 0 frames/sec
      625 frames input, 71556 bytes
        0 discards, 0 errors
      743 frames output, 104668 bytes
        0 discards, 0 errors
    last clearing of "show interface" counters never
    Interface last changed at Mon Aug 12 09:17:21 2013


N5K-p3-1(config)# sh vsan 10
vsan 10 information
         name:fcoe-vsan10  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:down

N5K-p3-1(config)# sh vsan 20
vsan 20 information
         name:fcoe-vsan20  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:down

N5K-p3-1(config)# sh vsan 30
vsan 30 information
         name:fcoe-vsan30  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up

I can't get all VSANs into the UP state, and for some reason VSAN 30 has gone 'UP' but VSAN 10 (which was previously UP) is now 'DOWN', and VSANs 10 and 20 just say 'initializing'.

I don't think it's something I have misconfigured; more likely I'm missing something? Either that, or F-Port trunking (TF) is different from what I'm thinking, and only a single VSAN can go between the switches?

Probably me and something very simple :-)

Thanks

Dominic
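As an added aid (not part of Dominic's post), the following script parses the 'show interface vfc' excerpts above, lists every admin-allowed VSAN that is not up together with the state it is reported in, and compares the allowed lists from both ends of the link. The sample is the N5K1 output after VSANs 20 and 30 were added; the assumption built into compare_sides is that a VSAN allowed on only one end of a TF/TNP trunk cannot come up, which is my reading, not something stated in the thread.

```python
import re

# Constructed sample: the N5K1 'show interface vfc1' excerpt quoted above,
# captured after VSANs 20 and 30 were added to the trunk.
VFC_OUTPUT = """\
vfc1 is trunking
    Bound interface is ethernet 1/1
    Admin port mode is F, trunk mode is on
    Port mode is TF
    Port vsan is 10
    Trunk vsans (admin allowed and active) (10,20,30)
    Trunk vsans (up)                       (30)
    Trunk vsans (isolated)                 ()
    Trunk vsans (initializing)             (10,20)
"""

# One line per trunk state: label in the first parentheses, VSAN list in the second.
TRUNK_LINE = re.compile(
    r"Trunk vsans \((admin allowed and active|up|isolated|initializing)\)\s+\(([\d,]*)\)"
)


def parse_vfc(text):
    """Return port mode, port VSAN and the per-state VSAN sets from a vfc dump."""
    info = {"mode": None, "port_vsan": None, "states": {}}
    m = re.search(r"Port mode is\s*(\w+)", text)  # tolerates the 'isTF' spacing glitch
    if m:
        info["mode"] = m.group(1)
    m = re.search(r"Port vsan is\s*(\d+)", text)
    if m:
        info["port_vsan"] = int(m.group(1))
    for label, vsans in TRUNK_LINE.findall(text):
        info["states"][label] = {int(v) for v in vsans.split(",") if v}
    return info


def stuck_vsans(info):
    """Map each admin-allowed VSAN that is not up to the state it is reported in."""
    states = info["states"]
    allowed = states.get("admin allowed and active", set())
    up = states.get("up", set())
    result = {}
    for vsan in sorted(allowed - up):
        for label in ("isolated", "initializing"):
            if vsan in states.get(label, set()):
                result[vsan] = label
                break
        else:
            result[vsan] = "unknown"
    return result


def compare_sides(local, remote):
    """Allowed-VSAN mismatch between the two ends of the link.

    Assumption: a VSAN allowed on only one side of a TF/TNP trunk cannot
    come up, so each one-sided entry is a configuration problem to fix first.
    """
    a = local["states"].get("admin allowed and active", set())
    b = remote["states"].get("admin allowed and active", set())
    return {"only_local": sorted(a - b), "only_remote": sorted(b - a)}


if __name__ == "__main__":
    n5k1 = parse_vfc(VFC_OUTPUT)
    print("mode:", n5k1["mode"], "port vsan:", n5k1["port_vsan"])
    print("not up:", stuck_vsans(n5k1))
    # Both switches were pasted with identical trunk lists, so no mismatch here.
    print("mismatch:", compare_sides(n5k1, n5k1))
```

Feeding both switches' outputs into compare_sides gives a quick allowed-list mismatch check before looking deeper; stuck_vsans on each side then shows whether the remaining VSANs are isolated or still initializing, which is the first thing to compare between the two ends.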

 

Show memory VS show processes memory

Hi,

Can you please tell me which memory is meant in each show command?

Show memory VS show processes memory

WB v5 ATC - IP Routing - Reliable Policy Routing

When testing the failover on R6 to reach 150.1.5.5, R5 failed to have a return path via 155.1.0.3. This is due to the default route on R5 pointing to 155.1.0.1 while the Tunnel0 interface is down on R1 to simulate the failover.

For a quick fix, but not necessarily to fix the whole failover sequence, just add a static route to 155.1.146.6 via 155.1.0.3 during the failover.

If this is actually required to fix the whole failover, R5 needs to be able to swing between 155.1.0.1 and 155.1.0.3 when CDP fails on R1. To do this, just use another tracker on R5.

Can anyone refute whether this actually works without making additional adjustments?

Otherwise, to INE: please modify the scenario.

THX
DSU

using PKI with GETVPN

Hi,

I was reading the GETVPN design and implementation guide on the Cisco website and noticed the writer has written that if we want to use certificates instead of the ISAKMP policy, which is the very initial part of the configuration, we should generate an RSA key, e.g. KEY-1, but we should generate another RSA key, e.g. KEY-2, for the KS policy and sync process. The exact text that has been copied/pasted is as follows:

"RSA keys used for PKI are different than the RSA keys generated and used for KS synchronization and policy generation. The KS COOP RSA keys must be the same on all KS serving a group, while KS CA RSA keys should be unique"

So if we have just one KS in our network, can we use the same key (KEY-1) for both processes (initial registration of the GMs to the KS, and KS policy/sync)? I mean we can generate an RSA key (KEY-1) with the crypto key generate rsa key mod 1024 label KEY-1 command on the KS and GM devices and take advantage of it during the whole process. Why has the document generated 2 separate RSA keys?

CLI "shortcuts" for remembering defaults? Tricks and Tips post

Hi all,

I'm about to sit my lab exam and was wondering if others have "tips and tricks" as far as using Cisco IOS to our advantage to remember specific defaults. I know these defaults can be changed so we must be careful, but for the most part, when taking the test we should already know what the defaults are, and if we are just under the pressure of the test, we should still be able to recognize a red flag based on information in our subconscious somewhere.

For example, useful ones that I've found, and hopefully they help others, are:

  • sh ip protocols (of course :D)
  • sh ip port-map | i [port or application]. E.g. sh ip port-map | i bgp (shows how IOS has ports programmed into its services; helpful for ACLs).
  • sh ip nbar port-map | i [port or application]; similar to the above, but not as many ports available to grep/parse for.
  • Remembering IP Precedence or DSCP formats/values:
    1. Create a "fake" class map.
    2. match ip precedence (or dscp) then ?; will list all precedence or DSCP values and their bit/number value.
  • Of course we can look at "sh run all | i [something]", but that takes too long.

Others?

Written Experience - need suggestions

Afternoon,

Obviously without breaking any NDAs, could anyone who's passed the written just recently share their study sources for their success? Did you find a specific group of documents from the Cisco site more applicable to the exam?

I took my first attempt just this week, and though I was extremely prepared and nearly passed, I found myself missing some of the vaguer configuration-specific questions. It felt like Cisco was looking for me to read some specific white paper on a technology, some of which I'm still searching for, as I can't find definitive answers to them (too many of Cisco's new and old docs contradict themselves or don't mention it at all). I did far too much guessing on what Cisco felt was the right answer at the time vs what currently exists, and I want to see if I can't fix that for round two; the exam is too expensive to guess on anything.

I really feel that the cert books and INE reading list are great, and nearly got me there! There are just some key things Cisco wants answered the Cisco way to pass.

Feel free to let me know if I've broken any rules and I'll take this down.

Thanks,

Netflow in Nexus ?

If I want to capture NetFlow traffic between clients inside a VLAN, and from clients to the outside world via the gateway (SVI on that VLAN), is this the right way to do it?

1. Between clients inside the VLAN:

    vlan configuration X
      ip flow monitor MONITOR input
      ip flow monitor MONITOR output

2. Clients to the outside world via the gateway (SVI on that VLAN):

    interface vlan X
      ip flow monitor MONITOR input
      ip flow monitor MONITOR output

Note:

This is assuming the flow record, flow exporter and flow monitor have been set up.

 

FCIP fspf cost

If there are 2 FCIP links and I want to make one of them primary, this is easy enough:

    interface fcip 10
      fspf cost 1 vsan X

But if I bundle both fcip 10 and 20 into a port-channel, is fcip 10 still the primary inside the port-channel?

CSR1000v Unable to communicate

I must be missing something stupid, but I can't figure it out.

I have 2 ESXi hosts running 5.5. I have tried to install the CSR1000V on both, but have the same problem. I can get it installed and booted, and assign an IP address to the Gi1 interface. I cannot ping or get any kind of communication with any other device in the same VMware port group. I've tried this so many times.

On the same host, in the same port group, I have deployed 2 CSR1000Vs; I also have two Windows 2008 servers in the same port group. All are on the same subnet. The servers can communicate without issue, but they cannot ping the router, and the router can't ping anything except itself. ARP entries show as incomplete.

I just don't get it.


NAT on Interface

Hi,

On the ASA you can NAT to the interface range (the IPs not being used). For example, if the interface IP is 1.1.1.1/24, then you can use the rest for NAT (except the other side, of course).

My question is, can we do the same thing on a router? Check the config below, please:

    int g0/1
     ip add 1.1.1.1 255.255.255.248  (considering .2 is the upstream device)
     ip nat outside

    int g0/0
     ip add 172.16.1.1 255.255.255.0
     ip nat inside

Can I write the one below?

    ip nat inside source static tcp 172.16.1.100 80 1.1.1.4 80

It doesn't work when I test it, but if I create a loopback with a separate IP and NAT to that, it works.

Thanks
Samy

iBGP over vPC

Dear All,

Back to the subject of routing not being supported over vPC.

I am thinking it's possible to use iBGP routing over a vPC port-channel with Nexus 7Ks in case the peer-gateway feature is enabled.

At least I can't prove the opposite in the lab.

Building INE's RSv5 topology on VIRL

Books for CCNP Route

Hi,

So I've passed my CCNP SWITCH exam and am starting to look into prepping for my ROUTE exam. What are the best books to use alongside the INE CCNP ROUTE videos?

I used the Cisco Official Cert Guides for my CCNA and CCNP SWITCH and felt some topics were either lightly covered or missed out. There are mixed reviews on the CCNP ROUTE Official Cert Guide, so that is putting me off it.

PBR : Tcam Allocation Failure ?

7K(config-if)# interface vlan <>

7K(config-if)# ip policy route-map PBR

% Could not apply PBR route-map - Tcam Allocation Failure

I cannot apply it on an SVI but can apply it on a regular Layer 3 interface.

Why is that? Software bug? Software limitation? Or am I doing something wrong above?