Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-21 Thread Imre Oszkar
Not sure if I understand you right, but the stack is supposed to match the traffic. On Wed, Jun 20, 2012 at 11:59 PM, Mike Rojas mike_c...@hotmail.com wrote: Something funny is happening to your class maps.. The stack does have a match.. why would it match? Mike

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-21 Thread Mike Rojas
No, I mean, if the packet is not mounted correctly, why would it have matches? Saying, OK it sees the Layer 2 header, fine, looks for the ethertype... 0x800, that's correct, but then.. then the IP header is missing... why would the stack match.. if the IP header is missing? Mike Date: Thu,

Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 72, Issue 75

2012-06-21 Thread Mike Rojas
I guess what I am trying to say is that it should be consistent: if the stack has missing information, the stack class map should not have matches... Here:
Class-map: TCP_STACK (match-all)
  29 packets, 1817 bytes
  5 minute offered rate 0 bps
  Match: field ETHER type eq

Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client renews IP via DHCP

2012-06-21 Thread Eugene Pefti
I was monitoring a few routers and confirmed that they receive the same IP address. Pasting show dhcp lease taken from one of them and confirming that it gets the same IP:
112_Yaletown#sh dhcp lease
Temp IP addr: XXX.XXX.166.74 for peer on Interface: FastEthernet4
Temp sub net mask:

Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client renews IP via DHCP

2012-06-21 Thread Kingsley Charles
Even if it receives the same IP address, at that second there is no IP address, and hence that might be the reason. With regards Kings On Thu, Jun 21, 2012 at 2:17 PM, Eugene Pefti eug...@koiossystems.com wrote: I was monitoring a few routers and confirmed that they receive the same IP address.

Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client renews IP via DHCP

2012-06-21 Thread Alexei Monastyrnyi
Eugene, can you snoop a bit on your DHCP traffic from the client router to see how exactly it renews its DHCP address? If you have a chance to build a lab, you can also try and put an extra device in front of your router to take the hit of changing IP address. HTH A. On 6/21/2012 6:05 PM,

Re: [OSL | CCIE_Security] IPSec VPN tunnel goes down when EzVPN client renews IP via DHCP

2012-06-21 Thread Eugene Pefti
Ta-da...!!! I did build a lab with my CCIE Cisco gear and was surprised that my EzVPN remote router stays connected without dropping the tunnel. Now I'm starting to think it has to do with the ISP DHCP server; otherwise everything else is more or less identical. I don't think it could be the

[OSL | CCIE_Security] lab 1a - task 1.11

2012-06-21 Thread Mulholland, Michael
Folks, I have a query on lab 1a task 1.11. The first part of the task asks to create a policy to check SMTP for the domain badspammer.com and then reset the connection. My config is as follows:
regex BadMail [Bb][Aa][Dd][Ss][Pp][Aa][Mm][Mm][Ee][Rr]\.[Cc][Oo][Mm]
policy-map type inspect esmtp

Re: [OSL | CCIE_Security] lab 1a - task 1.11

2012-06-21 Thread Eugene Pefti
Hello Michael, I'd say that the solution guide missed a definition of SMTP class-map that matches for ACL SMTP. Your solution is correct and it uses the default class inspection_default and applies the L7 inspection to the global policy. Task 1.11 solution gives an option to apply SMTP

[OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Eugene Pefti
What are the use cases of this no-alias NAT option? All references I found in Cisco docs say little to me. Quoting: * Autoaliasing of Pool Addresses: Many customers want to configure the NAT software to translate their local addresses to global addresses allocated from unused addresses from an

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
Hey Eugene, Are you familiar with proxy ARP? Basically, the router will answer ARP for any address that is in its range assigned to a particular interface associated with a NAT, right? Well, this command will stop the router so it doesn't do it anymore. Mike From: eug...@koiossystems.com To:

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Eugene Pefti
Hi Mike, Yes, I'm familiar with it. It's the same as, you say, sysopt noproxyarp on the ASA. My question is about why would you do it? Can someone give me a good example? I'm doing a task and it asks to configure a peer for a pair of HSRP routers. I'll have to give a sketch of the topology

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
Hi, Assuming that router 2 is not in transparent mode, taking it out wouldn't make much difference, because the packet will be routed to the next hop (R2), assuming that there is a route for the network of the ASA to be behind router 2 on the HSRP routers. It would make sense if they

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Eugene Pefti
Unfortunately it doesn't make sense to me either, because R2 runs in routed mode. I believe it's just a faulty solution in the first place. I'm not going to point fingers at who the solution provider is, but it's not IPExperts ;) From: Mike Rojas [mailto:mike_c...@hotmail.com] Sent: Thursday,

Re: [OSL | CCIE_Security] Need help understanding no-alias NAT option

2012-06-21 Thread Mike Rojas
Yep, Anyone who thinks differently is very appreciated... Mike From: eug...@koiossystems.com To: mike_c...@hotmail.com; ccie_security@onlinestudylist.com Subject: RE: [OSL | CCIE_Security] Need help understanding no-alias NAT option Date: Fri, 22 Jun 2012 03:17:55 +

[OSL | CCIE_Security] dual armed EZVPN

2012-06-21 Thread Imre Oszkar
Hi guys, R4 (EZ remote) -R6(EZ SERVER) -- (EZ vpn client) The crypto map on R6 is applied to both interfaces (the one facing R4 and the one facing the test PC). Both EzVPN clients are able to connect; however, I noticed one interesting thing. The peer address on the clients must be the IP

[OSL | CCIE_Security] Subject: Need help understanding no-alias NAT option

2012-06-21 Thread Imre Oszkar
Let's say the ASA is connected to a PVLAN-enabled L2 network. In that case I would use sysopt noproxyarp. Hi Mike, Yes, I'm familiar with it. It's the same as, you say, sysopt noproxyarp on the ASA. My question is about why would you do it? Can someone give me a good example? I'm

Re: [OSL | CCIE_Security] dual armed EZVPN

2012-06-21 Thread Eugene Pefti
Can you show the crypto maps applied to R6 interfaces? From: ccie_security-boun...@onlinestudylist.com [mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Imre Oszkar Sent: Thursday, June 21, 2012 8:48 PM To: ccie security Subject: [OSL | CCIE_Security] dual armed EZVPN Hi guys,

Re: [OSL | CCIE_Security] dual armed EZVPN

2012-06-21 Thread Imre Oszkar
R6#sh run | sec crypto
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group EZ
 key cisco
 pool remote
 acl split
crypto isakmp profile EZ
 match identity group EZ
 client authentication list EZ
 isakmp authorization list EZ
 client

Re: [OSL | CCIE_Security] dual armed EZVPN

2012-06-21 Thread Eugene Pefti
Is having only one crypto map a requirement? I'd have two different crypto maps applied to Fa0/1 and Ser0/1/0. From: Imre Oszkar [mailto:oszk...@gmail.com] Sent: Thursday, June 21, 2012 9:29 PM To: Eugene Pefti Cc: ccie security Subject: Re: [OSL | CCIE_Security] dual armed EZVPN R6#sh run | sec