the configuration for cTCP is pretty straightforward, but I can't
find any references to it being used with DMVPN. Thanks!
--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
He not busy being born is busy dying - Dylan
___
Free CCIE RS
I am just wondering if any of you have deployed the identity firewall feature
in a production environment so you can integrate ACLs with AD/Users/Groups?
How do you like it? Are there any gotchas and would you recommend it?
I am thinking of deploying this to allow only specific users and
.
Thanks!
___
Free CCIE RS, Collaboration, Data Center, Wireless Security Videos ::
iPexpert on YouTube: www.youtube.com/ipexpertinc
Oh - to confuse me more, when I SSH directly to the admin context it looks
as I would expect - ASA/admin/pri/act#
So I am really wondering why when I SSH directly to the admin context I get
the full string but when I SSH to a user context I don't.
On Thu, Dec 12, 2013 at 1:23 PM, Joe Astorino
that received the packet.
What am I missing?
about :-)
On Thu, Dec 12, 2013 at 1:40 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Say we have a hierarchical DMVPN environment. We have a west region
consisting of a hub and 2 spokes, an east region with a hub and 2 spokes
and a central hub tying it all together. The west and east hubs
) That was a hint ;-)
On Thu, Dec 12, 2013 at 3:29 PM, Joe Astorino joeastorino1...@gmail.com wrote:
1) no captures. At this stage it is purely educational and for my
amusement
2) based on the dissection of several LIVE! presentations, articles,
blogs and documentation I can almost assure
believe the one sent from the local hub is all that
matters, and the redirect received by the local hub milliseconds later from
the central hub is simply dropped.
On Thu, Dec 12, 2013 at 8:05 PM, Joe Astorino joeastorino1...@gmail.com wrote:
I think I might have it! When central hub gets
...@gmail.com
wrote:
As far as I know, ip admission is just the new command and ip auth-proxy
left for compatibility.
2013/11/25 Joe Astorino joeastorino1...@gmail.com
These two features seemingly are very much the same. I'm trying to
figure out what the difference is between them? Do
These two features seemingly are very much the same. I'm trying to figure
out what the difference is between them? Do they do different things or is
ip admission control simply a newer way to accomplish auth proxy?
Why would you use one over the other? Thanks!
information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
, 2013 8:59 AM
*To:* Joe Astorino; ccie_security@onlinestudylist.com
*Subject:* Re: [OSL | CCIE_Security] 8.4 VPN Hairpin
Joe;
(Stupid Outlook sorry for the previous e-mail)
object network obj_any
nat (any,outside) dynamic interface
Let's say that the VPN client goes out
down to the return traffic. Why would the return
traffic hit the nat (any,outside) rule and not just be unnatted going back
to where it came from based on the xlate table.
Thanks for any help
Oh crap. I fed the troll. If anybody moderates this list, please remove
my initial response!!! I was so excited for the guy, I didn't read the
whole email :(
On Wed, Jun 19, 2013 at 10:08 AM, Joe Astorino joeastorino1...@gmail.com wrote:
Hey Alice, congratulations!!! That is an amazing
, Jagdish Hamirge
jagdish.hami...@gmail.com wrote:
congratulations
On Wed, Jun 19, 2013 at 7:38 PM, Joe Astorino
joeastorino1...@gmail.com wrote:
Hey Alice, congratulations!!! That is an amazing accomplishment and I
know it is an amazing feeling when you pass. Way to go and good luck
Anybody? Really interested to know the answer. I have read everything I can
find on the topic.
Sent from my iPhone
On Jun 19, 2013, at 9:42 AM, Joe Astorino joeastorino1...@gmail.com wrote:
So another NAT question with 8.4 code. Say you have RA VPN configured such
that the VPN pool
Date: Wed, 19 Jun 2013 21:31:17 -0400
To: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] 8.4 VPN Hairpin
Anybody? Really interested to know the answer. I have read everything I can
find on the topic.
Sent from my iPhone
On Jun 19, 2013, at 9:42 AM, Joe Astorino joeastorino1
Any preference as to which one and why? Most examples I see are
referencing the auto NAT method for this purpose. I know manual NAT is
ahead of auto NAT from a precedence stand point, just wondering why one
might use one or the other?
Sigh...I miss the old way
- IPexpert, Inc.
URL: http://www.IPexpert.com
On Tue, Jun 18, 2013 at 6:13 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Hi guys,
Just starting down the road of the new ASA NAT. I have a simple question.
I see there are 2 ways you can do dynamic PAT
1) Auto NAT
object network obj_any
-any2
subnet 0.0.0.0 0.0.0.0
nat (inside,outside2) source dynamic interface
2) Manual NAT - Just create two rules
nat (inside,outside) source dynamic any interface
nat (inside,outside2) source dynamic any interface
Thoughts?
On Tue, Jun 18, 2013 at 2:49 PM, Joe Astorino joeastorino1
I am playing with IOS IPS, specifically with CCP 2.6. Inside CCP we
can load two general types of signature files:
- .zip file specifically for use with CCP that is downloaded to the pc
OR
- .pkg file. We can point to a pkg file stored on flash or tftp, etc.
this would be the only file type we
*From:* Joe Astorino joeastorino1...@gmail.com
*To:* Jay McMickle jay.mcmic...@yahoo.com
*Cc:* CCIE Security Maillist ccie_security@onlinestudylist.com
*Sent:* Monday, April 29, 2013 9:29 AM
*Subject:* Re: [OSL | CCIE_Security] CCIE Security, passed!
Jay! Congratulations man! I've been
anybody explain
why routing is happening POST nat here???
.
Hope I was helpful.
Good studies,
Kevin Sheahan
From: Joe Astorino joeastorino1...@gmail.com
Date: Monday, April 22, 2013 3:50 PM
To: OSL Security ccie_security@onlinestudylist.com
Subject: [OSL | CCIE_Security] 8.2 static outside NAT
I could really use some clarification here. Here is my
, 2013 at 4:44 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Hi Kevin,
Thanks for the reply, but your example is talking about what would happen
on an outside -- inside flow. In that case what you are saying makes
sense. However, when going from inside to outside I believe the rules
Hm... apologies as that article is specifically for IOS routers and not
the ASA. I can't imagine why the ASA would behave differently. Anybody?
On Mon, Apr 22, 2013 at 4:46 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Also, please see
http://www.cisco.com/en/US/tech/tk648/tk361
it with 'sh
asp drop'.
Regards,
Piotr Matusiak
On 4/22/13 9:50 PM, Joe Astorino wrote:
I could really use some clarification here. Here is my setup
ASA running 8.2 code. nat-control is not enforced. Requirement is that
traffic destined to 192.168.10.241 on the inside will have
.
On Mon, Apr 22, 2013 at 5:01 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Thanks Piotr. So in this case I do not have a route for the mapped
address anywhere. I only have a default-route pointing inside. In my
case, based on what you are saying the following would happen
- routing
.
Regards,
Jay McMickle- 3x CCNP (RS,Security,Design), CCIE #35355 (RS)
--
*From:* Joe Astorino joeastorino1...@gmail.com
*To:* OSL Security ccie_security@onlinestudylist.com
*Sent:* Monday, April 22, 2013 2:50 PM
*Subject:* [OSL | CCIE_Security] 8.2 static
it helps :-)
--
Marta Sokołowska.
the not-advertise option available. To do that though, the route you want
unreachable on the inside would have to be redistributed into OSPF in the
first place.
On Wed, Apr 10, 2013 at 4:59 PM, Joe Astorino joeastorino1...@gmail.com wrote:
Yes, the prefix-list is one of those few commands where
this with the packet-tracer and then analyze the situation...=D
BR,
Bruno Silva
2012/12/19 Joe Astorino joeastorino1...@gmail.com
I appreciate that , but that does not make any sense to me per this
statement in the configuration guide:
Similarly, if you enable outside dynamic NAT or PAT, then all
nat-control enabled. The statement is in the section describing
nat-control, specifically in the section describing how nat-control
works in conjunction with dynamic outside nat.
I conclude that what I am seeing is normal.
On Fri, Dec 21, 2012 at 11:26 AM, Joe Astorino
joeastorino1...@gmail.com
Nobody?
On Thu, Dec 13, 2012 at 4:18 PM, Joe Astorino joeastorino1...@gmail.com wrote:
So in 8.2 code we had this concept of nat-control that when enabled
required a nat translation from higher to lower security level
interfaces. Fine, no problems. When we disable this feature via no
nat
...@fni-stl.com wrote:
To me it sounds like the statement from the configuration guide doesn't apply
to outside NAT then, and I have no experience that is applicable to offer any
other insights.
Brian
-Original Message-
From: Joe Astorino [mailto:joeastorino1...@gmail.com]
Sent
interface passes
through to the inside interface with no NAT rule or NAT exemption
configured. Is this the expected behavior?
Thank You!
, Piotr Matusiak pi...@howto.pl wrote:
Hi Joe,
You can use NULL encryption while configuring transform-set for a specific
crypto ACL.
Regards,
Piotr
On 12/13/12 6:52 PM, Joe Astorino wrote:
This may seem basic, but I was wondering -- Is there a way to send
traffic over a L2L VPN
Yes I don't see why straight up NAT-T would not work like others have said.
That is exactly what it is designed to do. The ESP will be encapsulated in
UDP 4500 datagrams after phase 1 determines there is NAT and negotiates
NAT-T
Sent from my iPhone
On Nov 22, 2012, at 1:13 PM, Adrian Campos
CCNA, CCSP, CCNP, CCIP, CCIE#35914
free of charge (at least they did back in 2009 when
I took my lab)
On Wed, Jun 13, 2012 at 10:08 AM, Johan Bornman jo...@isc.co.za wrote:
Thanks, Joe. Much appreciated.
On 13 Jun 2012, at 15:43, Joe Astorino joeastorino1...@gmail.com wrote:
I had a good experience with the Wingate hotel
Ooops I meant to say OSPF is NOT vendor specific of course lol
Sent from my iPhone
On Jun 12, 2012, at 4:47 PM, Joe Astorino joeastorino1...@gmail.com wrote:
RIP should be something on your tombstone, not something in your
network - Russ White : )
Seriously, unless you have some customer
,
Piotr
-Original Message- From: Joe Astorino
Sent: Tuesday, May 15, 2012 4:34 PM
To: Piotr Matusiak
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] DPD preemption?
I'm sure I am misunderstanding you, because as you know the ASA cannot
do dynamic routing over
: ccie_security-boun...@onlinestudylist.com
[mailto:ccie_security-boun...@onlinestudylist.com] On Behalf Of Piotr Matusiak
Sent: Tuesday, May 15, 2012 7:50 AM
To: Joe Astorino
Cc: ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] DPD preemption?
It's nothing uncommon. See
) ?
-Original Message-
From: Joe Astorino [mailto:joeastorino1...@gmail.com]
Sent: Tuesday, May 15, 2012 2:18 PM
To: Eugene Pefti
Cc: Piotr Matusiak; ccie_security@onlinestudylist.com
Subject: Re: [OSL | CCIE_Security] DPD preemption?
So I labbed this up. I was able to get it working, but I am
after the primary comes back
up. Is there a way to accomplish that?
I would want it to fail back over to the primary because the primary
will be geographically closer and yield better response times.
Is there a better way to do something like this?
to violate the NDA)
Best Regds,
Ruwan.
.
With policing, Tc is the seconds for which tokens are put in the bucket.
With regards
Kings
On Mon, Apr 23, 2012 at 7:26 PM, Joe Astorino
joeastorino1...@gmail.com wrote:
The formulas for calculating the Bc and Be for policing are how you have
defined them, but I would be careful with the use
windows clients that receive IP addresses through IOS DHCP whereby the
pool is configured with hardware-address. The client is NOT using
BOOTP. So...there is my explanation.
On Tue, Apr 17, 2012 at 1:54 PM, Joe Astorino joeastorino1...@gmail.com wrote:
I have systems in production environment
. It is using hardware address in the configuration and works fine
On Mon, Apr 16, 2012 at 12:32 PM, Kingsley Charles
kingsley.char...@gmail.com wrote:
So, hardware address can be only used with bootp request.
With regards
Kings
On Mon, Apr 16, 2012 at 7:17 PM, Joe Astorino
joeastorino1
FYI a good read on the topic from Ivan the great:
http://blog.ioshints.info/2008/06/static-dhcp-assignment-for-clients.html
On Mon, Apr 16, 2012 at 2:06 PM, Joe Astorino joeastorino1...@gmail.com wrote:
I never got that impression. Like I said, I have multiple clients setup on
a Cisco DHCP
address.
Thanks
Simon
:* Joe Astorino [mailto:joeastorino1...@gmail.com]
*Sent:* 22 March 2012 17:55
*To:* Piotr Kaluzny
*Cc:* Eugene Pefti; ccie_security@onlinestudylist.com
*Subject:* Re: [OSL | CCIE_Security] Application not inspected once
deniede
So if I am understanding you correctly, the end
. *
On Thu, Mar 22, 2012 at 4:27 PM, Joe Astorino joeastorino1...@gmail.com
wrote:
This is probably a dumb question, but I don't care : ) I don't
understand the logic of this situation. Why should the traffic be
inspected if it is explicitly denied in the first class map? At first
glance, I
, Christ...
In plain old English it should have said:
If you match the traffic for HTTP inspection in your custom class then the
ASA will not match the same HTTP traffic in the default class.
Correct ?
*From:* Joe Astorino [mailto:joeastorino1...@gmail.com
why?
/ccie_security@onlinestudylist.com/msg07563.html
On Tue, Mar 20, 2012 at 1:39 PM, Joe Astorino joeastorino1...@gmail.com wrote:
I am pretty sure this is possible to do, but I can't get it working.
The negotiation and tunnel works fine, but it always happens using
main mode by default. I have tried both
Coincidentally, I am running 12.4(15)T, lol. Thanks man.
On Tue, Mar 20, 2012 at 4:54 PM, Piotr Matusiak pi...@howto.pl wrote:
It can be done. It works on 12.4(24)T and above. It does not work on
12.4(15)T.
Regards,
Piotr
2012/3/20 Joe Astorino joeastorino1...@gmail.com
It appears
. That is going to cause some looping
of frame.
With regards
Kings
On Mon, Mar 19, 2012 at 2:34 AM, Joe Astorino joeastorino1...@gmail.com
wrote:
MAC addresses are not stored in tags. There is only a single source
and destination MAC address in the frame. As far as I understand it,
SW2
with 2 tags, the frame is only switched based on the
outside tag.
On Mon, Mar 19, 2012 at 2:51 AM, Joe Astorino joeastorino1...@gmail.com wrote:
I'm sure there is a reason why every document ever written on the
subject says that to prevent double tagging vlan hopping attack, one
solution
expires?
please and thank you!
On Mon, Mar 19, 2012 at 10:20 AM, Joe Astorino
joeastorino1...@gmail.com wrote:
Hello,
My current understanding is that the TEK pushed down to GMs in GETVPN
is based on the IPSEC transform-set / profile configured on the KS.
Under the IPSEC profile we can set the SA
TEK lifetime of 24h, the rekey will trigger every 2h. This is
because there is pseudo-time delivered/sync between KS and GMs. The TEK does
not change every 2 hours tho.
2012/3/19 Joe Astorino joeastorino1...@gmail.com
I think I figured it out after doing some more reading. I am pretty
at 5:49 AM, Joe Astorino joeastorino1...@gmail.com
wrote:
Here is how I understand the attack. Let's imagine the following setup
ATTACKER SW1 --- SW2 --- VICTIM HOST
- The switch port the attacker is connected to is an access port in VLAN 1
- The native VLAN from SW1 -- SW2
, then double vlan
attack happens.
Or will sw2 it strip vlan 1 as it was the default vlan and again strip the
inner tag
With regards
Kings
On Sun, Mar 18, 2012 at 11:20 AM, Joe Astorino joeastorino1...@gmail.com
wrote:
The outside tag was 1, the inside tag was 10 in my example
IPSEC transport mode as
described in the book?
Thanks everybody!
mike_c...@hotmail.com wrote:
that is
identical in tunnel mode instead of just using IPSEC transport mode as
described in the book?
Thanks everybody!
the NBMA address is used.
Any tips on how do you keep straight which NHRP commands use the
tunnel IP vs the NBMA IP?
. In this case you instruct the router to send mcast traffic to Hub's
Public IP and this must be tunnel destination IP I suppose.
Regards,
Piotr
2012/3/16 Joe Astorino joeastorino1...@gmail.com
Can anybody shed some light on understanding why the ip nhrp map
multicast command on a spoke
point there HAS to be a mapping
because it is an NBMA network, just like frame-relay. I knew that CCIE
RS would be useful for something ;)
On Fri, Mar 16, 2012 at 10:47 AM, Joe Astorino
joeastorino1...@gmail.com wrote:
Thanks man, that actually helps me keep the logic straight. Obviously
1 - 100 of 184 matches