Regarding parser view... Anyone have issues adding "interface" to the command list under a particular view. I feel like this problem was discussed a while back.
commands configure include interface
OR
commands configure include all interface
% interface not configured or present

workaround:
commands configure include interface f0/0 or all interface f0/0

This adds that command plus the interface command.... any other work around? I'm running 15. Thoughts?

On Mon, Sep 12, 2011 at 3:42 AM, <[email protected]> wrote:

> Today's Topics:
>
> 1. Re: YB Lab 1 - Role Based CLI. (Andrey)
> 2. Re: vlan access-maps with match mac and ip (Kingsley Charles)
> 3. Re: EzVPN server lending IP address from DHCP server (Kingsley Charles)
> 4. Re: Transparent IOS FW and syslog (Kingsley Charles)
> 5. Re: YB Lab 1 - Role Based CLI. (Kingsley Charles)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 12 Sep 2011 13:16:50 +0600
> From: Andrey <[email protected]>
> To: Adil Pasha <[email protected]>
> Cc: "<[email protected]> Maillist" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] YB Lab 1 - Role Based CLI.
>
> Hi,
>
> You don't have to check priv level in ACS,
> all you must do is specify cisco-av-pair:
> cli-view-name=VIEW_NAME
>
> --
> Best regards,
> Andrey
> ------------------------------
>
> Message: 2
> Date: Mon, 12 Sep 2011 12:59:49 +0530
> From: Kingsley Charles <[email protected]>
> To: Andrey <[email protected]>
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] vlan access-maps with match mac and ip
>
> Now consider the following configuration. In vlan access-map king 10, the
> operation is OR between "123" and "124". If there is no match for access-map
> 10, then it goes for access-map 20.
>
> vlan access-map king 10
>  action forward
>  match ip address 123 124
> vlan access-map king 20
>  action forward
>  match ip address 125
>
> The route-maps and vlan access-maps use nearly the same logic. In entry 10,
> either 123 or 124 should be matched, which is an OR operation, and that is ANDed
> with match length. So either 123 + match length or 124 + match length is the
> matching criteria for entry 10.
>
> If there is no match for 10, 20 is checked for.
>
> route-map king permit 10
>  match ip address 123 124
>  match length 100 200
>
> route-map king permit 20
>  match ip address 125
>
> Now with vlan access-maps, you can't define two match criteria within an
> entry that can be ANDed like we do for route-maps. Hence there is concept of
> AND operation in vlan access map. The exception to this is the following one
> which has the match ip and mac. Since the match is in different lines, they
> should be ANDed.
>
> So my question, is the following valid which ANDs a mac IP and mac mac?
> vlan access-map king
>  action forward
>  match mac address macking
>  match ip address 123
>
> With regards
> Kings
>
> On Sun, Sep 11, 2011 at 2:16 PM, Andrey <[email protected]> wrote:
>
> > Kingsley,
> >
> > I do not quite understand your interpretation of the rules,
> > just clarify how I understand:
> >
> > It is "OR" inside sequence of access-map,
> > and "AND" between sequences.
> >
> > Piotr,
> >
> > I agree with you in all except one -
> > "When a flow matches permit ACL entry, the associated action is taken and
> > the flow is not checked against the remaining sequences"
> >
> > My understanding - it is not checked against the remaining entries in same
> > sequence, but checked against the remaining sequences.
> >
> > Best regards,
> > Andrey
>
> ------------------------------
>
> Message: 3
> Date: Mon, 12 Sep 2011 13:06:03 +0530
> From: Kingsley Charles <[email protected]>
> To: Piotr Matusiak <[email protected]>
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] EzVPN server lending IP address from DHCP server
>
> Hi Piotr
>
> The DHCP server 10.20.30.42 is directly connected to the EzVPN. I am using
> an IOS router as the DHCP server. The issue is that the EzVPN server doesn't
> seem to be sending a DHCP request message at all.
>
> With regards
> Kings
>
> On Sun, Sep 11, 2011 at 10:42 PM, Piotr Matusiak <[email protected]> wrote:
>
> > This works only because you used loopback interface and RIP inside your
> > network.
> >
> > Let me describe how it works to understand what's the issue with Kings'
> > config.
> > The EzVPN Server works as a DHCP client (relay) once you configure 'dhcp
> > server' command under the group. You can troubleshoot it using 'debug dhcp
> > packet' command.
> >
> > When client connects, the EzVPN server uses IP address configured in 'dhcp
> > server' command and sends relayed information. Relayed, so that they must
> > have GIADDR (Gateway IP Address) configured in the packet so that the DHCP
> > server knows from what pool assign IP address to the client.
> > If nothing is configured using 'dhcp giaddr' command, the IP address in the
> > DHCPDISCOVER will be outgoing interface's IP address towards DHCP server.
> > If configured, this will be the IP address where the DHCP server sends the
> > DHCPOFFER to. This is very important! If you don't have route back to that
> > IP address on DHCP server it will fail (I guess this could be an issue in
> > Kings' example).
> >
> > The best solution here is to configure loopback with IP address space of
> > your EzVPN Client's pool. Once this is advertised using some dynamic routing
> > protocol the server knows where to send the returning packet to. It must be
> > also specified as 'dhcp giaddr' command. Of course, best way to do that is
> > using DVTI.
> >
> > Hope it helps.
> >
> > Regards,
> > Piotr
> >
> >
> > 2011/9/11 Andrey <[email protected]>
> >
> >> Kingsley,
> >>
> >> I labbed your case and it worked, my scheme:
> >>
> >> ACS--10.0.0.0/24---R2---136.1.23.0/24----R3---136.1.100.0----PC
> >>
> >> Configs:
> >>
> >> RIP between R2&R3
> >> Default route on ACS to R2
> >> Default route on PC to R3
> >>
> >> R3 config:
> >>
> >> Rack1R3(config)#do sh run | s aaa|crypto
> >> aaa new-model
> >> aaa authentication login con none
> >> aaa authentication login vty line
> >> aaa authentication login ezvpn local
> >> aaa authorization network ezvpn local
> >> aaa session-id common
> >> crypto isakmp policy 10
> >>  encr 3des
> >>  hash md5
> >>  authentication pre-share
> >>  group 2
> >> crypto isakmp client configuration group DHCP
> >>  key cisco
> >>  dns 10.0.0.100
> >>  domain INE.com
> >>  acl ezacl
> >>  dhcp server 10.0.0.100
> >>  dhcp giaddr 20.0.0.10
> >> crypto isakmp profile isapro1
> >>  match identity group DHCP
> >>  client authentication list ezvpn
> >>  isakmp authorization list ezvpn
> >>  client configuration address respond
> >>  client configuration group DHCP
> >>  virtual-template 1
> >> crypto ipsec transform-set ezset esp-3des esp-md5-hmac
> >> crypto ipsec profile ipspro1
> >>  set transform-set ezset
> >>  set reverse-route tag 100
> >>  set isakmp-profile isapro1
> >> !
> >> interface Loopback1
> >>  ip address 20.0.0.10 255.255.255.0
> >> !
> >> router rip
> >>  redistribute connected
> >> !
> >> ip access-list extended ezacl
> >>  permit ip 10.0.0.0 0.0.0.255 any
> >> !
> >> interface Virtual-Template1 type tunnel
> >>  ip unnumbered FastEthernet0/1
> >>  tunnel mode ipsec ipv4
> >>  tunnel protection ipsec profile ipspro1
> >>
> >> ACS's ip 10.0.0.100, dhcp zone configured on it 20.0.0.1-20.0.0.254,
> >> excluded addresses 20.0.0.1-20.0.0.10
> >>
> >> PC client received IP 20.0.0.11 & i see it allocated in dhcp console.
> >>
> >> --
> >> Best regards,
> >> Andrey
> >>
> >>
> >> _______________________________________________
> >> For more information regarding industry leading CCIE Lab training, please
> >> visit www.ipexpert.com
> >>
> >> Are you a CCNP or CCIE and looking for a job? Check out
> >> www.PlatinumPlacement.com
> >>
> >
>
> ------------------------------
>
> Message: 4
> Date: Mon, 12 Sep 2011 13:09:10 +0530
> From: Kingsley Charles <[email protected]>
> To: Jim Terry <[email protected]>
> Cc: CCIE Security Maillist <[email protected]>
> Subject: Re: [OSL | CCIE_Security] Transparent IOS FW and syslog
>
> What is the class map configuration?
>
> With regards
> Kings
>
> On Mon, Sep 12, 2011 at 9:39 AM, Jim Terry <[email protected]> wrote:
>
> > Hi all,
> >
> > I was not able to 'inspect' syslog like this:
> >
> > class-map type inspect cmapall
> >
> > policy-map type inspect pmapout2in
> >  class-map type inspect cmapall
> >   inspect
> >
> > I had this applied to both interfaces (via my zones) and only when I
> > changed the default class to pass did my syslog go through.
> >
> > Is that correct? I would have assumed my syslog would have been
> > inspected by the 'class-map type inspect cmapall' - since it inspected
> > all protocols.
> >
> > Thanks,
> >
> > JT
>
> ------------------------------
>
> Message: 5
> Date: Mon, 12 Sep 2011 13:12:22 +0530
> From: Kingsley Charles <[email protected]>
> To: Adil Pasha <[email protected]>
> Cc: "<[email protected]> Maillist" <[email protected]>
> Subject: Re: [OSL | CCIE_Security] YB Lab 1 - Role Based CLI.
>
> If you check priv 15 in ACS, is the cli view working as expected?
>
> With regards
> Kings
>
> On Mon, Sep 12, 2011 at 6:30 AM, Adil Pasha <[email protected]> wrote:
>
> > Guys,
> >
> > For Role Based CLI do we have to have Priv level checked under Shell Exec
> > on the ACS?
> >
> > Here is the issue.
> >
> > If I do not check Priv Level using 15 I get to "enable" non-privilege ">"
> > prompt. Where I can do config t and it shows me my VIEW name. I know it is
> > due to the IOS. It works OK. But there is a minor issue. I can type "ena" at
> > ">" and then login password and I am in the router with Priv Level 15.
> > Please tell me why and how to fix the login issue?
> >
> > If I check Priv Level 15 on ACS then I get to EXEC prompt "#" and I am in
> > correct VIEW and limited privileges. Is this the correct answer?
> >
> > YB lab 1 does not show to use Priv Level 15 on ACS for role based cli.
> >
> > Thanks in advance.
> >
> > Best Regards.
> > ______________________
> > Adil
>
> End of CCIE_Security Digest, Vol 63, Issue 24
> *********************************************
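As an added illustration of Piotr's giaddr explanation in Message 3 (this is constructed example code, not anything from the thread or from Cisco IOS), the following Python models the relay-side DHCPDISCOVER and the two server-side decisions that depend on giaddr per RFC 2131: which pool to allocate from, and where the DHCPOFFER is sent. The addresses follow Andrey's lab (giaddr 20.0.0.10 on Loopback1, pool 20.0.0.0/24 on the ACS); the pool and route tables are assumed.

```python
import ipaddress
import struct

# Fixed part of the DHCP message header (RFC 2131 section 2):
# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr
DHCP_FIXED = struct.Struct("!BBBBIHH4s4s4s4s")
ZERO_ADDR = b"\x00" * 4


def relay_discover(xid: int, giaddr: str) -> bytes:
    """Fixed header of a DHCPDISCOVER as a relay (here the EzVPN server)
    forwards it: BOOTREQUEST, hops=1, giaddr set. Options are omitted."""
    return DHCP_FIXED.pack(1, 1, 6, 1, xid, 0, 0, ZERO_ADDR, ZERO_ADDR, ZERO_ADDR,
                           ipaddress.IPv4Address(giaddr).packed)


def parse_giaddr(pkt: bytes) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(DHCP_FIXED.unpack_from(pkt)[10])


def server_handle(pkt: bytes, pools, routes) -> dict:
    """Model the DHCP server. pools/routes: iterables of IPv4Network.
    The pool is the subnet containing giaddr, and the DHCPOFFER is unicast
    to giaddr (RFC 2131 4.3.1/4.3.2), so the server needs a route to
    giaddr; a missing route is the failure Piotr describes."""
    giaddr = parse_giaddr(pkt)
    if int(giaddr) == 0:
        return {"ok": False, "reason": "not relayed: giaddr is 0.0.0.0"}
    pool = next((p for p in pools if giaddr in p), None)
    if pool is None:
        return {"ok": False, "reason": f"no pool covers giaddr {giaddr}"}
    if not any(giaddr in r for r in routes):
        return {"ok": False, "reason": f"no route back to giaddr {giaddr}", "pool": str(pool)}
    return {"ok": True, "pool": str(pool), "offer_dst": str(giaddr)}


# Assumed lab data: pool on the ACS, and the ACS routing table with and
# without the RIP-learned route to R3's Loopback1 subnet.
POOLS = [ipaddress.IPv4Network("20.0.0.0/24")]
ROUTES_WITH_RIP = [ipaddress.IPv4Network("10.0.0.0/24"), ipaddress.IPv4Network("20.0.0.0/24")]
ROUTES_WITHOUT_RIP = [ipaddress.IPv4Network("10.0.0.0/24")]


def demo():
    pkt = relay_discover(0x1234, "20.0.0.10")
    return (server_handle(pkt, POOLS, ROUTES_WITH_RIP),
            server_handle(pkt, POOLS, ROUTES_WITHOUT_RIP))


if __name__ == "__main__":
    for result in demo():
        print(result)
```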
