
by ibarrere

Fri Sep 19, 2014 12:21 pm
 
Forum: Cisco Routing and Switching
Topic: Destination-based hierarchical QoS
Replies: 8
Views: 1333

Re: Destination-based hierarchical QoS

I think you're on the right track... but wouldn't the service-policy underneath the branch office section need to be MPLS as well, to have it apply the DSCP-based QoS within each branch? For the record, the DSCP values are tagged at the network edge, so the packets are already tagged when they get ...
by ibarrere

Fri Sep 19, 2014 4:03 am
 
Forum: Cisco Routing and Switching
Topic: Destination-based hierarchical QoS
Replies: 8
Views: 1333

Re: Destination-based hierarchical QoS

Would it not be simpler to have the MPLS provider implement an outbound policy that prioritises EF traffic in the same way that you do? I already do. The MPLS provider prioritizes things in the same way that I do, but I think the issue is on my router. It seems that the queue gets too deep when the...
by ibarrere

Thu Sep 18, 2014 3:37 pm
 
Forum: Cisco Routing and Switching
Topic: Destination-based hierarchical QoS
Replies: 8
Views: 1333

Re: Destination-based hierarchical QoS

Huh, so it doesn't seem to work. I have it configured like I specified above, and it works for shaping based on destination IP, so each site gets only as much traffic as their local circuit can handle, but matching based on DSCP within that doesn't seem to work. Showing the policy-map output just sh...
by ibarrere

Thu Sep 18, 2014 2:51 pm
 
Forum: Cisco Routing and Switching
Topic: Destination-based hierarchical QoS
Replies: 8
Views: 1333

Re: Destination-based hierarchical QoS

I think you're on the right track... but wouldn't the service-policy underneath the branch office section need to be MPLS as well, to have it apply the DSCP-based QoS within each branch? For the record, the DSCP values are tagged at the network edge, so the packets are already tagged when they get t...
by ibarrere

Thu Sep 18, 2014 1:29 pm
 
Forum: Cisco Routing and Switching
Topic: Destination-based hierarchical QoS
Replies: 8
Views: 1333

Destination-based hierarchical QoS

Hi guys, Let's say I have six sites all connected together by MPLS. One site is a datacenter and has a 50Mbps circuit, the other five are offices and have either 10 or 20Mbps circuits. Outbound QoS is applied on all sites to (a) shape the traffic down to the size of the local circuit and (b) give pr...
by ibarrere

Fri Mar 28, 2014 3:26 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

stroemblad wrote: I didn't really get what your solution was. Or did everything even work now?


Disabling the firewall on the Windows host he was trying to ping. ;)

There may have been some NAT changes along the way that fixed something, but it was essentially a non-issue from the start.
by ibarrere

Fri Mar 07, 2014 9:24 pm
 
Forum: Cisco Security
Topic: default interface security
Replies: 1
Views: 646

Re: default interface security

Are you talking about an IOS device or an ASA? They operate in fundamentally different ways. IOS devices, by default, don't subject traffic to any sort of security policy, so a default interface will pass whatever traffic it's given. An ASA's behavior will vary based on the security-level of the inte...
by ibarrere

Wed Mar 05, 2014 2:46 pm
 
Forum: Cisco Security
Topic: ASA Site to Site VPN
Replies: 6
Views: 1421

Re: ASA Site to Site VPN

deanwebb wrote: Easiest thing to do is to use the wizard in ASDM. It just works. If it doesn't, scrap the VPN and start over and be more careful in your typing.


ASDM is the fruit of the devil.
by ibarrere

Wed Mar 05, 2014 5:14 am
 
Forum: Cisco Security
Topic: ASA Site to Site VPN
Replies: 6
Views: 1421

Re: ASA Site to Site VPN

You don't have a transform set attached to the crypto map, so the ASA will view it as incomplete. Adding this to both devices should fix it:

Code:
crypto map ASA1VPN 10 set transform-set ASA1TS
by ibarrere

Tue Mar 04, 2014 6:49 pm
 
Forum: Cisco Voice and Video
Topic: ASA5505 and CATALYST 2960 and VoIP
Replies: 5
Views: 2229

Re: ASA5505 and CATALYST 2960 and VoIP

QoS with switching can get pretty tricky, particularly with the 2960 (and similar platforms). You need to have a very good understanding of the queueing architecture in order to not make things worse. If you really want to dive in there I'd suggest you start with the Cisco documentation. The good ne...
by ibarrere

Tue Mar 04, 2014 6:25 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

No problem, live and learn. Good luck, and definitely stick with Linux for the troubleshooting. :)
by ibarrere

Tue Mar 04, 2014 5:41 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

OK, well at least this means I'm not losing my mind. It's not an ASA issue; seeing those packets printed up on the screen means the ASA is allowing the traffic through and sending it out the inside interface. At this point it's just basic network troubleshooting to determine why we're not getting re...
by ibarrere

Tue Mar 04, 2014 5:20 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

The purpose of that last statement is to exempt NAT from inside to outside, so it's to allow response traffic. Anyway, this method is clearly not getting us anywhere, so let's try some actual troubleshooting. I should have asked this before embarking on this wild goose chase, but how exactly are you...
by ibarrere

Tue Mar 04, 2014 4:38 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

So it's definitely something implicit, which makes me think it's gotta be NAT related since you have VPN traffic bypassing security policy (that's what sysopt connection permit-vpn does). Oh, since we changed the VPN pool subnet we'll need to make a new NAT exempt statement for it as well. Do this: ...
by ibarrere

Tue Mar 04, 2014 2:43 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

Packet-tracer can give you some misleading results, and this could be a case of that, but it's worth investigating. The ID of the step at which it's dropped is what we're interested in. Run the command show asp table classify interface outside, that will give you a huge list of security policy item...
by ibarrere

Tue Mar 04, 2014 2:25 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

Well, having your VPN pool on the same subnet as the inside can cause weird, unexpected problems, so I figured it may have been causing this. Post the output of the following command: packet-tracer input outside icmp 10.2.3.10 8 0 10.2.2.10 detail Both IPs are just dummies, but I want to see what th...
by ibarrere

Tue Mar 04, 2014 2:21 pm
 
Forum: Cisco Routing and Switching
Topic: DSCP down-marking on Nexus 3048
Replies: 0
Views: 427

DSCP down-marking on Nexus 3048

Anybody know if it's possible to mark down the DSCP value for excess traffic on a Nexus 3048? It looks like it doesn't support policing in policy-maps, so I'm not sure. I can definitely mark the traffic to begin with, but I can't find any way to only mark it up to a particular threshold.
by ibarrere

Tue Mar 04, 2014 10:03 am
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

I just noticed that you're using the same subnet for your VPN pool as you are on the inside interface of the firewall. That's generally a bad idea, you should replace your VPN pool with a different subnet, like 10.2.3.0/24 or something. The ASA handles the VPN pool like a directly-connected interfac...
by ibarrere

Mon Mar 03, 2014 6:59 pm
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

Sorry I had to reply fast when I saw your input and I didn't think about what I was saying. Anyway, why should I remove that? That is for Split tunneling. It's not for split-tunnel. The only two requirements in your group-policy for split-tunnel are as follows: split-tunnel-policy tunnelspecified s...
by ibarrere

Mon Mar 03, 2014 9:26 am
 
Forum: Cisco Security
Topic: Anyconnect
Replies: 29
Views: 4564

Re: Anyconnect

Huh, nothing glaringly obvious. Try removing the VPN filter in the group policy though: group-policy Anyconnect attributes no vpn-filter value ACL_Split_Tunnel Also, since your DNS servers are public addresses you'll need the (outside,outside) NAT statement in order to be able to NAT VPN traffic to ...