• Ronnie Wong

    @Michael-McKenney,

    It was the frame-relay switch configuration?

    posted in Cisco
  • Ronnie Wong

    @Daniel-Del-Borrello,

    My apologies for not seeing your post here. I'm thinking that we may need a little more information to help out.

    If DNS is the issue on the server side, select the other test machine and see if you can use the network utility for a DNS test to the server. If it resolves via hostname, the issue is probably more of a client-side issue.

    If you get a return, try to clear the DNS cache of the problematic machine and see if that allows you to connect now.

    posted in Apple
  • Ronnie Wong

    @Michael-McKenney,

    Ok. So that leaves you with ONE solution currently with ITProTV, which is for you to use practice-labs. I recommend that you take a Cisco lab and use NYWAN1; you can configure FR on it. You can turn NYEDGE1 into the DTE for your FR switch.

    As I've stated, you're not going to encounter this for CCNA or CCNP R/S. If you see it anywhere it would be for something like the CCNP SP exam. I'm not sure it would even be there now.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler,

    Remember, on traffic between VLANs, the inbound and outbound terminology is weird. We have to think of directionality for the processing. "ip access-group 120_in in", when applied to the VLAN interface, is (from within VLAN 120 outbound to another). And "ip access-group 120_in out", when applied to the VLAN interface, means (from outside VLAN 120 heading in to the VLAN).

    So it's a bit twisted from our syntax to the meaning of the ACL.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler said in nxos and inter-vlan ACLs:

    I also am getting no statistic counters or log entries indicating the rule is being actively applied to packets.

    You need at least one permit statement.

    SW1# show access-list 120_in
    
    IP access list 120_in
            statistics per-entry
            10 deny ip any any log [match=0]
            20 deny icmp any any log [match=0]
            30 permit ip any any [match=0]
    

    I'm still working on the answer for the other part... let me get some more information:
    are you doing this between VLANs on the same switch, or between VLANs on different switches?

    posted in Cisco
  • Ronnie Wong

    @Michael-McKenney,

    Right, so you've still got two options.

    You can work with practice-labs.com. Its CCNP labs already have a FR lab setup. The only time you'll configure a FR switch is on the CCNP Service Provider exam, so the lab is set up for you to create a frame-relay router. But having said that, you can configure NYWAN1 as a frame-relay switch; it has serial interfaces, and you'll have one client, NYEDGE1.

    If you have a router that is not currently in use and that has serial interfaces, you can set up a FR switch on those as well.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler said in keychain vs key string?:

    You mention that a key-string should not be used in production. Is the key-chain feature specific to the Cisco platform?

    I'm not sure if the concept is only specific to Cisco or not. I can only tell you that Cisco requires a key-string to be attached to a key-chain. I'm not so familiar with the SonicWall firewall.

    I am able to get OSPF going with "Message Digest", but the command on the Cisco side I am using on the interface is "ip ospf message-digest-key 1 md5 0 MYKEYSTRINGHERE". This is not recommended? Even though the traffic is technically still traversing an encrypted tunnel?

    The use of single key that is unchanging is not recommended in production, even when you're using a VPN tunnel.

    Is all of this logic around key-string and key-chain the same for HSRP authentication or do the rules change?

    As far as I know, it shouldn't change.

    So, in a key-chain, the string is processed again within the timeframe you specify to produce a unique authentication string which rotates. Assuming you used the same rotation time and original key-string, each side should get the same result. That sounds all well and good to me, am I on the right track?

    Yes

    If so, what is the significance of setting a year in your rotation time-frame?
    You're just trying to set a temporary key that can only be used for that time period. If you set multiple keys within the key-chain without a time, they are all active all the time. I'm not sure how you would make them rotate without the time.

    Wouldn't you want the key to rotate indefinitely? What happens if the year you use is in the past? Or does the firewall automatically update it as the string is processed?

    Yes and no. You do want it to change regularly. No, not indefinitely. You could have a router that loses connection or dies. What happens if the key has changed on one side while the router is down? You're not sure what key it's using at the current time.
    Setting a time in the past doesn't affect it; it just goes active from that past date until you set an end date. I'm not sure what the SonicWall firewall would do.

    In my question 1 above I give an example of a key-string I used to get OSPF authentication working between a Cisco device and a SonicWALL. Can you tell me what the significance of the "1" is in the Cisco command?

    It is the key number on the key-chain to be used. So a 1 is the first key on the key-chain.

    For example, if I were to run a similar command to get OSPF going on a different interface would it be okay to still use "1", or is that globally applicable beyond the interface somehow? For example, would I need to use "2" if I wanted to use a different key-string on a different interface?

    So these authentication commands are on a per-interface basis, so a 1 on one interface is not necessarily the same as a 1 on another interface.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler said in keychain vs key string?:

    What is all of this? What is the difference between a keychain and a key-string? If I specify a message-digest-key "1" for an interface to negotiate OSPF, should I not use "1" again? Is there a show that deep dives into this I can watch?

    I believe we go over this in the CCNA show (maybe), CCNA Security show and CCNP ROUTE...

    But here's a summary:
    Think of the key-chain as being the container or "set" of keys.
    Think of the key-string as the individual "key" that can be used.

    Routing authentication relies on a key on a keychain to function. Before authentication can be used, a keychain with one key (minimally) must be created. It's a hierarchy that allows the association of multiple key-strings to a single key-chain. You set a send and receive time for each key-string. This is useful if the connection is over a public network, so that security keys are changed on a regular basis. Though you can set a single key, this is only good in a testing environment; in a production environment you want the keys to change. This has to be done manually if you only set up one key.

    Setting up multiple keys allows routers to use a single key for a period of time. Then the routers use two keys for a limited period of overlapping time, then use only the next key in the key-chain for a period of time, while the first key has expired.

    e.g.
    create what needs to be used for authentication. I created a key-chain and 2 key-

    R1#configure terminal
    R1(config)#key chain MYCHAIN
    R1(config-keychain)#key 1
    R1(config-keychain-key)#?
    Key-chain key configuration commands:
      accept-lifetime          Set accept lifetime of key
      cryptographic-algorithm  Set cryptographic authentication algorithm
      default                  Set a command to its defaults
      exit                     Exit from key-chain key configuration mode
      key-string               Set key string
      no                       Negate a command or set its defaults
      send-lifetime            Set send lifetime of key
    R1(config-keychain-key)#key-string securetraffic1
    R1(config-keychain-key)#accept-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
    R1(config-keychain-key)#send-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
    R1(config-keychain)#key 2
    R1(config-keychain-key)#key-string securetraffic2
    R1(config-keychain-key)#accept-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
    R1(config-keychain-key)#send-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
    R1#
    

    Apply the key-chain to the interface to use for authentication:

    R1#configure terminal
    R1(config)#interface g0/0
    R1(config-if)#ip authentication mode eigrp 10 md5
    R1(config-if)#ip authentication key-chain eigrp 10 MYCHAIN
    R1(config-if)#end
    R1#
    

    This allows both keys to be used; the time limits set on each key-string will tell the router when to use them.

    You do the same thing for R2 and the interface that connects to R1. If the key-strings do not match, it will not work.

    posted in Cisco
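    As an added illustration (not part of the original post, and not Cisco's implementation), this Python model walks the post's MYCHAIN through its single-key, overlap and rotated phases, and shows what happens when R2's key-string differs or the lifetimes leave a gap. It simplifies: lifetimes are treated as start-inclusive and end-exclusive, and the sender is assumed to pick the lowest-numbered valid key.

```python
from datetime import datetime
from typing import List, Optional, Tuple

# One key-chain entry: (key number, key-string, lifetime start, lifetime end).
# As in the post, accept-lifetime and send-lifetime are treated as identical.
Key = Tuple[int, str, datetime, datetime]

def day(month: int, d: int) -> datetime:
    """A 2019 date at 00:00:00, the form the post's lifetimes use."""
    return datetime(2019, month, d)

# Constructed sample chains; key-strings are placeholders, not real secrets.
MYCHAIN: List[Key] = [(1, "securetraffic1", day(4, 1), day(5, 15)),
                      (2, "securetraffic2", day(5, 1), day(6, 15))]
R2_TYPO: List[Key] = [(1, "securetraffic1", day(4, 1), day(5, 15)),  # R2 mistyped key 2
                      (2, "securetraffic2-typo", day(5, 1), day(6, 15))]
GAPPED: List[Key] = [(1, "securetraffic1", day(4, 1), day(5, 1)),  # no overlap at all
                     (2, "securetraffic2", day(5, 15), day(6, 15))]

def valid_keys(chain: List[Key], when: datetime) -> List[int]:
    """Key numbers whose lifetime covers `when` (start inclusive, end exclusive)."""
    return [num for num, _, start, end in chain if start <= when < end]

def send_key(chain: List[Key], when: datetime) -> Optional[int]:
    """Key used for outgoing packets; assumed here to be the lowest valid number."""
    valid = valid_keys(chain, when)
    return min(valid) if valid else None

def peer_accepts(chain: List[Key], key_num: int, key_string: str, when: datetime) -> bool:
    """Receiver check: key number exists locally, is in its lifetime, same key-string."""
    for num, secret, start, end in chain:
        if num == key_num:
            return start <= when < end and secret == key_string
    return False

def exchange_ok(sender: List[Key], receiver: List[Key], when: datetime) -> bool:
    """Does a packet the sender emits at `when` authenticate at the receiver?"""
    num = send_key(sender, when)
    if num is None:  # chain exhausted: nothing left to authenticate with
        return False
    secret = next(s for n, s, _, _ in sender if n == num)
    return peer_accepts(receiver, num, secret, when)

def coverage_gaps(chain: List[Key]) -> List[Tuple[datetime, datetime]]:
    """Windows inside the chain's span with no valid key: routers stop authenticating."""
    gaps, covered_until = [], min(s for _, _, s, _ in chain)
    for start, end in sorted((s, e) for _, _, s, e in chain):
        if start > covered_until:
            gaps.append((covered_until, start))
        covered_until = max(covered_until, end)
    return gaps
```

    Note that the mistyped key on R2 only bites on 15 May, when key 1 expires; until then the overlap hides the mismatch, which is why the post insists both sides' key-strings must match before rotation.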
  • Ronnie Wong

    @Michael-McKenney,

    So, if you don't have a Cisco contract, you've got the option I mentioned with practice-labs.

    If you have a colleague from another company who has a Cisco contract, you might see if they can get an image for you to use educationally.

    posted in Cisco
  • Ronnie Wong

    @Michael-McKenney,

    You can only customize the base configuration so much, and you cannot do a reboot to clear the config. But it's possible.

    You just choose the NYWAN1 router as your frame switch...
    choose your interface....
    e.g. config...
    I think there's a lab that is set up for you to configure this one as a frame-relay DTE because the frame switch is already set up... but you can create it using the NYWAN1 serial port and the NYEDGE1 serial port.

    If you want to do a full-blown lab you can always use a 7200 VXR IOS 15.x image and import it into GNS3 to create your frame switch with serial ports too, which is more realistic.

    posted in Cisco
  • Ronnie Wong

    @Jorge-Sosa-0,

    If DNS IP information is being handed out using DHCP, you could change the DHCP lease to include your new DNS server's IP (192.168.1.42) as a DNS server. Get everyone to renew the lease to get the new DNS information. Then decommission your 192.168.1.4. You would still have to do a manual reconfig of static VMs or boxes with the NEW DNS information. But it sounds as if you already have DNS running on other servers... so how are those accessed by the current LAN hosts?

    A Cisco router is not going to help you in this instance since the DNS server is on the same subnet and not going to another subnet. NAT is not going to help either because we're not doing any inside or outside interfaces. ASA isn't helping because you're still on the trusted network within the same trusted network.

    So someone else may have a better solution but I think what I mentioned may be considered.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler said in nxos and inter-vlan ACLs:

    Why does this work?

    You must view this from the standpoint of the VLAN interface. So don't look at it independently, but as something similar to the following, e.g.:

    interface Vlan1
    ip access-group 1_out in

    should be viewed more as inside to outside

    interface Vlan1
    ip access-group 1_out out

    should be viewed more as outside to inside

    according to https://community.cisco.com/t5/switching/acl-between-vlans-on-3560g/td-p/1539959

    This is why this works.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler,

    Try this... I think I messed up and forgot that when using match statements, the extended ACL to use must permit, then match can drop it (yeah, intuitive, right?). I don't have a complete lab setup for testing, only the NX-OS demo.

    SW1(config)# show running-config aclmgr
    
    !Command: show running-config aclmgr
    !Time: Wed Apr 10 10:20:24 2019
    
    version 7.3(0)D1(1)
    ip access-list DENY2VLAN1
      10 permit ip 192.168.120.0/24 any
      20 permit icmp 192.168.120.0/24 any
    vlan access-map DENY2VLAN1MAP 10
            match ip address DENY2VLAN1
            action drop
    vlan filter DENY2VLAN1MAP vlan-list 120
    

    Hopefully that works...
    or try... and configure the filter on VLAN 1 instead?
    This to me is relatively confusing since these things don't have ingress or egress attached to them. Sigh.

    posted in Cisco
  • Ronnie Wong

    @Adam-Tyler said in nxos and inter-vlan ACLs:

    IP access list test
    10 deny ip 192.168.120.0 0.0.0.255 any
    20 deny icmp 192.168.120.0 0.0.0.255

    Try the following to see what shows up:

    show running-config aclmgr
    show vlan filter
    show vlan access-map

    You may have to consider using VLAN ACLs (VACL) instead of traditional ACLs.

    switch(config)# show running-config aclmgr
    
    !Command: show running-config aclmgr
    !Time: Tue Apr  9 20:23:04 2019
    
    ip access-list DENY_ACL_MAP
      10 deny ip 192.168.120.0/24 any
      20 deny icmp 192.168.120.0/24 any
      30 permit ip any any
    vlan access-map DENY_TEST 10
            match ip address DENY_ACL_MAP
            action drop
    vlan filter DENY_TEST vlan-list 120
    

    Now run the same verification commands again:
    show running-config aclmgr
    show vlan filter
    show vlan access-map

    Let me know if I've not missed your point completely.

    posted in Cisco
  • Ronnie Wong

    @Dustin-Richeson,

    I'm looking for an alternative now... but I haven't found one that is freely available. I'm not sure why it was discontinued. We'll be reshooting this series this year and I need to find an alternative that can work or be available.

    posted in Cisco
  • Ronnie Wong

    @Penny-Witherspoon,

    Please submit a support ticket to support@itpro.tv with the following information:

    What course you are currently viewing, so they can see if it's an account issue or a technical issue with the labs and practice tests.

    This will get you the most direct and immediately helpful response!

    Thanks for being a member!

    posted in General Discussion
  • Ronnie Wong

    @Gabriel-Castro,

    Please send an email to support@itpro.tv.
    Copy and paste the text above into that email. It will be noticed by the official support team.

    posted in General Discussion
  • Ronnie Wong

    @fabio-teles,

    You need to have the NPS role installed and functional on Windows Server.
    You need to have an operational OpenVPN server and its IP address.

    1. In NPS, you want to create your OpenVPN server as a new RADIUS client.
    2. Generate a new key.
    3. Create a new NPS policy:
      • Add a condition for a Windows Group, and add your VPN users who are allowed to use the VPN.
      • Add another condition for Client IPv4 Addresses, and add the IPv4 address of the OpenVPN server.
    4. Grant access to the VPN users.
    5. Configure the authentication method, under EAP types (MS-CHAPv2).
    6. Accept the defaults on constraints.
    7. Complete the policy, and move the policy up in the list.

    In the OpenVPN web GUI, look for authentication and select RADIUS. If RADIUS is not in use, click the button to use it.
    Then under RADIUS authentication select MS-CHAPv2.
    Then in RADIUS settings, set up what you configured in NPS with the shared secret.
    Update.

    posted in General Discussion
  • Ronnie Wong

    @Jaime-Soto,

    If you're wanting to buy lab equipment, you have to decide how detailed you want to get.
    The recommendation for CCNP should also be sufficient for CCNA studies too.

    So I would say you want at least 3 routers running 15.x IOS with k9.... You don't have to get gig ports unless you just want them. So you can probably get 2800 series routers. For point-to-point, you want a serial connection... The others can be FastE.

    You want a couple of layer 3 switches; 3750s would be awesome, but I've done most of mine using 3550s and 3560s... once again running 15.x IOS with k9. You can throw in a 2960 for a straight layer 2 if you want...

    Of course you'll have to make or buy Ethernet cables, and buy serial cables and power cables for the devices.

    This will suffice for you to make a topology for just about anything you'll do for CCNP.

    posted in Cisco