My apologies for not seeing your post here. I'm thinking that we may need a little more information to help out.
If DNS is the issue on the server side, select the other test machine and see if you can use the network utility for a DNS test to the server. If it resolves via hostname, the issue is probably more of a client-side issue.
If you get a return, try to clear the DNS cache of the problematic machine and see if that allows you to connect.
Ok. So that leaves you with ONE solution currently with ITProTV, which is for you to use practice-labs. I recommend that you take a Cisco lab and use NYWAN1; you can configure FR on it. You can turn NYEDGE1 into the DTE for your FR switch.
As I've stated, you're not going to encounter this for CCNA or CCNP R/S. If you see it anywhere it would be for something like the CCNP SP exam. I'm not sure it would even be there now.
Remember, on traffic between VLANs, the inbound and outbound terminology is weird. We have to think of directionality for the processing.
"ip access-group 120_in in" when applied to the VLAN interface means (from within VLAN 120, outbound to another). And
"ip access-group 120_in out" when applied to the VLAN interface means (from outside VLAN 120, heading in to the VLAN).
So it's a bit twisted in our syntax to the meaning of the ACL.
I also am getting no statistic counters or log entries indicating the rule is being actively applied to packets.
You need at least one permit statement.
SW1# show access-list 120_in
IP access list 120_in
        statistics per-entry
        10 deny ip any any log [match=0]
        20 deny icmp any any log [match=0]
        30 permit ip any any [match=0]
I'm still working on the answer for the other part... let me get some more information.
Are you doing this between VLANs on the same switch, or between VLANs on different switches?
Right, so you've still got two options.
You can work with practice-labs.com. Its CCNP labs already have a FR lab set up. The only time you'll configure a FR switch is on the CCNP Service Provider exam. So the lab is set up for you to create a frame relay router. But having said that, you can configure NYWAN1 as a frame-relay switch; it has serial interfaces, and you'll have one client, NYEDGE1.
If you have a router that is not currently in use that has serial interfaces, you can set up a FR switch on those as well.
You mention that a key-string should not be used in production. Is the key-chain feature specific to the Cisco platform?
I'm not sure if the concept is only specific to Cisco or not. I can only tell you that Cisco requires a key-string to be attached to a key-chain. I'm not so familiar with the SonicWALL firewall.
I am able to get OSPF going with "Message Digest", but the command on the Cisco side I am using on the interface is "ip ospf message-digest-key 1 md5 0 MYKEYSTRINGHERE". This is not recommended? Even though the traffic is technically still traversing an encrypted tunnel?
The use of a single key that is unchanging is not recommended in production, even when you're using a VPN tunnel.
Is all of this logic around key-string and key-chain the same for HSRP authentication or do the rules change?
As far as I know, it shouldn't change
So, in a key-chain, the string is processed again within the timeframe you specify to produce a unique authentication string which rotates. Assuming you used the same rotation time and original key-string, each side should get the same result. That sounds all well and good to me, am I on the right track?
If so, what is the significance of setting a year in your rotation time-frame?
You're just trying to set a temporary key that can only be used for that time period. If you set multiple keys within the key-chain without a time, they are all active all the time. I'm not sure how you would make them rotate without the time.
Wouldn't you want the key to rotate indefinitely? What happens if the year you use is in the past? Or does the firewall automatically update it as the string is processed?
Yes and no. You do want it to change regularly. No, not indefinitely. You could have a router that loses connection or dies. What happens if the key has changed on one side while the router is down? You're not sure what key it's using at the current time.
Setting a time in the past doesn't affect it; it just goes active from that past date until you set an end date. I'm not sure what the SonicWALL firewall would do.
In my question 1 above I give an example of a key-string I used to get OSPF authentication working between a Cisco device and a SonicWALL. Can you tell me what the significance of the "1" is in the Cisco command?
It is the key number on the key-chain to be used. So a "1" is the first key on the key-chain.
For example, if I were to run a similar command to get OSPF going on a different interface would it be okay to still use "1", or is that globally applicable beyond the interface somehow? For example, would I need to use "2" if I wanted to use a different key-string on a different interface?
So these authentication commands are on a per-interface basis, so a "1" on different interfaces is not necessarily the same as a "1" on another interface.
What is all of this? What is the difference between a keychain and a key-string? If I specify a message-digest-key "1" for an interface to negotiate OSPF, should I not use "1" again? Is there a show that deep dives into this I can watch?
I believe we go over this in the CCNA show (maybe), CCNA Security show and CCNP ROUTE...
But here's a summary:
Think of the key-chain as being the container or "set" of keys.
Think of the key-string as the individual "key" that can be used.
Routing authentication relies on a key on a keychain to function. Before authentication can be used, a keychain with one key (minimally) must be created. It's a hierarchy that allows the association of multiple key-strings to a single key-chain. You set a send time and a receive time for each key-string. This is useful if the connection is over a public network, so that security keys are changed on a regular basis. Though you can set a single key, this is only good in a testing environment; in a production environment you want the keys to change. This has to be done manually if you only set up one key.
Setting up multiple keys allows routers to use a single key for a period of time. Then the routers use two keys for a limited period of overlapping time, then use only the next key in the key-chain for a period of time, while the first key has expired.
Create what needs to be used for authentication. I created a key-chain and 2 key-
R1#configure terminal
R1(config)#key chain MYCHAIN
R1(config-keychain)#key 1
R1(config-keychain-key)#?
Key-chain key configuration commands:
  accept-lifetime          Set accept lifetime of key
  cryptographic-algorithm  Set cryptographic authentication algorithm
  default                  Set a command to its defaults
  exit                     Exit from key-chain key configuration mode
  key-string               Set key string
  no                       Negate a command or set its defaults
  send-lifetime            Set send lifetime of key
R1(config-keychain-key)#key-string securetraffic1
R1(config-keychain-key)#accept-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
R1(config-keychain-key)#send-lifetime 00:00:00 1 April 2019 00:00:00 15 May 2019
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string securetraffic2
R1(config-keychain-key)#accept-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
R1(config-keychain-key)#send-lifetime 00:00:00 1 May 2019 00:00:00 15 June 2019
R1#
Apply the key-chain to the interface to use for authentication:
R1#configure terminal
R1(config)#interface g0/0
R1(config-subif)#ip authentication mode eigrp 10 md5
R1(config-subif)#ip authentication key-chain eigrp 10 MYCHAIN
R1(config-subif)#end
R1#
This allows for both keys to be used; the time limits set on each key-string will tell the router when to use them.
You do the same thing for R2 and the interface that connects to R1. If the key-strings do not match, it will not work.
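To make the overlap and rotation described in this answer concrete, here is an added Python model of the two-key MYCHAIN above. It is illustration written for this page, not router code. The key numbers, key-strings and lifetimes for R1 are the ones from the CLI example; the "gappy" chain and the R2 chain with a mistyped key-string are constructed here, and the rule that a router signs with the lowest-numbered key whose send-lifetime is current is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import datetime

# Added illustration of key-chain lifetimes; not the router's code.
# R1's keys below are the page's values; GAPPY_CHAIN and R2_TYPO are constructed.

LIFETIME_FMT = "%H:%M:%S %d %B %Y"


def at(text):
    """Parse one timestamp in the CLI's own form, e.g. '00:00:00 10 May 2019'."""
    return datetime.strptime(text, LIFETIME_FMT)


def parse_lifetime(text):
    """Parse '00:00:00 1 April 2019 00:00:00 15 May 2019' into (start, end)."""
    parts = text.split()
    if len(parts) != 8:
        raise ValueError(f"expected 'HH:MM:SS D Month YYYY' twice, got {text!r}")
    start, end = at(" ".join(parts[:4])), at(" ".join(parts[4:]))
    if end <= start:
        raise ValueError("lifetime end must be after its start")
    return start, end


@dataclass(frozen=True)
class Key:
    number: int
    key_string: str
    accept: tuple   # (start, end) of accept-lifetime
    send: tuple     # (start, end) of send-lifetime

    def can_send(self, when):
        return self.send[0] <= when < self.send[1]

    def can_accept(self, when):
        return self.accept[0] <= when < self.accept[1]


def key(number, key_string, accept, send):
    return Key(number, key_string, parse_lifetime(accept), parse_lifetime(send))


# R1's MYCHAIN exactly as configured on the page: keys 1 and 2 overlap 1-15 May.
R1_CHAIN = [
    key(1, "securetraffic1",
        "00:00:00 1 April 2019 00:00:00 15 May 2019",
        "00:00:00 1 April 2019 00:00:00 15 May 2019"),
    key(2, "securetraffic2",
        "00:00:00 1 May 2019 00:00:00 15 June 2019",
        "00:00:00 1 May 2019 00:00:00 15 June 2019"),
]

# Constructed variant: key 2 begins 20 May, leaving 15-20 May with no send key.
GAPPY_CHAIN = [
    R1_CHAIN[0],
    key(2, "securetraffic2",
        "00:00:00 20 May 2019 00:00:00 15 June 2019",
        "00:00:00 20 May 2019 00:00:00 15 June 2019"),
]

# Constructed R2 whose key 2 string has a typo: fine until key 1 expires, then fails.
R2_TYPO = [
    R1_CHAIN[0],
    key(2, "securetraffic-2",
        "00:00:00 1 May 2019 00:00:00 15 June 2019",
        "00:00:00 1 May 2019 00:00:00 15 June 2019"),
]


def send_key(chain, when):
    """Key a router signs with at `when`. Model assumption: the lowest-numbered
    key whose send-lifetime is current. None if nothing is valid for sending."""
    valid = [k for k in chain if k.can_send(when)]
    return min(valid, key=lambda k: k.number) if valid else None


def accepts(chain, when, number, key_string):
    """Receiver side: same key number, inside its accept-lifetime, same string."""
    return any(k.number == number and k.can_accept(when) and k.key_string == key_string
               for k in chain)


def authenticates(sender, receiver, when):
    k = send_key(sender, when)
    return k is not None and accepts(receiver, when, k.number, k.key_string)


def send_gaps(chain):
    """Windows inside the chain's span where no key is valid for sending.
    A router whose clock sits in such a window cannot sign any update."""
    edges = sorted({t for k in chain for t in k.send})
    # Lifetimes are half-open, so testing the start instant covers the window.
    return [(s, e) for s, e in zip(edges, edges[1:]) if send_key(chain, s) is None]


if __name__ == "__main__":
    for day in ("10 April", "10 May", "20 May", "20 June"):
        when = at(f"00:00:00 {day} 2019")
        k = send_key(R1_CHAIN, when)
        print(f"{day:>9}: R1 signs with key {k.number if k else None}, "
              f"R1<->R2_TYPO authenticates: {authenticates(R1_CHAIN, R2_TYPO, when)}")
    print("send gaps in GAPPY_CHAIN:", send_gaps(GAPPY_CHAIN))
```

Running it shows both keys current on 10 May, only key 2 from 15 May, and nothing at all after 15 June, which is the "router was down while the key changed" situation from the answer above: every lifetime comparison is against the router's own clock, so a chain with a gap or a peer with a wrong clock fails exactly as a mismatched key-string does.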
You can only customize the base configuration so much and cannot do a reboot to clear the config. But it's possible.
You just choose the NYWAN1 router as your frame switch...
choose your interface...
I think there's a lab that is set up for you to configure this one as a frame relay DTE, because the frame switch is already set up... but you can create it using the NYWAN1 serial and the NYEDGE1 serial port.
If you want to do a full-blown lab, you can always use a 7200 VXR IOS 15.x image and import that into GNS3 to create your frame switch with serial ports too, which is more realistic.
If DNS IP information is being handed out using DHCP, you could change the DHCP lease to include your new DNS server's IP (192.168.1.42) as a DNS server. Get everyone to renew the lease to get the new DNS information. Then decommission your 192.168.1.4. You would still have to do a manual reconfig of static VMs or boxes with the NEW DNS information. But it sounds as if you already have DNS running on other servers... So how are those accessed by the current LAN hosts?
A Cisco router is not going to help you in this instance since the DNS server is on the same subnet and not going to another subnet. NAT is not going to help either because we're not doing any inside or outside interfaces. ASA isn't helping because you're still on the trusted network within the same trusted network.
So someone else may have a better solution but I think what I mentioned may be considered.
Why does this work?
You must view this from the standpoint of the VLAN interface. So don't look at it independently, but as something similar to the following, e.g.:
ip access-group 1_out in
should be viewed more as
inside to outside
ip access-group 1_out out
should be viewed more as
outside to inside
This is why this works.
Try this... I think I messed up and forgot that when using match statements, the extended ACL to use must permit, then match can drop it (yeah, intuitive, right?). Try this. I don't have a complete lab setup for testing, only the NX-OS demo.
SW1(config)# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Wed Apr 10 10:20:24 2019

version 7.3(0)D1(1)

ip access-list DENY2VLAN1
  10 permit ip 192.168.120.0/24 any
  20 permit icmp 192.168.120.0/24 any
vlan access-map DENY2VLAN1MAP 10
        match ip address DENY2VLAN1
        action drop
vlan filter DENY2VLAN1MAP vlan-list 120
Hopefully that works...
Or try... and configure the filter on VLAN 1 instead?
This is relatively confusing to me, since these things don't have ingress or egress attached to them. Sigh.
IP access list test
10 deny ip 192.168.120.0 0.0.0.255 any
20 deny icmp 192.168.120.0 0.0.0.255
Try the following to see what shows up:
show running-config aclmgr
show vlan filter
show vlan access-map
You may have to consider using VLAN ACLs (VACL) instead of traditional ACLs.
switch(config)# show running-config aclmgr

!Command: show running-config aclmgr
!Time: Tue Apr 9 20:23:04 2019

ip access-list DENY_ACL_MAP
  10 deny ip 192.168.120.0/24 any
  20 deny icmp 192.168.120.0/24 any
  30 permit ip any any
vlan access-map DENY_TEST 10
        match ip address DENY_ACL_MAP
        action drop
vlan filter DENY_TEST vlan-list 120
Now run the same verification commands:
show running-config aclmgr
show vlan filter
show vlan access-map
Let me know if I've not missed your point completely.
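Because the "permit means match, then the action drops it" rule in this exchange is easy to get backwards, here is an added Python model of how a VLAN access-map evaluates the ACLs posted in this thread. It is illustration written for this page, not switch code. The ACL entries are transcribed from the two configurations and the user's "test" ACL above (its entry 20 has no destination on the page, so "any" is assumed); the packets are constructed. The thread does not say what the switch does when no access-map sequence matches, so the model makes the caller state that default explicitly instead of guessing it.

```python
import ipaddress
from dataclasses import dataclass

# Added model of VACL match semantics; not switch code.
# ACLs are transcribed from the thread; packets are constructed for the demo.

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(text):
    """Accept 'any', prefix form ('192.168.120.0/24') or IOS wildcard form
    ('192.168.120.0 0.0.0.255'); a wildcard is a hostmask, which ipaddress parses."""
    if text == "any":
        return ANY
    if " " in text:
        addr, wildcard = text.split()
        return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" covers every protocol; otherwise e.g. "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def ace(action, proto, src, dst="any"):
    return Ace(action, proto, net(src), net(dst))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str


def ace_hits(a, pkt):
    return ((a.proto == "ip" or a.proto == pkt.proto)
            and ipaddress.ip_address(pkt.src) in a.src
            and ipaddress.ip_address(pkt.dst) in a.dst)


def acl_permits(acl, pkt):
    """First ACE that hits decides; no hit is the ACL's implicit deny."""
    for a in acl:
        if ace_hits(a, pkt):
            return a.action == "permit"
    return False


def vacl_action(access_map, pkt, default_action):
    """Walk access-map sequences in order. A sequence matches only when its ACL
    *permits* the packet (the point made in the thread); a deny hit or no hit
    means 'not this sequence' and evaluation continues. The outcome when no
    sequence matches is not stated in the thread, so the caller supplies it."""
    for _seq, acl, action in access_map:
        if acl_permits(acl, pkt):
            return action
    return default_action


# Configuration that worked (10 April post): permit the VLAN 120 sources, then drop.
DENY2VLAN1 = [ace("permit", "ip", "192.168.120.0/24"),
              ace("permit", "icmp", "192.168.120.0/24")]
DENY2VLAN1MAP = [(10, DENY2VLAN1, "drop")]

# Earlier attempt (9 April post): deny entries plus 'permit ip any any', then drop.
DENY_ACL_MAP = [ace("deny", "ip", "192.168.120.0/24"),
                ace("deny", "icmp", "192.168.120.0/24"),
                ace("permit", "ip", "any")]
DENY_TEST = [(10, DENY_ACL_MAP, "drop")]

# The user's 'test' ACL in wildcard form; destination 'any' on entry 20 is assumed.
TEST_ACL = [ace("deny", "ip", "192.168.120.0 0.0.0.255"),
            ace("deny", "icmp", "192.168.120.0 0.0.0.255")]
TEST_MAP = [(10, TEST_ACL, "drop")]

FROM_VLAN120 = Packet("192.168.120.10", "192.168.1.5", "icmp")   # constructed
TO_VLAN120 = Packet("192.168.1.5", "192.168.120.10", "icmp")     # constructed

if __name__ == "__main__":
    for name, amap in (("DENY2VLAN1MAP", DENY2VLAN1MAP), ("DENY_TEST", DENY_TEST),
                       ("TEST_MAP", TEST_MAP)):
        for pkt in (FROM_VLAN120, TO_VLAN120):
            print(f"{name:14} {pkt.src:>15} -> {pkt.dst:<15} "
                  f"{vacl_action(amap, pkt, 'forward (default)')}")
```

With the 10 April map, traffic sourced from 192.168.120.0/24 is the only thing that matches the sequence and gets dropped. With the 9 April map the deny entries never match anything, so the VLAN 120 sources fall through to the default, while every other source hits "permit ip any any" and is dropped; that inversion is what the thread's "the extended ACL must permit, then match can drop it" remark is about. The all-deny "test" ACL matches nothing at all, so it never drops anything regardless of its action line.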
Please submit a support ticket to firstname.lastname@example.org with the following information:
Which course you are currently viewing, so they can see if it's an account issue or a technical issue with the labs and practice tests.
This will get you the most direct and immediate helpful response!
Thanks for being a member!
You need to have the NPS role installed and functional on Windows Server.
You need to have an operational OpenVPN server and its IP address.
- In NPS, you want to create your OpenVPN server as a new RADIUS Client.
- Generate a new key
- Create a new NPS policy
- Add a condition for a Windows Group, add your VPN users who are allowed to use VPN.
- Add another condition for Client IPv4 Addresses, add the IPv4 address of the OpenVPN server.
- Grant Access to the VPN users.
- Configure authentication method, under EAP types (MS-CHAPv2)
- Accept the defaults on constraints.
- Complete the policy, move the policy up in the list.
In the OpenVPN web GUI, look for authentication and select RADIUS. If RADIUS is not in use, click the button to use it.
Then under RADIUS authentication select MS-CHAPv2.
Then in RADIUS settings, set up what you configured in NPS with the shared secret.
If you're wanting to buy lab equipment, you have to decide on how detailed you want to get.
The recommendation for CCNP should also be sufficient for CCNA studies too.
So I would say you want at least 3 routers running 15.x IOS with k9... you don't have to get gig ports unless you just want them. So you can probably get 2800 series routers. For point-to-point, you want serial connections... The others can be FastE.
You want a couple of layer 3 switches; 3750s would be awesome, but I've done most of mine using 3550s and 3560s... once again running 15.x IOS with k9. You can throw in a 2960 for a straight layer 2 if you want...
Of course you'll have to make or buy ethernet cables, and buy serial cables and power cables for the devices.
This will be sufficient for you to make a topology for just about anything you'll do for CCNP.