Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
About ToryDav
ToryDav
Building a reputation
Member since Sep 24, 2019
Apr 26 2024
Community Record
130
Posts
53
Kudos
3
Solutions
Badges
Jan 22 2024
1:00 PM
Hi! Is it possible to create some type of RBAC using group policy or SAML (Azure AD) for an Anyconnect user? Ideally giving them a specific VLAN when they connect based on a level of access would be fine, or somehow applying a group policy that contains an L3 firewall override? How do others do this in the field? ISE?
... View more
Labels:
- Labels:
-
Client VPN
Dec 21 2023
1:18 PM
When using an MX as a branch spoke connecting to a concentrator in the data center, we need to implement a full-tunnel design to send all wired traffic on the network through the Corperate firewalls located in the data center. However, I also have a requirement to send the local office wifi traffic (both office user and guest) out to the internet directly at the spoke level. When I choose to send the default route to a spoke MX creating a full tunnel, am I correct that I then need an SDWAN + license to enable Local Breakout for a couple of wifi vlans to not use the default route through the tunnel?
... View more
Labels:
- Labels:
-
Auto VPN
Dec 5 2023
12:44 PM
Hi All, Running into a scenario where we have an L3 9500 core with SVIs (Gateway) for user subnets for a given site. MX firewalls are going to replace a different vender firewall for outbound internet access and AutoVPN will be used to connect the sites together. I suspect if a subnet's default gateway lives on the 9500 core (l3 core) then it cannot participate in AutoVPN if MX is intended to be at the Internet Edge in routed mode. Can you confirm my logic is true/false? Will the SVIs need to be migrated to the MX? Has anyone run into this?
... View more
Labels:
- Labels:
-
Auto VPN
Dec 5 2023
5:47 AM
Okay here's the actual peice you want to read in Darren's link. The actual documentation is misleading because it says you need "Per Device SD-WAN+ licenses" which are only available in 1,3,5 year terms. I have a 10 year SDWAN license which is clearly not a per device license. The text below does not state it needs to be a per device license however. Mixed-license environments The SD-WAN Plus and Advanced Security licenses can be selected on a per-device basis for a mixed-license deployment. In this way, some sites could have MXs with full SD-WAN Plus license functionality and remaining sites with Advanced Security license features. Enterprise licenses can only be applied organization-wide.
... View more
Dec 5 2023
5:41 AM
That's why I posted. It's not clear.
... View more
Dec 4 2023
2:42 PM
Hello, Is there a license activation grace period? I have heard you have up to 90 days to claim licenses before the "countdown" begins. I have always assumed the countdown began when the license key is cut and issued. Does anyone know?
... View more
Dec 4 2023
2:38 PM
Hello, Looking for some better guidance around this topic. Can you have mixed MX license types? I always thought the answer was No but have found some mixed information and I'd like to clarify. Is this possible for co-term? How about a per-device license model? I have a per-device license model for this scenario with Advanced Security MX licensing and need to claim an SD-WAN license for a new MX that is going to be deployed. For co-term I believe it is not possible unless the license is explicitly an SD-WAN per device license but I can't find the information on a per-device license model scenario.
... View more
Dec 1 2023
6:37 AM
Ah okay I get it, thanks for confirming. I would think stick mac allow list would make sense for being applied at the profile level since the mac allow list is learned, not specified, but I don't know how the configuration works behind the scenes so I can see there likely is a technical limitation preventing it from being possible. Good to know! No MAC Allow or Sticky MAC allow on profiles. It would be nice if we could override the profile to set these on a port by port basis, but if it's one or the other, then the profiles have to go unfortunately.
... View more
Nov 30 2023
9:13 AM
I wanted to set stick mac allow list access policy on my port profile, however, there isn't any option to do so in the drop down. Is this not supported? It seems I may have to remove the port profiles to enable the policy.
... View more
Oct 18 2023
12:30 PM
I basically am implementing this already. I've overridden the log, actually its pretty neat because using python logging, I can simply create a log where I want it and log away my info, warnings and errors for my script, but because I'm using the meraki module in the same runtime, all the meraki logs automatically are written in my new log within /logs. That said, the meraki api still creates the log file in the other dir, but it's blank.
... View more
Oct 17 2023
2:30 PM
Hello, I would like to know if there is a way to change where the .log file generated by the API is stored. I want this in a /logs/ dir, not in the current directory where my script lives. I don't want to suppress the log, nor do I want to manually or programmatically move it.
... View more
Oct 11 2023
3:19 PM
Hi @CptnCrnch, Regarding your comment on Umbrella Statistics, I want to be clear in that regardless of which model you go with "Manual, vs Automatic", that neither will allow dashboard to display statistics? You also stated that the automatic integration does not have an umbrella account and everything is in the Meraki Dashboard, so there is only configuration options for DNS and the predefined policies, no statistics or logging of event of any kind? I just want to be clear.
... View more
Oct 6 2023
6:32 AM
1 Kudo
Same, but without access to them I needed to actually prove that was the issue. Just to update you all, this was related to windows firewall.
... View more
Oct 5 2023
12:09 PM
Thanks GldenJoe, the only issue I see with all this right now is I exported the, VLANs, Subnets, policy objects and the L3 rules and ported them over to a lab MX that I have setup to simulate the environment and all testing passed as expected. Intra-VLAN traffic were permitted worked as expected. Inter-VLAN traffic where permitted worked as expected. Traffic not specified explicitly to be allowed was not allowed. Internet bound traffic worked just fine. However on the staged equipment where we noticed the issue, test hosts cannot ping each-other within the same VLAN, or in different VLANs that are explicitly permitted. Changing firmware to the latest patch changed nothing. Moving the hosts from the switches directly onto the MX changed nothing. So I built SVIs on Stack 1 and Stack 2 to do ping testing to rule out the hosts themselves perhaps dropping the ping, and they work as expected. At this point I am thinking this is a problem with some of these particular test laptops, but unsure otherwise.
... View more
Oct 4 2023
11:07 AM
The clients are on a L2 switch. The switch is trunked to the firewall. I am setting up a lab to replicate the MX environment now and we will see if I see the same result of traffic being blocked where it should not be. It could be a switching issue. More to come.
... View more
Oct 4 2023
9:49 AM
Hi alemabrahao, the requirement is to block all traffic between the VLANs, not just ICMP. I'm only using ping to do some basic testing in the rules. MX is the gateway. I'm going to recreate the rules in my lab MX to see if the result is the same. PREVIEW
... View more
Oct 4 2023
9:33 AM
Good Day, Looking for a recommendation to deny inter-vlan routing on the MX using Layer 3 firewall rules. In this case I created a rule denying all RFC1918 subnets in source and destination, and put that above the default allow rule. This way outbound to the internet is not bothered, and I can create specific allow rules to permit some inter-vlan routing where applicable. Seemed to be working okay so far in testing, however I did notice some ICMP response not founds in a packet capture when ping testing two hosts in the same VLAN. I'd think that if they are in the same VLAN, the layer 3 rules would not apply, so I am troubleshooting the MX as a bug and changed firmware version to the latest patch. Waiting to confirm if this resolved the issue, but can you sanity check me here?
... View more
Labels:
- Labels:
-
Firewall
Feb 10 2023
1:02 PM
Genius! Okay so let me ask you this, the VLAN Gateways live on a layer 3 switch then?
... View more
Feb 8 2023
7:58 PM
2 Kudos
Username ToryDavenport 243108
... View more
Feb 8 2023
6:15 PM
Hello, Is it possible to summarize branch routes with AutoVPN? Let's suppose my branch site VLANS are all /24s that could be summarized into a single larger prefix. When I turn on AutoVPN and configure the branch as a spoke, all the enabled /24s propagate to the hub MX or vMXs. So is it not possible to summarize these routes? Let's say the hubs are vMXs that peer eBGP with another device. The vMX passes the specific prefixes to that device. Any thoughts?
... View more
Labels:
- Labels:
-
Auto VPN
Feb 5 2023
6:06 AM
I had never heard of them either. So far I like them, fast and easy 90 day certificates. What's really neat to me is the API. Haven't tested it too much yet however. https://zerossl.com/developer/
... View more
Feb 5 2023
5:41 AM
1 Kudo
I took another crack at this and did successfully upload and save my certificate generated from www.zerossl.com this morning. I used https://whatsmychaincert.com/ to generate the correct certificate chain and checked the box to include the root certificate. This chain, with the ZEROSSL certificate was the winning combo. I did not use the ca_bundle.crt provided by ZERO SSL. I will write up a tutorial on how I did this and share soon. Cheers
... View more
My Accepted Solutions
| Subject | Views | Posted |
|---|---|---|
| 4462 | Feb 5 2023 5:41 AM | |
| 2624 | Mar 28 2022 3:09 PM | |
| 4042 | May 20 2021 3:37 PM |
My Top Kudoed Posts
| Subject | Kudos | Views |
|---|---|---|
| 7 | 10805 | |
| 4 | 4431 | |
| 3 | 2135 | |
| 2 | 5697 | |
| 2 | 9158 |
© 2024 Cisco Systems, Inc.
