Cisco AAA/Identity/Nac :: Nexus 7K Is Mandatory To Implement SGACLs Within Trust-Sec Infrastructure Deployment
Jan 11, 2012
I am wondering if having a Nexus 7K is mandatory to implement SGACLs within a TrustSec Infrastructure deployment or having a Nexus 5500 could be enough?
I applied the command "auto qos voip trust" to the uplink interface. But I found that the interface showed the command "auto qos trust" was applied when I did show running-config. Should the command "auto qos voip trust" show in the configuration after I applied it? If not, how can I check which interface has "auto qos voip trust" applied?
We are trying to set up ACS 5.2 in our multi-forest AD environment. As part of our evaluation we set up an Active Directory External Identity Store to a domain (a.b.edu). It connects properly and I can see the directory groups in that tab when we Select. This domain (a.b.edu) has a two-way trust with another domain in another forest (x.y.b.edu). However, I do not see the groups in that domain and I cannot seem to manually add those groups using the Add on the free-text Group Name.
The documentation is not clear on this point: pages 8-41 and 8-42 of the "User Guide for the Cisco Secure Access Control System 5.2" say: "The External User Groups dialog box appears displaying a list of AD groups in the domain, as well as other trusted domains in the same forest." This implies to me that it cannot cross forests even though a trust is set up. This seems to be what is happening.
I have trouble implementing dynamic QoS between two sites (Site A and Site B) across a low-speed WAN link (512k). On each site I have a Cisco 1921 router. The most important app is Oracle. Because of the slow WAN links, I want to avoid an exact bandwidth reservation for Oracle. I only reserve 5% bandwidth for network control (icmp, ssh, telnet...) and want to configure the following QoS scenario:
1. If Oracle traffic exists on the network, it must have 70% of the link speed guaranteed; all other apps (e.g. mail, file share, ftp) use the rest of the bandwidth.
2. If there isn't Oracle traffic on the network, all other apps can use all available bandwidth.
Issue description: I used all the Cisco guides, but when I implemented this in production it simply didn't work. There is no significant improvement after implementing this (when I start network file sharing across the WAN link, Oracle becomes extremely slow). Here is the configuration which I am trying to implement:
ACLs and class-maps used to mark traffic:
access-list 119 remark ###QoS-MGMT###
access-list 119 permit tcp any any eq 22
access-list 119 permit tcp any any eq telnet
access-list 119 permit icmp any any
access-list 120 remark ###QoS-DB_ORA###
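The two requirements above (a 70% guarantee for Oracle only while Oracle traffic is present, everything else sharing the link otherwise) map directly onto CBWFQ minimum-bandwidth classes under a parent shaper. The following is an added example written for this page, not the poster's configuration. It assumes the Oracle listener is on TCP 1521 (the poster's ACL 120 is cut off after the remark), that the WAN is a 512 kbit/s service delivered on GigabitEthernet0/1, and uses placeholder interface and policy names.

```cisco
! Added example, not the poster's config. Assumed: Oracle listener on TCP 1521,
! WAN handoff GigabitEthernet0/1 carrying a 512 kbit/s service; names are placeholders.
!
! Classification ACLs (119 as posted; 120 completed with the assumed Oracle ports)
access-list 119 remark ###QoS-MGMT###
access-list 119 permit tcp any any eq 22
access-list 119 permit tcp any any eq telnet
access-list 119 permit icmp any any
access-list 120 remark ###QoS-DB_ORA###
access-list 120 permit tcp any any eq 1521
access-list 120 permit tcp any eq 1521 any
!
class-map match-any CM-MGMT
 match access-group 119
class-map match-any CM-ORACLE
 match access-group 120
!
! CBWFQ child policy. "bandwidth percent" is a minimum guarantee that only acts when the
! link is congested; an idle class's share is handed to the other classes, which is
! exactly requirement 2. 5 + 70 = 75 stays within the 75% cap older IOS enforces by default.
policy-map PM-WAN-CHILD
 class CM-MGMT
  bandwidth percent 5
 class CM-ORACLE
  bandwidth percent 70
 class class-default
  fair-queue
!
! Parent shaper. On an Ethernet handoff the physical port never congests at 512k, so
! CBWFQ never engages unless the router itself enforces the carrier rate. If the WAN
! is a serial link clocked at 512k, drop the parent and attach PM-WAN-CHILD directly.
policy-map PM-WAN-SHAPE
 class class-default
  shape average 512000
  service-policy PM-WAN-CHILD
!
interface GigabitEthernet0/1
 description WAN to Site B (512k service)
 service-policy output PM-WAN-SHAPE
!
! Verify that queueing is actually engaging during a file transfer:
!   show policy-map interface GigabitEthernet0/1
! Growing queue depth and drops in class-default while CM-ORACLE stays clean
! means the shaper and the guarantee are working.
```

Queueing only shapes what a router sends, so the same policy has to be applied to the WAN interface of the Site B router as well; a policy on Site A alone protects Oracle in one direction only, which matches the symptom of Oracle slowing down when a file share is pulled across the link.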
I have a question about my ACS redundancy deployment. I bought three ACS; all of them came with the base license, but I bought the large deployment license. My question is: is it necessary to buy the large deployment license to add two secondary ACS to my primary ACS? Now, if I install the large deployment license on my primary ACS, does it replicate to the other ACS, or do I have to install the large deployment license one by one on each secondary ACS before joining it to the primary ACS?
I have an access point 1240AG and am planning to deploy ISE as an external RADIUS server. I would like to know how different authorization policies need to be configured in the AP/ISE. Can I use named ACLs or VLANs (CoA) as enforcement types without the use of a WLC? If yes, then how?
I have 4 x ACS-1120. Each 2 are operating as a primary and backup. I want to add a license in order for the ACS to support more than the 500 networks included in the base license. As I understand it, this is the license required: L-CSACS-5-LRG-LIC=. Is this license applicable to the ACS-1120 appliance with ver 5.2? I understand that it is. For my scenario, do I need to purchase a total of 2 x L-CSACS-5-LRG-LIC= (one for each environment; one license will serve 2 x ACS in primary and backup), or do I need to purchase 4 licenses, one for each ACS? I understand that one license will serve a deployment of two ACS in a primary and active scenario.
I already have the large deployment add-on license. I also have 3 ACS servers. Now, my primary ACS server is up and my two secondary ACS servers will be put up soon.
I just want to ask: when should the large deployment add-on license be loaded? Can I load it on my primary ACS server even though my secondary servers are still not up? Or should I load it on my primary ACS server when my two secondary servers are already up?
I am going to deploy Cisco ISE with a WLC 5500. I have two kinds of users: one for which I want to deploy just an open-access Wi-Fi network, without working with Cisco ISE, and a second group of users for which I want to deploy Cisco ISE services like advanced authentication, posture and profiling. For both user groups I have just one WLC. Is there any problem with just deploying two SSIDs, one for open access (without Cisco ISE) and a second, secure one with Cisco ISE?
I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened, e.g. Admin node TCP 22, 80, 443 for management from administrator hosts/ranges. In other instances it is difficult to work out, e.g. TCP 1521 Database listener and AQ: is this for ISE nodes only or for access devices as well?
My question is whether there is a better document that details these requirements: which rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. Should the rule be WLC - PSN on 1700 and 3799, or is it the other way round, or unidirectional?
I am pretty sure that the ports are meant to be ISE-ISE in most instances, barring the PSN for RADIUS and CoA.
We have our Nexus as our default gateway (101.1) and the default VLAN1 is set up with two subnets, 101.X and 102.X. The DHCP server is using a superscope setup to accommodate the overflow of devices requesting IPs on 101, so when 101 is consumed people are able to obtain a 102.X IP address. The superscope setup is basic. The issue is that sometimes the routing to the firewall with a 102.X address is not always 100%. Some days all goes well and the 102 subnet is routed out to the firewall and it's a good day. However, such as today, a 102.X address is not routing as it did 24 hours ago. I am perplexed as to why this is behaving unpredictably. Here is the running-config for VLAN1 to show the 102 as a secondary address on VLAN1.
Every link and guide I see about stacking two 3750 switches has port 1 connected to port 2 on the other switch and vice versa.
I mean, you can connect port 1 to port 1 on the other and connect their port 2s to each other.
1- Is there any benefit in the cross connection?
2- Do I encounter any problem if I stack a 24TS with a 48TS or a 12S-S (all are 3750)?
3- I stacked two switches with each other and the ports became 1/0/* and 2/0/*, and then I removed the stack, but on the second switch the ports are still 2/0/*!! When there is only one switch the interfaces should be 1/0/*.
I know that with the Nexus switches that we must use the management port and the management vrf for services such as NTP, SNMP etc. I have this configured on my 5548 and it still will not sync with NTP. [code]
We are trying to install the latest version of Nexus 1000v on ESXi 5.1 and the installer application is much better than the previous one, but we are having problems with implementation, because deploying the OVA file times out.
First attempt: Nexus-1 was successfully deployed on ESXi-1, but Nexus-2, which should be deployed on ESXi-2, returned an error: "Deploy OVF template": "Operation timed out."
Second attempt: Deploying Nexus-1 returned the same error.
Third attempt: The same as the first attempt.
It looks like that there is a time limit which is used for deploying OVA file and since file needs to be uploaded to ESXi it takes too long, so the installation fails. Is it possible to extend this time?
What is the correct way to create an SNMP user on Nexus 5k switches and limit the read/write access to some OIDs? I have been searching for hours for configuration examples or guides, but I had no luck. I guess a role has to be created, containing rules for some feature, but the list of features doesn't contain anything about SNMP. This is my configuration on Catalyst switches and I'd like to achieve the same result on the Nexus 5k:
conf term
access-list 10 permit host x.x.x.x
access-list 10 deny any
snmp-server view myview ccCopyTable included
snmp-server group mygroup v3 priv read myview write myview access 10
snmp-server user myuser mygroup v3 auth md5 xxxxxx priv aes 256 xxxxxx
end
I am using ACS 5.2 and attempting to authorize users through TACACS to Nexus 5.1 code. I seem to have ACS set up correctly based on documentation I received through here. The problem is that NX-OS doesn't seem to be operating as expected.
I have a problem with the Nexus switches: it is impossible to authenticate from tac_plus. At another company, I configured ACS to authenticate the Nexus switches and it was OK. The configuration of my tac_plus is:
user = gian {
    login = cleartext prueba
    member = nexus
}
group = nexus {
    default service = permit
    service = shell {
        #double-quote-values = yes
        #shell:roles=""network-admin""
        cisco-av-pair*shell:roles="network-admin"
    }
}
The configuration of the switch is:
tacacs-server host xx.xx.xx.xx key 7 "xxxxx"
aaa group server tacacs+ AAA_TACACS_SERVER
  server xx.xx.xx.xx
  source-interface mgmt0
aaa authentication login default group AAA_TACACS_SERVER
aaa authorization commands default group AAA_TACACS_SERVER local
aaa accounting default group AAA_TACACS_SERVER
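For reference, here is a complete NX-OS TACACS+ configuration of the shape the post above is working towards, with the two pieces that most often bite on a Nexus: the server group must be bound to the VRF that mgmt0 lives in, and the server must return the role in the shell service or the user lands in network-operator. This is an added example written for this page, not the poster's switch or tac_plus configuration; it assumes a TACACS+ server at 192.0.2.10 reachable through mgmt0 in the management VRF, and the shared secret is a placeholder.

```cisco
! Added example, not the poster's configuration. Assumed: TACACS+ server 192.0.2.10,
! reachable via mgmt0 (management VRF); "ExampleSecret" is a placeholder key.
feature tacacs+
!
tacacs-server host 192.0.2.10 key 0 ExampleSecret
!
aaa group server tacacs+ AAA_TACACS_SERVER
  server 192.0.2.10
  source-interface mgmt0
  ! mgmt0 is in the management VRF. Without use-vrf the request is sourced from the
  ! default VRF, the server never sees it, and the switch logs "all servers failed to respond".
  use-vrf management
!
! Remote login for vty, local for the console so a dead server cannot lock you out.
aaa authentication login default group AAA_TACACS_SERVER
aaa authentication login console local
! Command authorization: both exec and config commands, with local fallback.
aaa authorization commands default group AAA_TACACS_SERVER local
aaa authorization config-commands default group AAA_TACACS_SERVER local
aaa accounting default group AAA_TACACS_SERVER
! Show the server's reason for a rejected login instead of a bare failure.
aaa authentication login error-enable
! If the server only accepts ASCII login rather than PAP, also enable:
! aaa authentication login ascii-authentication
!
! The server must return shell:roles="network-admin" (or another configured role) in
! the shell service; with no role attribute NX-OS applies the default network-operator role.
!
! Verification from the switch:
!   test aaa group AAA_TACACS_SERVER gian <password>
!   show tacacs-server statistics 192.0.2.10
!   show users            (after a login: confirms the session and its role)
```

A useful way to separate the two failure modes: if `test aaa group` fails and the server statistics show requests sent but no responses, the problem is reachability or the VRF binding; if the login succeeds but the user gets network-operator, the authentication path is fine and the role attribute returned by the server is what needs attention.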
Does ACS v4.2 support the addition of Nexus switches? We have a few new Nexus devices that have been added to ACS, but they cannot be accessed successfully. A message regarding role-based authentication is received. Do I have to do something special in ACS to support this?
We have a Nexus 7009 at a client network, but due to the limitation of Nexus switches that they cannot be directly integrated with RSA, the client has purchased Cisco ACS for AAA. We are able to do the authentication and authorization via ACS. However, the client wants to further integrate the ACS with RSA so that authentication happens via RSA and authorization happens on ACS. Is that possible? If yes, how can I configure the ACS?
I am trying to assign the right role to a user who authenticates to a Nexus 7k switch via RADIUS. I am using Cisco ISE version 1.1.1.268 and the Nexus version is 5.0.2. I have created a role on the Nexus.
I have set up my RADIUS server access on the Nexus but am unable to authenticate through PuTTY. If I do a radius-server test on the Nexus it says I authenticate. Here is the log I am getting.
2012 Mar 14 16:03:21 switch-a %AUTHPRIV-4-SYSTEM_MSG: pam_unix(aaa:auth): check pass; user unknown - aaad
I am having an issue with authorization on the Nexus 5548. Note: the TACACS configuration has worked and still works correctly with all non-Nexus gear.
Authentication succeeds, and initial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name> are configured.
ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with the Access Policy.
How do I set a limit on the log file size in ACS 5.3? I had the same issue with Nexus 1000v, but there is a command that enables you to set the log file name and size. It is getting bulky.
How do I add the TACACS custom attribute to ACS 4.2 for Nexus 1000V: shell:roles="network-admin admin-vdc"? In the interface configuration I've added a new service: service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.
I can authenticate between our MDS 9216i switch and the RSA RADIUS server but my role does not come across. The logged-in user is a network-operator, not admin. In the AV pair I have defined shell:role*network-admin but it doesn't seem to come across.
I'm trying to set up a TACACS config on my new NEXUS 5000 series. Nevertheless, the authentication doesn't work. Actually I followed the config guide but something is not working or missing. I have set up everything through VMware with ACS installed on a Windows server.
I see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it?
2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr 9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.
I am experiencing an issue where NX-OS on our 5010s is allowing both local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged-in user has unmitigated access to the device. Once I enable aaa authorization, all commands issued by the locally logged-in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using the locally configured credentials on the switch itself. We are running ACS v4.2.