Cisco :: LMS 4.1 - Template Center Configuration Filter Based On User Input?
Nov 30, 2011
Is it possible to create a Configuration Template that pushes configurations only to switches or interfaces with a certain actually existing configuration element, e.g. a certain interface description?
Example: the template parameter mask asks the user for an interface description; the user enters e.g. "A101". A second parameter asks the user for an access VLAN to deploy to these interfaces, e.g. "10".
So during deployment LMS makes a "switchport access vlan 10" only on interfaces that contain the description "A101".
I know this is possible via Compliance Check/Deploy, but we want to make this more user friendly and flexible so that e.g. a helpdesk member can use this template to easily change the VLAN based on an interface description (which in this case refers to a CAT5 outlet label).
I have a 2911 router connected to two different ISPs. Is it possible to route traffic based on which interface the traffic came in on first? Let's say I have the default route using interface gig0/0 (ISP1), but a certain IP packet reaches the router on interface gig0/1 (ISP2). Is there any way (if possible without using source NAT) that I could route traffic back to that IP address using interface gig0/1? The source IP addresses are not fixed, so I cannot use Policy Based Routing.
I have 2 connections: a single T1 for VoIP traffic only and a DSL line for data traffic. The DSL was migrated to a 2811 without any issues; now comes the time to move the T1 over.
On the T1 side I am able to ping the WAN router and the LAN router IP address but nothing behind it.
Currently this is the only statement on the router: ip route 0.0.0.0 0.0.0.0 Dialer1
As a quick and dirty way to remove the above I tried:
no ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 66.55.110.0 255.255.255.0 Dialer1
but the DSL side dropped. We have a 66.55.110.152/29.
For the T1 I would use the following statement.. we have a 209.98.53.192/27
Any recommendation for creating a configuration template for the SRP521W? I can use Admin --> Backup Config to get a xxx.cfg file, but I cannot edit it with Notepad++. Also, I know the config can be viewed via view-source: [URL], but how would I load a modified copy of this back to the router?
I have made some tests and I noticed that the QoS input policy does not classify ICMP packets based on their DSCP. The "match dscp ef" or "match precedence 5" is not working; only the "match protocol icmp" shows hits.
We need to classify the different ICMP packets based on DSCP (TOS) for measurement purposes. Cisco 7200, 12.4.25d and 12.4.20T have the same behaviour.
We have created a sample configuration for an ISR G2 2901 Router. The sample configuration is long, and with copy/paste it is possible to skip some lines, and it is difficult to ensure the configuration of every device is standardized due to this error possibility. What we are trying to achieve is to first create a template from this sample configuration file, and then create configuration files for each device separately and automatically. After creating these configuration instances, we want to be able to distribute the configuration files (and possibly the IOS) to the devices during the staging phase. Since there are about 1000 2901 routers, creating configuration files is important.
From searching we have found the following tools:
1) CCE (Cisco Configuration Engine): This tool seems to be very efficient for distributing the created configuration files. We may use the serial number of the device, and it provides almost zero touch provisioning of the configuration files to the devices. Creating the configuration file from the template seems to be manual, i.e. enter the IP addresses of the interfaces and the routing tables one by one for each device. How can we use Velocity templates for device configs?
2) CiscoWorks LMS Prime: It is possible to create a baseline template for the devices, and after getting the backup configuration of the routers, it is possible to compare the actual configuration of the device with the baseline template and understand if there is any difference between them. This is indeed very useful in order to keep the configuration standardized, but again we could not find a way to create bulk configuration files from the baseline template.
3) SolarWinds Config Generator: This tool is useful for creating a configuration file from a template, but again not for automatically creating configuration files, and it needs manual intervention.
4) Excel Macro: It seems that some people have achieved automatically creating configuration files using an Excel macro, but we could not find a procedure or tip on how to achieve this.
5) Perl or TCL/TK Script: Again, since we are not software developers but from the networking field, it is difficult to achieve a working form of these scripts or code due to lack of documentation and development experience.
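One way to do the per-device generation this post asks about, as an added example that is not from any of the tools named above: a short Python script fills a placeholder template from a CSV inventory and refuses to emit a config with a missing value. The {{name}} placeholder syntax, the template text and the inventory rows are constructed for this example and are not CCE/Velocity syntax.

```python
import csv
import io
import re

# Constructed sample template for a 2901 branch router. The {{name}}
# placeholder syntax is an assumption of this example, not CCE/Velocity syntax.
TEMPLATE = """\
hostname {{hostname}}
!
interface GigabitEthernet0/0
 description WAN
 ip address {{wan_ip}} {{wan_mask}}
 no shutdown
!
interface GigabitEthernet0/1
 description LAN
 ip address {{lan_ip}} {{lan_mask}}
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 {{wan_gw}}
"""

# Constructed inventory: one row per device, filled out once instead of
# hand-editing 1000 configs (RFC 5737 documentation addresses as sample values).
INVENTORY_CSV = """\
hostname,wan_ip,wan_mask,wan_gw,lan_ip,lan_mask
BR-0001,192.0.2.2,255.255.255.252,192.0.2.1,10.1.1.1,255.255.255.0
BR-0002,192.0.2.6,255.255.255.252,192.0.2.5,10.1.2.1,255.255.255.0
"""

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def render(template, values):
    """Fill every {{name}} from values. An absent or empty value raises, so a
    half-filled inventory row can never yield a config with a blank address."""
    def fill(match):
        value = values.get(match.group(1), "").strip()
        if not value:
            raise ValueError("no value for placeholder " + match.group(1))
        return value
    return PLACEHOLDER.sub(fill, template)

def build_configs(template, inventory_csv):
    """Return {hostname: config_text}, one entry per inventory row."""
    configs = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        configs[row["hostname"]] = render(template, row)
    return configs
```

Calling build_configs(TEMPLATE, INVENTORY_CSV) yields one complete config per row; writing each value to <hostname>.cfg gives the files to hand to the staging tool.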
I have been asked by a client to restrict access to a number of non work related sites. Easy, blocked them using Firewall> Content Filter. Then I was asked to disable this filter for one user (the Managing Director) so he can access eBay.
I am familiar with doing this on a Netgear device, but so far my efforts with the RV082 have failed.
First I have tried using DHCP to reserve an IP address for this user, then setting 'Access Rules' so that this IP has all access all the time, but this does not appear to work.
I assume setting this IP as the DMZ would achieve what I want, but it seems like overkill and not very wise security-wise.
A short background. Our corporate SSID is being migrated from using PEAPv0 to EAP-TLS. This restricts access to company notebooks only. Additionally we have barcode scanners which are used to inventory assets. Those devices are not able to use EAP-TLS as they cannot be integrated into the domain and are unable to do certificate-based authentication.
As a workaround we planned to use another SSID with access to the same network but using PEAPv0 as the authentication method, basically the same SSID but with a different name. As this naturally allows anyone with a valid username/password to access the corporate network, I now wanted to add another step into the authentication process: the MAC of the device. I know I can do the filtering at the WLAN controller, but as it has a limited database, and as it is cumbersome to maintain the MAC list on all the controllers, I thought I could do it over our ACS system.
I am now trying to accomplish the following: The user gets authenticated via the internal user store, which is successful. Now I want to authorize the user via the MAC address, which is stored in the internal host store of the ACS, to decide if access is granted or not.
For this I created the following policy:
Service Selection Policy -- (Rule based result selection)
-- (NDG:Device Type in All Device Types:Wireless And RADIUS-IETF:Called-Station-ID contains <SSID>) | Result: PEAP access
-- Default | Result: DenyAccess
Service PEAP access
Identity: Internal Users -- (Single result selection)
Authorization -- (Rule based result selection)
-- Internal Hosts:HostIdentityGroup in All Groups:Valid_MACs
When I then try to access the wireless network I don't get authenticated. The error I get, when I look into the logs, is: 15039 Selected Authorization Profile is DenyAccess
Is it not possible to use one identity store as "attribute database" for the other identity store?
I've installed Cisco ACS 5.3. After I created several internal users (defined password and enable password), Identity Groups, Access Policies, Network Devices and AAA Clients (e.g. Cisco 1841) for RADIUS, I configured my router like this:
...
aaa authentication login VTY group radius local-case
aaa authentication enable default group radius enable
....
Now I'm able to log in successfully using my internal user. But if I try to use enable to enter the enable level I receive the message "% Error in authentication." when I use the defined enable password.
In the ACS logging I can see that "$enab15$" is missing. If I set up a user named "$enab15" I can log in to the enable level, but what do I have to do to use the custom enable passwords?
Steps 1.2 - 1.5 are required for both (RADIUS and TACACS). Then you have to switch to 2.1 - 2.7 for RADIUS or 3.1 - 3.7 for TACACS authentication.
I have a 4 story hotel with 40 rooms, 10 rooms on each floor. I want to set up a WiFi network to cover all the rooms. What should I do, or what instruments should I use? Is it possible to make a user-based setup for each room?
I want to give limited access to our first level support so that they can execute certain basic commands like port VLAN change and access port shut/no shut on Cisco 6509 and 3750E IOS-based switches. I want to restrict them to only a few options so they cannot make changes to uplink (TenGig) ports and cannot issue the reload command etc. We do not have TACACS. What is the best way to achieve this?
I have a Cisco 2950 switch, connected to 4 Mbps of internet, and a number of users access the internet through it. There is no restriction on the bandwidth limit for users; if anybody does a heavy download the remaining users face slow browsing problems.
So, if I can put a bandwidth limitation on every user the problem will be solved. How do I restrict the bandwidth on a per-user basis?
I am currently trying to enable WCCP between a Cisco ASA 5512 firewall and a Barracuda Web Filter 410 Vx appliance. The ASA firewall is running IOS version 8.6(1)2 and the Barracuda is running firmware 6.0.0.013. Both the ASA and Barracuda are in the same network and can ping each other. The ASA has several interfaces: outside, inside, data and dmz. The PCs and the Barracuda appliance are behind the data interface. ASA data IP 172.16.18.1, Barracuda IP 172.16.18.40. All PCs in the 172.16.18.0/24 subnet use the ASA as the default gateway and should have web requests redirected to the Barracuda.
I suspect my issue is that the ASA is generating a Router Identifier of 172.21.20.1, which is my inside network, and the Barracuda cannot communicate with it. How can I get this working?
I want to be able to gather some time metrics based on source IP and destination port. Is it possible to track how much time a user spends using a service based on its port number? I have figured out how to capture all the data, and I can then look at timestamps, but I would like a better way if possible. Can this be done at the firewall, or do I need a different appliance?
I am planning to buy an 867VAE router and I would like to ask you a few things. Is the configuration through CLI only (because I am not familiar with CLI) or can it be web based? Is the basic configuration for DSL and routing preconfigured or do I have to do everything from scratch? If someone has configured, let's say, a Draytek router, is it the same with this router or is it a different world?
I have to install a wireless mesh network shortly using Cisco 1552 APs. This will be controller based using 5508 controllers. The controllers currently have some 1262 APs configured in a mesh and bridging configuration, so I am happy that it all basically works. My question is: what is the "config mesh range" command doing on the controller (or setting the Range (RootAP to MeshAP) setting on the controller mesh GUI)? The default setting is 12000 feet and I have left it at the default at present. Just interested in what this is used for. I assume it alters the mesh protocol parameters somehow (or the RF parameters perhaps), as the guide suggests that mesh APs will reboot after this command is changed.
I recently bought and installed a WAP4410N access point (using PoE) and it's running stable. I was able to access the web-based configuration by using the IP address of the AP (something like 192.168.0.184, coming from the DHCP of my router). However, I'm unable to access the web-based configuration using the host name of the device (mentioned next to the device name in the basic setup section of the web-based configuration). I changed the host name several times, but I can't connect to the device using the host name. Accessing the device by its IP address works, but I have to check the logging of my router to find out which IP address I have to use. Is there a way to access the device using the host name?
(I think my WAP4410N has firmware version 2.0.2.1 installed)
I was unable to configure VLAN-based QoS on Cisco IOS Software, s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1). It seems to me my configuration is not working. Here is the output of the interface:
sh int G1/6 | i rate
 Queueing strategy: fifo
 30 second input rate 25231000 bits/sec, 4282 packets/sec
 30 second output rate 46940000 bits/sec, 9257 packets/sec
Why can't I see matches in the ACLs? I've double checked the direction and it seems to me it is correct. I can't see matches even if I configure something like this:
10 permit ip host 192.168.1.168 any
20 permit ip any host 192.168.1.168
Why is my output rate higher than 30M? Is it because there is no matching traffic in the ACLs? I'm absolutely sure that the host with this IP is connected to this interface:
#sh arp | i 192.168.1.168
Internet 192.168.1.168 0 feed.beef.f00d ARPA Vlan3
#sh mac address-table | i feed.beef.f00d
* 3 feed.beef.f00d dynamic Yes 0 Gi1/6
I have a Verizon FIOS internet/wireless router and then a WRT310N wireless router connected to it through an Ethernet cable. I want to disable DHCP in the Linksys, but when I try to access the setup page at address 192.168.1.1 the Verizon router setup page shows up. I've tried to connect the router directly to the computer, but it needs the internet connection from the Verizon router. How do I get to the setup of the Linksys while the Verizon is using the same address?
(result) Once logged in, it automatically showed the running-config. However, when I tried with PI 1.2 with this user (inout), I couldn't do configuration back.
reference [URL]
Create a certain user with read-only privilege while PI 1.2 is able to do configuration archiving?
I have been searching but unfortunately have not been successful in finding appropriate documentation on how to configure the ASA such that a user using the AnyConnect SSL VPN client is prompted for their username + AD credentials + RSA SecurID token (all three must be presented/entered by the user) in separate fields before the VPN tunnel is established. This is on the latest version of AnyConnect (3.1) and ASA version 9.x on a 5500-X.
I've one Cisco 3750G-12S with IP routing enabled; the switch is running the IP Services firmware, with PRR support. Currently my default static route 0.0.0.0 0.0.0.0 10.1.18.71 points to my Firewall A, so currently all of the VLANs will be routed to 10.1.18.71.
I've created a new VLAN 2 for my 10.1.2.0/24 network with the VLAN interface 2 IP address 10.1.2.10; my intention is to route 10.1.2.0/24 traffic to my 10.1.2.1 by creating an access list and route-map.
I've configured my test PC with a static IP and my gateway pointing to 10.1.2.10 (VLAN 2 gateway), but I'm not able to route to 10.1.2.1.
I have two 1811s connected in a lab using an IPsec VPN tunnel (using a switch to simulate an internet connection between them). I am trying to configure one of the routers as a ZBPF just to allow a remote Windows login (DC on the firewalled side, workstations on the other side). I'm trying to verify that the ZBPF is working, but it doesn't seem to stop anything. I had match icmp added to the class-map, but took it out to test if ICMP would fail. It didn't. Basically, I don't think the firewall is working at all. Any thoughts on how I can configure this so that the policies will work between zone-pairs?
Here's a quick drawing:
Here are the configurations:
Local router:
hostname sdc-1811-LocalLab
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
I want to add the command "no logging event link-status" to all switchport mode access ports EXCEPT for the ones with the following switchport access VLANs: 4022, 4032, 4042, 4052, 4072 & 4082. How do I create a compliance template to do this? LMS 3.2, RME 4.3.1