Channel: IEOC - INE's Online Community

PEAP authentication on ACS 5.3 for aruba wireless users


Dears,

Sorry if my question is far from CCIE scope, but in real production I have one Aruba controller and ACS 5.3. The requirement is to have wireless users authenticated from ACS using PEAP MSCHAPv2. I configured an internal user and applied an access service policy with the Permit Access authorization profile, but it is not working and showed me this error: "11019 Selected Service DenyAccess". Please help.


CCIE RSv5 Equipment Build


Edit: This thread is getting too long, and it is now closed. Please post in a more detailed thread below instead:

Use this thread for Q&A on how to build INE's new CCIE RSv5 topology, either in physical hardware or virtualization. This thread will later be compiled into the new "How To Build A CCIE Rack" page.

OSPF path selection process


Quoted from the CCIE R&S v4 study guide:

"OSPF has specific rules for selecting a path that crosses areas.....

- Take the shortest path to area 0

- Take the shortest path across area 0 without traversing a nonzero area

- Take the shortest path to the destination without traversing area 0"

Would this imply that if I have 2 ABRs with interfaces in area 0 and 1, downstream routers in area 1 will choose the shortest path over the least cost path in order to reach area 0?

I tested this theory, and the downstream router chose the least cost path over the shortest path.

Why MSS value is 536?


Hi Experts,

On R1 I have the below configuration:

R1#sh run | i tcp
ip tcp mss 1460

I have set the MSS value to 1460.

Still, the TCP connections originating from R1 to a remote router R3 are negotiated at an MSS value of 536 in the TCP SYN sent from R1. Why is it so?

Diagram Feedback Needed


Can you guys give me some feedback on this new diagram format? I'm trying to get a mix between complete information while at the same time not making the diagram too busy and unreadable. The diagram is optimized for 1080p. Click it to open in fullscreen:

http://i.imgur.com/BuFzRvL.png

Best practice configuration for ASA failover?


Hi all,

Looking for a best practice configuration for ASA failover.

From what I have read you can have separate interfaces for failover and state or you can use the same interface for both.

=== SEPARATE INTERFACES FOR FAILOVER AND STATE ===

failover lan unit primary
failover lan interface FAILOVER GigabitEthernet2
failover link STATE GigabitEthernet3
failover interface ip FAILOVER 192.168.0.1 255.255.255.252 standby 192.168.0.2
failover interface ip STATE 192.168.1.1 255.255.255.252 standby 192.168.1.2

=== SAME INTERFACE FOR FAILOVER AND STATE ===

failover lan unit primary
failover lan interface FAILOVER_STATE GigabitEthernet2
failover link FAILOVER_STATE GigabitEthernet2
failover interface ip FAILOVER_STATE 192.168.0.1 255.255.255.252 standby 192.168.0.2

Does anyone see any pros/cons? Apart from the obvious need for an extra interface.

Thanks

Custom inspection policy on ASA?


Hi all,

Is it possible to exclude certain flows from the global inspection policy on ASA?

We are using the global_policy which is fine for 99% of flows but would like to selectively disable FTP inspection for certain flows based on interface or source/dest IP (ACL). We don’t really want to disable FTP inspection globally.

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

Can this be done?

Thanks

Allowing ICMP on the lab exam?


Just wondering: if the lab does not specifically say to permit ICMP to a specific subnet, is there any issue with just doing the following?

access-list OUT_IN extended permit icmp any any
fixup icmp


When will the full scale labs be available?


As subject really.

At the moment I am about 4.5 months out from my lab. While I'm fairly happy with my knowledge so far (I am aware of my knowledge gaps... Multicast I'm looking at you) - I'm keen to get onto the full scale labs so I can see it all in action.

Thanks

G

 

FCSP on 7K Storage VDC


I can't seem to get FCSP authentication to work between my 7K and 5K. Authentication works great between the 5K and MDS switches, but the 7K fails every time. I've compared configs and even torn down/built from scratch the config for the pairing, but still no joy. Just wondering, first, whether there's some trick to getting this to work, or if there's a verification command that can tell me where it's failing. Second, if I have a typo, I'd love for someone to point it out to me :D

7K:

feature fcsp
fcsp dhchap hash SHA1
fcsp dhchap dhgroup 4
fcsp dhchap password 7 qabzk7000
fcsp dhchap devicename 20:00:54:7f:ee:f9:22:80 password 7 qabzk5000
interface vfc1112
 fcsp on

N7K-FCOE# sh wwn switch
Switch WWN is 20:00:e4:c7:22:08:c4:80

5K:

feature fcsp
fcsp dhchap hash SHA1
fcsp dhchap dhgroup 4
fcsp dhchap password 7 qabzk5000
fcsp dhchap devicename 20:00:e4:c7:22:08:c4:80 password 7 qabzk7000
interface vfc1112
 fcsp on

N5K-1# sh wwn switch
Switch WWN is 20:00:54:7f:ee:f9:22:80

(on both):

interface vfc1112
 shut
 no shut

N7K-FCOE# sh fcsp interface vfc1112
vfc1112:
        fcsp authentication mode:SEC_MODE_ON
        Status:FC-SP authentication failed

N5K-1# sh fcsp interface vfc1112
vfc1112:
        fcsp authentication mode:SEC_MODE_ON
        Status:FC-SP authentication failed

Passed CCIE R&S


Hi,

I just passed the CCIE R&S on my first attempt!

And only 1 day before v5 comes along!

I just want to share the experience of my journey with everyone.

It all started about a year and a half ago, when I decided I wanted to become a CCIE. I knew it was going to be a long and hard journey but I was determined to do it.

I started by getting an all access pass and watching the videos, and also read more books than I can remember. After about 6 months I passed the written exam.

After that I continued with the ATC videos and working on the Volume 1 and Volume 2 labs. I have to admit that after doing my first Volume 2 lab it went so bad I had the feeling that I had no idea what I was doing and I was never going to pass this exam.

But I'm lucky I had the support from my family and friends, and work colleagues that always kept me going when I was feeling down.

The rack rentals that INE has are a really good investment. I have tried a home lab, but just the amount of hours you waste setting things up and changing things around are better spent practicing. With work and family you really need to make the most of every minute you can dedicate to studying.

After working for a couple of months on the labs I attended the 10 day bootcamp in London last January. I can definitely say that I wouldn't have passed without this.

Dave Smith is an amazing teacher. The way he explains everything and walks you into all sorts of problems helps you really understand how things work.

Also, meeting other people that are in your same situation helps a lot. I kept in contact with a few of the other students and we formed a study group. I gained knowledge and friends from the bootcamp, so it was definitely worth it.

After this I kept practicing and took a few weeks off work in the final stages where I kept doing labs every day.

So that’s it, I'm looking forward to getting my personal life back now :)

Thanks to everyone that helped me out and just remember to keep working hard and the results will come.

Luis Da Silva CCIE #44011

Building INE's SP Topology


Is there any documentation out there or information on building INE's Service Provider topology for learning? I'd like to start studying for the SP track, but would hate to start spending a bunch of money on gear if there's a way to do it virtually (even if it's only partially).

Thanks in advance!

Ethan M.
CCIE #44000

OSPF Path Selection with same LSA Type but different Area Number


After watching the MPLS sham link video from Brian, it made me wonder something. He had a problem where the same route was learnt from two different neighbors, who were both advertising the route as the same type of LSA (Type 3), however one neighbor was in area0 and the other was in area78. So even though the metric was lower via area 78, the path that was preferred was via area0. This got me thinking. If we had this same scenario again but the neighbors were in area 77 and 78 (i.e. not area 0), would the lower area number take preference (i.e. the path via area 77 regardless of metric) or could we use metric to influence the decision?

Just trying to work out if this path selection is only applicable when using area0.

Thanks,
Stephen 

Can I put an explicit deny and log at the end of class default?


Hello,

Can I mention a "deny  log" statement under the class default to watch which traffic is to be allowed? Will I lose any points if I forget to remove it at the end of my lab exam? Thank you.

Regards

movien

Documentation available during lab .... again.


I know it's been asked - I've searched and am still unclear.

What's available? Configuration Guides? Command References? Design Guides?

I know where it is, just not which ones.

Thanks,

PC


Building INE's RSv5 topology on IOS on GNS3

How to get from Charleroi to Diegem (Cisco)


Hello all,

Maybe you need info on how to get to Diegem (Cisco location) from Charleroi.

Here is how you can do it.

After you arrive at Charleroi, take the bus at Exit 4 (you can buy tickets online: http://www.brussels-city-shuttle.com/en#/)

The journey to Brussels-Midi takes about an hour. After that, catch a train. You can buy a ticket online: http://www.belgianrail.be/en/Default.aspx

Here are the two station names:

Bruxelles-Midi / Brussel-Zuid [NMBS/SNCB] - Diegem [NMBS/SNCB]

Br,

Ferenc

Default Route to VRF


Hello All,

I need some help with getting a default route between two BGP peers in my lab. On router PE1 I have successfully inserted a default route into the vrf (MYVRF) and I can access the networks connected to G0/0 (My ISP) as long as I am on PE1. What I am having an issue with is getting the route inserted in MYVRF on PE2.

I have the following in my BGP config on PE1:

address-family ipv4 vrf MYVRF
 redistribute connected
 redistribute static
 redistribute ospf 2
 default-information originate

On PE2, I get a default route:

#show ip route vrf MYVRF

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

B*   0.0.0.0/0 [200/0] via 172.16.1.1, 00:01:47

The problem is Loopback0 on PE1 is not in MYVRF and I am using that as the update source for the PE1 to PE2 BGP peering. I cannot ping 172.16.1.1 from vrf MYVRF on PE2. How can I adjust this so I get the default route 0.0.0.0/0 from G0/0 on PE1 across to PE2?

Any ideas?

Thanks.

AnyConnect Certificate Error


I am setting up a certificate-based VPN with my ASA using AnyConnect ver 3.1 but it encounters this problem. I have tried fixing it for 5 days but I still failed. Please give me some ideas. Thank you :(

[6/4/2014 4:35:24 PM] Connection attempt has failed.
[6/4/2014 4:35:25 PM] No valid certificates available for authentication.
[6/4/2014 4:35:25 PM] Connection attempt has failed.

Note that if I use "local aaa authentication", I connect successfully.

CCIE RSv.5 Home lab design


So I am beginning the process of building my CCIE R&S home lab. I was looking for some thoughts on the best design. So far it appears the best option would be a hybrid design where I virtualize the 20 routers needed and use a breakout switch to connect to 4 physical switches. Has anyone put this design together? Any thoughts on the type of server I should use to virtualize my 20 routers?
