Linux set local proxy for O/S

29/12/2012

export http_proxy=http://<proxy-host>:<port>


3750-X route-map for wireless access

29/12/2012

!
interface Vlan100
 ip address 172.16.255.254 255.255.0.0
 ip helper-address 172.16.255.250
 ip pim sparse-mode
 ip policy route-map ROUTE-PROXY-TRAFFIC-POLICY
!
! Web traffic from the wireless subnet
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq 443
!
! IPsec traffic from the wireless subnet. ESP (IP protocol 50) and AH (IP protocol 51)
! are protocols, not ports, so they are matched with the esp/ahp keywords rather than
! "permit ip ... eq 50", which is not valid syntax.
access-list 102 permit esp 172.16.1.0 0.0.0.255 any
access-list 102 permit ahp 172.16.1.0 0.0.0.255 any
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 500
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 4500
!
! Route-map clauses are evaluated in sequence order and the first match wins,
! so IPsec traffic (seq 10) is policy-routed before web traffic (seq 50).
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 10
 match ip address 102
 set ip next-hop 172.16.255.253
!
route-map ROUTE-PROXY-TRAFFIC-POLICY permit 50
 match ip address 101
 set ip next-hop 172.16.255.252
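To make the first-match behaviour of the route-map above concrete, here is an added Python model of IOS policy-based routing (example code written for this page, not from the original post or from Cisco). It parses numbered extended ACEs with IOS wildcard semantics, walks the route-map clauses in sequence order and returns the next hop a packet would be given, or None when the packet falls through to normal routing. The Packet class, the flow names and the destination addresses (203.0.113.0/24 is a documentation range) are constructed for the example; the ACLs and next hops are the ones in the configuration above, with ESP and AH matched as protocols.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Subset of the service names IOS accepts after "eq" (constructed for this example).
PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53, "isakmp": 500}


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet summary: only the fields the ACLs look at."""
    src: str
    dst: str
    proto: str               # "tcp", "udp", "esp", "ahp", "icmp", ...
    dport: Optional[int] = None


def _wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tokens[i] == "host":
        return (tokens[i + 1], "0.0.0.0"), i + 2
    return (tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str):
    """Parse one numbered extended ACE into (acl_number, entry dict)."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ACE: {line!r}")
    acl, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        dport = PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return acl, {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def parse_acls(config_lines):
    """Group ACEs by ACL number, preserving configuration order."""
    acls = {}
    for raw in config_lines:
        line = raw.strip()
        if line.startswith("access-list"):
            acl, entry = parse_ace(line)
            acls.setdefault(acl, []).append(entry)
    return acls


def ace_matches(entry, pkt: Packet) -> bool:
    if entry["proto"] != "ip" and entry["proto"] != pkt.proto:
        return False
    if not _wildcard_match(pkt.src, *entry["src"]):
        return False
    if not _wildcard_match(pkt.dst, *entry["dst"]):
        return False
    return entry["dport"] is None or entry["dport"] == pkt.dport


def acl_permits(entries, pkt: Packet) -> bool:
    """First matching ACE decides; nothing matched means the implicit deny."""
    for e in entries:
        if ace_matches(e, pkt):
            return e["action"] == "permit"
    return False


def pbr_next_hop(route_map, acls, pkt: Packet) -> Optional[str]:
    """route_map: list of (sequence, acl_number, next_hop); lowest sequence first."""
    for _seq, acl, next_hop in sorted(route_map):
        if acl_permits(acls.get(acl, []), pkt):
            return next_hop
    return None  # no clause matched: the packet follows the normal routing table


# The ACLs and route-map from the configuration above (ESP/AH as protocol matches).
CONFIG = """
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 any eq 443
access-list 102 permit esp 172.16.1.0 0.0.0.255 any
access-list 102 permit ahp 172.16.1.0 0.0.0.255 any
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 500
access-list 102 permit udp 172.16.1.0 0.0.0.255 any eq 4500
""".strip().splitlines()
ACLS = parse_acls(CONFIG)
ROUTE_MAP = [(10, "102", "172.16.255.253"), (50, "101", "172.16.255.252")]

# Constructed sample flows; 203.0.113.5 is a documentation address.
SAMPLE_FLOWS = {
    "web": Packet("172.16.1.10", "203.0.113.5", "tcp", 443),
    "ike": Packet("172.16.1.10", "203.0.113.5", "udp", 500),
    "esp": Packet("172.16.1.10", "203.0.113.5", "esp"),
    "ssh": Packet("172.16.1.10", "203.0.113.5", "tcp", 22),
    "web_other_subnet": Packet("172.16.2.10", "203.0.113.5", "tcp", 80),
}


def classify_all():
    """Next hop each sample flow receives under the route-map (None = normal routing)."""
    return {name: pbr_next_hop(ROUTE_MAP, ACLS, p) for name, p in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, hop in classify_all().items():
        print(f"{name:18s} -> {hop or 'routing table'}")
```

Note that SSH from the wireless subnet and web traffic from 172.16.2.0/24 match no clause and are simply routed normally; if the intent is that every client must go via the proxy, the ACL source range has to cover every client subnet, and a deny in the ACL does not drop the packet, it only excludes it from policy routing.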


Visio Auto-Connect

29/12/2012

If you actively use Visio and are as fed up with AutoConnect as I was, this is for you!

Enable or disable AutoConnect in all drawings

  1. On the Tools menu, click Options.
  2. Click the General tab.
  3. Under Drawing window options, select or clear the Enable AutoConnect check box.


Banner MOTD #

29/12/2012

A banner should be an informational warning or notification, not a welcome to my device. I love a good banner and some ASCII art; it makes it all the more fun.

banner motd #
_~_
. / ^ -\ .
|\| (o) (o) |/|
|—–.OOOo–U–oOOO.——————|
|                                      |
|   * Authorised Access Only *       |
|                                      |
|_______________Oooo.__________________|
.oooO           (   )
(   )            ) /
\ (            (_/
\_)

This host is: $(hostname)

#
!


Cisco WLC 7.x future Wireless QOS capabilities

11/12/2012

I needed to look at a converged network/telephony strategy with Microsoft Lync, along with a request (not a requirement) for users to be able to use Lync telephony over a Cisco wireless solution. Thinking a little outside the box, I had got to the point of considering how to run ATM over a lightweight solution.

Along came AVC. It certainly looks like a great step forward and I can't wait to have an opportunity to play.

http://www.youtube.com/watch?feature=player_detailpage&v=h6ZLSc_lYEg

http://www.cisco.com/en/US/solutions/collateral/ns1015/ns483/ns780/at_a_glance_c45-649117.pdf



Cisco ASA ASDM logging filters

09/12/2012

I was looking at applying some filters to the ASDM logging viewer the other day and spent 5 minutes adding one of each type just to see what would appear in the configuration. It's pretty straightforward and very similar to Wireshark filters. NB: a ";" separates the clauses where multiple filters are applied.

ASA Firewall Filters:

# Only source IP: FILTER:srcIP=172.16.0.50
# Only port 21: FILTER:srcPort=21;
# Source IP and port 21: FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;
# Destination IP: FILTER:dstIP=10.206.164.41;
# Severity Level (4=WARNINGS): FILTER:sev=4;
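The filter strings above are easy to read back into logic. The following is an added Python example (written for this page, not ASDM's own code or part of the original post) that parses the FILTER:key=value; syntax and applies it to constructed ASA syslog lines, so the effect of combining clauses can be checked offline. It assumes the clauses are ANDed, that sev is an exact severity match, and it only extracts src/dst endpoints from the "src <if>:<ip>/<port> dst <if>:<ip>/<port>" layout used by access-list deny messages such as %ASA-4-106023; the sample lines, interface names and addresses are constructed.

```python
import re
from typing import Dict, List

# "%ASA-<severity>-<message id>:" prefix present on every ASA syslog line
_PREFIX = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):")
# Endpoint layout of access-list deny messages (106023); other layouts are not parsed
_ENDPOINTS = re.compile(
    r"src \S+?:(?P<srcIP>[\d.]+)/(?P<srcPort>\d+) dst \S+?:(?P<dstIP>[\d.]+)/(?P<dstPort>\d+)"
)


def parse_filter(spec: str) -> Dict[str, str]:
    """Turn 'FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;' into {'srcIP': ..., 'srcPort': ...}."""
    criteria = {}
    for clause in spec.split(";"):
        clause = clause.strip()
        if not clause:
            continue  # trailing ';' leaves an empty clause
        if not clause.startswith("FILTER:") or "=" not in clause:
            raise ValueError(f"malformed filter clause: {clause!r}")
        key, value = clause[len("FILTER:"):].split("=", 1)
        criteria[key.strip()] = value.strip()
    return criteria


def parse_syslog(line: str) -> Dict[str, str]:
    """Extract the fields a filter can refer to; fields the layout lacks are absent."""
    fields = {}
    m = _PREFIX.search(line)
    if m:
        fields.update(m.groupdict())
    m = _ENDPOINTS.search(line)
    if m:
        fields.update(m.groupdict())
    return fields


def matches(criteria: Dict[str, str], fields: Dict[str, str]) -> bool:
    """Every clause must hold (AND); a clause on a field the line lacks never matches."""
    return all(fields.get(key) == value for key, value in criteria.items())


def apply_filter(spec: str, lines: List[str]) -> List[str]:
    criteria = parse_filter(spec)
    return [line for line in lines if matches(criteria, parse_syslog(line))]


# Constructed sample lines (addresses from the post plus documentation ranges).
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src inside:172.16.0.50/21 dst outside:10.206.164.41/51234 '
    'by access-group "INSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:172.16.0.51/51235 dst outside:10.206.164.41/443 '
    'by access-group "INSIDE_IN" [0x0, 0x0]',
    '%ASA-6-106100: access-list INSIDE_IN permitted udp inside/172.16.0.50(53412) -> '
    'outside/198.51.100.7(53) hit-cnt 1 first hit [0x1, 0x0]',
]

# The five filters from the post, applied to the sample lines
PAGE_FILTERS = [
    "FILTER:srcIP=172.16.0.50",
    "FILTER:srcPort=21;",
    "FILTER:srcIP=172.16.0.50;FILTER:srcPort=21;",
    "FILTER:dstIP=10.206.164.41;",
    "FILTER:sev=4;",
]


def run_page_filters() -> Dict[str, int]:
    """Number of sample lines each of the post's filters keeps."""
    return {spec: len(apply_filter(spec, SAMPLE_LOG)) for spec in PAGE_FILTERS}


if __name__ == "__main__":
    for spec, count in run_page_filters().items():
        print(f"{spec:48s} -> {count} line(s)")
```

The third sample line has source 172.16.0.50 but uses the 106100 layout, which this parser does not extract endpoints from, so the srcIP filter does not return it: whichever tool evaluates a filter, it can only match on fields it actually parsed, which is worth remembering before concluding that a host generated no log entries.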


DMVPN with EIGRP

05/12/2012

hostname VPN-Router-1
!
! One keyring per front-door VRF (FVRF). The keyring names must match the
! "keyring" line of the ISAKMP profile that references them.
crypto keyring DMVPN-KEYRING-ONE vrf INET-PUBLIC-ONE
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco101
!
crypto keyring DMVPN-KEYRING-TWO vrf INET-PUBLIC-TWO
 pre-shared-key address 0.0.0.0 0.0.0.0 key cisco202
!
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
crypto isakmp profile ISAKMP-INET-PUBLIC-PROF-1
 keyring DMVPN-KEYRING-ONE
 match identity address 0.0.0.0 INET-PUBLIC-ONE
!
crypto isakmp profile ISAKMP-INET-PUBLIC-PROF-2
 keyring DMVPN-KEYRING-TWO
 match identity address 0.0.0.0 INET-PUBLIC-TWO
!
crypto ipsec transform-set AES256/SHA/TRANSPORT esp-aes 256 esp-sha-hmac
 mode transport
! transport mode is used for devices behind a NAT
!
! Each IPsec profile points at the ISAKMP profile defined above for its FVRF.
crypto ipsec profile DMVPN-PROFILE-ONE
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile ISAKMP-INET-PUBLIC-PROF-1
!
crypto ipsec profile DMVPN-PROFILE-TWO
 set transform-set AES256/SHA/TRANSPORT
 set isakmp-profile ISAKMP-INET-PUBLIC-PROF-2
!
interface Tunnel11
 bandwidth 10000
 ! set bandwidth to the available bandwidth (kbps)
 ip address 10.11.11.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC-ONE
 tunnel protection ipsec profile DMVPN-PROFILE-ONE
 ip nhrp authentication cisco111
 ip nhrp map multicast dynamic
 ip nhrp network-id 101
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip hello-interval eigrp 101 20
 ip hold-time eigrp 101 60
 no ip split-horizon eigrp 101
!
interface Tunnel12
 bandwidth 10000
 ! set bandwidth to the available bandwidth (kbps)
 ip address 10.12.12.1 255.255.255.0
 ! the tunnel source must sit in the tunnel's own FVRF; a second WAN
 ! interface in INET-PUBLIC-TWO is assumed here
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel vrf INET-PUBLIC-TWO
 tunnel protection ipsec profile DMVPN-PROFILE-TWO
 ip nhrp authentication cisco222
 ip nhrp map multicast dynamic
 ! each mGRE tunnel needs its own NHRP network-id
 ip nhrp network-id 102
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip hello-interval eigrp 101 20
 ip hold-time eigrp 101 60
 no ip split-horizon eigrp 101
!
! DMVPN EIGRP process: runs over both tunnels only
router eigrp 101
 network 10.11.11.0 0.0.0.255
 network 10.12.12.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel11
 no passive-interface Tunnel12
 eigrp router-id 10.11.11.1
 no auto-summary
 ! replace [EIGRP AS] with the internal EIGRP AS number
 redistribute eigrp [EIGRP AS] route-map SET-ROUTE-TAG-DMVPN
!
! Internal EIGRP process: learns the DMVPN routes from process 101
router eigrp 100
 redistribute eigrp 101
!
route-map SET-ROUTE-TAG-DMVPN permit 10
 match interface Tunnel11 Tunnel12
 ! "set tag" takes a number (0-4294967295), not a name; 101 is used here
 ! as the DMVPN tag and is an assumption
 set tag 101
!



Export Netflow over IPSEC

02/12/2012

One of my earlier posts covered routing NetFlow exports to a server over IPsec. The method covered there relied on GRE tunnels and loopback interfaces to forward the export to a central router, which in turn forwarded it on to the collector.

The question of why bother, rather than just using a Cisco ASA to terminate the VPN, could be raised, and I guess the requirements and the outgoing connectivity will have a bearing on that. However, the ASA will support exporting NetFlow over an IPsec tunnel with no funky workarounds. The two key things to remember are:

Add the collector to your INSIDE interface

Ensure the collector is covered by Interesting traff