ASA 5585-X multiple bridge-groups expected behaviour

Hi all,
suppose a deploy of an asa5585-x in transparent mode made by two bridge-groups (2 interfaces each).
Now suppose that a new traffic flow in direction north-south traverses the bvi1. What's the expected behavior if the traffic going back (south-north) will traverse the bvi2? Will be that traffic correctly recognized as part of the flow previously detected?
Regards.
A.M.

Discovered today that the 'fix' I mention above is more of a workaround, because when I initiated a manual failover for one of the failover groups, the alerts returned. And the failover status was again on Normal (Waiting) for a couple of monitored logical interfaces.
I was able to workaround the problem as described above.

Similar Messages

Can single interface accomodates multiple bridge groups

Hi,
I am working on building FW configuration to serve multiple tier environment. The FW is in Transparent Mode, Sw Ver 8.4 which supports Bridge-group.
My question is, whether FW supports having mutilple Bridge-groups under single interface. If not, what are the alternatives.
firewall transparent
interface gi0/0
nameif outside
security-level 0
bridge-group-1
bridge-group-2
interface gi0/1
nameif WebServers
security-level 50
bridge-group-1
interface e0/2
nameif AppServers
security-level 100
bridge-group-2
Thanks

Hello,
That is not possible, Each interface will need to be assigned to a specific bridge group..
Alternative would be to use a dedicated pair of interfaces for each bridge group
Regards,
Julio

Multiple VLANSs with 1 bridge group for DLSw+

I am working on a network with a DLSw+ on a 6500 MSFC with multiple VLANs. There is one bridge group and it is mapped to DLSw + and to each VLAN. It is working, but I want to know if there is an and advantage placing each VLAN in it's own bridge group and mapping each bridge group to DLSw+.
I have an example of the config I am referring to below: I would appreciate any feedback or comments on this.
bridge 1 protocol ieee
dlsw local-peer peer-id 10.88.1.2 group 1 border promiscuous
dlsw bridge-group 1
dlsw bridge-group 2
dlsw bridge-group 3
dlsw bridge-group 4
dlsw bridge-group 5
dlsw bridge-group 6
dlsw bridge-group 7
dlsw bridge-group 8
int vlan 10
bridge-group 1
int vlan 11
bridge-group 2
int vlan 12
bridge-group 3
int vlan 13
bridge-group 4
int vlan 14
bridge-group 5
int vlan 15
bridge-group 6
int vlan 16
bridge-group 7
int vlan 199
bridge-group 8
Thanks,
Bruce

exactly.
When the router receives bridged packet whose destination MAC address is not on the router's bridge table, the router will flood the packet to all the VLANs if all the VLANs are on the same bridge group. Similary, the router forwards broadcast traffic to all VLANs.
If different VLANs are under different bridge group, the traffic mentioned above is noly forwarded to DLSw.l

VCenter Single Sign-On Permissions Assignment for Members of Multiple AD Groups

Hi all,
I ran across an interesting issue whilst assigning permissions using Active Directory groups within vCenter.
Environment
1 vCenter Appliance managing 2 Datacenters (1 Datacenter with 2 Clusters, 1 Cluster with 2 Hosts, 1 Cluster with 4 Hosts, 1 Datacenter with 1 Cluster containing 1 host.)
vCenter has an SSO Identity Source configured using Active Directory (Integrated Windows Authentication).
vCenter and all hosts are domain members of child1.parent.com.au
The Active Directory Forest contains a parent domain, let's call it parent.com.au, and two child domains child1.parent.com.au and child2.parent.com.au.
Although the Identity Source was configured for my child domain, using child domain credentials it added the parent domain and subsequently both child domains. Okay, so there are trusts, I'm okay with this. The interesting issue is yet to come.
Two Active Directory Groups were added. Deployment Admins A and Deployment Admins B.
Two vCenter Roles were created with similar names. VM Deployers A and VM Deployers B
Deployment Admins A was assigned the Deployers A role to Cluster A (Cluster, VM Folders, Datastore Folders)
Deployment Admins B was assigned the Deployers B role to Cluster B (Cluster, VM Folders, Datastore Folders)
Note: No objects overlap. All hosts, vms and datastores are isolated to each cluster.
So the next step is assign an child1 AD User to the Deployment Admins A group. As expected the user using credentials child1\user can connect to vCenter via the VI Client and see all the relevant objects. Great!
So now I assign the same child1 AD user to the second AD group Deployment Admins B. Now we wait and nothing happens. The permissions don't change. The user logs out and logs back in using the same credentials and still the permissions don't change.
So I remove the user from both AD groups and get them to log out and in and sure enough they can't.
This time I assign the child1\user account the roles as set out previously. So child1\user account is assigned to both roles in place of each AD Group. The expected behaviour is observed. As I add the second permission set, the objects become visible within the VI client.
Okay so now I remove the explicitly assigned permissions and reassign via the groups and this time I ask the user to log in via the UPN ([email protected]). Whoa! It works.
So it seems that assigning permissions for the same user in multiple AD groups across multiple roles can only be achieved when the user uses a UPN login to the VI Client.
Has anybody else found this to be the case?
If so, were you able to fix it?

Hello,
I have found this to be the case and think it is more due to SSO than AD. If you look at how you login as the 'administrator' when you first configure SSO it is in effect using UPN. I would raise this as a case to VMware and make sure they are aware of the issue. There are some issues with SSO being worked each day.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

ASA 5585 setting unchecked

i am seeing a strange issue on 2 of my Cisco ASA 5585s
randomly the "Enable inbound VPN sessions to bypass interface access list. Group...." setting is getting unchecked.
i have verified that no one is logging into the system
is this a bug in the firmware or the ASDM ?

Hi,
I have not run into this issue atleast.
First and only thing that comes to mind is that someone is using the ASDMs VPN Wizard to configure new VPN connections and during that changes this Global Setting that you mention.
On the CLI format the command is
sysopt connection permit-vpn
The above is the default setting and will mean that any traffic coming through a VPN connection will bypass the interface ACL of the interface where the VPN is connected to.
The below form of the command changes the behaviour of the ASA so that any connection will need to be allowed in the interface ACL of the interface where the VPN is connected to.
no sysopt connection permit-vpn
You can view the current setting (among all the other system option settings) with
show run all sysopt
- Jouni

Sliding Window Table Partitioning Problems with RANGE RIGHT, SPLIT, MERGE using Multiple File Groups

There is misleading information in two system views (sys.data_spaces & sys.destination_data_spaces) about the physical location of data after a partitioning MERGE and before an INDEX REBUILD operation on a partitioned table. In SQL Server 2012 SP1 CU6,
the script below (SQLCMD mode, set DataDrive & LogDrive variables for the runtime environment) will create a test database with file groups and files to support a partitioned table. The partition function and scheme spread the test data across
4 files groups, an empty partition, file group and file are maintained at the start and end of the range. A problem occurs after the SWITCH and MERGE RANGE operations, the views sys.data_spaces & sys.destination_data_spaces show the logical, not the physical,
location of data.
--=================================================================================
-- PartitionLabSetup_RangeRight.sql
-- 001. Create test database
-- 002. Add file groups and files
-- 003. Create partition function and schema
-- 004. Create and populate a test table
--=================================================================================
USE [master]
GO
-- 001 - Create Test Database
:SETVAR DataDrive "D:\SQL\Data\"
:SETVAR LogDrive "D:\SQL\Logs\"
:SETVAR DatabaseName "workspace"
:SETVAR TableName "TestTable"
-- Drop if exists and create Database
IF DATABASEPROPERTYEX(N'$(databasename)','Status') IS NOT NULL
BEGIN
ALTER DATABASE $(DatabaseName) SET SINGLE_USER WITH ROLLBACK IMMEDIATE
DROP DATABASE $(DatabaseName)
END
CREATE DATABASE $(DatabaseName)
ON
( NAME = $(DatabaseName)_data,
FILENAME = N'$(DataDrive)$(DatabaseName)_data.mdf',
SIZE = 10,
MAXSIZE = 500,
FILEGROWTH = 5 )
LOG ON
( NAME = $(DatabaseName)_log,
FILENAME = N'$(LogDrive)$(DatabaseName).ldf',
SIZE = 5MB,
MAXSIZE = 5000MB,
FILEGROWTH = 5MB ) ;
GO
-- 002. Add file groups and files
--:SETVAR DatabaseName "workspace"
--:SETVAR TableName "TestTable"
--:SETVAR DataDrive "D:\SQL\Data\"
--:SETVAR LogDrive "D:\SQL\Logs\"
DECLARE @nSQL NVARCHAR(2000) ;
DECLARE @x INT = 1;
WHILE @x <= 6
BEGIN
SELECT @nSQL =
'ALTER DATABASE $(DatabaseName)
ADD FILEGROUP $(TableName)_fg' + RTRIM(CAST(@x AS CHAR(5))) + ';
ALTER DATABASE $(DatabaseName)
ADD FILE
NAME= ''$(TableName)_f' + CAST(@x AS CHAR(5)) + ''',
FILENAME = ''$(DataDrive)\$(TableName)_f' + RTRIM(CAST(@x AS CHAR(5))) + '.ndf''
TO FILEGROUP $(TableName)_fg' + RTRIM(CAST(@x AS CHAR(5))) + ';'
EXEC sp_executeSQL @nSQL;
SET @x = @x + 1;
END
-- 003. Create partition function and schema
--:SETVAR TableName "TestTable"
--:SETVAR DatabaseName "workspace"
USE $(DatabaseName);
CREATE PARTITION FUNCTION $(TableName)_func (int)
AS RANGE RIGHT FOR VALUES
0,
15,
30,
45,
60
CREATE PARTITION SCHEME $(TableName)_scheme
AS
PARTITION $(TableName)_func
TO
$(TableName)_fg1,
$(TableName)_fg2,
$(TableName)_fg3,
$(TableName)_fg4,
$(TableName)_fg5,
$(TableName)_fg6
-- Create TestTable
--:SETVAR TableName "TestTable"
--:SETVAR BackupDrive "D:\SQL\Backups\"
--:SETVAR DatabaseName "workspace"
CREATE TABLE [dbo].$(TableName)(
[Partition_PK] [int] NOT NULL,
[GUID_PK] [uniqueidentifier] NOT NULL,
[CreateDate] [datetime] NULL,
[CreateServer] [nvarchar](50) NULL,
[RandomNbr] [int] NULL,
CONSTRAINT [PK_$(TableName)] PRIMARY KEY CLUSTERED
[Partition_PK] ASC,
[GUID_PK] ASC
) ON $(TableName)_scheme(Partition_PK)
) ON $(TableName)_scheme(Partition_PK)
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_GUID_PK] DEFAULT (newid()) FOR [GUID_PK]
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_CreateDate] DEFAULT (getdate()) FOR [CreateDate]
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_CreateServer] DEFAULT (@@servername) FOR [CreateServer]
-- 004. Create and populate a test table
-- Load TestTable Data - Seconds 0-59 are used as the Partitoning Key
--:SETVAR TableName "TestTable"
SET NOCOUNT ON;
DECLARE @Now DATETIME = GETDATE()
WHILE @Now > DATEADD(minute,-1,GETDATE())
BEGIN
INSERT INTO [dbo].$(TableName)
([Partition_PK]
,[RandomNbr])
VALUES
DATEPART(second,GETDATE())
,ROUND((RAND() * 100),0)
END
-- Confirm table partitioning - http://lextonr.wordpress.com/tag/sys-destination_data_spaces/
SELECT
N'DatabaseName' = DB_NAME()
, N'SchemaName' = s.name
, N'TableName' = o.name
, N'IndexName' = i.name
, N'IndexType' = i.type_desc
, N'PartitionScheme' = ps.name
, N'DataSpaceName' = ds.name
, N'DataSpaceType' = ds.type_desc
, N'PartitionFunction' = pf.name
, N'PartitionNumber' = dds.destination_id
, N'BoundaryValue' = prv.value
, N'RightBoundary' = pf.boundary_value_on_right
, N'PartitionFileGroup' = ds2.name
, N'RowsOfData' = p.[rows]
FROM
sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
INNER JOIN sys.partitions AS p
ON o.[object_id] = p.[object_id]
INNER JOIN sys.indexes AS i
ON p.[object_id] = i.[object_id]
AND p.index_id = i.index_id
INNER JOIN sys.data_spaces AS ds
ON i.data_space_id = ds.data_space_id
INNER JOIN sys.partition_schemes AS ps
ON ds.data_space_id = ps.data_space_id
INNER JOIN sys.partition_functions AS pf
ON ps.function_id = pf.function_id
LEFT OUTER JOIN sys.partition_range_values AS prv
ON pf.function_id = prv.function_id
AND p.partition_number = prv.boundary_id
LEFT OUTER JOIN sys.destination_data_spaces AS dds
ON ps.data_space_id = dds.partition_scheme_id
AND p.partition_number = dds.destination_id
LEFT OUTER JOIN sys.data_spaces AS ds2
ON dds.data_space_id = ds2.data_space_id
ORDER BY
DatabaseName
,SchemaName
,TableName
,IndexName
,PartitionNumber
--=================================================================================
-- SECTION 2 - SWITCH OUT
-- 001 - Create TestTableOut
-- 002 - Switch out partition in range 0-14
-- 003 - Merge range 0 -29
-- 001. TestTableOut
:SETVAR TableName "TestTable"
IF OBJECT_ID('dbo.$(TableName)Out') IS NOT NULL
DROP TABLE [dbo].[$(TableName)Out]
CREATE TABLE [dbo].[$(TableName)Out](
[Partition_PK] [int] NOT NULL,
[GUID_PK] [uniqueidentifier] NOT NULL,
[CreateDate] [datetime] NULL,
[CreateServer] [nvarchar](50) NULL,
[RandomNbr] [int] NULL,
CONSTRAINT [PK_$(TableName)Out] PRIMARY KEY CLUSTERED
[Partition_PK] ASC,
[GUID_PK] ASC
) ON $(TableName)_fg2;
GO
-- 002 - Switch out partition in range 0-14
--:SETVAR TableName "TestTable"
ALTER TABLE dbo.$(TableName)
SWITCH PARTITION 2 TO dbo.$(TableName)Out;
-- 003 - Merge range 0 - 29
--:SETVAR TableName "TestTable"
ALTER PARTITION FUNCTION $(TableName)_func()
MERGE RANGE (15);
-- Confirm table partitioning
-- Original source of this query - http://lextonr.wordpress.com/tag/sys-destination_data_spaces/
SELECT
N'DatabaseName' = DB_NAME()
, N'SchemaName' = s.name
, N'TableName' = o.name
, N'IndexName' = i.name
, N'IndexType' = i.type_desc
, N'PartitionScheme' = ps.name
, N'DataSpaceName' = ds.name
, N'DataSpaceType' = ds.type_desc
, N'PartitionFunction' = pf.name
, N'PartitionNumber' = dds.destination_id
, N'BoundaryValue' = prv.value
, N'RightBoundary' = pf.boundary_value_on_right
, N'PartitionFileGroup' = ds2.name
, N'RowsOfData' = p.[rows]
FROM
sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
INNER JOIN sys.partitions AS p
ON o.[object_id] = p.[object_id]
INNER JOIN sys.indexes AS i
ON p.[object_id] = i.[object_id]
AND p.index_id = i.index_id
INNER JOIN sys.data_spaces AS ds
ON i.data_space_id = ds.data_space_id
INNER JOIN sys.partition_schemes AS ps
ON ds.data_space_id = ps.data_space_id
INNER JOIN sys.partition_functions AS pf
ON ps.function_id = pf.function_id
LEFT OUTER JOIN sys.partition_range_values AS prv
ON pf.function_id = prv.function_id
AND p.partition_number = prv.boundary_id
LEFT OUTER JOIN sys.destination_data_spaces AS dds
ON ps.data_space_id = dds.partition_scheme_id
AND p.partition_number = dds.destination_id
LEFT OUTER JOIN sys.data_spaces AS ds2
ON dds.data_space_id = ds2.data_space_id
ORDER BY
DatabaseName
,SchemaName
,TableName
,IndexName
,PartitionNumber
The table below shows the results of the ‘Confirm Table Partitioning’ query, before and after the MERGE.
The T-SQL code below illustrates the problem.
-- PartitionLab_RangeRight
USE workspace;
DROP TABLE dbo.TestTableOut;
USE master;
ALTER DATABASE workspace
REMOVE FILE TestTable_f3 ;
-- ERROR
--Msg 5042, Level 16, State 1, Line 1
--The file 'TestTable_f3 ' cannot be removed because it is not empty.
ALTER DATABASE workspace
REMOVE FILE TestTable_f2 ;
-- Works surprisingly!!
use workspace;
ALTER INDEX [PK_TestTable] ON [dbo].[TestTable] REBUILD PARTITION = 2;
--Msg 622, Level 16, State 3, Line 2
--The filegroup "TestTable_fg2" has no files assigned to it. Tables, indexes, text columns, ntext columns, and image columns cannot be populated on this filegroup until a file is added.
--The statement has been terminated.
If you run ALTER INDEX REBUILD before trying to remove files from File Group 3, it works. Rerun the database setup script then the code below.
-- RANGE RIGHT
-- Rerun PartitionLabSetup_RangeRight.sql before the code below
USE workspace;
DROP TABLE dbo.TestTableOut;
ALTER INDEX [PK_TestTable] ON [dbo].[TestTable] REBUILD PARTITION = 2;
USE master;
ALTER DATABASE workspace
REMOVE FILE TestTable_f3;
-- Works as expected!!
The file in File Group 2 appears to contain data but it can be dropped. Although the system views are reporting the data in File Group 2, it still physically resides in File Group 3 and isn’t moved until the index is rebuilt. The RANGE RIGHT function means
the left file group (File Group 2) is retained when splitting ranges.
RANGE LEFT would have retained the data in File Group 3 where it already resided, no INDEX REBUILD is necessary to effectively complete the MERGE operation. The script below implements the same partitioning strategy (data distribution between partitions)
on the test table but uses different boundary definitions and RANGE LEFT.
--=================================================================================
-- PartitionLabSetup_RangeLeft.sql
-- 001. Create test database
-- 002. Add file groups and files
-- 003. Create partition function and schema
-- 004. Create and populate a test table
--=================================================================================
USE [master]
GO
-- 001 - Create Test Database
:SETVAR DataDrive "D:\SQL\Data\"
:SETVAR LogDrive "D:\SQL\Logs\"
:SETVAR DatabaseName "workspace"
:SETVAR TableName "TestTable"
-- Drop if exists and create Database
IF DATABASEPROPERTYEX(N'$(databasename)','Status') IS NOT NULL
BEGIN
ALTER DATABASE $(DatabaseName) SET SINGLE_USER WITH ROLLBACK IMMEDIATE
DROP DATABASE $(DatabaseName)
END
CREATE DATABASE $(DatabaseName)
ON
( NAME = $(DatabaseName)_data,
FILENAME = N'$(DataDrive)$(DatabaseName)_data.mdf',
SIZE = 10,
MAXSIZE = 500,
FILEGROWTH = 5 )
LOG ON
( NAME = $(DatabaseName)_log,
FILENAME = N'$(LogDrive)$(DatabaseName).ldf',
SIZE = 5MB,
MAXSIZE = 5000MB,
FILEGROWTH = 5MB ) ;
GO
-- 002. Add file groups and files
--:SETVAR DatabaseName "workspace"
--:SETVAR TableName "TestTable"
--:SETVAR DataDrive "D:\SQL\Data\"
--:SETVAR LogDrive "D:\SQL\Logs\"
DECLARE @nSQL NVARCHAR(2000) ;
DECLARE @x INT = 1;
WHILE @x <= 6
BEGIN
SELECT @nSQL =
'ALTER DATABASE $(DatabaseName)
ADD FILEGROUP $(TableName)_fg' + RTRIM(CAST(@x AS CHAR(5))) + ';
ALTER DATABASE $(DatabaseName)
ADD FILE
NAME= ''$(TableName)_f' + CAST(@x AS CHAR(5)) + ''',
FILENAME = ''$(DataDrive)\$(TableName)_f' + RTRIM(CAST(@x AS CHAR(5))) + '.ndf''
TO FILEGROUP $(TableName)_fg' + RTRIM(CAST(@x AS CHAR(5))) + ';'
EXEC sp_executeSQL @nSQL;
SET @x = @x + 1;
END
-- 003. Create partition function and schema
--:SETVAR TableName "TestTable"
--:SETVAR DatabaseName "workspace"
USE $(DatabaseName);
CREATE PARTITION FUNCTION $(TableName)_func (int)
AS RANGE LEFT FOR VALUES
-1,
14,
29,
44,
59
CREATE PARTITION SCHEME $(TableName)_scheme
AS
PARTITION $(TableName)_func
TO
$(TableName)_fg1,
$(TableName)_fg2,
$(TableName)_fg3,
$(TableName)_fg4,
$(TableName)_fg5,
$(TableName)_fg6
-- Create TestTable
--:SETVAR TableName "TestTable"
--:SETVAR BackupDrive "D:\SQL\Backups\"
--:SETVAR DatabaseName "workspace"
CREATE TABLE [dbo].$(TableName)(
[Partition_PK] [int] NOT NULL,
[GUID_PK] [uniqueidentifier] NOT NULL,
[CreateDate] [datetime] NULL,
[CreateServer] [nvarchar](50) NULL,
[RandomNbr] [int] NULL,
CONSTRAINT [PK_$(TableName)] PRIMARY KEY CLUSTERED
[Partition_PK] ASC,
[GUID_PK] ASC
) ON $(TableName)_scheme(Partition_PK)
) ON $(TableName)_scheme(Partition_PK)
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_GUID_PK] DEFAULT (newid()) FOR [GUID_PK]
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_CreateDate] DEFAULT (getdate()) FOR [CreateDate]
ALTER TABLE [dbo].$(TableName) ADD CONSTRAINT [DF_$(TableName)_CreateServer] DEFAULT (@@servername) FOR [CreateServer]
-- 004. Create and populate a test table
-- Load TestTable Data - Seconds 0-59 are used as the Partitoning Key
--:SETVAR TableName "TestTable"
SET NOCOUNT ON;
DECLARE @Now DATETIME = GETDATE()
WHILE @Now > DATEADD(minute,-1,GETDATE())
BEGIN
INSERT INTO [dbo].$(TableName)
([Partition_PK]
,[RandomNbr])
VALUES
DATEPART(second,GETDATE())
,ROUND((RAND() * 100),0)
END
-- Confirm table partitioning - http://lextonr.wordpress.com/tag/sys-destination_data_spaces/
SELECT
N'DatabaseName' = DB_NAME()
, N'SchemaName' = s.name
, N'TableName' = o.name
, N'IndexName' = i.name
, N'IndexType' = i.type_desc
, N'PartitionScheme' = ps.name
, N'DataSpaceName' = ds.name
, N'DataSpaceType' = ds.type_desc
, N'PartitionFunction' = pf.name
, N'PartitionNumber' = dds.destination_id
, N'BoundaryValue' = prv.value
, N'RightBoundary' = pf.boundary_value_on_right
, N'PartitionFileGroup' = ds2.name
, N'RowsOfData' = p.[rows]
FROM
sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
INNER JOIN sys.partitions AS p
ON o.[object_id] = p.[object_id]
INNER JOIN sys.indexes AS i
ON p.[object_id] = i.[object_id]
AND p.index_id = i.index_id
INNER JOIN sys.data_spaces AS ds
ON i.data_space_id = ds.data_space_id
INNER JOIN sys.partition_schemes AS ps
ON ds.data_space_id = ps.data_space_id
INNER JOIN sys.partition_functions AS pf
ON ps.function_id = pf.function_id
LEFT OUTER JOIN sys.partition_range_values AS prv
ON pf.function_id = prv.function_id
AND p.partition_number = prv.boundary_id
LEFT OUTER JOIN sys.destination_data_spaces AS dds
ON ps.data_space_id = dds.partition_scheme_id
AND p.partition_number = dds.destination_id
LEFT OUTER JOIN sys.data_spaces AS ds2
ON dds.data_space_id = ds2.data_space_id
ORDER BY
DatabaseName
,SchemaName
,TableName
,IndexName
,PartitionNumber
--=================================================================================
-- SECTION 2 - SWITCH OUT
-- 001 - Create TestTableOut
-- 002 - Switch out partition in range 0-14
-- 003 - Merge range 0 -29
-- 001. TestTableOut
:SETVAR TableName "TestTable"
IF OBJECT_ID('dbo.$(TableName)Out') IS NOT NULL
DROP TABLE [dbo].[$(TableName)Out]
CREATE TABLE [dbo].[$(TableName)Out](
[Partition_PK] [int] NOT NULL,
[GUID_PK] [uniqueidentifier] NOT NULL,
[CreateDate] [datetime] NULL,
[CreateServer] [nvarchar](50) NULL,
[RandomNbr] [int] NULL,
CONSTRAINT [PK_$(TableName)Out] PRIMARY KEY CLUSTERED
[Partition_PK] ASC,
[GUID_PK] ASC
) ON $(TableName)_fg2;
GO
-- 002 - Switch out partition in range 0-14
--:SETVAR TableName "TestTable"
ALTER TABLE dbo.$(TableName)
SWITCH PARTITION 2 TO dbo.$(TableName)Out;
-- 003 - Merge range 0 - 29
:SETVAR TableName "TestTable"
ALTER PARTITION FUNCTION $(TableName)_func()
MERGE RANGE (14);
-- Confirm table partitioning
-- Original source of this query - http://lextonr.wordpress.com/tag/sys-destination_data_spaces/
SELECT
N'DatabaseName' = DB_NAME()
, N'SchemaName' = s.name
, N'TableName' = o.name
, N'IndexName' = i.name
, N'IndexType' = i.type_desc
, N'PartitionScheme' = ps.name
, N'DataSpaceName' = ds.name
, N'DataSpaceType' = ds.type_desc
, N'PartitionFunction' = pf.name
, N'PartitionNumber' = dds.destination_id
, N'BoundaryValue' = prv.value
, N'RightBoundary' = pf.boundary_value_on_right
, N'PartitionFileGroup' = ds2.name
, N'RowsOfData' = p.[rows]
FROM
sys.objects AS o
INNER JOIN sys.schemas AS s
ON o.[schema_id] = s.[schema_id]
INNER JOIN sys.partitions AS p
ON o.[object_id] = p.[object_id]
INNER JOIN sys.indexes AS i
ON p.[object_id] = i.[object_id]
AND p.index_id = i.index_id
INNER JOIN sys.data_spaces AS ds
ON i.data_space_id = ds.data_space_id
INNER JOIN sys.partition_schemes AS ps
ON ds.data_space_id = ps.data_space_id
INNER JOIN sys.partition_functions AS pf
ON ps.function_id = pf.function_id
LEFT OUTER JOIN sys.partition_range_values AS prv
ON pf.function_id = prv.function_id
AND p.partition_number = prv.boundary_id
LEFT OUTER JOIN sys.destination_data_spaces AS dds
ON ps.data_space_id = dds.partition_scheme_id
AND p.partition_number = dds.destination_id
LEFT OUTER JOIN sys.data_spaces AS ds2
ON dds.data_space_id = ds2.data_space_id
ORDER BY
DatabaseName
,SchemaName
,TableName
,IndexName
,PartitionNumber
The table below shows the results of the ‘Confirm Table Partitioning’ query, before and after the MERGE.
The data in the File and File Group to be dropped (File Group 2) has already been switched out; File Group 3 contains the data so no index rebuild is needed to move data and complete the MERGE.
RANGE RIGHT would not be a problem in a ‘Sliding Window’ if the same file group is used for all partitions, when they are created and dropped it introduces a dependency on full index rebuilds. Larger tables are typically partitioned and a full index rebuild
might be an expensive operation. I’m not sure how a RANGE RIGHT partitioning strategy could be implemented, with an ascending partitioning key, using multiple file groups without having to move data. Using a single file group (multiple files) for all partitions
within a table would avoid physically moving data between file groups; no index rebuild would be necessary to complete a MERGE and system views would accurately reflect the physical location of data.
If a RANGE RIGHT partition function is used, the data is physically in the wrong file group after the MERGE assuming a typical ascending partitioning key, and the 'Data Spaces' system views might be misleading. Thanks to Manuj and Chris for a lot of help
investigating this.
NOTE 10/03/2014 - The solution
The solution is so easy it's embarrassing, I was using the wrong boundary points for the MERGE (both RANGE LEFT & RANGE RIGHT) to get rid of historic data.
-- Wrong Boundary Point Range Right
--ALTER PARTITION FUNCTION $(TableName)_func()
--MERGE RANGE (15);
-- Wrong Boundary Point Range Left
--ALTER PARTITION FUNCTION $(TableName)_func()
--MERGE RANGE (14);
-- Correct Boundary Pounts for MERGE
ALTER PARTITION FUNCTION $(TableName)_func()
MERGE RANGE (0); -- or -1 for RANGE LEFT
The empty, switched out partition (on File Group 2) is then MERGED with the empty partition maintained at the start of the range and no data movement is necessary. I retract the suggestion that a problem exists with RANGE RIGHT Sliding Windows using multiple
file groups and apologize :-)

Hi Paul Brewer,
Thanks for your post and glad to hear that the issue is resolved. It is kind of you post a reply to share your solution. That way, other community members could benefit from your sharing.
Regards.
Sofiya Li
Sofiya Li
TechNet Community Support

Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

Hi,
I have another problem - after upgrade ios wirelles connection not work.
After reload i have :
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
STP: Unable to get the port parameters.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
SETUP: new interface NVI0 placed in "shutdown" state
my old configuration work propertly in the old software, but after update i have notificatio.
Old thread:
https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
my current sh run:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname cisco
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s.
aaa new-model
aaa session-id common
dot11 syslog
dot11 ssid ciscowifi
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 050D031D26595D0617
dot11 wpa handshake timeout 500
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
ip dhcp pool CLIENT
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
dns-server 8.8.8.8 194.204.159.1 194.204.152.34
lease 0 2
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
username marek password 7 00121A0908500A
archive
log config
hidekeys
ip tcp path-mtu-discovery
bridge irb
interface ATM0
description Polaczenie ADSL do ISP$ES_WAN$
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
hold-queue 224 in
interface FastEthernet0
description Edzia
interface FastEthernet1
description dom
interface FastEthernet2
description Dziadek
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip redirects
ip local-proxy-arp
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid ciscowifi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU indoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
description ciscowifi
encapsulation dot1Q 1 native
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
description Interfejs dzwoniacy
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
interface BVI1
description Polaczenie dla sieci LAN
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22
logging trap debugging
logging 192.168.56.10
access-list 100 permit ip 192.168.56.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
snmp-server community ciskacz RO
snmp-server chassis-id ciskacz
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input ssh
scheduler max-task-time 5000
end
please help - thanks!

Hello Marek,
I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
Remove the Dot11Radio0.1 subinterface entirely
In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
In the dot11 ssid ciscowifi section, remove the vlan 1 command
After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
Best regards,
Peter

Rsrb with multiple ring groups on head ends with one phy ring?

working on an issue for a customer and I cant find good documentation on this anywhere for multiple ring-groups
have 2 routers, each with 2 ring groups connected on a mau terminating multiple serial connections (wan, hence the rsrb) and utilizing rsrb tcp with local ack. The configuration was done sometime ago. It was set up to utilize frame which now they are using ptp t1s. I see in the remote routers they are forwarding pakcets to both routers to ring 20. (there are 2 routers if one fails then it is meant to learn its path to the CIP through the other router)
---------router1
source-bridge ring-group 30
source-bridge ring-group 31
blahblah peers tcp local-ack
int t0
source-bridge 20 1 30 <----notice bridge 1
source-bridge spanning
int t1
source-bridge 20 1 31 <----notice bridge 1
source-bridge spanning
--------router2
source-bridge ring-group 30
source-bridge ring-group 31
blahblah peers tcp local-ack
int t0
source-bridge 20 2 30 <----notice bridge 2
source-bridge spanning
int t1
source-bridge 20 2 31 <----notice bridge 2
source-bridge spanning
I thought the physical rings had to be different in order to run parrallel links. Or are different bridge #'s feasible? The end issue they are having is that when links bounce, they are not releasing the tcp session and the show llc shows remote sides as busy and the head end as connected. (then obviously removal of local ack fixed the issue)
Not ready to live without local ack... could the same ring # on both routers be the issue since they are on the same mau and destined for the same location?
==MAU to CIP==
| | | | all physical connection on mau are ring 20
router1 router2
| | | | | ring groups 30 and 31 configured on both routers with 1 statement to each router in the network per router (so each remote side is only connected to either ring group 30 or 31 (not both since you can only do over token ring) and the show source-bridge is showing forwards to each head end router's physical ring 20. I thought I would see one with forwards the other 0 since first response, but then saw the bridge # differed.)

case was opened over a month ago with no luck or serious help. Have had great luck in the past with tac, but this one was frustrating and nothing was done.
case#D039413
And the remote routers connect directly to the cip with LLC2. (end to end connection, not remote to router 1 and 2 to CIP)
show llc shows the local mac of the gateway and the cip token.
the network goes like this
rr = remote router
fr= frame relay
ptp= ptp t1
rtr1 and rtr2 = router 1 and 2
rr--fr--rr--ptp--rtr1 and rtr2 ---rr---cip
I have tried numerous things on this and its apparent that the only option is dlsw and I have pressed the issue enough to start on it with test segments.
my theory was when the host queried the gateway, its first reply was local-ack on rtr2 (could be rtr1 but for theory we will say rtr2) which was giving back RR and the other end was actually in a disconnect state and sending rnr's to the rtr1 (in this exapmple the host was talking thru rtr2 to the remote side and the remote side was trying the opposite router) which local ack would reply to the supervisor frames
what was causing the problems in my opinion is the host provider does not utilize local ack since they only have lanned token rings and the customer provides their own wan routers. So the explorer would be answered quicker by the other router and that would be the source route bridged path to the remote side, where the other sides local ack and rif cache was routing through the opposite router. Unfortunately the site where we collected the data on I can not test since I have transitioned it to dlsw to solve their issues and show them the benfits of dlsw

Establishing multiple recipient group in Mail?

I need to establish a contact list for a large group of people to whom I will be sending out weekly emails. Is there a way to simply paste in all of the email addresses at once into the BCC field and then somehow set all of those recipients as a single 'group' that I can reuse again without having to repaste in all the addresses each time?
Alternatively, it appears that Apple Mail expects you to use your Address Book to establish email groups. Honestly, I would rather not have all of these people in my Address Book, since I don't even know most of them. But, in the event that using the Address Book is the only way to set up a multiple recipient group, is there a way to, again, paste in all of the addresses at once rather than having to edit each recipient separately? I only have the email addresses (no names or other info) in an Excel spreadsheet. I've tried importing via csv and that failed miserably.
Any suggests are welcome

Greetings,
Is there a way to simply paste in all of the email addresses at once into the BCC field and then somehow set all of those recipients as a single 'group'
Sorry, you can't do that.
Alternatively, it appears that Apple Mail expects you to use your Address Book to establish email groups.
True, since that's what Address Book is for; keeping your contacts readily available and organized.
But, in the event that using the Address Book is the only way to set up a multiple recipient group, is there a way to, again, paste in all of the addresses at once rather than having to edit each recipient separately?
Sorry, no. You need to create a contact for each of your intended members of the group, even if all you have is their email addrress. Then you can create a new group with whatever name you like and move those contacts to that group, which you can then select to send your email to when you're in Mail.

Vlan on asa-5585

Hi,
Is there any way to create vlans on cisco asa 5585 similar way we do for cisco switches.
The asa in this case is an interface for subsidary users to connect into this new network.
We require few vlans to be created for some servers on the firewall. the firewall should be the gateway for these servers.
eg. vlan 100 - 192.168.100.1/24 should be on the ASA firewall.
How do we achieve this?
Appreciate all help on this.

Hi,
You will have to configure atleast one physical interface as a Trunk interface if you want to bring the Vlan all the way to the ASA. Essentially the configuration follows the same lines as configuring a Cisco router to act as the gateway for multiple Vlans behind a switch.
The actual configuration format depends on how you have set up the ASA. Is it Single Context or Multiple Context?
In Single Context the configuration would be something like this
interface GigabitEthernet0/0
description TRUNK
interface GigabitEthernet0/0.100
vlan 100
nameif LAN
security-level 100
ip add 10.10.10.1 255.255.255.0
interface GigabitEthernet0/0.200
vlan 200
nameif DMZ
security-level 50
ip add 192.168.10.1 255.255.255.0
If you are running Multiple Context mode the configuration could be something like this
interface GigabitEthernet0/0
description TRUNK
interface GigabitEthernet0/0.100
description LAN
vlan 100
interface GigabitEthernet0/0.200
description DMZ
vlan 200
context EXAMPLE-CONTEXT
allocate-interface GigabitEthernet0/0.100
allocate-interface GigabitEthernet0/0.200
config-url disk0:/EXAMPLE-CONTEXT.cfg
Or something along these lines
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
Feel free to ask more if needed.
- Jouni

Bridge Groups, are they required?

Hi All
I'm currently a tad confused about Bridge Groups and ASA/FWSM in transparent more. Are they really required or not?
Here one sample: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
It's written:
At least one bridge group is required per context or in single mode.
So that really sounds like yes you need one.
Where as this config sample here: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml or many others I found online, never have a bridge group configured.
Could somebody please enlighten me about what is correct?
And does it matter if it's an active/standby configuration?
Thanks a lot
pato

Pato,
It depends. On the newer ASA and FWSM you need the BVI. It is just to configure the management IP. This is required.
The old link (the second one that you listed) has the management IP (not under the int BVI) but on the newer ASA code you can see it is configured under the int BVI as you can see here:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html#wp1382356
-Kureli

ASA5500 Bridge groups

Hi experts!
I have to interconnect 2 DMZs switches to the core switch and an internet access switch with a ASA 5520 in transparent mode. Is it possible to do bridge groups with subinterfaces, using VLANs on ASA5520 in transparent mode?
Thanks
Wesley

The transparent security appliance uses an inside interface and an outside interface only.If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
If you place the ASA in transparent mode on a trunk link, you will need to configure a security context for each vlan in the trunk.
Try these link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b7d.html#wp1044006
http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b90.html

Bridge-Groups FWSM

Hello All,
I have a question about Bridge Groups if someone can help me. So, I have two bridge groups on one FWSM obviously using two different IP Scopes. However I can only have one default route so for instance.
BVI 1 - 192.168.1.4 (outside1)
BVI 2 - 192.168.2.4 (outside2)
ip route outside1 0.0.0.0 0.0.0.0 192.168.1.1
I now obviously cannot put another default route statement in so how does the FWSM route traffic it doesn't know the destination to when the source is from 192.168.2.x. Does it send it out 192.168.1.1? If so does this become a suboptimal routing issue, and is there possibly a better solution than this? Or is thisnormal and everything is ok? Thanks in advance to all who reply!

Hi John,
When the FWSM uses bridge-groups, it is configured in transparent (layer 2) mode. Because of this, the FWSM won't be responsible for routing traffic. It will use a MAC address lookup instead:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1232185
One exception to this is management traffic to/from the FWSM. For this, you'll need to specify separate static routes:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1202704
"The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic."
-Mike

How many default virtual context counts with ASA 5585 Series

Hi All:
I prepare replace FWSM to ASA 5585 Series,but I confuse the default virtual context counts on ASA 5585.
I used 3 virtual contexts on my old FWSM(1 admin context with 2 contexts).According the ASA configuration guide below.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1188797
It state the ASA 5585 have default 2 contexts,Does it state the ASA 5585 just have 2 contexts or 1 admin context plus "2" context (3 contexts available)
thks fot your reply

Hi,
To my understanding the ASA with the most default lisence lets you use 2 Security Contexts to your own purposes. Admin context will always be there on the ASA when running in multiple context mode. Its created when you change your ASA from its default mode (single) to "mode multiple".
In my original post the latter part was just to mention that to my understanding if you use 2 ASAs (almost any model) in failover with a software 8.3 and above the ASA will combine their lisences regarding some values. For example connecting 2 ASAs in Failover which have limit of 2 Security Contexts, they will get combined and the failover will have 4 Security Context limit.
Atleast that is what I see with the "show version" command and this is also what we have been told by a Cisco employee. Ive also been told that if I for example (running 8.3+ OS) buy a 5 Security Context license for the other unit, It will combine the others base license (2 SC) to the others units new license (5 SC) resulting in the combined Security Context limit of 7.
This is what Cisco documentation mentions about Active/Standby and Active/Active Failover Licensing at version 8.3 and above:
Or you have two ASA 5540 adaptive security appliances, one with 20 contexts and the other with 10 contexts; the combined license allows 30 contexts. For Active/Active failover, for example, one unit can use 18 contexts and the other unit can use 12 contexts, for a total of 30; the combined usage cannot exceed the failover cluster license.
I've have had 2 ASA5585-X ASAs combined in A/A Failover running 8.4(2) and they have atleast showed that they have the combined Security Context limit of 4 Security Contexts
Heres a partial output of the "show version" command on the ASAs in question when they were just out of the box combined in Failover with no other configurations other than running in multiple context mode and management configuration in admin context.
Licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 1024 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active perpetualVPN-DES : Enabled perpetualVPN-3DES-AES : Enabled perpetualSecurity Contexts : 2 perpetualGTP/GPRS : Disabled perpetualAnyConnect Premium Peers : 2 perpetualAnyConnect Essentials : Disabled perpetualOther VPN Peers : 10000 perpetualTotal VPN Peers : 10000 perpetualShared License : Disabled perpetualAnyConnect for Mobile : Disabled perpetualAnyConnect for Cisco VPN Phone : Disabled perpetualAdvanced Endpoint Assessment : Disabled perpetualUC Phone Proxy Sessions : 2 perpetualTotal UC Proxy Sessions : 2 perpetualBotnet Traffic Filter : Disabled perpetualIntercompany Media Engine : Disabled perpetual10GE I/O : Disabled perpetualFailover cluster licensed features for this platform:Maximum Physical Interfaces : Unlimited perpetualMaximum VLANs : 1024 perpetualInside Hosts : Unlimited perpetualFailover : Active/Active perpetualVPN-DES : Enabled perpetualVPN-3DES-AES : Enabled perpetualSecurity Contexts : 4 perpetualGTP/GPRS : Disabled perpetualAnyConnect Premium Peers : 4 perpetualAnyConnect Essentials : Disabled perpetualOther VPN Peers : 10000 perpetualTotal VPN Peers : 10000 perpetualShared License : Disabled perpetualAnyConnect for Mobile : Disabled perpetualAnyConnect for Cisco VPN Phone : Disabled perpetualAdvanced Endpoint Assessment : Disabled perpetualUC Phone Proxy Sessions : 4 perpetualTotal UC Proxy Sessions : 4 perpetualBotnet Traffic Filter : Disabled perpetualIntercompany Media Engine : Disabled perpetual10GE I/O : Disabled perpetual
Though I still suggest confirming all these things from the people/company that youre acquiring the ASA(s) from so you get what youre asking for. Or someone from Cisco could confirm this on these forums.

Which routing protocols are supported on ASA 5585

Hi,
I am curious to know which routing protocol is well supported on Cisco ASA 5585. do someone on the forum has implemented routing on ASA?
I have ASA 5585 on context mode, as of now 4 contexts have been created. upstream device is Nexus.
I have ASA with Software Version 8.4(4)1 and Device Manager Version 6.4(9).
if someone can point me to good implemented example of routing protocol to their environment (like OSPF, BGP) that would be great.
Thanks

You're welcome.
Multiple contexts adds another twist - in ASA 8.4 dynamic routing protocols are not supported at all for multiple contexts. Reference.
ASA 9.0 added support for dynamic routing protocols in multiple context modes, including OSPF v2 (but not v3 for IPv6). Reference.
FYI ASA 9.1(2) is current as of this writing and is the recommended release in the 9.x train. (Mentioned near the end of the latest TAC Security podcast - episode #37 here.)

ASA 5585-X multiple bridge-groups expected behaviour

Similar Messages

Maybe you are looking for