Clone a Cisco router - best practices?

Similar Messages

• Cisco MSE Best Practice

  Hi there,
  I have two MSE 3355, MSE-1 for wIPS and MSE-2 for Location.
  In the PI (Prime Infrastructure) site maps reports I can't look the wIPS attackers from the MSE-2 Location. It is possible to do this without having the wIPS license in the same server? How can I interoperate the wIPS attacks reports from the MSE-1 to the MSE-2 location base server? What is the best practice for this scenario?
  Thanks

  Using TACACS+ with ACS especially gives you all of the AAA's - this is better/best practice for mgmt access to Cisco devices imho.
  Bilal

• Cisco Administration Best Practice - TACACS+ or RADIUS

  I'm new to cisco and currently building a midsize environment and wanted to know what is the best practices for administration management of cisco equipment?
  Thanks!

  Using TACACS+ with ACS especially gives you all of the AAA's - this is better/best practice for mgmt access to Cisco devices imho.
  Bilal

• IVR (Inter-VSAN Routing) - Best practices questions

  Hi there,
  We have a situation where we will have multiple customers hosted on a 9513 and sharing a single storage array.
  We want to keep the logically seperated in their own VSANs, but of course the storage array will need to be zoned to all the customers hosts.
  Now IVR should be the thing to use, but I'm getting resistance from the local team (screams of "Nooooo!!! They're EVILLLLL!!!") ... so I want to find out if there are some best practices around IVR use ?
  Should they be used only for light duty stuff ? (though at present we use them with tape backup, which isn't exactly "light")
  Do they impact performance to a measurable degree ?
  Are they stable ?
  What can go wrong with them ? And does it happen often ?
  Thanks!

  IVR does not impact application I/O performance because all the vsan rewrite and fcid rewrite actions are done in hardware asics. The IVR process on supervisor is responsible for managing the configuration and ensuring the rewrite tables are programmed in the linecards. The process is stable.
  Most of the issues I have seen are in environments with multiple IVR enabled MDS switches ISL'd together or an MDS IVR enabled switch connected to a McData/Brocade in an interop mode.
  Like any feature there have been bugs and it pays to check the SAN-OS release notes when planning installs. For example, a config change on one switch does not get properly pushed to another IVR switch or a forwarding table for an ISL interface does not get correctly programmed. There have also been a fair share of user misconfigurations which could have been avoided if Cisco Fabric Services (CFS) was enabled for IVR. This is done with the 'ivr distribute' command. Without this it is very difficult in large topologies of multiple IVR switches to ensure they have a consistent IVR config. In other cases there have been problems from a mix of IVR enabled switches running different releases of SAN-OS, e.g. mixing 3.0 with 3.2.
  Best practice is to have dual physical fabrics, upgrade one fabric at a time ensuring all IVR switches in a fabric run same SAN-OS release.
  A single IVR switch is much easier to implement. The MDS Configuration Guide has a list of best practices for IVR and one of those is to use the NAT option. Personally I would avoid NAT option where you can as NAT makes any troubleshooting harder trying to figure out the domain ID translations. You would also minimize risk of hitting some NAT related bugs, but you could also avoid most of these by checking the workarounds documented in the Release Notes. And with NAT you need to also configure persistent virtual domains and fcids to cater for AIX and HP-UX systems that cannot handle the FCID of the target changing whenever the exported virtual domain ID changes. To give NAT credit, each vsan is represented by a single virtual domain. In regular non-NAT mode, each switch in a vsan is represented by a virtual domain, meaning you eat up more virtual domain IDs. So in large topologies with many domain IDs there are scalability advantages to using NAT and the IVR updates between switches are more efficient with fewer virtual domain IDs to advertize. Of course, NAT must be used if merging physical fabrics with same domain ID and you cannot afford the downtime to change one of the switch domain IDs.
  However if it is just a single IVR switch I would avoid NAT. To do this all your domain IDs should be statically defined and there must be no overlapping domain IDs between IVR'd vsans. If it is a brand new install you can easily achieve this by specifying unique allowed domain ID ranges per vsan.
  For example, each customer can have their own vsan with say 10 domain IDs and the storage can be in vsan 2. You will only use one domain ID per vsan on day 1. Allowing 10 domain ids per vsan means you can add up to 9 other switches per vsan should you need to in the future. There is a maximum 239 domains per vsan so you could have up to 23 customers on your 9513 working with a range of 10 domain IDs per vsan.
  fcdomain domain 2 static vsan 2
  fcdomain domain 10 static vsan 10
  fcdomain domain 20 static vsan 20
  fcdomain domain 30 static vsan 30
  ..and so on..
  fcdomain domain 230 static vsan 230
  fcdomain allowed 01-09 vsan 2
  fcdomain allowed 10-19 vsan 10
  fcdomain allowed 20-29 vsan 20
  fcdomain allowed 30-39 vsan 30
  ..and so on..
  fcdomain allowed 230-239 vsan 230
  With or without IVR you should still run dual fabrics (e.g. 95xx in each fabric) and host based multipathing for redundancy.
  And don't forget IVR will require an Enterprise license. I have even seen a large outage because the customer forgot to install the license before the 120 day grace period expired.

• Differential pair routing best practices

  I've been looking for differential pair routing methodologies and am wondering if there are any documents available other than what I see in the UB help, which basically just says how to set up the groups in the group editor.
  Apparently the pairs must still have each side routed manually, using the rules to check for spacing conformity.
  Apparently there is no capability to route both nets simulataneously like I've done in other layout tools.  This could get to be a pain for the large designs I need to do.
  Also the rules check seems to be flawed.  It reports spacing violations in my test placements where there are none.  It does not put up design rule error red bubbles for the violations, though it does appear to center the area on the screen at least.
  No error is generated for trace lengths outside of the limits, even if topology is set to daisy chain.  Apparently one must just watch the spreadsheet while pushing traces to get the length measurement to be correct.
  The autorouter doesn't seem to respect differential pairs at all.
  If I have many hundreds of diff pairs to set up are there any shortcuts, or do I need to set up each pair manually in the group editor?
  Thanks,
  David B
  Attachments:
  DiffPairTest.ewprj ‏39 KB

  I've been looking for differential pair routing methodologies and am wondering if there are any documents available other than what I see in the UB help, which basically just says how to set up the groups in the group editor.
  Apparently the pairs must still have each side routed manually, using the rules to check for spacing conformity.
  Apparently there is no capability to route both nets simulataneously like I've done in other layout tools.  This could get to be a pain for the large designs I need to do.
  Also the rules check seems to be flawed.  It reports spacing violations in my test placements where there are none.  It does not put up design rule error red bubbles for the violations, though it does appear to center the area on the screen at least.
  No error is generated for trace lengths outside of the limits, even if topology is set to daisy chain.  Apparently one must just watch the spreadsheet while pushing traces to get the length measurement to be correct.
  The autorouter doesn't seem to respect differential pairs at all.
  If I have many hundreds of diff pairs to set up are there any shortcuts, or do I need to set up each pair manually in the group editor?
  Thanks,
  David B
  Attachments:
  DiffPairTest.ewprj ‏39 KB

• Cisco best practices on Channeling.

  All,
  Can anyone point me to a document that describes Cisco's best practices when it comes to channel settings in a Unified wireless infrastructure.  We know that AP's can be configured to communicate over a specific channel or they can be set to "global" ie auto.  Meaning that the AP will decide what channel is best to communicate over.
  Just looking for the best way to configure this, especially in a building that has hundreds of access points per floor.
  Thank you in advance
  izzy

  The best way to determine this is with a formal site survey...
  However take a look at this document.This is a really really good document!
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch3_WLAN.html

• Best Practices for Integrating UC-5x0's with SBS 2003/8?

  Almost all of Cisco's SBCS market is the small and medium business space.  Most, if not all of these SMB's have a Microsoft Small Business Server 2003 or 2008. It will be critical, In order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
  To that end, I see a  lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
  I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
  Some of the challanges include;
  1. Where should the UC-540 be placed: As the gateway for QOS or behind a validated UC-5x0 router/security appliance combination
  2. Should the Microsoft Windows Small Business Server handle DCHP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
  3. Which device should handle DNS?
  My documentation (and I recommend that any Cisco Lab/Best Practice guidence include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients;
  1. A UC-540 device utilizing SIP for the cost savings
  2. High Speed Internet with 5 static routable IP addresses
  3. An existing Microsoft Small Business Server 2003/8
  4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on seperate routable IP's (Making up crazy non-standard port redirections is not an option).
  5. A employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. a employees home, a clients' office, or a telework center). This teleworker should use the built in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
  Your thoughs appreciated.

  Progress Report;
  The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
  DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
  Interestingly, the CCA still works. The NAT module even shows all the private mapped IP's, but no the corresponding public IP's. I wouldnt recommend trying to make any changes via the CCA in the NAT module.  
  To review, this configuration assumes the following;
  1. The UC540 has a public IP address of 4.2.2.2
  2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
  3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
  First, backup your current configuration via the CCA,
  Next, telent into the UC540, login, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
  ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
  ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
  ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
  ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
  ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
  ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
  ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
  ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
  ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
  Next, you will need to amend your UC540's default ACL.
  First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
  Then, im told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS an LOB server (mine in bold) as follows;
  int fas 0/0
  no ip access-group 104 in
  no access-list 104
  access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
  access-list 104 remark SDM_ACL Category=1
  access-list 104 permit tcp any host 4.2.2.3 eq 25 log
  access-list 104 permit tcp any host 4.2.2.3 eq 80 log
  access-list 104 permit tcp any host 4.2.2.3 eq 443 log
  access-list 104 permit tcp any host 4.2.2.3 eq 987 log
  access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
  access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log 
  access-list 104 permit tcp any host 4.2.2.4 eq 80 log
  access-list 104 permit tcp any host 4.2.2.4 eq 443 log
  access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
  access-list 104 permit udp host 116.170.98.142 eq 5060 any
  access-list 104 permit udp host 116.170.98.143 any eq 5060
  access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
  access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
  access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
  access-list 104 permit udp host 116.170.98.142 eq domain any
  access-list 104 permit udp host 116.170.98.143 eq domain any
  access-list 104 permit icmp any host 4.2.2.2 echo-reply
  access-list 104 permit icmp any host 4.2.2.2 time-exceeded
  access-list 104 permit icmp any host 4.2.2.2 unreachable
  access-list 104 permit udp host 192.168.10.1 eq 5060 any
  access-list 104 permit udp host 192.168.10.1 any eq 5060
  access-list 104 permit udp any any range 16384 32767
  access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
  access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
  access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
  access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
  access-list 104 deny   ip host 255.255.255.255 any
  access-list 104 deny   ip host 0.0.0.0 any
  access-list 104 deny   ip any any log
  int fas 0/0
  ip access-group 104 in
  Lastly, save to memory
  wr mem
  One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
  (config)#ip access-list extended 104
  (config-ext-nacl)#7 permit gre any any
  Im hoping there may be a better way to allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
  Thanks to Vijay in Cisco Tac for the guidence.

• Best Practice for ASA Route Monitoring Options?

  We have one pair Cisco ASA 5505 located in different location and there are two point to point links between those two locations, one for primary link (static route w/ low metric) and the other for backup (static route w/ high metric). The tracked options is enabled for monitoring the state of the primary route. the detail parameters regarding options as below,
  Frequency: 30 seconds               Data Size: 28 bytes
  Threshold: 3000 milliseconds     Tos: 0
  Time out: 3000 milliseconds          Number of Packets: 8
  ------ show run------
  sla monitor 1
  type echo protocol ipIcmpEcho 10.200.200.2 interface Intersite_Traffic
  num-packets 8
  timeout 3000
  threshold 3000
  frequency 30
  sla monitor schedule 1 life forever start-time now
  ------ show run------
  I'm not sure if the setting is so sensitive that the secondary static route begins to work right away, even when some small link flappings occur.
  What is the best practice to set those parameters up in the production environment. How can we specify the reasonanble monitoring options to fit our needs.
  Thank you for any idea.

  Hello,
  Of course too sensitive might cause failover to happen when some packets get lost, but remember the whole purpose of this is to provide as less downtime to your network as possible,
  Now if you tune these parameters what happen is that failover will be triggered on a different time basis.
  This is taken from a cisco document ( If you tune the sla process as this states, 3 packets will be sent each 10 seconds, so 3 of them need to fail to SLA to happen) This CISCO configuration example looks good but there are network engineers that would rather to use a lower time-line than that.
  sla monitor 123
  type echo protocol ipIcmpEcho 10.0.0.1 interface outside
  num-packets 3
  frequency 10
  Regards,
  Remember to rate all of the helpful posts ( If you need assistance knowing how to rate a post just let me know )

• Best Practice for where to apply ACL's on a router

  I have a 1760 router with a 4 port ethernet card. It has the Vlan1 int on it for f0/0 in the IOS. I need to apply an ACL to that interface/subnet with the phyical cable in f0/0 and ip range of vlan1. When appling the ACL should I apply it to the physical interface or the Vlan (mgt) interface. What is the best practice and is there any docs on this on cisco?
  Thanks
  Chris

  Chris
  The f0/0 is operating as a switch port and as such you can not apply the access list directly to the physical interface. You should apply the access list to the vlan interface.
  HTH
  Rick

• How often should the Cisco 6509 and 3750 switches be rebooted? Does Cisco have a best practice recommendation?

  How often should the 6509's and 3750's switches be rebooted?
  Does Cisco have a best practice document on this and recommendation how long the switch should be up before it gets rebooted?
  Why is a reboot needed if there are no indications of issues on the log?

  I'd agree with Larry here.
  If you're not seeing any issues with your IOS revision and there are no relevant PSIRTs (security notices applicalble to features and or exposure of your device requiring an IOS upgrade) then you can go a very long time without rebooting, if ever.
  I'm sure it's far from a record, but our corporate distribution router that supports >1000 downstream devices day in and day out has never been rebooted since installation just over 5 years ago. I have a top of rack Layer 2 switch (2900 series running CatOS) that's almost at 10 years.
  That said, you should have some monitoring scheme that assures you everything is healthy. But as long as memory and cpu are happy, the device will run forever.

• Best practice for having separate clone data for development purposes?

  Hi
  I am on a hosted Apex environment
  I have a workspace containing two instances/ copies of the application: DEV and PROD
  I would like to be able to develop functionality and data in/ with the DEV instance and then insert it into DEV.
  I gather that I can insert pages from DEV to PROD via Create -> New page as copy -> Page in another application
  But I don't know how I can mimic this process with database objects, eg. if I want to create a new table or manipulate the data in an existing table in a DEV environment before implementing in a PROD environment.
  Ideally this would be done in such a way that minimises changing table names etc when elevating pages from DEV to PROD.
  Would it be possible to create a clone schema that could contain the same tables (with the same names) as PROD?
  Any tips, best practices appreciated :)
  Thanks

  Hi,
  ideally you should have a little more separation between your dev and prod environments. At the minimum you should have separate workspaces each addressing separate schemas. Apex can be a little difficult if you want to move individual Apex application objects, such as pages, between applications (a much requested improvement), but this can be overcome by exporting and importing the whole application. You should also have some form of version control/backup of export files.
  As far as database objects go, tables etc, if you have tns access to your hosted environment, then you can use SQL Developer to develop, maintain and synchronize between your development and production schemas and objects in the different environments should have identical names. If you don't have that access, then you can use the Apex SQL Workshop features, but these are a little more cumbersome than a tool like SQL Developer. Once again, scripts for creating and upgrading your database schemas should be kept under some sort of version control.
  All of this is supposing your hosting solution allows more than one workspace and schema, if not you may have to incur the cost of a second environment. One other option would be to do your development locally in an instance of Oracle XE, ensuring you don't have any version conflicts between the different database object features and the Apex version.
  I hope this helps.
  Regards
  Andre

• EDI - 753Routing Request and 754 Routing Instructions transactions- what SAP ECC6 EDI output type, msg type, msg code, basis idoc is best practice to generate the idoc?

  One of our Trading Partner wishes to implement the 753 Routing Request and 754 Routing Instructions.  Can anyone give me best practice answer the following Questions?  We are on SAP ECC6 R3
  What Application? i.e. V2, V7?
  What output condition to use?  i..e. LALE, LAT2, SEDI????
  What Message type?  i.e SHPADV?
  What Basic Idoc Type? i.e SHPMNT05?
  What Message Code?  i.e. SHPM?
  What Process Code?  i.e. SHPM??
  What Function Module? i.e. IDOC_OUTPUT_SHPMNT??
  Does the SAP Transpotation Module have to be configured for this to be implemented?
  Your comments are greatly appreciated, we have until Nov 1 to be compliant?

  Good Morning,
  While I did not get any responses from my question, yes, I was able to determine what needed to be configured.   I hope the below will help you: This is for SAP ECC6
  The output application for the 753 Routing Request is "V7"
  The output type is "SEDI"
  Transmission medium is "6"
  The Basic Idoc type is "Shipmnt05"
  when setting up your Partner Profile (WE20) add:Message Partner Role "SP" with Message type "SHPADV', Message coed "753", Basic Type "SHPMNT05", Message Control add Application "V7", Message type "SEDI", Process Code "SHPM".
  also http://scn.sap.com/thread/698368 pages 14 and 15 were helpful.
  I have not configured the Inbound 754.  For now the inbound 754 Routing Instructions will be emailed to our traffic department.
  Thank you,
  Have a great day,
  jane

• Best practice for web servers behind a router (NAT, ACL, policy-map, VLAN)

  Hi,
  I'm a new Network admin, and I have some configuration questions about my installation (see attachment).
  I have 3 web servers behind a router.
  Public interface: 3 public ip adresses
  Private interface: router on a stick config ( 3 sub-interfaces, 3 different networks, 3 VLAN)
  I would to know the best way to redirect http traffic to the right server.
  My idea is to map a public address to a private address, via NAT, but I'm not sure for the configuration.  I could also redirect via Policy-map and filter by url content.
  So if you have some advise for this case, it would be really appreciated.
  Thank you.
  Chris.

  Hello Christophe,
  As I understand you want 1st that ; 
  if somebody go to A.local.com from internet then he will redirect to 192.168.1.10 in your internal network. 
  That means, you need static mapping between your public @ip address and your local ip address. 
  for this example, your local interface is Fa0/0.1 and I dont your public interface because it is not mention in your diagram. I will suppose S0/0 for public interface. 
  that is the config for the Web Server1. You can do the same with the remaining servers:
  interface fa0/0.1 
  ip nat inside
  interface serial0/0
   ip nat outside
  ip nat inside source static 192.168.1.10 172.1.2.3 
  static mapping from local to public. 
  I suppose you have done the dns mapping in your network and the ISP have done the same in his network. 
  ip route 171.1.2.3 interface serial0/0 
  or 
  ip route 0.0.0.0 0.0.0.0 interface serial0/0. 
  After these step for each web server, you will get the mapping. 
  Now you can restrict access to this ip only to http or https protocol on your isp and after on your local network 
  like
  ip access-list extended ACL_WebServer1
  permit ip any 192.168.1.10 eq www
  deny ip any 192.168.1.10
  exit
  interface fa0/0.1
   ip acess-group ACL_WebServer1 in
  no shut
  exit
  That is the first step. 
  Second step : you want to filter traffic by url, that means layer 5 to 7 filtering. 
  I am not sure that it is possible using cisco router with (ZBF + Regex).
  Check the first step and let us know ! 
  Please rate and mark as correct if it is the case. 
  Regards,

• Best Practices - VMware ESX 4.0 in a Cisco Environment?

  Hello,
  I'm presently designing a VMware ESX 4.0 deployment and integrating it with our Cisco environment.  I've found the following document:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.html "VMware Infrastructure 3 in a Cisco Network Environment" and I was just wondering if there was a newer document applicable to ESX 4.x or if these best practices still applied?
  I'm particularly interested in proper vlan design for the various port-groups with in ESX and etherchannel configuration between ESX hosts and Cisco switches.
  Thanks,
  Rob

  Well, in that this is a Storage group, I'll answer froma storage noetworking point of view.
  ESX hosts are no different to any other host,  Just stick with the standard best practice of single initiator zoning and you'll be fine.
  As a slight aside, from an array point of view, I've tended to configure all the pWWN's of the whole cluster into one "host" definition, as this makes LUN mapping easier.
  Steven

• IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

  Hi Folks -
  Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
  Hope to see you there.
  -Robert
  Cisco invites you to attend a 30-45 minute Web seminar on IPS Best   Practices delivered via WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management   Services
  Host: Robert Albach
  Date and Time:
  Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago,   GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation. If you wish to be excluded from these invitations   then please let me know!

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?