ZBF: Assign zone to interface via Cisco AV Pair
Hello,
I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using a Zone Based Firewall configuration and need to assign the created virtual-access interface into a zone in the same manner as I am assigning VRFs.
I am assigning VRFs like so:
Cisco-AVpair+=ip:vrf-id=<vrf-name>
I have tried assigning a zone with the following configuration but with no luck:
Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
Any help appreciated.
Thanks.
For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
lcp:interface-config=zone security <zonename>
I also had to add:
aaa policy interface-config allow-subinterface
Once I did this it worked a treat.
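As an added illustration (not code from the original thread), the following Python encodes the two AV pairs from this thread as Cisco vendor-specific RADIUS attributes, the way a RADIUS server carries them in an Access-Accept, decodes them back, and picks out the VRF and zone; CUST-A is a placeholder VRF/zone name, and the helper names are assumptions.

```python
import struct

RADIUS_VSA_TYPE = 26    # Vendor-Specific attribute, RFC 2865 section 5.26
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR_VTYPE = 1  # vendor type of Cisco-AVpair inside the VSA

def encode_cisco_avpair(avpair):
    """Encode one Cisco-AVpair string as a RADIUS VSA.
    Wire layout: Type(26) Length VendorId(4) | VType(1) VLength String."""
    data = avpair.encode("ascii")
    vlen = 2 + len(data)
    total = 6 + vlen
    if total > 255:
        raise ValueError("AV pair does not fit in one RADIUS attribute")
    return struct.pack("!BBIBB", RADIUS_VSA_TYPE, total,
                       CISCO_VENDOR_ID, CISCO_AVPAIR_VTYPE, vlen) + data

def decode_cisco_avpairs(attrs):
    """Return every Cisco-AVpair string in a run of RADIUS attributes, in order."""
    pairs, pos = [], 0
    while pos < len(attrs):
        hdr = attrs[pos:pos + 2]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > len(attrs):
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = hdr
        body = attrs[pos + 2:pos + alen]
        if atype == RADIUS_VSA_TYPE and len(body) >= 4:
            vendor, vpos = struct.unpack("!I", body[:4])[0], 4
            while vpos < len(body):
                vhdr = body[vpos:vpos + 2]
                if len(vhdr) < 2 or vhdr[1] < 2 or vpos + vhdr[1] > len(body):
                    raise ValueError("malformed vendor sub-attribute")
                vtype, vlen = vhdr
                if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR_VTYPE:
                    pairs.append(body[vpos + 2:vpos + vlen].decode("ascii"))
                vpos += vlen
        pos += alen
    return pairs

def parse_avpair(avpair):
    """Split 'protocol:attribute=value'; the value may contain spaces."""
    proto, _, rest = avpair.partition(":")
    attr, sep, value = rest.partition("=")
    if not proto or not sep:
        raise ValueError("not a protocol:attribute=value pair: %r" % avpair)
    return proto, attr, value

def session_settings(pairs):
    """Pick out the VRF (ip:vrf-id) and ZBF zone (lcp:interface-config) from the pairs."""
    settings = {}
    for pair in pairs:
        proto, attr, value = parse_avpair(pair)
        if (proto, attr) == ("ip", "vrf-id"):
            settings["vrf"] = value
        elif (proto, attr) == ("lcp", "interface-config"):
            words = value.split()
            if len(words) == 3 and words[:2] == ["zone", "security"]:
                settings["zone"] = words[2]
    return settings

SAMPLE_PAIRS = [  # constructed sample profile; CUST-A is a placeholder name
    "ip:vrf-id=CUST-A", "lcp:interface-config=zone security CUST-A"]
```

Note that the `ip:interface-config=zone-member security ...` form tried in the question is parsed as a different attribute and is not treated as a zone assignment here, matching the TAC answer above.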
Similar Messages
-
Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?
hi,
Is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 switchport?
In detail, we would like to assign this policy
policy-map SET_EF
class class-default
set dscp ef
to an interface. All traffic should be marked with a defined DSCP value.
This works fine when doing it statically with
interface FastEthernet2/1
service-policy input SET_EF
but we would need to assign such a policy via Radius during the 802.1x authentication. Different users should get different policies. We use Cisco ACS 5.2 as Radius server and there actually is a field for that in the Authorization Profile Common Tasks Configuration. In detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
We also found two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
Unfortunately this seems to not work on Catalyst 45k and 37k.
In the ACS logs we can see that these attributes are attached to the Radius reply, but unfortunately they are ignored by the switch.
It is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed, so to my understanding the switch should understand these attributes (?)
4503-E#sh aaa attributes
AAA ATTRIBUTE LIST:
Type=1 Name=disc-cause-ext Format=Enum
Type=2 Name=Acct-Status-Type Format=Enum
<snip>
Type=345 Name=sub-policy-In Format=String
Type=346 Name=sub-qos-policy-in Format=String
Type=347 Name=sub-policy-Out Format=String
Type=348 Name=sub-qos-policy-out Format=String
any input is welcome :-))
best regards
Additionally to this discussion, I've just opened a service request with TAC.
Unfortunately the engineer told me that by now per-user QoS is definitely not supported on these two platforms, but it's listed on the roadmap and will possibly be available mid 2012...... -
Brocade DCX Fiberchannel trunk via Cisco ONS not working
We have a SAN environment over 2 locations. On each location they placed a Brocade DCX 8510 SAN switch. The Inter site link is provided via CISCO ONS.
We use at both sites a MXP_MR_10DME card with two interfaces. We created two circuits and configured the ports at FC4G.
So when we connect the Brocade switches directly to the ONS it works perfectly. We then have 2 x 4GB Fibre Channel connections.
However we would like to trunk these connections into a 2x 4GB channel.
On the Brocade switches we configured both interfaces connected to the ONS as Trunk.
Both switches see each other but no traffic will run over this trunk. When we disable one port of the Brocade in this trunk then traffic starts to flow.
Questions:
Is it possible to create a trunk between the Brocades via ONS? (We know that it will work with a direct fiber connection.)
I know you can do trunking by using other cards, but is this possible with the 1-DMEX-C cards?
So is the ONS aware of a trunk? I suppose that the ONS should be transparent.
If anybody has done this before, do we need to configure something specific on the ONS or Brocade switches?
THX.
Nevermind...
I have been given the wrong SFP modules. -
Cisco av-pairs SSID vs Dynamic Vlan Assignment
Hello,
Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
Dynamic vlan assignment is an alternative way to control user access to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it: since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
So the question is if a working alternative to SSID av-pairs exists.
Thanks.
To be honest, I have never heard of this SSID av-pair ever working in wireless :)
You would need at least two SSIDs and the radius server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.
You can still use aaa override to place devices on specific vlans and use the WLC to allow Bonjour or ACLs to filter what you don't want going out of the vlan. The WLC has Bonjour capabilities and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but with newer requirements there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
-Scott -
VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?
Hi.
I am looking to setup wireless access to 2 of my internal VLANs. I am using Cisco 1130AG, PEAP and RADIUS for the authentication as one network is for employees only and one restricted to guests only.
I was wondering which was the most recommended solution.
1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
or
2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
This option I feel is more complicated and I am still unsure how this works in reality, as the SSID itself can only be part of one VLAN????
Do I have to configure a Dot11Radio and Fastethernet interface for each intended vlan in this case?
Could someone please explain and suggest their preferred option.
Thanks.
You should have two SSIDs, one for your internal and one for guest. You should use 802.1x for your internal and your guest should be open with a login page of some sort. You can still use dynamic vlan assignments so that your internal users who try to access the guest page will be put on the internal vlan. Of course the guest will always be placed on the guest vlan. If you have a WLC, the login page and setup is easier, because in autonomous you will have to use something like ZoneCD for guest if you want a HotSpot type wifi.
-
How to reset Dot11Radio interface via SNMP
Hi guys,
Please tell me how I can RESET my AP's radio interface via SNMP? I mean down and up, one right after the other.
I'm using several SNMP commands to manage our Ciscos. But I'm unsuccessful at this.. Please help me. Thanks.
Isn't there any response? Isn't there any Cisco specialist out there???
-
Can not access ASAs inside interface via VPN tunnels
Hi there,
I have a funny problem.
I built up a hub and spoke VPN, with RAS client VPN access for the central location.
All tunnels and the RAS VPN access are working fine.
I use the tunnels for Voip, terminal server access and a few other services.
The only problem I have is that I cannot access the inside IP address of any of my ASAs, neither via the tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
No problem when I connect to the interface via a host inside the network.
All telnet statements in the config are ending with the INSIDE command.
On most of the ASAs the 8.2 IOS is running, on one or two ASAs the 8.0(4).
For the RAS client access I use the Cisco 5.1 VPN client.
Does anybody have any suggestions?
Regards
Marcel
Marcel,
Simply add on the ASAs you want to administer through the tunnels
management-access
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
for ASA 5505
management-access inside
for all others, if you have the management interface management0/0 defined, then:
management-access management
then you may need to allow the source; for example if the RA VPN pool network is 10.20.20.0/24 then you tell the ASA that this network can administer the ASA and point access to inside, but it sounds like you have this part already.
telnet 10.20.20.0 255.255.255.0 inside
http 10.20.20.0 255.255.255.0 inside
same principle for L2L VPNs
Regards -
Web Interface of Cisco Prime 2.1 not working
Excuse me!
I installed the trial version of Cisco Prime 2.1 (OVA) on an ESXi server.
I can ping Cisco Prime but the web interface of Cisco Prime is not working
prime/admin# ncs status
Health Monitor Server is running.
Ftp Server is running
Database server is running
Tftp Server is running
Matlab Server is running
NMS Server is running.
Plug and Play Gateway is running.
SAM Daemon is running ...
DA Daemon is running ...
Syslog Daemon is running ...
Services running fine..
Check it with another browser. Supported browsers are below:
– Google Chrome 31 or later.
– Microsoft Internet Explorer 8.0 or 9.0 with Google Chrome Frame plugin (users logging in to the simplified Lobby Ambassador interface do not need the plugin).
– Mozilla Firefox ESR 24.
– Mozilla Firefox 24, 25 or 26.
If the above does not help, reboot the server once and check the issue again.
Thanks-
Afroz
***Ratings Encourages Contributors **** -
EREC: "Assign Values to Interface Parameters" query
Hi All,
I am currently on EhP4, SP4. I had a requirement to change the format of the form to display the posting. Hence I took the help of the node: Technical Settings > User Interfaces > Administrator and Recruiter > General Settings > Assign Values to Interface Parameters. Here I used the parameter FORM_PUBL_INT_DOVR and the parameter value as the new Z form created. The new form was visible in the publication area of the job posting.
But when I try to view the form by searching the job posting (as a candidate), it is still displayed in the old format, i.e. when I try to view the posting using the posting search functionality.
Can anybody please tell me what configuration is left from my side?
Note: Majority of my application is a BSP application
Regards,
Kishore
Dear Kishore,
Please make the entry in the table V77RCF_PRM_PL for custom entries. Also check the table T77RCF_UI_PARAM to see whether the correct form is used or not.
Best Regards,
Deepak. -
Include multiple sub-interfaces in Cisco ASA for VPN tunnel
I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, in Cisco ASA 5550 (in datacentre), I created multiple subinterfaces with VLAN IDs as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface: Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces, as the NAT rule on the inside interface didn't work for VLANs. Hence I had to issue a Global NAT rule to be applied on the Production subinterface so that the production VLAN can have outside access. I have managed to establish a VPN tunnel between the two ASAs on the Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub-interfaces to access outside (lower security level)
NAT rules are configured on the Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind the various VLANs couldn't access the internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of the datacentre from the remote site. -
Can I rate-limit on the sub-interface in cisco asr 1013?
Hi,
I am looking for the command for rate-limit on a sub-interface in Cisco ASR 1013.
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
IOS XE Version: 03.06.00.S
Please let me know if it is possible in Cisco ASR 1013. If yes, then what are the commands?
Zobair
The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
Please find a sample configuration -
ASR1004(config)#policy-map test
ASR1004(config-pmap)#class class-default
ASR1004(config-pmap-c)#shape average 10000
Applying for both ingress and egress: -
ASR1004(config)#int gig1/1/0
ASR1004(config-if)#service-policy output test
or
ASR1004(config-if)#service-policy input test -
Assigning material to class via ALE
Hi experts,
I am looking for a way to assign the materials to the class through ALE. What message type can I use to transfer this information?
Thanks for your help.
Hi Rolmega,
Please check this link and scroll to the middle.
There is a section that talks about assigning material to class via config and ALE.
http://help.sap.com/saphelp_nw04/helpdata/en/7e/cb843643a311d189ee0000e81ddfac/content.htm
Hope this will help.
Regards,
Ferry Lianto
Please reward points if helpful. -
Shutdown wireless interface via SNMP Write?
Hi
We're working on writing a very simple web app to control a couple of access points via SNMP. I'm trying to shut down the wireless interface via SNMP WRITE with the following OIDs:
.1.3.6.1.2.1.2.2.1.7.1
and
.1.3.6.1.2.1.2.2.1.7.2
But it's saying the integer of '0' is invalid (badValue, wrong type or length). I'm able to set other values like hostname, etc., so I know my string is correct... can anyone help? Thanks
Jason
Hi
Just found my own answer... the value to shut down the interface is not 0, it's 2. durrr
Thanks
J -
Setting PPPoE clients speed Via Cisco router
Hi, I have a 7200 Cisco router working as NAS (network access server) for PPPoE sessions; the clients are connected to DSLAMs and the Cisco is connected to an external AAA Radius server.
I want to set the user speed via the Cisco router in a way which can be controlled in the Radius server, and not through the actual speed of the DSLAM ports.
Thanks a lot
Hello Mohamed,
there is a feature called controlled subscriber bandwidth that may fit your needs:
see
http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_con_sub_bdwth_ps6441_TSD_Products_Configuration_Guide_Chapter.html
it manipulates the ATM traffic parameters on a per-user basis
these settings can be done via Radius AV pairs:
example:
The following example shows how to configure RADIUS attributes for a user profile for DBS:
[email protected] Password = "userpassword1", Service-Type = Outbound
Service-Type = Outbound,
Cisco-Avpair = "vpdn:tunnel-id=tunnel33",
Cisco-Avpair = "vpdn:tunnel-type=l2tp",
Cisco-Avpair = "vpdn:l2tp-tunnel-password=password2",
Cisco-Avpair = "vpdn:ip-addresses=172.16.0.0",
Cisco-Avpair = "atm:peak-cell-rate=155000",
Cisco-Avpair = "atm:sustainable-cell-rate=155000"
Hope to help
Giuseppe -
LMS , AAA via Radius and cisco AV pair
We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
Ex: a Cisco-AV-pair, "LMS":groups="Network Administrator"
I have tried a few, but none seem to work. And I haven't found documentation on this.
No, it is pure authentication that is done.
There is no way to select a role in LMS based on an AV pair.
With tacacs+ something like that is possible.
Cheers,
Michel