ZBF: Assign zone to interface via Cisco AV Pair

Hello,
I am terminating ADSL connections via an L2TP tunnel from a service provider and have configured Cisco AV Pairs to assign incoming sessions into different VRFs based on the username of the remote router. I am also using Zone Based Firewall configuration and need to also assign the created virtual access interface into a zone in the same manner as I am assigning VRFs.
I am assigning VRFs like so:
Cisco-AVpair+=ip:vrf-id=<vrf-name>
I have tried assigning a zone with the following configuration but with no luck:
Cisco-AVpair+=ip:interface-config=zone-member security <zone-name>
Cisco-AVpair+=lcp:interface-config=zone-member security <zone-name>
I have looked around but am unable to find a definitive list of Cisco AV Pairs to determine if there is one suitable specifically to assign a zone or a more generic AV Pair that can assign arbitrary configuration.
Any help appreciated.
Thanks.

For anyone else who has a similar issue, I raised the issue with Cisco TAC and the solution was to use a Cisco AVpair of
lcp:interface-config=zone security <zonename>
I also had to add:
aaa policy interface-config allow-subinterface
Once I did this it worked a treat.
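Added example, not from the thread or from Cisco: a small Python linter for the RADIUS reply profile that feeds this setup. It accepts only the two AV-pair forms the thread settles on (ip:vrf-id and the lcp:interface-config zone form TAC recommended) and flags a profile that puts a session in a VRF without also placing its virtual-access interface in a zone. The VRF and zone names are constructed placeholders.

```python
import re

# Constructed allow-lists for this example: the VRFs and ZBF zones that are
# actually provisioned on the LNS. Replace with your own names.
KNOWN_VRFS = {"CUST-A", "CUST-B"}
KNOWN_ZONES = {"CUST-A-ZONE", "CUST-B-ZONE"}

AVPAIR_RE = re.compile(r"^(?P<proto>ip|lcp):(?P<key>[a-z-]+)=(?P<value>.+)$")
ZONE_RE = re.compile(r"^zone security (?P<zone>\S+)$")


def check_avpair(avpair):
    """Return (ok, reason) for one Cisco-AVpair reply value.

    Only two forms are accepted:
      ip:vrf-id=<vrf-name>
      lcp:interface-config=zone security <zone-name>
    Any other interface-config command is rejected, because interface-config
    applies arbitrary IOS interface commands to the virtual-access interface,
    so the profile should carry nothing beyond what the LNS is meant to get.
    """
    m = AVPAIR_RE.match(avpair)
    if not m:
        return False, "unrecognised AV pair syntax"
    proto, key, value = m.group("proto", "key", "value")
    if proto == "ip" and key == "vrf-id":
        if value in KNOWN_VRFS:
            return True, "vrf ok"
        return False, f"unknown VRF {value!r}"
    if proto == "lcp" and key == "interface-config":
        zm = ZONE_RE.match(value)
        if zm is None:
            return False, f"interface-config command not allowed: {value!r}"
        if zm.group("zone") in KNOWN_ZONES:
            return True, "zone ok"
        return False, f"unknown zone {zm.group('zone')!r}"
    return False, f"AV pair {proto}:{key} not on the allow-list"


def check_profile(avpairs):
    """Check a whole reply profile and return a list of problems (empty = ok).

    A session placed in a VRF but in no zone ends up on an interface that is
    not a zone member, and ZBF will not pass its traffic to zoned interfaces,
    which is the symptom the thread above is solving.
    """
    problems = []
    for ap in avpairs:
        ok, reason = check_avpair(ap)
        if not ok:
            problems.append(reason)
    has_vrf = any(ap.startswith("ip:vrf-id=") for ap in avpairs)
    has_zone = any(ap.startswith("lcp:interface-config=zone security ") for ap in avpairs)
    if has_vrf and not has_zone:
        problems.append("VRF assigned but no zone assigned")
    return problems
```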

Similar Messages

  • Assign QoS Service Policy via RADIUS to Catalyst 45k/37k?

    hi,
    is there a way to assign a QoS service policy via Radius to a Catalyst 4500/3750 Switchport?
    in detail, we would like to assign this policy
        policy-map SET_EF
         class class-default
           set dscp ef
    to an interface. All traffic should be marked with a defined DSCP value.
    This works fine when doing it statically with
        interface FastEthernet2/1
             service-policy input SET_EF
    but we would need to assign such a policy via Radius during the 802.1x Authentication. different users should get different policies. We use Cisco ACS 5.2 as Radius Server and there actually is a field for
    that in the Authorization Profile Common Tasks Configuration. in detail, this uses the cisco-av-pair "sub-policy-In=<policy name>" attribute to assign a service policy to an NAS.
    we found also two other attributes "sub-qos-policy-in" and "ip:sub-qos-polcy-in" for that. CCO says that "ip:sub-qos-polcy-in" works with Catalyst 65k (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/qos.html#wp1926523)
    unfortunately this seems to not work on Catalyst 45k and 37k.
    In the ACS Logs we can see that these attributes are attached to the Radius Reply, but unfortunately they are ignored by the switch.
    it is interesting that when entering "show aaa attributes" on the Catalyst 45k, these attributes are displayed - so for my understanding the switch should understand these attributes (?)
        4503-E#sh aaa attributes
        AAA ATTRIBUTE LIST:
            Type=1     Name=disc-cause-ext                 Format=Enum
            Type=2     Name=Acct-Status-Type               Format=Enum
        <snip>
            Type=345   Name=sub-policy-In                  Format=String
            Type=346   Name=sub-qos-policy-in              Format=String
            Type=347   Name=sub-policy-Out                 Format=String
            Type=348   Name=sub-qos-policy-out             Format=String
    any input is welcome :-))
    best regards

    additionally to this discussion, i've just opened a service request with TAC.
    unfortunately the engineer told me that by now per-User QoS is definitely not supported on these two platforms but it's listed on the roadmap and will be possibly available mid 2012......

  • Brocade DCX Fiberchannel trunk via Cisco ONS not working

    We have a SAN environment over 2 locations. On each location they placed a Brocade DCX 8510 SAN switch. The Inter site link is provided via CISCO ONS.
    We use at both sites a MXP_MR_10DME card with two interfaces. We created two circuits and configured the ports at FC4G.
    So when we connect the brocade switches directly to the ONS it works perfectly. We then have 2 4GB fiberchannel connections.
    However we would like to trunk these connection to a 2x 4GB channel.
    On the Brocade switches we configured both interfaces connected to the ONS as Trunk.
    Both switches see each other but no traffic will run over this trunk. When we disable one port of the Brocade in this trunk then traffic starts to flow.
    Questions:
    Is it possible to create a trunk between the brocades via ONS? (we know that it will work with a direct fiber connection).
    I know you can do trunking by using other cards but is this possible with the 1-DMEX-C cards.
    So is the ONS aware of a trunk. I suppose that the ONS should be transparent.
    If anybody has done this before, do we need to configure something specific on the ONS or Brocade switches..?
    THX.

    Nevermind...
    I have been given the wrong SFP modules.

  • Cisco av-pairs SSID vs Dynamic Vlan Assignment

    Hello,
    Once upon a time, there was a Cisco av-pairs attribute to allow a Wireless user to a given SSID through Radius servers.
    If I'm not wrong, this feature has not been supported anymore (for several years) on WLC.
    Dynamic vlan assignment is an alternative way to control user acces to a given vlan. It simplifies the architecture, because only one SSID is needed and the user traffic is then redirected to the right vlan. But... There is an important issue with it, since only one SSID (and BSSID) is used, broadcast packets from all vlans are transmitted to everybody. It is an issue when some services use broadcast to announce their features (IPv6 autoconf, Bonjour, and so on...).
    So the question is if a working alternative to SSID av-pairs exists.
    Thanks.     

    To be honest, I have never heard of this SSID av-pair ever working in wireless:)
    You would need at least two ssids and the radius server would need the ability to send a CoA to disassociate the device so that the device would join the other SSID. The radius server would also have to push out the wireless profile to the client for the SSID they need to associate to. This can be done using Cisco ISE, but not Microsoft radius or even Cisco ACS.
    You can still use aaa override to place devices on specific vlans and use the WLC to allow bonjour or ACLs to filter what you don't want going out of the vlan. WLC has bonjour capabilities and thus you can specify that on the interface and not on the WLAN. Of course there are limitations, but with newer requirements that means there is no one answer. You might be able to meet certain requirements, but others you will have to sort of figure out.
    -Scott

  • VLAN Assignment of SSID using Cisco AV Pair or Dot1x ?

    Hi.
    I am looking to setup wireless access to 2 of my internal VLANs. I am using Cisco 1130AG, PEAP and RADIUS for the authentication as one network is for employees only and one restricted to guests only.
    I was wondering which was the most recommended solution.
    1. To have 2 SSIDs, with one in each VLAN with the access restricted using the Cisco AV Pair attribute in RADIUS
    or
    2. Use one SSID and use Dot1x and the Tunnel attribute to assign the VLAN?
    This option I feel is more complicated and I am still unsure how this works in reality as the SSID itself can only be part of one VLAN????
    Do I have to configure a Dot11Radio and Fastethernet interface for each intended vlan in this case?
    Could someone please explain and suggest their preferred option.
    Thanks.

    You should have two ssid's one for your internal and one for guest. You should use 802.1x for your internal and your guest should be open with a Login page of some sort. You can still use dynamic vlan assignments so that your internal users who try to access the guest page will be put on the internal vlan. Of course the guest will always be placed on the guest vlan. If you have a WLC, the login page and setup is easier, because in autonomous you will have to use something like ZoneCD for guest if you want a HotSpot type wifi.

  • How to reset Dot11Radio interface via SNMP

    Hi guys,
    Please tell me how I reset my AP's radio interface via SNMP? I mean down and up, one right after the other.
    I'm using several SNMP commands to manage our Ciscos. But I'm unsuccessful at this.. Please help me. Thanks.

    Isn't there any response? Isn't there any Cisco Specialist out there???

  • Can not access ASAs inside interface via VPN tunnels

    Hi there,
    I have a funny problem.
    I build up a hub and spoke VPN, with RAS Client VPN access for the central location.
    All tunnels and the RAS VPN access are working fine.
    I use the tunnels for Voip, terminal server access and a few other services.
    The only problem I have is, that I could not access the inside IP address of any of my ASAs, neither via tunnels nor via RAS VPN access. No telnet access and no ping reach the inside interfaces.
    No problem when I connect to the interface via a host inside the network.
    All telnet statements in the config are ending with the INSIDE command.
    On most of the ASAs the 8.2 IOS is running on one or two ASAs the 8.0(4).
    For the RAS client access I use the Cisco 5.1 VPN client.
    Did anybody have any suggestions?
    Regards
    Marcel

    Marcel,
    Simply add on the asas you want to administer through the tunnels
    management-access
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
    for asa5505
    management-access inside
    for all others if you have management interface management0/0 defined then:
    management-access management
    then you may need to allow the source, for example if the RA VPN pool network is 10.20.20.0/24 then you tell the asa that this network can administer the asa and point access to inside, but it sounds like you have this part already.
    telnet 10.20.20.0 255.255.255.0 inside
    http 10.20.20.0 255.255.255.0 inside
    same principle for l2l vpns
    Regards

  • Web Interface of Cisco Prime 2.1 not working

    Excuse me!
    I install the trial version cisco prime 2.1 (OVA) on ESXi server
    I can ping cisco prime but the web interface of cisco prime is not working
    prime/admin# ncs status
    Health Monitor Server is running.
    Ftp Server is running
    Database server is running
    Tftp Server is running
    Matlab Server is running
    NMS Server is running.
    Plug and Play Gateway is running.
    SAM Daemon is running ...
    DA Daemon is running ...
    Syslog Daemon is running ...

    Services running fine..
    check it with other Browser , Supported browser are below::
    –    Google Chrome 31 or later.
    –    Microsoft Internet Explorer 8.0 or 9.0 with Google Chrome Frame plugin (users logging in to the simplified Lobby Ambassador interface do not need the plugin).
    –    Mozilla Firefox ESR 24.
    –    Mozilla Firefox 24, 25 or 26.
    If above does not help , reboot the server once and check the issue again.
    Thanks-
    Afroz
    ***Ratings Encourages Contributors ****

  • EREC: "Assign Values to Interface Parameters" query

    Hi All,
    I am currently on ehp4, sp4. I had a requirement to change the format of the form to display the posting. Hence I took the help of the node: technical settings>User Interfaces>Administrator and Recruiter>General Settings>Assign Values to Interface Parameters. Here I used the parameter FORM_PUBL_INT_DOVR and the parameter value as the new Z form created. The new form was visible in the publication area of the job posting.
    But when i try to view the form by searching the job posting (as a candidate), it is still displayed in the old format. i.e when i try to view the posting using the posting search functionality.
    Can anybody please tell me what is the configuration left from my side
    Note: Majority of my application is a BSP application
    Regards,
    Kishore

    Dear Kishore,
    Please do the entry in the table V77RCF_PRM_PL for custom entries. Also check the table T77RCF_UI_PARAM whether correct form is used or not ??
    Best Regards,
    Deepak.

  • Include multiple sub-interfaces in Cisco ASA for VPN tunnel

    I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
    Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
    Inside, int0/1 : 10.1.1.0/24
    DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
    Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
    Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
    And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
    So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
    Additional settings:
    Have ACL to allow all sub interfaces to access outside (lower security level)
    NAT rule is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLANs couldn't access the internet.
    I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  • Can I rate-limit on the sub-interface in cisco asr 1013?

    Hi,
    I am looking for the command of rate-limit on a sub-interface in cisco asr 1013.
    Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.2(2)S, RELEASE SOFTWARE (fc1)
    IOS XE Version: 03.06.00.S
    Please let me know if it is possible in cisco asr 1013. If yes then what are the commands.
    Zobair

    The ASR no longer supports the rate-limit command, but it does support the same functionality in a QoS policy.
    Please find a sample configuration -
    ASR1004(config)#policy-map test
    ASR1004(config-pmap)#class class-default
    ASR1004(config-pmap-c)#shape average 10000
    Applying for both ingress and egress : -
    ASR1004(config)#int gig1/1/0
    ASR1004(config-if)#service-policy output test   
    or
    ASR1004(config-if)#service-policy input test

  • Assigning material to class via ALE

    Hi experts,
    I am looking for a way to assign the materials to the class through ALE.  What message type can I use to transfer this information.
    Thanks for your help.

    Hi Rolmega,
    Please check this link and scroll to the middle.
    There is a section to talk about assigning material to class via config and ALE.
    http://help.sap.com/saphelp_nw04/helpdata/en/7e/cb843643a311d189ee0000e81ddfac/content.htm
    Hope this will help.
    Regards,
    Ferry Lianto
    Please reward points if helpful.

  • Shutdown wireless interface via SNMP Write?

    Hi
    We're working on writing a very simple web app to control a couple of access points via SNMP.  I'm trying to shutdown the Wireless interface via SNMP WRITE with the following oid;
    .1.3.6.1.2.1.2.2.1.7.1
    and
    .1.3.6.1.2.1.2.2.1.7.2
    But it's saying the integer of '0' is invalid (badValue, wrong type or length). I'm able to set other values like hostname, etc, so I know my string is correct...can anyone help? Thanks
    Jason

    Hi
    Just found my own answer...the value to shutdown the interface is not 0, it's 2.  durrr
    Thanks
    J

  • Setting PPPoE clients speed Via Cisco router

    Hi, I have a 7200 cisco router working as NAS (network access server) for PPPoE sessions, the clients connected to DSLAMs and the Cisco connected to an external AAA Radius server.
    I want to set the user speed via the cisco router in a way which can be controlled in the Radius server, and not through the actual speed of the DSLAM ports
    Thanks a lot

    Hello Mohamed,
    there is a feature called controlled subscriber bandwidth that may fit your needs:
    see
    http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_con_sub_bdwth_ps6441_TSD_Products_Configuration_Guide_Chapter.html
    it manipulates the ATM traffic parameters on a per user basis
    these settings can be done on radius AV:
    example:
    The following example shows how to configure RADIUS attributes for a user profile for DBS:
    [email protected] Password = "userpassword1", Service-Type = Outbound
         Service-Type = Outbound,
         Cisco-Avpair = "vpdn:tunnel-id=tunnel33",
         Cisco-Avpair = "vpdn:tunnel-type=l2tp",
         Cisco-Avpair = "vpdn:l2tp-tunnel-password=password2",
         Cisco-Avpair = "vpdn:ip-addresses=172.16.0.0",
         Cisco-Avpair = "atm:peak-cell-rate=155000",
         Cisco-Avpair = "atm:sustainable-cell-rate=155000"
    Hope to help
    Giuseppe

  • LMS , AAA via Radius and cisco AV pair

    We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
    Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
    Ex : a Cisco-AV-pair , ?LMS?:groups="Network Administrator"
    I have tried a few, but none seem to work. And I haven't found documentation on this.

    No, It is pure authentication that is done.
    There is no way to select a role in LMS based on an AV pair.
    With tacacs+ something like that is possible.
    Cheers,
    Michel