|
|
1
« Last post by LoboPR on Today at 08:38:01 AM »
Hi,
I come from the ASA side of firewalls. Have a few questions.
1- In the ASA ACL you would have an implicit Deny any any at the end of the ACL. That would block all traffic not explicitly permitted in the ACL. Best practice would be to enter it as an ACE at the last position with the log option.
Is this the same with the ACP on the FTD?
2-With just configuring NAT on the ASA. The traffic from the higher security level can pass to the lever security lever (ex inside (100) outside (0))
On the FTD I notice that the security levels are all level 0 and no place to change this.
Do we have to explicitly permit outgoing traffic before the deny?
Thanks,
2
« Last post by MC on March 21, 2024, 07:30:58 PM »
You are correct. Because MPBGP was used between BC and Transit Control node, LISP routes at each VRF/Site need to be redistributed into MPBGP and this includes any external routes learned by a site Border node. These are all taken care of by DNAC and there is nothing you need to do manually in terms of redistribution.
3
as per my understanding, transit control node only learns LISP prefixes which then redistributes them in MPBGP towards BC nodes at sites.
At HQ, there is some route leaking between VRFs for some shared services in DC.Does this mean that it is mandatory to redistribute BGP prefixes ožat HQ site into LISP so they get advertised to transit control node?
If not, how BC nodes at other sites would learn about those prefixes if transit control node is not learning BGP prefixes?
What am I missing?
Thank you in advance.
4
« Last post by MC on March 18, 2024, 07:51:20 PM »
Endpoint DHCP should always sent/received on an overlay and why you need IP Transit to allow packet to get to a DHCP server outside of the fabric.
5
« Last post by MC on March 18, 2024, 07:49:26 PM »
LM-PXGRID is a standard web cert template with both client and server authentication so DNAC can connect to pxGrid. Once created, don't forget to publish it. From what I recall, the openssl.cfg should be included with an installation. If not, you can just grab one off the internet.
6
Hi, I watched your videos on SDA transit between multi sites. Does it mean that when end point is sending DHCP request it goes over underlay, and DHCP offer goes over overlay? Thank you.
7
How did you create the LM-PXGRID template and where did you place it so it will be listed under Certificate Template in CA. Also, I downloaded and installed openssl (from sourceforge) but there where no openssl.cfg file in the bin directory. How can I resolve these two isssue so I may continue.....Thanks
8
« Last post by MC on February 06, 2024, 07:56:10 PM »
Cisco now offers Catalyst Center VM on ESXi but it has limited availability so check with your account manager. You can try to install a VM on your own using the official ISO but you will need to have comparable hardware resources and result is not guaranteed.
9
« Last post by MC on February 06, 2024, 07:51:48 PM »
It depends on which video series you are referring to. All lab videos were created with actual hardware but you may be able to rebuild them in a system like GNS3 or EVE-NG although it won't exactly match what are in the labs.
10
I want to be able to mock up your SDAccess/DNAC videos in my home lab, looks like you used a physical appliance. Have you done anything with DNAC on ESXi? Iv'e seen a few videos on it but not sure, if you have any experience would you mind sharing? Thanks,
|
Recent Posts