Answer Questions


  • ISE BYOD machine authentication 3.1.0.x - ( 04-27-2024 )
  • Network Access Control
  • Hello Guys, I need help to validate whether my understanding is correct. I'm new to ISE, I know some rules but I can't progress with my client's problem.
    1 - He has an AD, but there is no GPO policy for Wireless.
    2 - There is a rule in ISE that first validates the machine, then the user, and if both match, it will be released to the corporate network. If it doesn't match on the machine (client's domain), it receives a different VLAN, and falls under the BYOD rule.
    To get around it without AD support, we tried to change the rules for TEAP; however, as there are many machines, we would have to do this via GPO, and the experts were unable to do so.
    Doubts:
    1 - Is there any way to validate the user and machine without a specific GPO for Wireless (802.1x)?
    2 - If not, the team should create a GPO that installs the certificate on the machine, right? Then I would have to change my rule to TLS, is that right? But could you share some example/video on how I should configure this rule? I think that to authenticate the visitor's machine (if it doesn't have the certificate), I don't know if it would be the same rule, for example:
    Rule 1:
    AND: EAP-TLS
    AND: AD
    AND: Certificate Subject - Common Name Starts_With "string x, y, or z"
    Result => VLAN Permit 56
    And if you don't fall under this rule:
    Rule 2:
    AND: Radius Called Station ID (SSID)
    AND: AD External to the client (domain user)
    Result => VLAN Permit 57 (BYOD Rule - User's own machine)
    Does that make sense?

  • Heads Up: ArcaneDoor - trojans running on ASA/FTD became reality - ( 04-27-2024 )
  • VPN
  • https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
    "We have not determined the initial access vector used in this campaign. We have not identified evidence of pre-authentication exploitation to date. While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which we detail below."
    Nice.

  • CML sandbox availability problem - ( 04-26-2024 )
  • DevNet Sandbox
  • In the past DevNet sandbox, the maximum reservation duration was 4 hours and I usually didn't have much problem accessing the CML sandbox. However, in the new Torque system, the maximum reservation duration is up to 8 days. It is almost impossible to access the CML sandbox. Given that most of us, if not all, can't possibly use the Sandbox 24/7, I suggest that the Sandbox team reduce the maximum reservation period to a much shorter period (e.g. 8 hours), so that the Sandbox resources can be more efficiently utilized and made more available to everyone.

  • Default vsan (vsan0001) is showing as Admin okay but Operational down - ( 04-26-2024 )
  • Unified Computing System Discussions
  • Default VSAN (vsan0001) in UCSM is showing as Admin status okay but Operational status down (major alarm from monitoring system).
    It is causing an inconvenience for us as we are getting an alarm generated for this default VSAN, which we are not using in our UCS Fabric Interconnects. But somehow all unused FC ports (disabled) are pointing to, or are members of, this default VSAN. Is there any way to get rid of this without causing any problems? See below for details:
    A(nx-os)# show vsan
    vsan 1 information
             name:VSAN0001  state:active
             interoperability mode:default
             loadbalancing:src-id/dst-id/oxid
             operational state:down
    vsan 1111 information
             name:VSAN1111  state:active
             interoperability mode:default
             loadbalancing:src-id/dst-id/oxid
             operational state:up
    fc-uplink # show vsan
    VSAN:
        Name       Id         FCoE VLAN  Fabric ID FC Zoning Overall status
        ---------- ---------- ---------- --------- --------- --------------
        default    1          4048       Dual      Disabled  Ok
        Top        1111       1111       A         Disabled  Ok
    ***** Default VSAN and not in use *****
    A(nx-os)# show vsan 1 membership
    vsan 1 interfaces:
        fc1/5   fc1/6   fc1/7
        fc1/8   fc1/9   fc1/10
        fc1/11  fc1/12  fc1/13
        fc1/14  fc1/15  fc1/16
    ***** Working and in use VSAN *****
    A(nx-os)# show vsan 1111 membership
    vsan 1111 interfaces:
        fc1/1    fc1/2    fc1/3
        fc1/4    vfc3867  vfc4248
        vfc4353  vfc4354  vfc4517
        vfc4518  vfc4573  vfc4574
        vfc4578  vfc4583  vfc4584
        vfc4644  vfc4648  vfc4650
        vfc4659  vfc4660  vfc4669
        vfc4670  vfc4694  vfc4769
        vfc4770  vfc4784  vfc4785
        vfc4833  vfc4834  vfc4839
        vfc4840  vfc4845  vfc4846
        vfc4876  vfc4877  vfc4882
        vfc4883  vfc4910  vfc4911
        vfc4922  vfc4923  vfc4941
        vfc4953  vfc4959  vfc4998
        vfc4999  vfc5010  vfc5011
        vfc5027  vfc5055  vfc5083
        vfc5085  vfc5143  vfc5162
        vfc5163  vfc5173  vfc5179
        vfc5187  vfc5195  vfc5201
        vfc5209  vfc5211  vfc5219
        vfc5221  vfc5227  vfc5233
        vfc5239  vfc5243  vfc5250
        vfc5251  vfc5261  vfc5267
        vfc5281  vfc5289  vfc5299
        vfc5305  vfc5315  vfc5321
        vfc5331  vfc5343  vfc5373
        vfc5379  vfc5385  vfc5391
        vfc5405  vfc5411  vfc5417
        vfc5423

  • Jabber Guest plugins for Browsers - ( 04-26-2024 )
  • Audio and Video Endpoints
  • Hello, I deployed Cisco Jabber Guest 11.2.1 in my lab. I was able to download the web add-on and the extension for the Chrome browser. Some days later, I noticed I could neither download the web add-on nor install the extension for Chrome. I got this error 404 when I clicked the download button: https://chrome.google.com/webstore/detail/jbglbakaieakcdiaiabbihafndhapfki
    The above URL was not found. I have tried on a different PC but still get the same error 404. I decided to try on Firefox. The download icon didn't load. I checked the Mozilla Firefox extensions and added the plugin. I searched the Chrome extension store for Jabber Guest but with no success. Has Cisco finally moved to WebRTC? Any contribution will be appreciated.

  • ACI Simulator - Can not connect or ping - ( 04-26-2024 )
  • Application Centric Infrastructure
  • Hi, so I fired up ACI Simulator using the Proxmox hypervisor. I have set my static IP as follows:
    IPv4 address: 192.168.1.200/24
    Gateway: 192.168.1.1
    The IP address is free and available in my network. The subnet is correct. The gateway is correct. However, I cannot ping ACI Simulator, and cannot ping from inside ACI Sim to the outside. For example: I log into the ACI Simulator console and ping the gateway or a host in my network and I get 100% packet loss. I tried this in VirtualBox as well and I get the same results.
    If I look at 'ifconfig', I see my apic1-eth1 inet is 192.168.1.200, netmask: 255.255.255.0, broadcast: 0.0.0.0. I believe the broadcast is wrong and should probably be 192.168.1.255, but I am not sure if that's causing the issue. When I first configured ACI Simulator, I was not prompted to enter the broadcast address. Not sure what's causing the issue. All my other Linux VMs use the same VirtIO (paravirtualized) bridge adapter and they work just fine. Not sure how I can resolve this or update the broadcast address to see if it resolves the issue. Any ideas would be great. Thank you!

  • BGP ipv4 mvpn versus vpnv4 multicast SAFI - ( 04-26-2024 )
  • Routing
  • The Cisco document bgp-mvpn-bgp-safi-129-ipv4.pdf (cisco.com) appears to refer to BGP SAFI 129 as the one used for mVPN configurations. This is totally confusing compared to the mVPN profile configuration guide "Configure mVPN Profiles within Cisco IOS XR - Cisco". First of all, could someone point out if the BGP ipv4/vpnv4 multicast SAFI has anything to do with the profile 14 mVPN config or not? Second question: what would be the difference between the vpnv4 multicast and mvpn SAFIs? Thank you.

  • Room Kit Pro black screen - ( 04-26-2024 )
  • TelePresence and Video Infrastructure
  • Hi, I have a Cisco Room Kit Pro with an Extron Nav-e IP system. The system has been working perfectly; however, after the recent update, when disconnecting a laptop, the Cisco keeps presenting just a black screen.
    Has the latest update changed how Cisco handles CEC or syncing?
    I understand my issue is now caused by the Extron decoder, but this did not happen before the update, and no settings have been changed on the Extron or the Cisco.

  • MTU support on BDI of ASR920 - ( 04-26-2024 )
  • Routing
  • Hi Experts, I am testing the MTU size that BDI can support. Please take a look at my config and test below. I configured the physical interface and BDI with MTU 9190. When I do a traceroute mpls, it shows MRU 1500, suggesting that the network interfaces (BDI) can accept packets up to 1500 bytes in size without requiring fragmentation. When I ping the neighbor including the size and df, I can send up to 6354. The neighbor device is also set with MTU 9190. Can you tell me why the traceroute says 1500 MRU but I can send up to 6543? I appreciate the response.
    TEST-PE#show running-config interface BDI15
    Building configuration...
    Current configuration : 277 bytes
    !
    interface BDI15
     ip address 172.22.224.182 255.255.255.252
     ip mtu 9190
     ip ospf network point-to-point
     ip ospf 1 area 0.0.0.0
     mpls traffic-eng tunnels
     bfd interval 300 min_rx 300 multiplier 3
     ip rsvp signalling hello bfd
    TEST-PE#show running-config interface gigabitEthernet 0/0/4
    Building configuration...
    Current configuration : 266 bytes
    !
    interface GigabitEthernet0/0/4
     mtu 9190
     no ip address
     negotiation auto
     service instance 15 ethernet
      encapsulation dot1q 15
      rewrite ingress tag pop 1 symmetric
      bridge-domain 15
     !
    end
    TEST-PE#show ip interface BDI15
    BDI15 is up, line protocol is up
      Internet address is 172.22.224.182/30
      Broadcast address is 255.255.255.255
      Address determined by non-volatile memory
      MTU is 9190 bytes
      Helper address is not set
      Directed broadcast forwarding is disabled
    TEST-PE#traceroute mpls ipv4 172.22.239.45/32
    Tracing MPLS Label Switched Path to 172.22.239.45/32, timeout is 2 seconds
    Codes: '!' - success, 'Q' - request not sent, '.' - timeout,
      'L' - labeled output interface, 'B' - unlabeled output interface,
      'D' - DS Map mismatch, 'F' - no FEC mapping, 'f' - FEC mismatch,
      'M' - malformed request, 'm' - unsupported tlvs, 'N' - no label entry,
      'P' - no rx intf label prot, 'p' - premature termination of LSP,
      'R' - transit router, 'I' - unknown upstream index,
      'l' - Label switched with FEC change, 'd' - see DDMAP for return code,
      'X' - unknown return code, 'x' - return code 0
    Type escape sequence to abort.
      0 172.22.224.182 MRU 1500 [Labels: 393/implicit-null Exp: 0/0]
    L 1 172.22.224.181 MRU 9190 [Labels: 612 Exp: 0] 44 ms
    L 2 172.22.224.217 MRU 9190 [Labels: 959 Exp: 0] 14 ms
    L 3 172.22.224.194 MRU 9190 [Labels: 2178 Exp: 0] 13 ms
    L 4 172.22.224.141 MRU 9190 [Labels: implicit-null Exp: 0] 19 ms
    ! 5 172.22.224.81 14 ms
    TEST-PE#ping 172.22.224.181 size 6354 df
    Type escape sequence to abort.
    Sending 5, 6354-byte ICMP Echos to 172.22.224.181, timeout is 2 seconds:
    Packet sent with the DF bit set
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/17/44 ms
    TEST-PE#ping 172.22.224.181 size 6355 df
    Type escape sequence to abort.
    Sending 5, 6355-byte ICMP Echos to 172.22.224.181, timeout is 2 seconds:
    Packet sent with the DF bit set
    .....
    Success rate is 0 percent (0/5)
    TEST-PE#

  • Automatic SNA reports exStealthwatch - ( 04-26-2024 )
  • Security Analytics
  • Dear all, I would like to ask if it is possible to make automatic reports in SNA. Currently we generate reports manually, but our client wants to automate them. If there is a process for this, can you share information with me? I remain attentive, thanks.

  • Cisco Clientless SSL (WebVPN) broken after Chrome/ edge 124 update - ( 04-26-2024 )
  • VPN
  • Hey guys - Does anyone else have the issue in the title with ASA using WebVPN? TLS handshakes are failing after the Chrome 124 updates. After doing research, it's due to hybridized Kyber support. The current workaround for Chrome/Edge is below for anyone else that has this issue, but I've seen 0 posts on this regarding Cisco. Plenty of other vendors have this issue as well.
    chrome://flags/#enable-tls13-kyber set to Disabled
    Computer Configuration > Policies > Administrative Templates > Google > Google Chrome > Enable post-quantum key agreement for TLS > Disabled
    Computer Configuration > Policies > Administrative Templates > Microsoft Edge > Enable post-quantum key agreement for TLS > Disabled

  • CUCM 14 - Hunt Pilot Call Pickup - ( 04-26-2024 )
  • IP Telephony and Phones
  • Hello, We are running CUCM v14. We have several call pickup groups which work fine if the phones are dialed directly. The phones are also in a line group and I want to configure a pickup group on the hunt pilot. The Hunt pilot, pickup group and directory numbers are all in the same partition. Still the pickup function does not work. Any idea on how to fix this?

  • app-agent heartbeat is not in ASA 9.18 - ( 04-26-2024 )
  • Cisco Bug Discussions
  • After I upgrade to ASA 9.18, the command app-agent heartbeat interval 1000 retry-count 3
    I am using Cisco CSM (4.22 SP1) to deploy policies and it is stuck getting an error:
    app-agent heartbeat interval 1000 retry-count 3
    ^
    ERROR: % Invalid input detected at '^' marker.
    Not sure what to do.

  • How to investigate high number of alerts for browser cache files - ( 04-26-2024 )
  • Endpoint Security
  • Hi, the File Detection category generates a lot of alerts on browser cache with signatures like these:
    GT:JS.Hyena.x
    GT:JS.Injected.x
    Trojan.Generic.x
    Trojan.GenericKD.x
    Auto.x.in02
    W32.x.in12.Talos
    Most of the time these files are unique, so they won't be on VirusTotal. Submitting to Cisco's cloud sandbox won't do anything because they don't have any extensions to run with a default program; it's browser AppData. The files are in proprietary formats specific to the browser and require forensics tools to parse. Even then, these generic signature names don't tell us what it is about the file that is triggering the alert.
    Does anyone have a reasonable way to do root cause analysis without going to Cisco TAC? Is there a way to see the logic behind these signatures? Or do we know how they work at a higher level: is it looking at strings or binary patterns?

  • Cisco 8000 based campus backbone - ( 04-26-2024 )
  • SD-WAN and Cloud Networking
  • Is there anyone here using the Cisco 8000 series (8801/8802/etc.) in their backbone with VXLAN? I'd like to get some feedback on this Silicon One based platform.
    Use case: Looking for a backbone upgrade from Cat6K based VPLS to something new. Have 6 pairs of PEs now.

  • FMC Instance not registered with this management centre - ( 04-26-2024 )
  • Network Security
  • Trying to deploy an Instance via the FMC. The Instance gets created okay on the device; however, I am getting the error "This instances is not registered with this management centre".
    The Instance does not display in the "Devices All" page, but it is on the device itself under Instances. Is there some way to force registration?

  • CSCwi66726 - OpenSSH CVE-2023-51767 SD-WAN - ( 04-25-2024 )
  • Cisco Bug Discussions
  • Hello, do you have more information regarding this bug? It is mentioned that the problem is fixed, but the fixed version is not mentioned. We also checked the CVE, where we can see that the problem is in OpenSSH version 8.2; this problem is fixed in OpenSSH version 9.6. If that is true, not only version 20.12 is affected but all SD-WAN versions, in our case version 20.6. Regards, Hynek

  • Protecting non-VPN Users from Spray Attacks - ( 04-25-2024 )
  • VPN
  • I have a requirement for VPN with MFA for a subset of users, while protecting the other users from spray attacks.
    Scenario: Customer is currently implementing VPN with MFA for a defined set of users (1/3 of staff). Most users do NOT have a requirement for VPN and MFA. The customer is currently implementing Cisco Duo for MFA, and is currently using MS NPS for RADIUS auth to on-prem AD. Azure AD is out of the picture for the time being. The customer has a partially implemented Cisco ISE. Customer uses SCCM. The customer does not have MS E3 licenses, or P1/P2.
    Goal: Protect non-VPN/MFA users from being locked out due to password spray attacks.
    Option One: Increase the Duo licenses to cover all users. Con: Can't do this - customer has 1/3 of users covered by MFA only.
    Option Two: Machine certs as part of the auth chain, pre-logon. Does this require a move to ISE, or will it work with NPS? Will this work prior to users entering credentials? Any downsides?
    Option Three: AD Group supporting allowed VPN users, all other users in an AD group that disallows VPN access. Does Group recognition happen before or after user credentials are shared? Is it different for NPS vs ISE?
    Thanks