Allow HSRP on certain VLANs on Cisco OTV

I was working with a vendor and one of their requirements  was to split their two routers between the  two sites and enable HSRP. We are running OTV to extend layer 2 between the two sites. To avoid sub optimal switching and routing, I created filters to prevent HSRP peers to see each other between the two data centers. Allowing HSRP traffic across OTV is NOT Cisco best practices but there times that we have to do exceptions right? So how do you allow HSRP to cross OTV? Follow the three simple steps below to allow HSRP. You need to allow this to all your OTV instances.




Step 1. Do not add the VLAN in your VLAN filter list (VLAN 5 is the vlan we want to allow)

vlan filter HSRP_Localization vlan-list 2,3,4,7
 
Step 2. Do not add the VLAN in your arp inspection filter list (VLAN 5 is the vlan we want to allow)

ip arp inspection filter HSRP_VMAC_ARP vlan 2,3,4,7 

Notice that VLAN 5 is not included  meaning it will not be filtered.

Step 3. Identify the mac address of the HSRP you want to allow. You will most likely find this in the active router side since the standby router will not see the arp table for HSRP 1.1.1.1 because it still being filtered.


SiteA-Nexus#sh ip arp | inc 1.1.1.1
1.1.1.1    00:17:52  0000.0c07.ac05  Vlan5


Once you determine the mac address, add it to your route-map

mac-list OTV_HSRP seq 5 permit 0000.0c07.ac05 ffff.ffff.ffff
mac-list OTV_HSRP seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV_HSRP seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP seq 15 deny 0100.5e00.0000 ffff.ffff.ff00
mac-list OTV_HSRP seq 20 permit 0000.0000.0000 0000.0000.0000
route-map OTV_HSRP_filter permit 10
  match mac-list OTV_HSRP

If you are wondering what is the ffff.ffff.ffff this is a wildcard to match all.

Cisco ACE Appliance Admin Context Sample Configuration

Below is a sample configuration of the Admin Context of the Cisco ACE Appliance not the MODULE.

hostname ACE_ONE -> Hostname of Primary ACE
peer hostname ACE_TWO -> Optional if you have a secondary ACE

interface port-channel 1 -> Channel Group for ACE
description Port-Channel 1
switchport trunk allowed vlan 1-1024 -> VLAN Trunks to allow
no shutdown

Create a port channel on your switch and bind all 4 interfaces total 4 gig connections.
interface gigabitEthernet 1/1
speed 1000M
duplex FULL
channel-group 1
no shutdown

interface gigabitEthernet 1/2
speed 1000M
duplex FULL
channel-group 1
no shutdown

interface gigabitEthernet 1/3
speed 1000M
duplex FULL
channel-group 1
no shutdown

interface gigabitEthernet 1/4
speed 1000M
duplex FULL
channel-group 1
no shutdown



clock timezone standard EST
clock summer-time standard EDT
ntp server ntp.time.com


access-list ALL line 8 extended permit ip any any -> This access will permit all traffic inbound


class-map type management match-any remote_access -> Create a class map for management
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any

policy-map type management first-match remote_mgmt_allow_policy -> Policy map for management
class remote_access
permit

interface vlan 100
ip address 10.20.100.10 255.255.255.0 -> IP Address of main ACE
peer ip address 10.20.100.11 255.255.255.0 -> Optional if you have a secondary ACE
access-group input ALL -> Access-list ALL
service-policy input remote_mgmt_allow_policy -> Service Policy for management
no shutdown

ip route 0.0.0.0 0.0.0.0 10.20.100.1 -> Create a Static Route. In this case, I use the gateway for the interface VLAN 100.

username admin password 5 $0&uusanalljsd99865%$ role Admin domain default-domain -> Admin user for the admin context.


Below is optional if you have a secondary ACE for high availability. FT interface can be a dedicated VLAN or one of the physical interface of the ACE. Note: If you use the physical interface for high availability you can only bind 3 physical interfaces on your ACE.
ft interface vlan 800
ip address 192.168.200.1 255.255.255.252
peer ip address 192.168.200.2 255.255.255.252
no shutdown

ft peer 1 -> Optional if you have a secondary ACE for high availability
heartbeat interval 300
heartbeat count 20
ft-interface vlan 800

ft group 2 -> Optional if you have a secondary ACE for high availability
peer 1
priority 101
peer priority 90
associate-context Admin -> Add the Admin context to ft group 2
inservice





On my next post, I will show you how to create a virtual context in the admin context.

Our New Mini Server Room

We finally finish our mini server room. The server room are mostly for our virtual servers and our Netapps.

We have one of our 6509 VSS in this datacenter & the other VSS is in another closet.

Single Sign on with Cisco SSL VPN and Sharepoint

We just deployed sharepoint at my job and I was looking for a way to have a single sign on with our ssl vpn using our Cisco ASA and Sharepoint. I was looking at cisco forums and couldn't get any answer. After playing around with the ASA settings 4 hours later, I was able to make it work and it was so simple to do. Make sure that you are using the same authentication you are using with SSL VPN and Sharepoint. Our VPN SSL is setup using LDAP or NTDomain authentication. With SSO enable, it will pass the credential you use to log in to SSL VPN to Sharepoint.

First you have to enable single sign by going in to

Configuration->Clientless SSL VPN Access->Group Policy choose the policy you want to enable single sign on click edit-> more options -> single sign on and click add
URI=*
Auhtentication Type=Basic,NTLM, and FTP click OK.



Then go to Configuration->Clientless SSL VPN Access->Portal Customization If you don't have a customize page yet click add and name it SharepointSSO you can name it anything you want then click Edit, another browser will open up.







Under Portal on the left side disable everything in title panel, toolbar, navigation panel, application. Under Homepage choose
Mode=Custom Intranet Web Page
Custom Intranet Web Page URL=http://sharepointserver/_layouts/Authenticate.aspx (The site that let the users authenticate)
URL List Mode= No Group.



Save the custom page and login to your SSL VPN. You should automatically log in to sharepoint.


There are other ways to accomplish this but this is the simplest way so far. There is also a post plugin that you can download and use but I couldn't get it to work at the time I was doing this. Please let me know if you tried the same settings I did and how it work for you.

This settings also works with Citrix Web Interface as long as the client detection feature is NOT enabled.

McAfee false positive detection of w32/wecorl.a when using 5958 DAT file

McAfee has identified an issue where a specific DAT file version is causing a false positive detection of the w32/wecorl.a virus. When this false positive occurs, Svchost.exe is blocked and quarantined, which will cause the machine in question to shut down with a DCOM error, and can in some circumstances cause a blue-screen. This issue appears to only occur on Windows XP SP3 clients.

This issue is known to occur with version 5958 of the McAfee DAT file, released on April 21, 2010. McAfee has released an EXTRA.DAT file to suppress this false detection. After installing the EXTRA.DAT, you can restore the effected file from Quarantine within McAfee. To restore a file from Quarantine, please carry out the following steps:

1. Open the VirusScan Console.
2. Double-click Quarantine Manager Policy.
3. Click the Manager tab.
4. Right-click the required item and select Restore.

For more information, please refer to the following McAfee articles:

https://kc.mcafee.com/corporate/index?page=content&id=KB68780

https://kc.mcafee.com/corporate/index?page=content&id=KB51109

Cheap free internet hotspot gateway

I was given a task by our upper management to setup a free wireless access on our remote locations. I have been searching for an appliance or software that can provide a splash screen for end users to see to agree on the Terms of Use. I first look at nomadix which I know is popular but very expensive. I also tested the zone cd which was very easy to set up but there was a recurring cost. So I went ahead and tested antamedia hotspot software which really work well and very easy to configure even the splash screen was easy to customized. The caveat to this is that you still need a PC with dual NICs for it to work and it will cost you around $400 just for the software not including the PC. I was determine to get this software but when we were ready to get it, we had issues paying for it because we only do purchse orders not credit cards plus the company is not in the United States. It was a blessing in disguise that this company that I called before (citrusmicro.com) finally got back to me and told me that a new box just came in. I went ahead and ordered it and when I got the boxes it literraly took me less than 15 minutes to set it up with terms and conditions with customized splash screen. The box looks like a small router that runs on unix. The best part, It only cost us $190.00 per box without the need of another PC. For more info about the hotspot gateway from GIS follow the link below.

http://www.guest-internet.com/hotspot_gateway_for_guest_internet_access.html


This is where I got it from
http://www.citrusmicro.com/GIS-R2-Hot-Spot-Internet-Gateway-p/gis-r2.ht

Nexus 7018 Cable Management Part 2

Below is the final outcome of our cable management to the Nexus.


We ran all the cables on the left side so that we don't cover the air flow of the Nexus switch.