Wednesday 28 July 2021

smart licencing and switches without internet access

Essentially you set a reservation code on the switch,
apply it in the Smart Account,
download the confirmation file, TFTP it to the switch and install the licence from that file.


https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst_slr/b-169-9000-series-SLR-cg/b-169-9000-series-SLR-cg_chapter_00.html





Monday 26 July 2021

setting up trunks on VMware

Set up the trunk ports on your switch and trunk the VLANs to your VM hosts.

Sample setup

2 hosts

2 switches

From each host a trunk cable to SW1 and SW2

4 cables total. Remember you will need other ports on your VMware servers for MGMT, vMotion etc.



VMWARE 5.x

New port group

NoVLAN (used for the native (untagged traffic) VLAN - not usually used)

VLAN type none 


VLAN 81 - DMZ (most used)

VLAN type: vlan

VLAN ID: 81


VLAN Trunk (need to do the tagging on the guest VM)

VLAN Trunking

VLAN trunk range: 150-160


VMware 6.x

Networking

Make a new port group

Hosts -> config -> Networking -> Virtual switch -> Add networking

New vswitch

virtual machine port group for standard switch


A standard vSwitch (vSwitch0 for example) needs to be set up identically on each host so VMs can fail over.

A distributed switch can be set up at the DC level and is automatically created for you on each host.

Looks like we might need to make a distributed switch

Wednesday 21 July 2021

sample login banner



************************************************************************

*           UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED           *

*                                                                      *

* You must have explicit, authorised permission to access or configure *

* this device. Unauthorised attempts and actions to access or use this *

* system may result in civil and/or criminal penalties. All activities *

* performed on this device are logged and monitored.                   *

*                                                                      *

************************************************************************

PowerShell script to download and install Chrome



No more fighting with IE


https://www.snel.com/support/install-chrome-in-windows-server/


$LocalTempDir = $env:TEMP
$ChromeInstaller = "ChromeInstaller.exe"
# Download the installer into %TEMP%
(New-Object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller")
# Run the silent install
& "$LocalTempDir\$ChromeInstaller" /silent /install
# Poll until the installer process has exited, then delete the installer file
$Process2Monitor = "ChromeInstaller"
Do {
    $ProcessesFound = Get-Process | Where-Object { $Process2Monitor -contains $_.Name } | Select-Object -ExpandProperty Name
    If ($ProcessesFound) {
        "Still running: $($ProcessesFound -join ', ')" | Write-Host
        Start-Sleep -Seconds 2
    } else {
        Remove-Item "$LocalTempDir\$ChromeInstaller" -ErrorAction SilentlyContinue -Verbose
    }
} Until (!$ProcessesFound)


Without admin rights

$LocalTempDir = $env:TEMP
$ChromeInstaller = "ChromeInstaller.exe"
# Download the installer into %TEMP%
(New-Object System.Net.WebClient).DownloadFile('http://dl.google.com/chrome/install/375.126/chrome_installer.exe', "$LocalTempDir\$ChromeInstaller")
# Open the temp folder in Explorer so the installer can be run from there
Invoke-Item $LocalTempDir

In explorer

Open %temp% in 


Monday 19 July 2021

SIP



INVITE

100 Trying

180 Ringing (phone is ringing)

200 OK (other end accepted the call / answered)


There are often 3 parties involved:

Client1 <-> sip proxy <-> Client2
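The call flow above, modelled as a small state machine. This is an added example and not part of the original notes: the SIP status lines are constructed for the example, the proxy is assumed to answer 100 Trying itself (hop by hop) and relay Client2's responses back to Client1, and the ACK for a 2xx is generated by the caller.

```python
import re
from dataclasses import dataclass, field

# Status line of a SIP response, e.g. "SIP/2.0 180 Ringing"
STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")


@dataclass
class Call:
    # idle -> proceeding -> ringing -> established | failed
    state: str = "idle"
    trace: list = field(default_factory=list)

    def log(self, hop, msg):
        self.trace.append((hop, msg))


def parse_status(line):
    """Return (code, reason) from a SIP response status line."""
    m = STATUS_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a SIP status line: {line!r}")
    return int(m.group(1)), m.group(2)


def apply_response(call, code):
    """Advance the caller's (Client1's) view of the INVITE transaction."""
    if call.state in ("established", "failed"):
        raise ValueError(f"response {code} received after a final response")
    if code == 100:
        call.state = "proceeding"
    elif 101 <= code <= 199:
        call.state = "ringing"          # 180 Ringing, 183 Session Progress, ...
    elif 200 <= code <= 299:
        call.state = "established"      # 200 OK: callee answered
    else:
        call.state = "failed"           # 3xx-6xx final responses
    return call.state


def run_call(callee_responses):
    """Simulate Client1 -> proxy -> Client2 for one INVITE (constructed flow).

    The proxy answers 100 Trying itself so the caller stops retransmitting the
    INVITE, forwards the INVITE, then relays Client2's responses back.
    """
    call = Call()
    call.log("Client1->proxy", "INVITE")
    call.log("proxy->Client1", "SIP/2.0 100 Trying")
    apply_response(call, 100)
    call.log("proxy->Client2", "INVITE")
    for line in callee_responses:
        code, _reason = parse_status(line)
        call.log("Client2->proxy", line)
        call.log("proxy->Client1", line)
        apply_response(call, code)
        if code >= 200:
            break                       # a final response ends the INVITE transaction
    if call.state == "established":
        call.log("Client1->Client2", "ACK")   # ACK for a 2xx comes from the caller
    return call


if __name__ == "__main__":
    for hop, msg in run_call(["SIP/2.0 180 Ringing", "SIP/2.0 200 OK"]).trace:
        print(f"{hop:18} {msg}")
```

Feeding it a final error such as `SIP/2.0 486 Busy Here` instead of the 200 OK leaves the call in the `failed` state and no ACK is logged, which is the distinction between a ringing phone and an answered call that the four lines above describe.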



Friday 2 July 2021

Azure to Cisco Firepower FTD S2S VPN issues

The issue

Azure’s IKEv1 VPN is “policy based” by default (crypto map)

Azure’s IKEv2 VPN is “route based” by default (VTI / tunnel interface / routes)

Cisco FTD side IKEv2 VPN is “policy based” (crypto map)


My FTD was running version 6.6.1, which doesn't support the VTI interfaces needed for a route based VPN. VTI support is added in version 6.7, but that version also requires 32GB of RAM and it also deletes old DH groups like DH group 2. All 3rd parties would need to be contacted and all S2S VPNs with 3rd parties would need to be updated. That is a significant amount of work that would need to be co-ordinated and would need sign off, OOH work etc.


Why it works sometimes

When the Azure side tries to initiate the traffic, it tries to use IKEv2 route based, which won't work. However, when the lifetime is reached and the VPN re-keys, if the Cisco side initiates the traffic with IKEv2 policy based, the Azure side will accept that connection. That is why it works sometimes and does not work other times: it just depends on which side tries to bring the VPN up first after it has gone down from lifetime expiry.


Some possible fixes:

1 – Change the VPN to the old IKEv1 policy based VPN. This should work but might have implications for security audits etc. 


2 – Change the Azure side to be policy based and responder only. Cisco TAC said there is a checkbox to make the VPN policy based and responder only. On the Azure side you will need to go into PowerShell and manually add the traffic selectors.

The TAC engineer said a support ticket with Azure may be required to set this up. 

The Cisco side will need a script that constantly pings something on the Azure side. This keeps the Cisco side initiating the VPN.


3 – Upgrade Firepower to 6.7. May need a RAM upgrade. Will need to contact all 3rd parties which have a site-to-site VPN and co-ordinate updating all the VPN settings.


Possible quick fix/work around:

Set up the ping -t from the Cisco side to the Azure side

Clear down the VPNs (affects all S2S VPNs)

Do this a few times until we can bring the VPN between Azure <-> DLR backup up with the DLR side as initiator


Daniel, can you give me a host to ping on the Azure side (10.5.0.0 255.255.255.0)? I don't think it even needs to respond, but just something I can use to generate traffic to match the VPN.

DH groups on FMC 6.7

Some old DH groups are deprecated and removed in version 6.7.

Cisco completely removed them; they can't be used at all. Any VPN config you had with the old settings needs to be updated before you upgrade. This will need changes on your end and on the peer end.


Sample settings to use

A1-E-AES256-I-SHA256-P-SHA256-DH21-28800

A2-E-AES256-I-SHA256-P-SHA256-DH20-28800

A3-E-AES256-I-SHA256-P-SHA256-DH19-28800

A4-E-AES256-I-SHA256-P-SHA256-DH14-28800


A1-E-AES256-I-SHA256-P-SHA256-DH21-28800

Priority 1

Lifetime: 28800

Integrity: SHA256

Encryption: AES-256

PRF: SHA256

DH group: 21


IKEv2 IPsec proposal

ESP-E-AES256-I-SHA256

ESP hash: SHA-256

ESP Encryption: AES-256
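A decoder for the proposal naming scheme used in these notes (A<priority>-E-<encryption>-I-<integrity>-P-<PRF>-DH<group>-<lifetime> for IKEv2 policies and ESP-E-<encryption>-I-<integrity> for IPsec proposals), with a lint pass that flags the removed DH groups described in the "DH groups on FMC 6.7" section so a config can be checked before the upgrade. This is an added example, not Cisco or FMC code, and it parses only the naming convention the notes use. The notes name DH group 2 as removed; groups 5 and 24 in `REMOVED_DH_GROUPS` are an assumption to be confirmed against the 6.7 release notes, and the weak-algorithm list is the author of this example's choice.

```python
import re
from dataclasses import dataclass

# IKEv2 policy name as written in the notes: A<prio>-E-<enc>-I-<integ>-P-<prf>-DH<group>-<lifetime>
IKE_RE = re.compile(
    r"^A(?P<prio>\d+)-E-(?P<enc>[A-Z0-9]+)-I-(?P<integ>[A-Z0-9]+)"
    r"-P-(?P<prf>[A-Z0-9]+)-DH(?P<dh>\d+)-(?P<life>\d+)$"
)
# IKEv2 IPsec proposal name: ESP-E-<enc>-I-<integ>
ESP_RE = re.compile(r"^ESP-E-(?P<enc>[A-Z0-9]+)-I-(?P<integ>[A-Z0-9]+)$")

# DH group 2 is the one the notes name as removed in FMC 6.7. Groups 5 and 24
# are an ASSUMPTION added here; confirm the full list against the release notes.
REMOVED_DH_GROUPS = {2, 5, 24}
# Algorithms this example treats as weak (example's own choice, not an FMC list).
WEAK_ALGOS = {"DES", "3DES", "NULL", "MD5", "SHA1", "SHA"}


@dataclass
class IkeProposal:
    priority: int
    encryption: str
    integrity: str
    prf: str
    dh_group: int
    lifetime: int


@dataclass
class EspProposal:
    encryption: str
    integrity: str


def parse_ike(name):
    """Decode an IKEv2 policy name into its fields."""
    m = IKE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised IKEv2 policy name: {name!r}")
    return IkeProposal(int(m.group("prio")), m.group("enc"), m.group("integ"),
                       m.group("prf"), int(m.group("dh")), int(m.group("life")))


def parse_esp(name):
    """Decode an IPsec (ESP) proposal name into its fields."""
    m = ESP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised IPsec proposal name: {name!r}")
    return EspProposal(m.group("enc"), m.group("integ"))


def lint(name):
    """Return findings for one proposal name; an empty list means nothing to change for 6.7."""
    findings = []
    if name.startswith("ESP-"):
        p = parse_esp(name)
        algos = {p.encryption, p.integrity}
    else:
        p = parse_ike(name)
        algos = {p.encryption, p.integrity, p.prf}
        if p.dh_group in REMOVED_DH_GROUPS:
            findings.append(f"DH group {p.dh_group} is removed in FMC 6.7; renegotiate with the peer")
    for algo in sorted(algos & WEAK_ALGOS):
        findings.append(f"{algo} is a weak algorithm")
    return findings


def upgrade_plan(names):
    """Map each proposal name that needs work before the upgrade to its findings."""
    plan = {}
    for n in names:
        findings = lint(n)
        if findings:
            plan[n] = findings
    return plan


if __name__ == "__main__":
    # The four sample IKEv2 policies from the notes plus one constructed legacy policy
    configured = [
        "A1-E-AES256-I-SHA256-P-SHA256-DH21-28800",
        "A2-E-AES256-I-SHA256-P-SHA256-DH20-28800",
        "A3-E-AES256-I-SHA256-P-SHA256-DH19-28800",
        "A4-E-AES256-I-SHA256-P-SHA256-DH14-28800",
        "A5-E-3DES-I-SHA1-P-SHA1-DH2-86400",   # constructed legacy example
        "ESP-E-AES256-I-SHA256",
    ]
    for name, findings in upgrade_plan(configured).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the four sample policies and the ESP proposal from the notes the plan is empty; the constructed legacy policy is the only one reported, with the DH group finding first so the peer-side change (the one that needs co-ordination) is the first thing listed.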