FIREWALL


No.1

Challenge

NGFW-unit1# sh cluster info 

Clustering is not enabled

NGFW-unit1(cfg-cluster)# enable noconfirm 

NGFW-unit1(cfg-cluster)# Local Unit is about to join into cluster, all current management connections to the unit will be torn down.

Configured the ASA as a cluster, but the cluster

Solution

Configured the ASA with FirePOWER as a cluster, but the cluster control link was not connected to the switch over a port-channel as best practice requires; instead it was cabled directly between the ASAs. When one of the ASAs rebooted, the port-channel could not stay up, the cluster control link went down, and the unit simply kicked itself out of the cluster.

Per best practice, connect the cluster control link to a reliable stacked switch so that it is available at all times...

More Information


No.2

Challenge

Redirecting traffic to FirePOWER, configured as below, with no result...

access-list sfr_redirect extended permit ip any any

class-map sfr_redirect
 match access-list sfr_redirect

policy-map global_policy
 class sfr_redirect
  sfr fail-open monitor-only

Solution


More Information


NEXUS switch

No.1

Challenge

*Apr 14 03:12:14.990: %SW_VLAN-4-VTP_USER_NOTIFICATION: VTP protocol user notification: MD5 digest checksum mismatch on receipt of equal revision summary on trunk: Gi1/0/24


*** MD5 digest checksum mismatch on trunk: Gi1/0/23 ***

*** MD5 digest checksum mismatch on trunk: Gi1/0/24 ***

*** MD5 digest checksum mismatch on trunk: Po9 ***

Solution

A set of Nexus 7010s configured with vPC peer-switch, with access switches attached downstream over vPC, VTP version 2. Result: the access switches did not receive the VLANs advertised by the Nexus and logged the errors above. On inspection, the Nexus's VTP configuration revision number was the lowest in the whole network, 1. Fortunately the access switches had an empty configuration; had they carried VLANs, they could have overwritten the Nexus's VLAN database outright.

The Nexus's VTP configuration revision number cannot be corrected from the command line; adding or deleting a VLAN changes the VTP configuration revision number automatically.
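The following is an added example, not part of the original notes, that models the two VTP behaviours behind this case: a summary advertisement with a higher revision number replaces the receiver's VLAN database outright, and an equal-revision advertisement whose MD5 digest differs is logged as a mismatch. The `VtpSwitch` class and its digest calculation are constructed stand-ins for illustration; real VTP also exchanges subset advertisements and checks the domain password.

```python
"""Toy model of VTP v2 summary-advertisement handling (added example, not the notes' own code)."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VtpSwitch:
    name: str
    domain: str
    revision: int
    vlans: dict = field(default_factory=dict)   # vlan id -> vlan name
    log: list = field(default_factory=list)     # emitted syslog-style messages

    def digest(self) -> str:
        # Constructed stand-in for the VTP MD5 digest: covers domain, revision
        # and the VLAN database, so two switches at the same revision but with
        # different VLAN tables produce different digests.
        body = f"{self.domain}|{self.revision}|{sorted(self.vlans.items())}"
        return hashlib.md5(body.encode()).hexdigest()

    def add_vlan(self, vid: int, name: str) -> None:
        # Any VLAN add/delete bumps the configuration revision number by one,
        # which is the only way the revision changes (no CLI to set it directly).
        self.vlans[vid] = name
        self.revision += 1

    def receive_summary(self, peer: "VtpSwitch", trunk: str) -> str:
        """Handle a summary advertisement from `peer` heard on `trunk`."""
        if peer.domain != self.domain:
            return "ignored: domain mismatch"
        if peer.revision > self.revision:
            # Higher revision wins unconditionally: the local VLAN database is
            # replaced, which is why a stale switch with a high revision is dangerous.
            self.vlans = dict(peer.vlans)
            self.revision = peer.revision
            return "overwritten"
        if peer.revision == self.revision and peer.digest() != self.digest():
            # Same revision, different database: the switch keeps its own VLANs
            # and logs the mismatch seen in the notes above.
            self.log.append(f"MD5 digest checksum mismatch on trunk: {trunk}")
            return "mismatch"
        return "ignored: lower or equal revision"
```

Running `access.receive_summary(nexus, "Gi1/0/24")` with both at revision 1 but different VLAN tables reproduces the logged mismatch without any VLANs being learned, while a peer at a higher revision silently replaces the receiver's VLAN table.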

More Information

VTP configuration revision number problem

http://easycisco.blog.163.com/blog/static/176312238201011132504989/

VLAN Trunk Protocol (VTP) troubleshooting

http://www.cisco.com/c/zh_cn/support/docs/lan-switching/vtp/98155-tshoot-vlan.html#topic9

Error: MD5 digest checksum mismatch on trunk:

https://learningnetwork.cisco.com/thread/21771