March 31, 2017
Unsuppress maps in Cisco IOS can be a very helpful tool when you are summarizing a bunch of /24s into, say, a /20 but need to leak one of the /24s out without summarization while still advertising the larger summary route.
By default, once you summarize (an aggregate-address with summary-only), the more-specific networks that fall under your summary route are no longer advertised. In my situation I was testing ECMP and needed to advertise one /24 to each of my MPLS neighbors, so my hub router could get back on either path. I couldn't test this with the full /24 that was in use due to outage concerns, so we had to do this with a /24 that was not used that often. I am not going to show the layout of the dual MPLS, just one side.
The topology is shown below.
Great, now for the config on the Cisco routers.
- Create a prefix-list of the subnets I need unsuppressed.
- Create a route-map that matches those subnets.
- Add the BGP neighbor statement with the "unsuppress-map" keyword.
- Do a soft clear of BGP to force a refresh.
My prefix-list will be named UMAP and my route-map will be named UMAP-MAP.
So let's take a look at the routes advertised to my neighbor 10.0.5.22 before making the changes.
Notice that just the /20 is being advertised. Now check out the config below, and let's apply it.
ip prefix-list UMAP seq 5 permit 10.32.39.0/24
!
route-map UMAP-MAP permit 10
 match ip address prefix-list UMAP
!
router bgp 64551
 neighbor 10.0.5.22 unsuppress-map UMAP-MAP
Then do a soft clear so BGP sends a fresh update:
clear ip bgp * soft
So that's it for the config. Let's look at the advertised routes now.
Great! We are advertising our /24 and everything is now working perfectly. Unsuppress maps to the rescue!
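As an added example (not the post's own configuration), here is the complete summary-plus-leak configuration the steps above describe, including the aggregate that does the suppressing and the commands used to verify the result. The post does not state the /20 or the second MPLS neighbor, so those are assumptions: the summary is taken to be 10.32.32.0/20 (the /20 that contains 10.32.39.0/24), the second neighbor is the placeholder 10.0.6.22, and the remote AS 64500 is a placeholder as well.

```cisco
! Added example, not the post's own config. Assumptions are marked below.
!
! The prefix-list holds every more-specific that may leak past the summary.
ip prefix-list UMAP seq 5 permit 10.32.39.0/24
!
! The route-map is what the neighbor statement references; add more
! sequences here if different neighbors need different leaks.
route-map UMAP-MAP permit 10
 match ip address prefix-list UMAP
!
router bgp 64551
 ! Assumed summary: 10.32.32.0/20 is the /20 that contains 10.32.39.0/24.
 ! summary-only keeps the /24s in the BGP table but marks them suppressed,
 ! so by default only the /20 is sent to any neighbor.
 aggregate-address 10.32.32.0 255.255.240.0 summary-only
 !
 ! First MPLS neighbor (from the post); remote AS is a placeholder.
 neighbor 10.0.5.22 remote-as 64500
 neighbor 10.0.5.22 unsuppress-map UMAP-MAP
 !
 ! Second MPLS neighbor (placeholder address) gets the same leak so the
 ! hub sees the /24 over both paths for ECMP.
 neighbor 10.0.6.22 remote-as 64500
 neighbor 10.0.6.22 unsuppress-map UMAP-MAP
!
end
!
! Verification from exec mode: push the new policy outbound, confirm the
! /24 is still in the table (flagged s = suppressed), then confirm it is
! nevertheless advertised to each neighbor that carries the unsuppress-map.
clear ip bgp * soft out
show ip bgp 10.32.32.0/20 longer-prefixes
show ip bgp neighbors 10.0.5.22 advertised-routes
show ip bgp neighbors 10.0.6.22 advertised-routes
```

The unsuppress-map does not clear the suppressed flag in show ip bgp; it only lets the matching prefixes through to the named neighbor, which is why advertised-routes is the place to confirm the leak. Because the map is applied per neighbor, any peer without the statement keeps receiving only the /20.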
March 14, 2017
Within ZD (Ruckus ZoneDirector) we might need to enable LDAP lookups to facilitate using Active Directory logins to the firewall for administration, or for authentication when creating Guest Passes or using Zero-IT.
Recently I had to do this, and it had been a while, so I decided to write a short entry on it.
So in this case I am configuring LDAP for use with Guest Pass, so that domain users have to sponsor guest wireless accounts.
Below are the options for our Test-AD LDAP server. There are a few key things here.
Notice that in this case we are not using TLS, so the Admin DN's bind credentials and the lookups themselves cross the network in cleartext; enable TLS once the domain controllers support it.
The Base DN and Admin DN are the LDAP locations (distinguished names) of the user account that performs lookups in AD. The easiest way to find this is in Active Directory Users and Computers: under "View", enable "Advanced Features", then open the properties of the user account and you will have an "Attribute Editor" tab. The user's DN is listed there as the distinguishedName attribute; double-click it and you can copy it directly.
The next key setting is the Key Attribute, which should be "sAMAccountName"; that attribute is simply the Windows user login name.
That's it! I will do another entry on setting up Guest Pass so that domain users can sponsor accounts.