(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2
You can create an ARP access list that maps each IP address to its MAC address, and apply it to DAI:
(config)#arp access-list ARP_ACL_20
(config-arp-nacl)#permit ip host 20.1.1.2 mac host 0000.1111.1111
(config-arp-nacl)#permit ip host 20.1.1.3 mac host 0000.3333.3333
And now APPLY:
(config)#ip arp inspection filter ARP_ACL_20 vlan 2
#show ip arp inspection
Source Mac Validation : Disabled
Destination Mac Validation : Disabled
IP Address Validation : Disabled
Vlan  Configuration  Operation  ACL Match   Static ACL
----  -------------  ---------  ----------  ----------
2     Enabled        Active     ARP_ACL_20  No
Vlan  ACL Logging  DHCP Logging  Probe Logging
----  -----------  ------------  -------------
2     Deny         Deny          Off
Vlan  Forwarded  Dropped  DHCP Drops  ACL Drops
----  ---------  -------  ----------  ---------
2     0          0        0           0
The switch CPU performs dynamic ARP inspection validation checks; therefore,
the number of incoming ARP packets is rate-limited to prevent a denial-of-service attack.
(config-if)#ip arp inspection limit rate 5 <--- DEFAULT IS 15 PPS (packets per second)
#show ip arp inspection interfaces
Interface        Trust State  Rate (pps)  Burst Interval
---------------  -----------  ----------  --------------
Gi3/0/1          Untrusted    5           1               <--- THE CHANGED ONE
Gi3/0/2          Untrusted    15          1               <--- 15 pps IS THE DEFAULT VALUE
To monitor the DROPPED packets due to DAI:
(config)#ip arp inspection log-buffer logs 0 interval 5 <--- LOG 0 - NO SYSTEM MESSAGE GENERATED
Check the log for details:
#show ip arp inspection log
Total Log Buffer Size : 32
Syslog rate : 0 entries per 5 seconds.
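The validation order and the per-port rate limit configured above, modelled as an added Python example (not from the original post and not Cisco code). It assumes an empty DHCP snooping binding table and counts packets in fixed one-second windows; the class, function and verdict names are made up for illustration.

```python
from collections import Counter

# Permit entries and per-port limits copied from the configuration above.
ARP_ACL_20 = {("20.1.1.2", "0000.1111.1111"), ("20.1.1.3", "0000.3333.3333")}
RATE_PPS = {"Gi3/0/1": 5, "Gi3/0/2": 15}

class DaiModel:
    """Simplified model of DAI on the untrusted ports of one VLAN."""
    def __init__(self, acl, rate_pps, bindings=(), static=False):
        self.acl = set(acl)              # (sender IP, sender MAC) permit pairs
        self.bindings = set(bindings)    # DHCP snooping bindings (assumed empty)
        self.static = static             # "Static ACL" column: "No" in the output
        self.rate_pps = rate_pps
        self.window = Counter()          # (port, whole second) -> ARP packets seen
        self.err_disabled = set()
        self.stats = Counter()

    def inspect(self, port, t, ip, mac):
        """Verdict for one ARP packet arriving on `port` at time t (seconds)."""
        if port in self.err_disabled:
            return "port-err-disabled"
        self.window[(port, int(t))] += 1
        if self.window[(port, int(t))] > self.rate_pps[port]:
            self.err_disabled.add(port)  # rate exceeded: port goes err-disabled
            return "port-err-disabled"
        if (ip, mac) in self.acl:
            verdict = "forwarded"
        elif self.static:
            verdict = "acl-drop"         # implicit deny, bindings never consulted
        elif (ip, mac) in self.bindings:
            verdict = "forwarded"
        else:
            verdict = "dhcp-drop"        # no ACL match and no binding
        self.stats[verdict] += 1
        return verdict

def demo():
    """Run constructed sample packets through the model."""
    dai = DaiModel(ARP_ACL_20, RATE_PPS)
    results = [
        dai.inspect("Gi3/0/2", 0.0, "20.1.1.2", "0000.1111.1111"),  # matches ACL
        dai.inspect("Gi3/0/2", 0.1, "20.1.1.2", "0000.aaaa.aaaa"),  # wrong MAC
    ]
    # Constructed burst: 6 valid ARP packets within one second on the 5 pps port.
    burst = [dai.inspect("Gi3/0/1", 1.0 + i / 10, "20.1.1.3", "0000.3333.3333")
             for i in range(6)]
    return results, burst, dai

if __name__ == "__main__":
    print(demo()[:2])
```

With "Static ACL" set to "No", a packet that misses the ACL is counted under DHCP Drops rather than ACL Drops, which is the column to watch in "show ip arp inspection".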
ACE Load Balancer SSL Certificate Part I, Generate the CSR (Certificate Signing Request)
When you have more than one real server, it's much more practical to install the SSL certificate once, on the ACE Load Balancer, than to install it on each of the servers within the balanced service.
The CSR is needed to generate or order a new certificate. New certificates are generated by Certificate Authorities (CAs) using the CSR as the input for the certificate generation.
In order to terminate the SSL certificate on the Load Balancer, a few steps must be performed.
Step 1 Define and Configure the Parameters
The CSR is generated from the RSA key and a set of parameters, so the first thing we need to do is define and configure those parameters on the ACE Load Balancer in Global Configuration mode:
(config)# crypto csr-params CSR_CISQUEROS
(config-csr-params)# country SP
(config-csr-params)# state MA
(config-csr-params)# locality MADRID
(config-csr-params)# organization-name CISQUEROS TECHNOLOGY
(config-csr-params)# organization-unit NETWORKS
(config-csr-params)# common-name prevol.cisqueros.blogspot.com
(config-csr-params)# email cisqueros@blogspot.com
LB_ACTIVE# show crypto files
Filename             File  File  Expor  Key/
                     Size  Type  table  Cert
-----------------------------------------------------------------------
… … …
CISQUEROSRSAKEY.PEM  1675  PEM   Yes    KEY
… … …
T1-LBA-01 # show crypto key CISQUEROSRSAKEY.PEM
1024 bit RSA keypair found in CISQUEROSRSAKEY.PEM
Modulus:
9b:d1:06:75:ad:54:8b:81:e5:72:56:58:f9:fc:79:bd:07:51:c2:8b:52:01:bf:8e:c9:8b:20:61:30:7a:4b:62:f7:c3:c3:04:37:b8:46:3e:68:af:21:55:fa:82:e6:a7:58:f6:b0:2b:a2:7e:ac:59:3c:7c:2f:a8:a1:f3:3e:f5:92:9f:56:40:04:cc:ce:4c:33:1d:04:69:51:b6:a5:4a:f7:5a:47:a7:b9:3d:8c:81:
aa:09:83:6f:58:3b:f9:08:f8:33:7c:10:bf:b5:16:61:cc:81:18:4c:a1:39:fe:ac:21:45:4c:20:02:44:44:df:08:68:33:af:0c:99:1b:8d:
Step 3 Generate the CSR Key
The CSR is generated from the key and the CSR parameter map. "crypto generate csr" generates the PKCS10 CSR in PEM format and outputs it to the screen.
LB_ACTIVE # crypto generate csr CSR_CISQUEROS CISQUEROSRSAKEY.PEM
-----BEGIN CERTIFICATE REQUEST-----
…
-----END CERTIFICATE REQUEST-----
TIP: The CSR is not saved on the Load Balancer. Should you need it again, you will have to generate it one more time using the same steps.
TIP2: The only thing that the Certificate Authority is interested in, and what you absolutely must send them, is the content between the following two lines in the CSR:
-----BEGIN CERTIFICATE REQUEST-----
And
-----END CERTIFICATE REQUEST-----
Export the RSA Key to the standby load-balancer, in order to avoid desynchronization when saving. First export the RSA key from the original load-balancer:
LB_ACTIVE# crypto export CISQUEROSRSAKEY.PEM terminal
…
-----END RSA PRIVATE KEY-----
Then copy it to the other (Standby) load-balancer using the command: crypto import terminal CISQUEROSRSAKEY.PEM
LB_STANDBY# crypto import terminal NAME_OF_THE_KEY.KEY
Please enter PEM formatted data. End with "quit" on a new line.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----