Our Nexus switch is learning AWS routes over eBGP, and they carry a tag with the AS value. This Nexus switch advertises the routes learned from AWS to the Palo Alto firewall (iBGP). We would like to create a redistribution profile which can redistribute only routes which have a tag of a specified value into OSPF.

Output on Nexus (this is what is sent to the Palo Alto FW):

X.X.X.X/16, ubest/mbest: 1/0
*via AWS Next-hop, [20/0], 26w4d, bgp-OWNAS, external, tag <AWSAS>

We would like to match routes with the tag value of <AWSAS> and redistribute these routes into OSPF. I can see two options under the redistribution profile after we selected "bgp" as the source protocol, but it has only two options: one to match a community value and the other to match an extended community, but nothing to match a tag value. Could someone advise me if that is possible? Thank you in advance.
Could someone advise me on how to set a rate limit for guest (10.1.10.0/24) traffic in this topology? I read the article that says we always need to apply the policy on the egress interface. Hence, for upload, it is on the outside interface connected to the Internet, and for download it is on the inside interface (ae) connected to the SW.

(1) Internet speed: 500 Mbps
(2) Rate limit for guest traffic (10.1.10.0/24, GW is on firewall ae.10) to any traffic, both download and upload: 100 Mbps
(3) All internal IP addresses, both guest and enterprise networks, are translated to the same public IP.

If I want to achieve this:
(1) Create a QoS profile "MyQos" with egress max 100 Mbps, and I don't add any classes as I know there is no voice or video from the guest network range, like below.
(2) Apply this to the outside interface connected to the Internet and also to the aggregate interface "ae.10".
(3) Create a QoS policy. Here, do I need two policies, one from the Trust --> Untrust zone and, for download, Untrust --> Trust as well? Also, which IP ranges do I need to select in the source selection: pre-NAT or post-NAT?

Thanks in advance
To all, I have multiple tunnels on a PA-850. It was difficult to see through which tunnel specific traffic was sent. I tried "show vpn ipsec-sa"; it gave me only the peer IP addresses but not the proxy IDs (the interesting traffic permitted through the tunnel). Is there any CLI command which can tell not only the local peer and remote peer but also the permitted encryption traffic (added under the Proxy IDs tab)? The Monitor tab also didn't help, as it shows which firewall policy the traffic was permitted by, but there is no tunnel information in the logs either. Thanks in advance