2 WLSMs in different subnets to support up to 600 APs???

Would like to know if the following is possible.
I have 2 WLSMs in different subnets. The idea is to have up to 300 APs supported on one WLSM and another 300 APs pointing toward the other blade in another chassis.
Can I use the same VLANs I have defined in all APs, but just point half of them to the other WLSM? Or should I create new VLANs for the second set of APs connecting to the 2nd WLSM blade? The APs' native VLAN would be different for each of the WLSM blades.
Thanks in advance. Mike

Thanks Lisa - I'm still unclear ... you say that I must have the same native VLAN (say VLAN 1) trunked through the campus. So both WLSMs will use the same VLAN for control traffic to the APs???
I have read this document several times, but it does not show how to install 2 or, say, 10 WLSMs in a given network. Won't the native VLAN have so much overhead and broadcast traffic that it would become a problem?
I was going to point half of my APs at one WLSM and the other half at WLSM-2, use different native VLANs for each WLSM, but use the same data VLANs for AP data traffic.
Do you see any problems with this style of configuration?

Similar Messages

  • How to map two different subnets to one SSID

    Hi Experts,
    We have two offices in the same city at different locations; however, we are planning to bring both offices to the same location.
    Now let's say site A has a 5508 controller configured with 24 APs, using the 10.10.10.x subnet for the internal SSID, and Site B, which is shifting to the Site A campus, has a different subnet (10.10.20.x) for the same SSID.
    Site B has no controller, since they were connected with H-REAP and were using a different subnet for the internal SSID (10.10.20.x).
    Now I need to add their APs to the Site A controller, which will be an extended wireless LAN; however, we would like to keep the same subnet (10.10.20.x) that Site B has for wireless clients, which is really confusing me.
    I already have a client subnet for site A (10.10.10.x/24) and nearly 200 users are already using this wireless client subnet.
    How do I add their (Site B) subnet, 10.10.20.x, with the same SSID configured, which is globally only one SSID?
    Limitations:
    I cannot create a new SSID for site B since the same SSID would be broadcast even on Site A APs.
    Is it possible to map one more subnet (site B's) to the existing SSID that already has a different subnet (10.10.10.x)?
    Your suggestions will be really helpful for me to go ahead and understand this better.

    Well first off, you need to bring that subnet over to site A without breaking any routing. Once you do that, site B's subnet will have a different VLAN than site A, of course. Now with both subnets working in site A, you create a dynamic interface on the WLC for that new subnet. Create an AP group for both sites; you can name it by VLAN or by any name you want. Now in the AP group for site A, you define what SSIDs you want and map the VLAN to that AP group. Then add site A's APs to that group. You do this also for site B's APs and map the SSID to the new subnet you brought over, and move the APs to that group. The APs from site B would have to be set up in local mode, not H-REAP.
    Makes sense?
    Sent from Cisco Technical Support iPhone App

  • 2 different subnets on single vlan

    I have this setup.
    2 3750G switches stacked.
    I have 2 servers with IPs 10.10.10.1/30 and 10.10.10.2/30 connected to ports g1/0/1 and g1/0/2 respectively on switch1, both in VLAN 100.
    I have another 2 servers with IPs 10.10.20.1/30 and 10.10.20.2/30 connected to ports g2/0/1 and g2/0/2 respectively on switch2, both also in VLAN 100.
    I need to keep this same vlan across the stack. In theory servers on same subnet in vlan 100 should be able to communicate properly, or am I wrong?
    What can I do to prevent broadcasts from propagating between subnets of this single vlan?

    Edison
    Perhaps I read the post from Sparky slightly differently than you do. The first pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine. And the second pair of servers are in the same logical subnet and in the same VLAN so they should communicate with each other fine.
    But I agree with you that there are flaws in this implementation. First, since the subnets are /30 they only allow two hosts and with two servers in the subnet there is nothing to act as a gateway and to provide access to "remote" addresses. Also this implementation breaks the assumption that there is a correlation between subnet and VLAN. We tend to assume that a correlation exists and that a subnet is related to a VLAN and a VLAN is related to a subnet. But VLAN is a layer 2 concept and subnet is a layer 3 concept and they are not necessarily related. There is no rule that says that a VLAN have only 1 subnet (though that is common practice). A VLAN interface with a primary IP address and a secondary IP address would certainly support 2 (or more) subnets.
    Note that this implementation does not provide the isolation that we tend to assume when we talk about subnets. We generally assume that devices in 1 subnet do not communicate directly with devices in a different subnet (because we tend to assume that each subnet is a separate broadcast domain). But this implementation puts both subnets into the same broadcast domain. So the first pair of servers will hear all the broadcasts (including ARP) from the second pair of servers and any of these servers could communicate directly with any other of the servers - certainly not bounded by the subnet.
    Sparky
    There is no way to isolate the broadcasts within the same VLAN. The basic definition of a VLAN is that it is a broadcast domain, and any broadcast generated will be flooded throughout the entire broadcast domain. The only way to restrict the broadcasts is to create 2 VLANs.
    HTH
    Rick

  • Multiple RAC databases on same GI using different subnets for Public i/face

    Hello. We are configuring a 2 node cluster. That cluster will host several RAC databases. For security reasons our networking team want to create separate subnets for the application traffic to each specific RAC database on the cluster.
    E.g. application 1 has 2 application servers that will connect to RAC database PROD1 via one subnet, application 2 has 3 application servers that will connect to RAC database PROD2 via a different subnet, etc.
    In addition the networking team want to configure a separate management subnet that DBAs etc. will use to administer all RAC databases and infrastructure in the cluster.
    Grid Infrastructure version 11.2.0.2. Database versions will vary from 10.2.0.x to 11.2.0.2. All databases will utilise RAC.
    We want to take advantage of SCAN listener functionality to support connectivity to all databases on the cluster. Forum thread 2199620 [https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620] suggests that 11gR2 supports multiple subnets, which looks to be exactly the feature we need. Please can you confirm how this works and point us to any documentation (standard docs, white papers, MOS, etc.) that might help us configure this.
    Document referenced in thread 2199620 was not exactly what we were looking for, and didn't translate too well in Google Translate.
    Any guidance much appreciated. Thanks, Rich.
    Similar threads:
    https://cn.forums.oracle.com/forums/thread.jspa?messageID=9846298? (Dual SCAN on multi homed cluster)
    https://cn.forums.oracle.com/forums/thread.jspa?threadID=2199620 (scan listener in OAM VLAN)
    Edited by: 887449 on 26-Sep-2011 01:41

    Thanks Levi. Your advice is very much appreciated.
    Your statement that we can only have one SCAN listener listening on one public network is actually the clarification I was looking for.
    For anyone else reading this thread I believe this gives us 3 options:
    1) Configure a SCAN listener and have all applications, and all management/administration, connecting to the corresponding database on the same cluster via that SCAN listener, all on the same subnet.
    2) Configure a SCAN listener for use by all applications connecting to the corresponding database on the same cluster, and use TNSNAMES/VIP for management/administration traffic, both on separate subnets (by configuring the LISTENER_NETWORKS parameter)
    3) Configure a SCAN listener for use by applications connecting to one of the databases on the cluster via one subnet, use TNSNAMES/VIP for all other applications connecting to other databases, each using their own subnet. Plus, the management/administration could be via another subnet utilising TNSNAMES/VIP.
    From our perspective we will work out the best one for us and implement accordingly.
    Thanks again for your timely and comprehensive response.

  • ACE load balancing servers on different subnets...

    Hello,
    I have the following issue: I need to load balance traffic between two servers already working in two different subnets (VLANs), and at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this using ACE? Routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?
    Thanks in advance for your support.

    Hi,
    You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy
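The reply's point is that off-subnet real servers need both a host route and client NAT, or their replies bypass the ACE. The Python below is an added example (not Cathy's code) that parses the relevant lines of the configuration above and checks both conditions: every rserver outside the ACE's own VLAN subnets has a /32 route, and the nat-pool referenced by `nat dynamic` exists on the server-side VLAN and lies inside that interface's subnet.

```python
"""Added example, not code from the post: a consistency check for the ACE
pattern in the reply above, where the real servers sit in other subnets and
client NAT forces their return traffic back through the ACE."""
import ipaddress
import re
from dataclasses import dataclass, field

# Trimmed to the lines the check needs; the addresses are those from the post.
ACE_CONFIG = """\
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance policy LB-POLICY
    nat dynamic 1 vlan 384
interface vlan 383
  ip address 10.199.80.13 255.255.255.248
  alias 10.199.80.12 255.255.255.248
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
  alias 10.199.80.17 255.255.255.240
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""


@dataclass
class AceConfig:
    rservers: dict = field(default_factory=dict)  # name -> IPv4Address
    nets: dict = field(default_factory=dict)      # vlan -> IPv4Network of the interface
    pools: dict = field(default_factory=dict)     # (vlan, pool id) -> (first, last) address
    nat_refs: list = field(default_factory=list)  # (pool id, vlan) applied under a VIP class
    routes: list = field(default_factory=list)    # IPv4Network of each 'ip route'


def parse_ace(text):
    """Pull rservers, interface subnets, nat-pools, client-NAT references and routes."""
    cfg = AceConfig()
    kind = ctx = None  # the enclosing 'rserver host' or 'interface vlan' block
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"rserver host (\S+)$", line):
            kind, ctx = "rserver", m.group(1)
        elif m := re.match(r"interface vlan (\d+)$", line):
            kind, ctx = "interface", int(m.group(1))
        elif re.match(r"(policy-map|class-map|serverfarm) ", line):
            kind = ctx = None  # leave any rserver/interface block
        elif kind == "rserver" and (m := re.match(r"ip address (\S+)$", line)):
            cfg.rservers[ctx] = ipaddress.ip_address(m.group(1))
        elif kind == "interface" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            cfg.nets[ctx] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif kind == "interface" and (m := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask", line)):
            cfg.pools[(ctx, int(m.group(1)))] = tuple(ipaddress.ip_address(a) for a in m.group(2, 3))
        elif m := re.match(r"nat dynamic (\d+) vlan (\d+)$", line):
            cfg.nat_refs.append((int(m.group(1)), int(m.group(2))))
        elif m := re.match(r"ip route (\S+) (\S+) (\S+)$", line):
            cfg.routes.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return cfg


def check_ace(text):
    """Return findings; an empty list means the off-subnet pattern is consistent."""
    cfg = parse_ace(text)
    findings = []
    for name, ip in cfg.rservers.items():
        if any(ip in net for net in cfg.nets.values()):
            continue  # directly connected: no route needed
        if not any(r.prefixlen == 32 and ip in r for r in cfg.routes):
            findings.append(f"rserver {name} ({ip}) is off-subnet but has no host route")
    if not cfg.nat_refs:
        findings.append("no 'nat dynamic' under the VIP class: off-subnet servers would reply around the ACE")
    for pool_id, vlan in cfg.nat_refs:
        pool, net = cfg.pools.get((vlan, pool_id)), cfg.nets.get(vlan)
        if pool is None:
            findings.append(f"nat dynamic {pool_id} vlan {vlan}: no nat-pool {pool_id} on interface vlan {vlan}")
        elif net is None or not all(a in net for a in pool):
            findings.append(f"nat-pool {pool_id} on vlan {vlan} lies outside that interface's subnet")
    return findings


if __name__ == "__main__":
    print(check_ace(ACE_CONFIG) or "ACE config is consistent")
```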

  • Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

    Hi Everyone,
    I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
    So for example both servers will have the name Server01; one would have an IP address of 192.168.85.5, the other 192.168.86.5, and they would then be connected over a VPN.
    Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
    Many thanks,
    Nick

    Hi Larry & Strike First,
    Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed & is asking if they can speak to each office internally, which can easily be done once I set up the VPN.
    However, I noticed whilst looking at this further that the server names are the same, hence my question.
    Am I right in saying that, providing the workstations have a trust relationship with their own domain controllers through their individual domains on separate subnets, there hopefully shouldn't be any DNS issues between the two domains and servers?
    I could build a new VM if you feel it would be better practice to do so?
    Many thanks for your assistance,
    Nick

  • Is it possible to cluster appliances across different subnets?

    We are attempting to cluster two appliances across different subnets in order to provide greater survivability. Although we were able to cluster the appliances, the manageability of the appliances has become somewhat impaired. We've opened ports 443, 22 and 2222 between the two appliances. The appliances are C350s running AsyncOS 7.1.3-010. Are we missing something?
    Thanks,
    Rob

    Rob,
    Are these appliances communicating using IP addresses? If yes, in order to join a cluster using IP addresses, there must be a reverse DNS (PTR) record configured on the DNS server for the Cisco IronPort appliance. Please check whether the reverse lookup works. If not, it might be another issue.
    Regards,
    Jyothi Gandla
    Customer Support Engineer

  • Seed mailbox database copy through replication network (DAG members on different subnets in different sites)

    Good afternoon
    I currently operate a two node DAG in our primary site supporting one mailbox database. I plan to introduce a third DAG node in our datacenter, which is in a different Active Directory site. Both current DAG members replicate over a dedicated replication network to keep the traffic separate from the MAPI traffic. The third DAG member will also have a dedicated replication network adapter (of course, on a different subnet). Ideally I would like to seed the database at a time of my choosing, rather than at the moment I add the mailbox database copy (I know how to achieve this), but I would like to specify which network the data replicates over.
    According to the following (see link below), under the 'Seeding and Networks' section, as my two DAG members will be on different subnets in different sites, Exchange will make the decision to use the MAPI network adapters of the target and source server.
    'If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.'
    http://technet.microsoft.com/en-us/library/dd335158%28v=exchg.150%29.aspx
    Am I able to force Exchange to use the replication network adapters of both source and target server when I initiate the seeding process? I have a 200+ GB mailbox database that will need to replicate over a 100Mbps internet connection to our secondary site, and I would like to keep that traffic on the replication network I have configured.
    Any insight would be helpful.

    Hi,
    If you want to specify the networks for seeding, you can use the Network parameter when running the Update-MailboxDatabaseCopy cmdlet and specify the DAG networks that you want to use.
    If you don't use the Network parameter, then the system uses the following default behavior for selecting a network to use for the seeding operation:
    If the source server and target server are on the same subnet and a replication network has been configured that includes the subnet, the replication network will be used.
    If the source server and target server are on different subnets, even if a replication network that contains those subnets has been configured, the client (MAPI) network will be used for seeding.
    If the source server and target server are in different datacenters, the client (MAPI) network will be used for seeding.
    So please use the Update-MailboxDatabaseCopy cmdlet with the Network parameter to specify which DAG network should be used for seeding.
    Best regards,
    Belinda Ma
    TechNet Community Support

  • Airtunes on different subnets - Why not?

    I've been googling for the past week in order to try and find out if it is possible to use airtunes on different subnets before I actually buy the device only to find out that it does not satisfy my needs. For various reasons I can not have all my machines into the same subnet.
    Searching revealed that because AirTunes relies on Bonjour, which in turn relies on mDNS (i.e. multicast), it simply cannot be used in two different subnets. I've read everywhere that it cannot be done. I just can't understand the actual reason. Being a network engineer for more than 9 years, I find it hard to accept that if both local subnets on my 3640 have multicast routing enabled it still won't do the trick. Can anyone shed some light on this? Unfortunately I still don't own the device, so I cannot do any tests...
    Any help would be much appreciated.
    TIA,
    GrSpider
    Powermac G5 Quad, MB C2D, Mac OS X (10.4.9)

    GrSpider -
    Bonjour (and mDNS) work perfectly well across multiple subnets so long as your router is configured to support (i.e. route) multicast traffic. I use Bonjour on a constant basis across three subnets with both Mac and Windows platforms for a variety of service location purposes (printing, file sharing, streaming media) and have no problems whatsoever.
    The AirTunes limitation you're referring to is an Apple policy decision, not a technical issue. It appears they've restricted iTunes<-->Airport streaming media connectivity to connections that originate and terminate on the same subnet. I assume they feel it's a mechanism to help enforce digital rights management.
    Just to summarize: I routinely print to my Airport Express units across subnets, and share my iTunes music library to non-AirPort devices on different subnets; I just don't (can't) share my iTunes music library to an Airport Express on a different subnet.
    That one limitation aside, they've been a great addition to my network.
    FWIW.

  • File Server Migration from 2008 Standard to 2012 Standard across different subnets

    Hi
    I'm going to migrate a file server from Windows 2008 Standard to Windows 2012 Standard. Source and destination servers are on different subnets. According to this
    http://technet.microsoft.com/en-us/library/jj863566.aspx I cannot use the Server Migration Tools built into 2012. I'm not sure if I can use File Server Migration Toolkit 1.2.
    Also, my domain controllers are a mixture of Windows 2003, 2008 and 2008 R2, and I've upgraded the schema level to 2012 R2. Is there anything else I need to be aware of?
    Can anyone please recommend the best way to go about doing this migration? Is File Server Migration Toolkit 1.2 compatible?
    The only reason I don't want to use Robocopy for this is that if I miss a small setting etc. then I will face unwanted downtime.
    I presume the Migration Toolkit will also create all the quotas etc. on the destination server.
    Thanks
    mumtaz

    Hi mumtaz,
    We could use File Server Migration Toolkit 1.2 to migrate the file server between the two subnets. To maintain the security of files and folders after they are migrated to a target file server, the File Server Migration Wizard applies permissions that are the same as or more restrictive than they were on the source files and folders, depending on the option you select.
    In the meantime, quotas cannot be migrated by this tool, but we can export and import them using the dirquota command. Export the templates as XML and then import them on the new server:
    dirquota template export /file:C:\test.xml
    dirquota template import /file:C:\test.xml
    For more detailed information, please see:
    Template Export and Import Scenarios
    http://technet.microsoft.com/en-us/library/cc730873(WS.10).aspx
    Regards,
    Mandy

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN). Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN). Essentially, remote users should be able to access their PC (192.168.1.0/24) and also access the office phone system (192.168.254.0/24). Is this even possible? Below is the configuration on our ASA.
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!
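    As an added example (not the poster's or Jouni's configuration), here is how the NAT IDs in the excerpt above could be made consistent for the phones interface on ASA 8.2 syntax: the existing outside NAT rule uses ID 10, so it needs a matching global on phones, and the vpn_nat_inside ACL needs a line for the phone LAN. The VPN pool 10.0.1.0/24 is an assumption derived from the 10.0.1.1 in the syslog line, and the split_tunnel ACL name is also an assumption.

    ```text
    ! Added example, not the poster's config. Assumes the VPN address pool is
    ! 10.0.1.0/24 (the syslog shows client 10.0.1.1) and ASA 8.2 NAT syntax.
    !
    ! Outside NAT ID 10 already PATs VPN clients to the inside interface:
    !   global (inside) 10 interface
    !   nat (outside) 10 access-list vpn_nat_inside outside
    ! The phones interface only had a global with ID 20, which no nat statement
    ! in the excerpt references, so the ASA has no translation to build toward
    ! the PBX and logs %ASA-3-305006 (portmap translation creation failed).
    !
    ! 1. Let the same outside NAT rule cover traffic headed for the phone LAN
    access-list vpn_nat_inside extended permit ip 10.0.1.0 255.255.255.0 192.168.254.0 255.255.255.0
    !
    ! 2. Give ID 10 an egress pool on phones as well (mirrors the inside one)
    global (phones) 10 interface
    !
    ! 3. The split-tunnel list must also include the phone LAN, or the client
    !    never sends that traffic into the tunnel (ACL name is an assumption)
    access-list split_tunnel standard permit 192.168.254.0 255.255.255.0
    !
    ! Verify with the ASA's own packet tracer before relying on a ping test:
    packet-tracer input outside icmp 10.0.1.1 8 0 192.168.254.250 detailed
    ```

    The packet-tracer output names the NAT phase that drops the packet, which is quicker than reading the 305006 syslog after each change.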

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different in 3.0? I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependent on whether or not the ability to route traffic over multiple subnets is fixed or not. So we'll wait and see. If anyone can easily test this, I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

  • Can members in a pool be on different subnets using CSM

    Hello. We have recently been investigating load balancing devices, and were almost set on F5. We then overhauled our core network, including replacing one 4507R with 2 6500's, outfitted with Sup720's and FWSM modules.
    Now, we are seriously thinking about investing in the CSM or ACE module instead of the F5. I was wondering if the servers in my virtual pool can be on different subnets?
    For example, the user is looking for a web server with an IP of 192.168.110.1. This virtual ip is setup on the CSM module, and contains three physical servers, 192.168.110.10, 192.168.110.20, and 10.10.10.1 (server in a different data center, only to be used if the two primary servers go down). Will this work, or do all members in the pool need to be on the same subnet?
    Thanks.

    I would recommend the following test results published by veritest
    http://www.lionbridge.com/NR/rdonlyres/5518CDEC-0D57-446E-8E3D-2AE73DCB7EEF/0/csm_comparison.pdf
    Gilles.

  • WRV200 IPSEC VPN to a remote site with 2 different subnets

    Hi,
    My old WRV54G had no problem with this! I'm trying to connect an IPSEC tunnel back to a router at my main office, there are two Subnets there 192.168.0.0/24 and 10.171.131.0/24. In my old router I would set up two tunnels to the same gateway with different subnets and everything would work fine.
    When I do this with the WRV200 both tunnels come up, but in the VPN status view they both have the remote network listed as 192.168.0.0/24 and I can't seem to get them both to work. If I delete the 192.168.0.0/24 tunnel (tunnel #A) and just use tunnel #B, I can connect to the 10 network.
    Anyone been able to get this working?

    Hi,
    Ok, so the first thing you will have to think about is the encryption domain of the existing L2L VPN. Since your aim is to publish a Web server from another site through a L2L VPN connection, you have to consider what the source addresses for the Web server connections can be.
    It might be that you would need to have the source address for the L2L VPN in DC1 as "any" and naturally on DC2 the destination would be "any".
    Though in that case it would probably cause problems if the Web server would need to use the DC2 Internet connections for something. This is because we would have now defined that traffic from the Web server to "any" destination IP address should be tunneled to the L2L VPN.
    One other option might be that you actually configure DC1 site so that all incoming traffic from the Internet towards the 111.111.111.111 will have their source address translated to a single IP address (to be decided) before entering the L2L VPN. This would eliminate the need to use the "any" in the L2L VPN configurations because the Web server would see all connections come from a single IP address and therefore would not cause problems for the DC2 Web server IF it needs to access or be accessed through the local DC2 Internet connection.
    Judging by your examples it would seem that you are using an 8.2 or older software level. Would you be willing to share some current configurations (with masked public IP addresses), or should I just give you some example configurations?
    Most important ones would naturally be current NAT configurations and configuration related to the L2L VPN connection.
    - Jouni

  • Using a interface in a sparse-root zone on a different subnet

    Hello,
    is it possible to use interface ce0 for the global zone and configure interface ce1 for the non-global zone, but the interfaces are on a different subnet?
    ce0 ... 10.5.5.18 / global zone
    ce1 ... 192.168.5.18 / non-global zone
    using Solaris 5.10 Generic_125100-10
    I configured ce0 in the global zone (of course)
    and I plumbed ce1 also in the global zone - but configured ce1 in the zones definition
    zonecfg:oem> add net
    zonecfg:oem:net> set physical=ce1
    zonecfg:oem:net> set address=192.168.5.18
    The zone boots without any problems and it looks like this:
    [global zone]
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    [non-global zone]
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    I've read this is solved with GLDv3 drivers and exclusive IP instances mentioned in the blog http://blogs.sun.com/stw/entry/what_s_up_ce_doc -
    so the system shows
    # dladm show-link
    ce0             type: legacy    mtu: 1500       device: ce0
    ce1             type: legacy    mtu: 1500       device: ce1
    I get weird results even if I ping between the zones: I get "ICMP Destination unreachable"
    Can this be solved with a full-root zone ...?
    -- Nick

    here are my current settings:
    *[global zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    10.5.5.0             10.5.5.18          U         1  10864 ce0      
    224.0.0.0            10.5.5.18          U         1      0 ce0      
    default             10.5.5.1           UG        1  42839          
    127.0.0.1            127.0.0.1          UH        2 619817 lo0
    # ifconfig -a
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.5.18 netmask ffffff00 broadcast 10.5.5.255
            ether 0:3:ba:b0:53:39
    ce1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 0.0.0.0 netmask 0
            ether 0:3:ba:b0:53:39
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            zone oem
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.5.255
    ! root@elba2:/ # route get 192.168.5.18
       route to: 192.168.5.18
    destination: 192.168.5.18
           mask: 255.255.255.255
      interface: ce1:1
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    *[sparse-root zone]*
    # netstat -nr
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    192.168.5.0          192.168.5.18         U         1     83 ce1:1    
    224.0.0.0            192.168.5.18         U         1      0 ce1:1    
    127.0.0.1            127.0.0.1            UH       19  86105 lo0:1    
    # ifconfig -a
    ce1:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 7
            inet 192.168.5.18 netmask ffffff00 broadcast 192.168.1.255
    # route get 10.5.5.18
       route to: 10.5.5.18
    destination: 10.5.5.18
           mask: 255.255.255.255
      interface: ce0
          flags: <UP,DONE>
    recvpipe  sendpipe  ssthresh    rtt,ms rttvar,ms  hopcount      mtu     expire
           0         0         0         0         0         0      8232         0
    Thank you for your time!
    -- Nick
