3005 address pools and vlan

I have two questions:
1. Can a 3005 concentrator with a Private interface on a 10.10.10.0/24 subnet provide a pool of addresses to clients that are on a 10.10.50.0/24 subnet?
I tried this and could not communicate with anything. I received an address, but could not ping anything on the remote network.
All needed routes were in the concentrator.
2. If a concentrator is providing addresses from a pool (all on the same subnet, concentrator private and clients), and I wanted to VLAN the subnet, is all that is needed to make sure the concentrator Private interface is in the VLAN?

1. Yes, you can achieve this as long as the Private interface knows how to reach the 10.10.50.0/24 subnet, i.e. the route is known/available via a router/L3 switch.
Make sure you allow ICMP on the filter on the Public interface.
2. You can either put the Private interface into/under that VLAN, or you have an L3 device (router/L3 switch) that enables inter-VLAN routing.
HTH. Pls rate all useful post(s).
AK
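
The routing condition in the answer above, as an added example that is not part of the original thread: it runs a longest-prefix-match check over the inside router's route table to confirm that replies to the 10.10.50.0/24 pool are sent back to the concentrator. The route-table text format, the concentrator Private IP 10.10.10.5 and the default gateway 10.10.10.1 are constructed assumptions.

```python
import ipaddress

# Constructed route table of the inside router / L3 switch: "prefix via next-hop".
ROUTES_BEFORE = """
0.0.0.0/0      via 10.10.10.1   # default route toward the Internet firewall (assumed)
10.10.10.0/24  via connected    # subnet of the concentrator's Private interface
10.10.20.0/24  via connected
"""
# Same table with a static route for the pool pointing at the concentrator (assumed IP).
ROUTES_AFTER = ROUTES_BEFORE + "10.10.50.0/24  via 10.10.10.5   # VPN address pool\n"


def parse_routes(text):
    """Parse 'prefix via next-hop' lines into (network, next_hop) tuples."""
    routes = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) == 3 and fields[1] == "via":
            routes.append((ipaddress.ip_network(fields[0]), fields[2]))
    return routes


def return_path_findings(routes, pool, concentrator_ip):
    """List the reasons replies to `pool` would not reach the concentrator."""
    pool = ipaddress.ip_network(pool)
    findings = []

    # The route that wins for the pool as a whole is the longest prefix covering it.
    covering = [(net, hop) for net, hop in routes if pool.subnet_of(net)]
    if not covering:
        findings.append(f"no route covers {pool}: replies to VPN clients are dropped")
    else:
        net, hop = max(covering, key=lambda r: r[0].prefixlen)
        if hop != concentrator_ip:
            findings.append(
                f"{pool} follows {net} via {hop}, not the concentrator {concentrator_ip}"
            )

    # A more-specific route inside the pool overrides the covering route for part of it.
    for net, hop in routes:
        if net != pool and net.subnet_of(pool) and hop != concentrator_ip:
            findings.append(f"more-specific {net} via {hop} diverts part of {pool}")
    return findings


if __name__ == "__main__":
    for label, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        result = return_path_findings(parse_routes(table), "10.10.50.0/24", "10.10.10.5")
        print(label, result or "return path OK")
```

With only the default route present, a client receives a pool address but replies from inside hosts leave toward the default gateway, which matches the symptom described in the question.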

Similar Messages

  • IP address schemes and VLANs

    I'm in the middle of working on Re-IPing a network for a client and wanted to clarify a couple of concepts before I got started:
    First of all, the current setup is that all 50 sites use identical VLAN IDs at each site to relate to the same services (i.e. VLAN 10 - Data, VLAN 20 - VOIP, etc.).
    However, I have read some discussions that seem to suggest that using completely unique VLANs at each site would be better practice.
    Can someone confirm or deny this, and elaborate as to why this is/isn't best practice?
    Secondly, if I'm using a /16 format as a template for each site, and referencing a pre-assigned device ID as the second octet (10.[site ID].x.x/16), would it be best to assign the subnets contiguously from bottom to top, starting with the biggest subnet, or is there a better approach?

    If your sites are tied together with L3, I would suggest reusing the same VLAN numbers for the same VLAN purposes.
    Regarding your /16, that's a rather large (IPv4) allocation.  Your sites are very large?  If not, you might want to use a smaller reservation per site, or even different reservations for different site tier sizes.
    When it comes to allocating IP space, I would recommend you try to preserve large blocks for future allocations.  This can be accomplished by keeping the binary nature of address space allocations in mind.
    This can be accomplished by keeping track of the binary tree "above" the allocated network block.  Only allocate similar or related network blocks from within the same "parent" tree.
    For example, if your first allocation is a /30, anywhere within your /16, you now still have an available /15 and /14.  However, where you allocate your second allocation, another /30, could lose your /15 or the /14.  Consider if the two /30s were sequentially allocated, the one at the last /30 of the top /15 and the other at the first /30 at the top of the bottom /15.
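
The allocation advice above, as an added example that is not part of the original post: it computes the free space left in a site block as CIDR blocks, compares two placements of a pair of /30s, and allocates new subnets best-fit so large blocks stay intact. The site block 10.7.0.0/16 (site ID 7) and the function names are constructed for illustration.

```python
import ipaddress

PARENT = ipaddress.ip_network("10.7.0.0/16")  # constructed site block: 10.[site ID].x.x/16


def free_blocks(parent, allocated):
    """Return the unallocated space in `parent` as a sorted list of CIDR blocks."""
    free = [parent]
    for used in allocated:
        remaining = []
        for blk in free:
            if used == blk or blk.subnet_of(used):
                continue  # free block entirely consumed by this allocation
            if used.subnet_of(blk):
                # Splits blk into the sibling blocks along the path down to `used`.
                remaining.extend(blk.address_exclude(used))
            else:
                remaining.append(blk)
        free = remaining
    return sorted(free)


def largest_free(parent, allocated):
    """Largest block still available (shortest prefix, lowest address on ties)."""
    return min(free_blocks(parent, allocated),
               key=lambda b: (b.prefixlen, int(b.network_address)))


def allocate(parent, allocated, prefixlen):
    """Best-fit: carve the request out of the smallest free block that can hold it."""
    candidates = [b for b in free_blocks(parent, allocated) if b.prefixlen <= prefixlen]
    if not candidates:
        raise ValueError(f"no free /{prefixlen} left in {parent}")
    best = max(candidates, key=lambda b: (b.prefixlen, -int(b.network_address)))
    return next(best.subnets(new_prefix=prefixlen))


# Two /30s placed on either side of the midpoint break both halves of the /16.
SCATTERED = [ipaddress.ip_network("10.7.127.252/30"),
             ipaddress.ip_network("10.7.128.0/30")]
# The same two /30s placed next to each other leave one half untouched.
PACKED = [ipaddress.ip_network("10.7.0.0/30"),
          ipaddress.ip_network("10.7.0.4/30")]

if __name__ == "__main__":
    print("scattered:", largest_free(PARENT, SCATTERED))
    print("packed:   ", largest_free(PARENT, PACKED))
    print("next /30: ", allocate(PARENT, PACKED[:1], 30))
    print("next /24: ", allocate(PARENT, PACKED[:1], 24))
```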

  • Can we assign IPv4 IP address pool to IPv6 VPN Client

    We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.
    We have a Cisco ASA firewall used for SSL VPN, Cisco ACS for user authentication and RSA for two-factor authentication.
    LAN servers are IPv4 only.
    Requirement:
    Client (IPv6) --- Cloud (IPv6) ---- Outside(IPv6) -Cisco ASA - Inside(IPv4) ----- ACS (IPv4) & RSA (IPv4)
    A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface with an IPv6 address will receive the request.
    Questions:
    1. Will the Cisco ASA check two-factor authentication with ACS and RSA, both of which are on IPv4 addresses, for an IPv6 client?
    2. Once authenticated, the Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool, the client will get an IPv4 address as the tunnel interface IP address. Will it work? That is, IPv4 over an IPv6 SSL VPN tunnel.
    Thanks
    Sankar

    AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
    Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

  • RRAS 2012 With DHCP Works, Cannot Get Static Address Pool To Connect Completely

    Hello Forums Users:
    I have set up RRAS/DA 2012 successfully incorporating my AD DHCP server. Every connection works and I see all networks that I have VPN tunnels set up with, which is totally cool. However, I want to assign remote VPN users IPs from a static address pool - and while the setup completes without issue and the client connects, I can see absolutely nothing. No good pings, no connect to Lync client, Outlook, etc. etc.
    I am OBVIOUSLY missing something but have no idea what that is. Do I need to add something (and I really have no idea what that "something" is) to RRAS config so the static address pool (192.168.40.0 in this case) has the same access as the AD DHCP pool does?
    Thanks again for taking the time to check this out and comment.

    Bill:
    Thanks for the reply.... yes, the idea is to free up a pool of IPs large enough to accommodate all 170 staff. Our current 192.168.2.x DHCP hands out 150, but I need to plan for DR/BCP when other locations (about 110 users) remote in when their location goes dark.
    I already have VPN tunnels between the main locations and a VPN user can see ALL of them when it gets an IP from DHCP. Are you saying that I have to add routes to all the routers/firewalls to accomplish this?
    Or would I use IPv4 Static Routes? A network I'd like access to is 192.168.14.0 /24. Would the route look like any of these? Sorry it's not clear what I would use as the gateway (192.168.2.1 is the RRAS server network gateway, 192.168.2.6 is RRAS IP)
    Destination       Net Mask          Gateway           Interface
    192.168.14.0      255.255.255.0     192.168.2.1       LAN
    192.168.14.0      255.255.255.0     192.168.14.254    LAN     (.254 is the remote gateway)

  • Can i use same address pool for different remote access VPN tunnel groups and policy

    Hi all,
    I want to create a different remote access VPN profile in ASA. I have one RA VPN already configured for some purpose.
    Can I use the same IP address pool used for the existing one for the new tunnel-group (to avoid adding routing on internal devices for a new pool)? It's a temporary requirement.
    thanks in advance
    Shnail

    Thanks Karsten..
    But I can still have filtering, right? I am planning to create a new group policy and tunnel-group and use the existing pool for the new RA, and I have to do some filtering also. For the new RA I have to restrict access to a particular server; my existing RA has full access.
    So I am planning to create new local usernames for the new RA and a new group policy with vpn-filter value access-list to apply for that user as below. This will achieve what I need, right?
    access-list 15 extended permit tcp any host 192.168.205.134 eq 80
    username test password password test
    username test attributes
    vpn-group-policy TEST
    vpn-filter value 15
    group-policy TEST internal
    group-policy TEST attributes
    dns-server value 192.168.200.16
    vpn-filter value 15
    vpn-tunnel-protocol IPSec
    address-pools value existing-pool
    tunnel-group RAVPN type ipsec-ra
    tunnel-group RAVPN general-attributes
    address-pool existing-pool
    default-group-policy TEST
    tunnel-group Payroll ipsec-attributes
    pre-shared-key xxx

  • 2 ISPs with addresses /32 and PPtP Server onboard of Cisco 3825

    First of all, excuse me for my bad English, it's not my native language.
    A couple of years ago our company replaced our central router, a Cisco 1841, with a more powerful 3825 ISR.
    Here is show ver
    Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(24)T7
    This Cisco 3825 contains 2 DIMMs - 256Mb and 512 Mb of RAM onboard.
    Now it works with 2 ISPs (take a glance at the PDF picture http://www.intelcom-ug.ru/scheme.pdf or the attached file). We're using the failover scheme; the ISP1 with statically assigned IP address 85.20.20.20/32 (Dialer 1) is used as the backup link. The ISP2 L2TP link is the main one.
    Now our authorities are organizing a remote office with a Cisco 1841. And we face a problem: we cannot connect via PPtP from anywhere to 85.20.20.20/32 (Dialer 1). We need some help or advice. The config of the Cisco 3825 is like this:
    version 12.4
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime localtime
    service password-encryption
    hostname CENTRAL-OFFICE
    boot-start-marker
    warm-reboot
    boot-end-marker
    security authentication failure rate 3 log
    logging message-counter syslog
    logging buffered 64000
    enable secret 5 HEREISTHESECRETPASSWORD
    aaa new-model
    aaa local authentication attempts max-fail 3
    aaa authentication login default local
    aaa authentication ppp default local
    aaa authentication ppp vpn-users local
    aaa authorization exec default local 
    aaa authorization exec vpn-users local 
    aaa authorization network vpn-users local 
    aaa session-id common
    clock timezone MSK 4
    ip source-route
    no ip gratuitous-arps
    ip cef
    no ip domain lookup
    ip domain name somewhere.net
    ip name-server 8.8.8.8
    no ipv6 cef
    multilink bundle-name authenticated
    vpdn enable
    vpdn-group 239
     accept-dialin
      protocol pptp
      virtual-template 100
    vpdn-group global
    ! Default L2TP VPDN group
    ! Default PPTP VPDN group
     accept-dialin
      protocol any
    password encryption aes
    voice-card 0
    username administrator privilege 15 password 7 737364645252414571
    username vpnuser password 7 85956353413120384645373930
    archive
     log config
      hidekeys
    ip tcp selective-ack
    ip tcp timestamp
    ip tcp synwait-time 5
    ip tcp path-mtu-discovery
    ip ssh version 2
    l2tp-class beeline
    pseudowire-class pw-beeline
     encapsulation l2tpv2
     protocol l2tpv2 beeline
    buffers tune automatic
    interface Loopback0
     ip address 10.111.111.111 255.255.255.255
    interface GigabitEthernet0/0
     description --Our Local Network--
     ip address 192.168.7.2 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     duplex auto
     speed auto
     media-type rj45
    interface GigabitEthernet0/1
     description --Trunk Connection--
     no ip address
     duplex auto
     speed auto
     media-type rj45
    interface GigabitEthernet0/1.10
     description --Connection to ISP1 through vlan on our managed switch--
     encapsulation dot1Q 10
     pppoe enable group global
     pppoe-client dial-pool-number 2
    interface GigabitEthernet0/1.20
     description --Connection to ISP2 through vlan on our managed switch--
     encapsulation dot1Q 20
     ip address dhcp
     ip virtual-reassembly
    interface Virtual-PPP5
     description --Interface for ISP2--
     ip address negotiated
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1380
     no peer neighbor-route
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname 8282828282828
     ppp chap password 7 theSecretForISP2
     pseudowire 10.255.255.242 10 pw-class pw-beeline
    interface Virtual-Template100
     description --TEMPLATE for incoming PPtP connections of our users--
     ip unnumbered Dialer1
     autodetect encapsulation ppp
     peer default ip address pool for-vpn
     no keepalive
     ppp authentication ms-chap ms-chap-v2 vpn-users
     ppp authorization vpn-users
    interface Dialer1
     description --Interface for ISP1. PPPoE--
     bandwidth 10240
     ip address negotiated
     ip accounting output-packets
     ip nbar protocol-discovery
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     ip tcp adjust-mss 1400
     load-interval 30
     dialer pool 2
     dialer-group 2
     no fair-queue
     ppp authentication chap callin
     ppp pap sent-username reteretere password 7 PasswordForISP1
    ip local policy route-map External_VPN
    ip local pool for-vpn 172.16.135.1 172.16.135.10
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1 100 track 1
    ip route 0.0.0.0 0.0.0.0 Virtual-PPP5 track 2
    ip route 192.168.239.0 255.255.255.0 172.16.135.1 name C1841-Rossiyskaya70
    ip route 194.87.0.8 255.255.255.255 Dialer1
    ip route 194.87.0.9 255.255.255.255 Virtual-PPP5
    ip route 10.255.255.242 255.255.255.255 dhcp
    ip route 10.255.255.247 255.255.255.255 dhcp
    no ip http server
    no ip http secure-server
    ip nat inside source route-map Beeline interface Virtual-PPP5 overload
    ip nat inside source route-map UTK interface Dialer1 overload
    ! This access-list is for local Network proxy
    ip access-list standard fwd-squid
     permit 192.168.7.100
     permit 192.168.7.0 0.0.0.255
    ! This access-list is for ip local policy
    ip access-list extended External_VPN_access
     permit tcp host 85.20.20.20 eq 1723 any
     permit tcp host 85.20.20.20 eq 22 any
     permit tcp host 85.20.20.20 eq telnet any
     permit icmp host 85.20.20.20 any echo-reply
    track 1 ip sla 1 reachability
    ip sla 1
     icmp-echo 194.87.0.8 source-interface Dialer1
     timeout 7000
     threshold 100
     frequency 15
    ip sla schedule 1 life forever start-time now
    ip sla reaction-configuration 1 react timeout threshold-type immediate action-type triggerOnly
    track 2 ip sla 2 reachability
    ip sla 2
     icmp-echo 194.87.0.9 source-interface Virtual-PPP5
     timeout 7000
     threshold 400
     frequency 15
    ip sla schedule 2 life forever start-time now
    ip sla reaction-configuration 2 react timeout threshold-type immediate action-type triggerOnly
    access-list 1 remark --SNMP Watching--
    access-list 1 permit 192.168.7.0 0.0.0.255
    access-list 100 permit ip 192.168.7.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    dialer-list 3 protocol ip permit
    route-map External_VPN permit 10
     match ip address External_VPN_access
     set default interface Dialer1
    route-map UTK permit 10
     match ip address 100
     match interface Dialer1
    route-map Beeline permit 10
     match ip address 100
     match interface Virtual-PPP5
    snmp-server community public RO 1
    control-plane
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 30 0
    line vty 5 15
    exception memory ignore overflow processor
    exception memory ignore overflow io
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp peer 194.33.84.1
    event manager applet nat_clear_isp1 
     event track 1 state any
     action 1 wait 5
     action 2 cli command "enable"
     action 3 cli command "clear ip nat translation *"
    event manager applet nat_clear_isp2 
     event track 2 state any
     action 1 wait 5
     action 2 cli command "enable"
     action 3 cli command "clear ip nat translation *"
    end

    Okay, you are not going to be able to do this using the interconnect between the switch and the router. The issue is -
    1) If you make the interconnect an L2 trunk then you would have subinterfaces on the router interface connecting to the switch. But you cannot have multiple interfaces on the router configured from the same IP range so it won't work, i.e. you would need a subinterface using the same IP range as one of the other interfaces.
    2) If you make the interconnect L3 as you have then you cannot route to the same subnet, i.e. think of it as two separate devices, an L3 switch and a router. You connect the L3 switch to the router using an L3 connection.
    On the switch you then configure a client with a public IP and on another interface on the router, i.e. not the interface used to connect to the switch, you use the same public IP range.
    You cannot then route from the client to that other interface because you don't route to the same IP subnet and the client and the other interface are separated by a different IP subnet.
    So neither will work. The L3 switch is usually used where you have multiple VLANs/IP subnets and you create L3 VLAN interfaces for these on the switch and then you route to other subnets that are reachable from the router, whether these are directly connected subnets or remote networks.
    But you aren't doing that.
    The only way I could see you doing what you need is to not configure the interconnect at all and instead run cables from the relevant router interfaces to the switch. Then you could configure VLANs on the switch and have them route via the physical router interface.
    The switch is then only acting as an L2 switch and all L3 is done on the router.
    One thing I should say is I have never used the switch module this way so I can't guarantee it will work, although I can't see why it wouldn't.
    Jon

  • Can ISE 1.2 Virtual Appliance assign VPN address pool like ACS does?

    Dear friends,
    I have observed that Cisco ISE Virtual Appliance (VMware) can act as a RADIUS server in the same manner as ACS does, but I cannot find a way of assigning an IP address to a remote VPN client (only assigning a VLAN).
    At this point I don't know if it is strictly necessary to have the IP address assignment for the remote VPN clients done in the external firewall (i.e. Cisco ASA) in this case.
    Is there any way of defining an IP address pool in the ISE itself for VPN clients authenticated against that ISE?
    If the answer is no, what could be the options for that assignment other than the ASA pool assignment? Would it be possible to define the corresponding address pool in an internal DHCP server that could provide the IP address to the VPN client after successful authentication through ISE?
    Any help clarifying these questions would be really appreciated.
    Thank you and best regards.

    Please find the link below; it may help you get the answer related to comparison and even deployment.
    http://pmbuwiki.cisco.com/Products/ISE/Technical/Design-Config/Guest_and_Web_Portal_Services

  • Assign DHCP Pools to VLAN on SG500

    Hello,
    I want to use the internal DHCP Server of a SG500-Stack (Layer3-Mode) to assign addresses to several VLANs.
    I was able to create several Pools, but I didn't find any option to assign these pools to VLANs or Ports.
    For Example:
    Addresses from Pool 192.168.0.0/24 are assigned to VLAN10
    Addresses from Pool 10.0.0.0/24 are assigned to VLAN20
    Addresses from Pool 10.128.128.0/24 are assigned to VLAN30
    Is this possible with a SG500?
    If it is, please give me a hint where I can set this up as I didn't find anything about this.
    Thanks in advance,
    Christoph

    This is an example of how to create VLANs and DHCP per VLAN and how to assign a port to a VLAN,
    but before that please change the mode of the router to layer 3 and ensure you have the latest firmware.
    1. Create the VLANs
    #configure terminal
    #vlan database
    #vlan 10
    #vlan 20
    #vlan 30
    #exit
    2. Create the interfaces of the VLANs
    #interface vlan 10
    #ip address 192.168.0.254 255.255.255.0
    #interface vlan 20
    #ip address 10.0.0.254 255.255.255.0
    #interface vlan 30
    #ip address 10.128.128.254 255.255.255.0
    #exit
    3. Enable the DHCP server on the VLANs; in this example the range is from 100 to 200 hosts
    #address low 192.168.0.100 high 192.168.0.200 /24
    #address low 10.0.0.100 high 10.0.0.200 /24
    #address low 10.128.128.100 high 10.128.128.200 /24
    #exit
    4. Assign the ports to VLAN 10, 20 and 30; in my example I assign port 1 to VLAN 10, port 2 to VLAN 20 and port 3 to VLAN 30
    #interface gigabitethernet 1/1
    #switchport mode access
    #switchport access vlan 10
    #exit
    #interface gigabitethernet 1/2
    #switchport mode access
    #switchport access vlan 20
    #exit
    #interface gigabitethernet 1/3
    #switchport mode access
    #switchport access vlan 30
    #exit
    So now connect a PC on ports 1, 2 and 3 to make a test.
    Please let me know, and please rate the post and mark it answered to help other customers.
    Thanks
    Mehdi

  • DHCP and Vlan

    I've got a 1700 router with subinterface fast ethernet 2 assigned to VLAN 2 with dot1q trunking. I want to set up DHCP on the router. The native VLAN is not used. I'm only using VLAN 2. Will the hosts receive IP addresses automatically for VLAN 2 or do I need to set up helper addresses?

    Hi,
    You can indeed set up the router to be a DHCP server, which means that you will not need to configure any helper addresses.
    If a DHCPDISCOVER message comes in over your fastethernet sub-interface, the router will respond with an address.
    Here's a sample config:
    service dhcp
    ip dhcp pool DCHPPool1
    network ! network and mask you want to assign
    default-router ! ip address of router
    dns-server
    ip dhcp excluded-address
    (since you don't want it handing out addresses such as the router's address)
    Hope that helps - pls rate the post if it does.
    Regards,
    Paresh

  • Listener EA2: database connection pool and connection revalidation

    Hi all,
    As one can expect from early adopter release there could be some bugs but I can't find any references in forum to my situation:
    * My 11g XE database and listener are starting as windows services when server boots operating system (Windows Server 2003 R2).
    * I configured my web server (unsupported Jetty 9.0.0.M1) to start as windows service when operating system starts.
    * Apex Listener 2.0.0.268.17.05 configured to connect with XE using JDBC thin driver with default settings (initial pool size 3, max statements 10, min connections 1, max connections 10, inactivity timeout 1800, abandoned connection timeout 900)
    * Because web server starts a bit faster than Oracle database when apex connects first time it gets "ORA-12528, TNS:listener: all appropriate instances are blocking new connections" (could be that database still starting but already registered service with listener)
    * From listener.log file I can see that all further connections made from Apex listener succeeds
    * When I try to open any apex page with browser I am getting 404 error and apex listener logs error (*time is 2 days after system startup*):
    2012-11-30 3:56:02 PM oracle.dbtools.common.config.db.DatabaseConfig badConfiguration
    SEVERE: The pool named: apex is not correctly configured, error: Listener refused the connection with the following error:
    ORA-12528, TNS:listener: all appropriate instances are blocking new connections
    ConnectionPoolException [error=BAD_CONFIGURATION]
         at oracle.dbtools.common.jdbc.ConnectionPoolException.badConfiguration(ConnectionPoolException.java:62)
         at oracle.dbtools.common.config.db.DatabaseConfig.badConfiguration(DatabaseConfig.java:146)
         at oracle.dbtools.common.config.db.DatabaseConfig.createPool(DatabaseConfig.java:168)
         at oracle.dbtools.common.config.db.DatabaseConfig.getConnection(DatabaseConfig.java:68)
         at oracle.dbtools.common.jdbc.ora.OraPrincipal.connection(OraPrincipal.java:25)
         at oracle.dbtools.apex.ModApexContext.getConnection(ModApexContext.java:320)
         at oracle.dbtools.apex.Procedure.getProcedure(Procedure.java:166)
         at oracle.dbtools.apex.OWA.validateProcedure(OWA.java:384)
         at oracle.dbtools.apex.security.Security.isValidRequest(Security.java:171)
         at oracle.dbtools.apex.ModApex.validateRequest(ModApex.java:233)
         at oracle.dbtools.apex.ModApex.doGet(ModApex.java:79)
         at oracle.dbtools.apex.ModApex.service(ModApex.java:263)
         at oracle.dbtools.rt.web.HttpEndpointBase.modApex(HttpEndpointBase.java:288)
         at oracle.dbtools.rt.web.HttpEndpointBase.service(HttpEndpointBase.java:127)
         at javax.servlet.http.HttpServlet.service(HttpServlet.java:848)
         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:665)
         <... Jetty web server stack ...>
         at java.lang.Thread.run(Unknown Source)
    2012-11-30 3:56:02 PM oracle.dbtools.rt.web.HttpEndpointBase modApex
    * Oracle listener log for same time (no errors here):
    30-NOV-2012 15:56:01 * (CONNECT_DATA=(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))(SERVICE_NAME=xe)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1078)) * establish * xe * 0
    30-NOV-2012 15:56:01 * (CONNECT_DATA=(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))(SERVICE_NAME=xe)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1079)) * establish * xe * 0
    30-NOV-2012 15:56:01 * (CONNECT_DATA=(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))(SERVICE_NAME=xe)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1080)) * establish * xe * 0
    30-NOV-2012 15:56:01 * (CONNECT_DATA=(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))(SERVICE_NAME=xe)(CID=(PROGRAM=JDBC Thin Client)(HOST=__jdbc__)(USER=SYSTEM))) * (ADDRESS=(PROTOCOL=tcp)(HOST=127.0.0.1)(PORT=1081)) * establish * xe * 0
    * For some reason apex listener keeps first connection status and won't try to establish new connection if first attempt finished with ORA-12528
    * The same scenario is valid when at time of web server start oracle database/listener is not available - even if database and listener starts and apex successfully establishes further connections all apex pages gets 404 error
    * If I restart web server windows service (while oracle db and listener still running) browser opens apex pages without errors and apex listener does not log any errors
    * I know that I can avoid this error delaying start of web server windows service but it would be nice to have production release 2.x without such bugs

    Hi,
    Is there any way to use the connection pool or Datasource while connecting to database? If I am using a stateless session bean and using a Data Access layer which just creates a database session to write the persistence toplink objects how I can make use of application server connection pool?

    Hi Vinod,
    Yes, TopLink allows you to use the app server's connection pooling and transaction services. Chapter 2 of the Oracle9iAS TopLink Foundation Library Guide provides details as do the TopLink examples. The easiest way to set this up is by using the sessions.xml file. The sample XML below is from the file <toplink903>\examples\ias\examples\ejb\sessionbean\sessions.xml. Here we are adding the datasource defined in OC4J and specifying that we are using the OC4J transaction controller also.
    <login>
    <user-name>sa</user-name>
    <password></password>
    <datasource>java:comp/env/jdbc/ejbJTSDataSource</datasource>
    <uses-external-transaction-controller>true</uses-external-transaction-controller>
    <uses-external-connection-pool>true</uses-external-connection-pool>
    </login>
    <external-transaction-controller-class>oracle.toplink.jts.oracle9i.Oracle9iJTSExternalTransactionController</external-transaction-controller-class>
    When using this approach you need to change your TopLink code slightly in the EJB methods:
    a. Acquire the ACTIVE unit of work from the server session (again, see the EmployeeSessionEJB code example) with something like:
    UnitOfWork uow = clientSession.getActiveUnitOfWork();
    b. Calls to uow.commit() can be omitted or commented out because the EJB will handle this. Note that of course the methods you create in the EJB that are using this approach must have TX Required (default).
    Hope this helps.
    Pete

  • How do I add a Subnet and vlan with a catalyst 3550 and RV120

    Hello Friends.
    I have a scenario that I'm hoping I can get some help with. I'll be as detailed and descriptive as I can.
    This is for a business with 100 employee nodes and 100 camera nodes all needing IP internet through private addressing and a public gateway.
    I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
    In place of the firewall and DHCP from the modem I have installed an RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb and disrupt the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
    The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. It's using the 10.0.0.0/24 subnet range.
    DHCP is assigning 10.1.10.50 - 10.1.10.100; the rest are static and I plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
    There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
    VPN uses PPTP assigned addresses 10.1.10.6 - 10.1.10.10.
    There are no layer 3 switches that I know of. Just a layer 2 switch that is the primary switch, whose ports have run out, and various out-of-the-box switches and wireless access points connected to the primary switch.
    I want to implement subnets into the network and VLANs as well on a new Layer 3 switch from Cisco. Thinking a 3550 from Cisco or one of the older layer 2 switches with layer 3 capabilities.
    I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
    I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes, segmented.
    I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
    I've thought of replacing all the wireless nodes with RV120s and using VLANs. Don't know if that strategy works. Need to think it through.
    I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
    Any advice on how to do this?
    As a side note the next step after this is to install a server domain controller as all the computers are standalones in their own workgroups. It's a simultaneous project that will introduce a DHCP, WINS, DNS server.

    Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
    To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
    With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user: "switchport mode access" "native vlan xx". This will assign the port as an untagged member of the desired VLAN.
    If using a small business switch, it is slightly different: you still create the VLAN, but the command issued is a bit different, "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For an access client it remains the same as Catalyst.

  • IP addresses taken and not released (SRP527W)

    Hello,
    I have  the SRP527W model.
    The situation is the devices are taking the IP address from the DHCP pool and I am running out.
    The setting for the client lease time is 0 = 0 means one day
    I could change it to 5 = 5 mins at start up
    How do I change the settings so other devices that are not on the network anymore give back the IP addresses to the pool and not keep them forever? I am running out of IP addresses in the DHCP pool and so far have a max of 120 users.
    I would also like to note I've not set any of these addresses as static to the client. If they are not on the network after a week, the IP address should go back to the pool, what's going on?
    Thanks

    Thank you so much, I just changed the WEP to WPA2 and g and my Hawking extender works now. I thought it was bad, they sent me a new one and I had the same problem. The tech support in India wasted my time and thought the Verizon router is not compatible with Hawking 300 extender.
    Alisa

  • Oracle VM 3.1.1 and VLAN problem.

    Hi There
    We got two vlans, 10 and 11. 10 is used for our "Server Management" and 11 is used for "Cluster heartbeat" and "Live Migrate".
    So, when I added ovs1 (the first server), it discovered the following:
    192.168.1.0 - 192.168.1.0-vpg
    Then I add the second vlan 11 and my "networks" look like this:
    192.168.1.0 - 192.168.1.0-vpg
    10.0.0.0 - 10.0.0.0-vpg
    Everything is still fine, I added the second server (ovs2) last night to the pool. I did some live migrations and test on the pool.
    This morning when I wanted to do a live migration OVMM complained that it is not in the same network group.
    So this is what I found under "vlan groups":
    192.168.1.0 - 192.168.1.0-vpg
    10.0.0.0 - 10.0.0.0-vpg
    0004fb00002500005ea963abcbaf0a1d
    So it seems that OVMM does not add it to the 192.168.1.0-vpg group? And when I do a "rediscover" on ovs2, OVMM just creates a new random number with that IP in.
    Any ideas... Do I need to log an SR ?
    Regards
    Nardus

    Hi There
    I don't know if this is the right way but it did solve the issue for me.
    I have compared files in the /etc/sysconfig/network-scripts directory and discovered that there were some files missing. The files that you need to look for are meta-bond0 and meta-vlan11. It seems that these files are created when a server is installed or added to a pool, and for some reason the meta-vlan* file was not created. This was on the server that wasn't adding the correct network. I made sure the meta-* files were the same on all my servers; this might be different for your setup. After adding the missing meta-* file, I did need to remove the server from the pool and rediscover it.
    Hope it helps.
    Nardusg

  • IPv6 Address Management and Security Questions

    I'm trying to draft an IPv6-based version of our location's current routing configuration in anticipation of when our ISP will finally roll it out, and address management has been giving me the biggest headache - ironic, considering IPv6 was supposed to simplify address allocation.
    My first config draft was made assuming that I would be getting a static /56 or /60 prefix from the ISP, and I was just going to insert the prefix into my DHCP pools and there would be no issues. That was before reading around and discovering that some ISPs are considering prefix delegation (PD) for both residential and business accounts instead of static blocks. Now I have questions about how to stick as close to the current IPv4 configuration as possible.
    For the PD scenario, what I am looking at now are two address ranges for each network - a ULA /120 space that I want to control using stateful DHCPv6, and the global space which can be /64 and auto-configured. That way there will be a "private" address space for internal routing in the event of a prefix change or an extended outage. But I'm not sure how the config should look for such a scenario. What I have drafted so far is this:
    ipv6 dhcp pool DHCP6_INTERNAL
     address prefix FDAB::1:0/120
     domain-name whatever.net
     dns-server FDAB::1:1
    ipv6 dhcp pool DHCP6_DMZ-WIFI
     address prefix FDAB::2:0/120
     domain-name guest.whatever.net
     dns-server FDAB::2:1
    interface GigabitEthernet0
     description WAN-LINK
     ipv6 enable
     ipv6 address dhcp
     no ipv6 unreachables
     no ipv6 redirects
     ipv6 flow ingress
     ipv6 flow egress
     ipv6 virtual-reassembly in
     ipv6 nd autoconfig default-route
     ipv6 dhcp client pd hint ::/56
     ipv6 dhcp client pd ISP-PREFIX
     zone-member security OUTSIDE
     speed auto
     duplex auto
     no cdp enable
    interface FastEthernet8.1
     description VLAN_1-INTERNAL
     encapsulation dot1Q 1 native
     ipv6 enable
     ipv6 address FDAB::1:1/120
     ipv6 address ISP-PREFIX ::1:0:0:0:1/64
     ipv6 flow ingress
     ipv6 flow egress
     ipv6 virtual-reassembly in
     zone-member security INSIDE
     ip tcp adjust-mss 1300
     ipv6 dhcp server DHCP6_INTERNAL
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
    interface FastEthernet8.2
     description VLAN_2-DMZ-WIFI
     encapsulation dot1Q 2
     ipv6 enable
     ipv6 address FDAB::2:1/120
     ipv6 address ISP-PREFIX ::2:0:0:0:1/64
     ipv6 flow ingress
     ipv6 flow egress
     ipv6 virtual-reassembly in
     zone-member security DMZ
     ip tcp adjust-mss 1300
     ipv6 dhcp server DHCP6_DMZ-WIFI
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
    Will this config work? By which I mean: will the DHCPv6 servers provide ULA addresses, and will SLAAC work for global address allocation? If not, what needs to be changed?
    Also, another question. I found a few references to a prefix name (the "ISP-PREFIX") which can be used as part of a static IPv6 address on an interface, which is a good idea in case the prefix changes. But that brings up another concern - if the prefix changes, that will invalidate ACLs referencing the global addresses using the previous prefix. Is there anything similar to the prefix name string that can be used in ACLs to keep this from occurring?

    DHCPv6-PD is not necessarily dynamic the same way as DHCP was with the public IPv4 addresses in the IPv4 world.
    While the outside network (PPPoE, DHCPv6, anything) might be truly dynamic and changing with possibly every login session, the DHCPv6 delegated prefix might be tied to your login credentials or DHCPv6 client's DUID after the first connection. A bit like a DHCP lease reservation.
    If that is the case, there is some possibility that your ISP will run reverse route injection, and will always route your "fixed" prefix  to the currently active dynamic "outside" address.
    Talk to your ISP and have them confirm that, once the PD'd /48 or /56 is initially assigned, it won't change, and that the same prefix will be delegated every time. Then you can treat it as if it were fully static, and you won't have to go down the ULA path.
    I contacted one of our local ISPs, and they're doing it exactly that way: PPPoE for IPv4 and IPv6 (fully dynamic), and DHCPv6-PD with the /48 tied to the PPPoE login credentials. I might change to that ISP sooner or later.
    With my current ISP, my IPv6 access is 6RD based. I get a /60, with my current public IPv4 address (by DHCP) embedded into those 60 bits. Readdressing is bound to happen sooner or later, and it happens every so often, and it breaks my IPv6 ACLs.
    I'm also looking for a way to write IPv6 ACLs with wildcard bits, not prefix/mask, so I can use them with ZBFW. So far, no sign of it.
    A few more comments:
    ULA addressing:
    It may look tempting, plausible and intuitive to use dual global and ULA addressing.
    I started this way as well. However, it turns out that Windows 7 has (had?) some issues with proper source address selection. The "longest common prefix" rule never seemed to work properly. In some cases, it would pick the global address to talk to ULA hosts, or stubbornly insist on using the ULA address to talk to an IPv6 internet host. It was a frustrating experience. Be sure to test this to the full extent (and back, and again and then some more) with every operating system you intend to use.
    Using /120:
    Be sure to test this as well, and very thoroughly. Subnet masks longer than /64 are sometimes called "uncharted territory" in IPv6. Longer subnet masks will break SLAAC, and there may be (embedded) devices that will not react benevolently to a subnet mask other than /64, or simply lack support for DHCPv6.
    adjust-mss
    I see you have "ip tcp adjust-mss 1300". While PMTUd may be mandatory with IPv6, I found it being broken already :-( . "ipv6 tcp adjust-mss .... " is now a separate command since IOS 15.4(1). I would suggest considering it, depending on your experience with PMTUd on IPv6.
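
The readdressing problem described in the reply above, as an added example that is not part of the original thread: a Python sketch that derives a 6RD-style /60 from a 6rd prefix and an IPv4 address, flags ACL entries left stale when the IPv4 address changes, and regenerates them from prefix-independent rules. It assumes the RFC 5969 mapping with no IPv4 bits stripped; the prefix `2001:db0::/28`, the rule list and all function names are constructed for illustration.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, ipv4):
    """6rd prefix bits followed by all 32 IPv4 bits (assumes IPv4MaskLen 0)."""
    net = ipaddress.ip_network(sixrd_prefix)
    plen = net.prefixlen + 32
    if plen > 64:
        raise ValueError("6rd prefix too long to leave room for /64 subnets")
    v4 = int(ipaddress.IPv4Address(ipv4))
    base = int(net.network_address) | (v4 << (128 - plen))
    return ipaddress.IPv6Network((base, plen))

def host_address(delegated, subnet_id, iid):
    """Interface-id `iid` inside the subnet_id-th /64 of the delegated prefix."""
    if not 0 <= subnet_id < 2 ** (64 - delegated.prefixlen):
        raise ValueError("subnet_id does not fit in the delegated prefix")
    value = int(delegated.network_address) | (subnet_id << 64) | iid
    return ipaddress.IPv6Address(value)

def render_acl(delegated, rules):
    """rules: (subnet_id, interface-id, tcp port) tuples, independent of the prefix."""
    return [f"permit tcp any host {host_address(delegated, s, i)} eq {p}"
            for s, i, p in rules]

def stale_entries(acl_lines, delegated):
    """ACL lines whose host address lies outside the current delegated prefix."""
    stale = []
    for line in acl_lines:
        words = line.split()
        addr = ipaddress.ip_address(words[words.index("host") + 1])
        if addr not in delegated:
            stale.append(line)
    return stale

# Constructed inputs from documentation ranges, not from any real ISP.
SIXRD_PREFIX = "2001:db0::/28"
RULES = [(1, 0x10, 443), (2, 0x20, 25)]  # hypothetical web and mail hosts

if __name__ == "__main__":
    old = sixrd_delegated_prefix(SIXRD_PREFIX, "192.0.2.10")
    new = sixrd_delegated_prefix(SIXRD_PREFIX, "198.51.100.7")
    deployed = render_acl(old, RULES)
    print("delegated before/after:", old, new)
    print("stale after readdressing:", stale_entries(deployed, new))
    print("\n".join(render_acl(new, RULES)))
```

Keeping rules as subnet and interface-id pairs means a prefix change only requires re-rendering the ACL, and `stale_entries` gives a quick check that nothing deployed still points at the old prefix.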

  • WLC2112 with Guest / Web-Auth and vlan

    Hi
    I'm trying to configure my WLC with guest SSID and vlan 10.
    The security is only set to Web-auth, and it is all working if the guest network is set to native vlan (1). But it seems that the http(s)://1.1.1.1/login.html is not reachable from the guest SSID/VLAN??
    Please help.
    Management IP Address 192.168.14.252
    Software Version 6.0.182.0
    Emergency Image Version
    I have tried with ver. 5.2 also -

    I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
    Don't know if that helps, or not.
