ACE access-list best practice

Hi,
I was wondering what the best practice is for the access-lists on the Cisco ACE.
Should we permit any in the access-list and classify the traffic in the class-maps, as seen in this brief example:
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT
policy-map multi-match EXCH-DMZ-OUT
class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001
interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input ANY
  service-policy input EXCH-DMZ-OUT
Or should we also use the access-list for the access-group on the interface, as seen below:
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
class-map match-all EXCH-DMZ-INTERNET-OUT
  2 match access-list EXCH-DMZ-INTERNET-OUT
policy-map multi-match EXCH-DMZ-OUT
class EXCH-DMZ-INTERNET-OUT
    nat dynamic 1 vlan 1001
interface vlan 756
  description VLAN 744 EXCH DMZ BE
  ip address 10.134.11.253 255.255.255.0
  alias 10.134.11.254 255.255.255.0
  peer ip address 10.134.11.252 255.255.255.0
  access-group input EXCH-DMZ-INTERNET-OUT
  service-policy input EXCH-DMZ-OUT
Regards,

Hello,
I don't think you'll find a "best practice" for this scenario. It really just comes down to meeting your needs. The first example you have is far and away the more commonly seen configuration, as you'll only NAT the traffic matching EXCH-DMZ-INTERNET-OUT, but all other traffic will be forwarded by the ACE whether it is load balanced or not. The second way will only allow NAT'd traffic, and deny all others.
Hope this helps,
Sean
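An added example, not code from this thread or from Cisco: a small Python model of the two designs. It parses the ACE-style extended ACL lines from the question (subnet masks, `any`/`host`, `eq` ports) and shows, for sample packets constructed here, what each design does with traffic the NAT class does not cover. The packet addresses, the `compare_designs` helper and the implicit-deny handling are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the thread's own code. It models the two designs in the
# question: (1) access-group ANY on the interface with classification in the
# class-map, (2) the classification ACL applied directly as the access-group.
# ACE extended ACL syntax handled:
#   access-list NAME line N extended {permit|deny} PROTO SRC DST [eq PORT]
# where SRC/DST is "any", "host A.B.C.D" or "A.B.C.D SUBNET-MASK" (ACE uses
# subnet masks, not wildcard masks).

PORT_NAMES = {"www": 80, "https": 443, "ftp": 21}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: int = 0      # destination port, 0 when not applicable


def _parse_endpoint(tokens, i):
    """Parse 'any' | 'host X' | 'X MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace_acl(config_text):
    """Return {acl_name: [(line_no, action, proto, src_net, dst_net, dport_or_None)]}, ordered by line."""
    acls = {}
    for raw in config_text.splitlines():
        t = raw.split()
        if len(t) < 9 or t[0] != "access-list" or t[2] != "line" or t[4] != "extended":
            continue
        name, line_no, action, proto = t[1], int(t[3]), t[5], t[6]
        src, i = _parse_endpoint(t, 7)
        dst, i = _parse_endpoint(t, i)
        port = None
        if i + 1 < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1])
            port = int(t[i + 1]) if port is None else port
        acls.setdefault(name, []).append((line_no, action, proto, src, dst, port))
    for entries in acls.values():
        entries.sort(key=lambda e: e[0])
    return acls


def acl_permits(entries, pkt):
    """First matching entry wins; an ACL ends with an implicit deny, as on the ACE."""
    for _, action, proto, src, dst, port in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action == "permit"
    return False


def forwarded_and_natted(acls, interface_acl, nat_class_acl, pkt):
    """The access-group decides whether the ACE forwards the packet at all; the
    class-map's ACL decides whether the policy-map's NAT action applies to it."""
    if not acl_permits(acls[interface_acl], pkt):
        return ("dropped", False)
    return ("forwarded", acl_permits(acls[nat_class_acl], pkt))


# The ACL lines are the ones from the question; both designs share them.
CONFIG = """
access-list ANY line 10 extended permit ip any any
access-list EXCH-DMZ-INTERNET-OUT line 10 extended permit tcp 10.134.10.0 255.255.254.0 any eq www
access-list EXCH-DMZ-INTERNET-OUT line 15 extended permit tcp 10.134.10.0 255.255.254.0 any eq https
"""
ACLS = parse_ace_acl(CONFIG)


def compare_designs(pkt):
    """Design 1 uses 'access-group input ANY'; design 2 uses the classification ACL as the access-group."""
    return {
        "permit-any-on-interface": forwarded_and_natted(ACLS, "ANY", "EXCH-DMZ-INTERNET-OUT", pkt),
        "acl-on-interface": forwarded_and_natted(ACLS, "EXCH-DMZ-INTERNET-OUT", "EXCH-DMZ-INTERNET-OUT", pkt),
    }


if __name__ == "__main__":
    # Constructed sample packets: 10.134.10.0/23 is the DMZ range from the question,
    # 203.0.113.0/24 is documentation space standing in for "the Internet".
    for pkt in (Packet("tcp", "10.134.10.5", "203.0.113.10", 443),
                Packet("tcp", "10.134.10.5", "203.0.113.10", 25),
                Packet("udp", "10.134.11.7", "203.0.113.53", 53)):
        print(pkt, compare_designs(pkt))
```

The difference that matters for security shows up in the second and third packets: with `access-group input ANY`, SMTP and DNS from the DMZ are forwarded un-NATed because the policy-map only classifies ports 80 and 443, while with the ACL as the access-group the same packets are dropped. If the ACE is the only control between the DMZ and the Internet, the second design is the least-privilege choice; if an upstream firewall already filters, the first keeps the ACE out of the filtering role, which is the behaviour Sean's reply describes.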

Similar Messages

  • Anywhere Access interface best practice

    Hello,
    We are setting up Anywhere Access on Windows 2012 AD/DNS with the following configuration;
    Ethernet 1:
    IP: private
    Subnet: 255.255.255.0
    Gateway: Firewall/Router with private IP address 
    DNS: Ethernet 1 IP address
    Ethernet 2:
    IP: public (remote.domain.com - Anywhere 
    Subnet 255.255.255.248
    Gateway: DSL modem with public IP address
    DNS: Ethernet 1 IP address
    Questions:
    1. Considering only one gateway can be defined for multiple interfaces, from the best practices point of view please advise which one should be the gateway out of two underlined gateways:
    Firewall/Router with private IP address or
    DSL modem with public IP address
    2. Considering Ethernet 2 is configured with public IP addresses, please also advise if DNS for Ethernet 2 is correct or it should be public DNS. 
    Thanks.

    Generally the private interface. This one may help.
    Configuring and Customizing Remote Web Access on Windows
    Server 2012 R2 Essentials
    or try them over here.
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserveressentials&filter=alltypes%2Cnoreplies&sort=lastpostdesc
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Access Connections best practice

    I like the idea of having Lenovo Access Connections change the appropriate settings depending on your network location, like turning off wifi when you are cabled.
    Although I often find it to be creating more problems than gains.
    Any general best practice using this tool?
    Regards, Lars.

  • Ftp access docroot best practice

    I have installed WS 7.0, created a dir /docroot with owner:group websrvd:webservd. What is a "good" way to send files to /docroot via ftp? I only ftp over my local lan; access is not allowed outside of the local lan. Should I set up a new user in group webservd with ftp access? OR how do I set up a user for example dummy:staff to be able to write files to /docroot? Thank you, I am trying to figure out what are the best practices.
    Thanks in advance for any assistance.
    Mark.

    Irek,
    This is off subject but I wanted to talk to you about a previous issue that you were having in [This Thread|http://forum.java.sun.com/thread.jspa?messageID=9751068#9751068].
    ireneusz.tarnowski wrote in another thread:
    Hi,
    I've noticed many failures in my error log. I use SJSWS 6.1u7. Some examples are below:
    [04/Jul/2007:11:29:11] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:32:40] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:32:40] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:32:41] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:34:53] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:34:53] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:35:45] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    [04/Jul/2007:11:37:21] failure ( 9310): HTTP3068: Error receiving request from 156.17.73.28 (Connection refused)
    The IP address which is noticed in error line is a router of some NAT in my corporation. I want to tune my webserver and receive all request from this address.
    Any idea?
    Irek
    Did you ever figure out how to fix this issue with the Sun Webserver 6.1 that you had back in July last year with the "Error receiving request from <ip address> (Connection refused)" messages? We are getting the same errors on our Sun ONE / Sun Java System webserver version 6.1 SP6. Please let me know.

  • Access Point Best Practice

    I have 5 access points; what is the best practice for configuring the channels of the access points: all access points on the same channel, or all on different channels? (802.11b/g)
    Thanks

    Hi!
    Use non overlapping channel 1-6-11 on 3
    consecutive AP's.
    eg.
    AP1-Channel 1
    AP2-Channel 6
    AP3-Channel 11
    AP4-Channel 1
    AP5-Channel 6
    plzz take a look:
    http://www.cisco.com/en/US/products/hw/wireless/ps441/products_tech_note09186a00800a86d7.shtml#nonover
    HTH
    -Jai

  • ACE access-list and Passive FTP

    Can servers sitting behind the ACE successfully ftp files if the following rules are in place?
    access-list word line x extended permit tcp source destination eq 21
    access-list word line y extended permit tcp source destination eq 20
    With those lines I can establish an FTP session, but unable to transfer files.
    With the following statement, access-list word line x extended permit ip source destination, passive ftp works?
    Is this because the ACE acl does not allow for stateful inspection of an FTP session?
    Thank you

    You are right, lack of fixup/inspect is the reason for FTP connections to fail.
    You need something in line with the following config:
    class-map match-all FTP-Traffic
      2 match port tcp eq ftp
    policy-map multi-match xyz
      class FTP-Traffic
        inspect ftp
    Syed Iftekhar Ahmed
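An added illustration, not code from this thread or from Cisco: a Python model of why the two static ACEs let the control channel through but not a passive-mode data channel, and what an FTP-aware inspector such as the `inspect ftp` action adds. The FTP replies and addresses are constructed here, and the pinhole logic is a simplified stand-in for real inspection (assumption: one pinhole per PASV/EPSV reply, consumed by the first matching data connection).

```python
import re

# Added example, not the thread's own code: a static ACL for ports 21 and 20
# versus the same ACL with an FTP-aware pinhole table, exercised on one
# passive-mode transfer. The pinhole model is a simplification.

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> data port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# 229 Entering Extended Passive Mode (|||port|)   -> same address as the control channel
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply, server_ip):
    """Return (ip, port) the client will open the data connection to, or None."""
    m = PASV_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        return (server_ip, port) if 0 < port < 65536 else None
    return None


class StaticAcl:
    """The question's two ACEs (tcp ... eq 21, tcp ... eq 20) with the implicit deny."""

    def __init__(self, allowed_dports=(21, 20)):
        self.allowed = set(allowed_dports)

    def observe_control(self, client_ip, server_ip, reply):
        pass  # a plain ACL never looks at the control-channel payload

    def permits(self, src, dst, dport):
        return dport in self.allowed


class FtpInspectingAcl(StaticAcl):
    """Same ACL plus a pinhole table filled by watching control-channel replies,
    which is the job 'inspect ftp' does in the ACE policy-map."""

    def __init__(self, allowed_dports=(21, 20)):
        super().__init__(allowed_dports)
        self.pinholes = set()   # (client_ip, server_ip, data_port)

    def observe_control(self, client_ip, server_ip, reply):
        target = parse_passive_reply(reply, server_ip)
        if target:
            self.pinholes.add((client_ip, target[0], target[1]))

    def permits(self, src, dst, dport):
        if (src, dst, dport) in self.pinholes:
            self.pinholes.discard((src, dst, dport))   # one-shot: used by the data connection
            return True
        return super().permits(src, dst, dport)


def transfer_attempt(acl, client_ip, server_ip, reply):
    """Simulate one passive transfer: control connection to 21, server reply,
    then the client's data connection. Returns (control_allowed, data_allowed)."""
    control_ok = acl.permits(client_ip, server_ip, 21)
    acl.observe_control(client_ip, server_ip, reply)
    target = parse_passive_reply(reply, server_ip)
    data_ok = target is not None and acl.permits(client_ip, target[0], target[1])
    return control_ok, data_ok


# Constructed sample: a host behind the ACE acting as FTP client, external server in documentation space.
CLIENT, SERVER = "10.0.0.25", "203.0.113.10"
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)"   # port 195*256+80 = 50000

if __name__ == "__main__":
    print("static ACL  :", transfer_attempt(StaticAcl(), CLIENT, SERVER, PASV_REPLY))
    print("inspect ftp :", transfer_attempt(FtpInspectingAcl(), CLIENT, SERVER, PASV_REPLY))
```

The data port in a PASV reply is ephemeral, so no fixed port list can cover it; only something that reads the control channel can. A real inspector also has to cope with a PASV reply that advertises a private address (a server behind NAT announcing its inside IP), which FTP application-layer gateways handle by rewriting the reply; this model only opens the pinhole.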

  • APO Cutover - Check lists / Best practices

    Dear colleagues:
    We are in the process of going live in the next few weeks. We have our deployment plans etc. but I would like to learn from other projects on your key lessons learnt. FYI - our scope is APO - DP / SNP / PPDS
    In this context, I request the following from you:
    1) APO Check lists for go-live
    2) Key mistakes to avoid during APO go-live
    Regards,
    Pavan K Vankadaru

    Hi Kumar,
    I agree with Bruce Tanguay's view. The links are removed.
    Suggest you see this recent blog post by Eddy De Clercq: /people/eddy.declercq/blog/2007/06/08/from-the-grumpier-old-man-the-success-of-selfishness
    Your "General Suggestions: Option of attaching documents in the thread" post was moved to the Suggestions and Comments forum; it referred to the "Including attachments with posts" post, which was responded to by the SDN/BPX Ecosystem Manager.
    Thanks,
    Somnath

  • Searching for Best Practice links that work

    Hi,
    past few years I have been able to access SAP Best Practices documents like SAP Best Practices SAP Best Practices for CP and Wholesale Industries
    (this one still works and guides me to the building block and process overview documents!).
    Recently any link I can find to SAP Industry or Baseline Best Practices ends up with a dead link. See for example trying to get from here SAP Best Practices Baseline packages – SAP Help Portal Page
    to Localized for Netherlands V1.607 SAP Best Practices package further below on that page, results in screen shot attached. I have seen that in many more examples (different countries, or in Industry Best Practice Packages instead of Country Baseline packages....)
    Does anyone know whether and how SAP redesigned their access to Best Practices documents (Configuration Guides, eCatts, Scenario Process Overviews etc.)?
    Thanks for your reply.
    Thijs

    Hi, Thijs,
    There is currently a problem with Best Practices on the Help Portal.  On the home page of the portal (http://help.sap.com/) there is a message that reads "Stay Tuned - There are temporary problems when accessing some content types, for example PDF documents or Best Practices. We are working on a solution."
    Our Wholesale Distribution industry group does not manage the Help Portal pages, so, unfortunately, I don't know the status of the problem or when it might be resolved.
    Lynn

  • _h and _v Content, Best Practice

    Hello
    While I am working on the same content of an article as _h and _v, I noticed in _h I added 7 pages while in the _v there are 6 pages,
    and I realised this is not good to get the perfect result.
    So I added one more page in the _v, and started to change the size of the images so the content goes to page 7.
    I was able to do that, and then I noticed that the 14th subtitle in the _h is in the 5th page and the same subtitle in the _v is in the 6th page.
    Is this normal? Or do I have to match the content so the reader, when rotating, will get the same result so he can follow reading?
    regards

  • Business Content Best Practice

    How do we go about evaluating Business Content for a project? Any tips/tricks/best practice used when dealing with Business Content?
    What are the dos and don'ts of Business Content?

    Hi Greg:
    To access the Best Practices using Business Content  do the following:
    1.-Open this URL: http://help.sap.com/bp_bw370/html/index.htm
    2.-Click on the "Preconfigured Scenarios" link.
    3.-Click on the Links to navigate on the different available scenarios and to see the documents you can download (Scenario Documentation, Scenario Installation Guide and Building Blocks).
    *Financials
    -- Financial Accounting Analysis
    -- Controlling Analysis
    -- CO-PA Analysis
    -- Cost Center Planning
    -- Reporting Financials EhP3
    *Customer Relationship Management
    -- Sales Analysis
    -- Cross-Functional Analysis: Financial and Sales Data
    -- Booking Billing Backlog Analysis
    -- Sales Planning
    -- Scheduling Agreements Analysis
    -- CRM Analytics
    *Supply Chain Management
    -- Purchasing Analysis
    -- Manufacturing Analysis
    -- Inventory Analysis
    -- Demand Planning Analysis
    -- Resource and Operation Data Analysis
    *Product Lifecycle Management
    -- Project System - Controlling and Dates
    *Human Capital Management
    -- Cross-Application Time Sheet
    -- Time Management - Time and Labor
    -- Personnel Development - Qualifications
    -- Travel Management - Travel Expenses
    *General
    -- Data Mining - ABC Classification
    Regards,
    Francisco Milán.

  • Best Practice - Removing Old Access-Control Lists from Bug Mitigations

    I was just auditing my Internet router configuration against the NSA Router Security Configuration Guide and came across the old entries below.
    access-list 100 deny   53 any any
    access-list 100 deny   55 any any
    access-list 100 deny   77 any any
    access-list 100 deny   pim any any
    I remember applying them in the dim dark past and tracked it down to this advisory "Cisco IOS Interface Blocked by IPv4 Packets".
    Clearly they've just been propagated when the router and IOS get upgraded.
    My question is should we remove all the old workarounds, and how often do people audit their configs?
    Anything after 12.3 is not vulnerable, so it could safely be removed, but then it doesn't really hurt to leave them since we aren't expecting any of those protocols to be coming from the internet.  There is always the possibility that someone will just copy it to a router with an older vulnerable IOS.
    Obviously there will be a small amount of additional processing overhead on the acl too.
    All comments are welcome.

    I would not worry about processing. As long as you have an ACL applied, 2-3 lines more do not practically cause any extra overhead.
    You can keep the deny lines there and they will not hurt.
    As for how often people audit configs it depends on the policies. I have seen 6 months as the most common time frame.
    I hope it helps.
    PK
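An added helper, not from this thread or from Cisco: a Python audit that finds the four stale deny lines in a saved IOS configuration and reports, against the release parsed from `show version` output, whether they are still needed. The threshold follows the poster's statement that releases after 12.3 are not affected; the configuration text, the version string and the protocol-name table are constructed for the example.

```python
import re

# Added example, not the thread's own code: audit a saved IOS configuration for
# the deny lines left behind by the workaround for the advisory named in the
# thread, and decide from the running release whether they still matter.

ADVISORY = "Cisco IOS Interface Blocked by IPv4 Packets"
# IP protocols the thread's four lines block (IANA keywords; 'pim' is protocol 103).
WORKAROUND_PROTOCOLS = {"53": "SWIPE", "55": "MOBILE", "77": "SUN-ND", "103": "PIM", "pim": "PIM"}
# Threshold as stated in the thread ("anything after 12.3 is not vulnerable").
FIXED_AFTER = (12, 3)

ACE_RE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+any\s+any\s*$")
VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)")


def parse_ios_version(show_version_text):
    """Extract (major, minor) from 'show version' output, e.g. (12, 4) from 'Version 12.4(15)T7'."""
    m = VERSION_RE.search(show_version_text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def find_workaround_aces(config_text):
    """Return the ACL entries that match the workaround pattern: deny <proto> any any."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        m = ACE_RE.match(line)
        if m and m.group(2) == "deny" and m.group(3) in WORKAROUND_PROTOCOLS:
            hits.append({"config_line": n, "acl": m.group(1), "proto": m.group(3),
                         "name": WORKAROUND_PROTOCOLS[m.group(3)], "advisory": ADVISORY})
    return hits


def audit(config_text, show_version_text):
    """Annotate each hit with whether the workaround is still needed on this release.
    An unparsable version is treated as 'keep', the safe default for an audit."""
    version = parse_ios_version(show_version_text)
    hits = find_workaround_aces(config_text)
    for h in hits:
        h["version"] = version
        h["still_needed"] = version is None or version <= FIXED_AFTER
    return hits


# Constructed sample input: the four lines from the thread plus an unrelated entry.
SAMPLE_CONFIG = """
access-list 100 deny   53 any any
access-list 100 deny   55 any any
access-list 100 deny   77 any any
access-list 100 deny   pim any any
access-list 100 permit tcp any any eq 22
"""
SAMPLE_SHOW_VERSION = "Cisco IOS Software, Version 12.4(15)T7, RELEASE SOFTWARE (fc3)"   # constructed

if __name__ == "__main__":
    for hit in audit(SAMPLE_CONFIG, SAMPLE_SHOW_VERSION):
        state = "still needed" if hit["still_needed"] else "candidate for removal"
        print(f"ACL {hit['acl']} line {hit['config_line']}: deny {hit['proto']} ({hit['name']}) -> {state}")
```

Run it against stored configuration and `show version` text rather than on the device; it reports and changes nothing, which fits the thread's point that leaving the lines in place is harmless while removing them is a per-release judgement. Keeping the advisory name in each finding is what lets the next auditor, six months later, see why the line exists without repeating the archaeology.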

  • 2K8 - Best practice for setting the DNS server list on a DC/DNS server for an interface

    We have been referencing the article "DNS: DNS servers on <adapter name> should include their own IP addresses on their interface lists of DNS servers" (http://technet.microsoft.com/en-us/library/dd378900%28WS.10%29.aspx), but there are some parts that are a bit confusing. In particular is this statement:
    "The inclusion of its own IP address in the list of DNS servers improves performance and increases availability of DNS servers. However, if the DNS server is also a domain controller and it points only to itself for name resolution, it can become an island and fail to replicate with other domain controllers. For this reason, use caution when configuring the loopback address on an adapter if the server is also a domain controller. The loopback address should be configured only as a secondary or tertiary DNS server on a domain controller."
    The paragraph switches from using the term "its own IP address" to "loopback address". This is confusing because technically they are not the same. Loopback addresses are 127.0.0.1 through 127.255.255.255. The resolution section then goes on and adds the "loopback address" 127.0.0.1 to the list of DNS servers for each interface.
    In the past we always set up DCs to use their own IP address as the primary DNS server, not 127.0.0.1. Based on my experience and reading the article I am under the impression we could use the following setup.
    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  127.0.0.1
    I guess the secondary and tertiary addresses could be swapped based on the article. Is there a document that provides clearer guidance on how to set up the DNS server list properly on Windows 2008 R2 DC/DNS servers? I have seen some other discussions that talk about the pros and cons of using another DC/DNS as the Primary. MS should have clear guidance on this somewhere.

    Actually, my suggestion, which seems to be the mostly agreed method, is:
    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  empty
    The tertiary more than likely won't be hit (besides it being superfluous, and the list will reset back to the first one) due to the client side resolver algorithm time out process, as I mentioned earlier. Here's a full explanation on how it works and why:
    This article discusses:
    WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB).
    The DNS Client Side Resolver algorithm.
    If one DC or DNS goes down, does a client logon to another DC?
    DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders)
    Client side resolution process chart
    http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
    DNS
    Client side resolver service
    http://technet.microsoft.com/en-us/library/cc779517.aspx 
    The DNS Client Service Does Not Revert to Using the First Server in the List in Windows XP
    http://support.microsoft.com/kb/320760
    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    I agree with this proposed solution as well:
    Primary DNS:  Locally assigned IP of the DC (i.e. 192.168.1.5)
    Secondary DNS: The assigned IP of another DC (i.e. 192.168.1.6)
    Tertiary DNS:  empty
    One thing to note, in this configuration the Best Practice Analyzer will throw the error:
    The network adapter Local Area Connection 2 does not list the loopback IP address as a DNS server, or it is configured as the first entry.
    Even if you add the loopback address as a Tertiary DNS address the error will still appear. The only way I've seen this error eliminated is to add the loopback address as the second entry in DNS, so:
    Primary DNS:  The assigned IP of another DC (i.e. 192.168.1.6)
    Secondary DNS: 127.0.0.1
    Tertiary DNS:  empty
    I'm not comfortable not having the local DC/DNS address listed so I'm going with the solution Ace offers.
    Opinion?

  • HTTP/HTTPS on the same ACE VIP - best practice

    I currently have a VIP representing one server farm that contains two http servers:-
    class-map match-all VIP-HTTP-xxxxx.co.uk
      2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-xxxxx.co.uk
      2 match virtual-address 10.79.18.10 tcp eq https
    I have port 80 and 443 open on the VIP and SSL termination performed on the ACE (both http servers are the same and configured for default load balancing behaviour - I've also specified port 80 for ACE to server traffic). Having 80 and 443 on the same VIP (meaning the site can be accessed via one NAT'd external IP) came from a request from the business so the site can have one domain.
    The majority of the http server(s) web content is standard http but there is a specific sub-directory of interactive forms that requires https termination.
    I have a couple of queries with regards to URL re-writes:-
    1) Is the SSL URL re-write functionality limited to just the host part of the URL or can the ACE enforce https for specific sub-directories, i.e. can the ACE intercept and re-write a URL if a user tries to go to a particular https page/directory using http (by just deleting the s from the URL within their browser)? A possible example being:-
    ssl url rewrite location "www\.cisco\.com\secure-forms"
    2) Can the ACE re-direct users back to a standard http page if they try to 'secure' their session by changing http to https within their browser (basically the opposite of the above).
    Basically as I have 80 and 443 on the same VIP I'm interested in the best practice methods of enforcing http and https content segregation using just the ACE (as opposed to having Apache doing the re-writes, etc).
    Web services functionality (in terms of SSL and URL re-writes) has traditionally fallen within the domain of a dedicated web development team (who use Apache, Tomcat, etc.) but the introduction of the ACE as a load balancing appliance that is primarily managed by the networks team but with functionality that crosses traditional team boundaries has resulted in lots of questions from web development around what functionality can be moved from Apache, etc. and onto the ACE?
    Any advice or personal experiences would be gratefully received.
    Thanks
    Matthew

    Back again!
    Could someone possibly cast their eye over the following config?
    The only bit I'm not sure on (syntactically and whether it can even be done on the ACE) is how to specify a DO NOT match regular expression, i.e. how to capture https URLs that do not match my secure pages so I can re-direct the request back to the normal http URL (class-map type http loadbalance Non-Secure_Pages). What I'd like to avoid is re-directing requests that don't need to be, i.e. re-directing all requests that don't match /secure back to http when the majority will be correctly going to a normal http URL :-
    rserver host server1
      description *** HTTP server 1 ***
      ip address 10.100.194.2
      inservice
    rserver host server2
      description *** HTTP server 2 ***
      ip address 10.100.194.3
      inservice
    rserver redirect REDIRECT_TO_HTTPS
      webhost-redirection https://www.website.co.uk/%p 302
      inservice
    rserver redirect REDIRECT_TO_HTTP
      webhost-redirection http://www.website.co.uk/%p 302
      inservice
    class-map type http loadbalance Secure_Pages
      match http url /secure.*
    class-map type http loadbalance Non-Secure_Pages
      *** DO NOT *** match http url /secure.*
    class-map match-all VIP-HTTP-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq www
    class-map match-all VIP-SSL-website.co.uk
      2 match virtual-address 10.79.18.10 tcp eq https
    policy-map type loadbalance first-match VIP-LB-HTTP-website.co.uk
      class Secure_Pages
        serverfarm REDIRECT_TO_HTTPS
      class class-default
        serverfarm serverfarm-website.co.uk
    policy-map type loadbalance first-match VIP-LB-SSL-website.co.uk
      class Non-Secure_Pages
        serverfarm REDIRECT_TO_HTTP
      class class-default
        serverfarm serverfarm-website.co.uk
    serverfarm host serverfarm-website.co.uk
      failaction purge
      rserver server1 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
      rserver server2 80
        probe PING_SERVER
        probe http-website.co.uk
        inservice
    serverfarm redirect REDIRECT_TO_HTTPS
      rserver REDIRECT_TO_HTTPS
        inservice
    serverfarm redirect REDIRECT_TO_HTTP
      rserver REDIRECT_TO_HTTP
        inservice
    many thanks
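An added model, not configuration from the post or from Cisco: Python that evaluates the two first-match policies for sample URLs. For the HTTPS VIP it uses class ordering instead of a negated regex (Secure_Pages matched first and served, class-default redirected), which is one way to get the "everything except /secure" behaviour the post asks for without a "DO NOT match" class; whether the ACE regex syntax accepts a negated pattern is not something the post settles, and this example does not depend on it. The `%p` substitution, the redirect-following loop and the sample URLs are assumptions of this model.

```python
import re
from urllib.parse import urlsplit

# Added example, not the post's own configuration. It models
# 'policy-map type loadbalance first-match' as an ordered list of
# (class, action) pairs and follows redirects between the two VIP policies.


class UrlClass:
    """class-map type http loadbalance with one 'match http url REGEX'; pattern None = class-default."""

    def __init__(self, name, pattern=None):
        self.name = name
        self.regex = re.compile(pattern) if pattern else None

    def matches(self, path):
        return self.regex is None or self.regex.match(path) is not None


def first_match(policy, path):
    """Action of the first class that matches (first-match semantics)."""
    for cls, action in policy:
        if cls.matches(path):
            return action
    return None


def redirect(template, path):
    """Assumed substitution for the post's '%p' placeholder: the requested path."""
    return template.replace("%p", path.lstrip("/"))


SECURE = UrlClass("Secure_Pages", r"/secure.*")
DEFAULT = UrlClass("class-default")

SERVE = ("serverfarm", "serverfarm-website.co.uk")
# HTTP VIP: as in the post, /secure goes to the HTTPS redirect, the rest is served.
POLICY_HTTP = [
    (SECURE, ("redirect", "https://www.website.co.uk/%p")),
    (DEFAULT, SERVE),
]
# HTTPS VIP: class ordering instead of the 'DO NOT match' class in the post.
# Secure pages are served; everything else falls to class-default and is sent back to HTTP.
POLICY_HTTPS = [
    (SECURE, SERVE),
    (DEFAULT, ("redirect", "http://www.website.co.uk/%p")),
]


def handle(url, max_hops=5):
    """Follow the VIPs' redirects until a request is served; returns (final_url, redirects_taken).
    The hop limit turns a misordered policy into an error instead of an endless bounce."""
    hops = 0
    while True:
        parts = urlsplit(url)
        policy = POLICY_HTTPS if parts.scheme == "https" else POLICY_HTTP
        kind, target = first_match(policy, parts.path)
        if kind == "serverfarm":
            return url, hops
        url = redirect(target, parts.path)
        hops += 1
        if hops > max_hops:
            raise RuntimeError(f"redirect loop for {url}")


if __name__ == "__main__":
    # Constructed sample URLs.
    for u in ("http://www.website.co.uk/secure/form1",
              "https://www.website.co.uk/secure/form1",
              "http://www.website.co.uk/news/index.html",
              "https://www.website.co.uk/news/index.html",
              "http://www.website.co.uk/securely-not-secure"):
        print(u, "->", handle(u))
```

The last sample URL shows the caveat with the post's pattern: `/secure.*` also matches `/securely-not-secure`, so a prefix anchored with its trailing slash (`/secure/.*`) is the safer pattern whenever unrelated paths can begin with the same letters. The model also ignores the query string; if forms are reached with parameters, check what the redirect template preserves before relying on it.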

  • IOS XR deny ace not supported in access list

    Hi everybody,
    We have a 10G interface, an MPLS trunk between one ASR 9010 and a 7613, and the first thing we do is shape the interface output to 2G through a policy-map TK-MPLS_TG:
    interface TenGigE0/3/0/0
     cdp
     mtu 1568
     service-policy output TK-MPLS_TG
     ipv4 address 172.16.19.134 255.255.255.252
     mpls
      mtu 1568
    policy-map TK-MPLS_TG
    class class-default
      service-policy TK-MPLS_EDGE-WAN
      shape average 2000000000 bps
      bandwidth 2000000 kbps
    and we have the policy TK-MPLS_EDGE-WAN as a service-policy inside; this new policy helps us to assign bandwidth percent to 5 class-maps, which in turn match the experimental values classified when they got into the router:
    class-map match-any W_RTP
     match mpls experimental topmost 5
     match dscp ef
     end-class-map
    class-map match-any W_EMAIL
     match mpls experimental topmost 1
     match dscp cs1
     end-class-map
    class-map match-any W_VIDEO
     match mpls experimental topmost 4 3
     match dscp cs3 cs4
     end-class-map
    class-map match-any W_DATOS-CR
     match mpls experimental topmost 2
     match dscp cs2
     end-class-map
    class-map match-any W_AVAIL
     match mpls experimental topmost 0
     match dscp default
     end-class-map
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      bandwidth percent 2
    class class-default
    end-policy-map
    What we want to do is to assign a specific bandwidth to the proxy on the output using the class W_AVAIL; the proxy is 150.2.1.100. We have an additional requirement, which is not to apply this "rate" to some networks (we are going to list only 4 in the example), so what we did was a new policy-map with a new class-map and a new ACL:
    ipv4 access-list PROXY-GIT-MEX
    10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
    20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
    30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
    40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
    50 permit tcp host 150.2.1.100 any
    60 permit tcp host 10.15.221.100 any
    policy-map EDGE-MEX3-PXY
     class C_PXY-GIT-MEX3
      police rate 300 mbps
     class class-default
     end-policy-map
    class-map match-any C_PXY-GIT-MEX3
     match access-group ipv4 PROXY-GIT-MEX
     end-class-map
    We assign a police rate of 300 mbps to the class inside the policy EDGE-MEX3-PXY and finally we put this new policy inside the class W_AVAIL of the policy TK-MPLS_EDGE-WAN:
    policy-map TK-MPLS_EDGE-WAN
    class W_RTP
      bandwidth percent 5
    class W_VIDEO
      bandwidth percent 5
    class W_DATOS-CR
      bandwidth percent 30
    class W_EMAIL
      bandwidth percent 15
    class W_AVAIL
      service-policy EDGE-MEX3-PXY
    class class-default
    end-policy-map
    and we get this:
    Wed Sep 17 18:35:36.537 UTC
    % Failed to commit one or more configuration items during a pseudo-atomic operation. All changes made have been reverted. Please issue 'show configuration failed' from this session to view the errors
    RP/0/RSP1/CPU0:ED_MEX_1(config-pmap-c)#show configuration failed
    Wed Sep 17 18:35:49.662 UTC
    !! SEMANTIC ERRORS: This configuration was rejected by
    !! the system due to semantic errors. The individual
    !! errors with each failed configuration command can be
    !! found below.
    !!% Deny ace not supported in access-list: InPlace Modify Error: Policy TK-MPLS_TG: 'km' detected the 'warning' condition 'Deny ace not supported in access-list'
    end
    Any kind of help is very appreciated.

    That is correct; due to the way the class-matching is implemented in the TCAM, only permit statements in an ACL can be used for QoS class-matching based on ACL.
    Unfortunately, you'll need to redefine the policy class match in such a way that it takes the permit only.
    If you have some traffic that you want to exclude you could do something like this:
    access-list PERMIT-ME
    1 permit
    2 permit
    3 permit
    access-list DENY-ME
    !the exclude list
    1 permit
    2 permit
    3 permit
    policy-map X
    class DENY-ME
    <dont do anything> or set something rogue (like qos-group)
    class PERMIT-ME
    do here what you wanted to do as earlier.
    Even though the permit and deny may be overlapping in terms of match, only the first class is matched here, DENY-ME.
    cheers!
    xander
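An added example, not code from this thread or from Cisco: Python that parses the poster's IOS XR ACL, rewrites it into the two permit-only lists the reply describes, and checks on constructed sample packets that the ordered classes (exclude class first with no action, permit class second with the policer) select exactly the packets the original mixed ACL was meant to select. The `Packet` type, the sample packets and the equivalence check are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not the thread's own code. It parses the poster's IOS XR ACL,
# rewrites it into the two permit-only lists the reply describes, and checks on
# sample packets that class ordering (exclude class first, no action; permit
# class second, policed) classifies the same packets the original ACL intended.


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", ...
    src: str
    dst: str


def _endpoint(tokens, i):
    """IOS XR endpoint: 'any' | 'host A' | 'A WILDCARD' (wildcard masks, not subnet masks)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":            # all-zero wildcard is a single host
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":    # all-ones wildcard means any
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # ipaddress reads a dotted mask whose first field is zero as a hostmask (wildcard).
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_xr_acl(text):
    """Return [(seq, action, proto, src_net, dst_net)] from 'ipv4 access-list' body lines."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].isdigit() or t[1] not in ("permit", "deny"):
            continue
        src, i = _endpoint(t, 3)
        dst, _ = _endpoint(t, i)
        entries.append((int(t[0]), t[1], t[2], src, dst))
    return sorted(entries, key=lambda e: e[0])


def _ace_matches(entry, pkt):
    _, _, proto, src, dst = entry
    return (proto in ("ipv4", pkt.proto)
            and ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst)


def acl_intends_match(entries, pkt):
    """What the poster meant by the mixed ACL: first match wins, a deny hit means 'not this class'."""
    for e in entries:
        if _ace_matches(e, pkt):
            return e[1] == "permit"
    return False


def split_permit_only(entries):
    """Build the two permit-only ACLs from the reply: denies become the exclude list,
    permits the include list. order_ok reports whether every deny precedes every permit
    in the original; only then is 'exclude class first' equivalent to the original order."""
    exclude = [(s, "permit", p, a, b) for s, act, p, a, b in entries if act == "deny"]
    include = [e for e in entries if e[1] == "permit"]
    order_ok = (not exclude or not include
                or max(e[0] for e in exclude) < min(e[0] for e in include))
    return exclude, include, order_ok


def classify(exclude, include, pkt):
    """policy-map with class EXCLUDE first (no action) and class INCLUDE second (police): class hit."""
    if any(_ace_matches(e, pkt) for e in exclude):
        return "EXCLUDE"
    if any(_ace_matches(e, pkt) for e in include):
        return "INCLUDE"
    return "class-default"


# The ACL body from the thread.
XR_ACL = """
10 deny ipv4 host 150.2.1.100 10.15.142.0 0.0.0.255
20 deny ipv4 host 150.2.1.100 10.15.244.0 0.0.0.255
30 deny ipv4 host 150.2.1.100 10.18.52.0 0.0.0.127
40 deny ipv4 host 150.2.1.100 10.16.4.0 0.0.0.255
50 permit tcp host 150.2.1.100 any
60 permit tcp host 10.15.221.100 any
"""
ENTRIES = parse_xr_acl(XR_ACL)
EXCLUDE, INCLUDE, ORDER_OK = split_permit_only(ENTRIES)


def rewrite_agrees(pkt):
    """True when the ordered-class rewrite polices exactly the packets the original ACL would have permitted."""
    return acl_intends_match(ENTRIES, pkt) == (classify(EXCLUDE, INCLUDE, pkt) == "INCLUDE")


if __name__ == "__main__":
    # Constructed sample packets.
    for pkt in (Packet("tcp", "150.2.1.100", "10.15.142.7"),     # excluded subnet
                Packet("tcp", "150.2.1.100", "10.18.52.200"),    # outside the /25 exclusion
                Packet("udp", "150.2.1.100", "10.1.1.1"),        # not tcp: neither class
                Packet("tcp", "10.15.221.100", "10.15.142.7")):  # second proxy, no exclusion
        print(pkt, classify(EXCLUDE, INCLUDE, pkt), rewrite_agrees(pkt))
```

`ORDER_OK` is the check worth keeping: the rewrite is only equivalent when every deny in the original ACL precedes every permit, as in the poster's list. If the original interleaved permits and denies, a packet matching both would get a different first-match result, and the exclude/include split would have to follow that interleaving with more than two classes.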

  • Looking for some best practice regarding Content Administrator access

    Hi. I am looking for some best practice or rule of thumb from SAP or from different companies on how they address Portal Content Administrator access in the Production environment. Basically, our company is implementing the portal to work with SAP BW. We are on SP 9. I am trying to determine if we should have 1-2 Portal Content Administrators in Production with 24/7 access or we should limit them from having this. Can you share with me some ideas of what is right and what is not?
    Should we have access in Production? Or should we have this access but limited? By the way, our users are allowed to publish BI reports/queries into Production.

    Hello Michael,
    Refer to this guide about managing initial content in portal.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00bfbf7c-7aa1-2910-6b9e-94f4b1d320e1
    Regards
    Deb
    [Reward Points for helpful answers]
