Acl issue in L3 Switch SVI

Hi
I hope a number of issues like this might have been reported already. I am getting confused about the direction of an ACL when it is on a router's physical interface versus when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input, please.
I have a L3 switch with 3 vlans
Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connect to another router some where in in another network on 172.16.1.1/24)
Vlan 10 - Server-Vlan - 172.16.10.1/24
Vlan 11 - User-Vlan - 172.16.11.1/24
I want to allow only a specific network to come inside my network and access all the subnets; everything else must be blocked.
I want everyone in my network to be able to access anything outside the network.
I tried to configure the ACL as below:
access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip access-group 101 in
When I am trying from outside (172.16.100.1):
Ping 172.16.10.1 - Good (expected)
Ping 172.16.11.1 - NOT (expected)
When I am trying to ping from inside the Server-Vlan (172.16.10.1):
Ping 172.16.100.1 - Good
The problem:
When I am trying to ping from inside the User-Vlan (172.16.11.1) out to 172.16.100.1, I am not getting a reply.
What is going wrong in this scenario?
Regards,
Sunny

Hi Jon,
I was working on the ACL for the above issue. I have found the below things:
interface Vlan1
 description Routing vlan
 ip address 172.16.1.1 255.255.255.0
 ip access-group 110 in
interface Vlan10
 description server vlan
 ip address 172.16.10.1 255.255.255.0
interface Vlan11
 description Users
 ip address 172.16.11.1 255.255.255.0
 ip access-group 100 in
The ACLs applied on VLAN 10 and 11 are inbound in direction, so, as we mentioned before, the traffic coming from each VLAN (172.16.10.x or 172.16.11.x) can be filtered at the SVI itself. In fact I needed to put the statement below in bold to be able to ping its own gateway.
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
! the line referred to above: lets VLAN 11 hosts reach addresses in their own subnet, including the SVI gateway 172.16.11.1
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
And for filtering the traffic coming from outside, I had to put the ACL on interface Vlan 1 and apply it in the INBOUND direction.
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
What I understood:
For VLAN 10 or 11: if I apply it outbound, it means the traffic coming from outside and destined to the inside of that VLAN.
For VLAN 10 or 11: if I apply it inbound, it means the traffic coming from inside of that VLAN and destined to outside.
But for Vlan 1, which is the routing VLAN connecting to the other network, the behaviour is just the reverse:
If I apply it inbound, it means the traffic coming into that VLAN interface from outside.
If I apply it outbound, it means the traffic that is going out through that interface.
So I didn't apply any ACL in the outbound direction as of now.
Dear Jon, thanks for taking the time to describe the scenario in detail before.
Please check this and let me know whether my conclusion is correct or there is anything left to go over again...!!!
Thanks and Regards
Sunny
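As an added illustration (not part of Sunny's or Jon's posts), the Python script below models the switch from both posts: the first configuration with ACL 101 inbound on Vlan 1, and the second with ACL 110 inbound on Vlan 1 and ACL 100 inbound on Vlan 11. It applies one rule in both cases: an "in" ACL is evaluated on the SVI a packet enters the switch through, an "out" ACL on the SVI it leaves through, and an ACL with no matching line ends in an implicit deny. Assumptions that are mine, not the posts': Vlan 1 is the only path to networks that are not directly connected, the host addresses 172.16.10.20, 172.16.11.20 and the outside network 172.16.200.0/24 are constructed, and every packet is treated as transit traffic (the posts ping the SVI addresses themselves; the Vlan 1 inbound check that drops the reply applies the same way to traffic addressed to the switch).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    """One entry of an extended ACL: '<action> ip <src> <wildcard> <dst> <wildcard>'."""
    action: str
    src: str   # "network wildcard", written the way IOS expects it
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    net, wild = spec.split()
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate_acl(acl: List[Ace], src: str, dst: str) -> str:
    """First matching line wins; no match means the implicit deny at the end."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


@dataclass
class Svi:
    name: str
    subnet: ipaddress.IPv4Network
    acl_in: Optional[str] = None    # ip access-group <acl> in
    acl_out: Optional[str] = None   # ip access-group <acl> out


@dataclass
class L3Switch:
    acls: Dict[str, List[Ace]]
    svis: List[Svi]
    uplink: str   # assumption: SVI through which every non-connected prefix is reached

    def _svi_for(self, addr: str) -> Svi:
        ip = ipaddress.IPv4Address(addr)
        for svi in self.svis:
            if ip in svi.subnet:
                return svi
        return next(s for s in self.svis if s.name == self.uplink)

    def forward(self, src: str, dst: str) -> Tuple[str, str]:
        """One transit packet: 'in' ACL on the ingress SVI, then 'out' ACL on the egress SVI."""
        ingress, egress = self._svi_for(src), self._svi_for(dst)
        if ingress.acl_in and evaluate_acl(self.acls[ingress.acl_in], src, dst) == "deny":
            return "deny", f"acl {ingress.acl_in} in on {ingress.name}"
        if egress.acl_out and evaluate_acl(self.acls[egress.acl_out], src, dst) == "deny":
            return "deny", f"acl {egress.acl_out} out on {egress.name}"
        return "permit", f"{ingress.name} -> {egress.name}"

    def ping(self, src: str, dst: str) -> str:
        """Echo request one way, echo reply the other way; both must be permitted."""
        verdict, where = self.forward(src, dst)
        if verdict == "deny":
            return f"request dropped by {where}"
        verdict, where = self.forward(dst, src)
        if verdict == "deny":
            return f"reply dropped by {where}"
        return "reply"


def _svis(**acl_in: str) -> List[Svi]:
    nets = {"Vlan1": "172.16.1.0/24", "Vlan10": "172.16.10.0/24", "Vlan11": "172.16.11.0/24"}
    return [Svi(n, ipaddress.IPv4Network(c), acl_in=acl_in.get(n)) for n, c in nets.items()]


def first_config() -> L3Switch:
    """The first post: ACL 101 inbound on Vlan 1 and nothing else."""
    acls = {"101": [Ace("permit", "172.16.100.0 0.0.0.255", "172.16.10.0 0.0.0.255")]}
    return L3Switch(acls, _svis(Vlan1="101"), uplink="Vlan1")


def second_config(gateway_line: bool = True) -> L3Switch:
    """The second post: ACL 110 inbound on Vlan 1, ACL 100 inbound on Vlan 11.
    gateway_line=False leaves out the 172.16.11.0 -> 172.16.11.0 line."""
    acl100 = [Ace("permit", "172.16.11.0 0.0.0.255", f"172.16.{d}.0 0.0.0.255")
              for d in (10, 11, 100, 101) if gateway_line or d != 11]
    acl110 = [Ace("permit", f"172.16.{s}.0 0.0.0.255", f"172.16.{d}.0 0.0.0.255")
              for s in (100, 101) for d in (10, 11)]
    return L3Switch({"100": acl100, "110": acl110}, _svis(Vlan1="110", Vlan11="100"), uplink="Vlan1")


if __name__ == "__main__":
    # constructed host addresses; 172.16.100.1 is the outside host from the posts
    print("first config, user host -> outside:", first_config().ping("172.16.11.20", "172.16.100.1"))
    print("second config, user host -> outside:", second_config().ping("172.16.11.20", "172.16.100.1"))
    print("second config without the 11.0 -> 11.0 line, host -> gateway:",
          second_config(gateway_line=False).ping("172.16.11.20", "172.16.11.1"))
```

Running it shows the first post's symptom: the echo request from a User-Vlan host leaves through Vlan 1 untouched, but the reply from 172.16.100.1 arrives inbound on Vlan 1, where ACL 101 only permits a destination in 172.16.10.0/24, so the implicit deny drops it. With the second configuration the same ping gets a reply, and dropping the 172.16.11.0 -> 172.16.11.0 line from ACL 100 makes the inbound check on Vlan 11 drop a host's ping to its own gateway, which is the line the second post had to add.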

Similar Messages

  • Refresh issue in LOV Switcher

    Guys,
    I am facing an issue with LOV Switcher.
    Let me explain the scenario:
    I have search page (SearchPage.jsff), i have created page (CreateEditPage.jsff).
    CreatePage.jsff has a LOV (the LOV is implemented using LOV switcher; it displays either LOV 1 or LOV 2 depending on the attribute in the view object).
    1. I navigate from SearchPage.jsff to CreateEditPage.jsff. As per the logic, Lov 1 is displayed. (as expected)
    2. Now I am back at SearchPage.jsff, and again navigate to CreateEditPage.jsff. As per the logic, LOV 2 is displayed. (as expected)
    3. Now I am back at SearchPage.jsff, and again navigate to CreateEditPage.jsff. As per the logic, LOV 1 should be displayed, but it is displaying LOV 2. (When I refresh the page using F5, the proper LOV is displayed.)
    There seems to be some issue with the LOV refresh.
    Has anybody faced a similar issue?
    Any suggestions are welcome....

    Would this help you:
    http://jobinesh.blogspot.com/2011/09/programmatically-switching-lov-queries.html

  • Experiencing issues with 2960X switch

    Hi there.
    We are experiencing issues with a 2960X switch losing the ability to recognise the modules that are inserted in SFP ports.
    Initially, the modules are recognised, usable and will happily participate in cross-stack etherchannels. However, after a period of time (and this ranges from a couple of hours to a few days) the links go down on the 2960X side but are still registered as up at the other end of the etherchannel.
    2960X stack  1      Po1(SD)         LACP      Gi3/0/49(D) Gi3/0/51(D)
    3750G stack  2      Po2(SD)         LACP      Gi1/0/23(I) Gi2/0/22(I)
    When the link fails, the member switch loses the ability to identify modules inserted: it knows they are there, but it cannot identify them. Having a look at the controller for one of them, it's having trouble; see below:
    sh controllers ethernet-controller gi3/0/49 phy detail
    GigabitEthernet3/0/49 (gpn: 457, port-number: 49)
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    A 'sh int' gives:
    Auto-duplex, Auto-speed, link type is auto, media type is unknown.
    Reboot the stack or just the member and everything resets and works again, for a period of time. I've swapped from compatible to Cisco-brand modules in between restarts and it doesn't prevent the issue recurring.
    The slots all fail at the same time and once they're in the error state, that switch has to be restarted before it will recognise anything inserted in any slot.
    I have this issue on two separate stacks in two different sites. We're running 15.0(2)EX4.
    Has anyone seen anything like this? I'm particularly interested in this, which I've seen using the sh controllers command and on the console once after a reboot: hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    Any thoughts would be greatly appreciated.
    Aid

    Hi Team
    We have a case where a GLC-T with a Catalyst 2960 hangs; it can't work.
    We reloaded the switch but it's the same (GLC-T with Catalyst 2960 hangs)
    and used the commands below:
    Switch97#
    Switch97#
    Switch97#sh int gi 1/0/26 transceiver 5 transceiver de
    Switch97#sh int gi 1/0/25 transceiver detail 
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 0 yeti_iic_read_retry failDiagnostic Monitoring is not implemented.
    Switch97#
    Switch97#
    Switch97#sh int gi 1/0/25 transceiver detail 6 transceiver        de
    Switch97#sh int gi 1/0/26 transceiver detail 
    hulc_sfp_iic_intf_read_eeprom sfp _index 1 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 1 yeti_iic_read_retry fail
    hulc_sfp_iic_intf_read_eeprom sfp _index 1 yeti_iic_read_retry failDiagnostic Monitoring is not implemented.
    We tried IOS software EX3, EX4, EX5 and 15-2.2 but couldn't solve the problem.
    Please advise me on this case.

  • Flex connect with a per user ACL with APs locally switched

    Hi all,
    Does FlexConnect allow a per-user ACL to be downloaded to the session with local switching and central authentication? We are using ISE as the central policy engine and have set up dACLs for wired, but I am about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
    Second question: if the FlexConnect APs don't do any form of per-user ACL, the other option is to have the units in regular mode, where they are both centrally switched and centrally authenticated, which I understand supports a per-user ACL. Our WAN links are between 10 Mbps and 30 Mbps and the most latency would be around 40 ms. Will this cause issues at all with that size of WAN links and latency?
    Thanks
    Sent from Cisco Technical Support iPad App

    Well, you are running v7.6, so FlexConnect per-user RADIUS ACLs are supported per this doc since v7.5.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
    As far as WAN latency goes, 200 ms is good, but it depends on your WAN utilization now, how many APs you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth, or else you will need to QoS the CAPWAP traffic to ensure the APs don't bounce from connected to standalone.
    Sent from Cisco Technical Support iPhone App

  • Roaming issue - Layer 2 switch CAM table updates

    Hi,
    We have a setup with 2 WLC2500s and 10 1041 LAPs distributed over various sites (2 or 3 per site), using HREAP (local switching, central auth) and AP Groups for grouping the APs on each site.
    On one site everything works fine: roaming is done correctly and the client can communicate immediately after the roaming process. But on another site we found that if we roam between the 2 APs, even though the client gets connected to the AP, it takes about 300 seconds (5 minutes) for the client to get traffic forwarding.
    Here I'm attaching the debug session for client and l2roam:
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Association received from mobile on AP 50:06:04:2a:4a:10
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying site-specific IPv6 override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying IPv6 Interface Policy for station 9c:02:98:8e:c6:5d - vlan 0, interface id 0, interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Applying site-specific override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d STA - rates (8): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d STA - rates (12): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Processing WPA IE type 221, length 22 for mobile 9c:02:98:8e:c6:5d
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d apfMsRunStateDec
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d apfMs1xStateDec
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Initializing policy
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Change state to AUTHCHECK (2) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) DHCP required on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1for this client
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_2: Jun 13 11:27:59.198: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:4a:10 from Associated to Associated
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d Sending Assoc Response to station on BSSID 50:06:04:2a:4a:10 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_2: Jun 13 11:27:59.199: 9c:02:98:8e:c6:5d apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:4a:10 from Associated to Associated
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Creating a PKC PMKID Cache entry for station 9c:02:98:8e:c6:5d (RSN 0)
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Initiating WPA PSK to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d dot1x - moving mobile 9c:02:98:8e:c6:5d into Force Auth state
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Skipping EAP-Success to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Starting key exchange to mobile 9c:02:98:8e:c6:5d, data packets will be dropped
    *dot1xMsgTask: Jun 13 11:27:59.247: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Received EAPOL-key in PTK_START state (message 2) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.316: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.317: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d apfMs1xStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) DHCP required on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1for this client
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 50:06:04:2a:4a:10 vapId 3 apVapId 1
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d apfMsRunStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d associated
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Reached PLUMBFASTPATH: from line 4918
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Key exchange done, data packets from mobile 9c:02:98:8e:c6:5d should be forwarded shortly
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.375: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
    *ccxL2RoamTask: Jun 13 11:27:59.376: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d has unsupported CCX version 0 in [l2roamProcessClientAssociation]
    *spamApTask1: Jun 13 11:27:59.418: 9c:02:98:8e:c6:5d Sent EAPOL-Key M5 for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:27:59.486: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *ccxL2RoamTask: Jun 13 11:28:16.823: Neighbor List for LRAD 50:06:04:2a:db:80,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *ccxL2RoamTask: Jun 13 11:28:16.823: 00000000: 00 36 33 81 84 a6 c8 ac  d7 71 50 06 04 2a db 80  .63......qP..*..
    *ccxL2RoamTask: Jun 13 11:28:16.823: 00000010: 28 11 50 06 04 2a db 80  0b 00 06 01 06 ab 11 11  (.P..*..........
    *ccxL2RoamTask: Jun 13 11:28:16.823: 00000020: 03 b8 02 28 11 50 06 04  2a 4a 10 01 00 07 01 06  ...(.P..*J......
    *ccxL2RoamTask: Jun 13 11:28:16.823: 00000030: ab 10 11 03 b8 02                                 ......
    *ccxL2RoamTask: Jun 13 11:28:47.441: Neighbor List for LRAD 50:06:04:2a:e0:40,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *ccxL2RoamTask: Jun 13 11:28:47.442: 00000000: 00 49 33 81 00 23 14 84  0d 64 50 06 04 2a e0 40  .I3..#...dP..*.@
    *ccxL2RoamTask: Jun 13 11:28:47.442: 00000010: 28 11 50 06 04 2a e0 40  0b 00 06 01 06 ab 11 11  (.P..*.@........
    *ccxL2RoamTask: Jun 13 11:28:47.442: 00000020: 03 b8 02 28 11 50 06 04  2a de 70 01 00 07 01 06  ...(.P..*.p.....
    *ccxL2RoamTask: Jun 13 11:28:47.442: 00000030: ab 10 11 03 b8 02 28 11  50 06 04 2a 47 20 06 00  ......(.P..*G...
    *ccxL2RoamTask: Jun 13 11:28:47.442: 00000040: 07 01 06 ab 10 11 03 b8  02                       .........
    *ccxL2RoamTask: Jun 13 11:29:27.832: Neighbor List for LRAD 50:06:04:2a:db:80,  Slot 1 not found in [l2roamGetNeighborListForSlot].
    *ccxL2RoamTask: Jun 13 11:29:27.832: 00000000: 00 36 33 81 84 a6 c8 ac  d7 71 50 06 04 2a db 80  .63......qP..*..
    *ccxL2RoamTask: Jun 13 11:29:27.832: 00000010: 28 11 50 06 04 2a db 80  0b 00 06 01 06 ab 11 11  (.P..*..........
    *ccxL2RoamTask: Jun 13 11:29:27.832: 00000020: 03 b8 02 28 11 50 06 04  2a 4a 10 01 00 07 01 06  ...(.P..*J......
    *ccxL2RoamTask: Jun 13 11:29:27.832: 00000030: ab 10 11 03 b8 02                                 ......
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Reassociation received from mobile on AP 50:06:04:2a:db:80
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying site-specific IPv6 override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying IPv6 Interface Policy for station 9c:02:98:8e:c6:5d - vlan 0, interface id 0, interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Applying site-specific override for station 9c:02:98:8e:c6:5d - vapId 3, site 'PRUVIA', interface 'management'
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1626)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d STA - rates (8): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d STA - rates (12): 2 4 11 22 164 48 72 108 12 18 24 96 0 0 0 0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Processing WPA IE type 221, length 22 for mobile 9c:02:98:8e:c6:5d
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Deleted mobile LWAPP rule on AP [50:06:04:2a:4a:10]
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Updated location for station old AP 50:06:04:2a:4a:10-0, new AP 50:06:04:2a:db:80-0
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfMsRunStateDec
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfMs1xStateDec
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Initializing policy
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 START (0) Change state to AUTHCHECK (2) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 AUTHCHECK (2) Change state to 8021X_REQD (3) last state RUN (20)
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) DHCP required on AP 50:06:04:2a:db:80 vapId 3 apVapId 1for this client
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 50:06:04:2a:db:80 vapId 3 apVapId 1
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:db:80 from Associated to Associated
    *apfMsConnTask_3: Jun 13 11:29:32.375: 9c:02:98:8e:c6:5d Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfMsConnTask_3: Jun 13 11:29:32.376: 9c:02:98:8e:c6:5d Sending Assoc Response to station on BSSID 50:06:04:2a:db:80 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_3: Jun 13 11:29:32.376: 9c:02:98:8e:c6:5d apfProcessAssocReq (apf_80211.c:5237) Changing state for mobile 9c:02:98:8e:c6:5d on AP 50:06:04:2a:db:80 from Associated to Associated
    *apfMsConnTask_3: Jun 13 11:29:32.409: 9c:02:98:8e:c6:5d Updating AID for REAP AP Client 50:06:04:2a:db:80 - AID ===> 2
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d Creating a PKC PMKID Cache entry for station 9c:02:98:8e:c6:5d (RSN 0)
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d Initiating WPA PSK to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:29:32.418: 9c:02:98:8e:c6:5d dot1x - moving mobile 9c:02:98:8e:c6:5d into Force Auth state
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Skipping EAP-Success to mobile 9c:02:98:8e:c6:5d
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Starting key exchange to mobile 9c:02:98:8e:c6:5d, data packets will be dropped
    *dot1xMsgTask: Jun 13 11:29:32.419: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Received EAPOL-key in PTK_START state (message 2) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.475: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d apfMs1xStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.514: 9c:02:98:8e:c6:5d 192.33.1.251 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) DHCP required on AP 50:06:04:2a:db:80 vapId 3 apVapId 1for this client
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 50:06:04:2a:db:80 vapId 3 apVapId 1
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d apfMsRunStateInc
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d associated
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d 192.33.1.251 RUN (20) Reached PLUMBFASTPATH: from line 4918
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Stopping retransmission timer for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Key exchange done, data packets from mobile 9c:02:98:8e:c6:5d should be forwarded shortly
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.515: 9c:02:98:8e:c6:5d Sending EAPOL-Key Message to mobile 9c:02:98:8e:c6:5d
       state PTKINITDONE (message 5 - group), replay counter 00.00.00.00.00.00.00.02
    *ccxL2RoamTask: Jun 13 11:29:32.516: 9c:02:98:8e:c6:5d Mobile 9c:02:98:8e:c6:5d has unsupported CCX version 0 in [l2roamProcessClientAssociation]
    *spamApTask5: Jun 13 11:29:32.558: 9c:02:98:8e:c6:5d Sent EAPOL-Key M5 for mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.601: 9c:02:98:8e:c6:5d Received EAPOL-Key from mobile 9c:02:98:8e:c6:5d
    *Dot1x_NW_MsgTask_5: Jun 13 11:29:32.601: 9c:02:98:8e:c6:5d Received EAPOL-key in REKEYNEGOTIATING state (message 6) from mo

    I already checked everything you said, but no luck. I also checked on another site and found out that it could be a MAC learning/updating issue with HP ProCurve 2510 switches. When a client roams from AP1 to AP2, the MAC table entry for the client on the switch does not update to the port where AP2 is. After the mac-aging-time on the HP ProCurve switch ends, the MAC updates correctly and the traffic starts flowing fine. Any ideas on how I can deal with this issue? Any configuration help for the WLC controller or APs? The HP switches are configured as default (out-of-the-box).

  • Routing Issue with 3550 Switch

    I am having an issue with routing with one of my Cisco 3550 switches.  I know the 3550s are EoL but some of us have to work with what we have.
    I am using a 3550 on either side of a Layer 2 link.  The Layer 2 link is 2 Extreme Summit X-440 switches with Microwave between the switches.  I have a VLAN configured on both switches and tagged on the ports connected to the Microwave.  The 3550 switch on each end is configured for IP routing but I cannot pass traffic between the switches.  If I unplug the switch on the local end and plug in a laptop, I can ping the switch on the remote end and access devices at the remote end. 
    I know this should work because I am doing the same thing over another Microwave link and Layer 2 link using another 3550 and an HP ProCurve at the remote end.
    Here are the configs for each 3550:
    Local end: Port Fa0/23 goes to the remote side. Port Fa0/24 goes to the rest of the network.
    Current configuration : 5417 bytes
    ! No configuration change since last restart
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    no service password-encryption
    service sequence-numbers
    hostname Brindley3550
    enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
    no aaa new-model
    clock timezone UTC -6
    clock summer-time UTC recurring 1 Sun Apr 2:00 1 Sun Nov 2:00
    mls qos map cos-dscp 0 8 16 26 32 46 48 56
    mls qos min-reserve 5 170
    mls qos min-reserve 6 10
    mls qos min-reserve 7 65
    mls qos min-reserve 8 26
    mls qos
    ip subnet-zero
    ip routing
    ip domain-name morgan911.net
    ip name-server 1.2.150.11
    ip name-server 1.2.150.5
    spanning-tree mode pvst
    no spanning-tree optimize bpdu transmission
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
     switchport access vlan 18
     switchport mode dynamic desirable
     spanning-tree portfast
    {Removed for Brevity}
    |
    interface FastEthernet0/7
     switchport access vlan 13
     switchport mode dynamic desirable
     spanning-tree portfast
    interface FastEthernet0/8
     switchport access vlan 13
     switchport mode dynamic desirable
     spanning-tree portfast
    {Removed for Brevity}
    interface FastEthernet0/23
     description To Gum Springs via Extreme P10
     no switchport
     ip address 1.2.147.1 255.255.255.252
     speed 100
     duplex full
    interface FastEthernet0/24
     description To Flint via Ceragon Eth 2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
     mls qos trust cos
     auto qos voip trust
     wrr-queue bandwidth 20 1 80 1
     wrr-queue min-reserve 1 5
     wrr-queue min-reserve 2 6
     wrr-queue min-reserve 3 7
     wrr-queue min-reserve 4 8
     wrr-queue cos-map 1 0 1 2 4
     wrr-queue cos-map 3 3 6 7
     wrr-queue cos-map 4 5
     priority-queue out
     spanning-tree link-type point-to-point
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet0/2
     switchport access vlan 10
     switchport trunk native vlan 50
     switchport mode dynamic desirable
     spanning-tree portfast trunk
    interface Vlan1
     ip address 1.2.145.2 255.255.255.0
    ip default-gateway 1.2.145.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.2.145.1
    ip route 1.2.165.0 255.255.255.240 1.2.147.2
    ip route 1.2.166.0 255.255.255.240 1.2.147.2
    ip http server
    snmp-server community public RO
    snmp-server community public/RO RO
    snmp-server location Brindlee Mountain Tower Site
    snmp-server contact Jamey Wright
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps envmon fan shutdown supply temperature
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps config
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification
    snmp-server enable traps vlan-membership
    snmp-server host 1.2.150.100 public  tty envmon syslog snmp
    control-plane
    ntp clock-period 17180143
    ntp server 1.2.150.21
    end
    And this is the config for the remote end.  Port Fa0/24 is the port for the link back to the local end.
    Current configuration : 5058 bytes
    version 12.2
    no service pad
    service timestamps debug datetime localtime show-timezone
    service timestamps log datetime localtime show-timezone
    no service password-encryption
    service sequence-numbers
    hostname GS3550
    enable secret 5 $1$3A.n$lzBUQg.fn4hJ7f0jEOqe71
    no aaa new-model
    clock timezone UTC -6
    clock summer-time UTC recurring
    mls qos map cos-dscp 0 8 16 24 32 46 46 56
    udld aggressive
    ip subnet-zero
    ip routing
    ip domain-name morgan911.net
    ip name-server 1.2.150.11
    spanning-tree mode pvst
    spanning-tree extend system-id
    vlan internal allocation policy ascending
    interface FastEthernet0/1
     switchport access vlan 21
     switchport mode dynamic desirable
     spanning-tree portfast
    interface FastEthernet0/2
     switchport access vlan 21
     switchport mode dynamic desirable
     power inline delay shutdown 20 initial 300
     spanning-tree portfast
    {Removed for Brevity}
    interface FastEthernet0/23
     switchport access vlan 22
     switchport trunk encapsulation dot1q
     switchport mode trunk
     speed 100
     duplex full
     spanning-tree portfast
    interface FastEthernet0/24
     description To Brindlee via Extreme P10
     switchport mode dynamic desirable
    (Is a member of VLAN 1)
     speed 100
     spanning-tree portfast
    interface GigabitEthernet0/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
    interface GigabitEthernet0/2
     switchport mode dynamic desirable
     spanning-tree portfast
    interface Vlan1
     ip address 1.2.147.2 255.255.255.252
    interface Vlan21
     ip address 1.2.165.1 255.255.255.240
     ip helper-address 1.2.150.11
     ip helper-address 1.2.150.5
    interface Vlan22
     ip address 1.2.166.1 255.255.255.240
     ip helper-address 1.2.150.5
     ip helper-address 1.2.150.11
    ip default-gateway 1.2.147.1
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.2.147.1 10
    ip http server
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps cluster
    snmp-server enable traps entity
    snmp-server enable traps envmon fan shutdown supply temperature
    snmp-server enable traps vtp
    snmp-server enable traps vlancreate
    snmp-server enable traps vlandelete
    snmp-server enable traps flash insertion removal
    snmp-server enable traps port-security
    snmp-server enable traps config
    snmp-server enable traps hsrp
    snmp-server enable traps bridge newroot topologychange
    snmp-server enable traps syslog
    snmp-server enable traps mac-notification
    snmp-server enable traps vlan-membership
    snmp-server host 1.2.150.100 public  envmon syslog snmp
    control-plane
    ntp clock-period 17180192
    ntp server 1.2.150.21 key 0 prefer
    Ideas?  Anything stand out as grossly wrong?  I have worked on this for 2 days and am at a loss.
    Thanks
    Jamey

    Sorry for the delay in replying.  Other items at the office took priority over this project.  I tried that and no change.  I pulled the switch from the remote site and took it back to the local end and connected the switches with a crossover cable and everything works fine.  I have pretty much determined that it is an issue with the config in one of the Extreme switches.  The config in those look pretty normal but there are a few things I am unsure of.  Guess I'll see if there is a similar site for Extreme gear.
    Thanks
    Jamey

  • PLM Web UI ACM/ACL issue

    Hi All,
    I am configuring the PLM Business Package / Web UI in the portal, version EHP4 (PLM Web UI).
    Every screen (Material, BOM) is giving me the error "Authorizations are missing". I know this is the trusted user issue.
    I provided the role "SAP_PLMWUI_TRUSTED_USER_ALL" in the ECC system.
    How can I fix the problem? Which roles do I need to assign to resolve it? FYI, Documents are working fine, because documents are not part of ACM.
    2. I am looking into SAP Help for authorizations, but there are no detailed steps to set up ACM/ACL.
    3. How can I generate the Root Context? There is a program we can run in SE38, but before that I need to assign the Context Admin role in the IMG. Which role do I need to assign as Context Admin?
    I appreciate your help. Thanks in Advance.
    Regards
    Mark

    administrator can set up the whitelist in Customizing for SAP NetWeaver under SAP Web Application Server Web Dynpro ABAP Set-Up Active Controls Whitelist.
    o The whitelist has to be named DEFAULT.
    o File Extension: All files of this type can be executed in an external program by using the Customizing option %auto%. For more information see Customizing for Logistics General under Product Lifecycle Management PLM Web User Interface Objects Document in PLM Web UI Define Workstation Application.
    o Application: Enter applications to be used for viewing or editing a file.
    o Download: Enter at least one directory and one server. The system opens the directory and all subdirectories for the download.
    o Upload: Enter at least one directory and one server. The system opens the directory and all subdirectories for the upload.
    Make an entry for each option (File Extension, Application, Download, Upload).
    o Find the correct server name for upload and download.
    Working with a local whitelist in an SAP system requires a certificate for the system used. The administrator must download the certificate using transaction WDR_ACF_GEN_CERT. Alternatively, the administrator can create the new certificate in Customizing for SAP NetWeaver under Application Server Web Dynpro ABAP Generate Certificate for Whitelist.
    3. Each user has to install the certificate using transaction ACF_WHITELIST_SETUP. Alternatively, the user can install the certificate via Customizing for SAP NetWeaver under Application Server Web Dynpro ABAP Activate Active Controls Whitelist.
    o The provided list of whitelists is only for display reasons. The certificate is always installed for the DEFAULT whitelist.
    o You have to install the certificate after each change of the DEFAULT whitelist.

  • ACL issue

    Hi
    I have activated the ACL switch by selecting the ACL FLAG & Edit ACL check boxes in Tcode dcswitch, but the authorization tab is not appearing in the DMS screens (CV01N, CV02N & CV03N). Can you please help me to solve it.
    Regards
    Harris

    Hi Deepak Kori
    The link provides the steps to get the option to turn on / off the ACL/browser switch. But in our system I can see these options in the Tcode dcswitch.
    I selected (tick mark) the ACL FLAG & Edit ACL checkboxes in Tcode dcswitch but I can't see the Authorization tab in CV01N. This problem exists only in the DEV client, not in IDES.
    If I don't select the "Use ACM" check box in DC10 for the particular document type, then the authorization tab appears for that document type in the IDES system. But in the DEV client there is no field like the "Use ACM" check box in DC10. Can you please clarify: 1. Will the ACL authorization tab appear only in the IDES system?
    2. Can the ACL authorization be used only in SAP Easy Document Management, or can we use it for SAP GUI also?
    3. Do we need to install anything (ex: PLM WebUI) to use the ACL authorization?
    Regards
    Harris.

  • Issue during Me53N -- switch to change mode

    Hi Experts,
    I use MEREQ001 to add new fields on the customer tab.
    During the process I check the fields and set them to required, input, and so on, e.g.:
    " Screen attributes can only be changed inside LOOP AT SCREEN / MODIFY SCREEN
    LOOP AT SCREEN.
      IF sy-tcode EQ 'ME52N' OR sy-tcode EQ 'ME51N'.
        IF screen-name EQ 'CI_EBANDB-ZZ_ABTL'.
          screen-input = 1.
          screen-required = 1.
          MODIFY SCREEN.
        ENDIF.
      ENDIF.
    ENDLOOP.
    Works fine except one issue.
    The user starts transaction ME53N and clicks on the pencil to switch from display to change mode.
    The problem now is that sy-tcode is still ME53N and I don't know if there is a field which tells me that I'm now in change mode.
    I tried to find something in SYST but I'm not sure.
    These two fields change their value during the process:
    sy-modno
    sy-oncom
    What field should I use? Or is there a field I can use instead?
    Any Ideas?
    Thanks
    Alex

    wrong forum - sorry

  • Complex NAT and ACL issue with multiple VLANS

    Hello Forum. 
    We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
    From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
    From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
    The VLANs themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers), and the VLAN subnets are equal to the VLAN name. So for example VLAN 10 is on the 10.10.10.x subnet, VLAN 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
    WHAT WORKS:
    Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
    Inside_in: traffic from VLAN 10 to VLAN 5 works fine, but I think that is due in part to the any-any allow rule on the VLAN 10 interface. Apart from that, all VLANs can get out to the web, but they cannot get proper DNS resolution or access the webserver across VLANs.
    I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated

    Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work

  • Issue relinking after switching to Proxy Mode

    So I'm 80% through a music video, and things are getting a bit "jumpy"!
    I'm told by FCPX that some frames dropped out because the hard drive was too slow, so I switched over to Proxy Mode.
    Suddenly, all the clips in the event library and the timeline go red. When I try to reconnect them, nothing happens. The clips will come back if I switch back to the optimized media pref.
    Is this normal? I have 11 GB of RAM on an 8-core Mac Pro... didn't have this issue until I upgraded to 10.0.3

    OK, sorry to come back to this, but I'm working on another project now that has become a bit jumpy.
    When I tried to transcode the media for Proxy, it tells me that I have not got enough room on my hard drive. All the project files and events are stored on the same drive, which has 317 GB free. The original footage file is 36.72 GB...
    Surely this is enough?

  • ACL on Layer 2 Switch

    Hi,
    How can the below ACL automatically work according to a given schedule, which is every "Friday from 8:00 am to 11:00 am for 4 months", while the time-range is not working?
    Someone asked me whether it is possible through the CACTI backup tool? If this is possible, then how?
        10 permit ip any host 110.93.218.154
        15 permit ip any host 98.129.229.186 log
        20 permit ip any host 10.99.0.1
        30 permit ip any host 10.99.0.17
        40 permit ip any host 10.99.0.155
        45 permit ip any host 10.99.0.157
        50 permit ip any host 10.99.0.169
        60 permit ip any 10.101.88.0 0.0.0.15
        70 permit ip any host 10.101.88.1
        80 deny ip any any (76 matches)

    Yes, I want this ACL to work only at a specific time, every Friday 8:00 to 11:00, on the access-level Cisco switch. I used the time-range commands with my ACL but it does not work. I just want to know how my ACL can work every Friday from 8:00 to 11:00 automatically.

  • Netbooting issue with Netgear switches

    Hi,
    We’ve started having issues with Netbooting since we recently replaced our network hardware, going from very old (10 yrs +) 3Com switches running at 100MB to desktop / 1GB backbone to brand new Netgear switches at 1GB desktop / 10GB backbone.
    On the old network hardware Netbooting would work fine, showing a list of Netboot images that we are able to boot from with no issue (mainly used for DeployStudio). We have two Mac servers on our network, and now, rather than being able to get a list of Netboot images, it seemingly selects one of the two “Default” images (one for each server) at random. Whichever image is selected works correctly, but we now have no way of choosing at time of bootup.
    Other than replacing the switches, nothing else has changed (that I am aware of) that could have caused this to stop working. However, some relevant info:
    The new Netgear switches are generally M5300-52G-POE+ with a small number of XSM7224S.
    Spanning Tree is enabled on the switches (set to Rapid Spanning Tree – 802.1w). Have also tried with STP turned off totally as I understand this may make a difference – however it did not.
    The infrastructure is a mixed network, with both Windows PCs/servers sitting on the same network as the Macs. DHCP is supplied by one of the Windows servers.
    No VLANs are set up – all running on the same network.
    Both Mac servers are sitting in different physical locations on the network. One is running 10.9.4 and the other on 10.6.8
    If I boot holding down Option then I only see the local hard disk.
    If I boot holding down either N or Option N then the Mac boots using one of the two Default Netboot images, seemingly at random, from one of the two Mac servers. This is as expected for Option N, but N alone used to bring up a list of images (including those not selected as the default on either server).
    All the netboot images show up correctly within the Startup Disk option within System Preferences. I can then boot successfully from any of them in this manner, and am therefore able to get round my problem in the short term, but of course this isn’t ideal.
    I have tried setting the netinstall images to be available both over HTTP and NFS, but this has no effect. Also there are no access restrictions in place for any of the images.
    I’m not 100% convinced that the issue is related to swapping to Netgear switches. Particularly as no specific configuration was ever done on the old 3Com switches to get netboot working (it just worked from the start). Also, the new switches are so much quicker than the old ones. That said it seems far too coincidental that this started happening when the switches were swapped over, and that as I said before, nothing else has changed.
    If there’s anything anyone can suggest that I can check, both with the switch configuration or otherwise, I’d be really grateful.
    Finally, just to say I’m more a Windows person than a Mac man, so treat me gently :)
    Cheers,
    LSDWho

    NetBoot uses DHCP to look for available NetBoot servers so when you hold down just N at boot time it sends a DHCP query asking NetBoot servers to advertise themselves. This might therefore suggest the issue is DHCP related. (Strictly speaking NetBoot uses BSDP - Boot Service Discovery Protocol.)
    Note: This use of DHCP by NetBoot does not normally conflict with a real full-blown DHCP server which would ignore this type of query. So it should not cause an issue with your Windows DHCP server.
    Since it might be DHCP related I would look at the following -
    http://kb.netgear.com/app/answers/detail/a_id/21984/~/what-is-a-dhcp-l2-relay-and-how-does-it-work-with-my-manged-switch%3F
    http://kb.netgear.com/app/answers/detail/a_id/21990/~/how-do-i-configure-a-dhcp-l3-relay-using-the-web-interface-on-my-managed-switch%3F
    I would then see if you can disable DHCP relay functionality and also any other related features like DHCP filtering. If you have not already done so it might be worth checking for any firmware updates and installing those as often 'new' switches out of the box will have shipped with older firmware.

  • Robocopy ACL Issue

    Hello,
    I am trying to copy a folder from one server to another using Robocopy in Windows 2008.  The security permissions on the folder (ACLs) are not copying properly.
    Folder Details:
    Folder #1 on Server A has the following ACLs: Domain Admin -> Full Control, UserX -> Full Control
    When I use robocopy with the /copyall parameter and copy Folder #1 from Server A to Server B it is missing the "UserX" permission under the security tab.  The parent folder on Server B does not have inheritance turned on and its security is set to Domain Admin -> Full Control.  Why aren't my security/ACLs (namely the permissions for USERX) copying properly?
    Thanks in advance,
    D

    I came across this thread because I have been researching the very same issue. Likewise I am running Windows Server 2008 X64 SP2 on both servers.
    Be wary of those who throw out suggestions to check your syntax, yet are not intimately familiar with this issue. Many people making such suggestions often do not know what the different versions of Robocopy are, what limitations each version has, how to get each version or what has changed syntax-wise from version to version. Yet they talk with authority. This has always been and will always be part of open public forums. Of course we should always look at our syntax. However this seems to be an issue with the new version of Robocopy.
    I haven't hammered the solution down yet, but here are some things to try:
    1) Note that many people on other forums are saying that if the source has inheritance turned on, then Robocopy will not copy the permissions over, especially those at the root of a drive. Others have suggested turning off inheritance on the source. I don't like that solution. I turn on inheritance for a reason.
    2) I have tried copying one level down from the root with some success. For example, instead of this:
    Robocopy.exe \\server1\e$  e:   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1 (or whatever your parameters are...)
    try going down one level...
    Robocopy.exe \\server1\e$\folder1  e:\folder1   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1
    I don't like this solution either. It is so much simpler to copy from the root of one drive to the root of another drive on another server. I don't want to have to do extra scripting to gather the names of the folders one level below the root and then add For Loops to my script.
    3) In some forums people are suggesting to use Robocopy to copy data and icacls.exe to handle the permissions, at least on the root. I plan to explore this option next. Once again, I don't like the solution. I expect Robocopy to be able to handle this.
    Of course I'll eat my shoe if it turns out that Robocopy works just fine and I simply don't have the right syntax.

  • ACL issue on 3750x

    Hi All,
    I have 5 VLANs on a 3750x switch (VLANs 10, 20, 30, 40, 50),
    and I applied an ACL on the switch so that no user can access VLAN 30.
    All things are working fine, but all LAN users can access the VLAN 30 server IP, though they are unable to access VLAN 30 users.
    Please help ...
    Let me know the required things to be configured.

    Hi,
    Below is the config, which is correct; please solve this one, the last one was incorrect.
    The IP address of the LAN users accessing the server IP is 172.24.10.0 255.255.248.0.
    The above subnet is able to access that server IP (172.24.30.5) but is not able to access the other users of VLAN 30.
    So I want that none of the LAN users should be able to access VLAN 30 and its server IP.
    interface Vlan10
    ip address 172.24.1.1 255.255.255.0
    ip access-group 101 in
    interface Vlan20
    ip address 172.24.2.1 255.255.255.0
    ip access-group 102 in
    interface Vlan30
    ip address 172.24.3.1 255.255.255.0
    ip access-group 103 in
    ip access-group 150 out
    interface Vlan40
    ip address 172.24.4.1 255.255.255.0
    ip access-group 104 in
    interface Vlan50
    ip address 172.24.16.1 255.255.255.192
    ip access-group 100 in
    interface Vlan100
    ip address 172.24.10.250 255.255.248.0
    access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
    access-list 100 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
    access-list 100 deny   ip 172.24.16.0 0.0.0.63 172.24.8.0 0.0.7.255
    access-list 100 permit ip any any
    access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.2.0 0.0.0.255
    access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.3.0 0.0.0.255
    access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.4.0 0.0.0.255
    access-list 101 deny   ip 172.24.1.0 0.0.0.255 172.24.16.0 0.0.0.63
    access-list 101 permit ip any any
    access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.1.0 0.0.0.255
    access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.3.0 0.0.0.255
    access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.4.0 0.0.0.255
    access-list 102 deny   ip 172.24.2.0 0.0.0.255 172.24.16.0 0.0.0.63
    access-list 102 permit ip any any
    access-list 103 permit ip host 172.24.3.26 any
    access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.1.0 0.0.0.255
    access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.2.0 0.0.0.255
    access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.4.0 0.0.0.255
    access-list 103 deny   ip 172.24.3.0 0.0.0.63 172.24.16.0 0.0.0.63
    access-list 103 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
    access-list 103 permit ip any any
    access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.1.0 0.0.0.255
    access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.2.0 0.0.0.255
    access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.3.0 0.0.0.255
    access-list 104 deny   ip 172.24.4.0 0.0.0.255 172.24.16.0 0.0.0.63
    access-list 104 permit ip any any
    access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.1.0 0.0.0.255
    access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.2.0 0.0.0.255
    access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.3.0 0.0.0.255
    access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.4.0 0.0.0.255
    access-list 105 deny   ip 172.24.16.0 0.0.0.63 172.24.10.0 0.0.0.255
    access-list 105 permit ip any any
    access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootps
    access-list 105 permit udp 172.24.16.0 0.0.0.63 host 172.24.10.250 eq bootpc
    access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255
    access-list 150 permit ip any any
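    As an added illustration (not code from the post or from Cisco), here is a small first-match evaluator for IOS-style numbered ACLs that replays ACL 150 against constructed traffic. It assumes standard IOS semantics (wildcard masks, first match wins, implicit deny at the end) and that an 'out' ACL on an SVI filters packets being routed into that VLAN; ACL_150_REVERSED and the 172.24.8.0/21 user block are assumptions made for the illustration.

```python
import ipaddress

# IOS port keywords used in the posted ACLs (constructed subset).
NAMED_PORTS = {"bootps": 67, "bootpc": 68}

def _addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; return (addr, care_mask).
    care_mask is 1 where the wildcard is 0: those bits must match exactly."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0
    if first == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    return int(ipaddress.IPv4Address(first)), ~wildcard & 0xFFFFFFFF

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]'. Only a destination
    'eq' is understood and trailing keywords (e.g. 'log') are ignored (assumption)."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: %r" % line)
    action, proto, rest = tokens[2], tokens[3], tokens[4:]
    src, dst = _addr(rest), _addr(rest)
    dport = None
    if len(rest) >= 2 and rest[0] == "eq":
        dport = NAMED_PORTS.get(rest[1]) or int(rest[1])
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "text": " ".join(tokens)}

def _matches(spec, ip):
    addr, care = spec
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

def evaluate(acl_lines, proto, src, dst, dport=None):
    """First match wins; the unwritten 'deny ip any any' ends every IOS ACL."""
    for ace in (parse_ace(line) for line in acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        if _matches(ace["src"], src) and _matches(ace["dst"], dst):
            return ace["action"], ace["text"]
    return "deny", "implicit deny ip any any"

# ACL 150 exactly as posted, applied 'out' on the Vlan30 SVI.
ACL_150_POSTED = [
    "access-list 150 deny   ip 172.24.3.0 0.0.0.255 172.24.10.0 0.0.0.255",
    "access-list 150 permit ip any any",
]
# Hypothetical rewrite (not from the post): an 'out' ACL on the Vlan30 SVI filters
# packets routed INTO vlan 30, so the user block must be the source. 172.24.8.0
# 0.0.7.255 is the /21 that contains the posted 172.24.10.0 users (assumption).
ACL_150_REVERSED = [
    "access-list 150 deny   ip 172.24.8.0 0.0.7.255 172.24.3.0 0.0.0.255",
    "access-list 150 permit ip any any",
]

def demo():
    """Constructed traffic: LAN user 172.24.10.20 opening TCP/445 to a vlan 30 host."""
    return {name: evaluate(acl, "tcp", "172.24.10.20", "172.24.3.50", 445)
            for name, acl in (("posted", ACL_150_POSTED), ("reversed", ACL_150_REVERSED))}

if __name__ == "__main__":
    for name, (action, entry) in demo().items():
        print("%-8s -> %-6s by: %s" % (name, action, entry))
```

    Run as-is it shows the posted ACL 150 permitting the user-to-vlan-30 flow (its deny only matches the reverse direction), while the reversed entry blocks it.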
