ACS 5.4 multiple network interfaces support

In ACS 5.4 release note, it says:
Multiple network interface connector support
ACS 5.4 supports up to four network interfaces: Ethernet 0, Ethernet 1, Ethernet 2, and Ethernet 3. ACS management functions use only the Ethernet 0 interface, but AAA protocols use all configured network interfaces. You must connect the ACS nodes in the distributed deployment only to the Ethernet 0 interface. Therefore, the syslog messages are sent and received at the log collector's Ethernet 0 interface. Data forwarding from one interface to another interface is prohibited to prevent potential security issues. The external identity stores are supported only on the Ethernet 0 interface. In ACS 5.4, multiple network interface connectors are also supported for proxies.
But in the CSACS 1121 Series Appliance Rear View section, it still says only Ethernet 0 is usable. All other interfaces are blocked.
I am confused. Can anyone clarify for me if we can use multiple network interfaces in ACS 5.4? What about the management interface?
Thanks!

We configured 2 interfaces in the past within a testing environment and it worked. ACS 5.4 supports multiple network interfaces on the UCS platform, on a virtual machine and on the legacy ACS 5.x IBM/CAM hardware. The ACS management functions use the interface eth0 only and the AAA protocols use all available network interfaces.
Jatin Katyal
- Do rate helpful posts -

Similar Messages

  • Multiple network interface....

    I have group (cloud) of systems and each system has two network interfaces. One interface is 172.17.0.0/19 and other is 192.168.x.x.
    The 192.168.x.x network interface is dedicated to NFS (usually). So I want to configure that interface so that it does not listen for inetd services and SSH. I want only RPC and Portmap services to be listening on that interface, and the other interface (172.17.0.0/19) to be used for normal services.
    (Note: all systems are running Solaris 9)
    --Ritesh Patel

    Hello.
    WHY do you want inetd not to listen on this interface?
    I do not think that is possible with inetd. If you wish to prevent users to connect from another interface you must use the "tcpd" tool (on the companion CD). However inetd will listen on the interface; tcpd will just block incoming connections.
    Martin
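
Added example (not part of the original posts): a small audit of which services stay reachable on the NFS-dedicated interface, following the point in the reply above that a wildcard listener is present on every interface and tcpd only filters connections. The interface address, the listener table, the allowed set and the tcpd deny set are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    service: str  # daemon name as it would appear in a listener inventory
    bind: str     # local bind address, "*" means wildcard (all interfaces)
    port: int


def reachable_on(listener, iface_addr):
    """A wildcard bind is reachable on every interface address."""
    if listener.bind == "*":
        return True
    return ipaddress.ip_address(listener.bind) == iface_addr


def audit_interface(listeners, iface_addr, allowed, tcpd_denied):
    """Classify every service reachable on iface_addr.

    allowed     -- services that are meant to answer on this interface
    tcpd_denied -- services still listening there, but whose connections
                   a TCP wrapper rejects (socket open, connection refused)
    Anything else reachable on the interface is reported as exposed.
    """
    iface = ipaddress.ip_address(iface_addr)
    report = {}
    for lst in listeners:
        if not reachable_on(lst, iface):
            continue  # bound to a different interface address only
        if lst.service in allowed:
            report[lst.service] = "allowed"
        elif lst.service in tcpd_denied:
            report[lst.service] = "filtered"
        else:
            report[lst.service] = "exposed"
    return report


# Constructed sample data (assumptions, not taken from the thread).
NFS_IF_ADDR = "192.168.10.5"          # address on the NFS-dedicated network
SAMPLE_LISTENERS = [
    Listener("sshd", "*", 22),        # wildcard: also present on the NFS side
    Listener("telnet", "*", 23),      # inetd service, wildcard bind
    Listener("rpcbind", "*", 111),
    Listener("nfsd", "*", 2049),
    Listener("httpd", "172.17.4.20", 80),  # bound to the general network only
]
ALLOWED_ON_NFS_IF = {"rpcbind", "nfsd"}
TCPD_DENIED_ON_NFS_IF = {"telnet"}    # wrapped by tcpd, denied on this interface


def run_sample():
    return audit_interface(SAMPLE_LISTENERS, NFS_IF_ADDR,
                           ALLOWED_ON_NFS_IF, TCPD_DENIED_ON_NFS_IF)


if __name__ == "__main__":
    for service, status in sorted(run_sample().items()):
        print(f"{service:8s} {status}")
```

A "filtered" result still means the socket is open on that interface; only a service bound to a specific address, like the constructed httpd entry, is absent from it.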

  • Multiple network interface question

    OK, so I work for my college as a student worker in network operations. Today they did a makeover on the dorm network and added in some traffic shaping. Instead of getting 8mb down I'm getting 1mb down. Well, one of the admins went to lunch and had the new config still open on his computer, so I shifted over and decided to take a look at this new ruleset. I'm not sure why he did it like this, but the traffic shaping is not done on a per-port basis but on a per-IP basis. Well, I started thinking at this point and pulled out my old computer and installed Arch on it to use as a download box for all my BitTorrent needs. I have this box loaded up with 6 NICs (5 PCI and 1 onboard), each pulling their own IP. How can I get Arch to bridge all 6 NICs (or multiplex) so I can get at least most of my bandwidth back?
    Yes, I asked them to exclude me from the traffic shaping but was told it wouldn't be fair to the other students.

    This might help: http://lartc.org/howto/lartc.rpdb.multiple-links.html

  • Role of multiple network interfaces

    Hi,
    I'm trying to setup a Mac Mini Server to act as a gateway and to offer various services from inside and outside of my office. For me this is some kind of test setup before I may look into getting a bigger machine for this job.
    Because a gateway needs two ethernet interfaces I got an Apple USB-Ethernet adapter which technically works without problems. However since the USB-Ethernet is slower than the internal ethernet interface of the Mac Mini I want to connect the USB interface to the internet (fixed IP, DNS forward set, reverse in work) and the faster internal interface to my internal network.
    The server is set up to make NAT but DHCP is done by another server. So the internal address is also manually set. Also there is an internal DNS Server; I've set up the server to use its own DNS service.
    It took me some time to figure out how to make the USB interface (en2) the primary interface by turning off the internal interface (en0) during installation and adding it at a later time. So when I'm now doing a changeip -checkhostname I can see that my external address is my primary interface and my public hostname is correct.
    However my biggest problem at the moment is that it seems as if all services are bound to the internal interface/network (en0) and I'm not able to access services like VPN, iChat or web from the internet or by using the public hostname.
    Do I have to somehow tell all these services to explicitly bind to the external interface/address? Or is there no other way than to use en0 as the external interface in my configuration?
    Thanks,
    Alex

    Please search for existing discussions of establishing static IP routes; this stuff can and does work, but requires manual set-up. IP selects a primary NIC in the absence of a known route regardless of the NIC the message arrived on, which means the Mac box doesn't work like you'd expect without some help. [Here's one discussion|http://discussions.apple.com/message.jspa?messageID=5697532], and there are others.
    Mac boxes don't make particularly easy nor effective nor efficient nor economical firewalls in my experience, and this is inherent in the design differences between a Mac and a dedicated firewall. External firewalls are an added expense for a small network, but (in my experience) tend to have advantages over using a Mac box doubling as a firewall.
    Given the number of folks that try this particular configuration, it would be useful for Apple to provide some guidance and some tools here to set up the static routes and to operate the Mac as a router (in some future release of Mac OS X Server after Snow Leopard Server 10.6); you're going to be using the bash shell to get this stuff going.

  • Cisco ISE with multiple Network interface

    Hello,
    I am deploying Cisco ISE 1.2 in a distributed deployment and the requirement is to use external Radius proxy feature. ISE PSNs are designed to have 2 L3 NIC's, Eth0 for administration and Eth1 as client side facing NIC for Radius requests. I am interested to know would Cisco ISE in version 1.2 use Eth1 interface to send RADIUS  authentication request to external RADIUS Proxy server.
    Could not find above information in Cisco SNS-3400 Series Appliance Ports Reference.
    http://www.cisco.com/en/US/docs/security/ise/1.2/installation_guide/ise_app_c-ports.html
    Thanks
    Kumar

    Thanks Ahmad for the reply.
    Cisco ISE uses the standard RADIUS authentication and authorization port to send requests to the External RADIUS proxy. As per the interface/port reference guide of version 1.2, this is what is listed, and it is causing the confusion:
    Interfaces: Eth0, Eth1, Eth2, Eth3
    Policy Service node
    Session:
    • UDP: 1645, 1812 (RADIUS Authentication)
    • UDP: 1646, 1813 (RADIUS Accounting)
    • UDP: 1700 (RADIUS change of authorization Send)
    • UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
    External Identity Stores and Resources:
    • TCP: 389, 3268, UDP: 389 (LDAP)
    • TCP: 445 (SMB)
    • TCP: 88, UDP: 88 (KDC)
    • TCP: 464 (KPASS)
    • UDP: 123 (NTP)
    • TCP: 53, UDP: 53 (DNS)
    (Admin user interface authentication and endpoint authentication)
    In external Identity Stores and Resources it says Eth0 is used for (Admin user interface authentication and endpoint authentication), where under sessions it lists that all ports can be used for RADIUS Authentication and Authorization.
    I am not sure what I am missing to understand between the two if you can highlight that.
    Thanks
    Kumar

  • ACS 3.3 multiple IP interfaces

    Is it possible to set up the ACS server to respond on different IP addresses for different clients? I.e. we have a group of devices which should communicate with the ACS for TACACS+ AAA on address 1 and a completely different group of devices that need to use a different address for the server.

    This document presents the software and hardware with which Cisco Secure ACS for Windows (ACS) is compatible.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_tech_note09186a008009462a.shtml

  • Does CISCO C3560X VLAN support multiple Network segments which are further configured with HSRP function

    Hi Cisco experts,
        My name is Kumagai and I need your expert opinions below.
    I am trying to configure one VLAN1 support multiple network segments as below.
    (this should be a very straight forward configuration and should be OK, I think ? )
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0 secondary
     The only issue that is eating me is the above network segments are using HSRP too
     and I am not sure is this possible with a combination of VLAN1 supporting multiples which are
     further supported with HSRP settings in Cisco environment.
    !example of HSRP:
    interface Vlan4
     ip address 172.30.4.253 255.255.255.0
     no ip redirects
     standby 4 ip 172.30.4.254
     standby 4 priority 105
     standby 4 preempt
    <<< what will happen if I add the HSRP configuration as below into the above VLAN1 with multiple Network segment ??)
     I would like to summarize my "Combined" configurations as below but I need your expert opinions on
     whether the configuration below is workable without any problem ??
     Or it is a total flop because Cisco does not support the configuration below !!!
     interface Vlan1
     ip address 172.30.0.0 255.255.128.0
     ip address 172.30.31.253 255.255.254.0 secondary
     ip address 172.30.61.253 255.255.254.0 secondary
     ip address 172.30.71.253 255.255.254.0 secondary
     ip address 172.30.4.253 255.255.255.0  secondary
     standby 30 ip 172.30.31.254
     standby 30 priority 105
     standby 30 preempt
     standby 60 ip 172.30.61.254
     standby 60 priority 105
     standby 60 preempt
     standby 70 ip 172.30.71.254
     standby 70 priority 105
     standby 70 preempt
     standby  4 ip 172.30.4.254
     standby  4 priority 105
     standby  4 preempt
    Thanking you in advance !!!!!

    Hi,
    As far as I know we don't set the ip helper address on the radio interface. It should be on the L3 interface of the corresponding VLANs, i.e.
    int vlan 20
    ip helper-address 192.168.33.xxx
    int vlan 60
    ip helper-address 130.20.1.xxx
    I'm assuming that you're using SVIs (int Vlan 20 and int Vlan 60) rather than physical interfaces. Also hope you have configured the switch port as trunk where this AP is connected.
    Modify the AP config as below since you are using data vlan as the native vlan
    interface Dot11Radio0.20
    encapsulation dot1Q 20 native
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    Ideally your AP fastethernet configuration should look like below, and I'm not sure how you missed this as this comes by default when you have multiple vlans for multiple ssids.
    interface FastEthernet0.20
    encapsulation dot1Q 20 native
    no ip route-cache
    bridge-group 20
    no bridge-group 20 source-learning
    bridge-group 20 spanning-disabled
    interface FastEthernet0.60
    encapsulation dot1Q 60
    no ip route-cache
    bridge-group 60
    no bridge-group 60 source-learning
    bridge-group 60 spanning-disabled
    Hope this helps.
    Regards
    Najaf

  • ACS 5.4 Multiple NIC Questions

    I've read that 5.4 includes support for multiple NICs (appliance and VM). My question is what can these NICs be used for? I know one must be a dedicated management link, and the other three support TACACS/RADIUS. Does this mean that each NIC can have a separate IP address and thus act as a separate AAA target or are the links just used for aggregation?
    If this post answers your question or is helpful, please consider rating it and/or marking as answered.

    Hi Chris,
    If you're running 1121 with ACS 5.4 and looking at Table 4-4, ACS 5.4 Functional Interface Distribution Among Network Interfaces, then the answer is that you may set up any interface for TACACS/RADIUS authentication. However, the management interface should be set up for gig0 only. Currently, it doesn't support NIC teaming/bonding. However, it sometimes creates issues with replication.
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_hw_ins.html#wp1179311
    In case you are running a 3415 appliance, the only difference is that it supports redundancy, but that only applies for Cisco Integrated Management Interface (CIMC)
    step 4. Set the NIC mode to your choice for which ports to use to access the CIMC for server management
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_hw_ins_ucs.html#wp1188250
    Hope this helps.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • BadRequest: Virtual machines with secondary network interfaces and virtual machines with no secondary network

    I'm trying to create an "ExtraLarge" VM with multiple NICs.  The New-AzureVM returns the following error:
    BadRequest: Virtual machines with secondary network interfaces and virtual machines with no secondary network
    interfaces are not supported in the same deployment, also a virtual machine having no secondary network interfaces
    cannot be updated to have secondary network interfaces and vice-versa.
    But I have no other VMs.  Or at least I did and then deleted them and all their disks.  The service has no deployments (either staging or production).
    Why is New-AzureVM complaining about a mismatch of VMs with and without secondary network interfaces when no other VMs exist?
    I have tried many things to fix this, including the deletion of ALL of my resources. I have deleted and created the service many times, both with an affinity group and without. I have a screen print of the -debug output if you're interested.
    Thanks for the outstanding help.

    Hi Ron,
    IMPORTANT NOTE: Please do not post the CONFIDENTIAL DETAILS ever on the public forums, this is HIGH RISK action.
    Please send an email with your contact details to my email
    [email protected] so that I guide you on steps which help you come out of the current scenario. Thank you for understanding.
    I suggest you to create a new VNET and new VM with cloud services. Create Multiple NIC VM. Let us know the results.
    Ref:
    http://azure.microsoft.com/blog/2014/10/30/multiple-vm-nics-and-network-virtual-appliances-in-azure/
    http://blogs.technet.com/b/canitpro/archive/2014/11/04/step-by-step-create-a-vm-with-multiple-nics-in-azure.aspx
    If you are unable to create a VM with multiple NIC, please open a support case as it requires more confidential information which is out of scope of FORUM support offerings.
    Regards,
    Girish

  • Fake Network Interface - What Is It, and How Do I Get It?

    I'm in the process of setting up Linux-VServer, which supports OS level virtualization. It's like running a VM, only instead of using an abstraction layer to create fake hardware and host another OS, the kernel just runs multiple userspaces and makes sure they don't touch anything they're not supposed to.
    Anyway, like many VM solutions, networking is a bit funky. They create fake interfaces that seem to exist only in the kernel, then use iptables to mask them with NAT so it still works on a network. The trick is that I'm not sure how they're creating fake interfaces, so I don't know how to replicate it on Arch. Here's a page describing the process: http://linux-vserver.org/Networking_vserver_guests
    On Debian, they add this to /etc/network/interfaces:
    auto dummy0
    iface dummy0 inet static
    address 192.168.1.250
    netmask 255.255.255.0
    What are they using to make this work? Is there a good way to replicate it under Arch?
    Last edited by arew264 (2009-03-26 03:18:19)

    I ran `ip addr add 192.168.1.4/24 dev eth0 label eth0:1`, which adds an IP address to eth0.
    This works better than the solution the vserver wiki recommends because I can give the guest a public IP address.
    Is there a way to do this in /etc/rc.conf or the network daemon?
    Last edited by arew264 (2009-03-26 03:18:51)

  • BO PCM: 80004002 no such interface supported

    Hello All!
    I developed a model in BO Profitability and cost management Model builder and sometimes I have an error 80004002 no such interface supported. But sometimes the system works correctly. Do you know anything about this error?
    Configuration:
    vmware 7.1.4
    MS SQL SERVER 2008 R2
    Windows Version: 5.2 (Build 3790)  - Win 2003 Server
    Windows Patch: Service Pack 2
    Builder Version: Version 7.5.12 Build 2818)
    PCM Username:
    PCM Model:
    PCM Server:
    PCM Model Server:
    Error Code: 80004002

    See the flowchart attached to SAP Note [1352504|http://service.sap.com/sap/support/notes/1352504] which covers several possible causes of this error.
    Also...there are about 15 other SAP notes that mention this error.  Please check for Notes yourself before posting here.  For example:
    According to SAP Note [1351124|http://service.sap.com/sap/support/notes/1351124] it says:
    Cause
    The EPM/PCM system is installed to use the SOCKETS protocol; however the client workstation is unable to contact the primary applications server because it has multiple network adaptors and their binding order is wrong.
    Resolution
    On the client workstation change the binding order of TCP/IP on the network cards so that the network card that has the connection to the PCM systems is the first in the list. The binding order can be changed in "Network Connections" as follows: [see note for further explanation]
    According to SAP Note [1514751|http://service.sap.com/sap/support/notes/1514751] it says:
    Reproducing the Issue
    There are no specific steps to force this condition to occur other than using the PCM system for several days without restarting the system or any of its services.
    Cause
    There is a memory leak in the PCM TransportService which causes PCMMainIPS.exe and PCMModelIPS.exe to consume more and more memory until these services fail causing the error message.
    Resolution
    Upgrade to PCM v7.5 SP10.
    As I believe you are indicating you are on PCM v7.5 SP12 - please report the issue to SAP Support by creating a message on the Service Marketplace if neither of above resolves the issue.  In the meantime, you may be able to stop and restart all the PCM services to work around the issue.
    Best regards,
    [Jeffrey Holdeman|http://wiki.sdn.sap.com/wiki/display/profile/Jeffrey+Holdeman]
    SAP Labs, LLC
    BusinessObjects Division
    Americas Customer Solutions Adoption (CSA) team

  • Install solaris via jumpstart with 2 network interfaces

    Hi guys,
    I'm trying to deploy Solaris 10 on a LDOM , using Jumpstart server. The LDOM must have 2 network interfaces and 2 default routes. Here's the relevant part of sysidcfg file:
    network_interface=vnet0 {primary
                    hostname=aaaaaaaaa
                    ip_address=aaa.aaa.aaa.aaa
                    netmask=255.255.240.0
                    protocol_ipv6=no
                    default_route=bbb.bbb.bbb.bbb
    }
    network_interface=vnet1 {
                    hostname=bbbbbbbbbbb
                    ip_address=ccc.ccc.ccc.ccc
                    netmask=255.255.248.0
                    protocol_ipv6=no
                    default_route=ddd.ddd.ddd.ddd
    }
    After {ok} boot net - install, I get these messages:
    Using RPC Bootparams for network configuration information.
    Attempting to configure interface vnet1...
    Skipped interface vnet1
    Attempting to configure interface vnet0...
    Configured interface vnet0
    USB keyboard
    Reading ZFS config: done.
    Setting up Java. Please wait...
    Serial console, reverting to text install
    Beginning system identification...
    Searching for configuration file(s)...
    Using sysid configuration file xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:/sysidcfg
    Search complete.
    Discovering additional network configuration...
    Completing system identification...
    and then unattended install stops and goes into interactive menu:
    ─ Default Route Error for vnet1 ────────────────────────────────────────────────
      The route ddd.ddd.ddd.ddd could not be added at this time. If you wish to accept
      the route provided, the route will be added to the /etc/defaultrouter file
      to be used at reboot. If you choose not to accept your choice, you will be
      asked to enter network information again for this interface.
          Accept Route
          ────────────
          [X] Yes
          [ ] No
    After I choose "yes", the installation goes back to unattended (automated) state.
    Any ideas why installation breaks when adding second default route?
    If I delete the line default_route=ddd.ddd.ddd.ddd, the installation is not interrupted.
    Many thanks,
    kido
    Edited by: kido on Dec 29, 2010 6:10 PM

    Hello again,
    First of all, if I delete the second default route from sysidcfg, the installation performs uninterrupted, but vnet1 is not brought up after reboot. I get a message like: vnet1 is not a valid interface name...or something similar...
    Regarding multiple default routes now... As long as "man defaultrouter" and "man sysidcfg" state that multiple routes are supported, I would expect this to work...or at least I need a way of installing 2 NICs without human intervention...
    I will try to use some post install script instead ( will create /etc/hostname.vnet1 and add second route to /etc/defaultrouter) and will let you know the results.

  • How to handle multiple inbound interfaces with WSDL messages

    Hi All,
    We have a synchronous: Abap Proxy -> XI -> WebService Scenario. The webservice has multiple SoapActions e.g. SearchForProduct_WithX, SearchForProduct_WithY each with different message types. We have tried to use the receiver determination to send the request to the correct soapaction using conditions e.g. if field X in the request is populated use SearchForProduct_WithX action/message.
    But when we run it through the proxy we get this error:
      <CODE>IF_DETERMINATION.TOO_MANY_IIFS_CASE_BE</CODE>
      <ERRORTEXT>Multiple inbound interfaces not supported for synchronous calls</ERRORTEXT>
    Does anybody know how we can get around this or how best to deal with the multiple soap actions per wsdl situation.

    Hi Yaghya,
    We have used conditions in the Interface Determination. Interestingly if we use an HTTP sender adapter we can use this configuration ... but once we try and use ABAP proxies we get the previous error.
    Another related question ... when we use the http adapter we get a connection time out exception. Same thing happens if we try and use the wsdl tester at /wsnavigator but we can open the wsdl through the browser. Any idea on this one?
    Thanks for all your help.

  • Ix4-300d network interface going off-line

    I just got a new ix4-300d to use as an iSCSI target in a relatively low-performance requirement file server.
    I have used ix4-200d and ix4-300d in the past for iSCSI targets in disk-based backup scenarios without issues.
    I am having problems with this one, though. I am attempting to copy data to this new unit (with a VHD mounted from the iSCSI connection to the system), and while data seems to copy OK, at some point the network interface quits working somehow. 
    When this occurs, the unit still thinks that the interface is configured, and everything seems OK, I just cannot connect. Obviously, this causes my iSCSI initiators to die, and the VM hosted crashes hard. At that point, I have to restart the storage unit, and then reconnect my initiators, and then bring everything back online.
    I've updated the firmware to the latest, but it wasn't that far out of date. I've found an article titled "Network storage device is not assigned an IP address" in the knowledgebase that points to a problem with the software in the 4.0.2 series, and I was at 4.0.6, and am now current in 4.0.8. I am testing the process again, but wanted to check with the community to see if anyone has experienced anything similar and/or could offer some idea of why this interface quits working.
    For what it's worth, the other units I have worked with were all in the 3.x series of software.
    Thanks for any help/information anyone can provide.

    Hi chloeroxymax,
    Do you have discovery enabled?
    If not, check the box for "Enable discovery with iSNS" under the iSCSI settings and select "Use local iSNS server".
    Then, on your iSCSI Initiator, go to the Discovery tab. Click "Add Server" under iSNS servers and enter the IP address of the NAS.
    The device should show up under the Targets tab (you may have to click the refresh button)
    On your other NAS devices, go to the iSCSI settings page and select "Enable discovery with iSNS" but select "Use external iSNS server" and type in the IP address of the ix4-300d NAS.
    This may help things run smoothly. If the device is still disconnecting, I would recommend contacting technical support since this is a new device and you are covered by the warranty for support.

  • "No such interface supported" JRE 1.4 Win2000 install error

    During installation of the latest JRE (j2re-1_4_0-win-i.exe) onto a friends PC I get the following message:
    (during the "preparing the installshield wizard" part of the install)
    "An error occurred while parsing command line arguments or reading setup.ini - No such interface supported."
    Now, Nigel's PC used to have win95 on it - he couldn't get the thing to network with a win2000 computer so win2000 was installed over win95 (I'm 85% sure that win95 wasn't fully deleted from the PC first).
    It's easy to assume that the error is caused by the double installation of the windows OSs, but I was wondering if this is maybe a problem with the install shield itself.
    Has anyone seen this type of error before, or know of a possible solution. (I'm about to tell him to simply reinstall win2000 from scratch)
    cheers
    Ray

    InstallShield seems to refer to this problem in the following
    knowledge base article
    http://support.installshield.com/kb/view.asp?pcode=ALL&articleid=Q105146
    I searched for "No such interface supported".
