Best practice to upgrade NAC Failover deployment

Hi,
I have a NAC Failover deployment with 5 pairs of CAS and 1 pair of CAM running version 4.1.3 and I want to upgrade to 4.7.2.
My deployment is Inband Virtual Gateway.
I have 5 floors and one pair of CAS in each one, so my question is: I'm reading that the solution does not work if I have different versions on CAS and CAM, right?
So, what can I do to do this? What do you recommend I do?
Thanks.


Similar Messages

  • Best practice for upgrading task definition without deleting task instances

    best practice for upgrading task definition in production system without deleting or terminating task instances
    If I try and update a task definition with task instances running I get the following error:
    Task definition 'My Task - Add User' may not be modified while there are active task instances
    Is there a best practice to handle this. I tried to force an update through the console but that didn't work. I tried editing the task from the debug page and got the same error.

    1) Rename the original task definition.
    2) Upload the new task definition with the original name.
    3) Later, after all the running tasks have timed out, delete the old definition.
    E.g., if your task definition is "myWorkflow":
    1) Rename "myWorkflow" to "myWorkflow-old-2009-07-28"
    2) Upload the new task definition as "myWorkflow".
    Existing tasks will stay linked to the original (renamed) workflow definition.
    New tasks will use the new definition.
    As the previous poster notes, depending on the changes you are making, letting the old task definitions stay active could have bad side-effects and might be better avoided.

  • Best Practice for upgrading to 11.1.1.3

    Hi,
    Can anyone tell me what is the best practice to upgrade FMW to 11.1.1.3...
    I followed the following steps to set up FMW 11.1.1.3.
    1. Oracle Enterprise edition Database 10.2.0.1 and applied 10.2.0.4 patch
    2. Installed RCU 11.1.1.3
    3. Installed Weblogic server 10.3.3 (11gR1)
    4. Installed Soa Suite 11.1.1.2 and applied patch for 11.1.1.3
    Is this the right way of installation, or do I have to install 11.1.1.2 first and then install 11.1.1.3?
    Regards,
    Sundar

    Yes, that seems to be fine.
    regards

  • Best Practice in Upgrade from ECC 5.0 to ECC 6.0

    Dear All,
    Can someone help in looking for Best practice in Upgrade from ECC 5.0 To ECC 6.0 Project from Functional FI and CO Side.
    Thanks

    Moved to a different forum.

  • What's the best practice to upgrade 3GS from 3.1.2 to 4.2.1

    I was reading the thread which was very helpful:
    http://discussions.apple.com/thread.jspa?threadID=2665989
    But there is a slight difference here with my situation:
    -- I'm planning to upgrade from 3.1.2 to 4.2.1, yet in that thread the guy was trying to upgrade from 4.1
    And recently a friend told me he had an error 1013 during upgrade. Google also mentioned another error code, 1015, related to upgrading to 4.2.1
    1. Does anyone know what exactly caused Error 1013 and 1015?
    2. What is the best practice to upgrade from 3.1.2? Upgrading to 4.1 first and then upgrading from 4.1 to 4.2.1? Will that eliminate the occurrence of these iTunes errors?
    *(Yes, I know Apple has officially terminated supporting upgrading an iPhone firmware to anything below 4.3. But can we just discuss my questions hypothetically?)*
    Thanks people.

    paulcb wrote:
    Errors 1013 and 1015...
    http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=iphoneError+1013+and1015
    http://support.apple.com/kb/ts1275
    Thanks a lot, paulcb.

  • Best practice for upgrading task definition in production system

    If I try and update a task definition with task instances running I get the following error:
    Task definition 'My Task - Add User' may not be modified while there are active task instances
    Is there a best practice to handle this. I tried to force an update through the console but that didn't work. I tried editing the task from the debug page and got the same error.

    The best way for upgrade purposes is to use the rename function of the TaskDefinition from the lh command line utility.
    Basically renames all current task instances with the TaskDefinition name. You can then alter the existing TaskDefinition and upload into identity manager.

  • Best Practice for VPC Domain failover with One M2 per N7K switch and 2 sups

    I Have been testing some failover scenarios with 4 nexus 7000 switches with an M2 and an F2 card in each. Each Nexus has two supervisor modules.
    I have 3 VDC's Admin, F2 and M2
    all ports in the M2 are in the M2 VDC and all ports on the F2 are in the F2 VDC.
    All vPC's are connected on the M2 cards, configured in the M2 VDC
    We have 2 Nexus representing each "site"
    In one site we have a vPC domain "100"
    The vPC Peer link is connected on ports E1/3 and E1/4 in Port channel 100
    The peer-keepalive is configured to use the management ports. This is patched in both Sups into our 3750s. (This will eventually be on a management out-of-band switch.)
    Please see the diagram.
    There are 2 vPC's 1&2 connected at each site which represent the virtual port channels that connect back to a pair of 3750X's (the layer 2 switch icons in the diagram.)
    There is also the third vPC that connects the 4 Nexus's together. (po172)
    We are stretching vlan 900 across the "sites" and would like to keep spanning tree out of this as much as we can, and minimise outages based on link failures, module failures, switch failures, sup failures etc..
    ONLY the management vlan (100,101) is allowed on the port-channel between the 3750's, so vlan 900 spanning tree shouldn't have to make this decision.
    We are only concerned about layer two for this part of the testing.
    As we are connecting the vPC peer link to only one module in each switch (a single M2), we have configured object tracking as follows:
    n7k-1(config)#track 1 interface ethernet 1/1 line-protocol
    n7k-1(config)#track 2 interface ethernet 1/2 line-protocol
    n7k-1(config)#track 5 interface ethernet 1/5 line-protocol
    track 101 list boolean OR
    n7k-1(config-track)# object 1
    n7k-1(config-track)# object 2
    n7k-1(config-track)# object 5
    n7k-1(config-track)# end
    n7k-1(config)# vpc domain 101
    n7k-1(config-vpc-domain)# track 101
    The other site is the same, just 100 instead of 101.
    We are not tracking port channel 101, nor the member interfaces of this port channel, as this is the peer link and apparently tracking upstream interfaces and the peer link is only necessary when you have ONE link and one module per switch.
    As the interfaces we are tracking are member ports of a vPC, is this a chicken and egg scenario when seeing if these 3 interfaces are up? Or is line-protocol purely layer 1, so that the vPC isn't downing these member ports at layer 2 when it sees a local vPC domain failure, so that the track fails?
    I see most people are monitoring upstream layer3 ports that connect back to a core? what about what we are doing monitoring upstream(the 3750's) & downstream layer2 (the other site) - that are part of the very vPC we are trying to protect?
    We wanted all 3 of these to be down, for example if the local M2 card failed, the keepalive would send the message to the remote peer to take over.
    What are the best practices here? Which objects should we be tracking? Should we also track the peer-link Port channel101?
    We saw minimal outages using this design. When reloading the M2 modules, usually 1-3 pings were lost between the laptops in the different sites across the stretched vlan. Obviously no outages when breaking any link in a vPC.
    Any wisdom would be greatly appreciated.
    Nick

    Nick,
    I was not talking about the mgmt0 interface. The vlan that you are testing will have a link blocked between the two 3750 port-channel if the root is on the nexus vPC pair.
    Logically your topology is like this:
        |                             |
        |   Nexus Pair          |
    3750-1-----------------------3750-2
    Since you have this triangle setup one of the links will be in blocking state for any vlan configured on these devices.
    When you are talking about vPC and L3, are you talking about L3 routing protocols or just intervlan routing?
    Intervlan routing is fine. Running L3 routing protocols over the peer-link and forming an adjacency with a router upstream using L2 links is not recommended. The following link should give you an idea about what I am talking about here:
    http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/
    HSRP is fine.
    As mentioned, the tracking feature's purpose is to avoid a black hole of traffic. It completely depends on your network setup. I don't think you would need to track all the interfaces.
    JayaKrishna

  • Any known security best practices to follow for FMS deployment

    Hi all,
    We have recently deployed Flash Media Streaming server 3.5.2 and Flash Media Encoder on a Windows 2003 machine. Do you guys know of any security best practices to follow for the FMS server deployment on a Windows machine, could you please point me to that resource.

    Hi
    I will add some concepts. I am not sure how all of them work technically, but there should be enough here for you to
    dig deeper, and also a lot of this is relevant to your environment and how you want to deploy it.
    I have done a 28 server deployment, 4 origin and 24 edge servers.
    All the Edge servers on the TCP/IP properties we disabled file and printer sharing. Basically this is a way in for hackers and we disabled this only on the edge servers as these are the ones presented to the public.
    We also only allowed ports 1935, 80, 443 on our NICs. Protocol numbers are 6 and 17; this means that you are allowing UDP and TCP. So definitely test out your TCP/IP port filtering until you are comfortable that all your connection types are working and secure.
    Use RTMPE over RTMP, as it is there to be used and I am surprised not more people use it. The problem as with any other encryption protocol, it may cause higher overhead on resources of the servers holding the connections.
    You may want to look at SWF verification. In my understanding, it works as follows. You publish a SWF file on a website. This is a source code that your player uses for authentication. If you enable your edge servers to only listen for authentication requests from that SWF file, then hopefully you are really lessening the hijacking possibilities on your streams.
    If you are doing encoding via FME then I would suggest that you download the authentication plugin that is available on the Flash Media Encoder download site.
    There are other things you can look at making it more secure like adaptor.xml, using a front end load balancer, HTML domains, SWF domains,
    Firewalls and DRM.
    I hope this helps you out.
    Roberto

  • Best practices of Upgrade - 10.1.2 to 10.1.3

    One of our customer is planning to upgrade BPM (BPEL Process manager server) to latest version…(10.1.2 to 10.1.3)
    Please let me know if someone has any best practice document on this upgrade and provide some guidance to modify the old components to new components.
    This will help the customer to work with the latest oracle fusion suite of components.

    Cbeckett,
    I haven't checked yet, but my guess is that the upgrade side isn't
    ready yet - at this early stage it's more to show you what features
    are there...
    Shaun Pond

  • SAP Best Practice Baseline upgrade.

    Dear All,
    I'm quite confused here. I installed SAP BP Baseline v1.603 (Malaysia) using system copy. Everything is working fine and now I am trying to upgrade it to SAP ERP 6.0 EHP4. May I know if it is possible to upgrade to EHP4 for this best practice, because I cannot see the content upgrade for EHP4 available for Malaysia? Can I use SAPEhpi to upgrade it to EHP4? Or maybe SAP Best Practices are not allowed to upgrade to EHP4.
    Thank you

    Dear Muhamad,
    It is possible to upgrade to EHP4.
    SAP BP Baseline v1.603 is based on ERP6.0 EHP3.
    You can refer to the following comments in note 1301301:
    In order to allow you making use of functions and features
    provided with higher SAP ERP enhancement package versions, in a
    system upfront set-up via SAP BP package activation based at
    least on "SAP ERP 6.03", please follow the below mentioned steps
    to bring your system to the desired enhancement pack level:
    -  System set-up according to the requirements stated in the
       QuickGuide of the SAP BP package to be activated
    -  SAP BP package has been activated with the required scope
    -  System update using SAP EhPI to the wanted enhancement package
       level
    -  Technically SAP provides a so called "Vendor Key" for SAP EhPI
       updates of systems containing SAP BP add-ons. This is only to
       ensure that the update is technically completed. When SAP EhPI
       asks for a decision regarding installed add-ons, choose "KEEP"
       for the SAP BP add-ons. In the next step a vendor key has to
       be provided.
    For technical reasons, vendor keys are specific for the "start
    release" the update is performed from:
    SAP EhPI updates on system based on SAP_BASIS 700 - column "Key
    (700)"
    SAP EhPI updates on system based on SAP_BASIS 701 - column "Key
    (701)"
    If a vendor key does not fit at all or a software component is
    not listed below, create a customer message on component
    BC-UPG-ADDON.
    SW Component      Key (700)            Key (701)
    BP-ERP05          1831003              2899480
    BP-INSTASS        2056515              2031478
    "IMPORTANT NOTE" :
    The functionality of the already installed SAP BP add-ons based
    on the previous SAP application version - the activation of a SAP
    BP package based on the previous SAP application version - can NO
    LONGER BE USED. But of course the functionality of the new SAP
    application version as such can be used.
    But just as mentioned in this note,
    you can use the vendor key to continue with the EHP4 update, but the
    version BP-ERP05 is NOT compatible with EHP4(note 1226284).
    Therefore, do not use BP-ERP05 on EHP4. You should install the
    latest version of BP add-on version for ERP6.0 EHP4.
    With Best Regards
    Julia Song

  • Best practice for upgrading from ADS 9.1 to ADS 11

    So we will need start upgrading installs from Advantage Database Server (ADS) version 9 to ADS version 11. Is there a set of best practices? Certain procedures? How do we gracefully fall back if it doesn't work? Does anyone have experience with the dual install setup of ADS 9 and ADS 11? Did anyone else run into any issues with this upgrade path?
    Thanks in advance!
    Rodney

    Rodney,
      My first recommendation is to read the "Effects of Upgrading" section of the help file. I put the links below.
    Effects of Upgrading to Version 10
    Effects of Upgrading to Version 11
    Effects of Upgrading to Version 11.1
      The server will always work with an older client so I would recommend upgrading the server and testing it with your current application. The next step would be to upgrade the client and re-compile your application. I wouldn't anticipate any issues other than those outlined in the effects of upgrading.
      You can install multiple instances of Advantage, beginning with version 10, on the same machine. Keep in mind that only one instance, the first one installed, will be discoverable. To connect to other instances you will need to use <IP Address>:<Port> in the connection string. Details on installing additional instances of Advantage are here
    Chris

  • Ask the Expert:Configuring, Troubleshooting & Best Practices on ASA & FWSM Failover

    With Prashanth Goutham R.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the Configuring, Troubleshooting & Best Practices on Adaptive Security Appliances (ASA) & Firewall Services Module (FWSM) Failover with Prashanth Goutham. 
    Firewall Services Module (FWSM) is a high-performance stateful-inspection firewall that integrates into the Cisco® 6500 switch and 7600 router chassis. The FWSM monitors traffic flows using application inspection engines to provide a strong level of network security. Cisco ASA is a key component of the Cisco SecureX Framework, protects networks of all sizes with MultiScale performance and a comprehensive suite of highly integrated, market-leading security services.
    Prashanth Goutham is an experienced support engineer with the High Touch Technical Support (HTTS) Security team, covering all Cisco security technologies. During his four years with Cisco, he has worked with Cisco's major customers, troubleshooting routing, LAN switching, and security technologies. He is also qualified as a GIAC Certified Incident Handler (GCIH) by the SANS Institute.
    Remember to use the rating system to let Prashanth know if you have received an adequate response. 
    Prashanth might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community forum shortly after the event. This event lasts through July 13, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hello John,
    This session is on Failover Functionality on all Cisco Firewalls. I'm not a geek on QOS, however I have the answer for what you need. The way to limit traffic would be to enable QOS Policing on your Firewalls. The requirement that you have is about limiting 4 different tunnels to be utilizing the set limits and drop any further packets. This is called Traffic Policing. I tried out the following in my lab and it looks good.
    access-list tunnel_one extended permit ip 10.1.0.0 255.255.0.0 20.1.0.0 255.255.0.0
    access-list tunnel_two extended permit ip 10.2.0.0 255.255.0.0 20.2.0.0 255.255.0.0
    access-list tunnel_three extended permit ip 10.3.0.0 255.255.0.0 20.3.0.0 255.255.0.0
    access-list tunnel_four extended permit ip 10.4.0.0 255.255.0.0 20.4.0.0 255.255.0.0
    class-map Tunnel_Policy1
     match access-list tunnel_one
    class-map Tunnel_Policy2
     match access-list tunnel_two
    class-map Tunnel_Policy3
     match access-list tunnel_three
    class-map Tunnel_Policy4
     match access-list tunnel_four
    policy-map tunnel_traffic_limit
     class Tunnel_Policy1
      police output 4096000
    policy-map tunnel_traffic_limit
     class Tunnel_Policy2
      police output 5734400
    policy-map tunnel_traffic_limit
     class Tunnel_Policy3
      police output 2457600
    policy-map tunnel_traffic_limit
     class Tunnel_Policy4
      police output 4915200
    service-policy tunnel_traffic_limit interface outside
    You might want to watch out for the following changes in values:
    HTTS-SEC-R2-7-ASA5510-02(config-cmap)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy1
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4096000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy2
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 5734400
    WARNING: police rate 5734400 not supported. Rate is changed to 5734000
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy3
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 2457600
    WARNING: police rate 2457600 not supported. Rate is changed to 2457500
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#     policy-map tunnel_traffic_limit
    HTTS-SEC-R2-7-ASA5510-02(config-pmap)#      class Tunnel_Policy4
    HTTS-SEC-R2-7-ASA5510-02(config-pmap-c)#       police output 4915200
    WARNING: police rate 4915200 not supported. Rate is changed to 4915000
    I believe this is because of the software granularity and the way IOS rounds it off in multiples of a certain value, so watch out for the exact values you might get finally. I used this website to calculate your Kilobyte values to Bits: http://www.matisse.net/bitcalc/
    The Final outputs of the configured values were :
    Class-map: Tunnel_Policy1
      Output police Interface outside:
        cir 4096000 bps, bc 128000 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy2
      Output police Interface outside:
        cir 5734000 bps, bc 179187 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy3
      Output police Interface outside:
        cir 2457500 bps, bc 76796 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Class-map: Tunnel_Policy4
      Output police Interface outside:
        cir 4915000 bps, bc 153593 bytes
        conformed 0 packets, 0 bytes; actions:  transmit
        exceeded 0 packets, 0 bytes; actions:  drop
        conformed 0 bps, exceed 0 bps
    Please refer to the QOS document on CCO here for further information: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/conns_qos.html
    Hope that helps..
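
A small check for the rate rounding described in the reply above, added here as an example and not part of the original post: it pairs each `police output` command with the ASA's rate warning and compares the result with the `cir` actually enforced. The function names are illustrative; the sample lines are taken from the post, with the prompt shortened to `asa` and the packet counters omitted.

```python
import re

# Console lines taken from the session in the post above; prompt shortened to "asa".
SESSION = """\
asa(config-pmap)# class Tunnel_Policy1
asa(config-pmap-c)# police output 4096000
asa(config-pmap)# class Tunnel_Policy2
asa(config-pmap-c)# police output 5734400
WARNING: police rate 5734400 not supported. Rate is changed to 5734000
asa(config-pmap)# class Tunnel_Policy3
asa(config-pmap-c)# police output 2457600
WARNING: police rate 2457600 not supported. Rate is changed to 2457500
asa(config-pmap)# class Tunnel_Policy4
asa(config-pmap-c)# police output 4915200
WARNING: police rate 4915200 not supported. Rate is changed to 4915000
"""

# Policer statistics as shown in the post (cir lines only, counters omitted).
SHOW_OUTPUT = """\
Class-map: Tunnel_Policy1
  Output police Interface outside:
    cir 4096000 bps, bc 128000 bytes
Class-map: Tunnel_Policy2
  Output police Interface outside:
    cir 5734000 bps, bc 179187 bytes
Class-map: Tunnel_Policy3
  Output police Interface outside:
    cir 2457500 bps, bc 76796 bytes
Class-map: Tunnel_Policy4
  Output police Interface outside:
    cir 4915000 bps, bc 153593 bytes
"""

CLASS_RE = re.compile(r"#\s*class\s+(\S+)")
POLICE_RE = re.compile(r"#\s*police\s+(?:input|output)\s+(\d+)")
WARN_RE = re.compile(r"WARNING: police rate (\d+) not supported\. Rate is changed to (\d+)")
SHOW_CLASS_RE = re.compile(r"Class-map:\s+(\S+)")
CIR_RE = re.compile(r"cir\s+(\d+)\s+bps,\s+bc\s+(\d+)\s+bytes")


def parse_session(text):
    """Map class name -> {'requested': bps typed, 'applied': bps the ASA accepted}."""
    rates, current = {}, None
    for line in text.splitlines():
        if m := CLASS_RE.search(line):
            current = m.group(1)
        elif (m := POLICE_RE.search(line)) and current:
            bps = int(m.group(1))
            rates[current] = {"requested": bps, "applied": bps}
        elif (m := WARN_RE.search(line)) and current in rates:
            # The warning follows the command it refers to; match on the rate to be sure.
            if int(m.group(1)) == rates[current]["requested"]:
                rates[current]["applied"] = int(m.group(2))
    return rates


def parse_show(text):
    """Map class name -> cir (bps) from the policer statistics output."""
    cirs, current = {}, None
    for line in text.splitlines():
        if m := SHOW_CLASS_RE.search(line):
            current = m.group(1)
        elif (m := CIR_RE.search(line)) and current:
            cirs[current] = int(m.group(1))
    return cirs


def audit(session, show):
    """Return (class, requested, enforced, shortfall) where the enforced rate differs."""
    running = parse_show(show)
    findings = []
    for name, rate in parse_session(session).items():
        enforced = running.get(name, rate["applied"])
        if enforced != rate["requested"]:
            findings.append((name, rate["requested"], enforced, rate["requested"] - enforced))
    return findings


if __name__ == "__main__":
    for name, want, got, delta in audit(SESSION, SHOW_OUTPUT):
        print(f"{name}: requested {want} bps, enforced {got} bps ({delta} bps lower)")
```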

  • What are the best practices in upgrading from mac OS 10.5.8 to Mountain Lion?

    I want to upgrade two iMacs from 10.5.8 to Mountain Lion. I have the hard drives backed up. I also have the Snow Leopard family pack on disc.
    I want to know the best way to upgrade and get a clean install of the new OS.

    First check that the Macs will run Mountain Lion.
    Then install Snow Leopard
    Update to 10.6.8 for App Store needed for Mountain Lion
    Using App Store purchase, download and install Mountain Lion.
    Allan

  • Best practice for a distributed BI4 deployment?

    Hello Experts,
    Need suggestion on the following?
    We plan to deploy the BI4 software across 6 Servers (1 node on each server)
    We plan to dedicate 2 servers for the Management/Intelligent tier and 4 servers for the processing Tier (Webi, crystal and dashboards)
    WebApp and Database will be hosted on separate servers and will not be part of the above 6 servers.
    1 Option:
    -Install BI4 on the first server (Start a new deployment)
    -Then on the remaining 5 servers, use the option (Expand an existing deployment)
    In this approach CMS will be created on all 6 nodes however since our requirement is to have CMS on only 2 nodes (stopping it on the remaining 4 servers after install), is this a suggested approach? Since CMS poll each other a lot, we feel this might not be the best approach? Is there a possibility that there might be a negative impact on the overall platform if such an approach is considered?
    Or should we be considering other options to install BI4 software independently on each server, clustering the 2 nodes with all default services and then adding the other 4 nodes to this cluster (however creating only processing servers on these 4 nodes)?
    Look forward to your recommendations!
    Cheers,
    Vikram

    Hello,
    maybe you want to check out the SAP BI Pattern Book?!
    SAP Business Intelligence Platform Pattern Books - Business Intelligence (BusinessObjects) - SCN Wiki
    Regards
    -Seb.

  • Best practice for upgrading an old system?

    My Archlinux installation seems to have been upgraded over three years ago for the last time. Today, a naive pacman -Syu resulted in a number of file conflict errors and wasn't carried out.
    I then checked the list of announcements since 2011 and identified a few that included the string "manual intervention required". I believe that it was the update of the "filesystems" package that didn't work, again due to conflicts, probably related to the move from /lib to /usr/lib around that time.
    My attempt to update glibc resulted in misconfigured libraries, which took a while to sort out. While I can run commands again, I doubt that my system is in a very healthy state now.
    What should I do, what should I have done to update my Archlinux installation, untouched for 3.5 years?
    Last edited by berndbausch (2014-08-31 04:14:50)

    SoleSoul wrote:If 'pacman -Syu' works now, what makes you ask this question? Is anything still broken?
    Well, I asked the question because nothing worked after following a few of those "manual intervention required" notes. More precisely, the result of the last pacman was that literally no command worked. It turned out that the system didn't find libraries anymore, in particular the loader ld-linux.so. It took me a while to figure this out and to patch the system up enough to have it limp along. Good learning, by the way.
    After that and the suggestion in this forum that a reinstall was the best solution anyway I did just that. Since my only applications were Samba and the acpi daemon, that was not too bad. Unfortunately it's not Archlinux anymore, but Centos, which I am simply more familiar with.
