Branch office setup with L3 switch and router with IOS security

Similar Messages

• Branch  Office Setup Error.........

  hi all,
  when i try to do branch office setup from the webtogo server,the download hangs at one point and dislays this error........ this error does not appear when i do normal setup......
  webtgo.exe bad image
  "..............mysync_java.dll is not a valid windows image . please check against your installation diskette"
  i use oracle 8i database and oracle 9i lite(with latest patchset for 9i lite).
  i try to download on windows 2000 professional and 2000 server.....
  can anyone provide solution for this???????
  Thanks,
  Ashok Kumar

  Hi again
  This are my findings up to this moment
  managed somehow to pass the authentication problem and reached this exception
  Sync session exception stack trace:
  java.sql.SQLException: ORA-01403: no data found
  ORA-06512: at "MOBILEADMIN.CONS_EXT", line 216
  ORA-06512: at line 1
       at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:166)
       at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:318)
       at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:281)
       at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:636)
       at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:185)
       at oracle.jdbc.driver.T4CPreparedStatement.execute_for_rows(T4CPreparedStatement.java:799)
       at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1211)
       at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3137)
       at oracle.jdbc.driver.OraclePreparedStatement.executeUpdate(OraclePreparedStatement.java:3208)
       at oracle.lite.sync.Subscription.executeAndClose(Unknown Source)
       at oracle.lite.sync.HeliosSession.startSession(Unknown Source)
  To reach this point:
  - set the m_conn private member of the heliosSession class with reflection with value from Consolidator.getConnection()
  - set the m_client_id public member with username
  - set prviate m_passwd private member of heliosSession with reflection with the password.
  - to advance, changed in table mobileclient.c$etc_passwd with userpassword instead of null. somehow seems that heliossSession class, in initconvis method is comparring password from the file with that one, that is null. I don't know all the implications of this.
  Hope it helps
  Florin

• Branch Office setup

  Hello All.
  I have a problem with a branch office setup, and I can't for the life of me think of what the problem is.
  I have a remote office setup, using an ASA 5505 that is set up to establish an easy vpn connection to the central network.  The connection at the branch office is a 20/5 cable modem, the central network has a 25/25 fiber connection.
  The issue I have is this.  Wired clients work fine at this branch office, at least 95% of the time.  I have a lightweight AP there that can come up and join the controllers at the central network, no problem.  I haven't done anything with H-REAP because there are really no resources locally they need that would allow them to do their work, so all traffic is tunneled back to the WLC.
  Wireless clients can authenticate to the AP, and I can get 15-20ms ping responses from them all day.  Latency never comes close to the 600ms proposed limit with CAPWAP.  Yet, for some reason the performance of the clients is problematic.  Webpages will frequently not load correctly, they experience some freezing, and with one application we use - it refuses to load completely.
  If we bring these same computers to an AP connected to our central network, on the same SSID, they work flawlessly.
  Something about this particular location is causing a lot of grief for our users.
  For what it's worth, we are running WCS 7.0.230.0 and the WLCs are on 7.0.116.0.  The ASA is running a pretty basic configuration, pretty much out of the box with the easy vpn configuration entered.
  Any help on this would be appreciated, I am at my wit's end with this setup.

  Yes, 20/5 Download/Upload. 
  So I did as you suggested, here are the results with a 1400 byte packet:
  Ping statistics for 172.16.253.50:
      Packets: Sent = 100, Received = 99, Lost = 1 (1% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 17ms, Maximum = 2208ms, Average = 42ms
  That 2208ms response was an anomaly.  I ran it again and got this:
  Ping statistics for 172.16.253.50:
      Packets: Sent = 100, Received = 100, Lost = 0 (0% loss),
  Approximate round trip times in milli-seconds:
      Minimum = 16ms, Maximum = 93ms, Average = 21ms
  With this one specific application we're testing with - it stops loading at a predictable point, every time.  However, I can remain VNC'd to this machine the entire time, and do anything else on the machine, but the application will fail to load at the same point every time.  But like I said, if I bring that client back to our main network, it works just fine, so it's not the application itself causing the problem, and we have other, smaller issues with other applications we have.  It's really bizarre.
  It's really not acting like interference.  I just set up a new site with an identical configuration - but with a 3502i AP, and I can replicate the behavior at that location too.  Unfortunately at this time we don't have anything to study the traffic with - I actually have a call on a solution for that this afternoon.

• Using another switch or router with TC???

  Do you use another ethernet switch or router with an integrated ethernet switch with your TC??? How do you have things setup?
  BTW: I'm running out of physical ethernet ports and I need to use Vonage...
  R

  If you're out of LAN ports then yes, you need a switch. Plug it into your TC and plug other stuff into the switch. Simple.
  When buying a switch, remember one of its ports will be occupied by the connection to the TC. For example, if you're using all three TC LAN ports, buying a five port switch results in a net gain of only three ports: one of them is needed for the uplink, and the one you had to unplug from the TC must now be connected to the switch... three remain.
  Fortunately they're not expensive.

• Which Switch and Router to choose?

  I am interested in purchasing a Cisco Switch and Router, or possible a Cisco Switch Router.
  However, I am not sure of what model to go with.
  Currently, we have a network with about 200 Workstations and 30 Servers for our Corporation Infrastructure.
  Also, for our lab, we have about 50 Linux Based Servers, and 30 Solaris Based Servers, that are part of our Network. We are a Research and Development Company, and we have had issues with the Lab machines bringing down our network, as well as our corporate network adversely affecting the lab machines. What we would like to do is segment the network so that the different areas will be isolated. However, we also would like to have a lot of control over the traffic that will be able to cross from our network into the lab so that users will still be able to run their tests.
  Security is also an issue, and it would be great to have more control, and a better view of what kind of traffic is running through our network.
  Currently, we have about 8 Gigabyte Switches which are unmanaged (Linksys and NetGear). Our idea was to get a 1 or 2 Cisco Switch Routers, and then split them up into VLANS and cascade our current switches so that we can still make use of them. The other ideas was to just get a Cisco Switch and use our CheckPoint Router/Firewall to do the routing.
  Can you give me any advice as to what model of Cisco Product you would recommend?
  Is it better to go with a Switch Router, or simply get a separate Switch and Router?
  Please note that all of our Machines have 10/100/1000 NICs, so the device will need to be Gigabyte.
  Thanks you so much!

  You have two choices. Either to use a chassis based solution or to use stacable switches such as a 3750. Are all the cat 5(or 5e,6) runs coming into one centralized location ? Or are there separate wiring closets that you plan to put. If then we need to put separate switches at those locations and run fiber back to the central location which has a chassis based or stackable switch.
  If using a chassis based solution, you can get a 4506 (4507 for redundancy, with a redundant supervisor engine). Supervisor engine is nothing but the CPU of the switch. 4506 is a 6 slot modular switch with 2 power supplies for redundancy. You cannot add two Supervisor engines on a 4506 (4507 can).
  Slot 1 is always for supervisor engine, the remaining 5 slots you can fill using 48 port 10/100/1000 modules.(48 * 5 = 240). So your maximum port density is 240 ports on a 4506. (Note that there are 4507, 4510 which are similar models with more slots)
  If using 3750, you can stack upto 9 switches in a stack using stacking cables on the back side of the switch. Each switch will have 48 ports (10/100/1000) and you can stack 5 switches to get 240 ports.
  For the firewall I would recommend using a PIX 515E, (Why go for Checkpoint firewall when you can use all Cisco). For routing between the vlans, the switches that I recommended above are all Layer 3 switches. They will route between the different vlans. You can also configure ACLs to restrict traffic between multiple vlans.
  HTH

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Has anyone deployed converged access with 3850 switches and 5760 WLCs?

  Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs In a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
  Now Cisco is telling us that there is new design such that the dats plane traffic can be dropped locally through the 3850 switched. I am not sold on this and have not found any recommended best practices on when should we use a converged access architecture.
  Pros
  With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
  Less hops for voice calls from user A to user B as data control traffic is dropped locally.
  Cons
  Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
  Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
  Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like an university.
  Can someone convince me why would a customer choose converged access?
  Sent from Cisco Technical Support iPad App

  They choose CA because of the capwap termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though is you want to tunnel traffic to an anchor WLC.
  Sent from Cisco Technical Support iPhone App

• Trouble with CCME 4 and VIC2-2FXO; IOS 12.4(9)T

  Trouble with CCME 4 and VIC2-2FXO; IOS 12.4(9)T
  I am having trouble making outgoing call or answering incoming call.
  When I try to call out from my IP 7961 phone, it fails with the message "unknown number".
  For incoming call, it rings but when I pick up the call nothing happens,
  Put the receiver back on hook, the phone carries on ringing. I am in UK
  and just trying to set up test system with one analogue line. Any help will
  be most appreciated. My config of the 2811 router is posted below. All calls ineternally works fine.
  Thank you for your help.
  hostname Test-CME
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1 10.10.10.10
  ip dhcp excluded-address 10.139.139.1 10.139.139.10
  ip dhcp pool host
  network 10.10.10.0 255.255.255.0
  default-router 10.10.10.1
  option 150 ip 10.10.10.1
  ip dhcp pool data
  network 10.139.139.0 255.255.255.0
  default-router 10.139.139.1
  dns-server 10.139.139.5
  voice-card 0
  no dspfarm
  voice service voip
  allow-connections h323 to h323
  allow-connections h323 to sip
  allow-connections sip to h323
  allow-connections sip to sip
  supplementary-service h450.12
  h323
  sip
  header-passing
  registrar server expires max 3600 min 3600
  interface FastEthernet0/1
  no ip address
  no ip mroute-cache
  duplex auto
  speed auto
  no shut
  interface FastEthernet0/1.2
  description ** Data VLAN **
  encapsulation dot1Q 2
  ip address 10.139.139.1 255.255.255.0
  interface FastEthernet0/1.3
  description ** Voice VLAN **
  encapsulation dot1Q 3
  ip address 10.10.10.1 255.255.255.0
  ip http server
  ip http authentication local
  no ip http secure-server
  ip http path flash:
  tftp-server flash:S00104000100.sbn
  tftp-server flash:TERM41.7-0-3-0S.loads
  tftp-server flash:term61.default.loads
  tftp-server flash:term41.default.loads
  tftp-server flash:CVM41.2-0-2-26.sbn
  tftp-server flash:cnu41.2-7-6-26.sbn
  tftp-server flash:Jar41.2-9-2-26.sbn
  tftp-server flash:term70.default.loads
  tftp-server flash:term71.default.loads
  tftp-server flash:cnu70.2-7-6-26.sbn
  tftp-server flash:Jar70.2-9-2-26.sbn
  tftp-server flash:TERM70.7-0-3-0S.loads
  tftp-server flash:CVM70.2-0-2-26.sbn
  control-plane
  voice-port 0/3/0
  connection plar opx 202
  caller-id enable
  dial-peer voice 1 pots
  incoming called-number .
  destination-pattern 9T
  port 0/3/0
  telephony-service
  load 7914 S00104000100
  load 7941 TERM41.7-0-3-0S
  load 7961 TERM41.7-0-3-0S
  load 7970 TERM70.7-0-3-0S
  max-ephones 20
  max-dn 40
  ip source-address 10.10.10.1 port 2000
  calling-number initiator
  service phone videoCapability 1
  system message MKC CME
  url services http://10.10.10.1/voiceview/common/login.do
  url authentication
  http://10.10.10.1/voiceview/authentication/authenticate.do
  time-zone 21
  date-format dd-mm-yy
  voicemail 600
  max-conferences 8 gain -6
  call-forward pattern .T
  call-forward system redirecting-expanded
  moh music-on-hold.au
  web admin system name admin secret 0 test
  dn-webedit
  time-webedit
  transfer-system full-consult dss
  transfer-pattern 9.T
  secondary-dialtone 9
  create cnf-files
  ephone-dn 1 dual-line
  number 201
  label 201
  description Sarah
  name Sarah
  ephone-dn 2 dual-line
  number 202
  label 202
  description Vitthal
  name User2 Vitthal
  ephone-dn 3 dual-line
  number 203 secondary
  label 203
  description Neil
  name User3 Neil
  ephone 1
  video
  username "user1" password 201
  mac-address 0018.18EE.947F
  type 7961 addon 1 7914
  button 1:1
  ephone 2
  video
  username "user2" password 202
  mac-address 0018.18BB.B973
  type 7941
  button 1:2
  ephone 3
  video
  username "user3" password 203
  mac-address 0018.1885.6BA2
  type 7970
  button 1:3

  Hi
  Please find enclosed debug attachment for voice ccapi and ephone. First, I called from outside. Extension 202 rings but when I answered on extension 202 nothing happens. Replace the rceiever and the pone starts ringing again.Second step. I tried to call out by dialing 9 and then number but after a while phone displays unknown number.
  Thank you for your help.
  Vitthal

• MY system folder, including hidden folders are littered with duplicate folders and files with the suffix (from old Mac) How do I remove them

  I have a Macbook Pro running Leopard 10.5.8. I had a problem with my my operating system (my fault, I moved a file I shoudnt have) couldnt boot up but was able to boot up from a backup. I managed to repair my original system except now all the system folders, including hidden folders are littered with duplicate folders and files with the suffix (from old Mac).  For the most part the dupes are an exact copy, but not always.  I want to remove them to free up space and cant imagine duplicate folders in the /system/library are not hindering my computer. But I dont know where to start and am afraid of doing irreparable damage. Any ideas

  pacull,
  Use iCal>View>Show Notifications to choose what to do with the notification.

• I can't install ADE on my PC, because as I try to open it a message of error appears to me: The application will be closed. I've already try with different browsers and also with the manual installation, but nothing..

  I can't install ADE on my PC, because as I try to open it a message of error appears to me: The application will be closed. I've already try with different browsers and also with the manual installation, but nothing..

  1
  Close all iWork applications
  2
  Uninstall Keynote; this must be done with an application remover tool to delete the installation properly. Appcleaner is known to work correctly for this purpose, it is free and can be downloaded from here: Appcleaner Download
  3
  empty the trash
  4
  shutdown the Mac and restart. After the start up chime, hold down the shift key until the apple logo appears
  let the Mac complete the start up procedure completely, it will take longer than usual as the hard drive is being repaired
  5
  Reinstall Keynote by logging into the Mac App Store using download / install

• APPLE DOCKING STATION NO LONGER WORKS WITH TOUCH 3G and 4G after ios 4.2.1

  APPLE DOCKING STATION NO LONGER WORKS WITH TOUCH 3G and 4G after ios 4.2.1 update.
  I have both of these touches. I updated both 3g and 4g to ios 4.2.1 and poof...no docking station support other than charging, no audio and no remote function. My av/cable works with the tv, and the headphone jack still outputs audio, just no auido through the Apple dock and hte remote is dead. I purchased the dock from the apple store last year and it was working with both ipod 3g and 4g grrrrr...
  Is Apple now in the bug trade business?, trade one for another....
  Anyone else have this problem?

  My iPod Touch 3G running 4.2.1 works fine with the Apple docking station.
  Perhaps you have a loose cable somewhere and/or a dead battery in your controller?

• Why my MacBook pro with Maverick, when I'm connected with internet key and connect with usb cable my HTC One the Mac restat with error?

  Why my MacBook pro with Maverick, when I'm connected with internet key and connect with usb cable my HTC One the Mac restat with error?

  Solution may be found if you search in the "More Like This" section over in the right column. 

• What  is mechanism to integrate with the rdf and Rtf with concurrent manger

  hi
  what is mechanism to integrate with the rdf and Rtf with concurrent manger in oracle apps .
  can any one help me
  Thanks in advance

  1. Create executable for Oracle Reports.
  2. Create a concurrent program based on this executable with output type as xml.
  3. Now from XMLP responsibility, create a data definition with data definition short code = concurrent program short code
  4. Create template definition choosing the data definition created above. Upload RTF/other template format created.
  Now run the concurrent program and test it.
  Step by step guide is available here http://www.oracle.com/technetwork/middleware/bi-publisher/overview/xmlebsrep-132947.pdf

• I do a movie whith iMovie. I finalize the project and I pass it to iDvd. Then I do a little menu and I burn my DVD. When I play my DVD on a computer or in my TV it ALWAYS begins directly with the movie and not with the menu... PLEASE HELP!!!!

  I do a movie whith iMovie. I finalize the project and I pass it to iDvd. Then I do a little menu and I burn my DVD. When I play my DVD on a computer or in my TV it ALWAYS begins directly with the movie and not with the menu... PLEASE HELP!!!!

  Go to the Map mode in your iDVD project and make sure the blue bin at the left is empty.  That's where you drag slideshows to if you want the DVD to open immediately to that slideshow and bypass the menu. 
  Click to view full size
  If there is an item in there drag it out.
  OT

• When i open my emails with outlook first and then with my ipad 4, the ipad does not show me that i have new mail despite that it actually downloads them. iphone 3g and 4s used to do that. any suggestions please?

  when i open my emails with outlook first and then with my ipad 4, the ipad does not show me that i have new mail despite that it actually downloads them. iphone 3g and 4s used to show them as new emails. any suggestions?

  1. Open iTunes.
  2. Click the View option in the iTunes menu.
  3. Select the Show Sidebar option.
  Connect your phone, select it in the Sidebar...the various tabs will now show as before.