Can a single interface accommodate multiple bridge groups
Hi,
I am working on building a FW configuration to serve a multi-tier environment. The FW is in Transparent Mode, Sw Ver 8.4, which supports Bridge-group.
My question is whether the FW supports having multiple Bridge-groups under a single interface. If not, what are the alternatives?
firewall transparent
interface gi0/0
nameif outside
security-level 0
bridge-group-1
bridge-group-2
interface gi0/1
nameif WebServers
security-level 50
bridge-group-1
interface e0/2
nameif AppServers
security-level 100
bridge-group-2
Thanks
Hello,
That is not possible. Each interface will need to be assigned to a specific bridge group.
The alternative would be to use a dedicated pair of interfaces for each bridge group.
Regards,
Julio
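As an added example (not code from the thread or from Cisco), the Python script below lints an ASA transparent-mode interface configuration against the two rules in the reply: an interface belongs to at most one bridge group, and each bridge group gets a dedicated pair of interfaces. Both configurations inside it are constructed: the first reproduces the question's layout in the ASA `bridge-group N` syntax, with GigabitEthernet0/2 standing in for the question's e0/2; the second is one way to lay out the "dedicated pair per bridge group" alternative, and its interface names and nameifs (outside-web, outside-app) are assumptions.

```python
import re
from collections import defaultdict

# Constructed: the question's layout, in ASA "bridge-group N" syntax.
BROKEN_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 bridge-group 2
interface GigabitEthernet0/1
 nameif WebServers
 security-level 50
 bridge-group 1
interface GigabitEthernet0/2
 nameif AppServers
 security-level 100
 bridge-group 2
"""

# Constructed: the reply's alternative, one dedicated interface pair per
# bridge group (interface and nameif values are assumptions).
FIXED_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0
 nameif outside-web
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1
 nameif WebServers
 security-level 50
 bridge-group 1
interface GigabitEthernet0/2
 nameif outside-app
 security-level 0
 bridge-group 2
interface GigabitEthernet0/3
 nameif AppServers
 security-level 100
 bridge-group 2
"""


def parse_interfaces(config):
    """Map each interface to its nameif and the bridge groups it was put in.

    Only the three keywords the check needs are read; everything else in an
    interface section is ignored."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"nameif": None, "bridge_groups": []}
            continue
        if current is None:
            continue
        m = re.fullmatch(r"nameif\s+(\S+)", line)
        if m:
            interfaces[current]["nameif"] = m.group(1)
            continue
        m = re.fullmatch(r"bridge-group\s+(\d+)", line)
        if m:
            interfaces[current]["bridge_groups"].append(int(m.group(1)))
    return interfaces


def check_bridge_groups(config):
    """Return a list of findings; an empty list means the layout is valid."""
    findings = []
    members = defaultdict(list)   # bridge group -> interfaces placed in it
    for name, data in parse_interfaces(config).items():
        groups = sorted(set(data["bridge_groups"]))
        if len(groups) > 1:
            findings.append(
                f"{name} ({data['nameif']}): assigned to bridge groups "
                f"{groups}; an interface can belong to only one")
        for g in groups:
            members[g].append(name)
    for g, names in sorted(members.items()):
        if len(names) < 2:
            findings.append(
                f"bridge-group {g}: only {names}; a bridge group needs a "
                "dedicated pair of interfaces to pass traffic")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {check_bridge_groups(cfg) or ['OK']}")
```

Run as-is, the script reports the double assignment on GigabitEthernet0/0 for the first layout and nothing for the second; feeding it a `show running-config` excerpt from a real unit needs no changes beyond the input text, since the parser only looks at `interface`, `nameif` and `bridge-group` lines.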
Similar Messages
-
ASA 5585-X multiple bridge-groups expected behaviour
Hi all,
suppose a deploy of an asa5585-x in transparent mode made by two bridge-groups (2 interfaces each).
Now suppose that a new traffic flow in direction north-south traverses the bvi1. What's the expected behavior if the traffic going back (south-north) will traverse the bvi2? Will be that traffic correctly recognized as part of the flow previously detected?
Regards.
A.M.
Discovered today that the 'fix' I mention above is more of a workaround, because when I initiated a manual failover for one of the failover groups, the alerts returned. And the failover status was again on Normal (Waiting) for a couple of monitored logical interfaces.
I was able to work around the problem as described above. -
Can Single Trip have multiple travel expense reports?
Hi All,
Can a single trip have more than one travel expense report linked to it?
My Client requires different travel receipts for a single trip to have different paymnet cycles.
Say for a single trip (for 20 days) the airfare paid needs to be settled in next 7 days and the hotel will be reimbursed when employee finishes the trip i.e. after 20 days in this ex.
Can each of these receipts be settled and then posted to finance separately if they are part of the same travel expense report.
OR can we have different travel expense reports for the same trip which could then be settled and posted to finance individually?
Regards,
Amit
Hi,
I think you have some different possibilities:
- Let your employees create different travel expenses in the same period (Define Schema and Individual Field Control).
- Let your employee modify a travel expense with settlement status: "settle".
Marta. -
Can single machine have multiple JVM running ?
Hi ,
I have two questions.
1) I have jboss4 and tomcat 5 running on a single machine; does it mean that they are running in the same JVM?
2) If not, how can I configure JBoss and Tomcat to run in the same/different JVM but on the same single physical machine?
Please help me
Thanks in advance
Shujat
schodt wrote:
Greek wrote:
1) I have jboss4 and tomcat 5 running on a single machine; does it mean that they are running in the same JVM?
In the same JVM instance - no.
On the same Java installation - depends on how you run them.
2) If not, how can I configure JBoss and Tomcat to run in the same/different JVM but on the same single physical machine?
For JBoss you set JAVA_HOME.
For tomcat - I dunno - should be in the documentation somewhere.
Thanks for reply
for both jboss and tomcat I have set JAVA_HOME to the same path; how do I ensure that they are running in the same jvm instance. -
Hello All,
I have a question about Bridge Groups if someone can help me. So, I have two bridge groups on one FWSM obviously using two different IP Scopes. However I can only have one default route so for instance.
BVI 1 - 192.168.1.4 (outside1)
BVI 2 - 192.168.2.4 (outside2)
ip route outside1 0.0.0.0 0.0.0.0 192.168.1.1
I now obviously cannot put another default route statement in, so how does the FWSM route traffic whose destination it doesn't know when the source is from 192.168.2.x? Does it send it out 192.168.1.1? If so, does this become a suboptimal routing issue, and is there possibly a better solution than this? Or is this normal and everything is ok? Thanks in advance to all who reply!
Hi John,
When the FWSM uses bridge-groups, it is configured in transparent (layer 2) mode. Because of this, the FWSM won't be responsible for routing traffic. It will use a MAC address lookup instead:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1232185
One exception to this is management traffic to/from the FWSM. For this, you'll need to specify separate static routes:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/fwmode_f.html#wp1202704
"The default route for the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because the default route specifies an interface in the bridge group as well as the router IP address on the bridge group network, and you can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic."
-Mike -
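As an added example (not from the thread or from Cisco's documentation), the Python model below applies the rule in the quoted paragraph to the two bridge groups from the question: a reply to a management host is sent through the bridge group that owns the egress interface of the matching route, there is exactly one default route, and hosts on a BVI network are directly attached. The inside nameifs, the 10.x management networks and the sample source hosts are constructed values; the model covers the documented behaviour, not the FWSM's real forwarding code.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class BridgeGroup:
    bvi: str            # BVI address with mask, e.g. "192.168.1.4/24"
    interfaces: set     # nameif values of the member interfaces


@dataclass
class Route:
    interface: str      # egress nameif, as in "route <nameif> ..."
    prefix: str         # destination network in CIDR form
    gateway: str


# Constructed from the question: two bridge groups (inside nameifs assumed).
BRIDGE_GROUPS = {
    1: BridgeGroup("192.168.1.4/24", {"outside1", "inside1"}),
    2: BridgeGroup("192.168.2.4/24", {"outside2", "inside2"}),
}
# The single default route from the question.
ROUTES_ONE_DEFAULT = [Route("outside1", "0.0.0.0/0", "192.168.1.1")]
# Plus the static route the guide asks for; 10.20.0.0/16 is an assumed
# management network reached through the bridge-group 2 router.
ROUTES_WITH_STATIC = ROUTES_ONE_DEFAULT + [
    Route("outside2", "10.20.0.0/16", "192.168.2.1"),
]


def lookup(routes, dst):
    """Longest-prefix match over the static routes; None if nothing covers dst."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def return_group(routes, bridge_groups, dst):
    """Bridge group through which a reply to dst leaves, or None.

    A host on a BVI network is directly attached (reached by MAC lookup);
    anything else needs a static route whose egress interface belongs to
    some bridge group."""
    dst_ip = ipaddress.ip_address(dst)
    for gid, bg in bridge_groups.items():
        if dst_ip in ipaddress.ip_interface(bg.bvi).network:
            return gid
    route = lookup(routes, dst)
    if route is None:
        return None
    for gid, bg in bridge_groups.items():
        if route.interface in bg.interfaces:
            return gid
    return None


def audit(routes, bridge_groups, expected_sources):
    """expected_sources maps a bridge group to sample management source IPs
    that reach the firewall through that group.  The result maps each group
    to {source: True/False}; False means the reply would leave through the
    wrong bridge group (or has no route), so management from there breaks."""
    return {
        gid: {src: return_group(routes, bridge_groups, src) == gid for src in srcs}
        for gid, srcs in expected_sources.items()
    }


# Constructed sample sources: one local and one remote host per bridge group.
EXPECTED_SOURCES = {
    1: ["192.168.1.50", "10.10.5.5"],
    2: ["192.168.2.50", "10.20.5.5"],
}

if __name__ == "__main__":
    print("default only:", audit(ROUTES_ONE_DEFAULT, BRIDGE_GROUPS, EXPECTED_SOURCES))
    print("with static :", audit(ROUTES_WITH_STATIC, BRIDGE_GROUPS, EXPECTED_SOURCES))
```

With only the default route, the remote management host behind bridge group 2 is the one entry that comes back False: its reply matches the default route and leaves through outside1, the wrong bridge group, which is exactly the case the quoted guide says a per-network static route must cover.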
Cisco ASASM Bridge-group support
How many bridge groups total are supported. If I have 100 contexts, can each context run 8 bridge groups each for a total of 800 bridge groups? What is the max?
-
Provisioning multiple AD Groups from a Single Privilege
Experts,
We're encountering a situation here when we provision to multiple Active Directory groups from a single IDM Role.
The scenario is this:
We have a workflow that has multiple conditional and switch tasks that result in the provisioning of users to Active Directory 2008 (mixed mode) Our workflow uses the provisioning framework and all users have been granted the ONLY privilege for the system.
The workflow will result in adding the users to multiple AD groups sometimes two AD groups that are associated with a single IDM role. The first assignment always works, the second does simply does not occur, no entry in the system or job log although IDM does show that the role has been assigned with an 'OK' status.
We've accomplished a workaround by redesigning the workflow so that only single roles are assigned at a time and using chain result OK links to move from one provisioning activity to another, but frankly, we are unsatisfied with this. IDM should be handling this much better through
I'm wondering if we have a pending value floating out there and we should just be applying the pending value at the end of every AD group add.
Any thoughts on this would be appreciated.
Thanks,
Matt
Matt,
In your post you mention "I'm wondering if we have a pending value floating out there and we should just be applying the pending value at the end of every AD group add"... I'm faced with a similar issue where I'm left with pending values for privileges after the group is assigned.
I've imported the AD groups as privileges. I assign them without issue. But when I review the assignments I can see that each corresponding privilege assignment now has a pending value. I can not remove the privilege from the user at this point.
Have you seen this before? Any suggestions on how I can clean this up. BTW, I'm using the SAP PF basically unchanged...
Thanks! -
How can I place calendars in multiple calendar groups?
I would like to use a group for each of my family members but reference some of the same calendars from multiple calendar groups. Here is an example:
Lets say I have a calendar for school, sport1, sport2, activity, family, and work
I would like the groups to look like this:
Me: family and work
Wife: activity and family
Son_1: school, sport1 and family
Son_2: school, sport2 and family
When a group is visible, that person can see the activities in which they participate. When several groups are visible, though, only single copies of shared events would appear and shared events would only have to be entered once.
Is there a way to do this or do I need to place this on the feedback page?
Bernd Alheit wrote:
How can I place Windows Media Player in my PDF?
Why do you want the media player in a pdf file?
e.g. pushing Mozart - button to listen to Mozart's music. But it must be a script not embedded player. Is it possible? -
Does anyone know how the internal DHCP server in these access points connects to virtual interfaces and bridges in the unit?
Is there some sort of default connection that connects the DHCP server to the native bridge group or VLAN?
In a test case, with an SSID in the native VLAN and bridge group, the 1702i serves an IP address to a wireless client no problem. But with a second SSID in a non native VLAN and bridge group, no IP gets served. My only guess is that since the bvi1 defaults to the native bridge group and VLAN, sub-interfaces also in this group are assumed to be in the same subnet as bvi1, or in this case:
interface bvi1
ip address 192.168.1.205 255.255.255.0
no ip route-cache
exit
It would be the ..1. subnet.
Since the dhcp pool is set as:
ip dhcp pool GeneralWiFi
network 192.168.1.0 255.255.255.0
lease 1
default-router 192.168.1.1
dns-server 8.8.8.8
exit
There may be an assumption that anything bvi1 can talk to is in the ..1. subnet, so the above pool gets activated on a request coming through bvi1.
Is the DHCP server just hanging out waiting for a request from an "area" that is assumed to be on the same subnet as the given pool?
Do I need to somehow show the device what subnet the 2nd SSID/ subinterfaces are in so the internal DHCP server can decide it needs to go to work, or is there some sort of bridging between the DHCP server and the interfaces that needs to be done? I am trying to use the same DHCP pool for the second subnet at this point, since I assume I will need another router to service an additional subnet and DHCP pool.
Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
HTH,
Steve -
Can anyone explain how this works (vlans and bridge groups)
Can someone please explain how this works...I have started to have problems but nothing changed. My problems are vlan1 and 1000 getting blocked on the switchport where the root bridge is attached.
ROOT BRIDGE:
ssid state
station-role root bridge
rts threshold 4000
concatenation
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
no snmp trap link-status
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.911
encapsulation dot1Q 911
no ip route-cache
no snmp trap link-status
bridge-group 5
interface Dot11Radio0.1000
encapsulation dot1Q 1000
no ip route-cache
no snmp trap link-status
bridge-group 2
bridge-group 2 spanning-disabled
interface Dot11Radio0.2001
encapsulation dot1Q 2001
no ip route-cache
no snmp trap link-status
bridge-group 253
bridge-group 253 spanning-disabled
interface Dot11Radio0.2120
encapsulation dot1Q 2120
no ip route-cache
no snmp trap link-status
bridge-group 7
interface Dot11Radio0.2330
encapsulation dot1Q 2330
no ip route-cache
no snmp trap link-status
bridge-group 3
bridge-group 3 spanning-disabled
interface Dot11Radio0.2336
encapsulation dot1Q 2336
no ip route-cache
no snmp trap link-status
bridge-group 4
interface Dot11Radio0.2350
encapsulation dot1Q 2350
no ip route-cache
no snmp trap link-status
bridge-group 6
interface Dot11Radio0.2901
encapsulation dot1Q 2901
no ip route-cache
no snmp trap link-status
bridge-group 255
bridge-group 255 spanning-disabled
interface Dot11Radio0.2902
encapsulation dot1Q 2902
no ip route-cache
no snmp trap link-status
bridge-group 254
bridge-group 254 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
interface FastEthernet0.1
encapsulation dot1Q 1
no ip route-cache
no snmp trap link-status
interface FastEthernet0.911
encapsulation dot1Q 911
no ip route-cache
no snmp trap link-status
bridge-group 5
interface FastEthernet0.1000
encapsulation dot1Q 1000 native
ip address 10.0.32.10 255.255.255.0
no ip route-cache
no snmp trap link-status
bridge-group 1
interface FastEthernet0.2001
encapsulation dot1Q 2001
no ip route-cache
no snmp trap link-status
bridge-group 253
bridge-group 253 spanning-disabled
interface FastEthernet0.2120
encapsulation dot1Q 2120
no ip route-cache
no snmp trap link-status
bridge-group 7
interface FastEthernet0.2330
encapsulation dot1Q 2330
no ip route-cache
no snmp trap link-status
bridge-group 3
interface FastEthernet0.2336
encapsulation dot1Q 2336
no ip route-cache
no snmp trap link-status
bridge-group 4
interface FastEthernet0.2350
description 81 River Rd - Labor
encapsulation dot1Q 2350
no ip route-cache
no snmp trap link-status
bridge-group 6
interface FastEthernet0.2901
encapsulation dot1Q 2901
no ip route-cache
no snmp trap link-status
bridge-group 255
bridge-group 255 spanning-disabled
interface FastEthernet0.2902
encapsulation dot1Q 2902
no ip route-cache
no snmp trap link-status
bridge-group 254
bridge-group 254 spanning-disabled
interface BVI1
ip address 10.0.32.10 255.255.255.0
no ip route-cache
ip default-gateway 10.0.32.1
NON-ROOT BRIDGE#2:
ssid state
station-role non-root bridge
rts threshold 4000
concatenation
infrastructure-client
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
interface Dot11Radio0.1000
encapsulation dot1Q 1000
no ip route-cache
bridge-group 254
bridge-group 254 spanning-disabled
interface Dot11Radio0.2001
encapsulation dot1Q 2001
no ip route-cache
bridge-group 252
bridge-group 252 spanning-disabled
interface Dot11Radio0.2336
encapsulation dot1Q 2336
no ip route-cache
bridge-group 251
bridge-group 251 spanning-disabled
interface Dot11Radio0.2901
encapsulation dot1Q 2901
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
interface Dot11Radio0.2902
encapsulation dot1Q 2902
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
interface FastEthernet0
no ip address
no ip route-cache
hold-queue 80 in
interface FastEthernet0.1000
encapsulation dot1Q 1000 native
no ip route-cache
bridge-group 1
interface FastEthernet0.2001
encapsulation dot1Q 2001
no ip route-cache
bridge-group 252
bridge-group 252 spanning-disabled
interface FastEthernet0.2336
encapsulation dot1Q 2336
no ip route-cache
bridge-group 251
bridge-group 251 spanning-disabled
interface FastEthernet0.2901
encapsulation dot1Q 2901
no ip route-cache
bridge-group 253
bridge-group 253 spanning-disabled
interface FastEthernet0.2902
encapsulation dot1Q 2902
no ip route-cache
bridge-group 255
bridge-group 255 spanning-disabled
interface BVI1
ip address 10.0.32.11 255.255.255.0
no ip route-cache
ip default-gateway 10.0.32.1 -
Hi,
I have another problem - after upgrading IOS the wireless connection does not work.
After reload I have:
Configuration of subinterfaces and main interface
within the same bridge group is not permitted
STP: Unable to get the port parameters.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
Please configure the bridge group on this interface first.
SETUP: new interface NVI0 placed in "shutdown" state
My old configuration worked properly on the old software, but after the update I get this notification.
Old thread:
https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
my current sh run:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
hostname cisco
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T6.bin
boot-end-marker
logging message-counter syslog
logging buffered 4096 informational
enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s.
aaa new-model
aaa session-id common
dot11 syslog
dot11 ssid ciscowifi
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 050D031D26595D0617
dot11 wpa handshake timeout 500
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.56.1
ip dhcp pool CLIENT
import all
network 192.168.56.0 255.255.255.0
default-router 192.168.56.1
dns-server 8.8.8.8 194.204.159.1 194.204.152.34
lease 0 2
ip cef
no ip domain lookup
no ipv6 cef
multilink bundle-name authenticated
username marek password 7 00121A0908500A
archive
log config
hidekeys
ip tcp path-mtu-discovery
bridge irb
interface ATM0
description Polaczenie ADSL do ISP$ES_WAN$
no ip address
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
hold-queue 224 in
interface FastEthernet0
description Edzia
interface FastEthernet1
description dom
interface FastEthernet2
description Dziadek
interface FastEthernet3
interface Dot11Radio0
no ip address
no ip redirects
ip local-proxy-arp
ip nat inside
ip virtual-reassembly
no dot11 extension aironet
encryption vlan 1 mode ciphers tkip
encryption mode ciphers aes-ccm tkip
broadcast-key change 3600
ssid ciscowifi
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
world-mode dot11d country AU indoor
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
description ciscowifi
encapsulation dot1Q 1 native
no cdp enable
interface Vlan1
no ip address
bridge-group 1
interface Dialer0
description Interfejs dzwoniacy
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx
interface BVI1
description Polaczenie dla sieci LAN
ip address 192.168.56.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22
logging trap debugging
logging 192.168.56.10
access-list 100 permit ip 192.168.56.0 0.0.0.255 any
access-list 100 deny ip any any
no cdp run
snmp-server community ciskacz RO
snmp-server chassis-id ciskacz
control-plane
bridge 1 protocol ieee
bridge 1 route ip
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport preferred ssh
transport input ssh
scheduler max-task-time 5000
end
please help - thanks!
Hello Marek,
I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
Remove the Dot11Radio0.1 subinterface entirely
In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
In the dot11 ssid ciscowifi section, remove the vlan 1 command
After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
Best regards,
Peter -
Multiple sales groups in a single sales office
Hi ,
Can we maintain multiple sales groups for a single sales office in SAP CRM?
Hi
No, we cannot maintain multiple sales groups for a single sales office in SAP CRM unless we convert the org model to represent multiple assignments in SAP ECC or R/3.
Path for maintaining this setting is
spro>crm>org management>data transfer>convert org model to represent multiple assignments of SAP ECC.
or
Transaction code- CRMSC_SWITCH_ORGMODEL
Reward points if it helps
Regards
Nadh. -
VCenter Single Sign-On Permissions Assignment for Members of Multiple AD Groups
Hi all,
I ran across an interesting issue whilst assigning permissions using Active Directory groups within vCenter.
Environment
1 vCenter Appliance managing 2 Datacenters (1 Datacenter with 2 Clusters, 1 Cluster with 2 Hosts, 1 Cluster with 4 Hosts, 1 Datacenter with 1 Cluster containing 1 host.)
vCenter has an SSO Identity Source configured using Active Directory (Integrated Windows Authentication).
vCenter and all hosts are domain members of child1.parent.com.au
The Active Directory Forest contains a parent domain, let's call it parent.com.au, and two child domains child1.parent.com.au and child2.parent.com.au.
Although the Identity Source was configured for my child domain, using child domain credentials it added the parent domain and subsequently both child domains. Okay, so there are trusts, I'm okay with this. The interesting issue is yet to come.
Two Active Directory Groups were added. Deployment Admins A and Deployment Admins B.
Two vCenter Roles were created with similar names. VM Deployers A and VM Deployers B
Deployment Admins A was assigned the Deployers A role to Cluster A (Cluster, VM Folders, Datastore Folders)
Deployment Admins B was assigned the Deployers B role to Cluster B (Cluster, VM Folders, Datastore Folders)
Note: No objects overlap. All hosts, vms and datastores are isolated to each cluster.
So the next step is to assign a child1 AD user to the Deployment Admins A group. As expected, the user using credentials child1\user can connect to vCenter via the VI Client and see all the relevant objects. Great!
So now I assign the same child1 AD user to the second AD group Deployment Admins B. Now we wait and nothing happens. The permissions don't change. The user logs out and logs back in using the same credentials and still the permissions don't change.
So I remove the user from both AD groups and get them to log out and in and sure enough they can't.
This time I assign the child1\user account the roles as set out previously. So child1\user account is assigned to both roles in place of each AD Group. The expected behaviour is observed. As I add the second permission set, the objects become visible within the VI client.
Okay so now I remove the explicitly assigned permissions and reassign via the groups and this time I ask the user to log in via the UPN ([email protected]). Whoa! It works.
So it seems that assigning permissions for the same user in multiple AD groups across multiple roles can only be achieved when the user uses a UPN login to the VI Client.
Has anybody else found this to be the case?
If so, were you able to fix it?
Hello,
I have found this to be the case and think it is more due to SSO than AD. If you look at how you login as the 'administrator' when you first configure SSO it is in effect using UPN. I would raise this as a case to VMware and make sure they are aware of the issue. There are some issues with SSO being worked each day.
Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011,2012,2013,2014
Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast -
Working on a single computer with multiple users, I have set things up to allow each user to view and listen to the others' music libraries under the "Shared Library" function. Can you then connect an iPod touch and copy music from a shared library?
Was your wife logged into the library at the time you tried to log in? I have had a similar problem and it was because another user was logged into the library when I attempted to. I got the permission denied banner.
-
Can i create a single image from multiple images in lightroom?
Can i create a single image from multiple images in lightroom?
Like a panorama, a composite or focus stack? Have you tried the Lightroom forum?
Photoshop Lightroom