Cisco APPNAV Controller module on the WaaS - deployment
Hi, I have been using WaaS for a long time now. With the new AppNav module on the WaaS box, I am a little confused about how to deploy. I have two WAN routers connected to two firewalls in HA through L2 switches. I have two WaaS boxes in-line between the L2 switch and WAN routers and it's working so far!
Now I am upgrading the WaaS setup and I have three 8541 WaaS boxes with the AppNav module on them and want to deploy them. Which deployment design should I go for?
Regards
Pradyetendu,
As a Cisco partner, you have access to additional resources, including some training material.
Partner WAAS Community Site.
https://communities.cisco.com/community/partner/datacenter/products/waas
WAAS 5.0 Training Material
https://communities.cisco.com/docs/DOC-30438
Partners with proper certification and specialization may also engage with PDI Helpdesk.
Appnav can be deployed inline or offpath. Note that appnav interfaces do not fail open as the inline modules do. You will want to consider this in your design.
Thank You,
Dan Laden
Cisco PDI Data Center
Want to know more about how PDI can assist you?
http://www.youtube.com/watch?v=4BebSCuxcQU&list=PL88EB353557455BD7
http://www.cisco.com/go/pdihelpdesk
Similar Messages
-
Deploying a custom login module to the J2EE engine
I have developed a custom login module, and want to deploy it to the SAP j2ee engine. How should I go about this ? I tried packaging it as a jar and then using the deploytool, went into user management to register the module, but when the module was invoked I got an error in the log saying "Cannot load a login module".
The way I currently deploy it is packaged with the Example Calculator, and this works. I just add my 2 java files into the web module (in com.sap.examples.calculator.beans) and it gets packaged in the war file.
Can anyone help with the "proper" way of deploying my module ?
Thanks in advance
Hi Brad,
>
> What I'm actually trying to do is NOT deploy my
> custom login module with an application. But rather
> deploy the jar file as a library to the J2EE engine,
> so that any application can use it by configuring it
> in their login stacks. I'm still not totally clear
> whether this is possible or not.
Once again - It is possible to deploy the login module as a library to the J2EE Engine; furthermore, this is the PREFERRED way to use login modules!
>
> What I have currently done:
>
> 1. developed custom login module packaged as a jar in
> NW studio (2 class files)
>
> 2. Using deploytool I deploy the jar as a library to
> the j2ee engine. This works and the library shows up
> under the libraries section.
>
> 3. Register the login module in the user
> management->manage security stores section. I'm
> unsure if this works properly. Do I just provide the
> full path to the required class ? For example
> "com.example.myloginmodule.LoginModule"
> I have a suspicion that my error of "cannot load a
> login module" stems from here.
>
> 4. I have then followed your step and added a
> reference to the library (Hard reference) and this
> seems ok.
>
Sorry, Brad, I've made a mistake here. You need to set a reference from the Security Provider Service to the library that contains the login module (not from the application). To do that at runtime, you'll have to use the Configuration Adapter service on the J2EE Engine. For a description of the procedure, see this page in the documentation: http://help.sap.com/saphelp_nw04/helpdata/en/dd/1e3a3e5069eb6ce10000000a114084/frameset.htm
You need to provide an additional entry of the following type in the security-provider.xml file:
<reference type="library" strength="weak">
Your-library-name-here
</reference>
Regards,
Ivo.
Message was edited by: Ivaylo Ivanov -
Deploying application with several web modules having the same context root
Hi,
I would like to be able to deploy an application in Weblogic 12c having one ejb module and several web modules with the same context root. Even though the web modules have the same context root, each of them is deployed to a different virtual host.
Weblogic allows deploying the modules this way as long as their targets are different (i.e. each having a distinct virtual host). However this works only when I don't select a target for the .ear:
Component        Type                    Current Targets
application.ear  Enterprise Application  (None specified)
application.jar  EJB                     AdminServer
web1.war         WEBAPP                  virtualHost1
web2.war         WEBAPP                  virtualHost2
However if I select as target for the .ear to be AdminServer, the deployment doesn't work anymore, complaining that the context roots are in conflict.
If I remove web2.war from the .ear and deploy the .ear and .jar to AdminServer and web1.war to virtualHost1, the deployment works but the strange thing is that the web application can be accessed also through the AdminServer's main network channel, even though I would expect that it should be accessible only through virtualHost1 network channel. I believe this is the reason why there are context root conflicts when specifying a target for the .ear, because both wars are made accessible to the main network channel.
The reason why I want to keep the wars inside the same .ear is because I want to make them access the application's local EJBs (since as far as I know it's not possible to access a local EJB outside the application even if they belong to the same VM).
Is there a way to deploy the web modules only to the virtual hosts without being targeted to the main network channel?
Regards,
Alexandru
Murphy's Law: If anything can go wrong it will
A corollary to Murphy's law: When everything fails, read the manual.
Web application funda: Every web application must have its own context root. So, if wkfsocos is one
web application then, wkfsocos1 is another web application -
and hence must have its own context root.
Hello Aman,
If you are in E-Commerce version 4.0, then read this
[ISA_Buildtool document |https://service.sap.com/~sapdownload/011000358700001920472003E/ISA_BuildTool_10.pdf]
to create a copy of the application in its own context root.
From your URL pattern I guess you are in E-Commerce version 4.0.
If you are in E-Commerce 5.0 or above, then the
[Extension Guide |http://service.sap.com/~sapdownload/011000358700006120622006E/]gives steps to create a copy with its own context root for use in modification.
(See the chapter on - Creating a project specific Web Application with own context root )
Both these links require access to SAP Service Marketplace. You can also find the
documents through /instguides shortcut in Service Marketplace.
Easwar Ram
http://www.parxlns.com -
After WAAS deployment network is dead slow
Hi All
After deploying WAAS, i.e. the WAE-302 module in a Cisco 2811 router on core and edge with default settings and running WCCP on the router, the network is dead slow.
Core and edge network are connected with dedicated 2MB lease line.
License is Transport.
I can see traffic optimizing on WAE core and edge but the network is dead slow.
Any suggestions.
Regards
What was changed on the routers during this implementation? Only configuring the module, enabling wccp 61/62 and enabling redirection on the LAN/WAN interfaces?
Were additional routes added? Is it possible a routing loop was introduced? Do you see a reasonable number of connections on the WAEs?
I suggest looking at the following to see if any problems are indicated:
On the routers:
show ip wccp - should see most packets redirected via CEF
On the WAEs:
show wccp gre - look for any high counters that don't look right
type-tail syslog.txt 50 - look for messages indicating possible problems -
Remote access VPN with Cisco Router - Can not get the Internal Lan .
Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job. Please see the attachment for Scenario, Configuration and Ping status.
I am getting an IP address when I connect through the VPN client. But I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0. Please find the attached file for ping status. So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote VPN client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.) But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end
Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3. Need your help to complete the job.
Please see the attachment for Scenario, Configuration and Ping status. I am getting an IP address when I connect through the VPN client. But I cannot ping the internal LAN - 192.168.1.0. Need your help to solve the issue.
Waiting for your response.
--Milon -
Need some help with a controller module
i have a controller module with a model # of CA1009. i've been trying to track down a configuration manual online but haven't had any luck. what i'm trying to determine is whether or not this particular model supports a fiber connection.
here are some other specs:
part #: 603-6332
number above part #: KC62706LS9UA
thanks for the help!
Not sure what you're looking for here; supports a fibre connection? The 603-4406 CA1009 is the Apple Xserve RAID Controller Module, a component of the [Xserve RAID|http://manuals.info.apple.com/en/xserveraid_userguide.pdf]; it's the drive-facing part of the "whole show" within the SAN controller, and not part of the side "facing" the FC SAN.
-
I'm having issues installing starting the WDS server service on Win 2008 R2, this is happening on multiple (all 2008 R2) systems on this domain so I'm beginning to think it's either AD or network related, in event viewer I get the following error.
'An error occurred trying to start the Windows Deployment Services Server.'
Error Information: 0x0906
EventID : 257
single domain, single forest, 2008 R2 functional level, both system are virtual plugged into same vswitch on a flat network.
any ideas what might be the issue? I've never had an issue getting this working on many occasions before today and I've come to many a dead end looking at other articles thus far...
With WDS tracing enabled I get the following error information:
[4304] 09:22:11: ===>Starting logging of module [WDSServer]
[4304] 09:22:11: [UDPPorts] Policy: 1, Dynamic Port Range: 64001-65000.
[4304] 09:22:11: [RPC] Using Tcp Port 5040 for Rpc Calls.
[4304] 09:22:11: [RPC] Client Impersonation Logging=Disabled
[4304] 09:22:11: [RPC] Host Name: sccm.domain.local
[4304] 09:22:11: [RPC] NTLM/Kerberos Spn: ldap/sccm.domain.local
[4304] 09:22:11: [RPC] Initialized
[3756] 09:22:11: [RPC] Server Started.
[4304] 09:22:11: [BINLSVC][RPC][Ep={5F4FB9F0-C0E3-41C1-AA00-9A7C690AC3A3}] Registered
[4304] 09:22:11: [BINLSVC] Provider Initialized.
[4304] 09:22:11: [WDSDDPS][RPC][Ep={FA0A27E1-C2BA-4B3B-94B2-025E82FFAA6D}] Registered
[4304] 09:22:11: [WDSDDPS][RPC][Ep={011D24AC-CB3A-4739-A339-5D2E1B5306CE}] Registered
[4304] 09:22:11: [51][WDSDDPS] [d:\w7rtm\base\ntsetup\opktools\wds\ddp\server\ddpprovider.cpp:196] Expression: , Win32 Error=0x906
[4304] 09:22:11: [WDSDDPS][RPC][Ep={FA0A27E1-C2BA-4B3B-94B2-025E82FFAA6D}] Closed
[4304] 09:22:11: [WDSDDPS][RPC][Ep={011D24AC-CB3A-4739-A339-5D2E1B5306CE}] Closed
[4304] 09:22:11: [d:\w7rtm\base\ntsetup\opktools\wds\wdssrv\server\src\wdsprovider.cpp:144] Expression: , Win32 Error=0x906
[4304] 09:22:11: [WDSDDPS] Initialization Failed (rc=2310)
[4304] 09:22:11: [d:\w7rtm\base\ntsetup\opktools\wds\wdssrv\server\src\wdsprovhdl.cpp:172] Expression: , Win32 Error=0x906
[4304] 09:22:11: [WDSDDPS] Deleted.
[4304] 09:22:11: [d:\w7rtm\base\ntsetup\opktools\wds\wdssrv\server\src\wdsservice.cpp:178] Expression: , Win32 Error=0x906
[4304] 09:22:11: [Udp] Listen Shutdown.
[3756] 09:22:11: [RPC] Server terminated (rc=0)
[4304] 09:22:11: [RPC] Listen Stopped.
[4304] 09:22:11: [BINLSVC] Shutting down
[4304] 09:22:11: [BINLSVC][RPC][Ep={5F4FB9F0-C0E3-41C1-AA00-9A7C690AC3A3}] Closed
[4304] 09:22:11: [BINLSVC] Deleted.
It seems I've found out the solution myself. The issue seems to be caused when DHCP and WDS are on the same server. The installation must identify this during the first installation of WDS but not on subsequent installations. The method to get it working again is:
1. Install WDS Role (using defaults)
2. Make the following registry change:
HKLM\SYSTEM\CurrentControlSet\services\WDSServer\Providers\WDSPXE\UseDhcpPorts = 0
3. Run the following command line to initialize Windows Deployment Services:
wdsutil /initialize-server /reminst:D:\RemoteInstall
4. Run the following command to enable the DHCP port registry setting
wdsutil /Set-Server /UseDHCPPorts:No /DHCPOption60:Yes -
Cisco ISE Vs Cisco Anyconnect Posture module with Advanced Endpoint Protection
We are planning to use the Cisco AnyConnect posture module with Advanced Endpoint Protection to examine the VPN users. This can check whether they have antivirus/anti-spyware software installed on their workstation and can force an update of the definition file if it's older than a specified number of days; it can also check the firewall status on their workstation and enable it if it's not already. This can detect keyloggers and emulation software also.
Do we get any additional advantages in using ISE compared to Anyconnect posture module ......
Siddhartha
These are good questions. We had them last year before we decided to purchase ISE, specifically for our VPN users.
I will be watching this thread to see what kind of responses you get.
As of right now, I can verify the ISE can indeed check if specific Anti-Virus is installed (i.e., your corporate AntiVirus), or if ANY (supported by Cisco within ISE) antivirus is installed, and it can force an update process for the AV if it detects that the DAT files are older than a admin specified amount of time.
Our issue at the moment (if you haven't searched the forums) is ISE detected the proper WSUS updates are indeed installed on the users systems and allowing the users system to talk to our internal WSUS server.
We are now wondering if the Advanced Endpoint licensing on the ASA would have been a better way to go.
Wishing you luck in finding your answers for us all.
Dirk -
With Cisco equipment wlc 2500 and AP 1600 combines windows 2008 r2 domain controller to achieve the following purposes,
1, all cell phones and laptops can access the wireless network with a domain user authentication.
2, the guest network should how to do it?
My idea is:
Made a total of two ssid below
Mobile users cnnewcity_mobile: Use webportal certification, so the center certification, local forwarding
Computer users cnnewcity_wifi: transparent certification, local forwarding, local authentication
The basic steps are as follows:
1, set the Radius server clients (AP or controller)
2, locking authorization group --- this should be based on the domain user group authorization radius server
3, the mobile roaming - different locations on the DHCP server choose to do this you have to consider the next 43
4, the establishment of a two vlan to a mobile user to the computer user, create a DHCP scope on the DHCP
I do not know whether there are better ways?
Integrating the AD to the WLC Requires:
1. AD to be registered:
AT: Security->AAA
AT: LDAP
CLICK: New
Server IP: <AD IP>
Port Number: 389
Simple Bind: Authenticated
Bind User: CN=Administrator,CN=Users,DC=testing,DC=local,DC=com
Bind Pass: <LDAP Admin pass>
Confirm Pass: <LDAP Admin pass>
User Base DN: OU=WebAuth_Users,DC=testing,DC=local,DC=com
User Attrib: sAMAccountName
User Obj. Type: person
Enable at WLAN Profile
1. AT: WLAN->WLANs
CLICK: <Desired WLAN> -typically web authentication
2. AT: Security Tab
AT: AAA Servers
3. AT: LDAP Servers
**Select Created LDAP
4. Apply to Save
Source: Tried it in implementations :)) -
Could not resolve CISCO-LWAPP-CONTROLLER
Hi..
I have a Cisco Aironet 1250 AP. I want to upgrade to LWAPP. The AP is using a static IP address. When the AP tries to join, the error message "DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER" is displayed.
Loading file /c1250...
extracting info (292 bytes)
Image info:
Version Suffix: k9w8-.124-10b.JDD
Image Name: c1250-k9w8-mx.124-10b.JDD
Version Directory: c1250-k9w8-mx.124-10b.JDD
Ios Image Size: 4352512
Total Image Size: 4352512
Image Feature: WIRELESS LAN|LWAPP
Image Family: C1250
Wireless Switch Management Version: 4.2.207.0
Extracting files...
c1250-k9w8-mx.124-10b.JDD/ (directory) 0 (bytes)
extracting c1250-k9w8-mx.124-10b.JDD/c1250-k9w8-mx.124-10b.JDD (3956889 bytes)
%LWAPP-5-!CHANGED: LWAPP changed state to JOIN
%LWAPP-5-CHANGED: LWAPP changed state to IMAGE
Error messages:
*Jun 30 09:46:16.491: %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER
*Jun 30 09:46:16.491: %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER
*Jun 30 09:46:16.491: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Jun 30 09:46:16.651: %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER
*Jun 30 09:46:16.651: %LWAPP-3-CLIENTERRORLOG: DNS Name Lookup: could not resolve CISCO-LWAPP-CONTROLLER
*Jun 30 09:46:16.651: Logging LWAPP message to 255.255.255.255.
Any help?
Thanks.
Your configuration is not correct. You can remove the line ‘domain-name CISCO-LWAPP-CONTROLLER.mydomain.com’ or replace it with ‘domain-name mydomain.com’ and configure the DNS server with both "CISCO-LWAPP-CONTROLLER.mydomain.com" and "CISCO-CAPWAP-CONTROLLER.mydomain.com" pointing to 172.16.00.25.
I suggest that you remove this line and forget about DNS and go for DHCP option 60 and 43 as you already have configured. You do not need both the DNS configuration and DHCP option 43.
Since you have configured ‘option 60 ascii "Cisco AP c1250"’ and ‘option 43 hex f104ac100019’ then your 1250s should try to associate with the controller 172.16.00.25.
Please post more of the syslog and look for events regarding DHCP option 43.
Is the address 172.16.00.25 for the WLC correct?
Regards,
André -
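Added example, not part of the reply above or of the thread: a decoder and encoder for the option 43 value quoted in the reply (`f104ac100019`), which is a type byte `0xf1`, a length byte, and one 4-byte IPv4 address per controller. The function names and the second controller address used in the check are constructed for illustration; 172.16.00.25 as written in the thread is the address 172.16.0.25.

```python
import ipaddress

# Sub-option type that Cisco lightweight APs look for inside DHCP option 43.
WLC_SUBOPTION = 0xF1


def decode_option43(hex_value):
    """Return the controller addresses carried in an option 43 hex string.

    Accepts the plain form (f104ac100019) and the dotted form that IOS
    prints in a DHCP pool (f104.ac10.0019). Raises ValueError when the
    type, length or payload do not fit the expected layout.
    """
    cleaned = "".join(ch for ch in hex_value if ch not in " .:-")
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {hex_value!r}") from exc
    if len(raw) < 2:
        raise ValueError("too short for a type byte and a length byte")
    sub_type, length, payload = raw[0], raw[1], raw[2:]
    if sub_type != WLC_SUBOPTION:
        raise ValueError(f"type is 0x{sub_type:02x}, expected 0xf1")
    if length != len(payload):
        raise ValueError(
            f"length byte says {length}, payload has {len(payload)} bytes")
    if length == 0 or length % 4:
        raise ValueError("length must be a non-zero multiple of 4")
    return [ipaddress.IPv4Address(payload[i:i + 4])
            for i in range(0, length, 4)]


def encode_option43(controllers):
    """Build the hex string for one or more controller management addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([WLC_SUBOPTION, len(payload)]) + payload).hex()


def unapproved_controllers(hex_value, approved):
    """Return addresses in the option that are not on the approved list.

    A DHCP scope that hands out an unexpected controller address sends
    every AP in that scope to the wrong place, so this is worth checking
    whenever a scope is reviewed.
    """
    approved_set = {ipaddress.IPv4Address(a) for a in approved}
    return [a for a in decode_option43(hex_value) if a not in approved_set]


if __name__ == "__main__":
    # Value quoted in the thread.
    print(decode_option43("f104ac100019"))
    # Constructed two-controller value, audited against a one-entry list.
    two = encode_option43(["172.16.0.25", "172.16.0.26"])
    print(two, unapproved_controllers(two, ["172.16.0.25"]))
```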
Hello,
I am trying to get this officeextend working.
I connected the ap and checked the H-Reap box and then officeextend and gave it a public ip. This public ip is NAT'd to the dmz controller on the firewall. (The dmz controller is 5508 running code 6.0.199.4)
I have connected this officeextend 1132 ap to a broadband connection and this gets an ip of 192.168.1.23 on its fa0 interface. all good till now.
When I console onto the officeextend 1132 AP, I get an error msg could not resolve Cisco-LWAPP-Controller.abc.uk....domain server (192.168.1.254) and Cisco-CAPWAP-Controller.home.uk...think it needs DNS set to the public IP on the local ADSL box, is it?
If this is the case, I am not sure if I can do this as this is controlled by the ISP
I have added this now Scott on the management interface but still can't get the AP to join the controller. This AP is connected to a broadband wireless router connected back to an ADSL router that has the DNS settings
(also I can't see any traffic hitting on ports 5246 and 5247 on the firewall, so think this AP is not trying to go out)
it comes up with
CAPWAP-5-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
Translating "CISCO-CAPWAP-CONTROLLER.Abc.uk"...domain server (192.168.1.254)
*Apr 8 16:25:39.983: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
Translating "CISCO-LWAPP-CONTROLLER.Abc"...domain server (192.168.1.254)
*Apr 8 16:25:42.095: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.Abc.uk
config on AP
service password-encryption
hostname AP6400.f14d.b6ba
logging rate-limit console 9
enable secret 5 $1$ACEH$BuOIS/RYEP5ZXvWxbyCFS/
aaa new-model
aaa authentication login default local
aaa authentication login reap_eap_methods group radius
aaa session-id common
eap profile lwapp_eap_profile
method fast
crypto pki trustpoint Cisco_IOS_MIC_cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint cisco-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-device-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-new-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
crypto pki trustpoint airespace-old-root-cert
revocation-check none
rsakeypair Cisco_IOS_MIC_Keys
username Cisco secret 5 $1$2zkE$CaKkr5zDUWwltKRFvrIto0
ip ssh version 2
interface Dot11Radio0
no ip route-cache
mbssid
speed basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
power client local
packet retries 64 drop-packet
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface Dot11Radio1
no ip route-cache
mbssid
power client local
packet retries 64 drop-packet
interface Dot11Radio1.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface FastEthernet0
ip address dhcp client-id FastEthernet0
no ip route-cache
duplex auto
speed auto
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
no ip http server
logging trap errors
logging origin-id string AP:6400.f14d.b6ba
logging facility kern
logging snmp-trap notifications
logging snmp-trap informational
logging snmp-trap debugging
logging 255.255.255.255
radius-server local
no authentication eapfast
no authentication leap
no authentication mac
nas 66.11.22.33 key 7 111D110C041B18030A2632253C363832
group hreap
control-plane
line con 0
line vty 0 4
transport input none
line vty 5 15
transport input none
end -
VLAN assignment without ACS on Cisco Wireless Controller 5508
I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead? Is there a manual or article that someone can point me in the right direction?
Thank you!
Any RADIUS server will allow you to do the dynamic vlan assignment if you configure the right RADIUS attributes (64, 65 and 81 that Steve mentioned above).
This doc shows example of dynamic vlan assignment with WLC and ACS.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Same config on WLC is needed. However, on the RADIUS you need to configure the same attributes on the NPS instead.
HTH
Amjad
Rating useful replies is more useful than saying "Thank you" -
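Added example, not part of the thread: how attributes 64 (Tunnel-Type), 65 (Tunnel-Medium-Type) and 81 (Tunnel-Private-Group-ID) are laid out on the wire per RFC 2868 and RFC 3580, with a check that an Access-Accept's attribute block really assigns a VLAN. The function names and VLAN 20 are constructed for illustration; this encodes only the attribute block, not a full RADIUS packet.

```python
TUNNEL_TYPE = 64              # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65       # value 6 = IEEE 802
TUNNEL_PRIVATE_GROUP_ID = 81  # VLAN ID or name as a string
TYPE_VLAN = 13
MEDIUM_IEEE_802 = 6


def _attr(attr_type, value):
    """Encode one attribute as type, length (header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def build_vlan_attributes(vlan, tag=0):
    """Return the three attributes that assign `vlan` to a session.

    RFC 3580 recommends tag 0x00 unless several tunnels are offered.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be between 0x00 and 0x1f")
    def tagged(number):
        # Tag byte followed by a 3-byte big-endian value.
        return bytes([tag]) + number.to_bytes(3, "big")
    group = bytes([tag]) + str(vlan).encode("ascii")
    return (_attr(TUNNEL_TYPE, tagged(TYPE_VLAN))
            + _attr(TUNNEL_MEDIUM_TYPE, tagged(MEDIUM_IEEE_802))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, group))


def parse_attributes(data):
    """Split an attribute block into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} in attribute {attr_type}")
        attrs.append((attr_type, data[pos + 2:pos + length]))
        pos += length
    return attrs


def assigned_vlan(data):
    """Return the VLAN string, or None unless 64 and 65 say VLAN over 802.

    Some servers omit the tag byte on attribute 81 when the tag is zero,
    so a first byte above 0x1f is treated as part of the string.
    """
    found = {}
    for attr_type, value in parse_attributes(data):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {attr_type} must carry 4 bytes")
            found[attr_type] = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            if value and value[0] <= 0x1F:
                value = value[1:]
            found[attr_type] = value.decode("ascii")
    if found.get(TUNNEL_TYPE) != TYPE_VLAN:
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
        return None
    return found.get(TUNNEL_PRIVATE_GROUP_ID)


if __name__ == "__main__":
    block = build_vlan_attributes(20)  # constructed VLAN ID
    print(block.hex(), assigned_vlan(block))
```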
Install and configure Cisco Network Analysis Module NAM-2
Hi,
Does anyone have a step-by-step document on how to install and configure Cisco NAM-2 module ?
Thanks in advance.
Regards,
Lamine
Hi Lamine,
The official installation guides for NAM software can be found here:
http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_installation_guides_list.html
Is this what you are looking for?
Cheers,
Shane -
Has anybody experience with "Cisco Anomaly Guard Module"
Hello,
Has anybody had experience with "Cisco Anomaly Guard Module" WS-SVC-AGM-1-K9 for Catalyst 6500?
We're looking for some IDS/IPS prevention system which could take 2-3 Gbits of traffic. From the documentation it looks not bad, and we can get them as used parts (6500 + Sup720 + AGM + ADM) quite cheap. The second solution, Arbor with cisco12000 as border router (10Gbit uplink), is much more expensive.
Arbor of course tries to sell us their solution, as "Cisco Anomaly Guard Module" is out of sale and doesn't have any new features, but from the data sheets Cisco AGM is exactly what we need.
Or may be is there another solution which could be comparable to those two?
Thank you.
Hello padatta,
AGM/ADM are IDS/IPS systems, one can of course discuss about the terms, but it won't be productive :).
IDSM2 has not enough performance and it should sit inline, ADM/AGM can change the next hop for the diverted traffic and be out of traffic path during the normal operation.
Konstantin -
Cisco CAPWAP controller ????
Hi,
Really sorry if this isn't the right place but am desperate for help!
Have applied for a dream job for me to get into networking but one of the things that they have asked for that I haven't heard of before is a Cisco CAPWAP controller, is anyone able to explain the basics or it for me?
From quick web search it seems to be a type of wireless access point!
Any info would be useful.
Thanks
Sent from Cisco Technical Support iPad App
CAPWAP
The controller-based solution allows the splitting of 802.11 functions between the controller-based AP, which handles real-time portions of the standard, and the Cisco WLC, which handles items that are not time sensitive. This model is called split MAC.
The AP handles the portions that have real-time requirements, such as the following:
■ Beacons management
■ 802.11 encryption and decryption
■ Frame buffering for dozing stations
■ Probe responses
■ Air monitoring for interferences and rogues
The controller handles all other functionalities, such as the following:
■ 802.11 authentication and association
■ QoS and security management
■ Mobility (roaming) management
■ RF management
■ Bridging to and from the DS in the right VLAN
Lightweight APs (LAP) communicate with the controller using a specific protocol, Control and Provisioning of Wireless Access Points (CAPWAP). The LAP encapsulates all 802.11 data frames received from a client into a CAPWAP frame. The data frame portion is simply encapsulated into a CAPWAP frame, and is not encrypted by default (data part encryption is possible but optional).
The LAPs also constantly exchange encrypted CAPWAP control messages with the controller via the Radio Resource Management (RRM) engine for real-time RF management, including
■ Radio resource monitoring
■ Dynamic channel assignment
■ Interference detection and avoidance
■ Dynamic transmit power control
■ Coverage hole detection
This comes from a book written by Jerome Henry