Controller Load Balancing

I have a high school that has a computer lab with 32 laptops. Also in the area are about 5 other teacher laptops. There are approximately 3 AP's in the vicinity within -72. The controller is running 4.0.179 using RRM. It seems that the computer lab is attaching to one AP only, causing association and authentication failures. I can see, at one time, 28 clients on one AP, and it looks like load balancing is not functioning. I've applied the config load-balancing window 15 command with no luck, although I have a feeling that RRM is controlling the load balancing and that command wasn't going to do much anyway. I've heard bad things about Aggressive Load Balancing so I am hesitant to turn it on.
Is there a setting I'm missing here? Or would a code upgrade solve this issue?

I'm not going to say there is not a way using code, but I will stand on John Chambers' coffee table and tell him the only way to do this is via physical load balancing.
This requires smaller cells using data rates no lower than 11mbps and lower power settings. By limiting the cell (and adding more AP's to fix the subsequent holes) you will physically load balance the network. Turn RRM off. Hard code the channels and power.
Depending on size of area and number of users, I would attempt to stick three AP's in your scenario with really small cell sizes whose boundaries are no worse than -65dBm. When I have tweaked enough to roam from edge to middle to the other edge of the room and hit all three AP's based on location, you should be good. Directional antennas also would play an important role here as well, shining down from the ceiling with radiation patterns kind of like spotlights. Also you would have to turn the power down on the clients or else you just have the same problem except it is now upside down.
Aggressive load balancing tends to jack up phones and possibly create a 'host flapping' situation with data clients as well. I do not use it at all.
Good luck-

Similar Messages

  • Load balancing to multiple anchor controllers

    Checking to see if there is a way to control how the inside controller load balances to 2 anchor controllers. I was told it's connection by connection, but wasn't sure if it's true, and if that could be changed to a particular hash or something.
    Thanks,
    Jason

    There is no configuration to define what will be the primary or secondary path.  The foreign WLC will determine which anchor it will send the traffic to.
    Thanks,
    Scott

  • Load-Balancing between Foreign and two Anchors

    Hi, we have two foreign controllers (one active, one standby) and two anchor controllers. All APs are connected to the active foreign controller. The layer 3 networks for the wlan clients on both anchors are different for the same SSID. SSID: Internet, anchor 1: Subnet A, anchor 2: Subnet B. So when a client is getting anchored to Anchor 1, the clients will get an ip from subnet A and when the client is getting anchored to anchor 2, the client will get an ip from subnet B.
    This is so far not a big problem because we only have a few access points in some rooms. But what will happen when we have a fully covered WLAN and the client roams from one AP to the other AP? Is there a possibility that the client will be anchored to a different anchor while roaming? I think this will result in a lack of connectivity because without a real disconnect the client will not ask for a new IP address.
    Other question: Is it possible to disable this load-balancing between anchor controllers? Or can I make a client sticky to only one anchor as long as an access-session is established?
    All controllers are 5760 with 3.3.3 software.

    Hi acontes, 
    It's an interesting question. 
    In this case, if all AP's are on WLC-A and there is no possibility that an L3 inter-subnet roam will occur between WLC-A and WLC-B, I would just forward WLC-A to Anchor A and WLC-B (in the event of fail over) to Anchor B (if Anchors reside on different subnets). If you must specify Anchor A and Anchor B on each WLC for redundancy purposes, it's important to understand the guidelines and limitations with regard to Foreign / Anchor Design.  
    As Scott mentioned, the limitation with Anchoring design is that there is no primary / secondary configuration for an Anchor on the Foreign WLC.
    If WLC-A has two entries (1) for Anchor-A and (2) for Anchor-B, the EoIP tunnels are established and load-balancing occurs in a round robin fashion.
    Keep in mind the following with regard to guest N+1 redundancy:
    • A given foreign controller load balances wireless client connections across the list of anchor controllers configured for the guest WLAN. There is currently no method to designate one anchor as primary with one or more secondary anchors.
    • Wireless clients that are associated with an anchor WLC that becomes unreachable are re-associated with another anchor defined for the WLAN. When this happens, assuming web authentication is being used, the client is redirected to the web portal authentication page and required to re-submit their credentials.
    Since traffic is transported at Layer 2 via EoIP, the first point at which DHCP services can be implemented is either locally on the anchor controller or the controller can relay client DHCP requests to an external server. Since the IP address directly correlates to the DMZ subnet or the interface where the traffic egresses, it is possible for some clients to get IP's from both Subnet A or Subnet B in the event that WLC-A is building EoIP to both anchors.
    1) What happens if my clients roam?
    Nothing... since all AP's are on WLC-A, it's Intra-Controller Roaming
    Each controller supports same-controller client roaming across access points managed by the same controller. This roaming is transparent to the client as the session is sustained, and the client continues using the same DHCP-assigned or client-assigned IP address. The controller provides DHCP functionality with a relay function. Same-controller roaming is supported in single-controller deployments and in multiple-controller deployments.
    Would it be better to choose the same DHCP Pool on both anchors?
    It's probably better to have redundant anchors on the same subnet, but it's not required. 
    3) How would you design this :-)
    WLC-A <--EoIP--> Anchor A (DHCP Pool A)
    WLC-A <--EoIP--> Anchor B (DHCP Pool A)
    It's important to remember what Scott mentioned about the lack of a primary / secondary relationship. If multiple controllers are added as mobility anchors for a particular WLAN on a foreign controller, the foreign controller internally sorts the controllers by their IP address. The controller with the lowest IP address is the first anchor. For example, a typical ordered list would be 172.16.7.25, and 172.16.7.28. If the first client associates to the foreign controller's anchored WLAN, the client database entry is sent to the first anchor controller in the list, the second client is sent to the second controller in the list, and so on, until the end of the anchor list is reached. The process is repeated starting with the first anchor controller.
    If any of the anchor controllers is detected to be down, all the clients anchored to the controller are deauthenticated, and the clients then go through the authentication/anchoring process again in a round-robin manner with the remaining controller in the anchor list. This functionality is also extended to regular mobility clients through mobility failover. This feature enables mobility group members to detect failed members and reroute clients.
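    The anchor selection and failover behaviour described in the answer above, as an added Python model (not Cisco's controller code and not part of the original posts). The class and function names are hypothetical, and numeric IP sorting and the position of the round-robin cursor after a failure are assumptions.

```python
import ipaddress


class ForeignWLC:
    """Toy model of a foreign controller's anchor choice for one anchored WLAN."""

    def __init__(self, anchor_pools):
        # anchor_pools maps anchor IP -> DHCP pool handed out behind that anchor.
        self.pools = dict(anchor_pools)
        # Anchors are ordered by IP address, lowest first (numeric order assumed).
        self.anchors = sorted(self.pools, key=ipaddress.ip_address)
        self.cursor = 0      # next position in the round robin
        self.clients = {}    # client id -> anchor IP

    def associate(self, client):
        """Anchor a new client session to the next controller in the list."""
        if not self.anchors:
            raise RuntimeError("no anchor reachable for this WLAN")
        anchor = self.anchors[self.cursor % len(self.anchors)]
        self.cursor += 1
        self.clients[client] = anchor
        return anchor

    def roam(self, client):
        """Intra-controller roam: the session, anchor and IP address are kept."""
        return self.clients[client]

    def anchor_down(self, anchor):
        """Drop a failed anchor and re-anchor its clients round robin.

        Returns {client: (old_pool, new_pool)}. Each client listed here was
        deauthenticated and, with web authentication, must log in again.
        """
        self.anchors.remove(anchor)
        displaced = [c for c, a in self.clients.items() if a == anchor]
        moved = {}
        for client in displaced:
            new_anchor = self.associate(client)
            moved[client] = (self.pools[anchor], self.pools[new_anchor])
        return moved


def renumbered(moved):
    """Clients whose DHCP pool changed, i.e. that need a new IP address."""
    return [c for c, (old, new) in moved.items() if old != new]


if __name__ == "__main__":
    # Constructed scenario using the two anchor addresses quoted in the answer.
    wlc = ForeignWLC({"172.16.7.28": "Subnet B", "172.16.7.25": "Subnet A"})
    for name in ("c1", "c2", "c3", "c4"):
        print(name, "->", wlc.associate(name))
    print("c1 after roam ->", wlc.roam("c1"))
    moved = wlc.anchor_down("172.16.7.25")
    print("re-anchored:", moved, "renumbered:", renumbered(moved))
```

    With the same pool behind both anchors, `renumbered` returns an empty list after a failover, which is the design the answer recommends.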

  • Load balancing with 526 controller

    Good Day,
    I would appreciate confirmation of this configuration or, if it is wrong, suggestions.
    I have been asked to provide wireless access for a conference of about 150 in an auditorium about 50m x 20m. The attendees will be using their access just to browse, check e-mail etc. We have a radius authentication system in place that is available.
    From what I have gathered, it appears that if I get a 526 controller and 4 521 access points I can advertise one SSID and configure the access points/controller for load balancing to maintain decent speed for the users.
    Is this correct?
    Also, is there a benefit to getting better equipment. Price is not really a factor but this setup will be used only a couple of times a year and I don't want to throw money away. But it has to work, and I'm on a short deadline...procurement, configuration and testing by 6/4/07.
    Thanks

    The Cisco 526 Wireless Express Mobility Controller can be used with up to six access points per controller. So 5-6 access points would be a better option. Refer to the URL:
    http://www.cisco.com/en/US/products/ps7320/products_data_sheet0900aecd8060c22b.html

  • ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

    Hello guys
    Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest user at the moment. I've got 2 points I will like to get some guidance on:
    Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface which will be addressed from another L3 network. Is this a supported configuration in ISE?
    I intend to use the DHCP probe as part of device profiling and would ideally like to have just an additional ip helper to add to our switch SVI config. Also, it would appear that WLCs can only be configured for 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN in scope. We however use ACE load balancers within our DC and from what I have read, they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?
    Thanks in advance
    Sayre

    Hello Sayre-
    For Question #1:
    Management is restricted to GigabitEthernet 0 and that cannot be changed, so you should be good there.
    You can configure Radius and Profiling to be enabled on other interfaces.
    Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
    Take a look at this link for more info:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html
    For Question #2
    If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 
    The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:
    –Option 12—HostName of the client
    –Option 60—The Vendor Class Identifier
    After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which is in turn transmitted to the ISE in the form of an interim accounting message.
    Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC
    On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one that is from a couple of years ago (there are more recent ones available as well):
    http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf
    I hope this helps!
    Thank you for rating helpful posts!
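    The option extraction described in the answer above, as an added Python sketch (not the controller's code and not part of the original posts): it walks the options of a DHCP request and returns the Option 12 and Option 60 values. The function names and the sample packet are constructed for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
BOOTP_FIXED_LEN = 236                # fixed BOOTP header before the cookie
OPT_PAD, OPT_END = 0, 255
OPT_HOSTNAME, OPT_MSG_TYPE, OPT_VENDOR_CLASS = 12, 53, 60
DHCPREQUEST = b"\x03"


def parse_options(packet):
    """Return {option code: value bytes} from a raw DHCP payload."""
    start = BOOTP_FIXED_LEN + len(MAGIC_COOKIE)
    if len(packet) < start or packet[BOOTP_FIXED_LEN:start] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, start
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        # A repeated option code is concatenated (RFC 3396).
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def clean(raw):
    """Client-supplied strings are untrusted: keep printable ASCII only."""
    return "".join(ch if 32 <= ord(ch) < 127 else "?" for ch in raw.decode("latin-1"))


def profiling_attributes(packet):
    """Attributes a profiler would take from a DHCP request, or None."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != DHCPREQUEST:
        return None
    hlen = min(packet[2], 16)        # hardware address length, chaddr is 16 bytes
    mac = ":".join("%02x" % b for b in packet[28:28 + hlen])
    return {
        "mac": mac,
        "hostname": clean(opts.get(OPT_HOSTNAME, b"")),
        "vendor_class": clean(opts.get(OPT_VENDOR_CLASS, b"")),
    }


def build_sample_request(msg_type=3):
    """Constructed sample packet (not a capture) with options 53, 12 and 60."""
    zero = b"\x00" * 4
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0, 0x1234ABCD, 0, 0,           # op, htype, hlen, hops, xid, secs, flags
        zero, zero, zero, zero,                  # ciaddr, yiaddr, siaddr, giaddr
        bytes.fromhex("020000aabbcc"), b"", b"",  # chaddr, sname, file
    )
    host, vci = b"LAB-LAPTOP-07", b"MSFT 5.0"
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_HOSTNAME, len(host)]) + host
               + bytes([OPT_VENDOR_CLASS, len(vci)]) + vci
               + bytes([OPT_PAD, OPT_END]))
    return header + MAGIC_COOKIE + options


if __name__ == "__main__":
    print(profiling_attributes(build_sample_request()))
```

    Option overload (Option 52) is not handled here; a malformed or truncated option list raises `ValueError` rather than returning partial attributes.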

  • Disable load balancing on dual PRIs - 3640 with MICA modems for dial out

    We have a custom application that connects through reverse telnet to a Cisco 3640 that has 2 NM-24DM modules and 2 PRIs connected to it. Currently all outgoing calls are getting load balanced over the two PRIs. I need to change that so that all calls go over the first PRI and when all channels are used up, it starts using the second PRI. Seems like a simple enough thing to do but I can't figure out how to.
    Here is my config
    Current configuration : 1401 bytes
    version 12.4
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname DIALOUT01
    boot-start-marker
    boot-end-marker
    enable secret 5 xxxxxxx
    no aaa new-model
    clock timezone EST -5
    clock summer-time EDT recurring
    no ip routing
    no ip cef
    no ip domain lookup
    ip domain name xxxxxxx.xxx
    isdn switch-type primary-ni
    controller T1 0/0
     framing esf
     linecode b8zs
     pri-group timeslots 1-24
     description xxxx
    controller T1 0/1
     framing esf
     linecode b8zs
     pri-group timeslots 1-24
     description xxxx
    interface FastEthernet0/0
     ip address dhcp hostname dialout01
     no ip route-cache
     no ip mroute-cache
     duplex auto
     speed auto
    interface Serial0/0:23
     no ip address
     encapsulation hdlc
     isdn switch-type primary-ni
     no fair-queue
     no cdp enable
    interface Serial0/1:23
     no ip address
     encapsulation hdlc
     isdn switch-type primary-ni
     no fair-queue
     no cdp enable
    no ip http server
    control-plane
    line con 0
    line 33 56
     modem InOut
     modem autoconfigure type mica
     transport preferred telnet
     transport input telnet
     transport output telnet
    line 65 88
     modem InOut
     modem autoconfigure type mica
     transport preferred telnet
     transport input telnet
     transport output telnet
    line aux 0
    line vty 0 4
     password 7 xxxxx
     login
    end
    Thanks,
    Shahid

    If I understand the question I think that isdn bchan-number-order is the command you are interested in. I think it defaults to round-robin, sounds like you want ascending (that is isdn bchan-number-order ascending). It is an interface subcommand.
    See  http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ibcac.html#wp1055853
    That may only apply to native ISDN calls and not MICA based calls, but see if that helps.

  • Guest N+1 redundancy & load balancing in separate data centers

    I need assistance in acquiring documentation to set up N+1 redundancy & load balancing between two separate guest anchor controllers installed in separate data centers. Can you explain how it should be set up or point me in the right direction for documentation? If you can't point me in the right direction to acquire documentation, can you answer the following questions?
    1) How do I set up my mobility groups on my guest anchor controllers installed in the DMZ? Should both guest anchors be in the same mobility group?
    2) Do both guest anchors share the same virtual IP or do they need to be separate (DMZ01 - 1.1.1.1 / DMZ02 - 2.2.2.2)? I think separate!
    3) Are there any configuration parameters on the guest anchors for load balancing?
    4) Does either one of the guest anchors need to be set up as a master controller? I'm not sure.
    5) Are there any configuration parameters on the foreign controllers for load balancing?
    6) How do I set up my foreign controllers? Should both guest controllers be added to the mobility group on the foreign controller? I would think both of them would be added to the foreign controller mobility group.
    7) Should both guest anchors be added as an anchor on the WLAN? I would think both controllers would need to be added as anchors under the WLAN!
    8) Am I missing anything here? This is how I think it should logically work?
    Thanks,
    Gordon

    I need to elaborate on my questions:
    1) Do both of my guest DMZ anchors need to be in a separate mobility group on their own or can the guest anchors be in completely separate mobility groups? All 100 + foreign controllers are in separate mobility groups.
    I) Example #1: Guest anchor number 1 (Mobility group: DMZ) / Guest anchor number 2 (Mobility group: DMZ)
    II) Example #2: Guest anchor number 1 (Mobility group: DMZ01) / Guest anchor number 2 (Mobility group: DMZ02)
    2) Do both guest anchor controllers have to be configured with separate virtual IP's or do they share the same address?
    I) Follow up to this question: I want to register the DMZ controllers with our DNS servers so that my clients receive a name when authenticating through my customized webauth. I am currently using 1.1.1.1 as the virtual address and I'm pretty sure this is the address I need to register with my external DNS server. My question is this. Does the address I use for the virtual interface matter? 1.1.1.1 is not a valid address with my network. Do I need to assign a valid address registered with my network if I'm going to add this address to my external DNS servers?
    3) No change to my original question.
    4) No change to my original question.
    5) No change to my original question. I have run into Cisco documentation that mentions guest anchor load balancing, but the documentation is very vague. I'd love to be able to load balance as the network group wants to limit my guest traffic to the internet. I could double my pipe if I could load balance the guest anchors.
    6) No change to my original question, but the answer to question one is key to the setup of my foreign controllers.
    7) Elaboration: Should both guest controllers be added as an anchor under the WLAN on the foreign controllers? I would think both of them would be added.
    8) No change:
    9) Should my secondary guest controller be added as an anchor on the WLAN of the primary guest DMZ controller and vice versa?
    Can my Cisco expert answer this or do I need to open a TAC case?
    Thanks,
    Gordon Shelhon
    SR. Wireless Services Engineer

  • H-REAP and Client Load-Balancing

    I'm told by Cisco that H-REAP does not support client load-balancing.
    We have a situation where we want to deploy LWAPPs using H-REAP into a conference room where training would take place.
    Any suggestions on how to overcome the inevitable slowness these people are going to experience from being unevenly associated with the APs?
    We can't re-write the application so we are looking for a wireless solution.
    Anyone hear about how other organizations have dealt with this type of situation?
    I'll be glad to supply more details if I am not being clear in my description of the problem.
    Thanks in advance. All responses will be rated.
    Paul

    This is the functionality which is missing in H-REAP: Client and Network Load Balancing
    "Radio Resource Management (RRM) load-balances new clients across grouped lightweight access points reporting to each controller. This function is particularly important when many clients converge in one spot (such as a conference room or auditorium) because RRM can automatically force some subscribers to associate with nearby access points, allowing higher throughput for all clients. The controller provides a centralized view of client loads on all access points. This information can be used to influence where new clients attach to the network or to direct existing clients to new access points to improve wireless LAN performance. The result is an even distribution of capacity across an entire wireless network.
    Note: Client load balancing works only for a single controller. It does not operate in a multi-controller environment."
    I suppose if we limit the number of users that can associate with a particular AP then we will achieve some client load-balancing. Though a hard limit on the number of end-users will also lead to situations where some end users will not be allowed any access.

  • Load balancing issues?

    Could someone help me with load balancing, current stats:
    I have a limited understanding, but from what I can make out, we have a significant number of clients being denied association and load balancing to different AP's but then the candidate count suggests a significant number of clients that failed to load balance, presumably because there wasn't an AP available in range that wasn't busy?
    Uptime is 27 days, client count can reach around 220 at busy times, 63 AP's in the building 1142's, 5508 controller. I am wondering if increasing the window size would offer a more robust solution, or will this just degrade user experience further?
    I am having a number of issues with failed client association now, and devices just not being able to operate wirelessly at all
    Client count reaching 25 on some AP's

    I guess per radio per AP client count is more in your case; clients more than the threshold are being shown busy status (code 17) by AP. Therefore, clients are unable to associate to that AP. When the number of retries is over, they are denied. I guess there are network holes as well (no coverage b/w the cells of different APs). You can increase the window count; however, it depends on the AP model finally (max. no. of clients associated).

  • WLC - Aggressive Load Balancing?

    Hello,
    The Wireless LAN Network built is as follows -
    1. 1 x 4404 WLC
    2. 40 x LWAPP 1131AG Access Points
    3. Windows Clients used by the Laptop Clients.
    4. Only one Wireless VLAN across the Campus network - hence AP's, WLC & Clients are all in one VLAN / IP Subnet.
    5. No Access Point Group is created.
    6. Aggressive Load Balancing is enabled allowing 15 Clients as max connection per Access Point.
    Problem facing -
    1. Tried configuring the Aggressive Load Balancing allowing only 2 x Clients per AP. But noticed that the 3rd Client is connecting to the same AP as the previous 2 Clients have connected to. The 3rd client is not associating to a different AP which is nearby.
    Please can one help me, if I'm configuring & testing Aggressive Load Balancing in the right way!
    Regards,
    Keshava Raju

    AMR is on target. In fact I just completed 20 hours worth of testing with various clients with ALB for a white paper I am doing. Code 17 isn't honored by most clients and is only sent 1 time from the AP. The clients will continue to attempt to associate to the AP and the AP will allow them on.
    Here is a peek of my white paper "still in draft"
    WLC - Cisco WLC Aggressive Load Balancing; What is it and where did it go in 6.0!
    I've spent the majority of my WLC experience at code level 4.2. Not by choice really, more based on the fact that 4.2 is pretty darn stable and it is the only safe harbor to date for the Cisco WLC. Healthcare and Enterprise environments are typically slow to move on upgrades, especially when things are operating fine.
    Since my latest project involves the deployment of hundreds of Cisco 1142s @ location grade, it required that I move to later code to support the 1142 access points. After much research, conversations with our local Cisco Wireless SE, conversation with peers at other healthcare organizations, and direct contact with the aware team I had decided that 6.0.188.0 was a release that was of great interest.
    As I start to get familiar with the new code I am starting to see that things got moved around a little. One of the items is Aggressive Load Balancing. If you aren't familiar with Aggressive Load Balancing (ALB) you definitely need to be and let me share why.
    First let's look at what ALB is and how it works and then we will dive into the differences between the 4.2 code and the new options 6.0 gives us. ALB, when enabled, allows the Cisco WLC to load balance wireless clients on access points that are joined to the same controller. "Key word here – same controller". You can configure the load balancing window globally in the controller. What is the load balancing window you ask? Well, it is the maximum number of clients that should be allowed on the access point BEFORE it will start to load balance.
    Let's assume for a moment you have an access point with 5 clients already attached. When client #6 sends an association request to the access point, the access point will kindly respond with an association response frame with the reason code of 17. The wireless client will see reason code 17 in the association response and will kindly find other access points to associate with. However, some devices will ignore this frame and yet still continue to try and associate to the access point. Note: The Cisco WLC will ONLY send 1 reassociation frame with a reason code of 17. It doesn't flood the medium / client with multiple frames.
    It's up to the client to honor this information and move on. But I can tell you from my experience and testing this isn't always the case.
    By default, 4.2 and 6.x both have a load balancing window of (5). Let's look at an example.
    The window setting controls when aggressive load-balancing starts. With a window setting of five, for example, all clients after the sixth client are load-balanced.
    I know, what is the reason code talk, right. Let's cover this as well. If you dive into the 802.11 frames you will see "Reason Codes". When a client sees the reason code of "17", it indicates to the client that the access point is busy and the client should look elsewhere.
    yada yada yada
    I will post the complete paper on my site: my80211.com in the next week or so ...

  • DNS load balancing for Enterprise servers

    Hi All
    In my test Lync 2010 Enterprise environment, I have recently implemented DNS load balancing with web services.
    My environment is two Lync 2010 Ent servers, 1 SQL server, 1 Monitoring + Archive server (same box).
    The steps below were performed by me for DNS load balancing.
    PLEASE NOTE: NO HARDWARE LOAD BALANCING IN MY SETUP
    Create a Host record for the Pool name with respective front end servers
    Pool name : Pool2.doitnow.com with 2 lync 2010 enterprise servers named lyncfe01n.doitnow.com (192.168.1.5) and lyncfe02.doitnow.com (192.168.1.6)
    Two host A records in DNS as Pool2 with IP of 192.168.15 and 192.168.1.6
    1. From the Lync Server 2010 program group, open Topology Builder.
    2. From the console tree, expand the Enterprise Edition Front End pools node.
    3. Right-click the pool, click Edit Properties, and then click Web Services.
    4. Below Internal web services, select the Override FQDN check box.
    5. Type the pool FQDN that resolves to the physical IP addresses of the servers in the pool (in my case it is Pool2.doitnow.com).
    6. Below External web services, type the external pool FQDN that resolves to the virtual IP addresses of the pool, and then click OK. (In my case it is Pool2.doitnow.com) - is that REQUIRED?
    7. From the console tree, select Lync Server 2010, and then in the Actions pane, click Publish Topology.
    IS THERE ANYTHING TO BE DONE APART FROM THE ABOVE POINTS?
    Now what I did is: on lyncfe01n.doitnow.com I disabled the network card and tried to log in with the Lync 2010 client, but it was not successful.
    My assumption is, it should work via lyncfe02.doitnow.com, since load balancing in DNS is already in place.
    do I need to open / firewall rule to be creany port in second Lync server
    Here is the sequence of events from the Lync event viewer:
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:34:31 PM
    Event ID:      32108
    Task Category: (1006)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Pool Manager changed state of Registrar with FQDN: lyncfe02.doitnow.com to Inactive.
    ======
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:35:01 PM
    Event ID:      32109
    Task Category: (1006)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Pool Manager changed state of Registrar with FQDN: lyncfe02.doitnow.com to Active
    ====
    Log Name:      Lync Server
    Source:        LS Routing Data Sync Agent
    Date:          1/14/2014 3:50:58 PM
    Event ID:      48003
    Task Category: (1058)
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    The Routing Data Sync Agent has initiated a sync cycle with: [pool2.doitnow.com]
    =====
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:56:21 PM
    Event ID:      32108
    Task Category: (1006)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Pool Manager changed state of Registrar with FQDN: lyncfe02.doitnow.com to Inactive.
    ===============
    Log Name:      Lync Server
    Source:        LS File Transfer Agent Service
    Date:          1/14/2014 3:56:45 PM
    Event ID:      1008
    Task Category: (1121)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Failed to read Central Management database information from AD connection point. Microsoft Lync Server 2010, File Transfer Agent will continuously attempt to retrieve this information.
    While this condition persists, configuration changes will not be delivered to replica machines.
    Exception:
    Microsoft.Rtc.Management.ADConnect.ADTransientException: Active Directory error "-2147016646" occurred while searching for domain controllers in domain "doitnow.com": "The server is not operational.
    Name: "doitnow.com"
    " ---> System.DirectoryServices.ActiveDirectory.ActiveDirectoryServerDownException: The server is not operational.
    Name: "doitnow.com"
     ---> System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational.
       at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
       at System.DirectoryServices.DirectoryEntry.Bind()
       at System.DirectoryServices.DirectoryEntry.get_AdsObject()
       at System.DirectoryServices.PropertyValueCollection.PopulateList()
       at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
       at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
       at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
       --- End of inner exception stack trace ---
       at System.DirectoryServices.ActiveDirectory.PropertyManager.GetPropertyValue(DirectoryContext context, DirectoryEntry directoryEntry, String propertyName)
       at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.GetDCForDomain(String fqdn, NetworkCredential networkCredential)
       --- End of inner exception stack trace ---
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.GetDCForDomain(String fqdn, NetworkCredential networkCredential)
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.DiscoverDC()
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.ReportDownServer(String serverName, ADServerRole role)
       at Microsoft.Rtc.Management.ADConnect.Connection.ADConnection.MarkDown(LdapError ldapError, String message)
       at Microsoft.Rtc.Management.ADConnect.Connection.ADConnection.AnalyzeDirectoryError(DirectoryException de)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.AnalyzeDirectoryError(ADConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find(ADObjectId rootId, String optionalBaseDN, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate
    arrayCreator, Boolean includeDeletedObjects)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.GetTopologySetting()
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.GetBackEndServer()
       at Microsoft.Rtc.Xds.Replication.Common.Utils.TryGetConnectionPointFromAD(String& sqlStorePath, Exception& exception)
    Cause: Possible issues with configuration or AD access.
    Resolution:
    Ensure that activation is completed and AD is accessible from this machine.
       at Microsoft.Rtc.Xds.Replication.Common.Utils.TryGetConnectionPointFromAD(String&amp; sqlStorePath, Exception&amp; exception)</Data>
     ====================
    Log Name:      Lync Server
    Source:        LS Master Replicator Agent Service
    Date:          1/14/2014 3:56:45 PM
    Event ID:      2014
    Task Category: (2122)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Failed to read Central Management database information from AD connection point. Microsoft Lync Server 2010, Master Replicator Agent will continuously attempt to retrieve this information.
    While this condition persists, configuration changes will not be delivered to replica machines.
    Exception:
    System.ApplicationException: Domain "doitnow.com" cannot be contacted or does not exist. ---> System.DirectoryServices.ActiveDirectory.ActiveDirectoryObjectNotFoundException: The specified domain does not exist or cannot be contacted.
       at System.DirectoryServices.ActiveDirectory.Domain.GetDomain(DirectoryContext context)
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.GetDCForDomain(String fqdn, NetworkCredential networkCredential)
       --- End of inner exception stack trace ---
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.GetDCForDomain(String fqdn, NetworkCredential networkCredential)
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.DiscoverDC()
       at Microsoft.Rtc.Management.ADConnect.Connection.DirectoryServicesTopologyProvider.ReportDownServer(String serverName, ADServerRole role)
       at Microsoft.Rtc.Management.ADConnect.Connection.ADConnection.MarkDown(LdapError ldapError, String message)
       at Microsoft.Rtc.Management.ADConnect.Connection.ADConnection.AnalyzeDirectoryError(DirectoryException de)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.AnalyzeDirectoryError(ADConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find(ADObjectId rootId, String optionalBaseDN, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCreator, CreateObjectsDelegate
    arrayCreator, Boolean includeDeletedObjects)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find(ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties, CreateObjectDelegate objectCtor, CreateObjectsDelegate arrayCtor)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.Find[TResult](ADObjectId rootId, QueryScope scope, QueryFilter filter, SortBy sortBy, Int32 maxResults, IEnumerable`1 properties)
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.GetTopologySetting()
       at Microsoft.Rtc.Management.ADConnect.Session.ADSession.GetBackEndServer()
       at Microsoft.Rtc.Xds.Replication.Common.Utils.TryGetConnectionPointFromAD(String& sqlStorePath, Exception& exception)
    Cause: Possible issues with configuration or AD access.
    Resolution:
    Ensure that activation is completed and AD is accessible from this machine.
    ===============
    Log Name:      Lync Server
    Source:        LS Inbound Routing
    Date:          1/14/2014 3:56:46 PM
    Event ID:      45005
    Task Category: (1037)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Unexpected exception occurred in the Inbound Routing Application.
    ======================================
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:56:53 PM
    Event ID:      30975
    Task Category: (1006)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Encountered a connection failure while executing a request against the back-end.
    Back-end: sql.doitnow.com\rtc
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:56:53 PM
    Event ID:      32134
    Task Category: (1006)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Failed to connect to back-end database.  Lync Server will continuously attempt to reconnect to the back-end.  While this condition persists, incoming messages will receive error responses.
    Back-end Server: sql.doitnow.com\rtc   Database: rtc  Connection string of:
    driver={SQL Server Native Client 10.0};Trusted_Connection=yes;AutoTranslate=no;server=sql.doitnow.com\rtc;database=rtc;
    Cause: Possible issues with back-end database.
    Resolution:
    Ensure the back-end is functioning correctly.
    =================
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:56:53 PM
    Event ID:      32112
    Task Category: (1006)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Pas with FQDN: Pool2.doitnow.com has been detected to be down.
    =================
    Log Name:      Lync Server
    Source:        LS User Services
    Date:          1/14/2014 3:56:54 PM
    Event ID:      32098
    Task Category: (1006)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Failed processing conference status requests. This error might delay the freeing up of PSTN meeting ids in conference directories homed on this pool.
    Error code: 0x800407D0
    Cause: Possible issues with back-end or Lync Server health.
    Resolution:
    Ensure the Lync Server service is healthy.
    ===========
    Log Name:      Lync Server
    Source:        LS User Replicator
    Date:          1/14/2014 3:58:33 PM
    Event ID:      30022
    Task Category: (1009)
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    The connection to domain controller DC01.doitnow.com appears to have been terminated.  The domain controller could have gone down. User Replicator will attempt to reconnect to an available domain controller for this domain.
    =====
    Log Name:      Lync Server
    Source:        LS File Transfer Agent Service
    Date:          1/14/2014 3:58:43 PM
    Event ID:      1035
    Task Category: (1121)
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      lyncfe01n.doitnow.com
    Description:
    Failed to register with back-end database. Microsoft Lync Server 2010, File Transfer Agent will continuously attempt to reconnect to the back-end.  While this condition persists, no replication will be done.
    The Connection string: Data Source         = sql.doitnow.com\rtc;
                    Database            = xds;
                    Max Pool Size       = 5;
                    Connection Timeout  = 60;
                    Connection Reset    = false;
                    Enlist              = false;
                    Integrated Security = true;
                    Pooling             = true;
    Exception: [-1] Could not connect to SQL server : [Exception=System.Data.SqlClient.SqlException: A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that
    the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, SqlConnection owningObject)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
       at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options)
       at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject)
       at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject)
       at System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject)
       at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
       at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
       at System.Data.SqlClient.SqlConnection.Open()
       at Microsoft.Rtc.Common.Data.DBCore.PerformSprocContextExecution(SprocContext sprocContext)]
    Cause: Possible issues with back-end database.
    Resolution:
    Ensure the back-end is functioning correctly.
    =================

    Thanks Andrew.
    Maybe I missed creating the SRV records for the second FE server. Let me check this point and come back. Is it mandatory to create the SRV records for the second FE server?
     Are the clients using "Automatic Configuration"? Yes.
    So the web service needs a hardware load balancer, right?

  • WLC Load Balancing Threshold

    I am trying to understand how the load balancing threshold is calculated but I am finding conflicting information, even within Cisco's own documentation. I would be grateful if anyone could help.
    Cisco's latest Wireless LAN Controller Configuration Guide for software release 7.0.116.0 (April 2011) contains the following information for configuring Wireless > Advanced > Load Balancing Page (emphasis mine):
    In the Client Window Size text box, enter a value between 1 and 20. The window size becomes part of the algorithm that determines whether an access point is too heavily loaded to accept more client associations:
    load-balancing window + client associations on AP with highest load = load-balancing threshold
    In the group of access points accessible to a client device, each access point has a different number of client associations. The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold. Access points with more client associations than this threshold is considered busy, and clients can associate only to access points with client counts lower than the threshold.
    Option 1
    The formula shown is correct (load-balancing window + client associations on AP with highest load = load-balancing threshold). If so, this would mean that if you had a window size of 5 and the AP with the highest load at the time of calculation was 15, the threshold would be 18. However, as no APs have 18 associations, this threshold would never be reached. Even if an AP reached 18 associations, the next client trying to associate would trigger another calculation for the threshold, which would be 21 (3 + 18), and so this threshold would still never be hit.
    Option 2
    The description in the paragraph below is correct (The access point with the lowest number of clients has the lightest load. The client window size plus the number of clients on the access point with the lightest load forms the threshold). This sounds much more sensible to me. In this case, if the window size was 3 and the AP with the lowest number of associations already had 7 clients associated, the load balancing threshold would be 10, i.e. no load balancing would occur until a client tried to associate with an AP which already had at least 10 clients associated.
    Option 3
    I have seen many descriptions on forums etc. of the load balancing threshold being essentially the client window size, i.e. if the client window size is 3 then load balancing will kick in when a client tries to associate to an AP with at least 3 clients already associated. This doesn't match the above documentation unless the AP with the least number of clients associated doesn't have any associated clients, i.e. 0 clients.
    Questions
    I think Option 2 is the correct description of load balancing and the formula given stating use of the AP with the highest load is a typo (albeit still not corrected in the latest documentation). Am I correct?
    The problem with using the option 2 method of calculating the load threshold is that you will be unnecessarily performing load balancing in an environment where some of your APs do actually have zero clients associated, unless you set the window size to something close to 10.
    I read here http://www.perihel.at/wlan/wlan-wlc.html#aggressive-load-balancing that when calculating the load threshold, it only accounts for the 8 'best' APs for a given client. In other words, if you have 60 APs on your campus but only 20 are visible to the client, the controller will only perform its load threshold calculations based on the 8 APs which have the best signal to the client. This would make sense, as there is no point setting a load threshold based on the lightest loaded AP which is not even within 'reach' of the client. Is this correct, as I cannot find any other documentation which supports this?
    Thanks in advance for your help with this.

    Interesting, the config guide contradicts itself in the same paragraph.....    I thought maybe we had two different documents with different explanations.  I don't see any open documentation bugs asking to correct this, but I swear I've heard discussion on this in the past.......
    First off:  Option #3 was the "old way". I think it changed in 6.0.    If you had a threshold of 5, then as soon as you had 5 clients on an AP it would reject the association (3 times and then let them on the 4th attempt).  Now it's a sliding window/scale.
    Option #1 I think is completely wrong. As you described, how in the world would you ever surpass the threshold if the highest AP + the window is what you have to beat to load-balance....?    Right, that just doesn't make any sense to me.....
    Option #2, the way you explain it is correct to my understanding...
    Your question #3 is also correct (not sure if it is Top 8 or based on an RSSI threshold though.)
    The idea is that you don't want some AP in a remote office with 0 clients being your starting point.   So I believe that it is based on the top X candidates for your client.    If your client has 4 viable candidates (let's just say -70 or better), and one of those APs has 5 clients and the rest have 15, I'd expect load balancing to try to get you to the 5 client AP if your window size was ~10......  something like that anyhow...
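
The three readings of the threshold debated in this thread, modelled side by side as an added example (not Cisco's algorithm and not code from either poster). The AP names, client counts and RSSI values are constructed; the -70 dBm cutoff and top-8 cap are the thread's guesses, and "busy" is assumed to mean a client count at or above the threshold.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AP:
    name: str
    clients: int  # current client associations on this AP
    rssi: int     # signal strength the client hears this AP at, in dBm


# Constructed sample matching the reply's scenario: four viable candidates
# (one with 5 clients, three with 15) plus a distant, empty AP.
SAMPLE_APS = [
    AP("AP-1", 5, -62),
    AP("AP-2", 15, -55),
    AP("AP-3", 15, -60),
    AP("AP-4", 15, -68),
    AP("AP-remote", 0, -85),
]


def candidates(aps, min_rssi=-70, top_n=8):
    """APs the client can realistically use, best signal first.

    Assumption from the thread: only APs at min_rssi or better count,
    capped at the top_n strongest.
    """
    viable = [ap for ap in aps if ap.rssi >= min_rssi]
    return sorted(viable, key=lambda ap: ap.rssi, reverse=True)[:top_n]


def threshold(cands, window, reading):
    """Load-balancing threshold under one of the three readings."""
    counts = [ap.clients for ap in cands]
    if reading == "highest":   # Option 1: the formula as printed in the guide
        return window + max(counts)
    if reading == "lightest":  # Option 2: the guide's prose description
        return window + min(counts)
    if reading == "window":    # Option 3: the "old way", window alone
        return window
    raise ValueError(f"unknown reading: {reading!r}")


def busy_aps(aps, window, reading, min_rssi=-70, top_n=8):
    """Names of candidate APs that would refuse a new association."""
    cands = candidates(aps, min_rssi, top_n)
    if not cands:
        return []
    limit = threshold(cands, window, reading)
    # Assumption: an AP is busy once its count reaches the threshold.
    return [ap.name for ap in cands if ap.clients >= limit]


if __name__ == "__main__":
    window = 10
    cands = candidates(SAMPLE_APS)
    for reading in ("highest", "lightest", "window"):
        print(f"{reading:8s} threshold={threshold(cands, window, reading):2d} "
              f"busy={busy_aps(SAMPLE_APS, window, reading)}")
    # Effect of letting the distant empty AP set the baseline.
    print("window 12, filtered:  ", busy_aps(SAMPLE_APS, 12, "lightest"))
    print("window 12, unfiltered:",
          busy_aps(SAMPLE_APS, 12, "lightest", min_rssi=-100))
```

Under the "highest" reading no AP can ever be busy for a window of 1 or more, which is the objection raised against Option 1 in the thread.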

  • Wireless clients load balancing on the APs on WLC 4404

    Hi Experts,
    I'm just wondering if the WLC 4404 with firmware 4.2.207.0 can load balance the wireless clients on different WAPs. Let's say that an AP is already handling 15 wireless devices. When the 16th is trying to join, the controller somehow puts it on another nearby AP, even if the signal from this AP is weaker. I heard of a similar feature from other wireless solution vendors. I'm just wondering if Cisco has a similar feature or not.
    Thanks!

    Yes, it is known as aggressive load balancing; it sends a code 17, making the wireless client look at another nearby AP.
    Here is the documentation:
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00809c2fc3.shtml

  • WLC Voice Audit - Aggressive Load Balancing on WLAN not disabled

    I am running v6.0.196 on 2 WLCs.  Aggressive Load Balancing is disabled globally via WCS. (Configure / Controller / General / Aggressive Load Balancing = Disabled).  When running the Voice Audit Tool against the VoWLAN, I receive the following:
    "Aggressive Load Balancing on WLAN not Disabled"
    I am unable to locate the command or the screen to actually disable this on an individual WLAN.  Is this perhaps a code glitch?
    -Robert

    This is not available on the WCS.  I was able to locate this on the individual WLCs.
    But thanks for pointing me where to look nonetheless!
    -Robert

  • Cisco 1921 Dual ADSL Load Balancing/Failover?

    Hello,
    We have purchased a Cisco 1921 with twin ADSL after advice from a Cisco sales rep. However I am having trouble working out the load balancing/fail over config for the device.
    I would like traffic to balance over both ADSL lines and if one goes down not to interrupt connectivity.
    I had a look at ppp multilink but I am unsure whether our ISP (BT) supports this?
    This is my current config, in which I think only one ADSL line is being used. Some input would be appreciated.
    Robbie
    ! Last configuration change at 13:18:34 UTC Tue Mar 29 2011
    version 15.0
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname xxxxxx
    boot-start-marker
    boot-end-marker
    no logging buffered
    enable secret 5 xxxxx
    enable password xxxx
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 194.74.65.68
    ip name-server 194.72.0.114
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-xxxxxx
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-xxxxx0
    revocation-check none
    rsakeypair TP-self-signed-xxxxx!
    crypto pki certificate chain TP-self-signed-xxxxxx
    certificate self-signed 02 nvram:IOS-Self-Sig#4.cer
    license udi pid CISCO1921/K9 xxxxx
    username admin privilege 15 secret 5 xxxxxxxxxx/
    interface GigabitEthernet0/0
    description lan$ETH-LAN$
    ip address 10.0.8.1 255.255.248.0
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    interface GigabitEthernet0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface ATM0/0/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/0/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/1/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    dsl operating-mode adsl2
    interface ATM0/1/0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    ip flow ingress
    pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface Dialer0
    mtu 1483
    ip address negotiated
    ip access-group spalding in
    ip access-group spalding out
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    interface Dialer1
    mtu 1483
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 0 xxxxx
    ppp link reorders
    ppp multilink
    ppp multilink links minimum 2
    ppp multilink fragment disable
    ppp timeout multilink link add 2
    no cdp enable
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.0.15.201 3389 interface Dialer0 3389
    ip nat outside source static tcp 195.194.75.218 3389 10.0.15.200 3389 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark INSIDE_IF=GigabitEthernet0/0
    access-list 1 permit 10.0.0.0 0.254.255.255
    dialer-list 1 protocol ip permit
    control-plane
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    end

    Hi,
    Can anyone help me with this config? Not very reliable.
    Building configuration...
    Current configuration : 17349 bytes
    ! Last configuration change at 06:08:06 UTC Sun Apr 5 2015 by Shawn
    version 15.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Router
    boot-start-marker
    boot system flash0:c2900-universalk9-mz.SPA.154-3.M2.bin
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$sNeA$GB6.SMrcsxPf51tK2Eo9Z.
    aaa new-model
    aaa authentication login local_authen local
    aaa authorization exec local_author local
    aaa session-id common
    no ip source-route
    ip port-map user-protocol--8 port udp 3392
    ip port-map user-protocol--9 port tcp 3397
    ip port-map user-protocol--2 port udp 3391
    ip port-map user-protocol--3 port tcp 14000
    ip port-map user-protocol--1 port tcp 3391
    ip port-map user-protocol--6 port udp 3394
    ip port-map user-protocol--7 port tcp 3392
    ip port-map user-protocol--4 port udp 14100
    ip port-map user-protocol--5 port tcp 3394
    ip port-map user-protocol--10 port udp 3397
    ip dhcp excluded-address 192.168.1.1 192.168.1.49
    ip dhcp excluded-address 192.168.10.1 192.168.10.49
    ip dhcp pool DHCP_POOL1
     import all
     network 192.168.1.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.1.1
     lease infinite
    ip dhcp pool ccp-pool1
     import all
     network 192.168.10.0 255.255.255.0
     dns-server 139.130.4.4 203.50.2.71
     default-router 192.168.10.1
     lease infinite
    no ip bootp server
    ip host SHAWN-PC 192.168.1.10
    ip host DIAG 192.168.1.5
    ip host MSERV 192.168.1.13
    ip name-server 139.130.4.4
    ip name-server 203.50.2.71
    ip cef
    ip cef load-sharing algorithm include-ports source destination
    no ipv6 cef
    multilink bundle-name authenticated
    cts logging verbose
    crypto pki trustpoint TP-self-signed-1982477479
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1982477479
     revocation-check none
     rsakeypair TP-self-signed-1982477479
    license udi pid 
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    redundancy
    controller VDSL 0/0/0
     operating mode adsl2+
    controller VDSL 0/1/0
     operating mode adsl2+
    no cdp run
    track timer interface 5
    track 1 interface Dialer0 ip routing
     delay down 15 up 10
    track 2 interface Dialer1 ip routing
     delay down 15 up 10
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-all sdm-nat-user-protocol--7-1
     match access-group 104
     match protocol user-protocol--7
     match access-group 102
    class-map type inspect match-all sdm-nat-user-protocol--4-2
     match access-group 101
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--6-1
     match access-group 103
     match protocol user-protocol--6
    class-map type inspect match-all sdm-nat-user-protocol--5-1
     match access-group 103
     match protocol user-protocol--5
    class-map type inspect match-all sdm-nat-user-protocol--4-1
     match access-group 102
     match protocol user-protocol--4
    class-map type inspect match-all sdm-nat-user-protocol--7-2
     match access-group 101
     match protocol user-protocol--7
    class-map type inspect match-all sdm-nat-user-protocol--3-1
     match access-group 102
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--2-1
     match access-group 101
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--1-2
     match access-group 102
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--1-1
     match access-group 101
     match protocol user-protocol--1
    class-map type inspect match-all sdm-nat-user-protocol--2-2
     match access-group 102
     match protocol user-protocol--2
    class-map type inspect match-all sdm-nat-user-protocol--3-2
     match access-group 101
     match protocol user-protocol--3
    class-map type inspect match-all sdm-nat-user-protocol--8-2
     match access-group 101
     match protocol user-protocol--8
    class-map type inspect match-all sdm-nat-user-protocol--9-2
     match access-group 104
     match protocol user-protocol--9
    class-map type inspect match-any ccp-skinny-inspect
     match protocol skinny
    class-map type inspect match-all sdm-nat-user-protocol--9-1
     match access-group 101
     match protocol user-protocol--9
     match access-group 104
    class-map type inspect match-all sdm-nat-user-protocol--8-1
     match access-group 104
     match protocol user-protocol--8
     match access-group 102
    class-map type inspect match-any ccp-h323nxg-inspect
     match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
     match protocol tcp
     match protocol udp
    class-map type inspect match-all sdm-nat-user-protocol--10-2
     match access-group 104
     match protocol user-protocol--10
    class-map type inspect match-all sdm-nat-user-protocol--10-1
     match access-group 101
     match protocol user-protocol--10
     match access-group 104
    class-map type inspect match-any ccp-h225ras-inspect
     match protocol h225ras
    class-map type inspect match-any ccp-h323annexe-inspect
     match protocol h323-annexe
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol pptp
     match protocol dns
     match protocol ftp
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all SDM_GRE
     match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
     match protocol h323
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-any ccp-sip-inspect
     match protocol sip
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    class-map type inspect match-any CCP_PPTP
     match class-map SDM_GRE
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class type inspect ccp-sip-inspect
      inspect
     class type inspect ccp-h323-inspect
      inspect
     class type inspect ccp-h323annexe-inspect
      inspect
     class type inspect ccp-h225ras-inspect
      inspect
     class type inspect ccp-h323nxg-inspect
      inspect
     class type inspect ccp-skinny-inspect
      inspect
     class class-default
      drop
    policy-map type inspect sdm-pol-NATOutsideToInside-1
     class type inspect sdm-nat-user-protocol--1-1
      inspect
     class type inspect sdm-nat-user-protocol--2-1
      inspect
     class type inspect sdm-nat-user-protocol--3-1
      inspect
     class type inspect sdm-nat-user-protocol--4-1
      inspect
     class type inspect sdm-nat-user-protocol--5-1
      inspect
     class type inspect sdm-nat-user-protocol--6-1
      inspect
     class type inspect sdm-nat-user-protocol--7-1
      inspect
     class type inspect sdm-nat-user-protocol--8-1
      inspect
     class type inspect sdm-nat-user-protocol--9-1
      inspect
     class type inspect sdm-nat-user-protocol--10-1
      inspect
     class type inspect CCP_PPTP
      pass
     class type inspect sdm-nat-user-protocol--7-2
      inspect
     class type inspect sdm-nat-user-protocol--8-2
      inspect
     class type inspect sdm-nat-user-protocol--1-2
      inspect
     class type inspect sdm-nat-user-protocol--2-2
      inspect
     class type inspect sdm-nat-user-protocol--9-2
      inspect
     class type inspect sdm-nat-user-protocol--10-2
      inspect
     class type inspect sdm-nat-user-protocol--3-2
      inspect
     class type inspect sdm-nat-user-protocol--4-2
      inspect
     class class-default
      drop log
    policy-map type inspect ccp-permit
     class class-default
      drop
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    zone security in-zone
    zone security out-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
     service-policy type inspect sdm-pol-NATOutsideToInside-1
    interface Null0
     no ip unreachables
    interface Embedded-Service-Engine0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$
     ip address 192.168.10.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     duplex auto
     speed auto
     no mop enabled
    interface GigabitEthernet0/1
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     duplex auto
     speed auto
     no mop enabled
    interface ATM0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/0/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface ATM0/0/0.2 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
    interface Ethernet0/0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface ATM0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     no atm ilmi-keepalive
    interface ATM0/1/0.1 point-to-point
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 2
    interface Ethernet0/1/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     shutdown
     no mop enabled
    interface GigabitEthernet0/3/0
     no ip address
    interface GigabitEthernet0/3/1
     no ip address
    interface GigabitEthernet0/3/2
     no ip address
    interface GigabitEthernet0/3/3
     no ip address
    interface GigabitEthernet0/3/4
     no ip address
    interface GigabitEthernet0/3/5
     no ip address
    interface GigabitEthernet0/3/6
     no ip address
    interface GigabitEthernet0/3/7
     no ip address
    interface Vlan1
     description $FW_INSIDE$
     ip address 192.168.1.1 255.255.255.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     zone-member security in-zone
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 1444405858557A
     ppp pap sent-username [email protected] password 7 135645415F5D54
     ppp multilink
    interface Dialer1
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nbar protocol-discovery
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     zone-member security out-zone
     encapsulation ppp
     dialer pool 2
     dialer-group 2
     ppp authentication chap pap callin
     ppp chap hostname [email protected]
     ppp chap password 7 01475E540E5D55
     ppp pap sent-username [email protected] password 7 055F5E5F741A1D
     ppp multilink
    router eigrp as#
    router eigrp 10
     network 192.168.1.1 0.0.0.0
    router rip
     version 2
     network 192.168.1.0
     no auto-summary
    ip forward-protocol nd
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source static tcp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static udp 192.168.1.10 3392 interface Dialer1 3392
    ip nat inside source static tcp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static udp 192.168.1.35 3391 interface Dialer0 3391
    ip nat inside source static tcp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static udp 192.168.1.5 3394 interface Dialer0 3394
    ip nat inside source static tcp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static udp 192.168.1.17 3397 interface Dialer0 3397
    ip nat inside source static tcp 192.168.1.10 14000 interface Dialer0 14000
    ip nat inside source static udp 192.168.1.10 14100 interface Dialer0 14100
    ip nat inside source route-map ADSL0 interface Dialer0 overload
    ip nat inside source route-map ADSL1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 2
    ip access-list extended NAT
     remark CCP_ACL Category=18
     permit ip 192.0.0.0 0.255.255.255 any
    ip access-list extended SDM_GRE
     remark CCP_ACL Category=1
     permit gre any any
     remark CCP_ACL Category=1
    ip access-list extended STATIC-NAT-SERVICES
     permit ip host 192.168.1.35 any
     permit ip host 192.168.1.5 any
     permit ip host 192.168.1.10 any
     permit ip host 192.168.1.17 any
    dialer-list 1 protocol ip permit
    dialer-list 2 protocol ip permit
    route-map ADSL0 permit 10
     match ip address NAT
     match interface Dialer0
    route-map ADSL1 permit 10
     match ip address NAT
     match interface Dialer1
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 2 permit 192.168.1.0 0.0.0.255
    access-list 2 deny   any
    access-list 2 remark HTTP Access-class list
    access-list 2 remark CCP_ACL Category=1
    access-list 3 remark HTTP Access-class list
    access-list 3 remark CCP_ACL Category=1
    access-list 3 permit 192.168.1.0 0.0.0.255
    access-list 3 deny   any
    access-list 10 remark INSIDE_IF=NAT
    access-list 10 remark CCP_ACL Category=2
    access-list 10 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 139.130.227.0 0.0.0.255 any
    access-list 100 permit ip 203.45.106.0 0.0.0.255 any
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.10
    access-list 101 remark CCP_ACL Category=0
    access-list 101 permit ip any host 192.168.1.35
    access-list 101 permit tcp any any eq www
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.35
    access-list 102 remark CCP_ACL Category=0
    access-list 102 permit ip any host 192.168.1.10
    access-list 103 remark CCP_ACL Category=0
    access-list 103 permit ip any host 192.168.1.5
    access-list 104 remark CCP_ACL Category=0
    access-list 104 permit ip any host 192.168.1.17
    control-plane
    banner login ^CCE-Rescue Systems^C
    line con 0
     login authentication local_authen
     transport output telnet
    line aux 0
     login authentication local_authen
     transport output telnet
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    line vty 5 15
     authorization exec local_author
     login authentication local_authen
     transport input telnet ssh
    scheduler allocate 20000 1000
    end
    Thanks
    Shawn
