Default class inspection policy
Hi Everyone,
Need to know if default class inspection policy matches the incoming or outging traffic flowing through the ASA?
Example when i ping from PC connecting to the ASA to outside world will then it will match icmp traffic entering the ASA then ICMP reply coming
to outside interface?
Thanks
MAhesh
Hello,
The ASA is stateful in both directions, so the policy matches incoming and outgoing traffic.
What happens is that you also have security levels, so from high to low it is allow but from low to high it will be deny unless you configure an ACL.
Regards,
Felipe.
Similar Messages
-
Potential Impact of Disabling Default HTTP Inspection Policy
I have a 5500-series firewall configured with basic HTTP inspection via the default global policy-map. The software for this firewall is recent 8.2(x).
Some questions:
1. I am under the impression that default HTTP inspection will do basic validation of RFC compliance for HTTP traffic without any custom configuration. All such traffic is inspected by the appliance. Am I correct in this understanding?
2. If so, would basic HTTP inspection create the potential for additional latency in the environment for matched traffic?
3. Would removing the policy via the "no inspect http" command within the global policy-map be service disrupting? Would I see any noticeable impact to HTTP traffic by doing this?
Thank you for your responses in advance.
JeffHi,
These are the response to your queries:-
1) Yes ,HTTP inspection will check all the connections destined to port 80 through the ASA device as per the RFC standards.
2) Might be yes , As the HTTP connections are the major amount of traffic on the ASA device , too much traffic have to be inspected by the ASA device and re-assembling will also cause the ASA device to do some extra processing.
3) No , I think you would reduce the processing for the ASA after disabling this inspection.
This would not cause any disruption in the traffic as it is not applied on the existing connections but only on the new connections which are made through the ASA device after the policy is modified.
Also , check this:-
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113393-asa-troubleshoot-throughput-00.html
Thanks and Regards,
Vibhor Amrodia -
Default FWSM inspection policy
On FWSM (running version 4.1 in my case) the default global policy uses the following class map:
class-map inspection_default
match default-inspection-traffic
Does anyone know what "default-inspection-traffic" includes? Is it all traffic? If so, do I really want all my traffic to go through the inspection engine? I would imagine this would have a performance impact on traffic that is not part of the protocols being inspected.
Any insight would be greatly appreciated.
David W.The CLI help in the FWSM actually displays what's included in the "default-inspection-traffic" match definition:
FWSM/context1(config)# class-map inspection_default
FWSM/context1(config-cmap)# match ?
mpf-class-map mode commands/options:
access-list Match an Access List
any Match any packet
default-inspection-traffic Match default inspection traffic:
ctiqbe----tcp--2748 dns-------udp--53
ftp-------tcp--21 gtp-------udp--2123,3386
h323-h225-tcp--1720 h323-ras--udp--1718-1719
http------tcp--80 icmp------icmp
ils-------tcp--389 mgcp------udp--2427,2727
netbios---udp--137-138 rpc-------udp--111
rsh-------tcp--514 rtsp------tcp--554
sip-------tcp--5060 sip-------udp--5060
skinny----tcp--2000 smtp------tcp--25
sqlnet----tcp--1521 tftp------udp--69
xdmcp-----udp--177
port Match TCP/UDP port(s) -
According to Cisco dumentation (http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mpc.html)
, the ASA is equipped with two default class-maps
class-map inspection_default
match default-inspection-traffic
and
class-map class-default
match any
The first makes perfect sense, but what is the class-default used for? Cisco says
"This class map appears at the end of all Layer 3/4 policy maps and essentially tells the adaptive security appliance to not perform any actions on all other traffic. You can use the class-default class map if desired, rather than making your own
match any class map. In fact, some features are only available for class-default."
But I see stuff like this:
policy-map MyPolicy
class class-default
inspect tfp MyFTPpolicy
Obviously it is being used here to act on traffic! So I am confused.
I also noticed that when you upgrade from 8.2 to 8.4, all default class-maps are removed from the configuration: you have to re-create everything (strange)Hello Collin,
This is Mike. I dont think it is well documented. Basically it is just a class map (that does not appear on the configuration unless an action is specified) that will match all traffic passing through the ASA firewall. Some features like NSEL (Netflow) and Traffic shaping are only allowed to use this kind of class maps because they dont support any other match command.
The one that you currently have (and God I hope its not applied) will look for tftp traffic on every IP packet passing across the ASA.
This specific type of policy you have there can only be applied on the interface (as it is not a layer 7 inspection policy) you can check if it is applied or not by running the show "run service-policy command"
Mike -
Default class map is dropping all Packets
Hello I have a Cisco 871 router that used to have Access list based security. now I am trying the ZBFW for the first time. I thought I had a pretty good program until I found all my traffic was getting dropped. This is my first stab at ZBFWs and I am a bit confused esp with the default class part. Any help is greatly appreciated!!!!
The router is for my house and thus also has to have priority for gaming. I will add the gaming and voice QOS once I get it working,
Guest VLAN has access to 2 IP's in Data for printing.
Cisco871#sh run
Building configuration...
Current configuration : 8005 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
hostname Cisco871
boot-start-marker
boot-end-marker
logging buffered 4096
no logging console
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock summer-time PST recurring
crypto pki trustpoint TP-self-signed-4004039535
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4004039535
revocation-check none
rsakeypair TP-self-signed-4004039535
crypto pki certificate chain TP-self-signed-4004039535
certificate self-signed 01
3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34303034 30333935 3335301E 170D3038 30323037 30373532
32375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 30303430
33393533 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEC2 7B89C73F AB4860EE 729C3B64 82139630 239A2301 8EA8B4C4 05505E25
B0F24E7F 26ECEC53 3E266E80 F3104F61 BDDC5592 40E12537 2262D272 08D38F8E
147F5059 7F632F5E 635B9CDF 652FFE82 C2F45C60 5F619AF0 72E640E0 E69EA9EF
41C6B06C DD8ACF4B 0A1A33CF AF3C6BFB 73AD6BE0 BD84DD7F 435BD943 0A22E0E5
F4130203 010001A3 74307230 0F060355 1D130101 FF040530 030101FF 301F0603
551D1104 18301682 144C7570 696E2E44 61627567 61626F6F 732E6F72 67301F06
03551D23 04183016 801473C6 E0784818 29A89377 23A22F5E BDD430CE E282301D
0603551D 0E041604 1473C6E0 78481829 A8937723 A22F5EBD D430CEE2 82300D06
092A8648 86F70D01 01040500 03818100 299AD241 442F976F 4F030B33 C477B069
D356C518 8132E61B 1220F999 A30A4E0C D337DCE5 C408E3BC 0439BB66 543CF585
8B26AA77 91FA510B 14796239 F272A306 C942490C A44336E0 A9430B81 9FC62524
E55017FA 5C5463D7 B3492753 42315BEC 32B78F24 D10B0CA7 D1844CD5 C3E466B9
3543BD68 A4B2692D 05CBF6DC C93C8142
quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.5
ip dhcp excluded-address 172.16.15.1 172.16.15.5
ip dhcp excluded-address 172.16.15.14
ip dhcp excluded-address 172.16.17.1 172.16.17.5
ip dhcp excluded-address 192.168.19.1 192.168.19.5
ip dhcp pool MyNetNative
import all
network 10.0.0.0 255.255.255.248
default-router 10.0.0.1
domain-name MyNetNet.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
lease 0 2
ip dhcp pool MyNetData
import all
network 172.16.15.0 255.255.255.240
dns-server 172.16.15.14 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
default-router 172.16.15.1
domain-name MyDomain.org
ip dhcp pool MyNetVoice
import all
network 172.16.17.0 255.255.255.240
dns-server 172.16.15.14
default-router 172.16.17.1
domain-name MyDomain.org
ip dhcp pool MyNetGuest
import all
network 192.168.19.0 255.255.255.240
default-router 192.168.19.1
domain-name MyNetGuest.org
dns-server 4.2.2.1 4.2.2.6 8.8.8.8 208.67.220.220
ip domain name MyDomain.org
ip name-server 172.16.15.14
ip name-server 4.2.2.4
ip inspect log drop-pkt
multilink bundle-name authenticated
parameter-map type inspect TCP_PARAM
parameter-map type inspect global
username MyAdmin privilege 15 secret 5 MyPassword
archive
log config
hidekeys
class-map type inspect match-all MyNetGuest-access-list
match access-group 110
class-map type inspect match-any Base-protocols
match protocol http
match protocol https
match protocol ftp
match protocol ssh
match protocol dns
match protocol ntp
match protocol ica
match protocol pptp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all MyNetGuest-Class
match class-map MyNetGuest-access-list
match class-map Base-protocols
class-map type inspect match-all MyNetNet-access-list
match access-group 100
class-map type inspect match-any Voice-protocols
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any Extended-protocols
match protocol pop3
match protocol pop3s
match protocol imap
match protocol imaps
match protocol smtp
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
class type inspect MyNetGuest-access-list
inspect
class class-default
policy-map type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
class type inspect MyNetGuest-Class
inspect
class class-default
policy-map type inspect MyNetNet-zone
class class-default
pass
zone security MyNetNet-zone
zone security MyNetGuest-zone
zone security MyNetWAN-zone
zone-pair security MyNetNet->MyNetGuest source MyNetNet-zone destination MyNetGuest-zone
service-policy type inspect MyNetNet-zone_to_MyNetGuest-zone_policy
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetWAN source MyNetGuest-zone destination MyNetWAN-zone
service-policy type inspect MyNetGuest-zone_to_MyNetWAN-zone_policy
zone-pair security MyNetGuest->MyNetNet source MyNetGuest-zone destination MyNetNet-zone
service-policy type inspect MyNetGuest-zone_to_MyNetNet-zone_policy
interface FastEthernet0
description Cisco-2849-Switch
switchport mode trunk
speed 100
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
description SBS-Server
switchport access vlan 10
spanning-tree portfast
interface FastEthernet4
description WAN
no ip address
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security MyNetWAN-zone
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
interface Vlan1
description MyNetNative
ip address 10.0.0.1 255.255.255.248
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
ip tcp adjust-mss 1452
interface Vlan10
description MyNetData
ip address 172.16.15.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan20
description MyNetVoice
ip address 172.16.17.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetNet-zone
interface Vlan69
description MyNetGuest
ip address 192.168.19.1 255.255.255.240
ip nat inside
ip virtual-reassembly
zone-member security MyNetGuest-zone
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 100 remark MyNetnet
access-list 100 permit ip 10.0.0.0 0.0.0.7 any
access-list 100 permit ip 172.16.15.0 0.0.0.31 any
access-list 100 permit ip 172.16.17.0 0.0.0.15 any
access-list 110 remark MyNetGuest
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.2
access-list 110 permit ip 192.168.19.0 0.0.0.15 host 172.16.15.3
access-list 110 deny ip 192.168.19.0 0.0.0.15 10.0.0.0 0.0.0.7
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.15.0 0.0.0.31
access-list 110 deny ip 192.168.19.0 0.0.0.15 172.16.17.0 0.0.0.15
access-list 110 permit ip 192.168.19.0 0.0.0.15 any
control-plane
banner login ^CC
You know if you should be here or not.
if not please leave
NOW
^C
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
ntp server 172.16.15.14
webvpn cef
end
Cisco871#sh zone security
zone self
Description: System defined zone
zone MyNetNet-zone
Member Interfaces:
Vlan1
Vlan10
Vlan20
zone MyNetGuest-zone
Member Interfaces:
Vlan69
zone MyNetWAN-zone
Member Interfaces:
FastEthernet4
Cisco871#sh zone-pair security
Zone-pair name MyNetNet->MyNetGuest
Source-Zone MyNetNet-zone Destination-Zone MyNetGuest-zone
service-policy MyNetNet-zone_to_MyNetGuest-zone_policy
Zone-pair name MyNetNet->MyNetWAN
Source-Zone MyNetNet-zone Destination-Zone MyNetWAN-zone
service-policy MyNetNet-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetWAN
Source-Zone MyNetGuest-zone Destination-Zone MyNetWAN-zone
service-policy MyNetGuest-zone_to_MyNetWAN-zone_policy
Zone-pair name MyNetGuest->MyNetNet
Source-Zone MyNetGuest-zone Destination-Zone MyNetNet-zone
service-policy MyNetGuest-zone_to_MyNetNet-zone_policy
Cisco871#sh int faste4
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 0016.9d29.a667 (bia 0016.9d29.a667)
Description: WAN
Internet address is 10.38.177.98/25
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:34:50, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 2000 bits/sec, 3 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
593096 packets input, 73090812 bytes
Received 592752 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
9940 packets output, 1016025 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
Zone-pair: MyNetNet->MyNetWAN
Service-policy inspect : MyNetNet-zone_to_MyNetWAN-zone_policy
Class-map: MyNetNet-Class (match-all)
Match: class-map match-all MyNetNet-access-list
Match: access-group 100
Match: class-map match-any Voice-protocols
Match: protocol h323
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol skinny
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol sip
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Extended-protocols
Match: protocol pop3
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pop3s
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imap
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol imaps
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol smtp
0 packets, 0 bytes
30 second rate 0 bps
Match: class-map match-any Base-protocols
Match: protocol http
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol https
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ftp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ssh
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol dns
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ntp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol ica
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol pptp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol icmp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol tcp
0 packets, 0 bytes
30 second rate 0 bps
Match: protocol udp
0 packets, 0 bytes
30 second rate 0 bps
Inspect
Session creations since subsystem startup or last reset 0
Current session counts (estab/half-open/terminating) [0:0:0]
Maxever session counts (estab/half-open/terminating) [0:0:0]
Last session created never
Last statistic reset never
Last session creation rate 0
Maxever session creation rate 0
Last half-open session total 0
Class-map: class-default (match-any)
Match: any
Drop (default action)
5196 packets, 256211 bytes
Cisco871#sh log
Syslog logging: enabled (1 messages dropped, 0 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 1745 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
ESM: 0 messages dropped
Trap logging: level informational, 1785 message lines logged
Log Buffer (4096 bytes):
001779: *Feb 15 11:00:55.979: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:61806 => 168.94.0.1:53 with ip ident 511 due to policy match failure
001780: *Feb 15 11:00:59.739: %FW-6-DROP_TCP_PKT: Dropping Other pkt 172.16.15.6:4399 => 168.94.69.30:443 due to policy match failure -- ip ident 515 tcpflags 0x7002 seq.no 974122240 ack 0
001781: *Feb 15 11:01:26.507: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:51991 => 168.94.0.1:53 with ip ident 625 due to policy match failure
001783: *Feb 15 11:01:57.891: %FW-6-DROP_UDP_PKT: Dropping Other pkt 172.16.15.6:64470 => 168.94.0.1:53 with ip ident 677 due to policy match failureHello Charlie,
I would recomend you to investigate a little bit more about how the ZBFW features works
Now I am going to help you on this one at least, then I will give you a few links you could use to study
We are going to study traffic from MyNetNet-zone to the MyNetWan-zone
First the zone-pair
zone-pair security MyNetNet->MyNetWAN source MyNetNet-zone destination MyNetWAN-zone
service-policy type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
so lets go policy-map
policy-map type inspect MyNetNet-zone_to_MyNetWAN-zone_policy
class type inspect MyNetNet-Class
inspect
class class-default
Finally to the class map
class-map type inspect match-all MyNetNet-Class
match class-map MyNetNet-access-list
match class-map Voice-protocols
match class-map Extended-protocols
match class-map Base-protocols
That keyword MATCH-ALL is the one causing the issues!!
Why?
Because you are telling the ZBFW to inspect traffic only if matches all of those class-maps so a packet will need to math the base protocols and the extended protocol and as you know that is not possible ( Just one protocol )
So here are the links
http://blogg.kvistofta.nu/cisco-ios-zone-based-policy-firewall/
https://supportforums.cisco.com/thread/2138873
http://pktmaniac.info/2011/08/zone-based-firewalls-something-to-keep-in-mind/
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
You have some work to do
Please remember to rate all the helpful posts
Julio
CCSP -
Changing the application wide default focus traversal policy
Hi,
I have a Swing application built using JDK1.3 where there lots of screens (frames, dialogs with complex screens - panels, tables, tabbed panes etc), in some screens layouts have been used and in other screens instead of any layout, absolute positions and sizes of the controls have been specified.
In some screens setNextFocusableComponent() methods for some components have been called at some other places default focus traversal is used. (which I think is the order in which the components are placed and their postions etc). Focus traversal in each screen works fine.
Now I have to migrate to JDK1.4. Problem now is that after migrating to JDK1.4.2, focus traversal has become a headache. In some screens there is no focus traversal and in some there is it is not what I wanted.
So I thought to replace applicaiton wide default focus traversal policy and I did the following:
///////// Replace default focus traversal policy
java.awt.KeyboardFocusManager.getCurrentKeyboardFocusManager().setDefaultFocusTraversalPolicy(new java.awt.ContainerOrderFocusTraversalPolicy());
But there is no change in the behaviour.
Then I tried following:
///////// Replace default focus traversal policy
java.awt.KeyboardFocusManager.getCurrentKeyboardFocusManager().setDefaultFocusTraversalPolicy(new java.awt.DefaultFocusTraversalPolicy());
I did all this in the main() method of the application before anything else just to ensure that all the components get added after this policy has been set. But no luck.
Does someone has any idea what is the problem here ? I do not want to define my own focus traversal policy for each screen that I use (because thats lot of codes).
Thanksnot that hard if you only have the one focus cycle ( > 1 cycle and it gets a bit harder, sometimes stranger)
import javax.swing.*;
import java.awt.*;
class Testing
int focusNumber = 0;
public void buildGUI()
JTextField[] tf = new JTextField[10];
JPanel p = new JPanel(new GridLayout(5,2));
for(int x = 0, y = tf.length; x < y; x++)
tf[x] = new JTextField(5);
p.add(tf[x]);
final JTextField[] focusList = new JTextField[]{tf[1],tf[0],tf[3],tf[2],tf[5],tf[4],tf[7],tf[6],tf[9],tf[8]};
JFrame f = new JFrame();
f.setFocusTraversalPolicy(new FocusTraversalPolicy(){
public Component getComponentAfter(Container focusCycleRoot,Component aComponent)
focusNumber = (focusNumber+1) % focusList.length;
return focusList[focusNumber];
public Component getComponentBefore(Container focusCycleRoot,Component aComponent)
focusNumber = (focusList.length+focusNumber-1) % focusList.length;
return focusList[focusNumber];
public Component getDefaultComponent(Container focusCycleRoot){return focusList[0];}
public Component getLastComponent(Container focusCycleRoot){return focusList[focusList.length-1];}
public Component getFirstComponent(Container focusCycleRoot){return focusList[0];}
f.getContentPane().add(p);
f.pack();
f.setLocationRelativeTo(null);
f.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
f.setVisible(true);
public static void main(String[] args)
SwingUtilities.invokeLater(new Runnable(){
public void run(){
new Testing().buildGUI();
} -
Bandwidth allocation | default class|CBWFQ
Hi everybody
Let say we have 100 mig circuit. Max -reserved bandwidth is 100 mig as well. We make following allocations:
Class A
bandwidth 20
Class B
bandwidth 60
Class Default.
1)We did not make any bandwidth allocations for default class. Assuming We are congested ( i.e class A, class B ), What is the maximum bandwidth Class Default can use?
2) Let say we are congested ( classA,classB) but there is no traffic in default class. How will this unused 20 mig will be distributed among these classA and class B?
++++++++++++++++++++++++++++++++++
I am getting confusing answers:
For example:
From one of theblog ( Dont want pick on author so did not quote it)
You'll want to configure a bandwidth command under the class class-default Otherwise, IOS will divide any unallocated bandwidth equally among all classes; this can result in the class-defaulthaving a very small amount of bandwidth.
Cisco QOS Documentation says:
http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_cr.pdf
From the above link:
The following output from theshow policy-map interfacecommand on serial interface 3/2 shows that 500 kbps of bandwidth is guaranteed for the class
named voice1. The classes named class1 and class2 receive 50 percent and 25 percent of the remaining bandwidth, respectively. Any unallocated bandwidth
is divided proportionally among class1, class2, and any best-effort traffic classes
Which One is true statement?
If Cisco documentation is correct, then what proportion of unallocated bandwidth is given to default class as there is no bandwidth percentage configured under default class.
ThanksDisclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
#2 If there's just traffic for classes A and B, they will proportionally share it 20:60 or 1:3 (or 25%:75%). (NB: the former is assuming they want "more". If not, actual usage might not reflect bandwidth allocation. For example, if class B only used/wanted 50% of link, class A could obtain the other 50%.)
#1 recall finding some blog that really went deep into what class-default gets when you don't explicitly allocate bandwidth. I also recall it may have been IOS version dependent and whether FIFO or FQ was defined in class-default (this also was pre-HQF).
It was very complicated, and IMO, best avoided by defining bandwidth in class-default, if class-default usage, relative to other defined classes, is important to your QoS policy.
Generally, if something isn't clearly documented as expected behavior, I avoid relying on "discovered" actual behavior, because it might change with next IOS release. -
Problem in database fields creation using default class of B1DE Wizard
Hi Experts
In an AddOn I am creating database fields in default class "Project_DB'. It does not give any message weather it creates fields or not. My code for database creation is given below
Namespace FormARE
Public Class FormARE_Db
Inherits B1Db
Public Sub New()
MyBase.New
B1Connections.theAppl.StatusBar.SetText("Please wait. AddOn is updating database", BoMessageTime.bmt_Long, BoStatusBarMessageType.smt_None)
Columns = New B1DbColumn() {New B1DbColumn("OCRD", "BondNo", "Bond No.", BoFieldTypes.db_Alpha, BoFldSubTypes.st_None, 20, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OCRD", "BFrDate", "Bond From Date", BoFieldTypes.db_Date, BoFldSubTypes.st_None, 10, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OCRD", "BTDate", "Bond To Date", BoFieldTypes.db_Date, BoFldSubTypes.st_None, 10, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OINV", "Cntner_no", "Container No.", BoFieldTypes.db_Alpha, BoFldSubTypes.st_None, 20, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OINV", "Cntnr_Seal", "Container Seal No.", BoFieldTypes.db_Alpha, BoFldSubTypes.st_None, 20, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OINV", "Cust_Seal", "Custom Seal No.", BoFieldTypes.db_Alpha, BoFldSubTypes.st_None, 20, New B1WizardBase.B1DbValidValue(-1) {}, -1), New B1DbColumn("OINV", "ctryOrgn", "Country of Origin", BoFieldTypes.db_Alpha, BoFldSubTypes.st_None, 20, New B1WizardBase.B1DbValidValue(-1) {}, -1)}
GC.Collect()
B1Connections.theAppl.StatusBar.SetText("Successfully updated database", BoMessageTime.bmt_Short, BoStatusBarMessageType.smt_Success)
End Sub
End Class
End Namespace
It does not give first message. and second message come properly and immediately when I start the AddOn. I checked it makes all fields accuratly. But when I open the related form it gives error message "Data Source not found". I checked fields name are same as used in form and database .What can the reason? Should I use a simple function for creation of database fields which will run when a button is pressed? Is it fine to using default class for database fields creation?
Thanks
Best Regards
JitenderI solved the problem.
Procedure I followed :
UNINSTALL ORACLE WRAEHOUSE BUILDER SOFTAWARE.
'GLOBAL_NAMES = FALSE' in init.ora file.
RESTARTED MY MACHINE.
INSTALL THE ORACLE WRAEHOUSE BUILDER SOFTAWARE. -
Can't edit default domain controllers policy on windows 8 or server 2012
I have found that I can't edit the "Default Domain Controllers Policy" from a Windows 8 or Server 2012 machine. I can edit and save changes fine from a Windows 7 machine. The domain controllers are running Windows 2012 Standard upgraded
from Windows 2008 R2. Is there a security setting I am missing?Posting the resolution from the other thread. Hope it helps!
I just accidentally resolved this issue today. I added the GPMC to a 2008 R2 server so I could make a needed firewall
change within the Windows Firewall with Advanced Security section of the Default Domain Controllers GPO (I enabled the Remote Event Log management rule for the Domain profile). About an hour later, I forgot I was using my Windows 8 machine and I went
to edit the Default Domain Controllers GPO and opened for edit without a problem. I can now edit it from Windows 8 and from Windows Server 2012. Until now, I was using a Windows 7 VM to make the edits, so in my case the problem was resolved by
editing the GPO once from a 2008 R2 machine. -
Hi guys.
When configuring Inspect HTTP there is an option to use Default HTTP Inspection Map.
Its used here as an example on the documentation;
From the Select HTTP Inspect Map window, check the radio button next to Use the Default HTTP inspection map. The default HTTP inspection is used in this example. Then, click OK.
However I cannot actually see anywhere what these Default settings are.
For example; it is possible to set varying security levels when configuring manually (low-medium-high) with differing options in each, but what are the security level and specific settings when choosing default?
I cannot find any reference to these.
If anyone can help that would be great.
Thanks.
MikeI'm not sure which reference you're citing, but in ASDM if you go to "Configuration > Firewall > Objects > Inspect Maps > HTTP" and click on "Add" you will see a dialog box with a slider which shows what each level consists of by default. You can further customize by choosing the Details, URI Filtering, etc.
(Very very few people actually use the built-in http inspection and instead use either a 3rd party solution like WebSense URL filtering or a Proxy server like WSA or BlueCoat or else use the ASA CSC module of NGFX CX module with AVC and WSE.)
See the following screenshot for what I wan talking about in my first paragraph: -
Multiple-node WebCenter Spaces config with default file-based policy
hi,
My customer will use web center 11g on multiple linux server, I noticed there is a comment in wc doc like this:
=========================================
The default file-based policy store can only be used for single-node WebCenter Spaces configurations. For multi-node configurations, you must reassociate the policy and credential store with an external LDAP-based store (such as Oracle Internet Directory) as described in Section 23.4, "Configuring the Policy and Credential Store."
The policy store can be configured to use Oracle Internet Directory 11gR1 and 10.1.4.3, and OVD 11gR1 with the Local Store Adapter (LSA).
The identity store can be configured to use the following LDAP servers:
Oracle Internet Directory (OID) 11gR1 and 10.1.4.3
Oracle Virtual Directory (OVD) 11gR1 and 10.1.4
Sun iPlanet version 4.1.3
Active Directory shipped as part of Windows 2000
Open LDAP version 2.0.7
Novell NDS version 8.5.1
========================================
My customer only has AD, they don't have budget to buy oid at this time, according to the statement "The policy store can be configured to use Oracle Internet Directory 11gR1 and 10.1.4.3, and OVD 11gR1 with the Local Store Adapter (LSA).", does that mean the wc policy store can not use other ldap such as ad in multiple-node wc configuration?
If performance is not an issue, can I use default file-based policy store in this case?
If it's impossible for the customer to buy oid at this time, what's the possible solution?
Thanks a lot!
RegardsYou can configure directly with AD.
Basically your WebLogic server needs to be configured to talk to AD. You can configure an Identity provider in Weblogic server which uses AD as LDAP.
This should work in multi-node environment.
Also, i do not see any reason why file based jazn-data should not work.
Best solution from my perspective if Weblogic AD configuration does not work:
Create and manage your users and roles in Weblogic embedded LDAP. All you have to change in your application is the realm to the name of weblogic realm(default is myrealm) and while deploying make sure you uncheck the create users and roles.
Regards,
Venkat -
Windows 2012 R2 default domain controllers policy set to enforced
Hi Guys,
So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2 and so far everything is running ok. Had a few problems relating to orphaned DC's but have cleared this up now. However, i'm now trying to get to grips with using group policy. When
i migrated, the old policy settings seemed to have come across and things seem to be still locked down ok, in relation to certain OUs. I run a network at our local college so i have a student container which applies a lock-down policy. All these GPOs where
previously setup by someone else.
I setup a test network at home before i did the said migration and am now comparing some group policy settings, namely the default ones, and i have noticed that default domain controllers policy has been set to enforced on my newly migrated domain. At home
on my test server i see it is not enforced by default and am wondering why this is? I have been reading up but i can't find anything that tells me it should be enforced but wary to disable this setting. The students return on Monday so i don't want to mess
it up at this stage.
One thing that i did find odd is when i first opened up the GPO's, i was prompted with a message which stated that the policies in the sysvol folder where not consistent with the ones in AD so i followed its recommendation to update.
Any advise you guys have on this would be greatly appreciated.
David> So I've migrated my domain from Windows 2003 R2 over to Windows 2012 R2
> and so far everything is running ok.
This does NOT touch any GPOs, so your GPOs are not "migrated" or
something like that - they are still what they were before.
> enforced on my newly migrated domain. At home on my test server i see it
> is not enforced by default and am wondering why this is?
"A sever misunderstanding of how group policy inheritance and link order
works" is the closest reason I see for this. The DDCP is linked to
"Domain Controllers", and as long as you do not create subordinate OUs
there (which I've never seen) and block inheritance on them, there's no
reason to enforce.
To add my experience from the field: When I see enforced GPOs, in most
cases this enforcement is not required. People simply use it because
they do not understand "link order".
> One thing that i did find odd is when i first opened up the GPO's, i was
> prompted with a message which stated that the policies in the sysvol
> folder where not consistent with the ones in AD so i followed its
> recommendation to update.
That's fairly ok and nothing to hassle about.
Martin
Mal ein
GUTES Buch über GPOs lesen?
NO THEY ARE NOT EVIL, if you know what you are doing:
Good or bad GPOs?
And if IT bothers me - coke bottle design refreshment :)) -
Reboot domain controller changes audit policy on Default Domain Controller Policy
This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
I have monitoring application relying on this policy being turned on, and if it's off, it's being reported. The monitoring application knows the change, but it doesn't know how the change was made.
All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
Thanks and regards.Hi,
>>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
Did we try to run command gpresult/h report.html with admin privileges to collect group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run command
auditpol /get / category:* from an elevated command prompt to check what audit settings are applied.
Best regards,
Frank Shen
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected] -
Recursive generic classes - Automatically assign default class?
Hello,
I'm working on a kind of ArrayList with some extra features... (named FullRangeList)
To realize this, I need a way to create a new Object of my generic type for the current instance.
Basicly, it works for me as described here: http://forum.java.sun.com/thread.jspa?forumID=31&threadID=5221886
But in my case, my generic type will very often be the very same class, and I want my class to set its default class automatically.
Here is my code:
public class FullRangeList<E>
private Class<?> defaultClass;
public void setDefaultClass(Class<?> def)
this.defaultClass = def;
@SuppressWarnings("unchecked")
public E getOrCreate(int index) throws Exception
E elem = this.get(index);
if (elem == null)
if (this.defaultClass == null) throw new Exception("Cannot create Default Element: no default class set");
try
elem = (E)this.defaultClass.newInstance();
if (elem instanceof FullRangeList)
{ // <- Here is the problem ;-)
//elem.setDefaultClass(foo);
this.set(index, elem);
catch (Exception e)
e.printStackTrace();
return elem;
}There are two problems now:
1. I have no idea how to get to know what foo should be.
if defaultclass is FullRangeList<FullRangeList<String>> foo is FullRangeList<String>... but how to realize that?
2. It turns out that I have to cast elem in order to use ist.
((this.defaultClass)elem) causes a "Syntax error on token "elem", delete this token"-Error... what's wrong about that?
hope anyone can help...
nafurnafur wrote:
I want the "getOrCreate" method to fetch an item and, if it has not been created yet, to create it.
For this, I need the class, and that works so far.
But what, if E is again a FullRangeList?
Then, this child would need a default-class too!
If I have a FullRangeList<FullRangeList<FullRangeList<SomeObject>>> list, i would say "list.setDefault(Class<FullRangeList<FullRangeList<FullRangeList<SomeObject>>>>)"
But how do I get to know in my code, that a child of list should get "Class<FullRangeList<FullRangeList<SomeObject>>>" as default class?
and their Childs "Class<FullRangeList<SomeObject>>"?As spoon_ already mentioned, there are no generic types at runtime. Working with reflection targets runtime, so no Generics.
Another point is, that there is no FullRangeList<SomeObject>.class but only a FullRangeList.class. Hence, what you desire does not make sense in Java.
Reading your approach, I would suggest working with some factory approach rather than implicit contracts on parameters given. Initializing the FullRangeList with some factory would provide what you need. -
Restore Default Domain Controllers Policy in its original state
Hello,
Our domain has 2003 DCs. For some reason, someone has unlinked Default Domain Controllers Policy from Domain Controllers OU and also modified it extensively.
Domain Controllers OU has a GPO with basically same settings as DDCP but it has also been heavily modified.
I'm in the process of upgrading our domain to 2012 level and would like to sort out DDCP before doing so.
What would be the best course of action to restore DDCP in its place? I was planning to match all settings between custom GPO and currently unlinked DDCP and then disable custom GPO and enable DDCP. But sincerily I'm not sure what would be the best way to
go.Hi,
Any update?
Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
Best Regards,
Andy Qi
TechNet Subscriber Support
If you are
TechNet Subscription user and have any feedback on our support quality, please send your feedback
here.
Andy Qi
TechNet Community Support
Maybe you are looking for
-
Hello as mentionned before I cannot get my macbook pro to switch on. when it is not plugged as I press the power button nothing happens, when the computer is power plugged, it gives me the white blackground with the apple centered and the loading but
-
Web Inspector not opening in v3.1
I can not get the Web Inspector to open. Nor the Error Console or Network Timeline. Snippet Editor does open properly. Anyone else having this issue or have any suggestions? On Windows XP Pro and using v 3.1 (525.13)
-
Adding/DELETING Titles & Comments to Individual Photos In An iDVD Slideshow
I am running iDVD 6.0.3 where I have 85 titled photos [selected, not imported, from Media/Photos into iDVD] already entered into an iDVD slideshow. I would like to have a title on ONLY the FIRST photo. The iDVD "Help Menu" makes it sound like this wi
-
Hi, I'm running TFS2013.4 with a number of build servers and all working fine. I'm also running Release Management with update 4 (12.0.31101.0) and am running into trouble when trying to run my first dummy release. I have setup my servers, stages, r
-
Two different currencies in single Service PO
Dear All, Can I create a service PO with two different currencies ? I want one item to be paid in EUR and one in INR. I have separted these two items at item overvivew level. I have tried vendor sub range also. Please help. Regards, Rakesh