Deploying VLANs and limiting traffic from reaching the network core

Folks:
I am reading the CCNP Switch 642-813 Official Certification Guide (isbn=978-1-58720-243-8) and I’m a little confused by the following on page 71:
“You should not allow VLANs to extend beyond the Layer 2 domain of the distribution switch. In other words, the VLAN should not reach across the network’s core and into another switch block. The idea again is to keep broadcasts and unnecessary traffic movement out of the core block”.
Can anyone offer a different way of stating this or offer a picture or a diagram? I am having a hard time visualizing what this is trying to say. Is this referring to two different switch blocks/stacks on either side of a switch core if I were to draw the topology flat?
Thanks
JJ

JJ
This is referring to the 3 tier design where you have a separate access layer/distribution layer and core layer.
So imagine a campus where you have multiple buildings and a main site. All the other buildings connect to the main site and to get from one building to another they go via the main site.
The main site would have a pair of core switches and a pair of distribution switches + access layer switches. The other buildings would have a distribution pair of switches and access layer switches. Each building's distribution switches would connect back to the core switches, usually with L3 links. In the past you used L2 links, but with L3 switching you now generally route, or more precisely, L3 switch through the core.
What that extract from your book is saying is that each building has its own vlans and they are routed on the distribution switches in each building. Only traffic destined for a vlan, or more specifically a subnet, that is not within the building should be sent to the core switches, which then route it to the correct place.
What you shouldn't do is have a vlan in a building that also extends to the core and possibly to other buildings. This is because a vlan is a broadcast domain so a broadcast in a vlan would be sent to all hosts in that vlan. So if you allow a vlan to extend through the core you are allowing broadcasts from one building to go through the core to other buildings.
The core switches should be left to L3 switch traffic between buildings and pretty much nothing else.
There is usually no need to extend vlans to or across the core, i.e. each set of vlans is terminated on the distribution switches so broadcasts are contained within each building, or again more specifically within each vlan within the building.
One other thing to note is that if you have a single building with maybe just a WAN connection, the 3-tier design is not necessarily the best way to go and a common solution is a collapsed core, where the core and distribution switches are the same physical switches. It saves on cost and within a single building there is often very little need for a high speed core.
I have used the terms route and L3 switch interchangeably here, but technically all L3 capable switches route in hardware, so to be precise it is L3 switching.
Finally the above about a single building setup does not refer to a DC where the rules are somewhat different.
Hope that helps and I haven't confused you more.
Feel free to ask further if needed.
Jon
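As an added illustration of the design Jon describes (constructed for this page, not from the thread or the book), here is an IOS configuration sketch for one building's distribution switch and the core it uplinks to; hostnames, VLAN IDs and addresses are assumed:

```cisco
! Constructed example, not from the thread. Building A distribution switch.
! VLANs 10/20 exist only here and on Building A access switches; they never reach the core.
hostname BLDG-A-DIST1
ip routing
vtp mode transparent
!
vlan 10
 name BLDG-A-USERS
vlan 20
 name BLDG-A-PRINTERS
!
! SVIs terminate each building VLAN: the distribution switch is the default gateway,
! so the broadcast domain for VLAN 10/20 ends here.
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
! Downlink to a Building A access switch: an L2 trunk carrying only this building's VLANs.
interface GigabitEthernet1/0/1
 description to BLDG-A-ACCESS1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Uplink to the core: a routed (L3) point-to-point link, no VLAN tagging at all.
interface TenGigabitEthernet1/1/1
 description to CORE1
 no switchport
 ip address 10.0.0.1 255.255.255.252
!
! Only prefixes cross the core, not VLANs. A static route is shown for brevity;
! a routing protocol would normally carry these.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
! ---- Core switch: routed interfaces only, no user VLANs, no SVIs ----
hostname CORE1
ip routing
!
interface TenGigabitEthernet1/1/1
 description to BLDG-A-DIST1
 no switchport
 ip address 10.0.0.2 255.255.255.252
!
interface TenGigabitEthernet1/1/2
 description to BLDG-B-DIST1
 no switchport
 ip address 10.0.0.6 255.255.255.252
!
! The core forwards between buildings by prefix; no L2 frame from either building transits it.
ip route 10.1.0.0 255.255.0.0 10.0.0.1
ip route 10.2.0.0 255.255.0.0 10.0.0.5
!
! Checks: "show vlan brief" on CORE1 should list no building VLANs, and
! "show interfaces trunk" on BLDG-A-DIST1 should show only VLANs 10,20 on the access trunk.
```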

Similar Messages

  • Windows 7 and Server 2008 machines will not remember network discovery preferences, requires setting every start up or wake up.

    Hello,
    I wondered if anybody here could be so kind as to help me solve this situation.
    I have two Windows 7 machines and Server 2008 machines that will not remember network discovery preferences.
    I am running software on the Windows Server machine that collects data and serves information to two Windows 7 machines, and network discovery is required for this purpose.
    These machines are configured in a local stand-alone network configured as a workgroup. The only other items on the network are non-PC-based equipment that the server happily communicates with and reads data from.
    Once network discovery is set for the network the system runs as expected, but on every start-up (or wake up) the network discovery is lost and needs to be re-allowed. This is the case in both Windows Server 2008 R2 and Windows 7.
    How do I make these preferences permanent, so that it will restart and re-establish communication itself without intervention?
    Am I missing a setting, or if not, is there a way I can script the selection of the preference on each start(/wake)up?
    The final user needs to be able to turn the system on/restart and use it without having any IT/networking knowledge to get the system running.
    Thank you for taking the time to read my query.

    You can use group policy to enable network discovery so that it is always configured:
    1. In the Group Policy editor on a Win7 or Windows Server 2008 R2 computer, open the GPO that you want to use in the Group Policy Editor.
    2. Expand "Computer Configuration", "Windows Settings", "Security Settings", "Windows Firewall with Advanced Security", and then "Windows Firewall with Advanced Security - {policy you have open}".
    3. Right-click "Inbound Rules", and then click "New Rule".
    4. In the Rule Wizard, on the Rule Type page, select "Predefined", and then select Network Discovery from the list. Click Next.
    5. On the Predefined Rules page, ensure that the check box is on each rule that is part of the Network Discovery group, and then click Next.
    6. On the Action page, select "Allow the Connection", and then click Finish.

  • Warning for ArchCD seeders: strange traffic from Kaia Global Networks

    Since at least 2013/12/16 morning I'm observing strange torrent traffic from hosts located in subnets belonging to Kaia Global Networks:
    79.141.160.0/24
    79.141.162.0/24
    79.141.173.0/24
    The traffic consists of massive downloads of Arch CD, and also Ubuntu LTS CDs (desktop and alternate). While I could believe this is just a coincidence, the problem is that:
    At least one of the hosts is confirmed to make a full download of the same file more than once, and others seem to do the same.
    All hosts have identical configuration (same services, exactly the same client version, unconfigured nginx server...)
    I'm warning other Arch seeders, because they may be unaware that such traffic is using up their bandwidth. If others will confirm the traffic, I'll also notify Ubuntu seeders.
    Kaia Global Networks has been notified, but they neither responded nor resolved the problem in the past 24 hours.
    Last edited by mpan (2013-12-20 14:04:52)

    mpan wrote:
    I don't think it's an attack. I don't see motives either. Hating Linux is not a good enough reason to spend money on such a thing.
    During a talk with a friend we came up with an idea that possibly someone is testing their own equipment at the expense of others' bandwidth. This is the only plausible explanation I can find for now. There were a few others (students downloading Linux during a course, someone wanting to mirror images, misconfigured equipment), but they have flaws.
    I would wait for reports/confirmations from other seeders before jumping to conclusions. It's unlikely, but possible, that it's just a very strange coincidence that just happened to me.
    -- edit --
    95.141.28.0/24
    Only 2 hosts from this range in past 24 hours. One of them has downloaded Arch three times.
    Is anyone else experiencing the issue?
    -- edit --
    79.141.161.0/24
    From which (exact) IP addresses are the connections coming? I'll take a look into this then.

  • Windows 8 and Server 2012. Not detecting network is a domain.

    Hi Guys,
    I hope I have posted this to the correct forum.
    I have 2 x Windows 8 PCs that do not detect that they are connected to a domain (network location awareness not working). I can join them to the domain but they still don't recognise the network as a domain. Instead they identify it as "private".
    Other PCs on the network (Win XP and Win 7) work perfectly, just the Windows 8 machines don't work.
    Also, when I do join them to domain I also receive this message.
    "changing the Primary Domain DNS name of this computer to "" failed. The name will remain xxxx.local. The error was: the specified domain either does not exist or could not be contacted. "
    I have tried the following
     - DHCP and DNS have been tried both as static and dynamic (can ping the DNS server, which is the domain controller, Windows Server 2012).
     - Updated PC NIC drivers.
     - No AV is installed on either server or PC.
     - Updated PC to windows 8.1.
     - Disabled both server and PC firewalls.
     - Checked that the NLA service and all dependent services are running.
     - Disabled all adapters on server except for one.
    I am really hoping someone can help with this as I would really appreciate it.
    Thanks.
    Shaun

    Hi Guys,
    I managed to find a solution to the problem. I noticed that the DNS server zones did not look quite right. The _msdcs zone was missing the subfolders (dc, domains, gc, pdc).
    To fix this issue: on the NIC adapter I had to tick the box "register this connection's addresses in DNS" (found under TCP/IP v4 > advanced > DNS tab).
    I then had to remove the DNS role, reboot then re-add the role. Problem solved. Hopefully this saves someone else pulling their hair out for an entire day.

  • How do i install and run labview from a local network?

    How do I install a single copy of LabVIEW on our local network? Are there any special licences needed for this?

    I assume you would need a license for each computer which will be using LabVIEW to develop code. There may be a network license, but I am not familiar with one. I would contact NI just to be sure (612.683.0100). It's better that you tell them than they figure it out!
    J.R. Allen

  • Bapi_pr_create not working for package number for service and limits

    Hi Experts,
    I am copying the existing service and limits values from the existing package number to a new package number using BAPI_PR_CREATE. I am getting an error (In case of account assignment, please enter acc. assignment data for item).
    Please let me know if anyone has the solution for this problem. If anyone knows something about this problem, please throw some light on it, so that I can check it out further.
    Thanks for your help in advance.
    Regards,
    Nagaraju.

    Hello,
    I got almost the same problem.
    I'm trying to copy existing PRs too; all works well until it comes to services. The function return says to enter account data etc.
    How should I copy service records?
    Best regards
    P.S. The old function "BAPI_REQUISITION_CREATE" doesn't work because of the Unicode system.

  • Transparent vlan and management of remote switch

    Hi,
    I'm a bit confused regarding the native Vlan of 1262 bridge ...
    My design is LAN---RAP ---- MAP---remote-SWITCH with two Vlan : one for the data and one for the management.
    I keep the vlan 1 for management at this point, but I'm still unable to access the remote switch.
    On LAN side, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
    On RAP the Gigabit Ethernet is on normal mode
    On MAP the Gigabit Ethernet is on normal mode
    On remote-SWitch, the switch port is on trunk mode (native vlan 1 and vlan 2 allowed)
    Transparent vlan is disabled on WLC and Ethernet Bridging is checked for both AP.
    It seems that it's not possible to bridge Vlan 1 as it is used for the backhaul, so does it mean
    that for management purposes I must use a specific Vlan-id? And if my understanding is correct, should I define this vlan-id
    as native on the MAP with the Ethernet Port set as Trunk and on the other switches (LAN side and remote-Switch)?
    Thanks for your reply

    If you have Ethernet bridging enabled and have defined the vlan for the bridging, then the RAP has to be connected to a trunk port, and the traffic from the device that is connected to the MAP will egress out of the RAP's Ethernet port onto the trunk port. If you don't define a vlan for bridging, then the traffic will be placed on the vlan the RAP is assigned to.
    https://supportforums.cisco.com/servlet/JiveServlet/downloadBody/21766-102-1-53166/Understanding%20mesh%20ethernet%20bridging.pptx
    https://supportforums.cisco.com/docs/DOC-21766
    Sent from Cisco Technical Support iPhone App

  • VLAN for Management Traffic

    Hello Everyone,
    I'm still learning cisco and networks in general but I need to separate management traffic from the regular network.  The switch is a cisco catalyst 5406-E.  My question is do I need to create a new subnet for the VLAN and how would I do that? The commands I have to create a VLAN and add the switch ports are
    Switch(config)# vlan 15
    switch(config-vlan)# name Management
    switch(config)# interface GigabitEthernet2/6
    switch(config-if)# switchport access vlan 15
    Now this creates vlan 15 and adds the GE 2/6 interface to vlan 15.  How do I add it to a new subnet?  Am I going in the right direction?

    In general, if you want to use a separate VLAN for management, you can create the VLAN + an SVI (routed interface of the VLAN) with an IP address + some access lists on the SVI and VTY (“SSH/telnet lines”) for better security.
    Example:
    ==== C4500 – L3 SWITCH CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create access list with ip addresses, from which management of all switches with SVI 15 will be accessible
    //Note: this access list (ACL) does not control access to management of L3 switch/router where the ACL is applied on SVI, only to all other switches in VLAN 15 that have default gateway set to ip address 10.0.15.1 (see next step)
    ip access-list extended MGMT_SWITCH
    remark ====ICMP====
    permit icmp any 10.0.15.0 0.0.0.255
    remark ====ADMIN====
    permit ip 10.0.1.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit ip 10.0.100.0 0.0.0.255 10.0.15.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit ip 10.0.200.0 0.0.0.255 10.0.15.0 0.0.0.255
    //create SVI/interface of the VLAN 15, add IP address and assign access list
    //Note: DO NOT assign empty access list to interface, it can make your router inaccessible!
    interface Vlan15
    description MGMT
    ip address 10.0.15.1 255.255.255.0
    ip access-group MGMT_SWITCH out
    //create ACL for VTY line of L3 switch/router; this ACL controls access only to management of L3 switch, access to all other switches with SVI 15 is controlled by previous ACL
    ip access-list standard VTY
    remark ====ADMIN====
    permit 10.0.1.0 0.0.0.255
    remark ====MONITORING-SERVERS====
    permit 10.0.100.0 0.0.0.255
    remark ====NTB-SERVICE====
    permit 10.0.200.0 0.0.0.255
    //assign ACL to vty lines
    line vty 0 4
    access-class VTY in
    ==== OTHER L2-ONLY SWITCHES CONFIG ====
    //create VLAN 15
    vlan 15
    name MGMT
    //create SVI 15
    interface Vlan15
    description MGMT
    ip address 10.0.15.50 255.255.255.0
    //set default gateway/default route to SVI of c4500
    ip default-gateway 10.0.15.1
    //some higher-level switches require use of following CLI parameters instead:
    ip routing
    ip route 0.0.0.0 0.0.0.0 10.0.15.1
    This is just one of many ways to do the management separation.

  • Copp and management traffic

    Good afternoon fellow Ciscorians.
    I have configured a CoPP to rate limit ICMP traffic and fragmented traffic from saturating the RP via the control-plane, and also to ignore the same traffic class from our trusted IP addresses. But I am wondering about management traffic such as telnet and SSH. We have an access list on the VTY lines dropping traffic from un-trusted sources on 22+23; I am wondering what the benefits are of employing a CoPP policy as well as the access-list on the VTY lines?
    Could an attack still saturate the RP with an access-list dropping the un-trusted traffic on the VTY lines?  (6509-Sup720)
    Matthew.

    Hi Matthew,
    An access-list applied on an interface is applicable to all traffic, data traffic (transit traffic) and control-plane traffic (destined to the router or punted to the RP), while CoPP is only applicable to traffic punted to the RP.
    An access list will either permit or drop, but CoPP is a service-policy and you can rate-limit the traffic. So if we take the example of ICMP traffic, and the requirement is that we want to allow ICMP traffic to the router (ICMP is a useful tool to check reachability and latency) but not more than 500kbps (to avoid any DDoS attack), in this case blocking ICMP with an ACL on the interface will not serve the purpose, but CoPP will do the job.
    If you are blocking some traffic via ACL, it should not saturate the RP.
    --Please don't forget to rate helpful posts--
    Regards,
    Akash
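As an added example of the distinction Akash draws (constructed for this page, not from the thread), here is an IOS CoPP policy that rate-limits ICMP and fragments to the RP while exempting trusted sources, alongside the VTY access-class; the names, addresses and the 500 kbps figure from the reply are assumed:

```cisco
! Constructed example, not from the thread. Names and addresses are assumed.
! Trusted management hosts: exempt from ICMP policing and admitted to the VTY lines.
ip access-list standard TRUSTED-MGMT
 permit 10.0.1.0 0.0.0.255
!
! In a class-map ACL a 'deny' entry means "not matched by this class", so trusted
! sources fall through to class-default instead of being policed.
ip access-list extended COPP-ICMP
 deny   icmp 10.0.1.0 0.0.0.255 any
 permit icmp any any
!
ip access-list extended COPP-FRAGMENTS
 permit ip any any fragments
!
class-map match-any COPP-ICMP
 match access-group name COPP-ICMP
class-map match-any COPP-FRAGMENTS
 match access-group name COPP-FRAGMENTS
!
! Rate-limit rather than drop: ICMP stays usable for reachability checks but
! cannot exceed 500 kbps (bps, then normal and max burst in bytes) towards the RP.
policy-map COPP-POLICY
 class COPP-ICMP
  police 500000 15000 15000 conform-action transmit exceed-action drop
 class COPP-FRAGMENTS
  police 64000 8000 8000 conform-action transmit exceed-action drop
 class class-default
!
control-plane
 service-policy input COPP-POLICY
!
! The VTY access-class is a separate control: it decides who may open a session,
! while CoPP decides how much punted traffic of each class the RP will accept.
line vty 0 4
 access-class TRUSTED-MGMT in
!
! Check: "show policy-map control-plane" gives per-class conformed/exceeded counters;
! a rising exceeded count on COPP-ICMP shows the limit is doing work.
```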

  • Client proxy data not reaching XI ?

    Hi Guys,
    I have a proxy-soap asynchronous scenario. When I execute the report on the R/3 side, the report executes successfully, but in sxmb_moni the receiver, which is the IE of XI, is not identified and the data is not reaching XI.
    But when I execute the report on the same R/3 system for a synchronous proxy-soap scenario, the data reaches XI and everything is fine, so I think there is no problem with the proxy settings.
    Why are the EO asynchronous messages not identifying the receiver, which is the IE?
    any help would be really appreciated
    Thanks,
    Raj

    Did you check moni on the R/3 side?

  • View/Change User Accounts From Across The Network - Do not have Server

    Is there a program or utility that can be run in Mac OS X Tiger or Leopard to manage user accounts on other Macs that are located across the network? Is there anything that will do this that is free, or not too much money?
    Our setup: multiple Macs on a network that is primarily a Windows AD Domain. For various reasons, we do not have the Macs setup as members of AD. We also do not have a Mac OS X Server. I am wondering if there is something that is built-in, free, or on the cheaper-end, to manage user accounts and their permissions from across the network on the Macs?
    Thank you for your help!
    Dan

    If the systems are not bound to a parent domain, then local account policy will need to be set individually. There is a way to get Workgroup Manager working on OS X client, but I do not know of a way for it to see remote NetInfo/DS Local data stores. It will only see the local store. NetInfo in the 10.2 days could pull this off. But Apple removed those features in favor of LDAP and eventually DS Local.
    You will probably need to use a combination of tools. Start with defining base settings in the User Template to ensure that all new home folders are created equal. Then use ARD or ssh to define user policy with pwpolicy and other tools like niutil (Tiger) or dscl. Test with mcxquery. If you get Server Admin Tools, you can use Workgroup Manager to craft the needed xml for mcx values, then inject into the user account.
    But this is only going to get you local policy. If users are connecting to file shares and mail, they are using their network credentials so those policies need to be managed at the domain level.
    I would encourage binding the machines to the domain. While this can, and has (sadly), been done, being part of the domain is so much easier. If you need a system for storing the LDAP schema, get a Mini and do it on the cheap. Otherwise, consider AD schema modification and then practice your xml skills.
    Hope this helps

  • Deploy EAR file to OC4J from PL/SQL Stored Procedure

    Hi
    Can you deploy an EAR file from a PL/SQL stored procedure?
    Are there any APIs to achieve that?
    Thanks.

    Customer has an IAS 10.1.3 Environment with multiple OC4J's for different projects.
    We would like to allow each Project Team to be able to perform deployment on their own.
    Problem is, that we want to be able to control which OC4J Container each project team can deploy to and restrict them from creating into other containers.
    Although IAS 10.1.3 does allow you to define different users and groups, it doesn't allow you to restrict a user/group to one specific OC4J.
    This is a big problem for the customer, and in the quest for some creative solutions, we wanted to try and create a simple Web UI (i.e., in APEX) that will allow the customer to upload a new EAR (or WAR) file and it will deploy it to their container automatically.
    To achieve this, we need to find an (easy) way to deploy files from PL/SQL.
    We can always use an external PL/SQL procedure that runs a shell script which does this, but the customer is searching for a more "direct" way to do this.
    Any suggestions on this issue?

  • Private vlan and HSRP

    Hi, guys. I have a question about Private Vlan and HSRP implementation. In my network topology, there are two 6509 switches as core switches and Internet outlet. There is a 3750 as a distribution switch, and a 3550 as an access switch. The topology is as below:
      |          |
    7609 ---- 7609
      \        /
        3750
         |
        3550
         |
      servers
    Now some servers will connect to the 3550, and the 3750 and 3550 will be treated as Layer 2 switches, that is, these servers' default gateway will be on the vlan interface on the 7609, and I have configured HSRP between the vlan on the 2 6509s. My question is how to implement private vlan on the 3550 with HSRP on the 7609, so that these servers can have a redundant gateway and be kept isolated from other servers.

    It looks like the 3550 does not support private VLAN.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_tech_note09186a0080094830.shtml
    More info. on private VLAN :
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00802c30c4.html#wp1138148
    Did you configure the VLAN trunking between 7609, 3750 and 3550 ? Once we enable the VLAN trunking then the server can plug to the assigned VLAN and communicate to the 7609 via the trunk w/o interference w/ other VLAN. However, you have to enable the VLAN routing at 7609 to make it able to connect to other VLAN user if you want.
    Hope this helps.

  • HOW TO CONFIGURE GUEST NETWORK AND LIMIT BANDWIDTH

    Dear all,
    Please help me with how to configure an internet access rule and limit the bandwidth for the guest network via TMG Forefront 2010.
    Thanks you & best regards,
    Hung Viet

    Hi,
    First you can create the new network set which is mapped to guest subnet, after that you can create access rule for this network set.
    If you want to control bandwidth, you may need a third-party tool like this: http://www.bsplitter.com/
    Best Regards
    Quan Gu

  • ISE Could not locate Network Device or AAA Client

    When authenticating using 802.1x and MAB, I receive an authentication failure with the error 11007 (Could not locate Network Device or AAA Client). The root cause that ISE spits back at me is "Could not find the network device or the AAA Client while accessing NAS by IP during authentication." I did pretty much everything by the book except instead of using a loopback interface I used a vlan with a defined ip address. Could this be causing the problem?
    Here is the config of the port that I'm testing on:
    interface GigabitEthernet1/0/9
     switchport access vlan 9
     switchport mode access
     switchport voice vlan 8
     ip access-group ACL-ALLOW in
     srr-queue bandwidth share 1 30 35 5
     queue-set 2
     priority-queue out
     authentication event fail action next-method
     authentication event server dead action reinitialize vlan 4
     authentication event server dead action authorize voice
     authentication host-mode multi-auth
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication violation restrict
     mab
     mls qos trust device cisco-phone
     mls qos trust cos
     dot1x pae authenticator
     dot1x timeout tx-period 10
     auto qos voip cisco-phone
     spanning-tree portfast
     service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
    end

    I can ping both the vlan and the endpoint from the ISE.  As far as allowing ISE to speak snmp and RADIUS to the NAD, I have enabled it on the NAD config inside the ISE. I have also double checked the snmp and radius shared passwords.
    I have gotten MAB authentication to work but I am still getting the same error for dot1x authentication. Here are some of the configs on the switch.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authentication dot1x defualt group radius
    aaa authentication dot1x group group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    aaa server radius dynamic-author
    aaa session-id common
    ip radius source-interface TenGigabitEthernet1/0/1
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.10.10.47 auth-port 1812 acct-port 1813 test username test key 7 097940581F5412162B464D
    radius-server vsa send accounting
    radius-server vsa send authentication
    dot1x system-auth-control
     authentication order dot1x mab
     authentication priority dot1x mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
