Design help related to ACE to Switch connectivity using Port-Channel

Hi,
I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is getting connected with 2 3750 switches. These 2 3750 switches are connected in trunk mode.
ACE is connected to these 3750 switches using Port-channel.
ACE Config:
================================
interface gigabitEthernet 1/1
  description One-arm mode port to DMZ Switch 1 port 20
  channel-group 1
  no shutdown
interface gigabitEthernet 1/2
  description One-arm mode port to DMZ Switch 2 port 20
  channel-group 1
  no shutdown
interface port-channel 1
  switchport access vlan 51
  port-channel load-balance src-dst-ip
  no shutdown
interface vlan 51
  ip address 10.40.56.131 255.255.255.128
  access-group input everyone
  access-group output everyone
  nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
  service-policy input LB
  service-policy input remote-access
  no shutdown
===========================================================
The problem is that 3750 switches are not stacked.
Application is working fine. But I am getting a lot of MAC flapping messages.
Kindly suggest whether this design is OK or something needs to be done to rectify it.
Attached a small diagram..

Hello acharyr123,
I don't think this design is OK, and it would cause MAC flapping since the two independent 3750 switches will learn the ACE MAC addresses off of two different interfaces. The 3750s would have to be stacked so that they would act as one switch; then this should work correctly.
Thanks
Joel Lamousnery
TAC CSE

Similar Messages

  • SAN Switch 9148 UPG procedure when using Port Channel

    Hi,
    I am kind of new to the UPG procedure of Cisco Switch, and the customer I am working with is using Port Channel.
    Do I have to shut down the port channel before executing the switch UPG, or can everything stay up? Will I lose connection when the UPG proceeds?
    If anyone has some documentation that describes the process, it would be much appreciated.
    Thank you
    Christian

  • Help with 10.4.5 VPN connection using PPTP to Windows 2003 Server

    Hi,
    I've looked on the discussions for an answer to this but have had no luck so far, can anyone help?
    I'm trying to connect my 10.4.5 PB to my Wn2k3 server (with RRAS) using PPTP VPN, however I keep getting stuck at the Negotiating phase of the connection and finally get this error in OSX Internet Connect:
    Could not negotiate a connection with the remote PPP server. Please verify your settings and try again.
    I can connect from my Win XP laptop so no issues with the router etc, do I need to make any changes to the server config?
    Thanks,
    Sahajesh.
    12" PB (G4)   Mac OS X (10.4.5)  

    Resolved elsewhere.

  • Cannot connect using webserviceclient+ssl.jar

    Hello!
    I installed Verisign test certificate on my server and I am able to connect
    to the server using Web Service client with JSSE adapter class. Funnily
    enough, I cannot connect using WebLogic SSL library, I get an exception.
    Could someone help me understand, why I cannot connect using WebLogic SSL
    implementation?
    To connect using JSSE I use the following system properties:
    java^
    -classpath .;abcconnect-client.jar;webserviceclient.jar;..\lib\jcert.jar;..\lib\jnet.jar;..\lib\jsse.jar;^
    -Dweblogic.webservice.client.ssl.adapterclass=com.xxx.yyy.webservice.ssl.ABCJSSEAdapter^
    -Djavax.net.ssl.trustStore=abc.keystore^
    -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol^
    Client https://MyServer:7002/webservice/ABCConnectService?WSDL
    where abcconnect-client.jar is the client jar file, and abc.keystore
    contains getcacert.cer root CA, which I downloaded from Verisign from this
    page: https://digitalid.verisign.com/server/trial/trialStep4.htm,
    ABCJSSEAdapter is the adapter class, implementing SSLAdapter. JSSE test
    works fine.
    To connect using the WebLogic SSL implementation I use the following system properties:
    java^
    -classpath .;abcconnect-client.jar;webserviceclient+ssl.jar;^
    -Dweblogic.webservice.client.ssl.trustedcertfile=getcacert.cer^
    -Dweblogic.webservice.client.ssl.strictcertchecking=false^
    -Dweblogic.webservice.security.verbose=true^
    -Dweblogic.webservice.client.verbose=true^
    -Dbea.home=.^
    -Djava.protocol.handler.pkgs=com.certicom.net.ssl^
    Client https://MyServer:7002/webservice/ABCConnectService?WSDL
    I converted binary format of the certificate to PEM, but it did not help.
    I am getting this exception:
    [BaseWLSSLAdapter] : SSLAdapter verbose output enabled
    [BaseWLSSLAdapter] : Strict cert checking disabled by default
    [BaseWLSSLAdapter] : Trusted certificates will be loaded from getcacert.cer
    [BaseWLSSLAdapter] : Loaded local trusted certificates from java.io.FileInputStream@73a7ab
    [BaseWLSSLAdapter] : Disabling strict checking on adapter weblogic.webservice.client.WLSSLAdapter@4faf8
    [BaseWLSSLAdapter] : Set TrustManager to weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@78c6df
    [WLSSLAdapter] : Set HostnameVerifier to weblogic.webservice.client.WLSSLAdapter$NullVerifier@4ac00c
    [BaseWLSSLAdapter] : Loaded local trusted certificates from java.io.FileInputStream@57c2bd
    [BaseWLSSLAdapter] : Disabling strict checking on adapter weblogic.webservice.client.WLSSLAdapter@323210
    [BaseWLSSLAdapter] : Set TrustManager to weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@74f44a
    [WLSSLAdapter] : Set HostnameVerifier to weblogic.webservice.client.WLSSLAdapter$NullVerifier@4ac00c
    [BaseWLSSLAdapter] : Got new socketfactory javax.net.ssl.impl.SSLSocketFactoryImpl@18c56d
    [WLSSLAdapter] : openConnection(https://MyServer:7002/webservice/ABCConnectService?WSDL) returning weblogic.webservice.client.https.HttpsURLConnection:https://MyServer:7002/webservice/ABCConnectService?WSDL
    [WLSSLAdapter] : -- using HostnameVerifier weblogic.webservice.client.WLSSLAdapter$NullVerifier@4ac00c
    [WLSSLAdapter] : -- loaded certs from getcacert.cer
    java.io.IOException: Write Channel Closed, possible SSL handshaking or trust failure
        at com.certicom.tls.record.WriteHandler.write(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
        at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
        at com.certicom.tls.record.ReadHandler.interpretContent(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
        at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
        at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
        at com.certicom.tls.record.WriteHandler.write(Unknown Source)
        at com.certicom.net.ssl.HttpsClient.doHandshake(Unknown Source)
        at com.certicom.net.ssl.internal.HttpURLConnection.getInputStream(Unknown Source)
        at weblogic.webservice.client.https.HttpsURLConnection.getInputStream(HttpsURLConnection.java:216)
        at weblogic.webservice.tools.wsdlp.DefinitionFactory.createDefinition(DefinitionFactory.java:71)
        at weblogic.webservice.tools.wsdlp.WSDLParser.<init>(WSDLParser.java:62)
        at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:106)
        at weblogic.webservice.WebServiceFactory.createFromWSDL(WebServiceFactory.java:82)
        at weblogic.webservice.core.rpc.ServiceImpl.<init>(ServiceImpl.java:67)
        at Client.main(Client.java:136)

    Michael,
    I guess the getcacert.cer, which is on the client side, should have the
    server's certificate followed by the root CA certificate in .pem format.
    I have it working with this format.
    Could you please try this out and let us know.
    Regards,
    Anurag
    "Michael Jouravlev" <[email protected]> wrote in message
    news:[email protected]...
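
An added example, not part of the thread and not WebLogic tooling: a small audit of the client's verbose SSL output that reports when certificate and hostname validation have been switched off, and whether the handshake failed anyway. The sample log is constructed in the shape of the output posted above (hard-wrapped as a news client would leave it), and treating any class whose simple name starts with `Null` as a no-op implementation is an assumption drawn from the class names in that output.

```python
import re

# Constructed sample in the shape of the verbose output quoted in the thread,
# with hard line wraps left in on purpose.
SAMPLE_LOG = """\
[BaseWLSSLAdapter] : SSLAdapter verbose output enabled
[BaseWLSSLAdapter] : Strict cert checking disabled by default
[BaseWLSSLAdapter] : Trusted certificates will be loaded from getcacert.cer
[BaseWLSSLAdapter] : Disabling strict checking on adapter
weblogic.webservice.client.WLSSLAdapter@4faf8
[BaseWLSSLAdapter] : Set TrustManager to
weblogic.webservice.client.BaseWLSSLAdapter$NullTrustManager@78c6df
[WLSSLAdapter] : Set HostnameVerifier to
weblogic.webservice.client.WLSSLAdapter$NullVerifier@4ac00c
[WLSSLAdapter] : -- loaded certs from getcacert.cer
java.io.IOException: Write Channel Closed, possible SSL handshaking or trust
failure
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
"""

# A record starts with "[Tag] :", a stack frame ("at ..."), or an exception line.
RECORD_START = re.compile(r"^(\[\w+\] :|at\b|[\w.$]+(Exception|Error):)")
SETTER = re.compile(r"Set (TrustManager|HostnameVerifier) to (\S+)")


def unwrap(log):
    """Rejoin hard-wrapped lines so each log record is a single string."""
    records = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return records


def simple_name(fqcn):
    """'pkg.Outer$Inner@1a2b' -> 'Inner'."""
    return re.split(r"[.$]", fqcn.split("@")[0])[-1]


def audit(log):
    """Return {finding_code: detail}, keeping the first detail seen per code."""
    findings = {}
    for rec in unwrap(log):
        if re.search(r"strict (cert )?checking", rec, re.I) and re.search(r"disabl", rec, re.I):
            findings.setdefault("STRICT_CHECKING_OFF", rec)
        m = SETTER.search(rec)
        # Assumption: a class named Null* performs no validation at all.
        if m and simple_name(m.group(2)).startswith("Null"):
            findings.setdefault("NULL_" + m.group(1).upper(), simple_name(m.group(2)))
        if "handshaking or trust failure" in rec:
            findings.setdefault("HANDSHAKE_FAILED", rec)
    return findings


def verdict(findings):
    """Summarise what the findings mean for the operator."""
    unchecked = {"NULL_TRUSTMANAGER", "NULL_HOSTNAMEVERIFIER"} & findings.keys()
    if unchecked and "HANDSHAKE_FAILED" in findings:
        return ("validation disabled and handshake still failed: "
                "fix the trusted cert file, then re-enable strict checking")
    if unchecked:
        return "server certificate is not being validated: re-enable strict checking"
    return "no disabled validation seen"


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for code, detail in result.items():
        print(f"{code}: {detail}")
    print(verdict(result))
```
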

  • Mac OS X Lion freezes often in help related activities

    Hello, Mac OS X Lion 10.7.3 freezes often on my 13-inch, Mid 2009 MacBook Pro. It seems it's (almost) always related to some activities with help system - it mostly happens when I use search input field in Help menu of any application or sometimes if system help viewer is opened.
    The freeze is little bit strange. Typical symptoms are
    mouse doesn't freeze, but cursor changes to spinning wheel when it's placed over application which caused freeze
    frozen application doesn't respond to any input
    it's possible to switch to another application with mouse or keyboard shortcut
    any other application appears to be working correctly (mouse cursor is not spinning wheel at least), but UI interactions (with mouse or keyboard) get it to the same state as described above
    applications can't be forced to quit, even with keyboard shortcut
    finally, all applications and OS X freeze, mouse cursor still moves (even using Magic mouse), but nothing works anymore. Only solution is to switch MacBook off and on
    I tried to delete Caches/* in /Library and ~/Library, but it didn't help. My MacBook is upgraded to 8 GB RAM with Kingston DDR3 modules (chosen via Kingston compatibility tool) and Kingston SSDNow V200 Series 256GB SSD disk (trim enabled with Trim Enabler). Crashes are probably not related to RAM upgrade, but it may relate with SSD installation (but I'm not sure when they appeared first).
    Freezes almost don't happen in other situations than described.
    Any ideas what could cause these problems? Thank you.

    I am having similar problem with my machine, a Mac Pro (1,1) with Kingston V200 256GB SSD installed. It is fairly random when it chooses to freeze up, and you described it exactly-- I can still move the mouse and select programs, but nothing is happening, requiring me to do a hard reboot. I have noticed the past few instances it seems the trigger might have been an unattended alert box from Apple Mail (asking for a password) which I didn't see until getting home from work, so it could have been sitting there for hours. Not addressing the alert box holds up all the other Mail processes and I guess it just snowballs (?)
    Anyways, I'm thinking the problem is this particular Kingston SSD (the V200). I have another Kingston SSD (the SSDNow V Series SNV425-S2/128GB) which I was using as the boot drive and it has worked flawlessly since I installed it. Later, I got a good deal on the V200 and decided to use it as a secondary drive to hold my working data, for things such as my huge iPhoto library file. Not long after installing the V200 I noticed the problems starting, and after a lot of troubleshooting I noticed this pattern with iPhoto:
    If I had just booted up and was using the computer actively and then launched iPhoto, everything was fine. If the computer went idle for a while and then I launched iPhoto, I would get an error about it not being able to write to the iPhoto library (remember the library was housed on the V200). After many trial and errors I found that the solution to this was to use Disk Utility and unmount the V200 (sometimes having to force eject it), then remount it, and then I could run iPhoto fine.
    And then of course there were times when I was just trying to browse the V200 in the Finder and it would cause the system freeze as described above. It seems like the drive somehow goes to sleep and then you just can't get it to wake up and it causes all sorts of problem. Whenever I have to hard reboot I run FSCK in single user mode, and I've been getting this error notice a lot:
    AppleAHCIDiskQueueManager::setPowerState(0x1c7b1600, 1 ->2) timed out after 100892 ms
    SATA WARNING: Enable auto-activate failed.
    However, it will finish the disk check and say the disk is OK, with that "File System was Modified" note. Then when I run the check again it goes through with no problems.
    I ended up doing a warranty exchange with Kingston and got a new replacement drive (as opposed to them refurbishing the drive I sent in). I am now using the new V200 as the boot drive, which is turning out to be a bad idea, but I kind of wanted to test it out.
    I read on this forum that it might have been my Icy Dock adapter case, which is used to fit the SSD into the Mac Pro hard drive sled, perhaps a faulty case causing the problems. But when I installed the replacement drive I nixed the Icy Dock and have it directly connected, and the problems still remain. I had used TRIM enabler at one point but turned it off long ago to troubleshoot, so I don't think that affects this problem.
    Incidentally, while I was waiting for Kingston to send back the replacement V200, I was using an external firewire drive in its place as a secondary data drive (i.e. the drive housing my iPhoto library) and never had any problems or freezes.
    So that's my woes. I can't pinpoint it exactly or definitively but the evidence I have points to something screwy with this particular Kingston SSD model. I am going to contact them again and see about returning it for a refund. If anyone has any helpful information or insight I'd appreciate the info.

  • BPEL designer default relative URI when importing wsdl

    I'm using BPEL designer 10.1.3.1.0 The designer generated a reference service wsdl file "MyServiceRef.wsdl" that imports the service "MyService.wsdl" I intended to use.
    The import line reads like:
    <import namespace="http://my.namespace/" location="../public_html/WEB-INF/wsdl/MyService.wsdl"/>
    When deploying the BPEL project, I got error that "Failed to read wsdl", in which the deploying process looked for the wsdl file at location
    <BPEL HOME>\domains\default\tmp\.bpel_ProjectName_ff8d276f54525c078b0828ce6f764002.tmp
    I tried to modify the line to use the full URI to point to the correct location but it wouldn't compile. Can someone help point out what is wrong?
    Thanks,
    Wen

    1. The web service "MyService" was generated using BPEL designer's wizard: New -> Business Tier -> Java Web Services (There's one java class compiled within the project.)
    2. When I was adding the service into my BPEL flow, jdeveloper automatically generated the reference "MyServiceRef" as mentioned in the first post. This reference service imports MyService, at relative URI as correctly described in the import statement.
    3. Compiling the BPEL ->success
    4. Deploying BPEL, somehow it looks for MyService.wsdl at a wrong location
    MyService.wsdl
    <definitions
    name="MyService"
    targetNamespace="http://my.target/"
    xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://my.target/"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    >
    <types>
    <schema xmlns="http://www.w3.org/2001/XMLSchema">
    <import namespace="http://my.namespace/FlowName" schemaLocation="FlowName.xsd"/>
    </schema>
    <schema xmlns="http://www.w3.org/2001/XMLSchema" targetNamespace="http://my.target/"
    elementFormDefault="qualified" xmlns:tns="http://my.namespace/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:soap11-enc="http://schemas.xmlsoap.org/soap/encoding/">
    <import namespace="http://my.namespace/FlowName" schemaLocation="FlowName.xsd"/>
    <element name="Demo_ServiceElement">
    <complexType>
    <sequence>
    <element name="String_1" type="string" nillable="true"/>
    <element name="String_2" type="string" nillable="true"/>
    </sequence>
    </complexType>
    </element>
    <element name="Demo_ServiceResponseElement">
    <complexType>
    <sequence>
    <element name="result" type="string" nillable="true"/>
    </sequence>
    </complexType>
    </element>
    </schema>
    </types>
    <message name="MyService_Demo_Service">
    <part name="parameters" element="tns:Demo_ServiceElement"/>
    </message>
    <message name="MyService_Demo_ServiceResponse">
    <part name="parameters" element="tns:Demo_ServiceResponseElement"/>
    </message>
    <portType name="MyService">
    <operation name="Demo_Service">
    <input message="tns:MyService_Demo_Service"/>
    <output message="tns:MyService_Demo_ServiceResponse"/>
    </operation>
    </portType>
    <binding name="MyServiceSoapHttp" type="tns:MyService">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="Demo_Service">
    <soap:operation soapAction="http://oracle.crm.dnbconnect//Demo_Service"/>
    <input>
    <soap:body use="literal"/>
    </input>
    <output>
    <soap:body use="literal"/>
    </output>
    </operation>
    </binding>
    <service name="MyService">
    <port name="MyServiceSoapHttpPort" binding="tns:MyServiceSoapHttp">
    <soap:address location="http://130.35.75.232:8888/QuickStartWrkspc-DnBFlow-context-root/MyServiceSoapHttpPort"/>
    </port>
    </service>
    </definitions>
    Error:
    #### Deployment incomplete. ####
    BUILD FAILED
    D:\work\jdevhome\jdev\mywork\QuickStartWrkspc\FlowName\build.xml:79: A problem occured while connecting to server "localhost" using port "8888": bpel_FlowName_1.0.jar failed to deploy. Exception message is: ORABPEL-05215
    Error while loading process.
    The process domain encountered the following errors while loading the process "FlowName" (revision "1.0"): Failed to read wsdl.
    Error happened when reading wsdl at "D:\product\10.1.3.1\OracleAS_1\bpel\domains\default\tmp\.bpel_FlowName_1.0_ff8d276f54525c078b0828ce6f764002.tmp\MyServiceRef.wsdl", because "Error reading import of file:/D:/product/10.1.3.1/OracleAS_1/bpel/domains/default/tmp/.bpel_FlowName_1.0_ff8d276f54525c078b0828ce6f764002.tmp/MyServiceRef.wsdl: Failed to read wsdl file at: "file:/D:/product/10.1.3.1/OracleAS_1/bpel/domains/default/tmp/public_html/WEB-INF/wsdl/MyService.wsdl", caused by: java.io.FileNotFoundException. : D:\product\10.1.3.1\OracleAS_1\bpel\domains\default\tmp\public_html\WEB-INF\wsdl\MyService.wsdl (The system cannot find the path specified)".
    Make sure wsdl exists at that URL and is valid.

  • WAAS Design Help Needed - URGENT!

    Hi,
    I am currently designing and implementing a WAAS solution for a client in their Data Center. It is a deployment of a single Accelerator and one CM.
    It has been decided that the WAAS accelerator (7341) will have its two NICs connected to two of their core switches (both 6500). The two core switches have a Layer 3 Etherchannel link between them and are running OSPF for network convergence (i.e. Layer 2 connectivity is not used).
    I am facing a problem in the design, since I know that the Active/Standby configuration for the accelerator would require a redundant gateway via HSRP (at least) but this is not possible in a routed environment in the core switches. Furthermore, I am to run WCCPv2 for redirection.
    Therefore, I am confused as to how to proceed in such a case considering that I can only configure one default gateway on the accelerator when I need high availability on two different subnets.
    Please assist at your earliest.
    Thanks.

    Amir,
       Considering your question below
    "I am facing a problem in the design, since I know that the Active/Standby configuration for the accelerator would require a redundant gateway via HSRP (at least) but this is not possible in a routed environment in the core switches. Furthermore, I am to run WCCPv2 for redirection."
    Is the WAE configured for a Standby interface, and is this your Primary Interface as well? If the answer is yes, then see below.
    You will need a common VLAN for WAAS on both 65K switches in order for the Active / Standby interface to work properly.
    1: When using OSPF make sure your TCP flows have both ingress and egress flows transit from the same switch
    2: Use Generic GRE method for Egress under WAAS intercept configuration.
    Since you are running WCCP each switch will be able to redirect its TCP traffic via GRE Tunnel to WAAS and WAAS will send the packet back to the same switch. This will ensure packet path is not modified when WAAS / WCCP is introduced.
    Also make sure that you do not have any WCCP redirect on the Layer 3 connection between the 2 switches. Let me know if this helps.
    Ahsan Khan

  • Design Help - Firewall/DMZ

    Hi,
    I am about to purchase two 5515-X next generation firewalls and I need to decide what to do as far as the design goes so I need some help from the experts. These appliances seem to come with 6 1Gbps ports which is enough. In our LAN, we have two 6500 running in VSS mode and we are also going to get our second ISP. Doing the obvious which is cross-connect each firewall with the two 6500s and possibly with the internet routers. Is there something else you recommend?
    Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    Using two ISPs, how do I deal with the Public-Internal NAT?
    Any help is greatly appreciated. Thanks.

    Planning to trunk a couple interfaces and connect them to a DMZ switch; however, how do I make that one switch redundant? Some of the vendors currently connected do not offer a redundant link in case of failure.
    Well, you could use the 6500s if you have enough free interfaces on it. Create the DMZ VLAN on the 6500s as well as on the new DMZ switch. On the 6500 and the DMZ switch configure the ports as trunk but only allow the single VLAN on that trunk. Create a subinterface on the ASA and place that subinterface in the new DMZ VLAN and give it an IP.
    I'll be deploying the devices as active/standby and this is because I have VPNs configured which it is my understanding that both devices can't be active with this type of configuration. Can someone advise on this matter? However, the company wants to use them both at the same time.
    What the company wants isn't always what is the best solution and they should be told that, from time to time. However, it is possible to configure the ASAs in an Active/Active setup. This will require that the ASAs are configured in multiple context mode. On one ASA context 1 is active while context 1 on the second ASA is in standby mode. Then on the second ASA context 2 is the active context and on ASA context 2 is in standby mode. This setup will allow the use of both ISP connections and be able to maintain VPN connections. Keep in mind that the VPN connections will not be active on both ASAs. It will only be active on the active context, but will fail over to the standby context if a failure occurs.
    Using two ISPs, how do I deal with the Public-Internal NAT?
    The ASA does not support two active default gateways, and therefore support for two ISPs is not supported in single context mode. So if you have a requirement to use both ISP connections simultaneously then you need to have multiple contexts. Each context is a virtual firewall and completely separate from each other.
    So, back to the active contexts. Context 1 on ASA1 is the active context and is connected to ISP1. Context 2 on ASA2 is the active context and is connected to ISP2. You would perform NAT in the exact same way as you would in a single context ASA, no hocus pocus. The only difference is that the traffic that goes towards each context and subsequently each ISP is not from the same subnet. They need to be separated and then divided between the two contexts.
    So, context 1 would have traffic for VLANs 1, 3, 5, 7, 9 and context 2 would have traffic for VLANs 2, 4, 6, 8, 10.
    Here is a link on how to configure active/active failover.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#wp1163513
    Please remember to rate and select a correct answer

  • How can I connect airport extremes using a wired-switch connection and have roaming capability?

    My goal is to have 2 airport extremes and 1 timecapule connected via an ethernet switch so that I can enable roaming. I have no problems connecting them wirelessly where I create the wireless network on a primary airport wireless then add the others "extending" the network. However, if I attempt to do the same thing with a wired connection everything stops working (no connections from any airport). Here's the topology I'm trying to achieve. I believe my problem relates to the switch and the fact that I am serving up DHCP from a separate server. Is there a way I can achieve this (or similar) type of configuration? Thanks in advance.
    BTW, I have read the various documents on the roaming network topology  but none seem to be a match to this.

    To answer your question, yes, if I _only_ have the main "create wireless network" airport connected/wired to the switch, everything works correctly.
    OK, got that.
    Also, if I have each of the 3 airports/timecapsule "create wireless network" using the same ssid name and passwd/protocol, everything works correctly (but of course, no roaming under this scenario)
    Sorry, you have me confused on this one. When the AirPorts are all configured to "create a wireless network", use the same SSID, security and password, and all AirPorts are in Bridge Mode........that is the exact definition of a "roaming" network.
    Not sure what you mean when you say "no roaming" in this configuration.
    Also, if I have the main "create wireless network" configured and have the 2 other airports "extend the network" and _not_ have them connected via the ethernet cable, everything works correctly (wireless airport interconnection)
    That is correct.
    However, if I plug the 2 other "extend the network" airports into the switch via ethernet, all connectivity shuts down.
    This is not a correct setup. The "extend" setting on the AirPort assumes that they will connect using wireless.  If you then try to connect an Ethernet cable to an AirPort that is expecting a wireless connection, that will result in a big feedback loop and effectively crash the network.

  • Wireless design help

    Hi guys........just have a few questions about designing WLC 5508
    The scenario is that currently one of the clients has firewall tiering, T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected, which has a router which connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking to deploy two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC: are they just like a switch, e.g. one port can be assigned to different VLANs? I'm just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

    OSITAN N Many thanks, please comment

                       Internet
                         FW 1
                           !                          <----- Traffic coming this way
                         FW2 ---- DMZ ---- SW ---- Router ---- IP MPLS ----
        ------Trusted----- !                                               !
                           !          ------Branch Router------->          RT
              !      !     !                                               SW
             DSN     AD   DHCP                                             !
                                                                           AP
                                                                          USER

    1. Where to place the WLC so that guest traffic doesn't go to the Trusted area?
    2. It's going to be H-REAP, so DHCP would be local for the branch.
    3. Voice user QoS? Priority how? Example?
    4. Guest firewall rules to use only Internet?

  • New LAN Design Help

    I'm new to Cisco and hoping to implement a large Cisco solution. Unfortunately we're not in the position to hire an expert so I'm seeking some much needed advice!
    The general plan for phase 1 would be:
    A router with 9 interface cards, that will have a 4Gbps trunk to an Internal Network Switch, 1gbps to DMZ switch, 1gbps to WLAN router, 1gbps to identical router for HSRP, 1gbps to WAN switch, and 100mbps to Internet router
    The router will need to participate in OSPF, HSRP and do trunking. It needs to do IPSEC vpn tunnels
    The Internal Network Switch would have about 40 Vlans to individual departments. Each department uplink to the Internal Network Switch would be 100mbps. Eventually this switch will be doubled up for redundancy.
    There would be about 1000 clients going through it via the Internal Network Switch, and through the Router, using the DMZ servers as well as the Internet.
    So I have a few questions regarding this setup:
    1/ Which type of router should I use?
    2/ Which type of switch should I use?
    3/ Is the network schema at all correct or would there be a better way of doing it?
    Hoping for some help!

    1) I recommend going with Cisco 2800 ISR for the IPSec VPN http://www.cisco.com/en/US/products/ps5854/index.html
    2) I recommend going with Cisco 3750G for the DMZ, WLAN, WAN switch connections. This switch provides (with the right image) HSRP, OSPF, EIGRP services.
    http://www.cisco.com/en/US/products/hw/switches/ps5023/index.html
    3) Drop all connections down to the 3750G (all ports support up to 1Gb speed) and perform all the routing there as well as layer2 VLANs.
    Nice, clean and inexpensive solution.
    In addition, 3750s support stackwise cabling so if you purchase more than one switch for port density, in the config it looks like a single switch.

  • Unable to toggle between LiveCycle Designer & Help

    If we open the LiveCycle Designer Help window, we are unable to switch to the Designer until the help window is minimized. This is slightly annoying the developers.
    It would be better if it can behave like other applications (e.g. Adobe Workbench ES)
    Thanks,
    Nith

    Charlie
    I am unable to duplicate the problem you are experiencing.  I was able to use Acrobat Pro 9 and X, to apply the Reader Extension permissions (to the sample form I posted earlier) and open and sign the form in both Reader 9 and X.
    What is the exact version of Acrobat you are using to apply the Reader Extension rights?  The dialog I see when doing so with Acrobat 9 Pro is...
    If you are using Acrobat Standard, it seems there is a limitation (save data only) on the Reader Extension permissions that you can apply.
    Regards
    Steve

  • Need help with setting up a PPTP connection

    Hello all,
    I am having trouble setting up a PPTP connection in Mac OS X "Snow Leopard". The ISP has provided the following info:
    — Protocol: PPTP
    — Login
    — Password
    — IP Address
    — Subnet mask
    — Default Gateway
    — IP Address of the VPN Server
    I am using the Airport Express as router, so here's what I entered in the Airport Utility on the Internet tab:
    Connection: Ethernet
    IP Address (as provided)
    Subnet mask (as provided)
    Router address (from Default Gateway)
    Then I went to Connections, and created a new PPTP connection, setting the properties of the latter as follows:
    VPN Server (as provided)
    Account name (from Login)
    Authentication->Password (from Password)
    and chose "Send all traffic over VPN connection".
    The Airport is reported to have connected successfully, but the specified VPN Server does not ping, and when I try to connect via PPTP, an error is displayed saying that the PPTP-VPN server did not respond. Playing with different Encryption types did not help.
    This same connection, when set up on a Windows machine, works well so I think I must have goofed with the Mac OS X settings. Could you help me find out what I could have done wrong?
    Thanks in advance,
    Anton

    Pete Corelio:
    {quote}You do have more network devices, at least a dsl or cable modem and maybe a switch connected to it. Are your PC and the AX connected to the same modem/switch?{quote}
    No. There's only the Ethernet cable leading to some central (building-wide, or even wider) device. It was routed to my friend's apartment by the ISP people.
    {quote}It's a bit uncommon to manually set the IP address within the TCP/IP section of the VPN network settings like you did. That's usually set to automatically get an IP via PPP... Please try a quick test using PPP instead.{quote}
    Having the AX using DHCP and VPN using PPP makes part of the ISP settings unnecessary... Hmmm. Anyway, I did try PPP in VPN connection settings, to no avail. Alas.
    {quote}It's also suspicious that you cannot open a connection to port 1723 with the telnet command. Are you sure the VPN type is PPTP and not L2TP over ipsec?{quote}
    Yes, I am sure. The ISP's support confirmed it over the phone. Also they said they hadn't been able to set up any Mac with their network, but I am loth to believe the latter statement. And I clearly remember it was PPTP (not L2TP) in the Windows settings.
    {quote}Please verify the IP settings on your PC...{quote}
    OK, will do this Wednesday. Also I'll take a closer look at the VPN settings.
    {quote}So your PC is on the same network and the VPN works from there? Is the PC using 3rd party VPN software or the built-in software?{quote}
    No other clients, just a VPN connection configured using Windows built-in tools.
    Anton
    EDIT:
    {quote}I'm assuming the Mac gets an IP in the 10.x range and gets online OK right? {quote}
    The AX is saying it's connected but there's no internet. This ISP is providing access to the internet through that VPN. The same AX works well with my MacBook at home, although I am using PPPoE.
    Message was edited by: Ant_222

  • Design thoughts: Replacing a L2 aggregation switch

    Hi,
    I have purchased a 4507R switch to replace a 2924M-XL switch that acts as an aggregation switch in our network. Let me explain further what I plan to do.
    I have 20 remote sites connected point to point via 100 Mbps dark fibre to the 2924M-XL. Most of the sites have only a handful of users but 5 of them are bigger (ie. 20-70 users). Some of the larger remote sites (small campuses really) have 2-5 switches in a star topology with the "hub" switch connecting back to the 2924M-XL. Each site has 1 or 2 user VLANs and a management VLAN. The 2924M-XL trunks all VLANs back to a 6513 at the core of our network.
    I will be connecting the 4507R along 2 separate dark fibre runs (for layer 1 redundancy) to 2 6513s in our core. This will give us fault-tolerance should our primary 6513 fail.
    My problem is I'm struggling with the decision to go layer 2 or layer 3 between the 4507R and the 6513s. Layer 2 would be a lot easier to implement and support (I'm the sole administrator of this rather large network) but then I'd have RSTP to deal with among the 2 6513s and 4507. I'm comfortable with RSTP since I run it between 2950G switches dual connected to the 6513s but my gut feeling is that I should be putting in layer 3 between the 6513s and the 4507.
    We will be implementing VoIP in the next 2 years and I'm unsure how that affects my decision.
    One last comment. Would layer 2 trunking of VLANs from the 4507 to the 6513s WITHOUT trunking these VLANs between the 6513s be a viable option, and would HSRP between the 2 6513s still work OK for layer 3 redundancy? The remote sites are set up with unique user VLANs but there is a special use VLAN that spans 4 of the sites and my management VLAN spans all the sites (I'm planning to change this).
    Thanks everyone for your thoughts/opinions.
    Ian.

    Hi there Ian,
    I'm a big fan of routing over switching, which I read is becoming Cisco's recommended way of doing things.
    I would route between the 2 x 6513's and the 4507 as it will not only give you fault tolerance, but also load balancing, plus cutting down on broadcast domains and all those other nice things.
    As far as configuration goes, once you've got it up and running, then it'll just keep running. It seems like you will only need straightforward routing here and nothing too complex. Setting it up would be a simple affair.
    VoIP, in my experience, is much better implemented over a routed network than a switched one. There are loads more things that you can do at layer 3 than you can at layer 2. Think about all the QoS that you'll be able to implement, with shaping and policing, etc. Much more security can be built in at layer 3 too. You'll get the likes of NBAR and all other features that you'll be able to (over time) tweak your network with.
    As for performance, you'll never spot a difference. The 4507 will be lots faster than the 2924 and using cef, the 4507 will keep a forwarding table for ip's the same way a 2900 keeps a mac table.
    You will not regret routing it.
    Hope this helps - if so, please give it a rating.
    LH

  • Disable portfast on switch-to-switch connection

    Hi,
    From http://www.cisco.com/en/US/customer/tech/tk389/tk621/technologies_configuration_example09186a008009467c.shtml, it says, "do not use portfast when you have switch-to-switch connection. In this case, the command can result in a loop."
    For e.g. when someone connects a switch port (with portfast enabled) to another switch port (with portfast enabled)
    1) can this scenario cause a loop even though the connection between these switches is only a single link?
    2) If it does not cause a loop, what will happen? STP recalculation which causes a short network outage?
    Thanks.
    Christina

    Hi Christina,
    1) Only if there is a redundant physical path between the switches, such as through another switch. If the only physical path between the two switches is the switch-to-switch link in question, then no loop can occur.
    2) Portfast simply ignores the standard STP state transitions and immediately enters the forwarding state, so assuming no loop, a switch-to-switch link that has portfast configured will skip the 50 second STP convergence time and immediately forward traffic.
    HTH,
    Bobby
    *Please rate helpful posts.
