Different Vlans and interfaces to Management and Production

Hi.
I am trying to configure an ISE with one interface in the management vlan (just the admins will have access to this vlan, this Vlan is not routed on our network) and other interface in the production vlan where the ISE will work and everyone else will have to reach (guest portal, sponsor portal, etc...)
I read the management interface must be the Giga 0.
Can anyone help me? It is my first ISE so I am a bit lost.
Thanks.

You can put G0 on the management VLAN that you are referring to. However, if you are using the guest portal/services then you need to dedicate an interface for that as well. You do that from "Administration > Web Portal Management > Settings > General > Ports"
If you don't want to deal with this then you can put ISE on a general VLAN that is different than the management one that you are using and then restrict access to the management via:
"Administration > Admin Access > Settings > Access > IP Access" there you can define the IPs from which management is allowed. Perhaps there you can set your management subnet.
Hope this helps!
Thank you for rating helpful comments!

Similar Messages

  • VLAN and EBS

    Hi,
    I am using OEL 5.3 and have two nodes, one for db and other for apps. Due to security reasons I want DB-NODE be in different VLAN and apps in a different VLAN. During this test I didn't apply ACL on router, and no error in oracle apps/db logs. I am using Nortel Switch/Router.
    The problem is when I change both nodes to different vlan, I am unable to view even login page of EBS app, even though no router involvement is there. Both nodes are in single network 172.20.201.0/24. No error in logs.
    After this failure I changed the scenario and moved both nodes to single VLAN id=200, but same issue on this, no login page. Then I reverted both nodes to default vlan and default network and it's working fine.
    I want to know is there any problem with oracle EBS when working in VLAN?

    Hi,
    Can you ping the IP Address of the application/database nodes?
    Can you ping the database server from the application node and vice versa?
    There should be no issues in using different VLANs as long as all the nodes see each other. Just make sure you have proper entries in FND_NODES table and that AutoConfig run successfully on all tier nodes -- See (Note: 260887.1 - Steps to Clean Nonexistent Nodes or IP Addresses from FND_NODES).
    Regards,
    Hussein

  • 1300 bridge with native and management vlan in different vlans

    Hello,
    We are going to set up a wireless bridge between two 1300 access points. In our network the native vlan and the management vlan are different vlans. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
    regards,
    Rutger

    To answer my own question:
    I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
    Rutger

  • Vlan and physical interface of vlan showing different utilizations

    Puzzled???
    Anyone know why the physical interface of the vlan and the vlan interface show different utilizations? For instance the physical interface shows 60% utilization and the vlan interface is double that.
    Thanks in advance
    Mike G.

    As per my knowledge, the subinterfaces are logical interfaces created on a hardware interface. These software-defined interfaces allow for segregation of traffic into separate logical channels on a single hardware interface as well as allowing for better utilization of the available bandwidth on the physical interface.
    http://www.cisco.com/univercd/cc/td/doc/product/software/iosxr3/int_c3/hc3vlan.htm

  • How do I route multiple SB302 switches at different sites and their VLANs?

    Hello Cisco Support Community,
    First thank you for any replies.
    The video posted today on 302's and multiple VLAN's on one switch was nice.
    Thank you, I have that working but it's not really what I need.
    Though pictures are worth a 1000 words so I hope someone will post something similar to my question.
    I have 7 - SB 302-08 switches with the most recent firmware. (updated firmware today, thanks to the video, and TG for the CLI)
    All 302's are configured for layer 3.
    This is my first experience with the SMB line of switches.
    I have a main office and several satellite branch offices.
    All locations are connected back with a "Q to Q" circuit on individual ports to a vendor supplied switch at the main office.
    I need to link all branch office 302 switches back to the main office 302 switch and allow traffic amongst them.
    Mainly traffic between each branch office and the main office.
    There maybe a future need to incorporate VoIP on them as well, but that is a back burner issue.
    These locations will have an individual VLAN and 302 switch but need to receive data from the main VLAN and possibly others.
    I have a "core" SB 302 setup at the main office with its own VLAN.
    Each branch switch has its own VLAN.
    I would also like to have a centralized management VLAN for the switches.
    In trying to configure the core 302 I keep losing connectivity and having to reset it.
    On the branch switches I end up getting them to only link to themselves with different IP's and not the core.
    I'm assuming this is caused by my not configuring interconnectivity using ACL.
    Please let me know if you need additional information.
    Thanks

    Allan,
    Well first you want to make sure you are running latest firmware 1.1.1.8 I do believe
    Next either console into the switch or you can turn on SSH/Telnet under Web gui (Security > TCP/UDP Services and make sure SSH/Telnet is enabled)
    Now we configure the switch via Cli
    We need to enter global configuration mode.
    Configure Terminal
    (next add our vlans)
    Vlan database
    Vlan 10
    Vlan 20
    Vlan 30
    Exit
    (you can run show command to see your vlans)
    do show vlan
    (Now configure the port how you would like)
    Interface GE1
    Switchport mode access   (this is making Gigabit port 1 an access port)
    Switchport access vlan 20 (this command is changing access port vlan from 1 to 20)
    (let's configure a trunk port)
    Interface GE2
    Switchport mode trunk (this makes port 2 for trunking)
    (Now let's add our Vlans)
    Switchport trunk native vlan 1
    Switchport trunk allowed vlan add 10,20,30
    Exit global configuration
    (Use this command to copy your settings to startup)
    Copy running-config startup-config
    (Some screen shots attached)
    I see you have a WRT54G router which I don't think supports vlans unless you have 3rd party OS installed.
    So currently is the SG300 switch operating in layer 2 or layer 3, guessing this is why you chose to move up to 300 series switch?
    If the switch is not in layer 3 mode but in layer 2, when setting it to layer 3 the switch will default all previous settings.
    If the switch is set in layer 3 mode you might have forgotten your default route
    (Command setting default route)
    configure terminal
    ip route 0.0.0.0 0.0.0.0 192.168.1.1  (192.168.1.1 being address of your WRT54G)
    Now you would need to set up ACL's to deny and allow what traffic you wanted to filter on the SG300
    Also reading your post we would need you to call into support center SBSC @ 1-866-606-1866
    This way we could get a better idea of your current configuration and assist with fixing or finding a solution for you.
    you have 1 year phone support with this product
    Thanks,
    Jasbryan

  • How to populate SNDPRN with different values in Development and Production?

    Hello experts,
    I have to fill the field SNDPRN in the message mapping with a different value in Development and in Production. As I am new to PI, I used a simple solution - but it is rather ugly: I set a constant value in the mapping in development and a different one in Production. However, I would like to know if there is any solution to have a condition in the mapping like:
    IF system is Development, set SNDPRN as Constant1.
    IF system is Production, set SNDPRN as Constant2.
    (And eventually IF system is Test, set SNDPRN as Constant3)
    Thanks in advance for your help,
    Luis

    Hi Luis,
    You can go with the parameterized mapping, where you can provide different values for SNDPRN in interface determination for development and production.
    At any point of time if you want to change the values it requires only a change in the configuration.
    Please refer to the below links for reference:
    Parameterized Mapping Programs - Enterprise Services Repository - SAP Library
    http://scn.sap.com/people/jin.shin/blog/2008/02/14/sap-pi-71-mapping-enhancements-series-parameterized-message-mappings
    We are following the same approach for some of our interfaces.
    - Muru

  • Vlan and SSID not showing in AP Web Interface

    We have a couple of APs that do not show the Vlans and SSIDs through the AP web interface.  If you go to the SSID manager page in web interface, the page comes up but does not show any of the SSIDs configured.  The same goes for Services - Vlan.  That page comes up but does not show any Vlans configured.  If you telnet to the APs, you see the listed mssid and all the SSID interfaces.  The SSIDs on the APs are functional and working.  This just makes it difficult to use the web interface for these APs.  I have tried to compare running configs on APs where web interface is not showing this and on APs that it is showing but cannot see any differences.
    Thanks.

    Unsupported things are never documented. You can't possibly list all browsers that you don't support.
    But if it's not mentioned clearly as supported then it means "it might work but we never tested with it".
    Let us know how it goes with the 12.4.21
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Jumpstarting changes with U6:  VLAN tagged interfaces and sysidcfg

    Hello,
    I've been banging my head on U6 for a few days and finally have to give up and cry for help. I can no longer build a jumpstarted server which ends up on a separate VLAN tagged LAN after first reboot.
    I have an existing U5 SPARC jumpstart environment setup. We use VLAN tagging a lot in our environments and by default the only time a non VLAN tagged interface is used is during jumpstart. With the existing jumpstart we are using the following profiles:
    root_password=mypassword
    security_policy=NONE
    timezone=GB
    timeserver=localhost
    terminal=vt100
    network_interface=none {hostname=hostname}
    system_locale=en_GB
    name_service=NONE
    system_locale=C
    In the U5 profile we let the jumpstart server obtain its network configuration via DHCP and then obtain the profile above, which excludes all network settings. All the network settings were added as part of a finish script. This worked fine with U5. As far as I can see, with U6 at the point where the sysidcfg is first evaluated it removes the network settings and obviously then kills the jumpstart. So I have had to try a different approach. I have tried both of the following:
    network_interface=PRIMARY { default_route=none protocol_ipv6=no}
    network_interface=PRIMARY { dhcp default_route=none protocol_ipv6=no}
    However, using either of these causes the ce0, bge0 or whatever to remain defined, instead of the ce200000 and ce206000 interfaces that I have explicitly defined in hostname.ce200000 separately. I also get a number of arp errors on initial reboot, such as
    Nov 20 20:27:29 unknown ip: ip_arp_done: init failed
    Nov 20 20:27:29 unknown /sbin/dhcpagent[44]: configure_v4_lease: cannot set interface flags for ce0: Cannot assign requested address
    I don't know if I am barking up the wrong tree but I believe I need to get the server on initial boot (or during finish) to reevaluate a different sysidcfg file. Alternatively, it might need some combination of presence/absence of /reconfigure or /etc/.UNCONFIGURED. I think I might also need to stop /sbin/netstrategy return dhcp specific results (I only use DHCP for jumpstart booting and not for normal boot), but I have no idea how to do that...
    # /sbin/netstrategy
    ufs ce0 dhcp
    Any help much appreciated!
    thanks
    Paul

    Paul,
    I don't want to suggest that I understand your problem but have you seen the comments about tagged vlans on the Opensolaris LDoms forum?
    Near the bottom of thread [Solaris 10 10/08 (update 6)|http://www.opensolaris.org/jive/thread.jspa?threadID=81505&tstart=0] there is some discussion of tagged vlan support changes with U6.
    It sounds like tagged vlans are going to be a problem with U6.
    have a good weekend,
    Glen

  • About the Native Vlan and Management Vlan.

    I wanted to know that Management vlan and Native vlan can be different vlan id or  both should be same vlan id. Why should not be native vlan 1.

    The use of a native VLAN is generally frowned upon now as there are some well known security exploits that leverage this untagged VLAN. Cisco often recommends setting the Native VLAN to an unused VLAN in your infrastructure in order to render it useless for attacks.
    It is also recommended that you create a separate VLAN for your Management traffic and that this VLAN be tagged (therefore not a Native VLAN).
    Native Vlan is the vlan which will be sent untagged even in Trunk links. Consider a Trunk link configured between two switches SWA and SWB, if a system in vlan1 of SWA is sending a frame via SWB, then this frame will be received as untagged by SWB, then switch B decides that the untagged frame is from native vlan 1 and handles accordingly. By default native vlan is 1, this can also be changed as per requirement.
    Example: In the below figure if an IP phone and system are connected to a switch port as below, then the phones will send their frames tagged with vlan 10 whereas the frames sent by system will be untagged. So here the corresponding switch port should be configured as native vlan 20, so that it can recognise and handle the frames from system and IP phone properly.
    Management vlan is different, it means that this vlan will be used for management purposes like logging into the switch for management, monitoring the switch, collecting Syslog and SNMP traps, etc. will be done by management vlan IP. This is also by default vlan 1 in Cisco. So as Antony said, it is always a best practice and security measure to not use the default vlan and use custom vlans.
    Hope this helps !
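
An added example (not part of the original replies, and not Cisco tooling): a small Python audit of an IOS-style configuration against the recommendations in the answer above. It flags trunks whose native VLAN is still 1, trunks whose native VLAN is in use by access ports or an addressed SVI, and a management SVI left on VLAN 1. The sample configuration, the finding names and the function names are constructed for illustration.

```python
import re

# Constructed IOS-style sample, not taken from any real device.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,30
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/4
 switchport mode trunk
 switchport trunk native vlan 1
!
interface GigabitEthernet0/5
 switchport mode trunk
 switchport trunk native vlan 30
!
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
!
interface Vlan30
 ip address 198.51.100.10 255.255.255.0
!
"""


def parse_interfaces(config):
    """Map each interface name to its lower-cased sub-commands."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.match(r"interface\s+(\S+)", raw, re.IGNORECASE)
        if header:
            current = header.group(1)
            interfaces[current] = []
        elif current is not None and raw[:1] in (" ", "\t"):
            interfaces[current].append(raw.strip().lower())
        else:
            current = None  # "!" or a global command closes the stanza
    return interfaces


def audit(config):
    """Return sorted (interface, finding) pairs for the VLAN hygiene checks."""
    access_vlans, svi_vlans, trunk_native = set(), {}, {}
    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"vlan(\d+)", name, re.IGNORECASE)
        if svi:
            # An addressed SVI that is not shut down carries management traffic.
            if any(c.startswith("ip address") for c in cmds) and "shutdown" not in cmds:
                svi_vlans[int(svi.group(1))] = name
            continue
        mode, native, access = None, 1, 1  # VLAN 1 is the default for both
        for c in cmds:
            if (m := re.fullmatch(r"switchport mode (\S+)", c)):
                mode = m.group(1)
            elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", c)):
                native = int(m.group(1))
            elif (m := re.fullmatch(r"switchport access vlan (\d+)", c)):
                access = int(m.group(1))
        if mode == "trunk":
            trunk_native[name] = native
        elif mode == "access":
            access_vlans.add(access)

    findings = [(svi_vlans[1], "MGMT_ON_VLAN1")] if 1 in svi_vlans else []
    for name, native in trunk_native.items():
        if native == 1:
            findings.append((name, "NATIVE_VLAN_1"))
        elif native in access_vlans or native in svi_vlans:
            # Native VLAN is not "unused": hosts or management ride it untagged.
            findings.append((name, "NATIVE_VLAN_IN_USE"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```
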

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco Routers
    And the Physical interface also can be using as Native VLAN interface right? 
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
     And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is very appreciated. but if there is any CCO document please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter

  • Batch management - Shelf life and Production date

    Hi All,
    I am working with batch management where I did all the setting of characteristics, Batch class and necessary settings. I am working with three characteristics: shelf life expiration, production date and last goods receipt.
    I have to activate shelf life and production date in Migo screen so that at the time of receiving my characteristics can store data. Kindly help in customizing setting
    Thank you in advance
    Majid

    Hi,
    You need to activate shelf life expiration check in T.Code OMJ5 for movement type 101 and also plant.
    This will activate the entry of Shelf Life expiration/Production Date at the time of goods receipt.
    If you are using std. SAP Characteristic (LOBM) for Manufacturing Date, Best Before Date and Goods Receipt Date then the value of this characteristic will update automatically in Batch, depending on your goods receipt data.
    Regards,
    Dhaval

  • DRQ: Different default warehouse for Sales,Purchase and Production Process

    Hi Experts,
    In my recent Implementation Project I realised that there should be provision of capturing and using different default warehouse for Sales,Purchase and Production.
    For example in manufacturing company
    1. Default ware house for Purchase process should be QC ware house for raw material.
    2. Default ware house for Production process should be RM ware house for raw material (components).
    3. Default ware house for Production process should be QC ware house for Finished Good (Parent Item).
    4. Default ware house for Sales process should be FG ware house for Finished Good (Parent Item).
    I hope the idea is clear, I am looking for 3 different set as default warehouse for each item in Item master Inventory tab.
    Internally when a user creates a document then default warehouse is to be picked up from this setting!
    Best Regards,
    Samir Gandhi

    Hi !
    I guess the indicator "Exclusive" in the accesses of the access sequence can meet the requirement if I have not misunderstood the issue.
    Press : F1 help on Exclusive Indicator -
    Indicator: Exclusive condition access
    Controls whether the system stops searching for a record after the first successful access for a condition type within an access sequence.
    Thanks & Regards

  • Error occurred in deployment step 'Install app for SharePoint': The provided App differs from another App with the same version and product ID.

    I am facing this problem while start debugging the Provider-Hosted app through VS2013. I want to deploy the app with same version. So please let me know any solution to remove the app instance from office365 online, so that I can deploy the same app with same version on the specified "Developer Site".
    Note: If I change the version in AppManifest.xml file then this problem/error gets resolved. But I want to deploy with the same version as per my business requirement.
    The actual error renders while I click to "Start" button of the Visual Studio 2013 to deploy the provider-hosted app, for the sake to deploying it on say "ABC" site collection (i.e. developer site). I work on office365 online. Therefore, request you to please provide the solution for SharePoint online office 365. The occurrences is:
    "Error occurred in deployment step 'Install app for SharePoint': The provided App differs from another App with the same version and product ID."
    Please assist me anyone. It will be so kind of you.....
    Naveen Kumar
    Steria India Ltd.

    Did you update the AppManifest.xml file and change the version?
    If this helped you resolve your issue, please mark it Answered

  • Mapping Design  - SOAP body content needs to be different between test and production

    Hello,
    We are integrating with a 3rd party SOAP receiver who uses the same web service URLS for test and production.
    So to differentiate they exposed 2 web services which do the same thing but have different root and payload node names...along with account details.
    For example, for production our SOAP XML must follow pattern like:
    <Envelope>
    <Body>
    <appRequest>
    <userID>produser</userID><password>prodpwd</password>
    <appPayload>
    <?xml>
    blah blah this XML is the same between test and production
    </xml>
    </appPayload>
    etc
    But for their testing we must use:
    <Envelope>
    <Body>
    <appRequestTest>
    <userID>testuser</userID><password>testpwd</password>
    <appPayloadTest>
    <?xml>
    blah blah this XML is the same between test and production
    </xml>
    </appPayloadTest>
    etc
    So I'm trying to think of a good way to handle this difference in one set of mappings that we can use in our 3 PI platforms Dev / Test / Prod
    Since these differences are in the SOAP Body does it need handled in mapping or is there a way to handle it in the Adapter Config which is naturally different between our environments (mapping we like to keep the same).
    What is a smart way to handle this scenario?
    Many thanks,
    Aaron

    I second Artem when he states that this is a bad design decision from the caller's side.
    However this is not gonna help you in the current situation, right?
    The problem you are facing is that by poor design the message does not have a root node which you may use to handle occurrences. Let me explain further
    You would be good if prod message looked like so
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header/>
    <soapenv:Body>
      <appData>
       <appRequest>
       </appRequest>
      </appData>
    </soapenv:Body>
    </soapenv:Envelope>
    and test message looked like so
    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header/>
    <soapenv:Body>
      <appData>
       <appRequestTest>
       </appRequestTest>
      </appData>
    </soapenv:Body>
    </soapenv:Envelope>
    --> Then you would have been able to specify occurrence of <appRequest> and <appRequestTest> as 0..1
    So I think you have (besides what Artem already pointed out) 2 other options:
    1. activate "do not use SOAP envelope" on sender SOAP channel and then designing the data types like above
    2. Use HTTP instead of SOAP adapter and designing data types like above
    Hope I didn't miss something crucial :-)
    Cheers
    Jens

  • Point of sales (POS) and Product data management (PDM)

    Hi guys,
    please any one can tell me what is Point of sales (POS) and Product data management (PDM) in SD module and give me structures on this

    As I know it is not supported.
    Oracle supports counter sales order. But if performance is considered invoicing and receipt is slow in Oracle. So this can have workaround...
