IGMP configuration (flooding, static group)
Hello all,
Looking to change my IGMP configuration as it is flooding numerous switches with unnecessary traffic and causing high CPU on switches that are connected to my 6500 cores.
The requirement is that all servers need to send/receive broadcast traffic between each other with IP address of 22.22.22.22. All servers are on the same VLAN with same L3 gateway which is configured on my 6500 core. Below is current configuration of VLAN interface on 6500 core:
interface Vlan1
description VLAN 1 - Server VLAN
ip address 10.10.0.1 255.255.0.0
ip flow ingress
ip igmp snooping querier
The "ip igmp snooping querier" was added when the servers were physical and resided on separate 3750 switches that connected to the core. May not have been ideal configuration, but it worked.
We have now migrated the servers to virtual and I need to remove the flooding that is occurring to all access switches and causing the high IGMP CPU process to be pegged. My thought is that I need to configure an IGMP Static Group. Looking for suggestions on what to configure? How to configure? Where to configure? Probably simple, however, I don't have a test environment to play with. I could configure different options to try, but that will disrupt the production servers which are 24x7. Please refer to attached diagram.
Thanks,
Tim
Rajesh
Static RP can co-exist with dynamic RP mechanisms (ie: Auto-RP). Dynamically learned RP takes precedence over manually configured RPs. If a router receives Auto-RP information for a multicast group that has manually configured RP information, then the Auto-RP information will be used.
http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ip-multicast/whitepaper_c11-508498.html
Jon
Similar Messages
-
I can't find iplanet-am-static-group
After installation JES, and during configuring now postinstallation, Access Manager step, I can't find the attribute iplanet-am-static-group.
I enabled successfully the plugin Referential integrity postoperation. But when adding the indexes.
Anyone has a response for my problem.
Thanks in advance.
Enlarge your DS admin window. Find out Additional Indexes:
Scrolling down as attributes are alphabetic order. You will find iplanet-am-static-group is below iplanet-am-modifiable-by attribute.
Jerry
-
Can you configure a static port to use with certsrv.msc?
I am trying to use certsrv.msc to connect from my workstation to the CA for administration purposes. Workstation is Win7, CA is 2008 R2 Enterprise running Enterprise Subordinate on a dedicated box.
I configured a static DCOM port for certsvc by following this article, including bouncing the service and also rebooting the CA box:
http://social.technet.microsoft.com/wiki/contents/articles/1559.how-to-configure-a-static-dcom-port-for-ad-cs.aspx
The static port was opened in the firewall from my workstation to the CA. We also found that TCP 445 was required, so that has been opened as well, port 135 & other ports normally needed for autoenrollment should be open. Sniffing the firewall showed that a random high numbered port that is not the static dcom port is being attempted - this is the only port showing dropped packets & no traffic on the static port.
I am wondering if there is a way to configure a static port for this high-level random port to use with certsrv.msc as I was able to do with the certsvc dcom port? I am trying to avoid having tens of thousands of network ports wide open going to my CA... Thanks in advance!
Hi Steve,
I am sorry that I wasn’t able to find references about restricting certificate services only use one port in the random port range.
However, we can configure RPC dynamic ports allocation to restrict port range. In the meantime, we should keep at least 100 ports open to keep necessary system services running.
More information for you:
How to configure RPC dynamic port allocation to work with firewalls
http://support.microsoft.com/kb/154596/en-us
Service overview and network port requirements for Windows
http://support.microsoft.com/kb/832017/en-au
Firewall Rules for Active Directory Certificate Services
http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx
Best Regards,
Amy Wang
-
LDAPAuthenticator Static Groups
I setup a custom LDAPAuthenticator that successfully reads users and groups from our internal LDAP server. The problem I'm running into is setting up group membership; I checked with our admins and I believe static is what I want. The following is a sample of our LDAP schema that defines a group and its members:
dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: user1
memberUid: user2
memberUid: user3
objectClass: top
objectClass: posixGroup
So I setup the static group settings in my custom authenticator as follows:
Static Group Attribute: cn
Static Group Class: posixGroup
Static Member DN Attribute: memberUid
Static Group DNs from Member DN: (&(memberUid=%u)(objectClass=posixGroup))
Using this, none of my LDAP users get marked as members of the groups they're in. I'm a little worried that the documentation for the "Static Member DN Attribute" says that it should be an attribute that specifies the DN of the group members, but according to our schema we only list the uid of the group members. I tried to account for this in the filter by using %u instead of the default %M, but I'm not having any luck.
For anyone who stumbles across this, I did figure out the problem. The answer is that, indeed, whatever attribute you specify that contains members, it must specify full DNs of the members.
For example, this is how our LDAP looked when it did not work:
dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: user1
memberUid: user2
memberUid: user3
objectClass: top
objectClass: posixGroup
To solve the problem, the memberUid parameter needed to use full DNs:
dn: cn=group1,ou=group,<BASEDN>
cn: group1
gid: 1000
memberUid: user1,ou=people,...
memberUid: user2,ou=people,...
memberUid: user3,ou=people,...
objectClass: top
objectClass: posixGroup -
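The mismatch described in the LDAPAuthenticator thread above, as an added example that is not part of the original posts and is not the authenticator's own code: a small Python emulation of a DN-based static group lookup, run against the same group entry with uid-valued and with DN-valued member attributes. The base DN dc=example,dc=com, the ou=people container and all function names are assumptions made for the illustration.

```python
# Added illustration: emulates a DN-based static group lookup, i.e. the filter
# (&(<member_attr>=<user DN>)(objectClass=<group_class>)), over in-memory LDIF.
# dc=example,dc=com and ou=people are constructed stand-ins for <BASEDN>.

UID_VALUED = """\
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
memberUid: user1
memberUid: user2
objectClass: top
objectClass: posixGroup
"""

DN_VALUED = """\
dn: cn=group1,ou=group,dc=example,dc=com
cn: group1
memberUid: uid=user1,ou=people,dc=example,dc=com
memberUid: UID=user2, OU=People, dc=example,dc=com
objectClass: top
objectClass: posixGroup
"""

def parse_ldif(text):
    """Parse simple LDIF (no line folding, no base64) into {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # a blank line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def norm_dn(dn):
    """Lower-case a DN and drop spaces around ',' and '=' (escaped commas not handled)."""
    parts = []
    for rdn in dn.split(","):
        attr, sep, val = rdn.partition("=")
        parts.append(attr.strip().lower() + sep + val.strip().lower())
    return ",".join(parts)

def groups_by_member_dn(entries, user_dn, group_class, member_attr):
    """Return the cn of every group whose member attribute holds the user's DN."""
    want = norm_dn(user_dn)
    hits = []
    for e in entries:
        if group_class.lower() not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        if any(norm_dn(v) == want for v in e.get(member_attr.lower(), [])):
            hits.append(e["cn"][0])
    return hits

def audit_member_values(entries, member_attr):
    """List (group cn, value) pairs whose member value is a bare name, not a DN."""
    return [(e["cn"][0], v)
            for e in entries
            for v in e.get(member_attr.lower(), [])
            if "=" not in v.split(",")[0]]

if __name__ == "__main__":
    user = "uid=user1,ou=people,dc=example,dc=com"
    for label, ldif in (("uid-valued", UID_VALUED), ("DN-valued", DN_VALUED)):
        entries = parse_ldif(ldif)
        print(label, groups_by_member_dn(entries, user, "posixGroup", "memberUid"),
              audit_member_values(entries, "memberUid"))
```

Running the audit function over an export of the group subtree before switching an authenticator to static groups shows which entries would silently resolve to no members.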
I have run into a big problem setting and searching dynamic groups and was told static groups are the most supported and most understood. I created a static group and added some members; now I am trying to search for members of this group and am facing difficulties. This is the code I am using and it's on Windows 2003. Will appreciate your help as always.
<cfldap action="QUERY"
name="GetLDAP3"
attributes="uid"
start="ou=new group, ou=groups,dc=example,dc=com"
Scope="subtree"
filter="(|(&(objectclass=groupofuniquenames)(uniquemember=cn=New Group,uid=xxxx,ou=xxxx,dc=example,dc=com)(member=uid=xxxx)))"
server="xxx.xxx.x.xxx"
Port="1389"
username="cn=ldapforwindows"
password="sunforwindows">
Have you tried this?
ldapsearch -p 1389 -b dc=example,dc=com uid=xxx isMemberOf
-
Configure custom query group in navigation menu
How do we configure custom query groups? Say for example: I have created a custom query group and added my custom query definitions to it. How do I configure this so that when I click on Contract Management Tab on the workbench, my custom query group is invoked?
I need to configure custom query group in navigation menu. Any help would be appreciated.
Regards,
Bindu Sharma
Hi Bindu,
As per my understanding, it is standard and query group cannot be added in the navigation but you can add your queries under Agreement and Clause Library.
Kindly refer the blog for the same: http://scn.sap.com/docs/DOC-55733
Let me know if you need any other information.
Thanks,
Kushagra A
-
Using the iplanet-am-static-group-dn attribute
Hi,
I'm trying to construct a user query filter that would return me all the users in a particular static group, in order to integrate with some Synchronisation Services in Plumtree Portal.
I'm thinking of using the iplanet-am-static-group-dn attribute to do so.
However it seems that although I can see this attribute, there are restrictions using this for queries. I could only use this attribute to query when using the root account. When I tried the same query with my application account, it returned no results.
I need advice on a few issues:
1) Are there other better ways to query for the users in a static group? I'm not sure if the iplanet-am-static-group-dn attribute will remain stable in future releases.
2) If there are no better ways to do this, can the right to query using this attribute be delegated? This is a system attribute, so I'm not sure if we can really open this out to be searchable by other users other than root?
Appreciate any advice on this at all, as I'm running on a tight deadline for this solution.
Thanks!
The best way to query for members of a static group is to read the list of uniqueMembers in the group entry itself.
The iplanet-am-static-group-dn attribute is an attribute whose usage is private to Identity Server, and is not guaranteed to be up to date, accurate, or maintained by any other tool that used the directory.
-
Static group performance down considerably in 5.2?
With the caveat that this system is supporting a set of applications that require static groups (and therefore preventing us from moving to a more scalable alternative), I've found that iPlanet 5.2 is much slower than 5.1 when it comes to handling static groups.
Consider this simple case.
1 - Create a sample tree with 500 inetOrgPerson entries and one groupOfUniqueNames entry.
2 - Create an LDIF file that adds the users to the group in 500 separate operations (e.g. 500 individual changetype: modify stanzas).
3 - Create an LDIF file that deletes the 500 users from the group in the same way (500 individual changetype: modify stanzas).
In 5.1, this operation takes 20 seconds to add, 15 seconds to delete for a total of 35 seconds.
In 5.2, this operation takes 31.2 seconds to add, 125.5(!!!) seconds to delete, for a total of 156.7 seconds.
Any ideas? I've worked with Sun support a bit and have implemented the nsslapd-search-tune parameter, but that's about it so far.
Help?
Well first let's start with what exact version of 5.1 and 5.2 you are comparing?
DS 5.2 is 5.2 Patch 2 (DS 5.2_2)
DS 5.1 is 5.1 Service Pack 2 (DS 5.1 SP2)
Second do you have the referential integrity plugin enabled? If yes is it properly indexed on 5.2?
Yes it is enabled. The current attributes it is monitoring are:
- member
- uniquemember
- owner
- nsroledn (note, this only shows up in the dse.ldif, not the gui)
All attributes are indexed for equality
What value for nsslapd-search-tune are you using and what was your case number?
Current nsslapd-search-tune is set to 57. Case was 64814323
Is 5.2x installed on exactly the same machine as 5.1? Using the same disk partitions?
Yes and yes. Tests are being run one at a time. System is a 4CPU SunFire 480R with 8GB of memory.
Upon further investigation, it appears that group modifications are where we have the biggest hit. In my test case, I have built an ldif file with 1,000 'add single user to a specific group' operations in it. I then have a file that deletes all of those users, one at a time, from the same group.
I then time how long it takes for ldapmodify to execute these files against the respective versions of the directory server.
In 5.1 it takes 43 seconds to add the users, in 5.2 it takes 97.
In 5.1 it takes 33 seconds to delete the users, in 5.2 it takes 750!!!(12.5 mins)
This is with the same content in the tree to start with (it isn't empty). We did run into an allids threshold issue before, it is now set to 8000, which gives us enough room to avoid hitting it for objectclass=groupOfUniqueNames.
Thanks for any suggestions you may have.
-
Dynamic Group pull from static group
We've been restructuring our distribution groups to utilize dynamic groups for some areas. We're finding this minimizes the amount of confusion and management we have to perform on the groups.
What I'd like to know is if it is possible to create a dynamic group that pulls from a static group. An example, we have a static group made up of all members of a specific group. What I'd like to accomplish, is to create a dynamic group that would pull from members from this group based on their Job Title. Example: Static Group members with Title Partner
According to this document, MemberOf is a filterable property. You're welcome to give it a try.
https://technet.microsoft.com/en-us/library/bb738157(v=exchg.150).aspx
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
-
External emails in members of static group
Hi,
I have been using static groups as list of emails (like alias) but all email members of these groups are internal emails all from my domain. Someone asked me to do a list or group of emails but email members are external (yahoo, hotmail etc). How could I do this?
Hi jay,
Your assumptions are correct but,
The command "commadmin group modify" reported OK when I tried to add an external member but didn't add the member. So I just add the attribute
mgrpRFC822MailMember: [email protected]
with an ldif file and it works fine.
-
Configure Balance logon Group in Portal
Hello experts,
I've installed the portal central instance in one machine and a dialog java instance for this portal in another machine, after I installed the webdispatcher in central instance machine, now I want to configure the Logon Group, could anyone help me?
I don't have idea to do this, if someone does this configuration please help make the same.
Thanks
Hi,
Please check the below link for configuring the logon groups:
Link: [http://help.sap.com/saphelp_nw70/helpdata/en/c4/3a64b4505211d189550000e829fbbd/content.htm]
Hope it helps.
Thanks & Regards,
Gourav
-
Static Group headers while scrolling "Down"
Finally got Row Header to stay present while "scrolling down".
Now I would like to have the 1st group row also remain present while scrolling down in the details. Any options?
Hi Marzipan24,
Sorry for misunderstanding your question in my former reply.
In a table, if we want to freeze column header, we should make the changes in the first Static row group in Row Groups pane with Advanced Mode. For more details, please see:
In the Grouping pane, click the arrow that appears to the right of the Column Groups label, and click Advanced Mode to display all groups. You have done this according to the picture you posted.
In the Row Groups sections, click the first Static group, and then in the Properties window, set the RepeatOnNewPage property to True.
The following screenshot is for your reference:
Besides, if we want to freeze column header in a matrix, we can enable “Repeat header columns on each page” and “Keep header visible while scrolling” options in Column Headers in Tablix Properties dialog box.
If there are any other questions, please feel free to ask.
Thanks,
Katherine Xiong
TechNet Community Support
-
Need Help for configuring Floating static route in My ASA.
Hi All,
I need your support for doing a floating static route in My ASA.
I have tried this last time but i was not able to make it. But this time i have to Finish it.
Please find our network Diagram and configuration of ASA
route outside 0.0.0.0 0.0.0.0 6.6.6.6 1 track 1
route outside 0.0.0.0 0.0.0.0 6.6.6.6 1
route rOutside 0.0.0.0 0.0.0.0 3.3.3.3 10
route inside 10.10.4.0 255.255.255.0 10.10.3.1 1
route inside 10.10.8.0 255.255.255.0 10.10.3.1 1
route inside 10.10.9.0 255.255.255.0 10.10.3.1 1
route inside 10.10.15.0 255.255.255.0 10.10.3.1 1
route rOutside x.x.x.x 255.255.255.255 5.5.5.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 10.10.3.77 255.255.255.255 inside
http 10.10.8.157 255.255.255.255 inside
http 10.10.3.59 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set cpa esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn_cpa 1 match address acl_cpavpn
crypto map vpn_cpa 1 set peer a.a.a.a
crypto map vpn_cpa 1 set transform-set abc
crypto map vpn_cpa 1 set security-association lifetime seconds 3600
crypto map vpn_cpa interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
track 1 rtr 123 reachability
telnet 10.10.3.77 255.255.255.255 inside
telnet 10.10.8.157 255.255.255.255 inside
telnet 10.10.3.61 255.255.255.255 inside
telnet timeout 500
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.10.3.14
webvpn
tunnel-group .a.a.a.a ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
smtp-server 10.10.5.11
prompt hostname context
Cryptochecksum:eea6e7b6efe5d1a180439658c3912942
: end
I think half of the configuration still there in the ASA.
Diagram.
Thanks
Roopesh
You have missed the last command in your configuration, Please check it again
route ISP1 0.0.0.0 0.0.0.0 6.6.6.6 track 1
route ISP2 0.0.0.0 0.0.0.0 3.3.3.3
sla monitor 123
type echo protocol ipIcmpEcho 8.8.8.8 interface ISP1
num-packets 3
frequency 10
sla monitor schedule 123 life forever start-time now
track 1 rtr 123 reachability
You can do NAT in same way, here the logical name of the interface will be different.
Share the result
Please rate any helpful posts.
-
How to configure Multiple static NATs
Hi,
I am trying to configure a Cisco 871 router.
I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static ip for a network before and I know I've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
Thanks in advance for any help.
You can execute multiple apply processes ( parallel parameter ). It is pretty much scalable.
There is one thing why 2 propagate processes can be helpful: I consulted one client with different reqs for replication delivery for different tables. In this case you can create 2 propagate processes in different schemas (with different db links).
For maintenance point of view one propagation and one apply is better
Regards,
SergeR
-
No Internet Access while Apps configure with Static IP - How to resolve?
Dear Legends,
I have installed a development instance which my configuration as follows:
OS - Oracle Enterprise Linux 5.7 64 bit
Instance - R12.1.3
HDD - 500 GB
RAM - 8GB
IP - static - 192.168.1.10
Subnet mask - 255.255.255.0
Gateway - 192.168.1.1 --> router ip
I need to setup a static ip only, but if I setup a static ip I am able to access instance but no internet access, so that if I need to do any automation work like cron and sendmail is not working. How do I resolve this?
1. I tried to setup a static ip configuration as editing the /etc/hosts and entry as
192.168.1.10 hostname alias
2. edited the resolv.conf for adding a nameserver as follows
search hostname
nameserver primary dns
nameserver secondary dns
but these entries are not available when I issue a service network restart
3. Edited /etc/sysconfig/network-scripts/ifcfg-eth0
# Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller
DEVICE=eth0
BOOTPROTO=none --> even i have changed this to STATIC/none but no change
HWADDR=B8:88:E3:30:1A:ED
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes
HOSTNAME=devl.rel.net
IPADDR=192.168.1.10
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
Since I'm trying to update my old threads if it is similar to this but I don't find any old threads, please kindly request you to provide your valuable suggestions.
Regards,
Karthik Singh
karthiksingh_dba wrote:
Hi Hussein,
As per your request I am continuing this thread in the following link HOW TO ACCESS MY VISION INSTANCE GLOBALLY? is it correct?
Regards,
Karthik Singh
Yes.
Thanks,
Hussein