Internet pipe redundancy

Similar Messages

• Internet anchor redundancy

  Hi experts,
  We have two main data centers. Currently we have two WLC4402 in the same data center as internet anchors for two different guest SSIDs. They are sitting on different DMZs.
  We are planning to replace them with two WLC5508 and have guest internet redundancy as well.
  May I please what would be the best option?
  Currently there are three options in my mind.
  Option 1, build a HA pair in the same data center with both guest SSIDs configured.
  Option 2, put one WLC5508 in one data center and the other WLC5508 in the other data center. Each WLC5508 has both guest SSIDs configured.
  Option 3, put both WLC5508 in the same data center but not HA pair. Each WLC5508 has both guest SSIDs configured.
  Your feedback will be appreciated.
  Thanks
  Cedar

  Why do HA on Guest Anchors... to me I just don't see any benefit.... AP SSO doesn't work since AP's are not joined to these WLC.  Client SSO only seems to work on foreign WLC's.  Again, it's really up to you and if you plan on doing HA, make sure you stick with v7.4.110.0 which seems pretty stable.  Others are also running v7.5 and v7.6, but I haven't unless the customer requires certain features.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Guest Internet Access

  Hi
  Looking for input on Guest Vlan subject.
  How can I avoid routing of Guess VLAN traffic to DATA VLAN, any traffic from Guest VLAN should be routed to Internet directly.
  Looking for similar setup as in Hotels, Guest are provided with username/password with time duration to access internet and limit the download speed.
  Do I need to create another SSID on the WLC and how the guest users will acquire ip, from WLC DHCP or Windows DHCP.
  If its Windows DHCP then Guest traffic reaches my Data VLAN
  Any Help

  We got WLC 4420 ----- Do you mean a 4402-xx
  AP 1200 series ( 5 in quantity )
  I am new to WLC, can you help me to understand
  How many SSID we can configure on WLC, does each ssid can have different config parameters.
  The AP's and the Code you might have will only support 8-16.  You don't want to configure too many (best practice is around 4) because of all the beacons that needs to be sent might cause issues with certain devices.  You can configure eash ssid the same of different, it is up to you.  Follow best practices on this.
  can we broadcast specific SSID on AP configured with WLC ( AP#1 can be used for SSID DATA & SSID Guest ) ( AP#2 can be SSID Guest & SSID Partners )
  You can create WLAN Override (depends on code - http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807669af.shtml) to specify what AP's will braodcast what SSID's.  This can be messy if you have gaps for roaming, unless that is not an issues.
  For Guest SSID is it recommended to connect to a seprate port on WLC
  You have different options:
  You can use a guest anchor controller in you DMZ
  You can use one port on the WLC connected to your internal network and the other port to the DMZ
  You can trunk vlans and use ACL's to block guest traffic from inside networks.
  All this depends on you current infrastructure and if you plan on buying more equipment or use the existing.
  Instead of creating Guest Users on WLC with time restriction, can this be done third party with ease of management. ( Office secretary can give access to internet to guest )
  You can use a NAC Guest Server... if you want to spend a lot of money.  You can configure a Lobby Admin account on the WLC so that the secretary has only read/write to add guest accounts.  This would be the same if you have WCS with a lobby admin account.
  http://www.cisco.com/en/US/docs/wireless/wcs/4.2/configuration/guide/wcsmanag.html#wp1078208
  How to have bandwidth control on WLC, restrict users with bandwidth limit
  You would need to use a 3rd party tool for this like ZoneCD or again you can use the NAC Guest Server.
  http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/data_sheet_c78-456124.html
  http://www.google.com/url?q=http://cisco.com/application/pdf/paws/107630/WLC_NGS.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=1&ved=0CAgQzgQoAA&usg=AFQjCNF0eA-Z8nss7WzgpPRnFjtSdZnvWQ
  http://www.google.com/url?q=http://www.cisco.com/en/US/solutions/collateral/ns340/ns394/ns348/ns787/DeployingGuestAccess_051308.pdf&ei=WtSTS9HpN43OM_WnkYoN&sa=X&oi=nshc&resnum=1&ct=result&cd=2&ved=0CAkQzgQoAQ&usg=AFQjCNGKgF_wWKQaI8lqHoFfwbg0iztVFg
  Any configuration sample link with one Internet connection having DATA and Guest VLAN  using ACL to restrict  the traffic.
  I put some links above... hope this helps.  Again, it will come down to your existing environment and how much more you want to spend.  You also have to look at the time it might take to setup, will the secertary want to do this, etc?  How I see guest access..... well.... they go out a seperate internet pipe, so I don't really care about bandwidth.  Its guests so they would have to deal with that anywhere the go, even hotspost or even worse hotels:)  Make it simple and make it work... then you can add to that later when you get more familiar to configuration and troubleshooting.

• Inbound Internet QoS

  My company accesses WAN web applications (webmail) over a DMVPN tunnel. A problem with this is that normal Internet traffic can consume the entire circuit and then the corporate webmail becomes really slow. I decided to make a QoS policy to protect the DMVPN traffic. Creating the outbound policy was very simple. I made a CBWFQ policy and applied it outbound to the outside interface. The problem with this is that the Internet link typically congests inbound, not outbound. I did some research and found a couple of solutions.
  One: Police non-DMVPN inbound traffic from the Internet to leave room for the DMVPN traffic. The problem with this solution is that now the Internet traffic cannot spike to full circuit speed when there is no DMVPN traffic.
  Two: Request the ISP to provide QoS for ESP traffic destined to us. I was hoping to find a solution that I could apply to our router so that we could deploy the solution to all of our DMVPN sites without having to negotiate with each ISP to configure QoS policies.
  Three: Tunneling all Internet access through regional hubs. This solution isn't an efficient use of bandwidth; however, I see the benefits of being able to centralize security devices.
  So I played around a little bit and came up with another solution.
  Create an outbound QoS policy on the inside interface of the router. (It has to be an outbound QoS policy to allow for queuing QoS methods.)
  The trick is that you first have to shape down the traffic to match the download rate of the Internet circuit so that the interface can reach congestion. In fact, I decided to shape the traffic to 90 percent of the maximum download rate so that I knew my router was dropping the packets before the ISP. Then I created a policy within that shaped policy to apply my queuing based QoS.
  For simplicity I am just tagging packets to DSCP 21 at the DMVPN head end and then using WRED as the queuing policy at the remote site.
  Sample:
  policy-map wred_in
  class class-default
  fair-queue
  random-detect dscp-based
  policy-map qos_in
  class class-default
  shape average [BANDWIDTH * .9 kbps]
  service-policy wred_in
  int [INSIDE INT]
  service-policy output qos_in
  So far the results have been very positive. Before applying this policy we were experiencing slowness with our webmail. We have been running this code for months now and it hasn't been slow since. When I look at the policy-map stats I see more DSCP 0 packets being dropped than DSCP 21. I have also added some tweaks to the WRED queue sizes because I wanted the policy to react faster to bursts of traffic.
  I'm looking for comments and suggestions. Has anyone else found ways to deal with inbound QoS on an Internet pipe?

  I've done the same (or similar), and as you noticed, it does work. The two major disadvantages were the need to artificially shape slower than the inbound link and how far you might have to shape down to avoid queuing on the far side. I recall starting at 90% but had to keep working my way down to fully control inbound traffic. Think I had to get down to about 60%. (This might have a been influenced by the size or our links and how busy they were.)
  Another technique I tried was shaping outbound TCP ACKs. The purpose of this was to attempt to keep TCP bandwidth hogs from being extremely bursty. It too worked, it could also be used with the inbound shaping. However, it was very sensitive. Much to do with delayed ACKs and/or piggybacked ACKs, I suspect.
  In our case, I believe the truly correct solution is to manage the traffic at the real bottleneck, which our ISPs were unwilling to do. The above techniques allow you do at least have some control.
  Something you might consider is separate circuits for regular Internet vs. VPN Internet. Often DSL or cable Internet is a low cost option that can be used to support ordinary Internet access without breaking the budget.

• Arch without Internet

  I am rehashing an interest in Linux,  I've been goofing off with it since 1991.  Including installing many distros Slackware 0.94 being my first ever distro off of 3.5 diskettes.  I have been working with Crux for the last two months, but I'm tired of watching my Thinkpad T30 compile and compile and compile.  So now I've become intrigued with Arch and their precompiled binaries.  This is merely an exercise and toy for me to enjoy and learn from.
  Here's my problem, I don't have internet at home.  I have free use of it at work.  So I've been carring tarballs home to compile.  Then realizing I missed a dependency and having to bring them home the next day.  I can't continue doing this as the frustration is certainly going to kill my wife.
  Finally here comes the question
  Is there an Arch install disk with Xorg and a basic desktop so I can at least get that far?
  Is there a repository I can burn to a CD with the most common apps and their dependents?
  Is there any other way to install and maintain Arch without internet? (redundent I know)
  Am I going to be forced to go to the library to access a network point just to get a base (not core) system up and running?  Things I want to install are Abiword, Xine, XMMS, burn some CD's, and maybe later play some small games.
  Thanks

  Bear Chow wrote:
  I am rehashing an interest in Linux,  I've been goofing off with it since 1991.  Including installing many distros Slackware 0.94 being my first ever distro off of 3.5 diskettes.  I have been working with Crux for the last two months, but I'm tired of watching my Thinkpad T30 compile and compile and compile.  So now I've become intrigued with Arch and their precompiled binaries.  This is merely an exercise and toy for me to enjoy and learn from.
  Here's my problem, I don't have internet at home.  I have free use of it at work.  So I've been carring tarballs home to compile.  Then realizing I missed a dependency and having to bring them home the next day.  I can't continue doing this as the frustration is certainly going to kill my wife.
  Finally here comes the question
  Is there an Arch install disk with Xorg and a basic desktop so I can at least get that far?
  Is there a repository I can burn to a CD with the most common apps and their dependents?
  Is there any other way to install and maintain Arch without internet? (redundent I know)
  Am I going to be forced to go to the library to access a network point just to get a base (not core) system up and running?  Things I want to install are Abiword, Xine, XMMS, burn some CD's, and maybe later play some small games.
  Thanks
  You could eg install faunos to disc.
  Edit: A better solution would probably be to make a mirror of the arch mirrors on a external hd, and sync that on work from time to time.
  Last edited by Mr.Elendig (2008-11-14 16:03:40)

• Internet Link Sharing on cisco 1841 router

  Dear All,
  We want to share our head office internet link with regional office users.
  Existing Setup at head office = Internet Lease Link with bandwidth = 2Mbps over Ethernet interface.
  Proposed setup = Additional point to point link between head office and regional office over ethernet.
  Requirement = Serve internet to regional office lan users from head office internet pipe using subinterface on the internet router at head office and natting the regional office lan.
  Do we need to enable dot1q on the switch where the regional office point to point link will terminate.
  Pls suggest.
  Regards

  attached diagram

• Slow website responses from flash intensive sites on guest wireless

  We are in the process of implementing Cisco ISE along with guest wireless.  The guests are pulling their addresses from a WLCE 5508.  Their DNS is coming from external servers, i.e. google dns.  When we log on a tablet, phone or laptop  to the guest wifi we are redirected to the auth page and then are allowed to surf. 
  The issue is that going to flash intensive sites such as www.cnn.com, www.espn.com, etc. the pages take 30 seconds to a minute to load, it's not a gradual load it loads all at once.  If I goto a site such as google.com, cisco.com the page loads immediately.  Speed tests show that we have plenty of bandwidth.  It reminds me of an MTU issue I used to see on Cisco 1700 routers.  If I changed the pc mtu the problem would go away. 
  Any ideas?  Thanks in advance!

  I have a few clients that anchor guest traffic from their remote site all over the USA back to one of their DC. I haven't heard any complaints or concerns from them. The links vary in bandwidth. The only thing is different than what you have is that they are not using the anchor WLC as a dhcp. I have had many issues in the past using the WLC in large environments that I don't recommend it. Many of my customer also have redundant guest anchors but only a few would have a dedicated internet for guest. The others share the same internet pipe.
  Sent from Cisco Technical Support iPhone App

• HREAP not allocating correct ip address!

  Hi,
  Help please!
  I have two sites.
  Main site (local) has two Vlans: Vlan1 and Vlan2. Each has its own IP address range.
  VLAN 1 is the default Vlan and is used for CORPorate traffic. IP range 10.33.4.*
  VLAN 2 is for guest access to the internet IP range 10.10.10.*
  I have a WLC4402 on the this site with 2 WLANs: CORP on Vlan1 and GUEST on Vlan2.
  I also have..
  Branch site (remote) which has 2 Vlans: Vlan1 and Vlan2. Each has its own IP address range.
  VLAN 1 is the default Vlan and is used for CORPorate traffic. IP range 10.125.15.*
  VLAN 2 is for guest access to the internet IP range 10.10.11.*
  I have an 1141 on this site using HREAP.
  Each site has its own internet pipe
  My Issue is:
  Locally, if you connect to CORP, you get a CORP ip address and access to CORP network. If you connect to GUEST, you get a guest ip address and guest access to the guest network. Simple so far....
  Remotely, if you connect to CORP, you get a CORP ip address 10.125.15.x and access to CORP network (great). If you connect to GUEST, you get a CORP ip address 10.125.15.x and access to CORP network (not great). This is with the HREAP native vlan ID for the access point set to 2 on the controller.
  If I set the native vlan ID to 1 on the controller, I can not get an IP address at all.
  If I do not set the native vlan ID on the controller, I can not get an IP address at all.
  What am I doing wrong?
  Many thanks.

  At first what is the idea of the the Hreap?
  On the remote side should wireless clients be getting an IP address from that network  or should these be getting an IP from your local network?
  Please send us the show run from the remote switch, and show cdp neig.
  From the WLC show us the configuration of the AP and thef vlan assignment and the show run-config
  Thanks

• Can I run two DSL lines into my airport network?

  I have a 1.5M line from Qwest and can not get faster speed from anyoe else in my semi-rural community. Can I run two 1.5 DSL lines into one or two airport extremes and get the equivalent of a 3.0 line?

  If I have two DSL lines each connected to its own Actiontec modem with each modem connected via ethernet to its own airport extreme then it sounds like I need to have two wireless networks to take advantage of the second DSL connection. Correct? We have a lot of computers being used in the household so could put the kids on their own network.
  Apparently the airport extreme can not manage a network with two internet connections even if they are connected via separate airport extremes? I have worked at companies that have done this for internet connection redundancy purposes so there must be devices that can handle this.
  Message was edited by: David in Colorado
  Message was edited by: David in Colorado

• Webcam video recording bandwidth

  hi all,
  When capturing a webcam feed using FMS - is there any loss of
  information during the upload process?
  If my client has a limited uplink (for instance a poor DSL
  uplink bandwidth) - does the resulting FLV file will suffer from
  lost frames etc.? (is RTMP reliable or lossy)
  If not lossy- how does it works?? does Flash client buffer
  the recorded webcam feed on the client (because of the upload
  limitations)?
  where can I find more formal information about this (searched
  FMS docs with no luck),
  thx,
  Chen.

  Yes... the Flashplayer will drop frames if the client's
  connection to the server isn't fast enough. You can set the amount
  of data that is bufferred on the client (see the FMS docs about the
  client side netstream buffer), but if the buffer fills and can't
  empty out to the server, you'll start losing frames.
  As I understand things, audio takes precidence over video, so
  video frames will drop before audio data is dropped.
  What you might want to do is test your client's connection
  speeds (you can do that with FMS), and then employ a little dynamic
  bitrate/framerate control in your client side AS. That way, you can
  ensure that the client doesn't try to transmit more data than their
  internet pipe can handle, and you won't lose and data.

• ISA Server 2006 + Average response time for Non Cached requests = performance issues?!?!?!

  All,
  I am in a predicament with internet browsing speeds...We have a 3rd party look after our line and internet facing f/w  so I cant troubleshoot them, so at the moment Im looking at ISA as the potential bottleneck - we have a fairly standard environment:
  Internal > Local Host > Perimiter n/work > Firewall > Internet
  I have been running custom reports on the ISA server to see what data can be collected - I have noticed that "Average response time for non cached requests" (traffic by time of day) can be as high as 76 seconds!!!!!! Cached hits are between .5
  and 2 seconds.
  I have also coonfigured a connectivity verifier which is also flagging slow connectivity, massively over the >5000ms and also reporting "cant resolve server name on occassions- and this is configured for
  www.Microsoft.com --- DNS ???!?!, however I have looked through DNS (no obvious errors / config issues) which I can see 
  I have run the BPA on ISA server to ensure its Health - - connectivity verifier errors flagged timeouts to microsoft.com as expected...
  Can anyone advise any obvious areas to investigate as Im struggling! - as always the 3rd party have told us the internet pipe is fine :O

  Problem resolved.
  DNS forwarders have been changed on the ISA server / DNS and this has improved lookup speed considerably.
  thanks all :)

• IWeb Publish to FTP: Double Site Name

  My attempt to mount an iWeb site publishing via FTP to my commercial host server on my acquired domain name josephscriven.org works well EXCEPT when it is up on the Internet a redundant duplication creeps into the URL. After clicking on or entering josephscriven.org the website comes up beautifully but the URL is listed as http://josephscriven.org/Home/Home.html.
  Changing the "Home" to anything else does not help as then the new name is simply duplicated.
  Any thoughts out there?
  Thanks

  I ran into that as well. Even worse, the redirect that iWeb set up to send site visitors to the subdomain that it stored the actual site files in didn't work in some browsers, including Microsoft Internet Explorer, which accounts for roughly 80% of site traffic on most of my sites.
  I just bought a Mac, so I set up a simple test site, just to help me get the feel of it. If you have access to your site via FTP. I had to use my PC for this, since I am thus far unfamiliar with any of the FTP programs available for a Mac, but I'm sure they will work well enough once I figure them out.
  Anyhow, if you access your site through FTP, you can move your site files and folders down one level, back to the command line for your domain, and everything should work fine, without the silly redirect.
  The only glitch I had in this is that the Index.html file that was used for the redirect that iWeb set up capitalized the first letter in the file name, whereas the index.html file used in the site itself was not capitalized. When I first did that, I would get a 404 upon trying to navigate back to the index (home) page of the site using the navigation menu. Changing the site index.html file to Index.html fixed that problem, as you can see in http://www.pinegrovealpacas.net/.

• Low Bandwidth

  Hi,
  I have cisco 2950 24 port switch and Cisco pix 506E firewall. here are my network design
  swtich -- port 2/3 Vlan 2(public Vlan)
  rest of the port on Vlan 5(private Vlan)
  Internet pipe(1 mbps brustable to 10MB) connected to port 2(public VLAN)
  Pix outside connected to POrt 3(public Vlan)
  pix Inside port 4 (Private Vlan)
  Now I'm getting very low internet speed around 80K/Sec download speed.
  ISP people directly tested Internet pipe -- they got 5.5 MBPS download speed.
  Can any body help me

  Take the PIX out of the equation and test again to see if its the problem...

• Guestnet -no authentication requested after a user reboots

  On our guest wireless, at times when a user shuts down their laptop
  and powers back up they are not asked to re-authenticate.
  The only security is a login and password then the user is tunneled
  to our 440 in our DMZ then out the internet pipe.
  My question is if the user shuts the laptop off then starts it back up
  shouldn't they be prompted for the user login and password?

  I assume you are talking about webauth.
  You don't want your user to re-webauth every time they roam, right?
  So when your client shuts down its laptop, unless it told the AP it was disassociating, then the WLC still think he is a connected client.
  When they reboot and connect again, as far as we're concerned the client just "roamed" somewhere else.....
  The bottom line is that the Idle Timeout is what cleans up an entry that is no longer associated. By default this is 5 minutes (TYPO earlier), so if you reboot in less than 5 minutes, you'll get connected and stay authenticated.   At which point, the total session timeout is the next authentication period..
  So long story short, if you want a reboot to cause clients to fully authenticate again with webauth, you're going to either find a way to tell the client to disassociate properly... or you're going to have to drop your idle timeout to a number that will expire while a client is rebooting....
  Make sense?

• Is FMS Unicast or Multicast? Pro/Con FMS vs WMS

  Hello,
  I have two questions:
  Is FMS Unicast or Multicast?
  What are the pros/cons with FMS vs WMS?
  The reason for my questions is that my company has a Flash
  Streaming Server and a Windows Media server and we would like
  streaming video of conferences displayed on our Intranet. I have
  setup the streaming service and am using flash media encoder.
  However, we also stream other content to a windows media player and
  the benefits of that is the ability to Multicast. I would like to
  use FMS because I can customize the experience but I know I will
  have to justify against a multicasting system
  Thank you for your time

  quote:
  Originally posted by:
  solostruggle
  JayCharles, Thank you for your response. It is very much
  appreciated.
  I had no idead that our 1000/40/ Unlimited would not be
  sufficient. WOW
  I am looking at the adobe pricing here
  http://www.adobe.com/products/flashmediaserver/productinfo/pricing/
  and I have a question regarding your suggestion of the
  150/unlimited. I was under the impression that concurrent meant
  simultaneous and how could I meet my 800 user needs with only 150
  concurrent connections?
  The FMS pro license has 3 profiles. You can choose one
  profile per server, and the profile you select applies to all
  licenses installed on that server (you can stack up to 10 licenses
  on a single server).
  Assuming you configure the server with the 150/unlimited
  profile, you can accomodate 150 users simultaneously on a single
  license, and they can each consume as much bandwidth as they want
  (limited by the physical server and the internet pipe/LAN
  bandwidth, of course). If you were to buy two licenses and put them
  on the same server, you could have 300 users with no bandwidth
  limits, 450 users with 3 licenses, and so on.
  In the case of the 40/1000 license profile, each license on
  the server will give you 1000 connections, or 40mpbs of throughput.
  As soon as either one of those limits is reached, the server will
  reject new connections until both the number of connections and the
  bandwidth usage are below license limits. If you were to install 2
  licenses under the 40/1000 profile, you can have 2000 concurrent
  users, or 80mpbs of bandwidth, whichever comes first.
  So, assuming you want to serve good quality video to 800
  users simultaneously, you'll need 6 licenses... which will run you
  somewhere on the order of $27,000