IPv6 ACL host limitation also for private network?

Hello,
I'm using a Cisco WS-C3750G-24TS-1U running 12.2(44)SE5. I know the IPv6 ACL limitations for this hardware.
However, I think that the private network range (fc00::/7) should not be affected. In my case, I'm using EUI addresses.
switchcore(config-ipv6-acl)#permit tcp any host 2001:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
switchcore(config-ipv6-acl)#permit tcp any host 3FFF:0:0:0:222:64ff:fec2:1f5a eq www sequence 20  
switchcore(config-ipv6-acl)#permit tcp any host fdc8:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
% Host address FDC8::222:64FF:FEC2:1F5A can not be supported
% ACE can not be added
% Failed to modify access list
switchcore(config-ipv6-acl)#permit tcp any host fc00:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
% Host address FC00::222:64FF:FEC2:1F5A can not be supported
% ACE can not be added
% Failed to add access list
Is IOS right?

Hum... yes, you are right. I missed this point. Thanks.
Anyway, "Private Network" would fit very well in this list
– aggregatable global unicast addresses
– link-local addresses
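The acceptance rule the reply arrives at (host entries only for aggregatable global unicast and link-local addresses) is easy to check before an ACL is pushed to the switch. The following is an added example, not code from the thread or from Cisco: it assumes that the supported classes are exactly 2000::/3 and fe80::/10, as the reply lists them, classifies every address that follows the `host` keyword, and reproduces the switch's "% Host address ... can not be supported" diagnostic for the others. Function names are hypothetical; the four ACEs at the end are the ones typed in the thread.

```python
"""Pre-check IPv6 'host' ACEs against the address classes the reply lists.

Added example, not code from the thread or from Cisco.  It assumes exactly
what the reply states for this platform: 'host' entries are accepted for
aggregatable global unicast (2000::/3) and link-local (fe80::/10) addresses
and rejected for anything else, unique-local (fc00::/7) included.  The
function names are hypothetical.
"""
from __future__ import annotations

import ipaddress
import re

# Classes from the reply's list (assumed to be the supported set).
SUPPORTED_HOST_CLASSES = {
    "global-unicast": ipaddress.IPv6Network("2000::/3"),
    "link-local": ipaddress.IPv6Network("fe80::/10"),
}
# Named only so the diagnostic is clearer; both are rejected on this platform.
OTHER_CLASSES = {
    "unique-local": ipaddress.IPv6Network("fc00::/7"),
    "multicast": ipaddress.IPv6Network("ff00::/8"),
}

ACE_RE = re.compile(r"^\s*(permit|deny)\s+\S+\s+\S", re.IGNORECASE)

# The four entries from the thread (constructed copy of the CLI session).
THREAD_ACL = [
    "permit tcp any host 2001:0:0:0:222:64ff:fec2:1f5a eq www sequence 20",
    "permit tcp any host 3FFF:0:0:0:222:64ff:fec2:1f5a eq www sequence 20",
    "permit tcp any host fdc8:0:0:0:222:64ff:fec2:1f5a eq www sequence 20",
    "permit tcp any host fc00:0:0:0:222:64ff:fec2:1f5a eq www sequence 20",
]


def classify(addr: str) -> str:
    """Return the class name of an IPv6 address ('other' if none of the above)."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in {**SUPPORTED_HOST_CLASSES, **OTHER_CLASSES}.items():
        if ip in net:
            return name
    return "other"


def host_addresses(ace: str) -> list[str]:
    """Every address that follows the 'host' keyword in an ACE."""
    tokens = ace.split()
    return [tokens[i + 1] for i, t in enumerate(tokens[:-1]) if t.lower() == "host"]


def check_ace(ace: str) -> tuple[bool, str]:
    """Return (accepted, message), mirroring the switch's '% Host address ...' error."""
    if not ACE_RE.match(ace):
        return False, "not an ACE: expected 'permit|deny <protocol> <source> ...'"
    for addr in host_addresses(ace):
        try:
            cls = classify(addr)
        except ipaddress.AddressValueError:
            return False, f"malformed IPv6 address {addr}"
        if cls not in SUPPORTED_HOST_CLASSES:
            shown = ipaddress.IPv6Address(addr).compressed.upper()
            return False, f"host address {shown} ({cls}) can not be supported"
    return True, "ok"


def check_acl(lines: list[str]) -> list[tuple[str, bool, str]]:
    """Check every non-empty line of an ACL before pushing it to the switch."""
    return [(line, *check_ace(line)) for line in lines if line.strip()]


if __name__ == "__main__":
    for line, ok, msg in check_acl(THREAD_ACL):
        print("OK  " if ok else "FAIL", line, "" if ok else f"-> {msg}")
```

Run stand-alone it lists the first two thread entries as accepted and the fdc8:: and fc00:: entries as rejected, the same split the switch produced. A deployment script would run `check_acl` over the rendered ACL and refuse to push it when any entry fails, instead of discovering the "% ACE can not be added" error mid-change.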

Similar Messages

  • Oracle RAC and crossover cable for private network

    Hi,
    I have the following configuration: two database servers, each has four network cards, two for public network and two for private, cluster network. Each public card has own IP-address and both have virtual IP-address, defined in operation system (SLES-9) for redundancy. Because I have only two machines in the cluster I want to connect the two machines for private with crossover cable without switch. For redundancy I want to make two connections between machines. Is it at all possible? How should I defined all network interfaces and what should be included in /etc/hosts for properly work of Oracle cluster?
    Best Regards,
    Jacek

    Hi,
    You can build a RAC with CROSSOVER, but Oracle does not homologate it.
    As you have 4 cards, 2 for public (redundancy) and 2 for interconnect (redundancy), you need software to make a TEAM and create a virtual card that will have an IP address.
    Eder

  • Build a gateway server for private network ???

    Hello all good friends,
    I have a private network, and one Linux box with a public IP address and two NICs connecting directly to the ISP. Now I want to set up this Linux box to operate as a gateway server so that all my private networks can use the Internet. I have asked this question of many people and got many suggestions, such as installing IPchains (NAT server), IPtables (NAT server), SQUID (proxy server), ... But until now the big question for me is which software is the best one, I mean which software allows my private network to access the Internet fastest (proxy server or NAT server only?) and which one is the most secure? Besides, if you have another opinion, please tell me if you don't mind.
    I will be very grateful all my life to all of you who answer me.
    Tu from Vietnam

    The best thing I would suggest is to buy a gateway router. I have a D-Link 804, but you can buy anything that pleases you more or suits your demands. Also this way, you do not have to have a computer "turned on" all the time. Some other advantages are that functions like DHCP, NAT and other features are built into the router. This way you can connect up to 253 computers to a router and also have a 100 Mb/sec internal home network. You can also go for the wireless option, if you have more money to spend. Just look up more information on the net.
    i2l2

  • Limiting / ChargeBack for Virtual Networks Per Tenant

    Hi,
    Is it possible to limit the number of virtual networks that a tenant can provision in Azure Pack, or even better is it possible to ChargeBack at a fixed cost per virtual network that is provisioned?
    Reason being that every virtual network that is created uses one public IP address and these are limited and cost money to purchase... they are not an infinite resource for us.
    Thanks in advance.
    Microsoft Partner

    If you follow Mark's advice, you will at the Plan level in the service admin portal see that you can limit the amount of VM networks that can be created.
    This is for the plan in general.
    Regarding usage and billing: are you using CloudCruiser or any other third-party integration with Azure Pack today? If you don't plan to expose any of the cost metrics to your tenants, I would say it is a matter of deciding how you plan to bill the tenants at the end of the day.
    Also note that you can "easily" create your own billing adapter using the billing API's available (using Powershell or/and JSON).
    We have done this for several customers and stored the required data in a dedicated database for reporting. 
    -kn
    Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

  • Nvidia's frame limiter also for linux?

    Hi, I was wondering if that pretty darn good fps limiter that's in nvidia's windows drivers (I believe from 290.53 on) is also in nvidia's linux drivers.
    Read through basically everything I could find but I couldn't find a hint on the fps limiter for linux.
    So I was hoping someone here knows about that.

    Checked that, couldn't find it in there. Though that doesn't mean overly much, the docs have always been missing a lot. That's why I was hoping someone here knows more about it.
    Well yes, vsync does limit the number of frames that are being put out to the refresh rate of the display. But that has its glitches, for example if the frame rate drops for a moment below that given rate. That's what triple buffering is for, but that has its own downsides, amongst them losing one frame, losing video memory to the extra backbuffer, and in some cases it still doesn't prevent tearing.
    The frame limiter though lets me limit the rendering/computing of the frames directly: instead of computing everything to the max and then discarding the excess frames, this frame limiter (unlike most limiters in common applications) actually has the graphics card only compute the x number of frames that I set it to, thus decreasing the load on the graphics card. That is what I'm personally opting for the most.

  • Setting up PIX515E VPN for two networks

    Hello,
    We have a PIX515E and I want to set it up so it can serve client VPN connections for a network on the inside interface and also for a network on the dmz interface.
    On a client machine we set up the ip address of the PIX in a VPN connection and the user can log on using credentials and domain. Now the PIX has to look up credentials using RADIUS, but some users are known on domain A (inside interface) and some users are known on domain B (dmz interface). Domain B is completely different and uses other internal ip addresses, dns servers, ip pool etc.
    Already I have set up VPN for the inside interface and that was easy and it works ok.
    But can I create such a configuration? We only have one DSL line and we want both networks (domain A 192.168.1.x and domain B 192.168.10.x) to go through this PIX.
    Your help is more than appreciated!
    Regards,
    Frank

    rob,
    i don't know your budget requirements, but here is a relatively easy solution:
    http://www.apple.com/server/macosx/features/networkingvpn.html
    and here is an OSS solution that will take a bit more work (but should run on an older box with bsd, linux, or os x running on it):
    http://openvpn.net/
    cheers,
    b

  • Proper routing for lan through verizon private network (GRE) to airlink gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated, spending many more hours than allotted to try and learn some of the finer details). Time for some advice. My usual trade is controls engineering, which generally requires only basic knowledge of networking principles. However, I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well, the infrastructure is now in and it's time to get these things talking. Basic topology description is as follows: Each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IPs. This private network's address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon. The original turn-up was done with another contractor who did a basic config of the router, which you will find below. As it stands now I am pretty confident the tunnels are up and working (if I change a local computer's subnet mask to 255.255.0.0 I can surprisingly reach the Airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone's help in getting this set up correctly. I also have a few questions about the setup that still don't make sense to me; you will find them below the config. Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1 
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret 
    redundancy
    crypto isakmp policy 1
    encr 3des
    hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99  
    crypto isakmp key AbCdEf01294 address 99.100.14.88 
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
    mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET 
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
    description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
    duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
    Now for a couple of questions for those that are still actually hanging around.
    #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
    #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
    #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

    My first comment is that you have two posts in this forum and as far as I can tell they are exact duplicates, other than changing the title of the posts. It is better to figure what you want to ask and then to ask once.
    My second comment is that you have given us information about your central site. At some point we may also need some information about what is at the remote and how that is set up. But for now we will deal with what we know about your site.
    Before I deal with your specific questions I will comment that if you are able to access the remote airlinks that it is a pretty good indicator that the tunnels are probably working. But to understand the significance of this it would help if you clarify for us what address is on the local computer when you change the subnet to 255.255.0.0.
    Also, what you have shown us allows us to see that BGP is configured but provides no insight into whether BGP is working or not. It would provide helpful information if you would post the output of show ip bgp sum.
    So to address your specific questions:
    You suggest that adding a static route for 192.168.1.0 might be part of the solution. But we have no information about what that network is or its significance. So we have no way to know whether the static route would help or not. But my guess (based on very scant information and therefore based mostly on assumptions) is that if BGP is working correctly that the static route is not needed.
    1) asks about an Ethernet address on the tunnel. I assume that you really meant to ask about the IP address assigned to the tunnel. The reason that the tunnel needs its own IP address is that we want a unique subnet assigned to the tunnel. If we used the address from the physical interface as you suggest then both tunnels would have the same address, and that implies that they both connect to the same place, and that assumption is not correct.
    2) Yes it is correct to point the default route to the IP address that is the next hop from the Ethernet interface. You might want to have a route pointing at the tunnel address for remote subnets reached via the tunnel. But in looking at the config and trying to understand what was intended it is pretty obvious that running BGP over the tunnel is intended to learn the remote addresses over the tunnel and therefore there is no need for static routes for the remote resources.
    3) You should not need an additional permit for TCP 402. The TCP packet will be carried through the tunnel, and the access list you are referring to will see the packet with the modbus polling as GRE traffic and not as TCP traffic.
    HTH
    Rick
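The point in answer 3, that the crypto ACL classifies the Modbus poll as GRE because it only ever sees the tunnel envelope, can be traced step by step. The following is an added example and not code from the thread or from Cisco: the addresses, tunnel endpoints and VZW_VPN entries are copied from the posted config, the 192.168.1.0/24 route via Tunnel1 is assumed to be what BGP learns over the tunnel (the post shows no BGP table), and the LAN and remote host addresses are constructed. It does a longest-prefix route lookup, encapsulates in GRE when the route points at a tunnel, routes the envelope, and then matches the envelope against the crypto ACL exactly as a crypto map would.

```python
"""Trace a Modbus/TCP poll from the central LAN through the GRE tunnel and the
crypto map ACL.

Added example, not from the thread or from Cisco.  Addresses and the VZW_VPN
entries are those in the posted config; the 192.168.1.0/24 route via Tunnel1
is assumed to have been learned by BGP (the post does not show the BGP table),
and the LAN/remote host addresses are constructed.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
PORTS = {"isakmp": 500, "modbus": 502}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int | None = None
    inner: Packet | None = None   # set when this packet is a GRE envelope


# (prefix, next hop or tunnel).  Default route from the config; the /24 is the
# assumed BGP-learned route for the Verizon private network.
ROUTES = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "22.20.19.19"),
    (ipaddress.IPv4Network("192.168.1.0/24"), "Tunnel1"),
]
TUNNELS = {"Tunnel1": ("22.20.19.18", "99.101.15.99")}   # tunnel source, destination

CRYPTO_ACL = [   # ip access-list extended VZW_VPN, as posted
    "permit gre host 99.101.15.99 host 22.20.19.18",
    "permit icmp host 99.101.15.99 host 22.20.19.18",
    "permit esp host 99.101.15.99 host 22.20.19.18",
    "permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp",
    "permit gre host 22.20.19.18 host 99.101.15.99",
    "permit gre host 22.20.19.18 host 99.100.14.88",
]


def lookup(dst: str) -> str | None:
    """Longest-prefix match over ROUTES; returns the next hop or tunnel name."""
    ip = ipaddress.IPv4Address(dst)
    best = None
    for net, via in ROUTES:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def _addr_spec(tok: list[str], i: int):
    """Parse 'any' or 'host A.B.C.D' at tok[i]; returns (match function, next index)."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        want = tok[i + 1]
        return (lambda a: a == want), i + 2
    raise ValueError(f"unsupported address spec {tok[i]!r}")


def ace_matches(line: str, pkt: Packet) -> bool:
    """Does this ACE match the packet's outer header (protocol, addresses, port)?"""
    tok = line.split()
    if PROTO[tok[1]] != pkt.proto:
        return False
    src_ok, i = _addr_spec(tok, 2)
    dst_ok, i = _addr_spec(tok, i)
    if not (src_ok(pkt.src) and dst_ok(pkt.dst)):
        return False
    if i < len(tok) and tok[i] == "eq":
        port = PORTS.get(tok[i + 1]) or int(tok[i + 1])
        return pkt.dport == port
    return True


def crypto_acl_match(pkt: Packet) -> str | None:
    """First ACE that matches, or None for the implicit deny (sent in the clear)."""
    return next((line for line in CRYPTO_ACL if ace_matches(line, pkt)), None)


def forward(pkt: Packet) -> dict:
    """Route pkt; GRE-encapsulate when the route points at a tunnel, then route the envelope."""
    via = lookup(pkt.dst)
    if via in TUNNELS:
        src, dst = TUNNELS[via]
        pkt = Packet(src, dst, PROTO["gre"], inner=pkt)
        via = lookup(dst)
    ace = crypto_acl_match(pkt)
    return {"next_hop": via, "outer": pkt, "crypto_ace": ace,
            "encrypted": ace is not None and ace.startswith("permit")}


if __name__ == "__main__":
    poll = Packet("192.168.11.50", "192.168.1.20", PROTO["tcp"], PORTS["modbus"])
    print(forward(poll))
```

For the Modbus poll the trace shows the inner packet routed into Tunnel1, the envelope (protocol 47, 22.20.19.18 to 99.101.15.99) routed to the default next hop 22.20.19.19, and the fifth VZW_VPN entry matching, which is why no TCP entry is needed. The same function shows the other side of the answer to question 2: a destination for which only the default route exists is sent to the physical next hop unencapsulated and, being TCP, matches nothing in the crypto ACL.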

  • IPv6 ACLs for ZBFW with changing IPv6 prefix?

    Hi all
    Is there a trick to keep IPv6 ACLs for ZBFW working when the IPv6 prefix changes?
    Background:
    6RD based residential internet access.
    Provider has a /28 6RD-Prefix, and will append the whole 32bits of the DHCP assigned public IPv4 address, leaving a /60 to use at home. Inside should be subnet 0, DMZ should be subnet 1 from that /60.
    A few of my DMZ IPv6 hosts should be reachable from the outside world on specific udp/tcp ports, without having to open the whole DMZ subnet towards the IPv6 internet.
    No big deal, one would think...
    zone security Z-INTERNET
     description * the outside world *
    zone security Z-DMZ
    zone security Z-OUTSIDE
    zone-pair security ZP-OUTSIDE-TO-DMZ source Z-OUTSIDE destination Z-DMZ
     service-policy type inspect PMAP-INBOUND-TRAFFIC
    policy-map type inspect PMAP-INBOUND-TRAFFIC
     class type inspect CMAP-IN-TRACE-TRAFFIC
      pass
     class type inspect CMAP-IN-INSPECT-TRAFFIC
      inspect 
     class class-default
      drop log
    class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
     match access-group name ACLv6-ICMP-UNREACH   <-- some ICMP listed in this ACL, irrelevant here
    class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
     match access-group name ACLv6-INBOUND-TRAFFIC 
    Now.. what would I put into ACLv6-INBOUND-TRAFFIC? Manually setting...
    ipv6 access-list ACLv6-INBOUND-TRAFFIC
     sequence 10 permit tcp any host <MYcurrent6RDPREFIX>1::<$MYHOSTID> eq http
    ... works well, until MY6currentRDPREFIX becomes MYnew6RDPREFIX. It does so seldom, but it does, especially after outages.
    For addressing (and re-addressing) the DMZ interface, "ipv6 general prefix MY6RDPREFIX 6rd tunnel6" helps a lot and it works pretty well.
    However, one cannot seem to make use of "ipv6 general prefix" in an ipv6 ACL, neither as source nor destination (and neither when defining a stateful DHCPv6 server, for that matter).
    router6rd(config-ipv6-acl)#permit ip any ?
      X:X:X:X::X/<0-128>  IPv6 destination prefix x:x::y/<z>
      any                 Any destination prefix
      host                A single destination host
    router6rd(config-ipv6-acl)#
    D'oh. What now?
    I do know that scanning the whole /64 would take aeons to complete, but I would like to use predetermined addresses with SLAAC and stateless DHCPv6 (with the help of http://man7.org/linux/man-pages/man8/ip-token.8.html).
    Opening the entire subnet makes me cringe, even more since these hosts are bound to be in some public DNS as well. For that matter, it becomes largely irrelevant whether the Host-ID comes from ip-token, EUI-64, RFC7217 or privacy extensions (all right, the latter wouldn't quite apply here, I know).
    Am I caught in the "IPv6 is like IPv4 but with longer addresses" trap? Should I just do away with my wish to have only the given DMZ servers reachable, and open up the entire subnet? 
    Or: Is there a completely different way of doing ZBFW things in IPv6 that I didn't think of?
    Thanks for your thoughts and ideas.
    Marc
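Since the ACL cannot reference the general prefix, the practical alternative is to regenerate the ACEs from the current prefix whenever the IPv4 address changes. The following is an added example, not code from the thread or from Cisco, and it assumes the 6rd arithmetic the post describes: the provider's /28 followed by all 32 bits of the IPv4 address gives the /60, subnet 1 of it is the DMZ, and each DMZ host keeps a fixed interface identifier (ip-token style). The 6rd prefix, IPv4 addresses and host tokens are constructed; `no sequence N` is assumed as the removal syntax in ipv6 access-list configuration mode. `acl_delta` produces the minimal set of commands to move from the ACL rendered for the old address to the one for the new address.

```python
"""Regenerate the ZBFW ACL from the current 6rd prefix.

Added example, not code from the thread or from Cisco.  It does the 6rd
arithmetic the post describes (provider /28 + the full 32-bit IPv4 address
= /60, DMZ = subnet 1) and re-renders the ACE lines, so an outage that
changes the IPv4 address only changes the input here.  Prefix, IPv4
addresses and host tokens below are constructed; 'no sequence N' is assumed
as the removal syntax in ipv6 access-list configuration mode.
"""
from __future__ import annotations

import ipaddress


def sixrd_delegated_prefix(sixrd_prefix: str, ipv4: str) -> ipaddress.IPv6Network:
    """6rd prefix bits followed by all 32 bits of the IPv4 address (/28 -> /60)."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    plen = net.prefixlen + 32
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network((int(net.network_address) | (v4 << (128 - plen)), plen))


def subnet64(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """/64 number subnet_id inside the delegated prefix (0 = inside, 1 = DMZ in the post)."""
    if subnet_id >= 2 ** (64 - delegated.prefixlen):
        raise ValueError("subnet id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) | (subnet_id << 64), 64))


def host_address(net64: ipaddress.IPv6Network, token: str) -> ipaddress.IPv6Address:
    """Combine a /64 with a fixed interface identifier, as 'ip token' does on the host."""
    iid = int(ipaddress.IPv6Address(token))       # token written like '::20'
    if iid >> 64:
        raise ValueError("token must only set the low 64 bits")
    return ipaddress.IPv6Address(int(net64.network_address) | iid)


def render_acl(name: str, dmz: ipaddress.IPv6Network, hosts) -> list[str]:
    """ACE lines for (token, protocol, port) triples; sequence numbers step by 10."""
    lines = [f"ipv6 access-list {name}"]
    for n, (token, proto, port) in enumerate(hosts, start=1):
        lines.append(f" sequence {n * 10} permit {proto} any host {host_address(dmz, token)} eq {port}")
    return lines


def acl_delta(old: list[str], new: list[str]) -> list[str]:
    """Commands to move from the old ACE set to the new one (same list name)."""
    old_body, new_body = set(old[1:]), set(new[1:])
    cmds = [new[0]]
    for line in old[1:]:
        if line not in new_body:
            cmds.append(f" no sequence {line.split()[1]}")   # assumed IOS syntax
    cmds.extend(line for line in new[1:] if line not in old_body)
    return cmds


# Constructed inputs: the documentation prefix trimmed to a /28, TEST-NET-2 addresses.
SIXRD_PREFIX = "2001:db0::/28"
DMZ_HOSTS = [("::20", "tcp", "http"), ("::25", "tcp", "smtp")]


def acl_for(ipv4: str) -> list[str]:
    """Full ACL for the DMZ hosts given the currently assigned public IPv4 address."""
    dmz = subnet64(sixrd_delegated_prefix(SIXRD_PREFIX, ipv4), 1)
    return render_acl("ACLv6-INBOUND-TRAFFIC", dmz, DMZ_HOSTS)


if __name__ == "__main__":
    before, after = acl_for("198.51.100.23"), acl_for("198.51.100.77")
    print("\n".join(acl_delta(before, after)))
```

With the constructed inputs, 198.51.100.23 yields the delegated prefix 2001:dbc:6336:4170::/60 and the DMZ host 2001:dbc:6336:4171::20; after a re-assignment to 198.51.100.77 the host becomes 2001:dbc:6336:44d1::20, and the delta removes the two stale sequences and adds the two new ones. Triggering this from whatever event signals the new IPv4 lease (an EEM applet on the router or a small script on the DHCP side) keeps the DMZ hosts individually exposed without ever opening the whole /64.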

  • Best practice for IPv6 ACL on 6500

    Hi,
    I am trying to implement IPv6 ACL on Cisco 6500.
    Any suggestion for the example of the good IPv6 ACL for 6500 would be appreciated.
    Thank you
    Salja

    Salja,
    Example of config can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/fwsm/fwsm31/configuration/guide/fwsm_cfg/exampl_f.html#wpxref44215
    Configuring IPv6 Access Lists
    Configuring an IPv6 access list is similar to configuring an IPv4 access list, but with IPv6 addresses.
    To configure an IPv6 access list, perform the following steps:
    Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose from, one for creating access list entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
    •To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
    hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source
    destination [icmp_type]
    •To create an IPv6 access list entry, enter the following command:
    hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source
    [src_port] destination [dst_port]
    The following describes the arguments for the ipv6 access-list command:
    •id—The name of the access list. Use the same id in each command when you are entering multiple entries for an access list.
    •line num—When adding an entry to an access list, you can specify the line number in the list where the entry should appear.
    •permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
    •icmp—Indicates that the access list entry applies to ICMP traffic.
    •protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object group using object-group grp_id.
    •source and destination—Specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
    •src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
    •icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in "Addresses, Protocols, and Ports". Alternatively, you can specify an ICMP object group using object-group id.
    Step 2 To apply the access list to an interface, enter the following command:
    hostname(config)# access-group access_list_name {in | out} interface if_name
    HTH
    Regards
    Inayath

  • Configure IPv6 ACL Extensions for Hop by Hop Filtering

    I have IPv6 ACL questions and concerns.  The following code is an example:
    ipv6  access-list inbound-to-enclave
         remark block IPv6 DO Invalid Options
          deny 60 any any dest-option-type 5
         deny 60 any any dest-option-type 194
         deny 60 any any dest-option-type 195
    I see that dest-option-type became available in IOS release 12.4(2)T. I can't tell if this option was added to later releases of 12.2. Also, is it available in all releases of 15.x?
    I am guessing that if a version of the IOS that is used is prior to 12.4(2)T that the default action will be to pass this traffic, correct?  Thank you for any assistance that you can provide.

    Hi Forrest,
    This is correct. By default, this traffic would be allowed.
    Regards
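What `deny 60 any any dest-option-type N` keys on is the option type field inside a Destination Options extension header (next-header value 60), which sits between the IPv6 base header and the upper-layer protocol. The following is an added example, not code from the thread or from IOS: it walks an IPv6 extension-header chain, collects the option types carried in Hop-by-Hop and Destination Options headers, and reports whether a packet would hit the posted deny entries. The option numbers are the three the post denies (5 = Router Alert, 194 = Jumbo Payload, 195 = RPL option); the sample packets are constructed inline, and a packet that matches no entry is reported as allowed, which is the default the answer describes for releases without dest-option-type.

```python
"""Walk an IPv6 extension-header chain and flag Destination Options option
types, i.e. what 'deny 60 any any dest-option-type N' keys on.

Added example, not from the thread or from IOS.  The option numbers are the
ones the posted ACL denies; the sample packets are constructed inline.  A
packet that matches nothing is reported as allowed, which is the default the
answer describes for releases without dest-option-type.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT, IPPROTO_DSTOPTS}
# Option types from the post's ACL: 5 = Router Alert, 194 (0xC2) = Jumbo Payload,
# 195 (0xC3) = RPL option.
DENIED_DST_OPTIONS = {5, 194, 195}


def parse_options(block: bytes):
    """Yield option types from a TLV block, skipping Pad1 (0) and PadN (1)."""
    i = 0
    while i < len(block):
        t = block[i]
        if t == 0:                       # Pad1 is a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(block):
            raise ValueError("truncated option")
        length = block[i + 1]
        if t != 1:
            yield t
        i += 2 + length


def ext_header_chain(pkt: bytes):
    """Return ([(ext header protocol, [option types]), ...], upper-layer protocol)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        hdr_len = 8 if nh == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        opts = []
        if nh in (IPPROTO_HOPOPTS, IPPROTO_DSTOPTS):
            opts = list(parse_options(pkt[off + 2:off + hdr_len]))
        chain.append((nh, opts))
        nh, off = pkt[off], off + hdr_len
    return chain, nh


def acl_denies(pkt: bytes, denied=DENIED_DST_OPTIONS) -> bool:
    """True when a Destination Options header (protocol 60) carries a denied type."""
    chain, _ = ext_header_chain(pkt)
    return any(h == IPPROTO_DSTOPTS and denied & set(opts) for h, opts in chain)


def _options_block(options) -> bytes:
    """TLV-encode (type, value) options and pad to an 8-octet boundary."""
    body = b"".join(struct.pack("BB", t, len(v)) + v for t, v in options)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += b"\x00"                                              # Pad1
    elif pad > 1:
        body += struct.pack("BB", 1, pad - 2) + b"\x00" * (pad - 2)   # PadN
    return body


def build_packet(ext_headers, upper=58, src="2001:db8::1", dst="2001:db8::2") -> bytes:
    """Constructed sample: base header + [(protocol, [(type, value), ...]), ...]."""
    payload, nh = b"", upper
    for proto, options in reversed(ext_headers):
        body = _options_block(options)
        payload = struct.pack("BB", nh, (2 + len(body)) // 8 - 1) + body + payload
        nh = proto
    base = struct.pack("!IHBB", 0x60000000, len(payload), nh, 64)
    return base + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


if __name__ == "__main__":
    sample = build_packet([(IPPROTO_DSTOPTS, [(5, b"\x00\x00")])])
    print(ext_header_chain(sample), "denied" if acl_denies(sample) else "allowed")
```

The same Router Alert option placed in a Hop-by-Hop header (protocol 0) is not denied by these three entries, because they are written for protocol 60 only; a chain with both headers is walked to the end and the Destination Options header is still caught. That is the distinction to keep in mind when deciding whether a matching hop-by-hop rule is also needed for a given release.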

  • How to create a private network for OCFS2 in OVS 2.2.1

    Does anyone know how to create a separate network for ocfs2 and leave the regular VM traffic on the main network?
    I have done the following
    - configured 3 VM servers connected via fibre channel to a SAN
    - Bonded 2 network cards on each server to provide 1 bridge on each. (172 network)
    - Installed a 3rd network card in each server and configured on a 10 network with a separate switch.
    so my servers are called bart, lisa, flanders
    I can communicate between them effectively and the VM manager on a different server can talk to them all.
    I have also configured entries for bart2, lisa2, flanders2
    which are on the 10 network. I can ping and talk between these successfully.
    I can't however configure the cluster.conf to use the bart2, lisa2, flanders2 as it has a problem with the names not matching the local name of the machine.
    I'm not sure if changing the server name will affect the VM agent.

    Basically, Oracle VM uses the IP address you specify when adding the Oracle VM server to configure OCFS2 and Live
    Migration. So you should use the private ip when adding the server.
    Then, the "regular" VM guests network traffic will be on the network/bridge/bond the guest itself belongs to.
    Maybe this old thread would be interesting for you to read:
    Live Migration and private network
    HTH

  • Broken Link - Firewall and Virtual Private Network Communication for Oracle

    The link for Firewall and Virtual Private Network Communication for Oracle Enterprise Manager on http://otn.oracle.com/products/oem/files/best_practices.html returns a 404 error. It is not pointing to the correct document

    This link is still broken !
    Can you please correct this ASAP ?
    Best regards, Yolanda
    Oracle HUB support services

  • TS1398 Where do you get passwords for wiFi networks that pop up under "choose a network"? When I tap one it asks for a password. When I tap "join" nothing happens (join is also faded).

    How do you find out who is operating a network and how do you then contact them for a password?

    Copied from my previous post.
    If you don't have access to an available wi-fi network - one that is password locked/protected, you can't join that network - not unless you know the owner of the network and the owner gives you permission to access the network, which means giving you the password for the network.
    If the wireless network is not locked/password protected, you should be able to join it. If a free public wi-fi network, many require agreeing to their terms of use which is done via a web page with Safari. A free public wi-fi network at a restaurant that I frequent requires logging in each time with a website provided - without a user name and password. My iPhone connects to the network automatically but I won't have internet access until I login with the website provided automatically with Safari.

  • IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

    Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally require only basic knowledge of networking principals.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private networks address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
    no aaa new-model
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp pool ccp-pool
     import all
     network 10.10.10.0 255.255.255.248
     default-router 10.10.10.1
     lease 0 2
    ip domain name yourdomain.com
    no ipv6 cef
    multilink bundle-name authenticated
    username cisco privilege 15 one-time secret
    redundancy
    crypto isakmp policy 1
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key AbCdEf01294 address 99.101.15.99
    crypto isakmp key AbCdEf01294 address 99.100.14.88
    crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
     mode transport
    crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
     description Verizon Wireless Tunnel
     set peer 99.101.15.99
     set peer 99.100.14.88
     set transform-set VZW_TSET
     match address VZW_VPN
    interface Tunnel1
     description GRE Tunnel to Verizon Wireless
     ip address 172.16.200.2 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.101.15.99
    interface Tunnel2
     description GRE Tunnel 2 to Verizon Wireless
     ip address 172.16.200.6 255.255.255.252
     tunnel source 22.20.19.18
     tunnel destination 99.100.14.88
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address 10.10.10.1 255.255.255.248
     shutdown
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     ip address 192.168.11.1 255.255.255.0
     duplex auto
     speed auto
    interface GigabitEthernet0/2
     ip address 22.20.19.18 255.255.255.0
     duplex full
     speed 100
     crypto map VZW_VPNTUNNEL
    router bgp 65505
     bgp log-neighbor-changes
     network 0.0.0.0
     network 192.168.11.0
     neighbor 172.16.200.1 remote-as 6167
     neighbor 172.16.200.5 remote-as 6167
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip route 0.0.0.0 0.0.0.0 22.20.19.19
    ip access-list extended VZW_VPN
     permit gre host 99.101.15.99 host 22.20.19.18
     permit icmp host 99.101.15.99 host 22.20.19.18
     permit esp host 99.101.15.99 host 22.20.19.18
     permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
     permit gre host 22.20.19.18 host 99.101.15.99
     permit gre host 22.20.19.18 host 99.100.14.88
    access-list 23 permit 10.10.10.0 0.0.0.7
    control-plane
    end
    So after spending countless hours analyzing every portion of this, I think that adding one line to this will get it going (or at least closer).
    ip route 192.168.1.0 255.255.0.0 22.20.19.19
    That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think).
    Now for a couple of questions for those that are still actually hanging around.
    #1 What is the purpose of the Ethernet address assigned to each tunnel? I only see them being used in the BGP section, where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet interface address in its place (in the BGP section)?
    #2 Is the config above correct in pointing the default route to the physical Ethernet address? Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IPs (172.16.200.2)? If the config above is correct then I should not need to add the route I described above, as if I ping out to 192.168.1.X that should catch it and force it into the tunnel, where Verizon would pick it up and know how to get it to its destination?
    #3 Will I need to add another permit to the VZW_VPN for TCP, as in the end I need to be able to poll via Modbus, which uses port 502 TCP? Or is TCP implicit in some way with the GRE permit?
    I actually have a lot more questions, but I will keep reading for now.
    I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!
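To make the routing and crypto-map interaction behind questions #2 and #3 concrete, here is an added example (not code from the post, from Cisco, or from Verizon) that parses the relevant pieces of the posted config and walks one Modbus poll through them: longest-prefix route lookup, GRE encapsulation if the chosen route points into a tunnel, then the crypto-map ACL decision on the packet that actually reaches GigabitEthernet0/2. It assumes a simplified router: only static routes are considered (the BGP-learned routes are not modelled), a next hop of 22.20.19.19 is treated as the plain Gi0/2 path, and the extra `ip route ... Tunnel1` line used for comparison is hypothetical, not from the post. The point it shows is that the crypto ACL is applied to the outer GRE packet between the tunnel endpoints, so an inside TCP flow that is routed out Gi0/2 without entering a tunnel is not selected for IPsec and would leave the router in the clear.

```python
"""Walk one inside packet through the posted 2911 config: route lookup, GRE
encapsulation if the route enters a tunnel, then the crypto-map ACL decision.
Added example with a simplified router model, not Cisco's or the poster's."""
import ipaddress
import re

# Constructed excerpt of the posted config (addresses as in the post).
CONFIG = """
interface Tunnel1
 tunnel source 22.20.19.18
 tunnel destination 99.101.15.99
interface Tunnel2
 tunnel source 22.20.19.18
 tunnel destination 99.100.14.88
interface GigabitEthernet0/2
 ip address 22.20.19.18 255.255.255.0
 crypto map VZW_VPNTUNNEL
ip route 0.0.0.0 0.0.0.0 22.20.19.19
ip access-list extended VZW_VPN
 permit gre host 99.101.15.99 host 22.20.19.18
 permit icmp host 99.101.15.99 host 22.20.19.18
 permit esp host 99.101.15.99 host 22.20.19.18
 permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
 permit gre host 22.20.19.18 host 99.101.15.99
 permit gre host 22.20.19.18 host 99.100.14.88
"""
# Hypothetical line, NOT from the post: a static route pointing into Tunnel1.
TUNNEL_ROUTE = "ip route 192.168.1.0 255.255.255.0 Tunnel1\n"

def parse_static_routes(config):
    """[(network, next_hop)] from 'ip route' lines; next hop is an IP or an interface."""
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if parts[:2] == ["ip", "route"] and len(parts) >= 5:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            routes.append((net, parts[4]))
    return routes

def parse_tunnels(config):
    """{'TunnelN': (source, destination)} from the interface blocks."""
    tunnels, cur = {}, None
    for line in config.splitlines():
        parts = line.split()
        if parts[:1] == ["interface"]:
            cur = parts[1] if parts[1].startswith("Tunnel") else None
        elif cur and parts[:2] == ["tunnel", "source"]:
            tunnels.setdefault(cur, [None, None])[0] = parts[2]
        elif cur and parts[:2] == ["tunnel", "destination"]:
            tunnels.setdefault(cur, [None, None])[1] = parts[2]
    return {name: tuple(ends) for name, ends in tunnels.items()}

def parse_extended_acl(config, name):
    """[(proto, src, dst)] for the 'host ... host ...' ACEs of one named ACL."""
    aces, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif not line.startswith(" "):      # any other top-level line ends the ACL
            inside = False
        elif inside:
            m = re.match(r"\s*permit (\S+) host (\S+) host (\S+)", line)
            if m:
                aces.append(m.groups())
    return aces

def lookup(routes, dst):
    """Longest-prefix match over the static routes; returns the next hop or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None

def acl_selects(aces, proto, src, dst):
    """True if an ACE matches; a crypto ACL is written in the outbound direction
    and IOS applies its mirror image to inbound traffic."""
    return (proto, src, dst) in aces

def egress_report(config, src, dst, proto="tcp"):
    """Route the inside packet; if the route enters a tunnel the ACL sees the
    outer GRE packet, otherwise it sees the packet exactly as sent."""
    next_hop = lookup(parse_static_routes(config), dst)
    tunnels = parse_tunnels(config)
    if next_hop in tunnels:                  # GRE wraps the inside packet
        outer = ("gre",) + tunnels[next_hop]
    else:                                    # leaves Gi0/2 exactly as sent
        outer = (proto, src, dst)
    aces = parse_extended_acl(config, "VZW_VPN")
    return {"next_hop": next_hop, "outer": outer,
            "ipsec_selected": acl_selects(aces, *outer)}

if __name__ == "__main__":
    # Constructed sample: SCADA host in 192.168.11.0/24 polling a controller
    # behind an Airlink in 192.168.1.0/24 on TCP 502, as described in the post.
    print(egress_report(CONFIG, "192.168.11.5", "192.168.1.10"))
    print(egress_report(CONFIG + TUNNEL_ROUTE, "192.168.11.5", "192.168.1.10"))
```

With only the posted static route, the poll to 192.168.1.10 follows the default route to 22.20.19.19 as a plain TCP packet, which no VZW_VPN entry selects. With the hypothetical route into Tunnel1, the ACL is evaluated against the GRE packet 22.20.19.18 to 99.101.15.99, which the existing `permit gre` entry already covers; the model has no TCP entry and does not need one.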

    This post is a duplicate of this thread
    https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
    which has a response. I suggest that all discussion of this question be done through the other thread.
    HTH
    Rick

  • Screen Sharing works for alien hosts but not for LAN hosts

    Hello!
    I am having a really strange problem in a customer network. The network is a local private network with one MacOS Server 10.6.8 and around 12 iMacs running MacOS 10.6.8. The server is running headless in a cellar, so the user maintains the backup via screen sharing from an iMac to the server.
    Since a few weeks they cannot log in to the server via screen sharing from any local host, BUT I can log in from my MBP (alien) via ARD or Screen Sharing without any problem. Even hosts connected to the network via VPN can connect to the server via screen sharing.
    In short:
    Every local host gets a message that login is not possible, and my MBP and VPN hosts get connected without any problems with the same credentials.
    At the local clients I get this message in system.log:
    Oct 28 09:33:41 verwaltung1 LKDCHelper[228]: Starting (uid=501)
    Oct 28 09:33:48 verwaltung1 com.apple.launchd.peruser.501[166] (com.apple.Kerberos.renew.plist): Throttling respawn: Will start in 530 seconds
    Oct 28 09:34:17 verwaltung1 /System/Library/CoreServices/RemoteManagement/AppleVNCServer.bundle/Contents/MacOS/AppleVNCServer[195]: CGSKeyTranslateInitialize: KLGetCurrentKeyboardLayout or KLGetKeyboardLayoutProperty is not available, fall back to USA keymap
    and at the server I get:
    Oct 28 09:33:48 solserv AppleVNCServer[11503]: no such user: adminloc@LKDC:SHA1.DE03ABCC86F74D11AD139E44388D6B94155B4D9E: 2
    When I connect from VPN or my MBP I get no messages in system.log.
    I tried to kickstart ARD at the server but it does not change anything; I bound the clients to the OpenDir of the server with no effect either.
    I do not have any idea what is happening here. Any help is welcome,
    Christoph

    Hello MrHoffmann!
    changeip says "The names match. There is nothing to change."
    To give more info: the server and all the clients are connected to the same network switch, all belong to 192.168.183/24, and when I use my MBP it is connected via WLAN and gets an IP address from this server out of this range. My MBP is in the same broadcast domain.
    VPN clients connect via PPTP to the gateway (192.168.183.1) and get IP addresses assigned from 192.168.183.48-52.
    There is no routing between the clients and the server.
    There is no other problem - every client reaches the server for file services (AFP/SMB), SMTP, IMAP, DHCP and DNS.
    BTW, screen sharing from the clients worked without a problem when I first set up the network about 1 year ago, but since a few weeks no client that belongs to this network can use screen sharing, except for my MBP when I am at the customer site.
    History:
    The new SLS is a replacement for an old Windows 2000 Server. Both servers ran in parallel for some time, but within different IP networks (all Macs at 192.168.183/24, all Windows at 192.168.2/24); the gateway routed between both networks. But now it is time to switch off every Windows computer because every service now runs at the SLS. AFAIK the Windows 2000 Server is the last Windows machine in the network. We switched off DHCP at the Windows server and switched on DHCP at the SLS a few weeks ago. Hm .... maybe there is something wrong? But the clients have fixed IP addresses.
    Still wondering what is going on here, bye,
    Christoph
