IronPort Port Based HA
Dear all,
If P1 and P2 are enabled, P1 is for incoming packets and P2 for outgoing packets.
My question: can P1 and P2 be enabled with P1 for incoming and outgoing, and P2 for incoming and outgoing?
Thanks,
G
Yes, you can enable this method; however, since there is only one default route for the DATA interfaces P1 and P2, all data would flow out of one of the interfaces. Example: the default route for DATA is assigned to P1, which handles the internal network. You enable P2 to handle a guest wireless network. Those requests on P2 would route out of P1 to the Internet. There is no way to enable multiple default routes for DATA interfaces. So while it would appear that both interfaces are used for incoming and outgoing, in reality only one interface is used for outgoing.
Similar Messages
-
How to do .1x port based network access authentication through ACS
Hi,
802.1x can authenticate hosts either through a username/password or via the MAC address of the clients (PCs, printers etc.). This process is called Agentless Network Access, which can be done through MAC Auth Bypass.
In this process the 802.1x switchport would send the MAC address of the connected PC to the RADIUS server for authentication. If the RADIUS server has the MAC address in its database, the authentication would be successful and the PC would be granted network access.
To check the configuration on the ACS 4.x, you can go to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/configuration/guide/noagent.html
To check the configuration on an ACS 5.x, you can go to http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-2/user/guide/acsuserguide/common_scenarios.html#wp1053005
Regards,
Kush
-
Port-Based Authentication on 877
Hi
I have applied the following commands to enable Port-Based Authentication, but when I run the command sh mac address-table it shows a static MAC on this port (xx 0000.xxxx.xxxx STATIC Gi1/0/3).
authentication control-direction in
authentication event fail retry 1 action authorize vlan xx
authentication event no-response action authorize vlan xx
authentication host-mode multi-domain
authentication order dot1x mab
authentication port-control auto
authentication violation protect
mab
dot1x pae authenticator
dot1x timeout quiet-period 10
dot1x timeout tx-period 10
dot1x timeout supp-timeout 10
When I remove the command authentication port-control auto, sh mac address-table shows me a DYNAMIC MAC.
Can anyone please explain to me why this is happening?
Regards,
Any input?
-
IEEE 802.1x port-based authentication
I want to configure IEEE 802.1x port-based authentication on Cisco switches, preferably the 2960 series. Which models support this feature? I have tried with some older switches but it doesn't work properly on all of them.
I have upgraded them without better results; there is namely an issue with TLS handshaking on some switches which causes authentication to fail.
Hi Claudia,
do you mean that the EAP-TLS authentication fails only on some 2960 switches and it works on other 2960s?
What is the IOS version you're using there?
What is the RADIUS server in use?
What is the exact error message you see on the RADIUS side?
Usually, the reason for an EAP-TLS handshake failure has to be troubleshot on the supplicant and AAA server; however, there may be something on the switch depending on the certificate size and the MTU settings on the switch(es).
What is the server cert size and the MTU configured on the switches?
With the info you provided it's difficult to say what's the reason of this failure.
I would suggest to start looking into the above mentioned topics, else you would need to proceed with deeper debugging and sniffer traces, which may be better/easier to handle through a TAC case.
I hope this helps.
Regards,
Federico
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
-
Hi,
My Mac connects to Internet through ADSL router, and to a PPTP-VPN host through this connection.
And I want to FORCE all my http/https connections (those using destination ports 80, 443, and perhaps some more) to use the VPN, while keeping everything else going through the ADSL router directly.
Is this possible?
Did you find any solution?
I'm trying to find a way to do this too. On Linux, port-based routing can be done with iptables. Mac OS X uses ipfw, but:
The fwd action does not change the contents of the packet at all.
In particular, the destination address remains unmodified, so
packets forwarded to another system will usually be rejected by
that system unless there is a matching rule on that system to
capture them.
Then there is natd? I'm not sure if this can be used..
And another one is /etc/pf.conf, for which there is this OpenBSD guide, but it fails with "PF ERROR! No ALTQ support in kernel. ALTQ related functions disabled".
-
Dear Gurus,
I'm trying to configure port-based MPLS; however, I find my 7206 doesn't support any MPLS encapsulation, only l2tpv3. Is this IOS dependent?
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 12.4(9)T1, RELEASE SOFTWARE (fc2)
R2(config-if)#xconnect 3.3.3.3 100 encapsulation ?
l2tpv3 Use L2TPv3 encapsulation
tia.
Hello Jepoy,
according to Feature Navigator, port mode is supported on the C7200,
but you need some specific feature sets, like
c7200-adventerprisek9-mz.124-24.T2.bin
I have a pair of C7200s with advanced security and xconnect is not supported on them.
Hope to help,
Giuseppe
-
Does the SLM224G switch support port-based VLAN's?
I am looking for a simple solution to create two LAN's. One for my own use and one for my customers, who will be able to use desktop PC's with internet access. I have only one internet connection (DSL over ISDN) and will not be getting another just for my customers.
My own network should not be accessible or visible to users who are using the customers-PC's. The other way around is allowed, but not really necessary. My setup requires me to hook up the switch to the (ISP) router, and that router just has one LAN port not able to do anything related to VLAN's.
I read about port-based VLAN's here, where it is stated that creating separate LAN's is just a matter of putting ports into VLAN's on the switch, nothing else needs to be done... However, they used a NetGear smart switch.
I checked out Cisco's SLM224G as it is affordable, has 24 ports (instead of 8 for the NetGear) and should support VLAN's. I have read a lot about VLAN's, including:
"- Port-based VLAN's means that you can reconfigure ports to be in different VLAN's. Port-based VLAN's do not confirm 802.1q VLAN support.
- 802.1q VLAN's means that you can tag VLAN's with 802.1q headers to create a trunk between two devices that carries frames for multiple VLAN's. 802.1q VLAN's confirm that there is also Port-based VLAN support."
I known from the spec sheets that the SLM224G supports 802.1q (tagged) trunking. So it should, given found text above, also support port-based VLAN's.
My question is whether it indeed will support port-based VLAN's?
Am I able to use it directly behind my ISP's router and create two separate LAN's?
If so, one extra question: how do the PC's behind the switch (inside the two VLAN's) get their IP addresses from the ISP router? Or will it serve only one of the two LAN's, and should I install a DHCP server in the other LAN?
Any information is very welcome!
Thank you.
Thanks for your response, Mr. Carr.
I have read more about vlan's and their setup. I think the article about port based vlan's was lacking some information about the router/firewall. May be it was set up to work with different vlan's from the start. Strangely, in the text it is said that nothing needs to be set up besides the (Netgear) vlan-capable switch.
So, from your response and other texts I learned I needed a vlan-capable router. I have to say that I need to be able to manage a server on the LAN from the outside (internet). I already tried to set up a Cisco/Linksys WRT54G router behind the ISP's (ZyXel) single LAN-ported router and that would not work at all (even when the Linksys was set in router-mode). I lost the connection to internet setting it up that way. I even tried to set up the Linksys in the DMZ of the ZyXel, with no luck. I was unable to set that up with working internet access from the LAN. So I was not too happy with the suggestion to set up a (second) vlan-capable gigabit router behind the ISP's router....
Eventually, I bridged the ZyXel to get rid of the double NAT/gateway mode of the two routers, as routing mode did not work on the Linksys. The Linksys is now getting the WAN IP from the ISP on its WAN port, and I furthermore used DD-WRT's firmware to enable the built-in vlan capabilities of the Linksys.
Now I have set up the Linksys with two vlan's and I bought the SLM224G as an inexpensive manageable 24-port vlan-capable switch to provide the number of ports I needed. I divided the SLM into two vlan's and used two wires from the Linksys to the SLM. So the SLM does support port-based vlan's by simply setting up two ranges of ports with different PVID settings. Trunking and 802.1q tagging isn't needed that way. I know I could have used two dumb switches to get two separate subnetted networks, but this way I get just enough ports in a single device where I have ample space to put it.
Anyway, thanks for helping me understand the way vlan-capable switches work.
-
Hi,
I have a question about vlan based qos. I am happy with qos configuration as applied to ports. However, vlan based qos confuses me somewhat.
Is vlan based qos intended for situations where packets are to cross vlans? In that case, am I correct in assuming that vlan based qos has no effect on packet flows within that vlan? In that case the idea of vlan based qos would be to police/mark traffic leaving/joining that vlan?
Or, does vlan based qos extend queuing (priority queue etc) down to ports that are members of that vlan are configured with vlan based qos? I think not but I'm not absolutely sure.
I can't seem to get to the bottom of this on cco.
Thanks, Steve
Hi Steve,
Packets do not have to cross VLANs for you to need VLAN-based QoS.
VLAN-based QoS gives you an additional layer of queueing hierarchy. With port-based Qos, there is a set of software queues per physical port. As packets are scheduled from these queues, they are emitted from the port.
With VLAN-based QoS, there is another layer. Each VLAN configured for VLAN-based QoS will have a set of queues associated with it, instead of having a set of queues for the physical port. This comes in useful for providers of Metro Ethernet service who offer multiple classes of service. Such ethernet services are usually sold with a fixed bandwidth per-VLAN. At egress switch ports, the provider will use vlan-based QoS to police/shape traffic in order to conform to the sold rate. Within this shaped rate, queueing will be used to ensure that the higher classes of service get preference.
In answer to your question, vlan-based qos does have an effect on packet flows within that vlan.
Hope that helps - pls rate the post if it does.
Regards,
Paresh.
-
IEEE 802.1x Port based Authentication with Restricted VLAN
Hi all,
I have the following configuration:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization exec default local
dot1x system-auth-control
radius-server host 10.10.10.10 key cisco
interface FastEthernet0/1
switchport mode access
authentication event fail retry 1 action authorize vlan 2
authentication port-control auto
dot1x pae authenticator
spanning-tree portfast
But it takes quite a while for a user who is not authorized to be switched to vlan 2.
I would like to know what is best practice when using this kind of configuration and if it is possible to optimize on how long it takes to switch the unauthorized user to the restricted VLAN?
Regards,
Laurent
Laurent,
Based on your configuration it looks as if it will take one retry attempt before the client is placed in vlan2. Try to remove the 'retry 1' from command and see if that speeds up the time. Also take the output of the 'show authentication sessions interface '. Please post the output of the 'debug radius authentication' as that will help to see how long it is taking the radius server to respond.
thanks,
Tarik Admani
-
Two gateways, port-based load balancing
Hello,
I have a simple question on Mac OS X Leopard/SL Server regarding the use of 2 distinct internet connections on a single LAN.
Gateway #1 : 10.0.1.1 (delivering IPs) - 18 mbps
Gateway #2 : 10.0.1.254 - 4 mbps
Any computer accessing the network is given an IP by the DHCP server (10.0.1.1), and thus uses #1 as its main gateway.
The main server (10.0.1.16) is running DNS services and a Squid proxy-cache.
Now, is it possible to set up all the computers that connect to the network so that they use the main server as their main gateway and have their requests redirected to #1 or #2 according to the port in use?
For example:
mail,http,https,jabber -> #1
skype,rtsp,... -> #2
Thank you very much for your help
Tha
Message was edited by: Kwintin
> is it possible to set up all the computers that connect to the network so that they use the main server as their main gateway and have their requests redirected to #1 or #2 according to the port in use?
No. routing is based on destination IP address, not port.
Therefore each client will send all traffic for a specific address to a specific router address. It doesn't matter whether it's talking HTTP, SMTP, IMAP, POP, AIM, or any other protocol - any traffic for that IP will go to the same router.
You have three ways of getting around this.
One is to install a router that supports dual WAN connections. Point all internal clients to the LAN address of the router and let it do the work of routing the traffic as needed, based on its routing policies (routers may be able to route based on port).
Option two is to setup a proxy server for specific services - for example you could setup a HTTP/HTTPS proxy server on a machine that has router #1 as its default gateway and configure the clients to talk to router #2. All traffic on the clients will go over router #2 except the proxied traffic which will go to the proxy and then out via router #1.
This is relatively simple to setup, but is limited to traffic that can be easily proxied (e.g. that probably excludes email).
The third option is static routing. Look at the servers each machine is contacting and setup static routes for the smaller set of addresses. For example, if you're only splitting off traffic to Skype's servers then set each client with a default route of router #1, and static routes to Skype's server to router #2. Now all traffic except that to Skype will use router #1.
This is really only viable if you have a relatively small number of destination addresses you're trying to divert. That's why it works well for Skype (single server address), but wouldn't work well for something more generic such as 'web traffic' since you cannot predict which web servers (and therefore which IP addresses) need static routes.
Of the three options, only option #1 will cover all protocols for all clients, but it's also the only option that costs $$s if your current router doesn't support multiple WAN interfaces.
-
Port based LB and Local Director
My customer would like to know whether the Local Director supports load balancing using the source port information. If this is possible, any document on the configuration would be highly appreciated.
Regards,
Mahesh
http://www.cisco.com/en/US/products/sw/iworksw/ps2769/products_maintenance_guide_chapter09186a008007d9fa.html#xtocid225795
As per this document, I think load balancing based on source port information cannot be done.
''The MNLB Services Manager makes the load-balancing decisions based on application availability, server capacity, and load distribution algorithms such as round robin or least connections, or the Dynamic Feedback Protocol (DFP).''
-
ERROR OWS-04045 during accessing multiple ports based web service
I use WSA to publish a web service which has multiple ports.
The ant build script :
<oracle:assemble appName="${app.name}" ear="${app.name}.ear"
                 targetNamespace="http://www.xxx.com" classpath="${domestic.class.path}"
                 input="${web.home.path}/WEB-INF/classes" output="${archive.output.path}"
                 style="rpc" mappingFileName="type-mapping.xml" appendToExistingDDs="true"
                 serviceName="${app.name}">
    <oracle:porttype interfaceName="com.xxx.service.ICompanyDefinerWebService"
                     className="com.xxx.CompanyWebServiceImpl">
        <oracle:port name="company" uri="company" />
    </oracle:porttype>
    <oracle:porttype interfaceName="com.xxx.IUserDefinerWebService"
                     className="com.xxx.UserProfileWebServiceImpl">
        <oracle:port name="userprofile" uri="userprofile" />
    </oracle:porttype>
</oracle:assemble>
There is a class named UserDTO which extends another class AbstractDTO, which is located in another package. I used a type-mapping file to give them different namespaces.
After deployment, I can use the url http://localhost:8888/xxx/userprofile to access the web service. OC4J provided a javascript based stub for testing.
But I met some problems. When I use the web stub to access it, an error occurs.
ERROR OWS-04045 Malformed Request Message:Caught exception while handling request: unexpected element name: expected={http://www.xxx.com/framework/bean}operationRecord, actual={http://www.xxx.com/user/dto}operationRecord
I switched the form to display XML before invoking, and I found there are different and correct namespaces on these 2 elements (UserDTO and OperationLog). So I'm very puzzled why the server responds with such fault information.
In addition, if I use default style (just document-wrapped) to publish web service, almost all methods can not be accessed on web stub which is provided by oracle.
Surely, the problem is caused by the multiple ports. The SOAP specification is 1.2, the JDK is Sun 1.5.0-b6, and OC4J is 10.1.3.3.
I just want to know whether Oracle has some better practices or suggestions for publishing a web service which will have multiple ports.
The other problem is that we cannot use an abstract class (only interfaces are supported) when we want to use WSA to assemble a web service based EAR.
-
Is it possible to use several "class L4VIPCLASS" inside the "policy-map multi-match VIPs" in order to have several VIPs to load-balance services for several serverfarms?
Something like this:
class-map match-all L4VIPCLASS-1
2 match virtual-address 172.16.1.1 tcp eq www
class-map match-all L4VIPCLASS-2
2 match virtual-address 172.16.1.2 tcp eq www
class-map match-all L4VIPCLASS-3
2 match virtual-address 172.16.1.3 tcp eq 8081
policy-map type loadbalance http first-match WEB_POLICY-1
class class-default
serverfarm-1
policy-map type loadbalance http first-match WEB_POLICY-2
class class-default
serverfarm-2
policy-map type loadbalance http first-match WEB_POLICY-3
class class-default
serverfarm-3
policy-map multi-match VIPs
class L4VIPCLASS-1
loadbalance vip inservice
loadbalance policy WEB_POLICY-1
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 11
class L4VIPCLASS-2
loadbalance vip inservice
loadbalance policy WEB_POLICY-2
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 2 vlan 22
class L4VIPCLASS-3
loadbalance vip inservice
loadbalance policy WEB_POLICY-3
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 3 vlan 33
interface vlan XX
service-policy input VIPs
Many thanks for your support.
-
IronPort, user based filtering with MS terminal / Citrix?
Hi there,
Can someone tell me if the IronPort can handle user based filtering on MS terminalserver / Citrix (multi-user server) with AD-integration?
Thanks a lot.
Greets,
Norbert
If you're using transparent redirection on the Citrix boxes you can use:
Use Cookie Surrogates
Turn on the "Virtual IP" feature in Citrix. (which really means Citrix is dealing with the problem, not the WSA)
The issue with cookie surrogates is that https traffic appears to be unauthenticated to the WSA and some applications can't deal with them. (check the help file on the box under "Understanding How Authentication Affects HTTPS and FTP over HTTP Requests")
How are you doing the redirection? If you're using explicit redirection, you can turn off surrogates for an identity and it does authentication that is session based...
The simplest would be Virtual IP on Citrix, since that looks the most like a regular workstation to a WSA...
-
802.1X Port Based Authentication - IP Phone- MDA - Port Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1x compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and then goes into errdisable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports Gi1/0/1 & Gi1/0/2 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be greatly appreciated.
Donfrico
I am currently trying to get 802.1x port authentication working on a Cat3550 against Win2003 IAS, but the IAS log shows an invalid message-authenticator error. The 3550 just shows failed. When I authenticate against Cisco ACS (by simply changing the radius-server) it works perfectly.
However, I am successfully using IAS to authenticate WPA users on AP1210s, so RADIUS appears to be working OK.
Are there special attributes that need to be configured on the switch or IAS?
-
802.1X Port Based Authentication Security Violation
I have configured 802.1X authentication on selected ports of a Cisco Catalyst 2960S with Microsoft NPS RADIUS authentication on a test LAN. I have tested the authentication with a Windows XP laptop, a Windows 7 laptop with 802.1X EAP-TLS authentication, and a Mitel 5330 IP Phone using EAP-MD5 authentication. All the above devices work with the MS NPS server. However, in MDA mode, when the 802.1x compliant Windows 7 laptop is connected to the already authenticated Mitel IP Phone, the port experiences a security violation and then goes into errdisable mode.
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
If the port config is changed to "authentication host-mode multi-auth", and the laptop is connected to the phone the port does not experience the security violation but the 802.1x authentication for the laptop fails.
The ports Gi1/0/1 & Gi1/0/2 are configured thus:
interface GigabitEthernet1/0/1
switchport mode access
switchport voice vlan 20
authentication event fail action authorize vlan 4
authentication event no-response action authorize vlan 4
authentication event server alive action reinitialize
authentication host-mode multi-domain
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
mls qos trust cos
dot1x pae authenticator
spanning-tree portfast
sh ver
Switch Ports Model SW Version SW Image
* 1 52 WS-C2960S-48FPS-L 15.2(1)E1 C2960S-UNIVERSALK9-M
Full config attached. Assistance will be greatly appreciated.
Donfrico
I believe you need to configure re-authentication on this switch port:
! Enable re-authentication
authentication periodic
! Enable re-authentication via RADIUS Session-Timeout
authentication timer reauthenticate server
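Added example (not code from either thread, Cisco, or the posters): a small Python parser that runs over the syslog lines quoted in the two 2960S posts above and reports ports that were err-disabled for a security violation right after a dot1x success on the same port, which is the pattern Donfrico describes. The Gi1/0/2 session, its MAC and its AuditSessionID are constructed for contrast; everything else is from the posts.

```python
import re
from datetime import datetime

# Constructed sample: the five syslog lines quoted in the thread, plus a
# healthy session on Gi1/0/2 (MAC and AuditSessionID made up) for contrast.
SAMPLE_LOG = """\
Feb 4 19:16:16.571: %AUTHMGR-5-START: Starting 'dot1x' for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %DOT1X-5-SUCCESS: Authentication successful for client (24b6.fdfa.749b) on Interface Gi1/0/1 AuditSessionID AC10A0FE0000002F000D3CED
Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: security-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
Feb 4 19:16:17.651: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:16:18.658: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down
Feb 4 19:20:01.100: %AUTHMGR-5-START: Starting 'dot1x' for client (0000.0000.0001) on Interface Gi1/0/2 AuditSessionID AC10A0FE00000030000D3CEE
Feb 4 19:20:01.180: %DOT1X-5-SUCCESS: Authentication successful for client (0000.0000.0001) on Interface Gi1/0/2 AuditSessionID AC10A0FE00000030000D3CEE
"""

# Shape of an IOS syslog line: "Feb 4 19:16:16.645: %PM-4-ERR_DISABLE: <message>"
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} +\d+ (?P<time>\d\d:\d\d:\d\d\.\d+): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
# The interface shows up as "on Interface Gi1/0/1", "on Gi1/0/1," or
# "Interface GigabitEthernet1/0/1," depending on the facility.
IFACE_RE = re.compile(r"\b(?:on |Interface )+([A-Za-z]+\d[\d/]*)")
MAC_RE = re.compile(r"\(([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\)")
LONG_NAMES = {"GigabitEthernet": "Gi", "FastEthernet": "Fa"}


def normalize_iface(name):
    """Collapse 'GigabitEthernet1/0/1' to 'Gi1/0/1' so both spellings match."""
    for long_name, short in LONG_NAMES.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = datetime.strptime(m.group("time"), "%H:%M:%S.%f")
    iface = IFACE_RE.search(m.group("msg"))
    mac = MAC_RE.search(m.group("msg"))
    return {
        "secs": t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6,
        "mnemonic": m.group("mnemonic"),
        "iface": normalize_iface(iface.group(1)) if iface else None,
        "mac": mac.group(1) if mac else None,
        "msg": m.group("msg"),
    }


def find_violations(log, window=5.0):
    """One finding per PM-4-ERR_DISABLE security-violation event. It is
    tagged after_success when a DOT1X-5-SUCCESS on the same interface
    preceded it within `window` seconds, i.e. the port was shut down
    right after a client was admitted, as in the thread."""
    last_success = {}
    findings = []
    for raw in log.splitlines():
        ev = parse_line(raw)
        if not ev or not ev["iface"]:
            continue
        if ev["mnemonic"] == "DOT1X-5-SUCCESS":
            last_success[ev["iface"]] = ev
        elif ev["mnemonic"] == "PM-4-ERR_DISABLE" and "security-violation" in ev["msg"]:
            prev = last_success.get(ev["iface"])
            findings.append({
                "iface": ev["iface"],
                "mac": prev["mac"] if prev else None,  # the last admitted client
                "after_success": prev is not None and ev["secs"] - prev["secs"] <= window,
            })
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_LOG):
        print(finding)
```

In practice the input would be the switch's show logging output or the lines received by a syslog collector rather than SAMPLE_LOG; a finding with after_success set is the cue to check the port's host-mode and which domain the first client landed in before clearing the errdisable state.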