NAC OOB & Desktops with redundant/failover NICs

Similar Messages

• NAC OOB disconnection with IP Phone

  Folks,
  I have a question about NAC behavior, when i have a Ip phone connected, my workstation never goes down because
  even if I turn off that workstation my swichport still on Link UP state.
  Does anyone know how can I get around that issue?
  thanks a lot

  Hi,
  That is by design. The only instance when CAM will know that your PC is not on the network anymore (if it's behind an IP phone) is when a new MAC address is noted on the port. For this to work you have to use MAC-NOTIFICATION, and not the LINKUP-LINKDOWN traps on the CAM
  In the upcoming 4.8 release you'll have an option of notifying the CAM when you logoff the machine, but that is not out yet.
  HTH,
  Faisal

• Urgent-NAC OOB VG Deplyment

  hi all,
           Iam in the middle of design of NAC OOB Virtual Gateway.
  I have the following doubts regading the placement of NAC Server to my existing Network
  I have two Core ( redundancy -HSRP ) running VTP & 25 Edge Switches ( VTP Client )
  According to CISCO , we can place NAC Server either in the Core or distribution Switches only , not on the edge switches, in OOB Virtual Gateway deployment.
  But currently my existing core switches is not having copper connectivity, customer don't want to invest on core switches.
  so I have to forcefully move the NAC server to one of the EDge Switches with both interfaces ( trusted & untrusted ) connected to same Edge switch, but CISCO is not recommending to do so in NAC OOB VG Deployment.
  I need to know why we cannot place NAC server at one of the Edge Switches. ( NAC OOB VG Deployment ) , what are the issues behind that ?
  One more thing is that , as my Network is running VTP , what are the things to be consider during the design of NAC OOB VG Deplyment.
  Iam attaching the Network Diagram, Please go through that.
  Expecting your valuable suggestions.
  Regards
  Dileep

  Dileep,
  You can put them on the edges, but you have to make sure you extend all the VLANs necessary to that edge. It's just bad design, but I don't see why it won't work.
  Unfortunately you don't have enough details in the map you provided to get a more detailed answer :-)
  HTH,
  Faisal

• NAC OOB Configuration

  Hi!
  I'm implementing an NAC oob solution. tTe CAS and CAM are in the Data-center on an remote network, and i need to control the vlan's that my users access on my remote sites.
  How do i make them authenticate on the remote CAS? (the Cas is on an remote network)
  TKX
  Miguel

  Hi,
  Well, it looks like you are starting now, so I would advise to get in touch with the OOB concept and guidelines:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_oob.html.
  You have L2/L3 mode.
  You have OOB/InB mode.
  You have Real-Ip/Virtual gateway mode.
  You have 2 main VLANs for the clients: authentication (untrusted) and access (trusted) vlans.
  The goal is to make the client fall into the auth vlan prior to login, and the traffic flow through the CAS so that the CAS can permit/deny the client from passing traffic.
  You have also, nice chalk-talks where you can see VODs explaining the steps for configuring several features/deployments:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/prod_presentation0900aecd80549168.html.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Storage spaces + Hyper-V with multiple 1GBe nics for storage?

  Hi guys!
  So I just got my private cloud hardware. I actually put in the order before summer, but due to firmware and certification issues on my desired SuperMicro JBODs delivery was seriously delayed. So much that I've completely forgotten my networking ideas. I
  need help/verification. Or at least a URL - most described setups are 10 GBe nowadays... Or even a "not gonna work"  :-)
  My setup is supposed to be a 3 JBOD, 2 head node storage spaces/sfos cluster providing storage to a 4 node Hyper-V cluster. I didn't have a budget for a 10 GBe setup, but got a great price on a lot of 1 GBe nics. After allocating management, Hyper-V, etc
  I have 3x 1 GBe ports left on all Hyper-V and Storage servers. 
  I think my original plan was to create three subnets and add one nic from each server. And then I guess I've imagined some kind of SMB3 magic discovering these paths between Hyper-V and storage and just aggregating bandwitdh and providing fault tolerance
  by sprinkling fairy dust. Must have been the heat...
  So now I'm "replanning" and I realize that I'm going to create a failover cluster at the storage level providing a cluster name and IP. I'm thinking the management subnet where domain info resides is appropriate, but then what about the other three
  subnets? I don't want to flood my management subnet with storage traffic, but do want bandwidth and resilience. Did I make a design error, and how do I make the best of the situation?
  Disclaimer: My previous experience on virtualization clusters is ISCSI SAN and 2008 R2 Hyper-V clusters. Storage Spaces is completely new to me :-)
  And due to overlapping technologies I struggled a bit on placing this thread. Hope I got it right

  Hello,
  i did not understand how many NICs you have in each Host. Hyper-V Cluster with 1 GBe NICs work as long as you know that it is not 10 GBe.
  In this article is the complete Hyper-V Cluster design in checklist form. I think you should work with this list for some further ideas:
  http://blogs.technet.com/b/askpfeplat/archive/2013/03/10/windows-server-2012-hyper-v-best-practices-in-easy-checklist-form.aspx
  Sorry that i cant give a better answer, but i lack information about about your environment.
  Regards,
  Thomas
  Thomas Hanrath [MCT | Regional Lead Germany] |
  http://www.hanrath.de
  Microsoft Learning Blog |
  http://blog.microsoftlearning.de
  MCSE | Private Cloud

• Windows Server 2012: SMB share with transparent failover

  Have a nice day to all!
  I have 2 HP Proliant DL380P Gen8 servers containing 8 x 1TB disks (with P420i HP Smart Array RAID Controller) in each server.
  So, there are 2 arrays on every server:
  1. 2 x 1TB in RAID1 (+1 disk for hot swap) - system volume
  2. 5 x 1TB in RAID5 (+1 disk for hot swap) - data volume
  And I installed Windows Server 2012 Standard on each server.
  Than I created a failover two-nodes cluster.
  And now I want to create a SMB share with transparent failover for all the second (data) volume (it's about 3.3TB in RAID5 array). How just can I reach this goal? I'm going to use it in future for Hyper-V VMs, so, the main reqirement is powered-on and working
  VMs even if one node of SMB share cluster is failed.
  I wasn't able to see my volumes in failover cluster manager. I tried to create iSCSI targets, storage pools, virtual disks, etc. but no luck. My failover cluster manager can't see it to create SMB share!
  Can anyone advice me something?
  Thanks in advance!

  Have a nice day to all!
  I have 2 HP Proliant DL380P Gen8 servers containing 8 x 1TB disks (with P420i HP Smart Array RAID Controller) in each server.
  So, there are 2 arrays on every server:
  1. 2 x 1TB in RAID1 (+1 disk for hot swap) - system volume
  2. 5 x 1TB in RAID5 (+1 disk for hot swap) - data volume
  And I installed Windows Server 2012 Standard on each server.
  Than I created a failover two-nodes cluster.
  And now I want to create a SMB share with transparent failover for all the second (data) volume (it's about 3.3TB in RAID5 array). How just can I reach this goal? I'm going to use it in future for Hyper-V VMs, so, the main reqirement is powered-on and working
  VMs even if one node of SMB share cluster is failed.
  I wasn't able to see my volumes in failover cluster manager. I tried to create iSCSI targets, storage pools, virtual disks, etc. but no luck. My failover cluster manager can't see it to create SMB share!
  Can anyone advice me something?
  Thanks in advance!
  You need to have your storage you want to export as being a shared storage visible to your cluster (part of CSV). Then you'll configure failover file shares using content accessible from both cluster nodes. Refer to this manual for diagrams (ignore StarWind
  and replace it logically with your existing shared storage you've used to create your cluster):
  http://www.starwindsoftware.com/configuring-ha-file-server-on-windows-server-2012-for-smb-nas
  Also see these manuals from MS on how to create failover file server:
  http://technet.microsoft.com/en-us/library/cc753969.aspx
  http://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx
  http://blogs.technet.com/b/askcore/archive/2010/08/19/working-with-file-shares-in-windows-server-2008-r2-failover-clusters.aspx
  However if you want to use existing storage located on the both nodes you're out of luck. Microsoft does not provide anything representing local DAS to the cluster nodes. If you want to use existing DAS then you'll have to stick with a third-party product
  like StarWind, SteelEye or DataCore. To create something like in this picture:
  So you'll have a configuration with only two nodes, no physical shared hardware (SAS JBOD, FC or iSCSI) and vSAN. Refer to this manual:
  http://www.starwindsoftware.com/ns-configuring-ha-file-server-for-smb-nas
  Hope this helped :)
  StarWind iSCSI SAN & NAS

• NAC OOB VIRTUAL GW PROBLEM

  Hi,
  I am trying to setup a NAC OOB Virtual GW Scenario (attached is the visio schematic of the setup):
  Switch: 3550 (ios 12.2(46) adv ip serv)
  NAC 4130 appliances: v4.1.6 (also tried v4.5)
  Switch Configuration of the trunks to the CAS):
  - int f0/23 (connected to CAS e0) -> dot1q trunk with native vlan 999 and allowed vlans 199 (mgt vlan of cas) and 10 (hosts access vlan)
  - int f0/21 (connected ro CAS e1) -> dot1q trunk with native vlan 998 and allowed vlans 100 (hosts authentication vlan)
  - SVIs on switch: 199, 10, 200 (CAM mgt vlan), 99 (dns, dhcp)
  The problem I am facing is that the host once connected to a managed port is able to acquire an ip from the access vlan from the dhcp server but is not redirected to the login page. I tried to follow some hints provided in previous posts but none of them worked for me. I configured the following:
  - Login Page
  - Configured IP based traffic control on the unautheticated role to permit all traffic (also host based to permit https://192.168.199.1 -> cas' ip with trusted dns my dns server 192.168.99.1)
  - Managed subnet with unused ip in access vlan (192.168.10.253) and vlan id that of the auth vlan (100)
  - vlan mapping between untrusted vlan 100 and trusted vlan 10
  - tried to access a resolvable website by my dns from the host (as per the suggestion from a previous post for someone who was facing the same prob)
  - also tried to access the cas' login page from the host with vain, eventhough it is accessible from trusted subnets
  Note: I followed the configuration guide of both v4.1.6 and v4.5 and with both versions I was facing the same problem.
  I would be very thankful for any hints to help me solve this issue.
  Questions: When the host is connected to a managed host (assigned to the managed vlan 100) and it is assigned an ip from the a access vlan 10. Shouldn't I be able to access the managed subnet case I configured ip traffic control policy to permit all traffic from untrusted to trusted? also shouldn't I be able to resolve website's ip with "nslookup x.com" since dns traffic is by default configured and also trusted dns server 192.168.99.1 is configured?
  Thanks in advance for any help.

  It arised to be that the 3550/3560/3750 are not supported for Central Deployment. The problem is solved.
  Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment
  For Cisco Clean Access (NAC Appliance) in In-Band Central Deployment mode, when a Cisco Catalyst 3560/3750 series switch is used as a Layer 3 switch and if both ports of the Clean Access Server (CAS) are connected to the same 3560/3750 switch, the minimum switch IOS code required is Cisco IOS release 12.2(25)SEE.
  Because caveat CSCdu27506 is not fixed on the Catalyst 3550 series switch, when the Catalyst 3550 is used as a Layer 3 switch, it cannot be used in NAC Appliance In-Band Central Deployment.
  For further details, refer to switch IOS caveat CSCdu27506:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCdu27506
  See also Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB).
  Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)
  Table 6 describes Cisco Catalyst switch model support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band deployments (OOB). This table is intended to clarify CAS network deployment options when connecting the CAS in Virtual Gateway (bridge) mode to the switches listed.
  Table 6 Switch Support for CAS Virtual Gateway In-Band/OOB VLAN Mapping Feature
  Cisco Catalyst Switch Model Virtual Gateway
  Central Deployment
  (both interfaces into same switch) Edge Deployment
  (each interface into different switch)
  6000/6500 Yes Yes
  4000/4500 Yes Yes
  3750/3560 (L3 switch) Yes with 12.2(25) SEE and higher 1
  Yes
  3550 (L3 switch) No 1
  Yes
  3750/3560 (L2 switch) Yes Yes
  3550 (L2 switch) Yes Yes
  2950/2960 Yes Yes
  2900XL No 2
  Yes
  3500XL Yes Yes
  28xx NME Yes with 12.2(25) SEE and higher 1
  Yes
  1 Due to switch caveat CSCdu27506. See Cisco Catalyst 3550/3560/3750 and NAC Appliance In-Band Central Deployment for details.
  2 2900 XL does not support removing VLAN 1 from switch trunks.

• NAC - OOB - Virtual IP - users lost connecti

  Hi.
  So my problem is the follow:
  I have i my customer a NAC OOB - Virtual Ip Gateway.
  So, we have a many port profiles. Each Port profile witch its own authentication vlan and access vlan, for example:
  TI -  auth vlan 585 -  access vlan 85
  ENGINEERING - auth vlan 586 - access vlan 86
  And works very very fine.
  BUT
  There is a common location called PLATFORM (auth vlan 587, access vlan 87) where, to put port profile on each User interface on the switch after 20 minutes or less, the machines that are on this profile (VLANs 587, 87) lose network connectivity, without bounce.
  I checked and, some machines for no reason, are changed to vlan authentication without snmp Linkdown and even get stuck in with User certifield device list.
  Other machines remain in vlan access, but lose all connectivity to the network without ping gateway and any other device.
  Another vlan (for ex: vlan 1) that is not controlled by NAC continues to communicate normally.
  I tried to see any logs on the switch but could not see anything abnormal (yet).
  Other locations with others port profiles work normally.
  The uplinks on this switches and interfaces users dont have any CRC or errors.
  Could anyone help me? This is causing problems in my account.

  Hi,
  I understand then that the clients are not connecting through local or SSO mode, is that correct?
  I would suggest 3 things so far:
  1. Check the logs on the switches where the CAS's are connected, I had a similar problem where CAS would stop responding and the switches would complain about vlan mismatch or mac flapping, if you notice errors on the switches verify that you have:
  * Vlan mapping enabled correctly
  * Different native VLAN on the switch interface for trusted and untrusted CAS ethx.
  * The correct vlans configured on each port: for untrusted just the authentication (layer 2) vlans, for trusted interface the access vlan (20) and the management vlan.
  2. Enable the management vlan tag on the trusted interface of the CAS and use your CAS management vlan.
  3. On the CAM go to the Clean access server section, manage one of your CAS's, the first window will show the services currently running on the CAS, verify if the SSO service is running, if it's not running, verify the configuration. If it's not allowing you to enable it, verify the time settings on your devices, the AD user and all the other settings needed for this to work.
  Hope this helps,
  Regards,

• NAC OOB and 6500 in Virtual Switch Mode

  Is there any issue or special care to implement NAC OOB in Central Deploy, VGW, using AD SSO for wired clients where the Core Switch is a pair of 6500 in Virtual Switch Mode?
  The customer uses Radius IAS for authentication. How does it fit with the AD SSO?

  Hi Bruce,
  I am afraid there are some arguments missing in your db command.
  To manually add the OID of  Cat4507R+E to CAM's database here is the  procedure to do this.
  [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "INSERT INTO supported_switch VALUES ('1.3.6.1.4.1.9.1.1286', '4', 'Cisco Catalyst 4507 R+E')" INSERT 0 1
  psql: warning: extra command-line argument "INSERT" ignored
  psql: warning: extra command-line argument "0" ignored
  psql: warning: extra command-line argument "1" ignored
  INSERT 0 1
  Then to make sure it is there:
  [root@cca-3140-cam ~]# psql -h localhost -U postgres controlsmartdb -c "SELECT * FROM supported_switch" | grep 1286
  The output should be:
  1.3.6.1.4.1.9.1.1286      |     4 | Cisco Catalyst 4507 R+E
  Restart perfigo service on NAC Manager and try to manage the switch  using the model used by the above command.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• NAC OOB L2 VG Managed Subnet

  I have configured OOB Virtual Gateway. However, the CAS fail to detected and redirect to the login web page.
  sometime i change the managed subnet, I work...
  I wonder what exact IP address should be typed into the managed subnet?
  Suppose I have 10 trust VLANs (10,11,12,13 ...) , and i create related 10 untrusted VLAN (20,21,22,23...)
  IP address for VLAN 10: 192.168.10.0/24
  IP address for VLAN 11: 192.168.11.0/24
  IP address for VLAN 12: 192.168.12.0/24
  IP address for VLAN 13: 192.168.10.0/24
  I have tried 4.1.x version of CAM/CAS, the page allowed us to input subnet address.
  However, in 4.5.x or above, we must input host ip address. Now i upgraded to 4.7.2 versions, what IP address and VLAN should i type into this page?
  192.168.10.254/24 VLAN20
  192.168.11.254/24 VLAN21
  192.168.12.254/24 VLAN22
  192.168.13.254/24 VLAN23
  or
  192.168.10.254/24 VLAN10
  192.168.11.254/24 VLAN11
  192.168.12.254/24 VLAN12
  192.168.13.254/24 VLAN13
  also, I wanna to ask the Network page of CAS. The Set management VLAN ID of untrust interface should set to "0" ,"left it blank" or "one of trust VLAN"??
  I'm green hand in NAC...hope someone guide. Many Thanks

  Successful to get IP NOW... coz some VTP set to transparent and can't learn all VLAN.
  Even that... some issues i face.. Since User Flat network is big enough and cover thousand of switches. I find some characteristic ..
  The big flat network is using "3750 stack" as core switch. The version of IOS is 12.2(25). I did check with doc.
  Extracted as below:
  Stacked Cisco Catalyst 3750 Switches and NAC Appliance Out-of-Band Deployment
  For Cisco Clean Access (NAC Appliance) customers with OOB deployments running stacked Cisco Catalyst 3750 switches with Cisco IOS 12.2(25) SEC2 or lower, SNMP mac-notifications can fail, and SNMP does not report MAC addresses to the OOB Clean Access Manager and Server.
  So.................... my Question is:
  Although this Switches might fail to snmp notification to CAS/CAM, all other switches connected to this 3750 would fail to report snmp notification also???
  My case seems like all switches connected away from the switch connected to CAS/CAM is success performing login and authentication by CAS, However, all switches connected to this core 3750 fail to perform the login ..even no login page find..
  SW1 --- 3750 -- SW2 --- SW3 --CAS & CAM
  SW2 and SW3 could success performing CAS login.
  SW1 fail to get login page and fail to do authentication. But could get DHCP and stuck in untrust VLAN.

• NAC OOB Logoff feature workaround ?

  Hi,
  We have a NAC OOB, Real-Ip Layer2 setup and the new option "Logoff Clean Access Agent users from network on their machine logoff or shutdown" does not apply when using OOB mode (which is annoying). Anybody found a way to make sure that when a users logs off from his PC he's automatically put back to the authentication VLAN ? We thought of maybe put a program in Windows XP logoff script that would disable/enable the NIC card but it seems a bit tricky...
  I'm sure I'm not the only one who's trying to find a solution for this. Hopefully Cisco will support this feature right from the clean access agent in a future release...
  Thanks.
  Dominic

  for now we are waiting for the feature to become available from Cisco in Q2 or Q3 of 2007.
  And yes, we are using SSO in a Windows XP - Windows 2003 environment.
  Dominic

• Using multiple desktops with a 4 finger swipe on a Mac Book Pro running Lion- is there a way that I can allow Safari open on several but not all??  Looks like I can set it for one but not others.  All, one, or nothing

  Using multiple desktops with a 4 finger swipe on a Mac Book Pro running Lion- is there a way that I can allow Safari open on several but not all??  Looks like I can set it for one but not others.  All, one, or nothing

  Hey Eric,
  Thanks for taking the time. Unfortunately no that does not solve it. Same as swipe it will get me there and it will show separate programs spaced out. The issue I am having is that all my open word files are bunched up in a pile on top of each other. I can see the edges of each one but I want them to be separated from each other enough that I can visually identify what file is what.
  Again, thanks for trying, it is appreciated.

• Photosmart D7160 connected to desktop with Windows XP, issues with new laptop & network printing

  We have a Photosmart D7160 connected to our desktop that runs Windows XP. I just got a new Acer laptop that runs Windows 7 (64bit). We set up a network to connect to the internet and so I can access documents that had been made on the desktop. I have not had issues using the printer off the desktop with any programs. I installed a creative program to create flyers, cards, etc onto the laptop. Same one as on the desktop. When trying to print off the laptop, I can not access the whole options on the printer. I forget the name of the options I want (maybe called printing preferences) but I would like to choose wether I am using the photo tray or presentation printing or economy printing, etc. I can only choose print.  That is not  good for printing cards, etc. I had made a recipe care template with that program and wanted to print one out.
  What have I not done in setting up my laptop? I tried the to "add a printer" on a network and that did not fix my issue. Any help is appreciated. thanks.

  Hi Bayratlj
  Dunno if you've sorted your problem out, but I had exactly the same problem with a HP Photosmart 3100. I found some advice on http://discussions.apple.com/thread.jspa?messageID=6201674 regarding the firewall on the Mac and yes that is the problem. But as you'll see with my last post in that topic I cant figure out how to keep my firewall on AND have printer sharing. Just allowing printer sharing in the firewall settings is no help.
  Cheers

• Problem with redundancy in CSS 11051

  I have a problem with redundancy in CSS 11051. I use firewall load balancing and server load balancing. Load balancers which only load balance over 3 firewall switch from primary to master with no problems.
  problem is with load balancers which load balance over firewalls and over servers two. whene the master is shutdown, backup keeps master function, all services on backup LB are alive, but it is not possible to display web page on address 10.10.7.16. Even if I try from the network 10.10.7.0/24, so before firewalls. below my config. any help appreciate.
  ===primary LB=====
  !Generated on 10/30/2002 10:42:53
  !Active version: ap0500002
  configure
  !*************************** GLOBAL ***************************
  ip redundancy master
  no console authentication
  restrict ftp
  app
  app session 10.10.60.13
  ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
  ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
  ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
  ip route 0.0.0.0 0.0.0.0 firewall 1 1
  ip route 0.0.0.0 0.0.0.0 firewall 2 1
  ip route 0.0.0.0 0.0.0.0 firewall 3 1
  ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.22.0 255.255.255.0 10.10.3.1 1
  !************************* INTERFACE *************************
  interface e1
  phy 100Mbits-FD
  bridge vlan 62
  interface e2
  phy 100Mbits-FD
  bridge vlan 7
  interface e3
  bridge vlan 3
  interface e4
  phy 100Mbits-FD
  bridge vlan 7
  interface e5
  phy 100Mbits-FD
  interface e6
  phy 100Mbits-FD
  bridge vlan 6
  interface e7
  phy 100Mbits-FD
  interface e8
  phy 100Mbits-FD
  bridge vlan 6
  !************************** CIRCUIT **************************
  circuit VLAN62
  ip address 10.10.60.14 255.255.255.252
  redundancy-protocol
  circuit VLAN7
  redundancy
  ip address 10.10.7.10 255.255.255.0
  circuit VLAN3
  redundancy
  ip address 10.10.3.10 255.255.255.0
  no redirects
  circuit VLAN6
  redundancy
  ip address 10.10.6.10 255.255.255.0
  !************************** SERVICE **************************
  service cc1
  ip address 10.10.3.129
  keepalive type tcp
  keepalive port 443
  service cc2
  ip address 10.10.3.130
  keepalive type tcp
  keepalive port 443
  active
  service ssl1
  ip address 10.10.6.131
  keepalive port 443
  keepalive type tcp
  active
  service ssl3
  ip address 10.10.6.133
  keepalive port 443
  keepalive type tcp
  active
  service ssl4
  ip address 10.10.6.141
  keepalive type tcp
  keepalive port 443
  active
  service ssl6
  ip address 10.10.6.143
  keepalive port 443
  keepalive type tcp
  active
  service www1
  ip address 10.10.6.101
  keepalive type tcp
  keepalive port 443
  weight 2
  active
  service www3
  ip address 10.10.6.103
  keepalive type tcp
  keepalive port 443
  active
  service www4
  ip address 10.10.6.121
  keepalive port 443
  keepalive type tcp
  active
  service www6
  ip address 10.10.6.123
  keepalive type tcp
  keepalive port 443
  active
  !*************************** OWNER ***************************
  owner L5_Owner
  content L5_Rule
  vip address 10.10.7.6
  application ssl
  protocol tcp
  port 443
  url "/*"
  add service www1
  add service www3
  add service www4
  advanced-balance sticky-srcip
  add service www6
  balance weightedrr
  active
  content L5_Rule_CC
  vip address 10.10.3.120
  advanced-balance sticky-srcip
  add service cc1
  add service cc2
  active
  content L5_Rule_SSL
  vip address 10.10.7.16
  application ssl
  protocol tcp
  port 443
  url "/*"
  add service ssl1
  add service ssl3
  add service ssl4
  advanced-balance sticky-srcip
  add service ssl6
  active
  !*************************** GROUP ***************************
  group CC
  vip address 10.10.3.120
  add destination service cc1
  add destination service cc2
  active
  ======
  ===backup LB=====
  !Generated on 10/29/2002 20:47:30
  !Active version: ap0503015
  configure
  !*************************** GLOBAL ***************************
  ip redundancy
  console authentication primary none
  restrict ftp
  app
  app session 10.10.60.14
  ip firewall 1 10.10.7.1 10.10.8.1 10.10.8.10
  ip firewall 2 10.10.7.2 10.10.8.2 10.10.8.10
  ip firewall 3 10.10.7.3 10.10.8.3 10.10.8.10
  ip route 0.0.0.0 0.0.0.0 firewall 1 1
  ip route 0.0.0.0 0.0.0.0 firewall 2 1
  ip route 0.0.0.0 0.0.0.0 firewall 3 1
  ip route 10.10.1.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.2.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.12.0 255.255.255.0 10.10.3.1 1
  ip route 10.10.14.0 255.255.255.0 10.10.3.1 1
  !************************* INTERFACE *************************
  interface e1
  phy 100Mbits-FD
  bridge vlan 62
  interface e2
  phy 100Mbits-FD
  bridge vlan 7
  interface e3
  phy 100Mbits-FD
  bridge vlan 3
  interface e4
  phy 100Mbits-FD
  bridge vlan 7
  interface e5
  phy 100Mbits-FD
  interface e6
  phy 100Mbits-FD
  bridge vlan 6
  interface e7
  phy 100Mbits-FD
  interface e8
  phy 100Mbits-FD
  bridge vlan 6
  !************************** CIRCUIT **************************
  circuit VLAN62
  ip address 10.10.60.13 255.255.255.252
  redundancy-protocol
  circuit VLAN7
  redundancy
  ip address 10.10.7.10 255.255.255.0
  circuit VLAN3
  redundancy
  ip address 10.10.3.10 255.255.255.0
  no redirects
  circuit VLAN6
  redundancy
  ip address 10.10.6.10 255.255.255.0
  !************************** SERVICE **************************
  service cc1
  ip address 10.10.3.129
  active
  service cc2
  ip address 10.10.3.130
  active
  service ssl1
  ip address 10.10.6.131
  keepalive port 443
  keepalive type tcp
  active
  service ssl3
  ip address 10.10.6.133
  keepalive port 443
  keepalive type tcp
  active
  service ssl4
  ip address 10.10.6.141
  keepalive type tcp
  keepalive port 443
  active
  service ssl6
  ip address 10.10.6.143
  keepalive port 443
  keepalive type tcp
  active
  service www1
  ip address 10.10.6.101
  keepalive type tcp
  keepalive port 443
  weight 2
  active
  service www3
  ip address 10.10.6.103
  keepalive type tcp
  keepalive port 443
  active
  service www4
  ip address 10.10.6.121
  keepalive port 443
  keepalive type tcp
  active
  service www6
  ip address 10.10.6.123
  keepalive type tcp
  keepalive port 443
  active
  !*************************** OWNER ***************************
  owner L5_Owner
  content L5_Rule
  vip address 10.10.7.6
  protocol tcp
  port 443
  url "/*"
  add service www1
  add service www3
  add service www4
  advanced-balance sticky-srcip
  add service www6
  balance weightedrr
  active
  content L5_Rule_CC
  vip address 10.10.3.120
  advanced-balance sticky-srcip
  add service cc1
  add service cc2
  active
  content L5_Rule_SSL
  vip address 10.10.7.16
  protocol tcp
  port 443
  url "/*"
  add service ssl1
  add service ssl3
  add service ssl4
  advanced-balance sticky-srcip
  add service ssl6
  active
  !*************************** GROUP ***************************
  group CC
  vip address 10.10.3.120
  add destination service cc1
  add destination service cc2
  active
  =======

  Please visit the folloiwing page where you can find many configuration examples on configuring CSS for Load Balancing.
  http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_configuration_examples_list.html
  Hope it helps.

• How to add shortcuts to user Start Menu and Taskbar or Desktop with using Microsoft Office 2013 Config file.

  Hello,
  How can i add the shortcuts for Office 2013 feature (Word, excel, ext) to the users taskbar or desktop with using config.xml file while installing the Microsoft Office 2013 from SCCM?
  I know how to do that with OCT, but i have another problem if i use OCT. So i have to do it with Config.file, but i don't know which code can i write on config.xml file to create shortcut on desktop or taskbar...
  Regards,

  Hi
  There is a known issue about
  changing the shortcut location for an Office 2013 application:
  When you try to change the shortcut locations for Office 2013 applications in the Office Customization Tool (OCT), you receive the following error message:
  Invalid start in folder. Please try again.
  Then, you add the Start in location for Office 2013 and run a customized installation. When you double-click the shortcuts that are displayed on the desktop, Configure shortcuts does
  not work and you receive the following error message: 
  Sorry, we couldn’t find your file. Is it possible it was moved, renamed or deleted?
  To work around this issue, type a single open bracket ([) in the Start in
  field.  
  In addition, refer to the link below on "Configure shortcuts" in OCT:
  http://technet.microsoft.com/en-us/library/cc179097.aspx#Configure_shortcuts
  Regards
  Tylor Wang
  TechNet Community Support