Named ACL issue

Hi all
---R1------R2
Both R1 and R2 run EIGRP. Now there are the prefixes 172.16.(1~255).0/24 and the summary prefix 172.16.0.0/16 coming into R1.
Here is the problem: they require that only "PERMIT" and a named ACL be used at R1's interface which links to R2 to deny the prefix 172.16.10.0/24 into R2.
What shall I do?
Thanks in advance!

Hi Matthew,
Could you please explain the task more clearly? I'm a little confused:
The summary prefix 172.16.0.0/16 comes from R2-to-R1.
I believe the task is to deny prefix 172.16.10.0/24 coming from R2-to-R1.
Are there any other conditions?
Can I remove and change the summarization on R2?
Is there a limitation on the number of acl statements on R1?
Cheers:
Istvan
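
One way to meet a permit-only requirement, shown as an added example that is not part of either post: permit every third-octet value except 10 with wildcard masks and let the ACL's implicit deny drop 172.16.10.0. It assumes the named standard ACL is used as a route filter that matches each prefix's network address; the ACL name and function names are hypothetical.

```python
import ipaddress

def complement_entries(excluded, bits=8):
    """(value, wildcard) pairs that together match every value except `excluded`."""
    entries = []
    for i in range(bits - 1, -1, -1):
        wildcard = (1 << i) - 1                      # bits below i are "don't care"
        keep = ((1 << bits) - 1) & ~wildcard         # bit i and everything above it
        value = (excluded ^ (1 << i)) & keep         # same high bits, bit i flipped
        entries.append((value, wildcard))
    return entries

def permit_lines(base="172.16.0.0", excluded=10):
    """Render the permit statements for the third octet of `base`."""
    b = int(ipaddress.IPv4Address(base))
    lines = []
    for value, wildcard in complement_entries(excluded):
        net = ipaddress.IPv4Address(b | (value << 8))
        wc = ipaddress.IPv4Address(wildcard << 8)    # last octet must stay 0
        lines.append(f"permit {net} {wc}")
    return lines

def acl_permits(network, lines):
    """First-match evaluation of a standard ACL, ending in the implicit deny."""
    ip = int(ipaddress.IPv4Address(network))
    for line in lines:
        _, net, wc = line.split()
        care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
        if (ip & care) == (int(ipaddress.IPv4Address(net)) & care):
            return True
    return False                                     # implicit deny

def filtered_prefixes(lines):
    """Network addresses 172.16.x.0 that the ACL does not permit."""
    return [f"172.16.{x}.0" for x in range(256)
            if not acl_permits(f"172.16.{x}.0", lines)]

if __name__ == "__main__":
    acl = permit_lines()
    print("ip access-list standard PERMIT_ONLY")     # hypothetical ACL name
    for entry in acl:
        print(" " + entry)
    print("filtered:", filtered_prefixes(acl))
```

The summary's network address 172.16.0.0 falls inside the `172.16.0.0 0.0.7.0` entry, so it is still permitted.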

Similar Messages

  • Named ACL and ACE numbering

    I created a new extended named ACL and entered a few ACEs numbered 10,20,30,100,110,1000 to give them plenty of space apart. When I reload the switch, the numbering has disappeared and they are all spaced 10 apart. Why does this happen and is there a way to maintain larger spaces? I am thinking that in time I may come to make many modifications to the ACL and the gap between two entries may reduce to nothing. I am not going to reload my switch just to reset the gaps and I would rather not remove the ACL completely and replace it to achieve the same.
    thanks for any advice
    Chris

    The ACL is stored in RAM initially. When you display your access-list, for instance, you see the sequence numbers. When you display your running configuration you don't see them.
    Are you using ip access-list or the traditional access-list?
    ip access-list extended Popey
    10 permit ip host 10.10.10.10 any
    100 permit ip 10.10.20.0 0.0.0.255 any
    1000 deny ip any any

  • 3850 mobility - - named ACLS From ISE

    Hi all
    I'm in the middle of testing Downloadable ACLs on a 3850 MC. I set it up in ISE and it works well on a 2960. But as you know,
    when I use a DACL with the WLC (3850), ISE just sends the ACL name, and the WLC gets that ACL name and then the ACL takes effect.
    But I think ISE sends an ACL name but the WLC is not working... I already double-checked the ACL name... and... what?
    So do you have any document for this? Step by step.
    thank you

    Thank you, salodh.
    OK, not downloadable ACLs on the WLC. What I want to know is whether ISE can give a named ACL to the WLC so that the ACL works on the
    WLC for wireless clients. Am I clear?
    I configured the WLC's ACL in ISE and also made the same ACL on the WLC, but the ACL didn't work.

  • Does QPM 4.1 support Named ACLs

    Could anyone help with this? I downloaded a trial version of QPM and I am trying to import a QoS policy from our switches, and it's failing as the ACLs used for classification on the switches are Named ACLs. Does QPM support Named ACLs or not?

    A lot of it stems from the large and complex nature of the models we employ. Hardly a week goes by that we don't grind to a halt due to a bug in jpox. That then leads to the thorny problem of trying to discuss the problem on the jpox forums, where there are basically only two members that know the product well enough to help... Net result, they are overwhelmed, and from one of them it comes across in the rudeness of replies. This puts people off, including us.
    I contrast this with the Hibernate and Spring communities, which I have personally been involved with and found to be both thriving and rewarding.
    A bit of QA and respectful support will be wonderful. We are happy to pay a company for that because of the man hours it saves. I sincerely hope that Kodo JDO works out for us.

  • PLM Web UI ACM/ACL issue

    Hi All,
    I am configuring PLM Business package/ Web UI in portal. Version EHP4. (PLM Web UI)
    Every screen (Material, BOM) is giving me the error "Authorizations are missing". I know this is a trusted user issue.
    I provided the role "SAP_PLMWUI_TRUSTED_USER_ALL" in the ECC system.
    How can I fix the problem? Which roles do I need to assign to resolve the problem? FYI, documents are working fine, because documents are not part of ACM.
    2. I am looking in SAP Help for authorizations, but there are no detailed steps to set up ACM/ACL.
    3. How can I generate the Root Context? There is a program we can run in SE38. But before that I need to assign the Context Admin role in IMG. Which role do I need to assign as Context Admin?
    I appreciate your help. Thanks in Advance.
    Regards
    Mark

    administrator can set up the whitelist in Customizing for SAP NetWeaver under SAP
    Web Application Server Web Dynpro ABAP Set-Up Active Controls Whitelist .
    o The whitelist has to be named DEFAULT.
    o File Extension
    All files of this type can be executed in an external program by using the
    Customizing option %auto%. For more information see Customizing for Logistics
    General under Product Lifecycle Management PLM Web User Interface
    Objects Document in PLM Web UI Define Workstation Application
    o Application
    Enter applications to be used for viewing or editing a file.
    o Download
    Enter at least one directory and one server. The system opens the directory and
    all subdirectories for the download.
    o Upload
    Enter at least one directory and one server. The system opens the directory and
    all subdirectories for the upload.
    Make an entry for each option (File Extension, Application, Download,
    Upload).
    o Find the correct server name for upload and download
    Working with a local whitelist in a SAP system requires a certificate for the system used.
    The administrator must download the certificate using transaction WDR_ACF_GEN_CERT.
    Alternatively, the administrator can create the new certificate in Customizing for SAP
    NetWeaver under Application Server Web Dynpro ABAP Generate Certificate for
    Whitelist
    3. Each user has to install the certificate using transaction ACF_WHITELIST_SETUP.
    Alternatively, the user can install the certificate via Customizing for SAP NetWeaver
    under Application Server Web Dynpro ABAP Activate Active Controls Whitelist .
    o The provided list of whitelists is only for display reasons. The certificate is always
    installed for the DEFAULT whitelist.
    o You have to install the certificate after each change of the DEFAULT whitelist

  • Robocopy ACL Issue

    Hello,
    I am trying to copy a folder from one server to another using Robocopy in Windows 2008.  The security permissions on the folder (ACLs) are not copying properly.
    Folder Details:
    Folder #1 on Server A has the following ACLs: Domain Admin -> Full Control, UserX -> Full Control
    When I use robocopy with the /copyall parameter and copy Folder #1 from Server A to Server B, it is missing the "UserX" permission under the security tab.  The parent folder on Server B does not have inheritance turned on and its security is set to Domain Admin -> Full Control.  Why aren't my security/ACLs (namely the permissions for USERX) copying properly?
    Thanks in advance,
    D

    I came across this thread because I have been researching the very same issue. Likewise I am running Windows Server 2008 X64 SP2 on both servers.
    Be wary of those who throw out suggestions to check your syntax, yet are not intimately familiar with this issue. Many people making such suggestions often do not know what the different versions of Robocopy are, what limitations each version has, how to get each version or what has changed syntax-wise from version to version. Yet they talk with authority. This has always been and will always be part of open public forums. Of course we should always look at our syntax. However this seems to be an issue with the new version of Robocopy.
    I haven't hammered the solution down yet, but here are some things to try:
    1) Note that many people on other forums are saying that if the source has inheritance turned on, then Robocopy will not copy the permissions over, especially those at the root of a drive. Others have suggested turning off inheritance on the source. I don't like that solution. I turn on inheritance for a reason.
    2) I have tried copying one level down from the root with some success. For example, instead of this:
    Robocopy.exe \\server1\e$  e:   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1 (or whatever your parameters are...)
    try going down one level...
    Robocopy.exe \\server1\e$\folder1  e:\folder1   /TEE /S /E /COPY:DATS /PURGE /R:1 /W:1
    I don't like this solution either. It is so much simpler to copy from the root of one drive to the root of another drive on another server. I don't want to have to do extra scripting to gather the names of the folders one level below the root and then add For Loops to my script.
    3) In some forums people are suggesting to use Robocopy to copy data and icacls.exe to handle the permissions, at least on the root. I plan to explore this option next. Once again, I don't like the solution. I expect Robocopy to be able to handle this.
    Of course I'll eat my shoe if it turns out that Robocopy works just fine and I simply don't have the right syntax.

  • TopLink named query issue

    We are using Jdeveloper 10.1.3.3, TopLink, ADF JSF Faces. I have an issue with a TopLink named query. I am passing a value to a parameter defined in the TopLink named query. The problem is that the parameter value is not being set when the JSP page is loading for the first time, and the TopLink named query is not returning any results. Only when I click a button or refresh the page or perform some user action is the parameter value set in the TopLink named query and the query results returned. Is this a TopLink issue, or is there any way to invoke an action to fire the TopLink named query with the parameter value being passed at the time of loading the JSP page?
    Our project is held up due to this issue and I will highly appreciate if someone can help on this?
    Thanks in Advance.

    Go to your toplink map in the application navigator, select the descriptor in the structure pane and then click on the "Queries" tab in the editor pane. You should be able to configure your named query there.
    Hope this helps.
    Anuj

  • Acl issue in L3 Switch SVI

    HI
    I expect a number of issues like this have been reported. I am getting confused about the direction of an ACL when it is on a router's physical interface and when it is on a Layer 3 switch SVI interface. I think my understanding of ACLs needs to be cleared up; I need your kind input please.
    I have a L3 switch with 3 vlans
    Vlan 1 - Routing-Vlan (Connecting to another network directly) - 172.16.1.254 /24 (connects to another router somewhere in another network on 172.16.1.1/24)
    Vlan 10 - Server-Vlan - 172.16.10.1/24
    Vlan 11 - User-Vlan - 172.16.11.1/24
    I want to allow only specific network to come inside to my network to access all the subnets, other all must be blocked.
    I want all in my network to access any thing outside the network.
    i tried to configure acl as below-
    access-list 101 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    int vlan 1
    ip add 172.16.1.1 255.255.255.0
    ip access-group 101 in
    When I am trying from outside (172.16.100.1) -
    Ping 172.16.10.1 - Good (expected)
    Ping 172.16.11.1 - NOT (expected)
    When I am trying to ping from inside Server-Vlan (172.16.10.1)
    Ping 172.16.100.1 - Good
    The problem -
    When i am trying to ping from inside User-Vlan (172.16.11.1) to go outside to 172.16.100.1 am not getting reply
    what is wrong happening here in this scenario?
    regards
    Sunny

    Hi Jon,
    I was working on the ACL for the above issue. I have found the below things -
    int vlan 1
    description Routing vlan
    ip address 172.16.1.1 255.255.255.0
    ip access-group 110 in
    int vlan 10
    description server vlan
    ip address 172.16.10.1 255.255.255.0
    int vlan 11
    description Users
    ip address 172.16.11.1 255.255.255.0
    ip access-group 100 in
    The ACLs applied on vlan 10 and 11 are inbound in direction, so as we mentioned before, the traffic coming from each vlan (172.16.10.x OR 172.16.11.x) can be filtered at the SVI itself. In fact I need to put the below statement in bold to ping its own gateway.
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.100.0 0.0.0.255
    access-list 100 permit ip 172.16.11.0 0.0.0.255 172.16.101.0 0.0.0.255
    And for filtering the traffic coming from outside, I had to put the ACL on interface vlan 1 and called it in the INBOUND direction.
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.100.0 0.0.0.255 172.16.11.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.10.0 0.0.0.255
    access-list 110 permit ip 172.16.101.0 0.0.0.255 172.16.11.0 0.0.0.255
    What I understood:
    for vlan 10 or 11 - if I call outbound, it means the traffic coming from outside and destined to inside of that vlan.
    for vlan 10 or 11 - if I call inbound, it means the traffic coming from inside of that vlan and destined to outside.
    But for Vlan 1, which is the routing vlan connecting to the other network, the behaviour is just the reverse -
    If I call inbound, it means the traffic coming in to that vlan interface from outside.
    If I call outbound, it means the traffic that is going out through that interface.
    So I didn't call any ACL in the outbound direction as of now.
    Dear Jon, thanks for taking the time to describe the scenario in detail before.
    Please check this and let me know whether my conclusion is correct or whether there is anything left to be in the loop again...!!!
    Thanks and Regards
    Sunny

  • ACL issue

    Hi
    I have activated the ACL switch by selecting the ACL FLAG & Edit ACL check boxes in Tcode dcswitch, but the authorization tab is not appearing in the DMS screens (CV01N, CV02N & CV03N). Can you please help me to solve it?
    Regards
    Harris

    Hi Deepak Kori
    The link provides the steps to get the option to turn on / off the ACL/browser switch. But in our system I can see these options in the Tcode dcswitch.
    I selected (tick mark) the ACL FLAG & Edit ACL checkboxes in Tcode dcswitch but I can't see the Authorization tab in CV01N. This problem exists only in the DEV client, not in IDES.
    If I don't select the "Use ACM" check box in DC10 for the particular document type, then the authorization tab appears for that document type in the IDES system. But in the DEV client there is no field like the "Use ACM" check box in DC10. Can you please clarify: 1. Will the ACL authorization tab appear only in the IDES system?
    2. The ACL authorization can be used only in SAP Easy Document Management System or we can use it for SAP GUI also?
    3. Do we need to install anything (ex: PLM WebUI) to use the ACL authorization?
    Regards
    Harris.

  • Complex NAT and ACL issue with multiple VLANS

    Hello Forum. 
    We have about 12 different VLANS behind an ASA 5515-x. One of those vlans contains a webserver and a DNS server (different machines, different IP addresses). ASDM 7.1.3
    From outside the firewall, people need to be able to get to the webserver via http, https and a custom  port (3390). From outside the firewall, no one needs DNS access.
    From INSIDE the firewall, things are much more complicated. They need access to the DNS server from all VLANS and they need access to Webserver from all VLANS
    The VLANS themselves are defined on the core switches, not the ASA. The VLAN labels and network subnets increment by 5 (except in the first 5 numbers) and the VLAN subnets are equal to the vlan name. So for example VLAN 10 is on the 10.10.10.x subnet, vlan 20 is on the 10.10.20.x subnet, and so on. Each subnet is 24 bits.
    WHAT WORKS:
    Outside_in: http, RDP work fine. Pretty sure I will be able to get https myself, so not looking for help there
    Inside_in: traffic from vlan 10 to vlan 5 works fine, but I think that is in part due to the any any allow rule on the vlan 10 interface. Apart from that, all vlans can get out to the web, but they cannot get proper DNS resolution or access the webserver across vlans.
    I have looked at the access lists, I have looked at NATting the DNS, but it is not working, and I am not sure why. Any assistance would be appreciated

    Tried that, no joy. It said that the problem was a NAT issue, but I cannot figure it out. The NAT rule looks right, but is not because it doesn't work

  • MS Excel Tab Naming Convention Issue

    Issue Description:
    Summary excel file was confirming the source of workbook before opening the file. (Message: Excel found untraceable content in - Lex-1(Lex-Total) Summary report. Do you want to recover contents of workbook? If you trust the source of this workbook, Click Yes.) Where 'Lex-1(Lex-Total) Summary report' is the tab name.
    Fix: Remove the Brackets from the tab name.
    Can you please help us with the root cause of the issue? One of our assumptions is that the Excel sheet if created in the machine with English OS & opened in a machine with Japanese OS could be the root cause of the issue.

    Hi,
    This is the forum for Developing Apps for Office 2013, for your question is more about Excel culture, I will suggest you post your thread in Japanese TechNet for Excel forum.
    Japanese TechNet
    https://social.technet.microsoft.com/Forums/ja-jp/home
    Best Regards
    Lan

  • ACE ACL issue

    Hello
    I am trying to allow access to one of the ace contexts from out-of-band network. I'd like to secure it so nothing from the ace side should be able to connect to the OOB network, and some particular hosts should have access to the ace context by ssh.
    I have already configured the appropriate management class-map that secures the SSH access to the ace, but I have a problem with securing the opposite way. I've configured an ACL that denies all ip and icmp traffic and I applied it to the outside direction of the management vlan.
    Unfortunately I can still ping and access some resources in the OOB network from the ACE context.
    Do you know what else I should do to make it work?
    Thanks in advance for any help.
    Regards
    Lucas

    Hello
    Thanks. I've checked it from a different vlan and in fact the ACL does not allow the traffic to pass through the ACE. I also observed that modifications made in the ACL do not impact the already established sessions.
    Do you know any recommendation regarding the management access design in the ACE environment? I am wondering if it is more recommended to implement one mgmt vlan for all the ACE contexts or one mgmt vlan per context.
    Thank you for the answer.
    Regards
    Lucas

  • ACL issue in EasyDMS 7.0

    Hi all,
    I created one DIR in Easy DMS and later gave Read access to one of the users, but when I logged on with his ID to view the DIR, it says you do not have the necessary authorization.
    How can this be, when I had given him the rights to read the DIR?
    Do I have to control it from PFCG? Then what is the use of providing the ACL feature at document level? What I believe is, if access rights are defined in the ACL then it should bypass other object authorization. Please correct me if I'm wrong.
    Pls note: User has following OBJECTS Authorization from PFCG.
    ACO_SUPER profile with ACO_ACT_S value ' ' and ACO_OTYP_S value ' '.
    C_DRAD_OBJ  , C_DRAW_BGR ,  C_DRAW_DOK,  C_DRAW_MUP, C_DRAW_STA, C_DRAW_TCD, C_DRAW_TCS
    In the above object list, all activities are assigned.
    Regards,
    S Anand

    check http://wiki.sdn.sap.com/wiki/display/PLM/CADMS-AuthorizationObjects

  • Cannot get into development Infrastructure (ACL Issue)

    Hi, we are on SP15. When I try to get into the development infrastructure using the URL http://<server>:<port>/devinf and input the login ID and password, it says not authorized.
    The ID is the Admin ID and is assigned to the groups NWDI.Administrator.
    I understand you need to do some ACL settings through the DTR perspective in the developer studio to grant the permissions. Can someone let me know step by step how to do this?
    Thanks

    Hi Angel,
    First of all, thanks for trying to help.
    defaultTrace.trc gives 2 entries when I try to reach http://host:port/devinf.
    The first is:
    User Guest, IP address
    HTTP request processing failed. HTTP error [401] will be returned. The error is [No login module succeeded.No details available].
    The second is:
    User Administrator, IP address
    HTTP request processing failed. HTTP error [403] will be returned. The error is [You are not authorized to view the requested resource.No details available].
    Besides that: no users are locked.
    Do you have a clue now?
    Regards, Fred

  • Extended ACL Issue

    I have a question, I am trying to make an extended ACL to deny HTTP, Telnet, and FTP traffic from the internet to PC1 in the one exercise I am doing.
    I made the following ACL and applied it to the loopback interface on R2 (where the ISP is coming in from the "cloud") PC1 is connected to R1 which is obviously connected to R2.
    ip access-list extended ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 established
    permit tcp any any established
    Is there a better way to do this? Does this extended ACL work for my purpose?

    What direction did you apply this? I'm assuming in the inbound direction?
    Take the established keyword off. That's generally to allow return traffic on an interface that's denying traffic.
    Try the following:
    ip access-list ext ACL_TCP
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq http
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq ftp
    deny tcp 209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127 eq telnet
    Apply to your loopback:
    ip access-group ACL_TCP in
    Next question:
    Why do you have an acl applied to your loopback and not the physical interface that your internet connection comes in on? Normally, you would apply to say s0/0 (serial interface) that has your public ip assigned to it. That may be why it's not working. You actually have the acl applied to LoopbackX?
    HTH,
    John
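
An added example, not written by either poster: a small model of IOS first-match evaluation with the implicit deny, run over the two ACLs quoted in this thread and over ACL 101 from the earlier "Acl issue in L3 Switch SVI" thread. The packets are constructed, the keyword-to-port mapping uses the well-known port numbers, and the trailing `permit ip any any` is an assumption about what the exercise intends.

```python
import ipaddress

PORTS = {"http": 80, "www": 80, "ftp": 21, "telnet": 23}  # keyword -> TCP port

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok):
    """Consume 'any' or '<address> <wildcard>' from the front of the token list."""
    if tok[0] == "any":
        tok.pop(0)
        return 0, 0xFFFFFFFF
    return _ip(tok.pop(0)), _ip(tok.pop(0))

def parse_ace(line):
    tok = line.split()
    ace = {"action": tok.pop(0), "proto": tok.pop(0), "port": None, "established": False}
    ace["src"] = _addr(tok)
    ace["dst"] = _addr(tok)
    while tok:
        word = tok.pop(0)
        if word == "eq":
            name = tok.pop(0)
            ace["port"] = PORTS[name] if name in PORTS else int(name)
        elif word == "established":
            ace["established"] = True
    return ace

def _hit(address, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF            # a wildcard bit of 1 means "don't care"
    return (_ip(address) & care) == (base & care)

def evaluate(acl, pkt):
    """Return (action, matching line number); line None is the implicit deny."""
    for number, ace in enumerate(acl, 1):
        if ace["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_hit(pkt["src"], ace["src"]) and _hit(pkt["dst"], ace["dst"])):
            continue
        if ace["port"] is not None and ace["port"] != pkt.get("dport"):
            continue
        # 'established' only matches TCP segments carrying ACK or RST
        if ace["established"] and not ({"ACK", "RST"} & pkt.get("flags", set())):
            continue
        return ace["action"], number
    return "deny", None

NETS = "209.165.200.160 0.0.0.31 10.0.0.0 0.0.0.127"
ORIGINAL = [parse_ace(f"deny tcp {NETS} established"),
            parse_ace("permit tcp any any established")]
SUGGESTED = [parse_ace(f"deny tcp {NETS} eq {p}") for p in ("http", "ftp", "telnet")]
# Assumption, not from the thread: a trailing permit so other traffic survives.
WITH_PERMIT = SUGGESTED + [parse_ace("permit ip any any")]
# ACL 101 from the SVI thread, applied inbound on Vlan1.
ACL_101 = [parse_ace("permit ip 172.16.100.0 0.0.0.255 172.16.10.0 0.0.0.255")]

def tcp(dport, *flags):
    """Constructed TCP packet from the /27 in the ACL towards a host in 10.0.0.0/25."""
    return {"proto": "tcp", "src": "209.165.200.170", "dst": "10.0.0.10",
            "dport": dport, "flags": set(flags)}

SYN_HTTP, SYN_HTTPS, RETURN_ACK = tcp(80, "SYN"), tcp(443, "SYN"), tcp(50000, "ACK")
ECHO_REPLY = {"proto": "icmp", "src": "172.16.100.1", "dst": "172.16.11.1"}

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("suggested", SUGGESTED),
                      ("with permit", WITH_PERMIT)):
        for label, pkt in (("SYN :80", SYN_HTTP), ("SYN :443", SYN_HTTPS),
                           ("ACK reply", RETURN_ACK)):
            print(f"{name:12} {label:10} -> {evaluate(acl, pkt)}")
    print("ACL 101 in, echo reply to 172.16.11.1 ->", evaluate(ACL_101, ECHO_REPLY))
```

A result with line `None` means no entry matched and the packet fell through to the implicit deny, which is what happens to the User-Vlan echo reply under ACL 101.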
