Network Access Layer (NAL) option

Hi all,
To secure our RDP environment and avoid having sessions initiated on the RDP client, I've selected "Allow connections only from computers running RDP with Network Level Authentication" in the server's Remote Desktop Session Host panel.
Nothing has changed after I applied the modification: I'm always authenticated by the RDP client and not on the server logon page.
What should I do to fully enable the NAL? Should I setup the client side?
Thanks in advance.

Hi,
Thank you for posting in Windows Server Forum.
You have already enabled and configured the option “Allow connections only from computers running Remote Desktop with Network Level Authentication” for NLA connections on the RDSH server. In addition to that, I suggest applying a GPO for the client: enable the setting “Require user authentication for remote connections by using Network Level Authentication” under the path mentioned below.
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
In the meantime, I'm sharing a useful article with you for additional information.
Configure Network Level Authentication for Remote Desktop Services Connections
http://social.technet.microsoft.com/wiki/contents/articles/5490.configure-network-level-authentication-for-remote-desktop-services-connections.aspx
Hope it helps!
Regards.
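With NLA, the client completes CredSSP authentication before the server creates a session, which is why the credential prompt appears on the client rather than on the server's logon screen. The PowerShell below is an added example (not from the thread or from Microsoft) that audits whether NLA is actually enforced on a Session Host: it reads the RDP-Tcp listener's registry values, the policy value that the GPO named above writes (HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\UserAuthentication, assumed from the ADMX definition), and the WMI view of the effective setting. Set-RdpNlaRequired is a hypothetical helper that enforces NLA locally without waiting for policy.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session on
# the Remote Desktop Session Host. Audits where the NLA setting is stored and
# whether the listener actually enforces it; optionally enforces it.

$WinStationKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
# Policy key written by "Require user authentication for remote connections by
# using Network Level Authentication" (assumption: taken from the ADMX definition)
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RdpListenerSetting {
    # WMI view of the RDP-Tcp listener; this reflects what the listener enforces
    # after both the local setting and Group Policy have been applied.
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
                  -Class Win32_TSGeneralSetting `
                  -Filter "TerminalName='RDP-Tcp'"
}

function Get-RdpNlaState {
    $ws  = Get-ItemProperty -Path $WinStationKey -ErrorAction Stop
    $pol = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $ts  = Get-RdpListenerSetting

    [pscustomobject]@{
        # Local listener setting written by the RDSH configuration dialog
        LocalUserAuthentication  = $ws.UserAuthentication        # 1 = NLA required
        LocalSecurityLayer       = $ws.SecurityLayer             # 0 = RDP, 1 = negotiate, 2 = TLS
        # $null means no policy applies (GPO not linked, or gpupdate not yet run)
        PolicyUserAuthentication = $(if ($pol) { $pol.UserAuthentication } else { $null })
        # Effective values as enforced by the listener
        EffectiveNlaRequired     = [bool]$ts.UserAuthenticationRequired
        EffectiveSecurityLayer   = $ts.SecurityLayer
    }
}

function Set-RdpNlaRequired {
    # Hypothetical helper: enforce NLA on the local listener without waiting for GPO.
    # The legacy RDP security layer (0) cannot carry NLA, so require TLS first.
    $ts = Get-RdpListenerSetting
    [void]$ts.SetSecurityLayer(2)
    [void]$ts.SetUserAuthenticationRequired(1)
    # Re-read to confirm the change took effect; returns $true on success
    (Get-RdpListenerSetting).UserAuthenticationRequired -eq 1
}

$state = Get-RdpNlaState
$state | Format-List

if (-not $state.EffectiveNlaRequired) {
    Write-Warning 'NLA is NOT enforced on RDP-Tcp: clients reach the logon screen before authenticating.'
    if ($null -eq $state.PolicyUserAuthentication) {
        Write-Warning "No policy value under $PolicyKey; the GPO has not applied yet. Try: gpupdate /target:computer /force"
    }
}
```

The policy path quoted in the reply sits under Remote Desktop Session Host, so it is a computer policy for the host accepting connections; clients need no matching policy, only CredSSP support, which Windows Vista and later include.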

Similar Messages

  • ACS 5.3 cannot create default network access authorization rule

    Hi, when I click 'Create...' under Access Policies > Default Network Access > Authorization, and then press the 'OK' button, it says 'Please configure at least 1 condition.' However, I have no way to configure conditions, as the 'Conditions' text is just bold text and not a link or any sort of configurable area. If I go to 'Customize' on the bottom right and add conditions to the right list box, I still have no options when I press Create. Also, the 'green light' next to Default Network Access is grey with a line through it. This is the most cryptic system I have ever used. Anyone have an idea? Thank you!

    Looks like you are using Chrome and it's not a supported browser.
    Supported Web Clients/Browsers
    You can access the ACS 5.3 administrative user interface using the following web clients/browsers:
    • Windows 7 32-bit
    • Windows XP Professional (Service Pack 2 and 3)
    • Windows Vista
    • Internet Explorer version 7.x
    • Internet Explorer version 8.x
    • Internet Explorer version 9.x
    • Mozilla Firefox version 3.x
    • Mozilla Firefox version 4.x
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp222016
    Jatin Katyal
    - Do rate helpful posts -

  • LMS 4.1 Network Topology Layer 2 view - Re layout map not working

    I've finally got Topology Data Collection working on Prime LMS 4.1.
    However, when I run the Network Topology Layer 2 view and try to re-layout the view to any of the options (Circular, Hierarchical, Symmetrical or Orthogonal), the map never re-draws to that type of layout. It always stays as a mess.
    I think it must be a 'feature'.
    Any ideas?
    Cheers
    Barry

    I searched again and didn't find any errors in the same line as the IP or Hostname of the unconnected switches. But I did notice that these switches and all of the devices upstream have "Discovery ani TopoSMFGenerateAbstractTopology" lines where the rest have "Discovery ani TopoSMFGenerateCdpTopology". Do I need to delete everything upstream to the seed device and then rerun a Data Collection? I've included the log. One of the unconnected switches is: 192.168.40.11 Display name: TC160_C. Thanks again.

  • Windows 7 hangs and switches off network access

    We are running a Windows 7 Ultimate 32-bit operating system as our server.
    At roughly 30-minute intervals the computer hangs and switches off network access.
    If the computer is in this state and you try to access it from another computer, nothing happens.
    While in this state you can see the desktop, indicating that it's not in sleep mode.
    The problem is rectified by clicking the mouse on the computer.
    It has not gone into a sleep mode as everything on the power options is set to never.
    Please help?
    Regards,
    Andries Malherbe
    Vizier Systems

    About on 30 minute intervals the computer hangs and switches off network access.
    If the computer is in this state and you try and access it from another computer nothing happens.
    Could you please share more information about "switches off network access" with us? I don't quite understand this situation.
    Please also check the Event Viewer to collect related information about this issue when you resume using Windows 7.
    Meanwhile, please update the driver for the network adapter, or reinstall it, for a test.
    Regards
    Yolanda
    TechNet Community Support

  • Lost network access to external drives

    Hi, I'm using Leopard on my MacBook Pro and my iMac. My iMac has several external FW and USB drives connected. They use Mac OS Extended Filesystem (Journaled).
    I have AFP and SMB sharing turned on in my System Preferences. The only folder that's listed as shared is my home folder.
    It used to be on my MBP, I can browse to my iMac in Finder, and it would show my home folder plus all my external hard drives. I would be able to click on the drives and start using them like any network mounts.
    All of a sudden these drives are no longer showing up when I browse. I only see my home folder listed.
    However, I plugged in another drive via USB on my iMac; this is a FAT32 drive. It automatically showed up in the list of shares I can connect to on the iMac, just like how my external drives used to be.
    I haven't made changes to System Preferences or to the Sharing pane.
    In the Sharing pane, I tried specifying one of my FW drives as shared, but that didn't work. I've made sure the share has read & write permission for my account, and read permission for everyone. On a separate note, I'm not able to set the permission for everyone to "No access". That option is greyed out. I can only choose Read or Read & Write.
    However, even with that, I can't see this new share in the list of shares I can connect to from my MBP.
    Does anyone know where I went wrong? Thank you!

    I had the same problem. I repaired permissions and now all is well.

  • Layer 3 to the Access Layer and MPLS Design Considerations

    Hi,
    We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers.
    We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.
    All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.
    We quickly dismissed the idea of using VRF-Lite due to the sheer number of VLANs we would need to manage and maintain; the point-to-point links alone, just to get one additional VRF on each floor, required far too many VLANs.
    As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, and the fact that all switch-to-switch links can now be routed instead of having to use SVIs.
    My query is one of design surrounding MPLS and how this maps to an enterprise network with a routed access layer. Do the Cat 4500s become the CEs and take part in MPLS / BGP and label distribution, or does the BGP peering and label distribution only occur between the Distribution - Core - Distribution layers, mapping to the PE - P - PE topology in an ISP environment, with the access layer simply using the IGP (OSPF in this case) to learn routes?
    Any help would be greatly appreciated.
    Chris.

    Hi Andy,
    Thanks for your response.
    I have been doing a little bit more research, and it seems the Cat 4500s do not support MPLS!! Nor does Cisco have any plans to support it on this platform. I find this a little ridiculous considering the level at which Cisco is pitching this platform. With the Sup 7E only VRF-Lite is supported, with plans to support EVN (which still uses trunk links for logical separation).
    So it looks like we are going to have to go back to the drawing board.
    (perhaps we should have gone HP or Juniper!)
    Chris.

  • Bandwidth from Access Layer to Distribution Layer

    Folks:
    I am currently on Chapter 12 of “CCNP Switching 642-813, Official Certification Guide” ISBN: 978-1-58720-243-8. I am currently not grasping the three layers entirely, and I was hoping someone could offer insight in a different way.
    I believe I understand that switches in the Access Layer can be Layer 2 devices (2950, etc.), and devices in the Distribution Layer should be multilayer devices such as Layer 3 switches (3750), and inter-VLAN routing takes place at the Distribution Layer. But what I do not understand is how one accounts for bandwidth and traffic from the Access Layer switches to the Distribution switches.
    Let's use a 24-port 2950 switch located at the Access Layer. If everyone was online and communicating, the total traffic for the switch would be 4.8 Gbps. The latter is due to each port providing 100 Mbps in full duplex, so (100*2)*24. So, how does an engineer spec out the required uplink ports from the Access Layer to the Distribution?
    I am sure this is easy; however, I am not getting the concepts. Any insight is great.

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    As noted by Peter, edge hosts don't generally all concurrently push/pull their full port bandwidth for sustained periods. However, host bandwidth usage often varies much by "kind" of host. For example, many server hosts are "busier" than most user hosts, so when designing networks you normally design for lower oversubscription ratios for server hosts than for user hosts. Old rules of thumb suggest oversubscription ratios of about 8:1 to 4:1 for servers, and about 48:1 to 24:1 for users.
    Keep in mind that oversubscription ratios can be "skewed" by what the host is doing, i.e. not all server or user hosts have similar bandwidth demands. For example, your primary mail server or primary file server might be much "busier" than other server hosts. Likewise, some user hosts might be much "busier"; for example, years ago I supported a LAN segment of CADD (20) workstations which had more traffic on their local LAN than the (2,000 user) corporate backbone.

  • Wake for network access won't wake

    I have my MacPro connected wirelessly to my MacBook Pro and both are set to "Wake for network access" but neither of them wakes the other up when trying to connect to each other.
    Any ideas?
    Thanks guys!

    Check the LogMeIn client; it has an option for Wake for Network Access, which enforces the option.
    I had the same issue and wanted to kill someone.

  • Wake for network access doesn't wake

    I have my computer set to wake for network access, but when my other computers in the house try to access the iTunes library stored on my Mac, it won't wake up.

    Do you have an Apple AirPort Base Station or Time Capsule?
    Mac OS X v10.6: About Wake on Demand:
    Wake on Demand requires an Apple AirPort Base Station or Time Capsule with firmware 7.4.2 or later installed.
    Is the option on the computer "Wake for network access", "Wake for Ethernet network access", or "Wake for AirPort network access"?
    Is the affected computer running 10.6?

  • Mavericks: Wake for network access

    Hello,
    I am trying to disable (uncheck) the option called "Wake for network access" from System Preferences > Energy Saver in Mavericks. The "Energy Saver" window has a lock and it said "Click the lock to make changes". I tried to click on it so I can uncheck the option "Wake for network access" but nothing happened. What

    Launch the Console application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Console in the icon grid.
    Make sure the title of the Console window is All Messages. If it isn't, select All Messages from the SYSTEM LOG QUERIES menu on the left. If you don't see that menu, select
    View ▹ Show Log List
    from the menu bar.
    Click the Clear Display icon in the toolbar. Then try the action that you're having trouble with again. Select any messages that appear in the Console window. Copy them to the Clipboard by pressing the key combination command-C. Paste into a reply to this message by pressing command-V.
    When posting a log extract, be selective. In most cases, a few dozen lines are more than enough.
    Please do not indiscriminately dump thousands of lines from the log into this discussion.
    Important: Some private information, such as your name, may appear in the log. Anonymize before posting.

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP-like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest VLAN on my access ports (3750). I was reading on the subject and I found that the guest VLAN feature was not available with an internal VLAN (routed port).
    Is this limitation really there? Is there a way I can get around it without complicating my design even more? Does Cisco have plans to lift this???

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • Query: Best practice SAN switch (network) access control rules?

    Dear SAN experts,
    Are there generic SAN (MDS) switch access control rules that should always be applied within the SAN environment?
    I have a specific interest in network-based access control rules/CLI-commands with respect to traffic flowing through the switch rather than switch management traffic (controls for traffic flowing to the switch).
    Presumably one would want to provide SAN switch demarcation between initiators and targets using VSAN, Zoning (and LUN Zoning for fine grained access control and defense in depth with storage device LUN masking), IP ACL, Read-Only Zone (or LUN).
    In a LAN environment controlled by a (gateway) firewall, there are (best practice) generic firewall access control rules that should be instantiated regardless of enterprise network IP range, TCP services, topology etc.
    For example, the blocking of malformed TCP flags or the blocking of inbound and outbound IP ranges outlined in RFC 3330 (and RFC 1918).
    These firewall access control rules can be deployed regardless of the IP range or TCP service traffic used within the enterprise. Of course there are firewall access control rules that should also be implemented as best practice that require specific IP addresses and ports that suit the network in which they are deployed. For example, rate limiting as a DoS preventative, may require knowledge of server IP and port number of the hosted service that is being DoS protected.
    So my question is, are there generic best practice SAN switch (network) access control rules that should also be instantiated?
    regards,
    Will.

    Hi William,
    That's a pretty wide net you're casting there, but I'll do my best to give you some insight in the matter.
    Speaking pure Fibre Channel, your only real way of controlling which nodes can access which other nodes is zones.
    For zones there are a few best practices:
    * Default zone: Don't use it, unless you're running FICON.
    * Single-initiator zones: One host, many storage targets. Don't put 2 initiators in one zone or they'll try logging into each other, which at best will give you a performance hit and at worst will bring down your systems.
    * Don't mix zoning types: You can zone on WWN, on port, and Cisco NX-OS will give you a plethora of other options, like on device alias or LUN zoning. Don't use different types of these in one zone.
    * Device alias zoning is definitely recommended with Enhanced Zoning and Enhanced DA enabled, since it will make replacing HBAs a heck of a lot less painful in your fabric.
    * LUN zoning is being deprecated, so avoid it. You can achieve the same effect on any modern array by doing LUN masking.
    * Read-only exists, but again any modern array should be able to make a LUN read-only.
    * QoS on zoning: Isn't really an ACL method, more of a congestion control.
    VSANs are a way to separate your physical fabric into several logical fabrics.  There's one huge distinction here with VLANs, that is that as a rule of thumb, you should put things that you want to talk to each other in the same VSANs. There's no such concept as a broadcast domain the way it exists in Ethernet in FC, so VSANs don't serve as isolation for that. Routing on Fibre Channel (IVR or Inter-VSAN Routing) is possible, but quickly becomes a pain if you use it a lot/structurally. Keep IVR for exceptions, use VSANs for logical units of hosts and storage that belong to each other.  A good example would be to put each of 2 remote datacenters in their own VSAN, create a third VSAN for the ports on the array that provide replication between DC and use IVR to make management hosts have inband access to all arrays.
    When using IVR, maintain a manual and minimal topology. IVR tends to become very complex very fast and auto topology isn't helping this.
    Traditional IP ACLs (permit this proto to that dest on such a port and deny other combinations) are very rare on management interfaces, since they're usually connected to already separated segments. Same goes for Fibre Channel over IP links (that connect to Ethernet interfaces in your storage switch).
    They are quite logical to use, and work just the same on an MDS as on a traditional Ethernet switch, when you want to use IP over FC (not to be confused with FC over IP). But then you'll logically use your switch as an L2/L3 device.
    I'm personally not an IP guy, but here's a quite good guide to setting up IP services in a FC fabric:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/ipsvc.html
    To protect your SAN from devices that are 'slow-draining' and can cause congestion, I highly recommend enabling slow-drain policy monitors, as described in this document:
    http://www.cisco.com/en/US/partner/docs/switches/datacenter/mds9000/sw/5_0/configuration/guides/int/nxos/intf.html#wp1743661
    That's a very brief summary of the most important access-control-related Best Practices that come to mind.  If any of this isn't clear to you or you require more detail, let me know. HTH!

  • 2630. java applications. Allow network access?

    When entering some Java application on the Nokia 2630, for example Google Maps, it asks:
    "Allow network access? The application is not from a trusted supplier" three times. On the fourth time: "Try again later or try to install new version".
    Some other applications are working almost properly, but they ask the same question every 5-10 seconds: "Allow network access? The application is not..."
    And some applications are working correctly: MiniOpera and Jimm.
    So, the problem is not in the GPRS settings.
    What can I do with this problem?

    You can either try to get hold of a trusted build of the application you want to run, or you can change the Application access setting. When you have an application selected, click Options, then Application Access, and set Network access to "Ask first time only".
    Knowledge should be your Advisor when you need help.

  • Anyconnect Secure Mobility Client, Network Access Module, wired PEAP

    Hello there,
    I am testing AnyConnect Secure Mobility Client, Network Access Module as a supplicant with PEAP authentication for wired network users. With the default configuration it is working well. With the default configuration it is trusting any Root CA certificates installed on the OS. Do you know how to configure NAM so that it will validate the ACS certificate with a specific Root CA certificate?
    In the Network Access Module profile editor it has two options about certificates:
    One is Certificate Trusted Authority, which has two options by itself: the first is to trust any Root CA certificate that is installed on the OS, and the second is to import a Root CA certificate in the profile. Potentially the second option can help in my case; I can manually import Root CA certificates in each profile. But I think it will be hard to update Root CA certificates in the future that way.
    The second is Certificate Trusted Server Rules; this option has matching capability by certificate Common Name. What can this option be used for?

    Normally the way it works is that you set up your Enterprise Root CA, and then have it issue a certificate for the AAA server (i.e. ACS, ISE, etc.). You then install this certificate on the AAA server and (in an Active Directory environment) add the Root CA certificate to the client systems' local certificate store. What that means is that any certificates (such as the one installed on the AAA server) that are presented to the client that are signed by the root are automatically trusted.
    Server validation is an extra step in terms of proving the identity of the AAA server to the authenticating client. As such, when you build the policy in the NAM editor, it would look similar to the image below:
    I like to use the CN (Common Name) as the match criteria and build my CA issuance policy to always include the FQDN in the certificate for identity purposes.
    Hope this helps!

  • 802.1x - fallback to unauthorized network access

    Hello
    Is it possible to uncheck the box "fallback to unauthorized network access" for 802.1x via GPO?
    Cheers,
    Kriss

    Hi,
    Is there any other way to uncheck this option on the client machine? e.g. regedit
    Hi,
    I'm not sure, but you can try to use RegShot to capture the Registry changes after deselecting the option. After that, using
    RegShot to make a comparison should be able to find the registry key.
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
