OD over 2 subnets

Hi,
We have 2 XServes, and over 300 Mac Client machines. Users authenticate via AD and receive forced preferences via OD. The main Mac Suite area is on a VLAN, due to needing our own Broadcast domain for multicast purposes.
I have some Labs that are not within our broadcast domain, on another subnet; they can connect via LDAP to our servers and log in, but I cannot see them in the Computer list in WGM. I believe this is because this information is received via Bonjour?? which is a broadcast.
I can (as I have tested it) connect a Mac up here on this domain to the Server via OD, then put it on the other subnet, and forced prefs are still forced out. However, I have over 40 Macs that are not within this subnet, so it would be a pain to do that individually.
I can bind to the AD Server and pull the machines over in WGM to the specified Groups, but forced prefs do not work. There are no MAC addresses contained within the copied-over computer info.
My questions are:
1, Do OD listed Computers need to have the MAC address in order to force permissions? Or how does OD force over forced prefs?
2, Is there a way of adding the out of subnet computers to the OD list without allowing multicast on the VLAN?
3, Has anybody had and resolved a similar issue?
All I want to do is force Application, Dock and some System Prefs over to the client Macs without using Parental Controls.
Any help always appreciated,
C

I assume that each server is on its own subnet... Make one the OD master and the other a replica; preferences will replicate from one to the other and distribute from the server on the subnet they reside in, so long as you bind the computers in that subnet to the appropriate server in Directory Utility. You can then manage all the preferences you want from either server since it will write back and forth.

Similar Messages

  • Creating cluster over subnet, controller can't find cluster!

    Hi,
    Running a MacBook Pro running 10.6.5 with a subnet of Mac minis (all PPC) via a Netgear gigabit switch.
    Have set up the three minis to service only and in QAdministrator I can see them all together in the service browser.
    However, with my MacBook Pro set to controller I can't see anything but my MacBook's cores in the service browser. Am I doing something wrong? Is this a fool's errand? Any help greatly appreciated.

    I believe it's part of the pro apps: FCS, Logic, Shake, etc.
    What I'm suggesting is leaving the minis alone. Removing QM from the MacBook Pro, and then using the same disc that you used to install QM on the minis to reinstall QM on the MacBook Pro. That may entail pulling more off than QM, like the whole prokit module. FCS Maintenance pack is good at pulling off selected sections.
    Conversely, you could just try updating the minis with a later copy of QM. It's been noted that the later versions apparently work on PPC machines. However, the installer baulks and sees that PPC and refuses to continue the installation. Someone listed a workaround here very recently. And you could try doing a migration to the other machines. That might pull along the parts you need.

  • SG300-28P Multicast (IGMP) and IGMP routing..

    A brief background on the setup:
    I recently switched out my switch.  It was a Cisco 3750 10/100 switch and I wanted to upgrade to Gig.  The cost of a Gig+POE 3750 is too much to bite so I opted for the SG300.  My router is a Cisco 891.  Here is the setup:
    Cisco 891:
    two SVI's: vlan1 and vlan 100
    Vlan1 = 10.0.1.1/24
    Vlan100 = 10.0.100.2/24
    Connected to SG300 via Fa0
    DHCP Server for vlan1+vlan100
    Cisco SG300-28P:
    two SVI's: vlan 1 and vlan 100
    vlan 1 = 10.0.1.21/24
    vlan 100 = 10.0.100.1/24
    Connected to 891 via Gi18
    The connection between 891 and SG300 = trunk, vlan1-u, vlan100-t
    The problem:
    With the 891+3750, I was able to add "ip pim sparse-dense-mode" on all the SVI's and hosts could join any multicast group, irregardless of which vlan the host was a member of.
    Now I've changed switches, and I don't get the same love.  I have the PIM statement on both SVI's on the 891, but I'm unsure of what I need to configure on the SG300.  I have enabled "Bridge multicast filtering" + "IGMP snooping".  What can I do to get similar functionality using the SG300 + 891?  I assume this is my lack of understanding IGMP in general, but was able to get away with it using the PIM statements on the 891+3750 stack.
    Jeff

    You should be able to filter unregistered multicast on every port.
    To be able to pass multicast over subnets two things must be certain, the node/device is able to send and receive multicast packets but also register the multicast address being listened to by the node so the local and remote routers can route the multicast packets.
    When the switch learns a multicast address through IGMP snooping, this is a registered multicast. The switch will only forward multicast to ports that are registered to the multicast group. Where unregistered multicast comes in, is the multicast that is not statically defined or learned through IGMP which in turn will be forwarded to all ports of the vlan.

  • Is it OK to have two SBS Servers with same name, on different subnets but connected over a VPN?

    Hi Everyone,
    I'm just about to connect up two SBS 2011 Servers with the same server name but on different subnets & domains over a VPN.
    So for example both servers will have the name Server01, one would have an ip address of 192.168.85.5, the other 192.168.86.5, they both then would be connected over a VPN.
    Can anyone foresee any issues with this configuration, like DNS & DHCP requests, adding new machines to the domain, mapping drives etc.
    Many thanks,
    Nick

    Hi Larry & Strike First,
    Thank you for your responses. I understand that this is an unusual situation. Basically I've recently taken over the IT support for this client. The client has just had a new phone system installed & are asking if they can speak to each office internally, which can easily be done once I setup the VPN.
    However I noticed whilst looking at this further that the Server names are the same, hence my question?
    Am I right in saying that providing the workstations  have a trust relationship with their own domain controllers through their individual domains on separate subnets, that hopefully there shouldn't be any DNS issues between the two domains and Servers?
    I could build a new VM if you feel it would be better practice to do so?
    Many thanks for your assistance,
    Nick

  • RMI over different subnets causing TCP BAD CHECKSUM

    I have a customer that is trying to run my system over different subnets and is getting large performance hits due to a TCP BAD CHECKSUM error that they have been able to monitor when they have the RMI server on one subnet and the RMI client on another.
    We don't see the problem on our systems (because we run on the same subnets) as do all of our other customers.
    We've written a little program that just does some simple RMI calls over the different subnets and are still seeing the TCP BAD CHECKSUM errors.
    Is there some reason that they are seeing these errors when the two are on different subnets? Is there any way to solve this problem (as it is causing a big hit in our performance)?

    It is certainly nothing to do with RMI. The most probable culprit is bad hardware between the two subnets.

  • Natting of subnet ip address exist over wan

    I have a branch office with subnet 172.26.48.0/22; one IP from this subnet, say 172.26.48.100, is assigned to a server. Now our requirement is to access this server from outside, meaning from the internet. This branch office is connected through a leased line to the main office. The main office has a firewall and a local subnet in which servers are located and NATted for access over the internet. We tried to make it possible and got a ping response from outside also, but the latency gets stuck so that the firewall looks to be in hang mode: latency is around 900 ms if NATting is done, otherwise 250-300 ms. What can we do? Any alternate approach suggested?
    Dig. attachment is there.
    Regards,
    Rajat

    No, I mean we get a normal response of 250-300 ms on the HQ to outside link for a ping of 4.2.2.2, with no branch included. If we NAT the branch IP mentioned above, latency suddenly gets high while pinging 4.2.2.2, so the firewall does not behave normally in this case.
    However, if we remove the NATting command from the firewall we still get latency; only after rebooting does it come back to normal.
    Second, is it possible or practical to NAT the IP of the branch office on the headquarters firewall? Is it suggested by Cisco?
    Please help.
    Regards,
    Rajat

  • Shared ethernet over wifi changes 'second machine' subnet

    I have a Mac mini (MM) that I connect to the LAN via an access point. I also have a Linux laptop that I want to also share on the LAN. I've connected the laptop into the ethernet port on the MM and I can browse the net. The problem is that where the local subnet is 192.168.x.x the laptop has received an ip address of 192.168.2.x via DHCP.
    Consequently, I cannot SSH into the laptop via my MM as the two machines now reside on different subnets. I had thought originally that when connecting to a MM, this would 'share' the ethernet port and would simply pass packets between the router and the 'second machine', thus using the MM as in 'bridge' mode.
    Is there any reason why the second machine has now received an ip address on a different subnet?

    You do need to turn on AFP sharing.. since SMB is not used by TM.. although I have to admit to some confusion..
    What application are you using that is spitting out rsync errors?? That is not Time Machine. Are you trying to do this by rsync directly?
    You clearly do not have sufficient permissions on the Mac Pro to whatever directory you have set.. make sure you do the rsync with su login.. and make sure on the pro you set full permissions to everyone.
    "failed: Permission denied (13)", "*** Skipping everything below this failed directory ***", "failed: No such file or directory (2)", and "rsync error: some files could not be transferred (code 23) at /SourceCache/rsync/rsync-45/rsync/main.c(992) [sender=2.6.9]".
    Have you tried Carbon Copy Cloner?? That might be worth it.
    Much better than Time Machine for backup over the network.
    It is rsync based.
    time machine app used in the guide appears to be an older version pre OS X 10.10.3
    Another excellent reason to avoid TM.. it is flakey as !heaven in Yosemite.

  • All the subnets are not reachable over the VPN

    Hi all,
    We have an EZVPN connection to one of our branch offices. The connectivity diagram is attached to this discussion.
    HO LAN (10.1.0.0/16 & 192.6.14.0/24) --------- ASA5520-------- Internet ---------- Cisco2911-------- LAN of remote location (10.2.0.0/16)
    We are using the 10.2.0.0/26 subnet at the remote office and the 10.1.0.0/16 & 192.6.14.0/24 subnets at HO. From HO, through 10.1.0.0/16 & 192.6.14.0/24, all the devices are reachable except the firewall which is connected to the GigabitEthernet0/2 interface of the Cisco2911 router (on which the VPN is created).
    It's a Fortigate firewall and it is reachable locally from the network 10.2.0.0/16. I believe it's an issue with the phase 2 ACLs but I wasn't able to resolve the issue.
    I'm not able to reach the GUI / CLI interfaces of the Fortigate firewall; I'm not even able to ping the IP of the GigabitEthernet0/2 interface of the Cisco2911.
    Kindly advise on the same.
    Below is the configuration of the ASA5520 at HO and the Cisco2911 router at the branch office.
    ASA5520:-
    access-list inside_access_in extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 192.6.14.0 255.255.255.0 10.2.0.0 255.255.0.0
    access-list splittunnelacl_JNC_AUH extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list Outside_cryptomap_65534.191 extended permit ip object-group DM_INLINE_NETWORK_103 10.2.0.0 255.255.0.0
    jashanmalasa/sec/act# sho run obj
    jashanmalasa/sec/act# sho run object-group | b DM_INLINE_NETWORK_103
    object-group network DM_INLINE_NETWORK_103
     network-object 10.1.0.0 255.255.0.0
     network-object 192.6.14.0 255.255.255.0
    group-policy AUHNEW internal
    group-policy AUHNEW attributes
     dns-server value 192.6.14.189 192.6.14.182
     vpn-access-hours none
     vpn-idle-timeout none
     vpn-session-timeout none
     vpn-filter none
     vpn-tunnel-protocol IPSec
     ip-comp disable
     re-xauth disable
     pfs enable
     ipsec-udp disable
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value
     default-domain value xxxxxx
     secure-unit-authentication disable
     user-authentication disable
     user-authentication-idle-timeout none
     ip-phone-bypass disable
     leap-bypass disable
     nem enable
    tunnel-group AUHNEW type remote-access
    tunnel-group AUHNEW general-attributes
     authorization-server-group LOCAL
     default-group-policy AUHNEW
    tunnel-group AUHNEW ipsec-attributes
     pre-shared-key *****
     peer-id-validate nocheck
     isakmp ikev1-user-authentication none
    Cisco2911:-
    Current configuration : 10258 bytes
    ! Last configuration change at 19:06:18 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    ! NVRAM config last updated at 19:01:43 AST Thu May 8 2014 by admin
    version 15.1
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    hostname AUHOffice_RTR
    boot-start-marker
    boot system flash:c2900-universalk9-mz.SPA.151-4.M4.bin
    boot-end-marker
    card type e1 0 0
    no aaa new-model
    clock timezone AST 4 0
    network-clock-participate wic 0
    network-clock-select 1 E1 0/0/0
    no ipv6 cef
    ip source-route
    ip cef
    ip name-server 213.42.xxx.xxx
    multilink bundle-name authenticated
    isdn switch-type primary-net5
    crypto pki token default removal timeout 0
    voice-card 0
     dspfarm
     dsp services dspfarm
    voice service voip
     fax protocol pass-through g711ulaw
    voice class codec 1
     codec preference 1 g711ulaw
     codec preference 2 g711alaw
     codec preference 3 g729r8
     codec preference 4 g729br8
    voice class h323 1
      h225 timeout tcp establish 3
    voice translation-rule 1
     rule 1 /^9\(.*\)/ /\1/
    voice translation-rule 2
     rule 1 /^0\(2.......\)$/ /00\1/
     rule 2 /^0\(3.......\)$/ /00\1/
     rule 3 /^0\(4.......\)$/ /00\1/
     rule 4 /^0\(5........\)$/ /00\1/
     rule 5 /^0\(6.......\)$/ /00\1/
     rule 6 /^0\(7.......\)$/ /00\1/
     rule 7 /^0\(9.......\)$/ /00\1/
     rule 8 /^00\(.*\)/ /0\1/
     rule 9 /^.......$/ /0&/
     rule 10 // /000\1/
    voice translation-rule 3
     rule 1 /^3../ /026969&/
    voice translation-profile FROM_PSTN
     translate calling 2
     translate called 1
    voice translation-profile TO_PSTN
     translate calling 3
    license udi pid CISCO2911/K9 sn xxxxxxxxx
    license accept end user agreement
    license boot module c2900 technology-package securityk9
    hw-module pvdm 0/0
    hw-module sm 1
    username admin privilege 15 secret 4 Ckg/sS5mzi4xFYrh1ggXo92THcL6Z0c6ng70wM9oOxg
    redundancy
    controller E1 0/0/0
     framing NO-CRC4
     pri-group timeslots 1-10,16
    crypto ipsec client ezvpn jashanvpn
     connect auto
     group AUHNEW key jashvpn786
     mode network-extension
     peer 83.111.xxx.xxx
     acl 150
     nat allow
     nat acl 110
     xauth userid mode interactive
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     ip address 10.2.0.1 255.255.255.248
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1430
     ip policy route-map temp
     duplex auto
     speed auto
     crypto ipsec client ezvpn jashanvpn inside
     h323-gateway voip interface
     h323-gateway voip bind srcaddr 10.2.0.1
    interface GigabitEthernet0/1
     description *** Connected to 40MB Internet ***
     no ip address
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 1
    interface GigabitEthernet0/2
     ip address 10.2.0.11 255.255.255.248
     duplex auto
     speed auto
    interface Serial0/0/0:15
     no ip address
     encapsulation hdlc
     isdn switch-type primary-net5
     isdn incoming-voice voice
     no cdp enable
    interface SM1/0
     ip unnumbered GigabitEthernet0/0
     service-module ip address 10.2.0.3 255.255.255.248
     !Application: CUE Running on SM
     service-module ip default-gateway 10.2.0.1
    interface SM1/1
     description Internal switch interface connected to Service Module
     no ip address
    interface Vlan1
     no ip address
    interface Dialer0
     description *** JASHANMAL 40MB Internet ***
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap pap callin
     ppp chap hostname xxxxx
     ppp chap password 7 0252150B0C0D5B2748
     ppp pap sent-username xxxxxx password 7 15461A5C03217F222C
     crypto ipsec client ezvpn jashanvpn
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map nonat interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 10.2.0.0 255.255.248.0 10.2.0.2
    ip route 10.2.0.3 255.255.255.255 SM1/0
    ip route 10.2.6.1 255.255.255.255 10.2.0.2
    ip route 10.2.7.1 255.255.255.255 10.2.0.2
    ip route 172.16.5.0 255.255.255.0 10.2.0.2
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 100 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 100 deny   ip 172.16.5.0 0.0.0.255 10.1.6.0 0.0.0.255
    access-list 100 permit ip 10.2.4.0 0.0.0.255 any
    access-list 100 permit ip 172.16.5.0 0.0.0.255 any
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.3.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.2.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.1.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 10.2.6.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 192.6.14.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.0.0 0.0.255.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.9.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.50.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.15.0 0.0.0.255
    access-list 110 deny   ip 172.16.5.0 0.0.0.255 10.1.2.0 0.0.0.255
    access-list 110 permit ip host 10.2.6.1 any
    access-list 110 permit ip host 10.2.6.2 any
    access-list 110 permit ip host 10.2.6.3 any
    access-list 110 permit ip host 10.2.6.4 any
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.254.136 eq 10008
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 216.52.207.67 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.151.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.148.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.149.22 eq www
    access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 199.168.150.22 eq www
    access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.4.0 0.0.0.255 any
    access-list 150 permit ip 10.2.0.0 0.0.0.255 any
    access-list 150 permit ip 10.2.1.0 0.0.0.255 any
    access-list 150 permit ip 10.2.2.0 0.0.0.255 any
    access-list 150 permit ip 10.2.3.0 0.0.0.255 any
    access-list 150 permit ip 10.2.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.6.0 0.0.0.255 any
    access-list 150 permit ip 172.16.5.0 0.0.0.255 any
    access-list 150 permit ip 10.2.7.0 0.0.0.255 any
    route-map temp permit 100
     match ip address 100
     set ip next-hop 10.2.0.9
    route-map temp permit 110
    route-map nonat permit 10
     match ip address 110
    snmp-server community xxxxxxxx
    snmp-server location JNC AbuDhabi Office
    snmp-server contact xxxxxxxx
    snmp-server enable traps tty
    snmp-server enable traps cpu threshold
    snmp-server enable traps syslog
    snmp-server host xxxxx version 2c jash
    control-plane
    voice-port 0/0/0:15
     translation-profile incoming FROM_PSTN
     bearer-cap Speech
    voice-port 0/1/0
    voice-port 0/1/1
    voice-port 0/1/2
    voice-port 0/1/3
    mgcp profile default
    dial-peer cor custom
     name CCM
     name 0
     name 00
    dial-peer cor list CCM
     member CCM
     member 0
     member 00
    dial-peer cor list 0
     member 0
    dial-peer cor list 00
     member 0
     member 00
    dial-peer voice 100 voip
     corlist incoming CCM
     preference 1
     destination-pattern [1-8]..
     session target ipv4:10.1.2.12
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 101 voip
     corlist incoming CCM
     huntstop
     preference 2
     destination-pattern [1-8]..
     session target ipv4:10.1.2.11
     incoming called-number [1-8]..
     voice-class codec 1  
     voice-class h323 1
     dtmf-relay h245-alphanumeric
     no vad
    dial-peer voice 201 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 0[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
    dial-peer voice 202 pots
     corlist outgoing 0
     translation-profile outgoing TO_PSTN
     destination-pattern 00[1-9]T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 0
    dial-peer voice 203 pots
     corlist outgoing 00
     translation-profile outgoing TO_PSTN
     destination-pattern 000T
     incoming called-number .
     direct-inward-dial
     port 0/0/0:15
     prefix 00
    gateway
     timer receive-rtp 1200
    gatekeeper
     shutdown
    call-manager-fallback
     secondary-dialtone 0
     max-conferences 8 gain -6
     transfer-system full-consult
     timeouts interdigit 4
     ip source-address 10.2.0.1 port 2000
     max-ephones 58
     max-dn 100
     system message primary Your Current Options SRST Mode
     transfer-pattern .T
     alias 1 300 to 279
     call-forward pattern .T
     time-zone 35
     date-format dd-mm-yy
     cor incoming 0 1 100 - 899
    line con 0
     password 7 030359065206234104
     login local
    line aux 0
     password 7 030359065206234104
     login local
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line 67
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     password 7 110E1B08431B09014E
     login local
     transport input all
    line vty 5 15
     password 7 030359065206234104
     login local
     transport input all
    scheduler allocate 20000 1000
    ntp master 1
    end

    Attached is the result from packet tracer of ASA5520-ASDM
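
Added example (not part of the original post, and not Cisco code): a small first-match evaluator for IOS numbered extended ACLs with wildcard masks, run over ACL 150 and a subset of ACL 110 copied from the router configuration above, to check which entry a given flow hits before suspecting the ACLs. The destination 10.1.0.5, the source 10.2.8.1 and the function names are constructed for illustration; only `ip`/`tcp` entries with an optional `eq` port are handled.

```python
import ipaddress

# Copied from the posted Cisco2911 configuration: a subset of ACL 110
# (referenced by "nat acl 110") and all of ACL 150 (referenced by "acl 150").
POSTED_ACLS = """\
access-list 110 deny   ip 10.2.0.0 0.0.0.255 192.6.14.0 0.0.0.255
access-list 110 deny   ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 deny   ip 10.2.4.0 0.0.0.255 10.1.9.0 0.0.0.255
access-list 110 permit ip host 10.2.6.1 any
access-list 110 permit tcp 10.2.0.0 0.0.255.255 host 86.96.201.72 eq 10008
access-list 110 permit tcp 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.4.0 0.0.0.255 any
access-list 150 permit ip 10.2.0.0 0.0.0.255 any
access-list 150 permit ip 10.2.1.0 0.0.0.255 any
access-list 150 permit ip 10.2.2.0 0.0.0.255 any
access-list 150 permit ip 10.2.3.0 0.0.0.255 any
access-list 150 permit ip 10.2.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.6.0 0.0.0.255 any
access-list 150 permit ip 172.16.5.0 0.0.0.255 any
access-list 150 permit ip 10.2.7.0 0.0.0.255 any
"""

PORT_NAMES = {"www": 80}  # the only named port used in the posted ACLs


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec from tokens; return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_acl(text, number):
    """Parse the entries of one numbered extended ACL, in configuration order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        entries.append({"line": line.strip(), "action": action, "proto": proto,
                        "src": src, "dst": dst, "dport": dport})
    return entries


def _covers(spec, addr):
    """Wildcard match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    return ((base ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def first_match(entries, src, dst, proto="ip", dport=None):
    """Return (action, matching line); ACLs are first-match with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if _covers(e["src"], s) and _covers(e["dst"], d):
            return e["action"], e["line"]
    return "deny", "(implicit deny at end of list)"


if __name__ == "__main__":
    # 10.2.0.11 is the GigabitEthernet0/2 address from the post;
    # 10.1.0.5 is a constructed host inside the HO range 10.1.0.0/16.
    for number in (150, 110):
        acl = parse_acl(POSTED_ACLS, number)
        print(number, first_match(acl, "10.2.0.11", "10.1.0.5"))
```

For the posted lines, the GigabitEthernet0/2 address is permitted by ACL 150 and hits a `deny` in ACL 110, so both lists do cover that address.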

  • Services with different IP address subnets over CSS 11500 series

    Hi all folks!
    I have two CSS 11500 series...
    In just a few months I will have a DRS (Disaster Recovery Site) ready, where I will have 2 more servers to add to the environment.
    But these servers will be in a different subnet from the one I have today for the servers that are configured in the current services of my CSS.
    So the doubt that arises is:
    Is it correct to add two new services with these servers, but using the IP addressing of the DRS site, and to include on the CSS a static route to this network (of the DRS) in order to reach them? Is it correct, will it work well?
    This would be so....
             ________________LAN to LAN________________
             |                                         |
             |                                         |
    |------SITE A------|                      |------SITE B------|
        [Firewall] =============IPSEC============= [Firewall]
            |                                          |
            |                                          |
     [CSS-A]-[CSS-B]                               [SWITCH]
        |       |                                   |    |
        [SWITCH]                                    |    |
    [srvA] [srvB] [srvC]                       [srvD] [srvE]
    So, at [CSS-A] & B, I will put a static route to the firewall that knows the subnet of site B through the IPSEC tunnel.
    So in the CSSs, I will add the new services for the servers "D" & "E" with the IP addresses of Site B.
    This should look like this:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 [IP FIREWALL]
    ip route SITE B [IP FIREWALL]
    !************************** SERVICE **************************
    service srvA
      ip address A.A.A.x
      port 8080
    service srvB
      ip address A.A.A.x+1
      port 8080
    service srvC
      ip address A.A.A.x+2
      port 8080
    service srvD
      ip address B.B.B.y
      port 8080
    service srvE
      ip address B.B.B.y+1
      port 8080
    I know that this practice is not the most desirable; in fact I should use "Basic Global Server Load Balancing Site Redundancy Using the CSS with DNS", but I don't have much time to change the entire environment today, and in this first stage I have to begin with this poor but quick solution that I thought of, and I wanted to validate whether there is a possibility of this working.
    From your experience, what do you say? Will it work?
    Thanks in advance!
    Regards!
    Esteban =)

    Daniel!
    Sorry for the delay!
    Thank you so much for your time to reply.
    You have given me a great help with this doubt!
    But.. regarding using "source group", let me know..
    I can't understand the real difference between NAT with ACLs, as you can see at this link: (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093dfc.shtml)
    and
    this other link, using NAT (from point 5), (http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml)
    where the NAT is configured under a method different from the previous one..
    So.. for the scenario described above, which would you recommend using? I would think that the second is the most suitable, right? What do you think?
    Thanks in advance again!!!
    Have nice day!
    Regards.
    Esteban.

  • Two WLC over the same SUBNET - selection from AP for determinate WLC

    Hi
    I have the following problem: my company has two WLCs (WISM1 - IOS 7.0 and WLC2504 - IOS 7.4), and we have 4 types of APs (1131, 1242, 1040 and 1600). The WISM 1 manages the old APs 1131, 1040 and 1242, and the 2504 manages the 1600, because the WISM 1 doesn't support the 1600.
    My question is how I can assign APs 1131, 1242 and 1040 to connect to WISM1 and not to the 2504. Both are on the same subnet and the IP is sent by DHCP with option 43, others by DNS, and apparently some of my APs connected to the 2504; I wish them to connect only to WISM 1.
    How can I set priority in the AP to connect to WISM1? I read about High Availability on the AP; is this enough, or should we make any extra settings on the WLC?
    Thanks for the response
    Regards

    To understand the working of HA, kindly study the following link. It will provide you a step by step solution to the query.
    Hi Kashif,
    I don't think you understand the nature of this thread.  It is IMPOSSIBLE to configure a 2504 & a WiSM-1 for HA (AP SSO). 

  • Domain over IP routed subnets - getting network browsing to work?

    Hi, I have a small domain spanned across two different subnets. Each subnet has its own domain controller, and the two networks are linked via IP routing.
    Network connectivity between the two subnets is good - replication between the two DCs is happening smoothly, and every workstation can access every other workstation regardless of which subnet they're on.
    The problem is that network browsing doesn't seem to work across the subnets. If a user knows the name of the machine they're connecting to, then they can enter that name into Explorer's address bar and it will connect fine. But when they go to "Network" or "My Network Places", only the machines from their own subnet appear there. When a user goes to "My Network Places" (or just "Network" in Win7's Explorer) then I would like them to see all the machines on both subnets, not just their own subnet.
    Both DCs are running Server 2008 R2. What do I need to do to get network/computer browsing to work across the two subnets?

    Hi,
    Thank you for the post.
    Is WINS really necessary?
    Yes. NetBIOS resolution across subnets depends on a WINS server.
    Summary of WINS Benefits
    WINS enables the Computer Browser service to collect and distribute browse lists across IP routers.
    http://technet.microsoft.com/en-us/library/cc784180(WS.10).aspx
    In a multiple subnet environment, make sure WINS is configured properly so that you have the proper NetBIOS name resolution.
    http://blogs.technet.com/b/networking/archive/2008/07/25/netbios-browsing-across-subnets-may-fail-after-upgrading-to-windows-server-2008.aspx
    If there are more inquiries on this issue, please feel free to let us know.
    Regards
    Rick Tan
    TechNet Community Support

  • Stream works fine on local subnet but not over web

    I am very new to FMS so excuse me if I get terminology messed up.
    I followed Tom Green's tutorials and at this point I can publish a live stream which I can view and interact with just fine on my local LAN.
    The FMS is NAT'ed to the outside world and I have ports 80 & 1935 open to the server.
    When I use a browser from the outside world and put in the server's public address I can see & interact with the FMS start page just fine. I can use the "interactive" tab and supply my live stream name and view the stream just fine.
    However, when I try to launch the Flashplayer that I built, all I see is the controls with moving stripes. No video feed above. I can browse to the flashplayer HTML file on my local LAN and it works fine. Interestingly enough, I cannot open the flashplayer HTML file directly on the server either (but I can open the start page application and interact with it).
    This seems like a permissions issue to me... any ideas?
    Thanks in advance.
    Brian

    Hi Brian,
    Is it possible for you to send the source for the sample flash movie that you built? That might give me a clue as to what could be going wrong.
    Thanks
    Mamata

  • IPad 3 not showing up in iTunes (Win7_64) over WiFi

    I have an iPad 3 I'm trying to sync over my WLAN.  It's running iOS 7.1 and connecting to iTunes 11.2.2.3 on Windows 7 64-bit.  Upon launching iTunes, the device will appear in the left navigation pane after about 10 seconds, and will stay there (greyed out with a spinning progress wheel) for about 15-20 seconds before it disappears.  I am never able to display the status or contents of the device over a wireless connection.
    -USB connections do work and I am able to manage, browse, update and sync the device.
    -I have tried connecting over USB and checking/unchecking the "Sync over WiFi" box.  That has not solved the problem.
    -I have tried establishing custom inbound and outbound Windows Firewall rules to allow all traffic to all programs and ports  from the iPad's internal IP (10.10.10.18 on a /8 network), but that hasn't fixed the problem.
    -AppleMobileDeviceHelper.exe, AppleMobileDeviceService.exe, iCloudServices.exe, iPodService.exe, iTunesHelper.exe, iTunes.exe and mDNSResponder.exe are all running at the time of attempted (and failed) sync.
    -Wireless syncing worked properly while on iOS 5.  Really regretting updating to iOS 7 right now.  Lesson learned, unlikely to ever update again.
    I've tried a number of solutions but as I cannot recall 100% of what I've already tried, I am willing to start at square one to get this resolved.  For what it's worth, I'm a 14-year IT professional so you can talk to me about pinging, firewall rules, subnets (iPad and PC running iTunes are on the same subnet), protocols and ports and I will know what you're talking about.  Hope that helps speed things along.
    Any assistance you can render would be most appreciated.

    Wireless Sync
    To set up Wi-Fi syncing, connect your iOS device to your computer with the included USB cable.
    Click the Device button in the upper-right corner. (If viewing the iTunes Store, click the Library button first.)
    If you don't see your device, choose View > Hide Sidebar.
    In the Summary tab, select "Sync with this [device] over Wi-Fi."
    When the computer and the iOS device are on the same network, the iOS device will appear in iTunes, and you can sync it.
    The iOS device will sync automatically when the following conditions are true:
    The iOS device is charging.
    iTunes is open on the computer.
    The iOS device and the computer are on the same Wi-Fi network.
    While the iOS device is in the left-hand column of iTunes, you can select the content tabs and configure sync options.
    Click Apply or Sync to sync the iOS device.

  • ConfigMgr Clients connection over direct access.

    My test client machine is running Windows 8.1 and connecting to network through Direct Access. I am running SCCM 2012 R2 on Windows Server 2012.
    Test Machine: NYWIN8
    SCCM Server: SCCM01
    Domain: demo.local
    I would like to understand how configmgr handles clients connecting through direct access. What all functionality is available for such clients?
    On my client machine I see the following errors:
    FSPSTATEMESSAGE.LOG
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    POLICYAGENT.LOG
    Policy
    http://SCCM01.demo.local/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 is not available.
    DATATRANSFERSERVICE.LOG
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{C9AA0DDC-BD37-442D-A00E-EE7404D47C12}.tmp with error 0x80190194
    DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
    Software Catalog Update Endpoint
    Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
    WEDMTRACE.LOG
    No CCM Identification blob
    CAS.LOG
    The number of discovered DPs(including Branch DP and Multicast) is 0
    SMSCLIUI.LOG
    Failed to set DNSSuffix value to the registry.
    Are there any issues due to connecting using direct access?

    When I try to deploy any software (7-ZIP or Notepad++) to this client I get the following error:
    The software change returned error code 0x87D00607(-2016410105).
    I can deploy same software fine to other machines connecting on LAN.
    Server Logs:
    Portlctl
    PORTALWEB's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    PORTALWEBs http check returned hr=0, bFailed=0
    awbsctl
    AWEBSVCs http check returned hr=0, bFailed=0
    AWEBSVC's previous status was 0 (0 = Online, 1 = Failed, 4 = Undefined)
    Client Logs:
    CAS
    The number of discovered DPs(including Branch DP and Multicast) is 0
    CCMEVAL
    Client's current MP is http://SCCM01.DEMO.local and is accessible
    ClientLocation
    Current AD forest name is Demo.local, domain name is Demo.local
    Domain joined client is in Intranet
    Rotating assigned management point, new management point [1] is: SCCM01.demo.local (7958) with capabilities: <Capabilities SchemaVersion="1.0"><Property Name="SSLState" Value="0"/></Capabilities>
    Assigned MP changed from <SCCM01.demo.local> to <SCCM01.demo.local>.
    ContentTransferManager
    No data since 11/13/2013
    CTM job {F6085C09-4C39-489E-A6F6-2C268398B7F2} successfully processed download completion.
    DataTransfer
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} failed to download source file
    http://SCCM01.demo.local:80/SMS_MP/.sms_pol?WRC10000.SHA256:BE60C5A54E508758261E6EDAE80AB21576A214309B9E1E19EE1D5A96C4508EC4 to destination C:\Windows\CCM\Temp\{22619283-47B1-445A-9262-C1FA54AD0F64}.tmp with error 0x80190194
    DTS job {B227AB6E-6D0F-4709-B8C6-AA8B66CBBE2D} BITS job {AE61D01C-E251-45FA-8B2C-2E22DDD91016} partially completed 0/1 with error 0x80190194 context 5
    Filebits
    BranchCache Is Not Enabled
    Failed to check PeerDistribution status. NOT able to do branch cache.
    FSPSTATEMESSAGE
    Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
    [CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
    Successfully sent location services HTTP failure message.
    InternetProxy
    Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
    InventoryAgent
    Inventory: 9 Collection Task(s) failed.
    SCCLIENT
    Event maps to notification type = Application Enforcement Failed   (Microsoft.SoftwareCenter.Client.Data.WmiConnectionManager at EventWatcher_EventArrived)
    SMSCLIUI
    Failed to set DNSSuffix value to the registry.
    IPCONFIG /ALL from CLIENT:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : NYWIN8
       Primary Dns Suffix  . . . . . . . : demo.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : demo.local
       System Quarantine State . . . . . : Not Restricted
    Ethernet adapter vEthernet (Internal):
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #3
       Physical Address. . . . . . . . . : 00-15-5D-01-0B-07
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::d3f:4e51:c648:7b26%26(Preferred)
       Autoconfiguration IPv4 Address. . : 169.254.123.38(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.0.0
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 872420701
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                           fec0:0:0:ffff::2%1
                                           fec0:0:0:ffff::3%1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Ethernet adapter vEthernet (External):
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter #2
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DE
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::9cb5:5132:1f47:e7c6%24(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.5(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Thursday, January 2, 2014 1:27:53 PM
       Lease Expires . . . . . . . . . . : Saturday, January 4, 2014 12:27:55 PM
       Default Gateway . . . . . . . . . : 192.168.1.1
       DHCP Server . . . . . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . . : 730113736
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       DNS Servers . . . . . . . . . . . : 192.168.1.1
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Wireless LAN adapter Local Area Connection* 3:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-DF
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Bluetooth Network Connection:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)
       Physical Address. . . . . . . . . : 84-A6-C8-AF-03-E2
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Ethernet adapter Ethernet:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Realtek PCIe FE Family Controller
       Physical Address. . . . . . . . . : E0-DB-55-D2-5E-59
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter isatap.home:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : home
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter iphttpsinterface:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : iphttpsinterface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd64:fc00:d17b:1000:e1a7:9cc8:c3c7:d819(Preferred)
       Temporary IPv6 Address. . . . . . : fd64:fc00:d17b:1000:c598:7f17:e286:369d(Preferred)
       Link-local IPv6 Address . . . . . : fe80::e1a7:9cc8:c3c7:d819%10(Preferred)
       Default Gateway . . . . . . . . . :
       DHCPv6 IAID . . . . . . . . . . . : 369098752
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-EA-A9-CE-E0-DB-55-D2-5E-59
       NetBIOS over Tcpip. . . . . . . . : Disabled
    Tunnel adapter isatap.{DC7D2C63-1506-49EC-A40F-AA4E56DE4001}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
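
The error values in the client logs above can be decoded mechanically. The following is an added example, not part of the original post and not ConfigMgr code: it splits each logged value into its HRESULT facility and code and lists the hosts named in name-resolution failures. The function names are this example's own, and the embedded sample is constructed from log lines quoted in the post.

```python
import re

# Constructed sample: error lines copied from the client logs quoted in the post above.
SAMPLE_LOG = r"""
Failed in WinHttpSendRequest API, ErrorCode = 0x2ee7
[CCMHTTP] ERROR: URL=HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED
DTS job {E6FAADEE-F22E-4E89-92EE-C2D9C10C3056} BITS job {9C444FAB-FD3C-4A6B-B8A4-81DA159E4E45} partially completed 0/1 with error 0x80190194 context 5
Failed to open portal registry key 'Software\Policies\Microsoft\CCM'. maybe haven't been created yet. Error 0x80070002
Failed to get proxy for url 'HTTP://SCCM01.demo.local/SMS_FSP/.sms_fsp'. Error 0x87d00215
The software change returned error code 0x87D00607(-2016410105).
"""

FACILITY_WIN32 = 7   # HRESULT wraps a Win32 error code
FACILITY_HTTP = 25   # HRESULT wraps an HTTP status code (as BITS reports it)

def decode(value):
    """Split a logged error value into (kind, code)."""
    if value < 0x10000:
        # Not an HRESULT: a raw Win32 code; WinHTTP errors start at 12000.
        return ("winhttp" if 12000 <= value < 13000 else "win32", value)
    facility = (value >> 16) & 0x7FF   # 11-bit facility field
    code = value & 0xFFFF              # low 16 bits
    if facility == FACILITY_WIN32:
        return ("win32", code)
    if facility == FACILITY_HTTP:
        return ("http-status", code)
    return ("facility-%d" % facility, code)  # product-specific, left undecoded

def as_signed32(value):
    """Decimal form some logs print next to the hex HRESULT."""
    return value - (1 << 32) if value & 0x80000000 else value

def triage(log_text):
    """Return (hex token, kind, code) for every 0x... value in the log text."""
    findings = []
    for line in log_text.splitlines():
        for token in re.findall(r"0x[0-9a-fA-F]+", line):
            kind, code = decode(int(token, 16))
            findings.append((token.lower(), kind, code))
    return findings

def unresolved_hosts(log_text):
    """Hosts in CCMHTTP lines that report ERROR_WINHTTP_NAME_NOT_RESOLVED."""
    pat = re.compile(r"URL=\w+://([^/,\s]+).*ERROR_WINHTTP_NAME_NOT_RESOLVED", re.I)
    hits = (pat.search(line) for line in log_text.splitlines())
    return sorted({m.group(1).lower() for m in hits if m})

if __name__ == "__main__":
    for token, kind, code in triage(SAMPLE_LOG):
        print(token, kind, code)
    print("unresolved:", unresolved_hosts(SAMPLE_LOG))
```

On the quoted lines, 0x2ee7 decodes to WinHTTP 12007 for the SMS_FSP URL and 0x80190194 to HTTP status 404 for the BITS policy download. Values in facility 2000 are reported with their raw code only.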

  • VOIP over VPN need clarification

    Hi,
    Recently I implemented a site-to-site VPN between an ASA and a SonicWall firewall.
    Problem: I am able to make a call from the ASA-side (inside) IP phone to the SonicWall-side (inside) IP phone and vice versa, and it rings, but I am not able to hear voice. So I created a VOIP over VPN configuration and applied the appropriate service policy towards the outside interface. But I was still not able to hear voice.
    Tried the troubleshooting steps mentioned below:
    On the ASA side we had two subnets (10.20.1.x/24 – Data and 10.20.2.x/24 – Voice) and on the SonicWall side one subnet (192.168.x.x/24) as interesting traffic (LAN to LAN). When I configured the site-to-site configuration on both ends, my phase 1 and phase 2 came up and the two sides were able to communicate with each other. (For the interesting traffic I created two objects and bound them into one object-group as the source, i.e. the ASA-side LAN subnets, and one object for the remote LAN as the destination.)
    My call manager resides behind the ASA, and the IP phones need to communicate from the SonicWall side to the inside of the ASA.
    I am able to make a call from the ASA-side (inside) IP phone to the SonicWall-side (inside) IP phone and vice versa, and it rings, but I am not able to hear voice. So I created a VOIP over VPN configuration and applied the appropriate service policy towards the outside interface. But I was still not able to hear voice.
    So I supernetted the data subnet and voice subnet into a single network, i.e. 10.20.x.x/16, on the ASA side and applied the configuration changes (changed the ACL, nonat rule and Voice QoS ACL accordingly), and I am able to hear voice on both ends and can communicate properly from the ASA inside IP phone to the SonicWall inside IP phone and vice versa.
    My question: I don't understand the logic of how this supernetting resolved the dead-voice issue.
    Please clarify; I'm a bit confused about this.

    It's not recommended. Although VPNs guarantee a secure pipe end-to-end, they don't guarantee latency and variations in latency (Jitter).
