Overlapping IPs

Similar Messages

• Customer with Overlapping IPs talking to DC

  Hi,
  There is a scenario in which MPLS customers with overlapping IP addresses would like to access a shared resource in the Data Center. How this could be possible in MPLS?
  Best Regards,
  Shahzad.

  [email protected] Guys for your responses.The issue is with the return traffic of customer having overlapping IP addresses.Does anyone have a reference to design and configuration document which would cover this requirement, may be using NAT?Cheers,Ahmed Shahzad Think green - keep it on the screen.This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
  NAT is the usual solution for this. NAT can be done on your PE or on an external device (such as a firewall) that interconnects MPLS domain with the shared services infrastructure. Following white paper on NAT with MPLS will provide you with enough information on how to do VRF-aware NAT:
  http://www.cisco.com/en/US/partner/tech/tk648/tk361/technologies_white_paper09186a0080b40929.shtml
  Atif

• Using VRF-Lite in 6509 as Really Expensive IPS ByPass

  I have an IPS (Intrustion Prevention) unit that is causing me some problems with some of my servers in my ServerFarm. I would like to route most of my to/from ServerFarm traffic through the IPS, but use some policy-based routing with an ACL (preferably, a policy-based ACL) to allow some servers to bypass the IPS.
  So, I thought of taking my Cisco 6509 and making it into a Really Expensive Optical ByPass switch for this small group of servers. The challenge is that the IPS runs strictly at Layer 2. So if I connect the IPS in a loop to the 6509, I must change the MAC addresses on these interfaces on the 6509 so that each address is unique -- as well as assign unique IPs to each of the two interfaces, but the addresses must share the same L3 subnet. Of course, this leads to overlapping addresses on the 6509, which it does not like. So, I want to see if I can try a little VRF-lite to remove the overlapping address problem.
  To accomplish the bypass segment, I take a piece of fiber and just connect two ports together on the 6509, changing the MAC addresses and assigning the "overlapping" IPs (which is "solved" by placing the different ports in different VRFs, on just one port in the Global table and the other port in a standalone VRF). If I can do this without running this piece of fiber, I'd be welcome to the idea.
  I can fire up OSPF on all of my interfaces, raising the cost of the IPS Bypass link, and use the route-maps to try to route the Bypass traffic correctly. Unfortunately, the route-maps are not behaving. The traffic moves across the two links (one with IPS, one without) assymetrically, which isn't what I want.
  I am uploading a diagram that will show a simplified example of what I am doing. Here is my config below. Does anyone have any ideas on what I am doing wrong, or a better way to do this? (I tried a VACL approach, but I could not redirect the traffic properly):
  ip vrf Srv
  description ServerNets
  rd 65000:10
  object-group ip address IPS-Ignore
  host 192.168.20.2
  interface GigabitEthernet1/3
  ip address 192.168.200.1 255.255.255.0
  ip policy route-map ServerNetIngress
  interface GigabitEthernet1/9
  description ServerNets
  no ip address
  ip flow ingress
  interface GigabitEthernet1/9.20
  description PublicServerNet
  encapsulation dot1Q 20
  ip vrf forwarding Srv
  ip address 192.168.20.1 255.255.255.128
  ip flow ingress
  ip policy route-map ServerNetEgress
  interface GigabitEthernet1/15
  description IPS-ByPass-Global
  mac-address 0015.c7c9.c10f
  ip address 192.168.15.73 255.255.255.252
  ip flow ingress
  ip ospf cost 100
  interface GigabitEthernet1/17
  description IPS-ByPass-Srv-VRF
  mac-address 0015.c7c9.c111
  ip vrf forwarding Srv
  ip address 192.168.15.74 255.255.255.252
  ip flow ingress
  ip ospf cost 100
  interface GigabitEthernet1/19
  description IPS-Scrub-Global
  mac-address 0015.c7c9.c113
  ip address 10.0.0.2 255.255.255.252
  ip flow ingress
  interface GigabitEthernet1/21
  description IPS-Scrub-Srv-VRF
  mac-address 0015.c7c9.c115
  ip vrf forwarding Srv
  ip address 10.0.0.1 255.255.255.252
  ip flow ingress
  router ospf 10 vrf Srv
  router-id 192.168.10.1
  log-adjacency-changes
  capability vrf-lite
  network 192.168.0.0 0.0.255.255 area 0
  router ospf 1
  router-id 192.168.0.1
  log-adjacency-changes
  network 192.168.0.0 0.0.255.255 area 0
  ip access-list extended IPS-Bypass
  permit ip addrgroup IPS-Ignore any
  permit ip any addrgroup IPS-Ignore
  route-map ServerNetIngress permit 100
  description ByPassIPS
  match ip address IPS-Bypass
  set global
  set ip next-hop 192.168.15.74 10.0.0.1
  route-map ServerNetEgress permit 100
  description ByPassIPS
  match ip address IPS-Bypass
  set ip vrf Srv next-hop 192.168.15.73 10.0.0.2
  I obfuscated my addresses, so don't let that throw you off too much.
  Clarke Morledge
  College of William and Mary

  Thank you for the suggestion. Just using the "set ip next-hop" in the respective route-map is sufficient and gets the job done. Unfortunately, my problem is more with how the policy-based ACLs (PBACLs) work; i.e. the lines with the object-group syntax in the config. My contact with the TAC tells me that PBACLs are not really supported to do policy-based routing. So because the PBACL is not working correctly all of the time, things don't get matched properly in the route-map for the policy-based route to get correctly applied.
  This is really too bad since the PBACL looks to be a quite handy feature. In my example -- at least in theory -- I should be able to make but one change to the "object-group" in order to properly handle the policy-based routing involving the two different route-maps. Alas, this is not as easy as I hoped for since making changes to the PBACL apparently produces unpredictable results -- and the TAC just tells me that the feature is not supported for what I want to do.

• How to configure ASA5512X DMZ with a Public IP address?

  Hi;
  I hav a ASA5512X firewall with 6 interface, interface 0 has been assigned to a WAN connectivity with ADSL, in which my ISP gave me two static IPs (not a block range of IP), my ISP mapped the Mac address of an interface to a ip address, this is what they called "Dynamice-Static" which is likely you research a mac address of an device on DHCP server, then it always giving you the same ip address.
  Here is the scenario, in order to have the 2nd static IP, I need to give them the mac address of another interface on ASA5512x.  I am thinking to give them the interface mac address of interface #3,  however; the public ip address assigned to interface 0 is a WAN and the public ip address assigned to interface 3 will be on the same subnet from ISP, in this scenario, any problem and limitation, also; can I create a nat to translate the public ip on DMZ to one of the host in inside LAN?

  What are you trying to do? What is the purpose of the second public ip? You can use that guy for any number of things. One to one NAT for one thing or another is most common [mail server, web server, RDP terminal, ect]. All of those would go over the same interface to get out to the internet.
  Dynamic-Static is PAT. One IP address, multiple clients using different ports. Simliar to NAT, but different in how the translation is handled.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.html#wp1078939
  SOOOO To answer what you are asking, just give them the MAC of the Interface 0. You can't have overlapping IPs on the interfaces. Won't work. Also if nothing is plugged into that interface, that IP won't do you any good. You could have a DMZ switch that your ASA and ISP link into, and have that second IP assigned to a device you plug into that DMZ switch. I've had to do that with some VCS servers to get Jabber working on it.

• Extending VRF-lite to 6500??

  Hello,
  I have a simple scenario, where there is a 6500 connected to a router (ISP end), which we have planned to implement vrf-lite on.... there are basically 2 VLANs on the LAN, one production and one guest... we need to isolate the routing table instances between the production and guest.. we have planned to configure trunk between the 6500 and PE router at the ISP end. 6500 acts as a CE here.
  Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. i will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production vlan on the LAN also.. I know we will require to configure VRF, RD, BGP etc on the PE router and do a "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end vlans ????? does anyone have any sample configs or links to which i can refer ?
  Raj

  Well,
  first a sample config (not from a 6500, but you should be able to get the idea):
  ip vrf Cust1
  rd 65000:1
  ip vrf Cust2
  rd 65000:2
  interface FastEthernet0/0.100
  encapsulation dot1Q 100
  ip vrf forwarding Cust1
  ip address 10.1.1.1 255.255.255.252
  interface FastEthernet0/0.200
  encapsulation dot1Q 200
  ip vrf forwarding Cust1
  ip address 10.1.2.1 255.255.255.252
  interface FastEthernet0/0.300
  encapsulation dot1Q 300
  ip vrf forwarding Cust2
  ip address 10.20.1.1 255.255.255.252
  interface FastEthernet0/0.333
  encapsulation dot1Q 333
  ip vrf forwarding Cust2
  ip address 10.1.1.1 255.255.255.252
  !On a 6500 you could also have:
  interface vlan 400
  ip vrf forwarding Cust2
  ip address 10.1.123.1 255.255.255.252
  router rip
  address-family ipv4 vrf Cust1
  version 2
  network 10.0.0.0
  no auto-summary
  exit-address-family
  address-family ipv4 vrf Cust2
  version 2
  network 10.0.0.0
  no auto-summary
  exit-address-family
  The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.
  In the data plane traffic is sorted by layer2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If f.e. an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine, whether it belongs to Cust1 or Cust2. The same differentation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core is used.
  So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.
  The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
  Instead of the FastEthernet also VLAN interfaces can be used. The number of interfaces per VRF or the number of VRFs are limited by memory.
  Hope this helps! Please use the rating system.
  Regards, Martin

• Bizarre WiFi Connectivity Issue; Self-Assigned IPs, Static IP Doesn't work

  The short and sweet of the problem: Macs/Apple Devices are pulling self-assigned IP addresses when connecting to a Linksys EA6900/AC1900 router.
  Here’s the detail: I am working at an office with 1 Airport Extreme and 1 Linksys EA6900/AC1900, both are configured for Bridge Mode and both use WPA. DHCP is being handled by a Watchguard XTM5 series firewall.
  When Macs (and often iPhones) connect to the Linksys (on 2.4 or 5Ghz) they get a self-assigned IP address. If you enter a manual address you still do not have any connectivity. However, if you connect to the Extreme you will instantly get an IP address, and if you switch to the Linksys your DHCP address will carry over and you will retain connectivity. This problem does not happen to the Windows machines in the office- they all connect to all base stations without any issue. Total users on the network range from 5 to 20 WiFi users at any given time plus and AppleTV (also affected).
  More info: When there are between 5-10 people in the conference room for a morning meeting the Macs will all revert to self-assigned addresses (even if they were working before). The workaround has been to connect to the Extreme, but there are occasions when this occurs that the Extreme will also not seem to pass the DHCP addresses from the firewall; addresses become self-assigned and you lose all internet. To make matters more odd, this behavior seems to really only affect the network during business hours; after hours the Linksys works pretty much normally and any device can connect without issue.
  Things I’ve done: Run Wireshark and located a number of rogue devices that were handing out overlapping DHCP addresses. Identified machines that were ARP storming and removed them. Expanded the DHCP pool so that we aren’t running out of addresses and confirmed that we had enough by checking the logs.
  More things I’ve done: Used Netspot to check signal strength and channel overlap and isolation. I have mapped the signal strength by location and we have strong signals to the various locations (the Linksys AP is 7 feet from the conference room). I have checked that the firmware is the most recent version.
  I can’t find any logical reason for the Macs (and pretty much only the Macs/Apple devices) to not be picking up DHCP info through the bridge mode devices. I would tell them to get another Extreme but they are going to be deploying a Cisco Meraki system soon and I suspect that this problem will persist since the Linksys was put in place because the last AP displayed the same behavior with the Macs picking up self-assigned IPs. Affected Macs range from 2010 era MBP and Air to 2013 MBP and Air and they are running OSX 10.8 through 10.10.
  As for the history of this network, I just walked into this company and know very little about how well it worked before, but apparently it has always been flaky according to the staff.

  I agree that something isn't right; I am going to cut over DHCP services from the Watchguard to the newly deployed OS X Server tonight and see  if that changes anything.
  On the other hand, faulty DHCP server/client settings doesn't explain why applying a static IP still leaves you with no connectivity. I think that clue is also fairly important but I can't figure out what would be blocking connectivity on a static IP setup.

• Overlapping requests using DTP

  Hello BIGurus,
  I want to delete overlapping requests in the following scenarios using DTP
  1.In Master data Attribute
  2.DSO
  3.Info-cube.
  I am not able to find Deletion of overlapping requests option in the DTP.
  Can you please help me to find out option in DTP to delete overlapping request?

  Hi
  Overlapping request will always delete data based on the same selection condition.
  In your case as the import dates are different for both the requests, it will not delete the previous request.
  You can try selective deletion option if feasible.
  or
  Overlapping will happen only for cubes. Not to DSO (because already we have overwrite option for DSO) so no need to maintain the setting for DSO and also it wonu2019t accept to give the settings.
  We can have the settings to u201Cdelete overlapping request from basic cubeu201D only.
  We can give these settings in 2 ways
  1. In IP level
  Go to IP maintenance screen > go to target tab > click on u201Cautomatic loading of similar/identical request from the info cubeu201D and set the setting as per you convenience
  2. if we want to give the setting in Process chain >
  Select the process type u201Cdelete requestu201D and mention the IPs in the maintain variant screen
  Click on the u201CDeletion selection u201D tab and set the setting as per you convenience
  santosh

• The port range is overlapped with rule X message - SRP521W

  Hello,
  I am having trouble adding a NAT port forwarding rule on my SRP521W. I get the error
  The port range is overlapped with rule X, even though my port ranges are not overlapping.
  I have this rule created (rule 2):
  and am trying to create this rule:
  I get this error
  It seems to be related to the fact that both internal ports are 80, but this should not matter as the internal IP addresses are different. Can someone please explain how I should create rules to allow me to open ports to two different devices, with different IPs, using port 80?
  Many thanks

  Oh wow!  That is an extremely old release.
  I would certainly recommend upgrading straight away.
  Latest release is 1.1.27 and is available via www.cisco.com/go/srp500 - follow the download software link on the right hand side.
  When selecting code, follow the link for SRP520 Models (not SRP520-U)
  You should find that the latest code fixes your issue (and provides more functionality).
  Regards,
  Andy

• Map SMTP port on multiple Public IPs to single private IP.

  Hello,
  we have a need to map smtp on multiple external public IPs to a single Internal IP. We need https,www, and pop3 for the external IP to go to one internal, and smtp to go to a different internal.
  What we'd like to do:
  static (inside,outside) tcp <ip1>.39 80 10.1.1.63 http
  static (inside,outside) tcp <ip1>.39 pop3 10.1.1.63 pop3
  static (inside,outside) tcp <ip1>.39 https 10.1.1.63 https
  static (inside,outside) tcp <ip1>.39 smtp 10.1.1.41 smtp
  static (inside,outside) tcp <ip2>.40 80 10.1.1.64 http
  static (inside,outside) tcp <ip2>.40 pop3 10.1.1.64 pop3
  static (inside,outside) tcp <ip2>.40 https 10.1.1.64 https
  static (inside,outside) tcp <ip2>.40 smtp 10.1.1.41 smtp
  But the PIX cries about overlapping NAT statements.
  We need this because we're an IT outsourcing company and we typically manage our customer's DNS zones. Of course, in every bunch there's an exception and one customer has their DNS hosted elsewhere. We changed the necessary DNS on our side for our customers when we made a mail change (which is close to 100 customers), but when we did this it broke this one-of customer. The DNS hoster for the customer is a little one-man shop and the guy is out of the office for two weeks. What a mess. For some reason their DNS is not using our MX record, so it broke when we made our upgrade.
  Is there any way we can accomplish anythign similar to what we're trying to do? This is a PIX 515E with 7.0(6) Thanks.

  Ok, we found a work-around that wil be fine for now. We added a 2nd IP to the 10.1.1.41 server and just the .39 server to that. So we're only using 1 server for the time being, but that's ok.

• Clients with overlaping content boundaries do not get content

  Hi
  Clients on overlapping content boundaries could not get software updates content. Seems, management point does not return DP information for the client. Is my config wrong?
  The config is as bellow.
  There are boundaries: IP address range (lets say 10.8.0.1 - 10.12.255.254) and IP subnet(let say 10.8.20.0).
  There are boundary groups for content: Boundary Group1, which has IP address range boundary and DP1 as site system(connection speed - SLOW); Boundary Group 2, which has IP subnet boundary and DP2 as site system (Connection speed - Fasts).
  There is software updates deployment targeted to a client (IP 10.8.20.100) with download settings "Download and install, when client is on slow network boundary" and "Do not install when software updates are not available on any preferred DP".
  Software updates content is ON DP1. DP1 is also primary site server (if this is important).
  As I understand, the client (10.8.20.100) should see both DP's as prefered.
  Deployment monitoring shows error - Failed to download updates. Error code 0x87005B4. Description. This Operation Returned because the timeout period has expired.
  In Cas.log on the client I can see:
  Submitted CTM job {AE475526-8EA2-4708-BB17-46C29C8CA9CE} to download Content 7d68d64f-f44f-4d81-9fbb-423c3b362a50.1 under context System 
  Successfully created download  request {FDB9B87D-37AB-4340-9B2F-555B2B7792FC} for content 7d68d64f-f44f-4d81-9fbb-423c3b362a50.1 
  Then after some time:
  Download failed for content 7d68d64f-f44f-4d81-9fbb-423c3b362a50.1 under context System, error 0x800705b4 
  Locationservice.log on the client has "Calling back with empty distribution points list" lines.
  On MP_Location.log on site server i can see
  MP_GetContentDPInfoProtected (UID:7d68d64f-f44f-4d81-9fbb-423c3b362a50,1,Site code,<ServerNameList><ServerName>DP2 FQDN</ServerName></ServerNameList>,SMSUpdate,00000000,domain FQDN,domain FQDN,<ClientLocationInfo
  LocationType="SMSUpdate" DistributeOnDemand="0" UseAzure="0" AllowWUMU="0" UseProtected="1" AllowCaching="0" BranchDPFlags="0" UseInternetDP="0" AllowHTTP="1" AllowSMB="1"
  AllowMulticast="1"><ADSite Name="LT"/><Forest Name="domain FQDN"/><Domain Name="domain FQDN"/><IPAddresses><IPAddress SubnetAddress="10.8.20.0" Address="10.8.20.100"/></IPAddresses></ClientLocationInfo>)

  We have a lot of remote locations. Some of them have local DP's with OSD content.
  The IP range boundary was created first, which covers all remote locations. Then, when somewhere local DP is needed for OSD, IP subnet boundary is crrated. Is that wrong?
  Are you saying, i have to divide that big IP address range boundary and exclude all IPs, wchich are on IP subnet boundaries?
  If i configure deployment to enable clients to use falback source location, they are getting content, as DP1 has "Allow fallback source location for content" checked. But this is not an options, as i need certain client groups (with certain IP
  address ranges) to use diferent DP's for SW updates content.

• Laptop: 95% NTSC TN vs 60% NTSC IPS for my use?

  I'm fairly new to photography, got a G3 in December 2011. Had nothing  but compacts prior. Bought Lightroom 4 and started shooting RAW a year  ago. Upgraded to a G5 last fall and just upgraded to Lightroom 5. I  shoot family and vacation photos, and in particular a lot of photos of  our toddler. I export to JPEG on a shared drive which I stream to a  couple of HDTVs for viewing. I rarely print, and if I do, it's to frame a  photo that came out particularly well at 4x6 or 5x7 or to stick it on  the fridge. In short, it's all personal / hobby, nothing professional /  paid / critical, although I like to do the best job I can with my  limited skill set.
  Historically I've been using my desktop PC w/ 23" 72% NTSC matte IPS  monitor calibrated with Spyder4Pro and it's been fine.  However, life  changes when the baby starts walking, and I no longer have the time to  camp out in the basement developing photos. After getting further and  further behind, I started shopping laptops that I could use as a desktop  replacement as I roam around the house watching my son, and also while  traveling. Based on this, the laptop screen needs to be suitable for  editing, and not rely on an external monitor.
  I was looking at the Sagers with 95% NTSC matte panels. Then they  released a Haswell-based model with IPS screen. I emailed Sager about  color gamut, and it's only 60% NTSC. I thought that may be subpar since  it doesn't even cover sRGB, so I ended up with a model with the 95% TN  screen, which I've calibrated with Sypder4Pro which is stating 91% NTSC.
  The laptop is nice, and has the nicest display of any laptop I've ever  owned. However, vertical angles are still somewhat limited. I'm  wondering how important 95% color gamut is when I don't know at exactly  what angle I'm actually seeing the colors at their most accurate  rendering.  I believe that the slight shift I see within a reasonable  range of viewing angle will probably not create any severe problems when  the finished JPEGs are viewed on the TVs, but I'm wondering if the 60%  NTSC IPS screen would have been a better choice.
  I'm not making fine adjustments to color, I don't even know how to any  real degree. I apply the Huelight Standard G5 profile on import.  I  might tinker with bringing out some blue in the sky on a landscape shot,  or add a touch of vibrance, but that has to do more with the amount of  color, not whether the color is accurate.  I'm not moving tone curves  around and stuff like that. I do adjust white balance, but I don't know  if a reduced gamut would impact my ability to do that. It's more a  matter of warmer vs cooler than whether this shade of blue meets aRGB  specifications.
  I've got a couple weeks of no-questions-asked return window left.  On  one hand, I've spent a lot of time getting all my programs installed and  set up just the way I want, Lightroom is running fast, and an exchange  and re-setup would be a fairly significant hassle.  On the other hand,  I'd like to make the purchase last on the order of 5 years, and I could  justify an extra day or so if there's a compelling reason to do so.
  So, does anyone have an opinion to offer?  For my particular use, does a  cheap IPS panel that doesn't cover sRGB make more sense than a high end  TN panel that almost covers aRGB?  My guess is that I could make either  one work for what I'm doing, and there's probably not enough reason to  switch at this point, but I'd like to hear from those who are more  knowledgeable about it.  Has anyone actually done any editing on a low  gamut IPS monitor and what was your experience?
  Thanks!
  Steve

  PayodPanda wrote:
  The standard panels that we get nowadays generally cover 95-105% of sRGB.
  And there are at least two ways to report this:
  "Percent Area" and "Percent Coverage".The "Percent Area" is simply the area in CIE xy of the display gamut vs the reference gamut, with no consideration of how much of the gamuts actually overlap. This value can be > 100%. The "Percent Coverage" is the overlapping area of the 2 gamuts expressed as a percent of the total area of the reference gamut. The maximum possible value for this is 100%. So when evaluating the spec's, see if you can find out which is used (NEC reports Percent Coverage FWIW).
  Now let's consider these color spaces as triangles, the visible spectrum to the human eye being the largest (refer photo: in this the visible spectrum is a horseshoe shape instead of a triangle (which is how it should be)). The three corners of the triangle are the colours red, green and blue. The ProPhoto is a smaller triangle, adobeRGB inside that, and sRGB the smallest triangle fits inside the adobeRGB space
  These RGB working space are theoretical for one. Built with simple math defining primaries, white point and TRC gamma. You can build them in Photoshop's Color Settings if you wanted to. And ProPhoto RGB has two primaries that fall outside the horseshoe 'gamut' of human vision so we need to be very careful in calling these "colors". If a human can't see them as such, I'm hard pressed to call them colors!
  This is where the display bit depth kicks in. A higher bit depth will be able to show more number of colours on the screen. 8-bit means it can show 2^8 = 256 colours per channel. That gives you 256^3 =  16,777,216 (16.7 million) colours as a combination of the RGB channels.
  Again, this is all theoretical math! Yes, on paper you can define 256^3 =  16,777,216 colors be we can't see anything like this number of colors. It's simply math, not reality. It makes for interesting marketing too. Who would want to buy a display that can divide up numbers to present a spec that works out to 16.7 millon colors when the spec sheet can advertise billions of colors? Despite the fact we can't possibility see or use that?
  The benefits here are encoding, not anything else we can see. The wider the gamut, the higher the precision with more bits. Think of sRGB as a half inflated balloon with 16.7 million dots printed on it. Now you inflate that balloon to twice it's size to suggest ProPhoto RGB. What happens to the distance between the dots? They grow farther apart. The dE values between dots raise with the distance between them. The colorimetric distatnce between the two dots raises. Having more bits simply 'fills in' more data (values) here. It doesn't give us more gamut. Bit depth and gamut are two separate things.
  The point is, be careful expecting more bits (greater encoding precision) to be either useful in terms of what you'll actually be able to see and use. In a wider gamut space, subtle colors you might edit, say the white dress of a bride, will be more difficult to edit with in a wider than narrower bit depth. But more bits doesn't mean more color gamut.
  A high gamut display (in my humble opinion) would only be useful if the display can reproduce a 10-bit colour depth. Then, the higher range will still be divided such that banding won't be discernible by the naked eye in normal circumstances.
  To some degree yes. But keep in mind there's an entire display path! On the Mac, there isn't as yet a full 10-bit path thanks to Apple. We have high bit displays and cards but the application and the OS must support this! That's possible on Windows but not on Mac OS. Having a partial high bit path (say in the panel) is useful and restricts banding but only to a point. I don't know of any wide gamut displays I'd even consider (NEC or Eizo) that don't provide high bit panels.
  Going back to bit depth and gamut and color spaces, a few items:
  It IS true that the wider the granularity in a color space, the harder it is to handle subtle colors. This is why wide gamut displays that can't revert to sRGB (some current LCD technology doesn't allow this.) are not ideal for all work (ideally you need two units). If you purchase a wide gamut display system, you want one that can also emulate sRGB when you are handling subtle color editing.
  The output plays a role as well. There are way, way more colors that can be defined in something like ProPhoto RGB than you could possibly output. But we have to live with a disconnect between the simple shapes of RGB working space and the vastly more complex shapes of output color spaces to the point we're trying to fit round pegs in square holes. To do this, you need a much larger square hole. Simple matrix profiles of RGB working spaces when plotted 3 dimensionally illustrate that they reach their maximum saturation at high luminance levels. The opposite is seen with print (output) color spaces. Printers produce color by adding ink or some colorant, working space profiles are based on building more saturation by adding more light due to the differences in subtractive and additive color models. To counter this, you need a really big RGB working space like ProPhoto RGB again due to the simple size and to fit the round peg in the bigger square hole. Their shapes are simple and predictable. Then there is the issue of very dark colors of intense saturation which do occur in nature and we can capture with many devices. Many of these colors fall outside Adobe RGB (1998) and when you encode into such a space, you clip the colors to the degree that smooth gradations become solid blobs in print, again due to the dissimilar shapes and differences in how the two spaces relate to luminance.
  Lastly, for anyone interested in color gamut in terms of working space and images (capture devices and the scene we photography themselves have a gamut), there is this video:
  Everything you thought you wanted to know about color gamut: A pretty exhaustive 37 minute video examining the color gamut of RGB working spaces, images and output color spaces. All plotted in 2D and 3D to illustrate color gamut.
  High resolution: http://digitaldog.net/files/ColorGamut.mov
  Low Res (YouTube): http://www.youtube.com/watch?v=n0bxSD-Xx-Q

• IPS and Virtual Sensors

  Hello.
  I am looking to put in an IPS. I would like to monitor two segments, but read this in the docs...
  "To avoid definition ordering issues, no conflicts or overlaps are allowed in assignments-you assign interfaces, inline interface pairs, inline VLAN pairs, and VLAN groups to a specific virtual sensor so that no packet is processed by more than one virtual sensor."
  Say I have two virtual sensors and subnets A and B. My question is that packets from segment A will go thru virtual-sensor1, but may (depending on routing) need to pass thru the VLAN pair of virtual-sensor2 to subnet B. Judging from above, this is not possible, since it says the packet can only be seen once. Please advise if I am interpreting the docs correctly.
  Any suggestions or insight is appreciated! Thanks!

  Ah, okay; just to clarify... What they are speaking of is when the packet goes thru the IPS the first time, it stays in one virtual sensor during it's "session" thru it and is should not processed by any other virtual sensor.
  If the packet reenters the IPS on a different interface pair (ie; virtual sensor) then that is OK.
  Thanks for the reply!

• Subnetting different length IPs

  Hi 
  I have a question about subnetting, seems like a simple one but a point I may have missed from my studies, but now in real life networking these questions are popping up. 
  So If I have use the IP address of 192.168.10.0/24, now say I need 2 x /30 p2p links so out subnet those from this IP giving me, 
  192.168.10.0/30
  192.168.10.4/30
  Some time later (days or months) I need a subnet with 6 useable IPs so I am now after a /29, so am I able to proceed from this point and help myself to 192.168.10.8/29.
  And some time later I need another /30 so I now help myself to 192.168.10.16/30
  In cisco I remember learning to subnet an IP  by starting with the highest number of hosts going down. But in real life when you need subnets here and there you may not be able to do that, well you could by using a different IP address but for the sake of keeping IPs similar you may not want to.
  Any help will be much appreciated.

  You can use variable subnets in anyway you want as long as subnets don't overlap with each other.
  Keep in mind that doing that my end up wasting addresses.

• How can I fix left pane text overlap in iCal Day view?

  In "Day" view, the items in the left hand (list) pane in iCal are overlapping, obscuring the bottom 1/3 of each line of text. It is as if the table cells are too close together vertically. How do I fix this?

  Start Firefox in <u>[[Safe Mode]]</u> to check if one of the extensions or if hardware acceleration is causing the problem (switch to the DEFAULT theme: Firefox (Tools) > Add-ons > Appearance/Themes).
  *Don't make any changes on the Safe mode start window.
  *https://support.mozilla.org/kb/Safe+Mode
  Try to disable hardware acceleration.
  *Tools > Options > Advanced > General > Browsing: "Use hardware acceleration when available"
  If disabling hardware acceleration works then check if there is an update available for your graphics display driver.

• Overlap, bookmarker or something like this...

  hi,
  i read a lot of ebooks and i've got this question:
  can i mark a overlap or bookmarker (just like in normal books) in adobe so when i close ebook it will open next time exactly where i finished reading recently?
  i'm new so sorry if this thread repeats...

  Look here:
  http://forums.adobe.com/message/3321356#3321356