Redundant Controller at a remote site

We are implementing a number of WLCs at different sites that are connected by a WAN (site-to-site links). I'd like to use the WLC at site A as the backup WLC for site B and that at site B as the backup for site A.
I've reviewed the documents that I can find on Cisco and the threads in this forum, but haven't found a definitive guide yet - maybe I haven't recognised it.
Can anyone point me in the right direction or provide configuration advice?
Thanks in advance

The only issue with doing that is the fact that the APs at remote A will obtain their configuration from remote B when WLC A fails. So that means that the users will associate to an SSID and be tunneled back to the other remote site and access the network from there. If this doesn't work for you then maybe having redundant WLCs at each remote site is a better option. One other thing is to configure the APs in H-REAP mode and have all the WLCs centrally located.

Similar Messages

  • Best Practices for Setting up a Windows 2012 R2 STD Domain Controller in a Remote Site

    So I'm looking for an article or writeup similar to the "Adding Domain Controllers in Remote Sites" TechNet article but for Windows Server 2012 STD R2.  Here is my scenario:
    1.  I want to setup the domain controller at Site A where the primary domain controller is located.  The primary domain controller is Windows Server 2008 R2. 
    2.  Once the DC is setup I plan on leaving it on our network for a few days before shipping it to remote Site B for installation
    Other key items:
    1.  The remote Site B will have a different IP range than Site A but will be connected to Site A via a single VPN tunnel.  All the DCs that replicate with each other are on the same domain. 
    2.  The 2012 DC that I setup for Site B (same domain in same forest) will be a DHCP, DNS, and WSUS server all replicating to the primary DC at Site A
    Questions:
    1.  What items can I set up while it's at Site A without affecting or conflicting with the existing network and domain controller? Can I set up a scope once the DHCP role is added?
    2.  All of our DCs replicate through Sites and Services. Do I have to manually add this to our primary DC for the new DC going to remote Site B, or does this happen automatically when I promote the DC?
    All in all I'm just looking for a list of Best Practices for 2012 or a Step by Step Guide. Any help would be appreciated.

    Hi,
    Thanks for your posting.
    When you install AD DS in the hub or staging site, disconnect the installed domain controller, and then ship the computer to the remote site, you are disconnecting a viable domain controller from the replication topology.
    For more detailed information, please refer to:
    Best Practices for Adding Domain Controllers in Remote Sites
    http://technet.microsoft.com/en-us/library/cc794962(v=ws.10).aspx
    Regards.
    Vivian Wang

  • Adding a Server 2008 R2 Domain Controller at a remote site

    Hello. I have been trying to set up a hot site at a remote location.  The story is long and involved but a few weeks ago it seemed to be finally working.  Our setup is two mirrored 2008 R2 servers at main site, mirrored with Double Take. 
    The hot site is the same except that so far I only had one server working.  The two sites connected via site to site VPN.
    About a week later our primary server basically crashed. At first it worked but very slowly. I was on vacation at the time and so I am not sure of the sequence of events, or exactly what errors were presented, but my associate first tried rebooting. It took over 20 minutes to boot and then it said something to the effect that no domain controllers were available (not sure about this message). He then discovered that the server at the remote site had some FSMO roles assigned to it. He transferred the roles to the primary at the main site and then demoted the remote server to a workstation (but still a domain member).
    After that, rebooting the primary was much faster and everything at the primary site is working again. Now I want to set the remote site up again, but avoid the problem. The way I originally set up the remote server was to use an IFM file, generated from our primary. This should have made the remote server a catalog server, with DNS (which it did), but as far as I know should not have transferred any FSMO roles.
    The remote server(s) need to be in the same domain as the primary. They will also be mirrored from the primary (with Double Take). If we had total failure at the main site, we wish to be able to immediately begin operations at the hot site (after a fail over). I freely admit that I am swimming out of my depth here. I am not sure that I have selected the correct architecture or used the correct options in setting up the remote servers. I am looking for information about what went wrong, and whether some other setup is more desirable.
    Thanks for any help, Russ
    Russ

    Philippe, thank you for your answers. I do not understand everything you said but I will address each point as best I can:
    1. "In the remote site do you simply do a dcpromo / add the ADDS role to make the server an active Domain Controller?" Yes, but I use the method described at
    http://technet.microsoft.com/en-us/library/cc753720(v=ws.10).aspx, the GUI method. At step #8 I specified to use advanced mode so I could use the IFM file.
    2. "In your AD Sites and Services MMC, did you configure the remote site?" I do not know what you mean by this. How does one configure the site as 'remote'?
    3. "Did you add that remote server as a Global Catalog?" Yes, when I built the IFM file I specified to add the global catalog.
    4. "Did you add to the PCs in site 1 the IP of those DNS servers (last of course)? So the computers in the main site will talk to the remote server in case of a crash." I am not sure I understand this item. After the remote server was added, all of the members of both domain servers automatically appeared in the DNS of all servers in the domain. I do not recall if the new items were last, but I expect that they would be.
    I have since reviewed the happenings with my associate and have a little more information.  The order of the problems and the actions taken are:
    1. Our primary (production) system was still working but extremely slowly, and he observed that the slowness was caused by a lot of traffic with the remote site. Rebooting the production server took over 25 minutes and the server came up saying that domain information was not available. After another 30 minutes or so he discovered that the domain data was now available and the server worked, but still slowly.
    2. He did not check to verify that roles were held by the remote server, but he transferred all roles from the remote to the production server using ntdsutil. I would expect that if the role was not held by the remote, the transfer command would have shown that fact.
    3. He then tried to demote the remote server but had an error that it could not be demoted because "the active directory service is missing mandatory configuration information".
    4. He forcefully demoted the remote server.
    5. After rebooting the production server again performance was slightly better but still slow (and the reboot was still very slow).
    6. After some research he removed the remote domain controller's metadata from the production server and then rebooted the production server again.
    At that point reboot was fast (under 5 minutes) and the production system was working at normal speed again.
    All of the above leads me to believe that somehow the FSMO roles got added to, or moved to, the remote site when I used the IFM file to create the new domain controller. However nothing I have read says that this should happen. I hope someone here can give me a better answer as to what caused the problem, as I do not wish to interrupt our production system like this again.
    Thank you, Russ
    PS: Sorry for the delay in getting back to this but some other priorities took me away from it for a week.
    Russ

  • Remote site redundancy IPSEC VPN between 2911 and ASA

    We already have IPSEC VPN connectivity established between sites but would like to introduce some resilience/redundancy at a remote site.
    Site A has an ASA with one internet circuit.
    Site B has a Cisco 2911 with one internet circuit and we have established site-to-site IPSEC VPN connectivity between the 2911 and the ASA.
    Prior to getting the new internet circuit, Site B had a Cisco 877 with an ADSL line which are still available but aren’t currently in use.
    The internet circuit at Site B has dropped a few times recently so we would like to make use of the ADSL circuit (and potentially the 877 router too) as a backup.
    What is the best way of achieving this?
    We thought about running HSRP between the 877 and 2911 routers at Site B and, in the event of a failure of the router or internet circuit, traffic would failover to the 877 and ADSL.
    However, how would Site A detect the failure? Can we simply rely on Dead Peer Detection and list the public IP address of the internet circuit at Site B first with the public IP address used on the ADSL line second in the list on the ASA? What would happen in a failover scenario and, just as important, when service was restored – I’m not sure DPD would handle that aspect correctly?
    I've read briefly elsewhere that GRE might be best to use in this scenario, but I can't use GRE on the ASA. I have an L3 switch behind the ASA which I may be able to make use of? But I don't want to disrupt the existing IPSEC VPN connectivity already established between the ASA and the 2911. Can I keep IPSEC between the ASA and 2911 but then run GRE between the L3 switch and the 2911? If so, how would this best be achieved? And how could I also introduce the 877 and ADSL line into things to achieve the necessary redundancy?
    Any help/advice would be appreciated!

    Hello,
    I don't think a GRE tunnel that you could set up on the switch behind the ASA would be really helpful. You still want to establish site-to-site tunnels between the ASA and some routers, and it is still the ASA which needs to make the decision about which peer to connect to.
    A possible solution would be to do HSRP between both routers on the LAN side, with two independent tunnels/crypto maps (one on each of them). On the ASA you would need to set up two hosts in set peer. The problem with this solution is that if one router at site B goes down and the second ADSL line takes over, the ASA will not preempt after your main Internet connection is up again. That would only happen after the ADSL Internet connection goes down.
    A solution to that would be to assign two different public IP addresses on two different interfaces of the ASA. Then you attach two crypto maps to both interfaces and, by using SLA monitor (let's say ICMP to the main router; if it does not respond then you change routing for the remote LAN to the second interface), you select which crypto map (with one peer this time) should be used.
    I hope what I wrote makes some sense.

  • VPN Clients cannot access remote site

    Hey there,
    I am pretty new in configuring Cisco devices and now I need some help.
    I have 2 sites here:
    Site A:
    Cisco 891
    external IP: 195.xxx.yyy.zzz
    VPN gateway for remote users
    local IP: VLAN10 10.133.10.0/23
    Site B:
    Cisco 891
    external IP: 62.xxx.yyy.zzz
    local IP: VLAN10 10.133.34.0/23
    Those two sites are linked together with a Site-to-Site VPN. Accessing files or resources from one site to the other is working fine while connected to the local LAN.
    I configured the VPN connection with Radius auth. VPN clients can connect to Site A, get an IP address from the VPN pool (172.16.100.2-100) and can access files and servers on site A. But for some reason they cannot access resources on site B. I already added the site B network to the ACL, and when connecting with VPN it shows secured routes to 10.133.10.0 and 10.133.34.0 in the statistics. Same thing for other VPN tunnels to the ERP system.
    What is missing here to make it possible to reach remote sites when connected through VPN? I had a look at the logs but could not find anything important.
    Here is the config of site A
    Building configuration...
    Current configuration : 24257 bytes
    version 15.2
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname Englerstrasse
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    aaa new-model
    aaa group server radius Radius-AD
    server 10.133.10.5 auth-port 1812 acct-port 1813
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_2 group Radius-AD local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    clock timezone Berlin 1 0
    clock summer-time Berlin date Mar 30 2003 2:00 Oct 26 2003 3:00
    crypto pki trustpoint TP-self-signed-27361994
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-27361994
    revocation-check none
    rsakeypair TP-self-signed-27361994
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki certificate chain TP-self-signed-27361994
    certificate self-signed 01
          quit
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    no ip source-route
    ip auth-proxy max-login-attempts 5
    ip admission max-login-attempts 5
    no ip bootp server
    no ip domain lookup
    ip domain name yourdomain.com
    ip inspect log drop-pkt
    ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
    ip inspect name CCP_MEDIUM ftp
    ip inspect name CCP_MEDIUM h323
    ip inspect name CCP_MEDIUM sip
    ip inspect name CCP_MEDIUM https
    ip inspect name CCP_MEDIUM icmp
    ip inspect name CCP_MEDIUM netshow
    ip inspect name CCP_MEDIUM rcmd
    ip inspect name CCP_MEDIUM realaudio
    ip inspect name CCP_MEDIUM rtsp
    ip inspect name CCP_MEDIUM sqlnet
    ip inspect name CCP_MEDIUM streamworks
    ip inspect name CCP_MEDIUM tftp
    ip inspect name CCP_MEDIUM udp
    ip inspect name CCP_MEDIUM vdolive
    ip inspect name CCP_MEDIUM imap reset
    ip inspect name CCP_MEDIUM smtp
    ip cef
    no ipv6 cef
    appfw policy-name CCP_MEDIUM
      application im aol
        service default action allow alarm
        service text-chat action allow alarm
        server permit name login.oscar.aol.com
        server permit name toc.oscar.aol.com
        server permit name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action allow alarm
        service text-chat action allow alarm
        server permit name messenger.hotmail.com
        server permit name gateway.messenger.hotmail.com
        server permit name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action allow alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action allow alarm
      application im yahoo
        service default action allow alarm
        service text-chat action allow alarm
        server permit name scs.msg.yahoo.com
        server permit name scsa.msg.yahoo.com
        server permit name scsb.msg.yahoo.com
        server permit name scsc.msg.yahoo.com
        server permit name scsd.msg.yahoo.com
        server permit name cs16.msg.dcn.yahoo.com
        server permit name cs19.msg.dcn.yahoo.com
        server permit name cs42.msg.dcn.yahoo.com
        server permit name cs53.msg.dcn.yahoo.com
        server permit name cs54.msg.dcn.yahoo.com
        server permit name ads1.vip.scd.yahoo.com
        server permit name radio1.launch.vip.dal.yahoo.com
        server permit name in1.msg.vip.re2.yahoo.com
        server permit name data1.my.vip.sc5.yahoo.com
        server permit name address1.pim.vip.mud.yahoo.com
        server permit name edit.messenger.yahoo.com
        server permit name messenger.yahoo.com
        server permit name http.pager.yahoo.com
        server permit name privacy.yahoo.com
        server permit name csa.yahoo.com
        server permit name csb.yahoo.com
        server permit name csc.yahoo.com
        audit-trail on
    parameter-map type inspect global
    log dropped-packets enable
    multilink bundle-name authenticated
    redundancy
    ip tcp synwait-time 10
    class-map match-any CCP-Transactional-1
    match dscp af21
    match dscp af22
    match dscp af23
    class-map match-any CCP-Voice-1
    match dscp ef
    class-map match-any sdm_p2p_kazaa
    match protocol fasttrack
    match protocol kazaa2
    class-map match-any CCP-Routing-1
    match dscp cs6
    class-map match-any sdm_p2p_edonkey
    match protocol edonkey
    class-map match-any CCP-Signaling-1
    match dscp cs3
    match dscp af31
    class-map match-any sdm_p2p_gnutella
    match protocol gnutella
    class-map match-any CCP-Management-1
    match dscp cs2
    class-map match-any sdm_p2p_bittorrent
    match protocol bittorrent
    policy-map sdm-qos-test-123
    class class-default
    policy-map sdmappfwp2p_CCP_MEDIUM
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    policy-map CCP-QoS-Policy-1
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    class CCP-Voice-1
      priority percent 33
    class CCP-Signaling-1
      bandwidth percent 5
    class CCP-Routing-1
      bandwidth percent 5
    class CCP-Management-1
      bandwidth percent 5
    class CCP-Transactional-1
      bandwidth percent 5
    class class-default
      fair-queue
      random-detect
    crypto ctcp port 10000
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key REMOVED address 62.20.xxx.yyy 
    crypto isakmp key REMOVED address 195.243.xxx.yyy
    crypto isakmp key REMOVED address 195.243.xxx.yyy
    crypto isakmp key REMOVED address 83.140.xxx.yyy  
    crypto isakmp client configuration group VPN_local
    key REMOVED
    dns 10.133.10.5 10.133.10.7
    wins 10.133.10.7
    domain domain.de
    pool SDM_POOL_2
    acl 115
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group VPN_local
       client authentication list ciscocp_vpn_xauth_ml_2
       isakmp authorization list ciscocp_vpn_group_ml_2
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA11
    set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to62.20.xxx.xxx
    set peer 62.20.xxx.xxx
    set transform-set ESP-3DES-SHA
    match address 105
    crypto map SDM_CMAP_1 2 ipsec-isakmp
    description Tunnel to195.243.xxx.xxx
    set peer 195.243.xxx.xxx
    set transform-set ESP-3DES-SHA4
    match address 107
    crypto map SDM_CMAP_1 3 ipsec-isakmp
    description Tunnel to83.140.xxx.xxx
    set peer 83.140.xxx.xxx
    set transform-set ESP-DES-SHA1
    match address 118
    interface Loopback2
    ip address 192.168.10.1 255.255.254.0
    interface Null0
    no ip unreachables
    interface FastEthernet0
    switchport mode trunk
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    interface FastEthernet2
    no ip address
    spanning-tree portfast
    interface FastEthernet3
    no ip address
    spanning-tree portfast
    interface FastEthernet4
    description Internal LAN
    switchport access vlan 10
    switchport trunk native vlan 10
    no ip address
    spanning-tree portfast
    interface FastEthernet5
    no ip address
    spanning-tree portfast
    interface FastEthernet6
    no ip address
    spanning-tree portfast
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    description $FW_OUTSIDE$$ETH-WAN$
    ip address 62.153.xxx.xxx 255.255.255.248
    ip access-group 113 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect CCP_MEDIUM out
    no ip virtual-reassembly in
    ip verify unicast reverse-path
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    service-policy input sdmappfwp2p_CCP_MEDIUM
    service-policy output CCP-QoS-Policy-1
    interface Virtual-Template1 type tunnel
    ip unnumbered FastEthernet8
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface GigabitEthernet0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Vlan1
    no ip address
    interface Vlan10
    description $FW_INSIDE$
    ip address 10.133.10.1 255.255.254.0
    ip access-group 112 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    ip local pool SDM_POOL_1 192.168.10.101 192.168.10.200
    ip local pool VPN_Pool 192.168.20.2 192.168.20.100
    ip local pool SDM_POOL_2 172.16.100.2 172.16.100.100
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip forward-protocol nd
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet8 overload
    ip route 0.0.0.0 0.0.0.0 62.153.xxx.xxx
    ip access-list extended VPN1
    remark VPN_Haberstrasse
    remark CCP_ACL Category=4
    permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    ip radius source-interface Vlan10
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.7
    access-list 23 remark CCP_ACL Category=17
    access-list 23 permit 195.243.xxx.xxx
    access-list 23 permit 10.133.10.0 0.0.1.255
    access-list 23 permit 10.10.10.0 0.0.0.7
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 10.133.10.0 0.0.1.255 any
    access-list 101 remark CCP_ACL Category=16
    access-list 101 permit udp any eq bootps any eq bootpc
    access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny   ip host 255.255.255.255 any
    access-list 101 deny   ip any any
    access-list 102 remark auto generated by CCP firewall configuration
    access-list 102 remark CCP_ACL Category=1
    access-list 102 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 102 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 102 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 102 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 102 deny   ip host 255.255.255.255 any
    access-list 102 deny   ip host 0.0.0.0 any
    access-list 102 deny   ip any any log
    access-list 103 remark auto generated by CCP firewall configuration
    access-list 103 remark CCP_ACL Category=1
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
    access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 103 permit udp any host 62.153.xxx.xxx eq non500-isakmp
    access-list 103 permit udp any host 62.153.xxx.xxx eq isakmp
    access-list 103 permit esp any host 62.153.xxx.xxx
    access-list 103 permit ahp any host 62.153.xxx.xxx
    access-list 103 permit udp host 194.25.0.60 eq domain any
    access-list 103 permit udp host 194.25.0.68 eq domain any
    access-list 103 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
    access-list 103 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 103 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 103 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 103 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 103 deny   ip host 255.255.255.255 any
    access-list 103 deny   ip host 0.0.0.0 any
    access-list 103 deny   ip any any log
    access-list 104 remark CCP_ACL Category=4
    access-list 104 permit ip 10.133.10.0 0.0.1.255 any
    access-list 105 remark CCP_ACL Category=4
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.133.10.0 0.0.1.255 10.133.20.0 0.0.0.255
    access-list 106 permit ip 10.10.10.0 0.0.0.7 any
    access-list 106 permit ip 10.133.10.0 0.0.1.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.133.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    access-list 108 remark Auto generated by SDM Management Access feature
    access-list 108 remark CCP_ACL Category=1
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq telnet
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 22
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq www
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq 443
    access-list 108 permit tcp 10.133.10.0 0.0.1.255 host 10.133.10.1 eq cmd
    access-list 108 deny   tcp any host 10.133.10.1 eq telnet
    access-list 108 deny   tcp any host 10.133.10.1 eq 22
    access-list 108 deny   tcp any host 10.133.10.1 eq www
    access-list 108 deny   tcp any host 10.133.10.1 eq 443
    access-list 108 deny   tcp any host 10.133.10.1 eq cmd
    access-list 108 deny   udp any host 10.133.10.1 eq snmp
    access-list 108 permit ip any any
    access-list 109 remark CCP_ACL Category=1
    access-list 109 permit ip 10.133.10.0 0.0.1.255 any
    access-list 109 permit ip 10.10.10.0 0.0.0.7 any
    access-list 109 permit ip 192.168.10.0 0.0.1.255 any
    access-list 110 remark CCP_ACL Category=1
    access-list 110 permit ip host 195.243.xxx.xxx any
    access-list 110 permit ip host 84.44.xxx.xxx any
    access-list 110 permit ip 10.133.10.0 0.0.1.255 any
    access-list 110 permit ip 10.10.10.0 0.0.0.7 any
    access-list 110 permit ip 192.168.10.0 0.0.1.255 any
    access-list 111 remark CCP_ACL Category=4
    access-list 111 permit ip 10.133.10.0 0.0.1.255 any
    access-list 112 remark CCP_ACL Category=1
    access-list 112 permit udp host 10.133.10.5 eq 1812 any
    access-list 112 permit udp host 10.133.10.5 eq 1813 any
    access-list 112 permit udp any host 10.133.10.1 eq non500-isakmp
    access-list 112 permit udp any host 10.133.10.1 eq isakmp
    access-list 112 permit esp any host 10.133.10.1
    access-list 112 permit ahp any host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1645 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1646 host 10.133.10.1
    access-list 112 remark auto generated by CCP firewall configuration
    access-list 112 permit udp host 10.133.10.5 eq 1812 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.5 eq 1813 host 10.133.10.1
    access-list 112 permit udp host 10.133.10.7 eq domain any
    access-list 112 permit udp host 10.133.10.5 eq domain any
    access-list 112 deny   ip 62.153.xxx.xxx 0.0.0.7 any
    access-list 112 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 112 deny   ip host 255.255.255.255 any
    access-list 112 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 112 permit ip any any
    access-list 113 remark CCP_ACL Category=1
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.34.0 0.0.1.255 192.168.10.0 0.0.1.255
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.60.16.0 0.0.0.255 192.168.10.0 0.0.1.255
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.60.16.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 permit udp host 83.140.100.4 host 62.153.xxx.xxx eq isakmp
    access-list 113 permit esp host 83.140.100.4 host 62.153.xxx.xxx
    access-list 113 permit ahp host 83.140.100.4 host 62.153.xxx.xxx
    access-list 113 permit ip host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit ip host 84.44.xxx.xxx host 62.153.xxx.xxx
    access-list 113 remark auto generated by CCP firewall configuration
    access-list 113 permit udp host 194.25.0.60 eq domain any
    access-list 113 permit udp host 194.25.0.68 eq domain any
    access-list 113 permit udp host 194.25.0.68 eq domain host 62.153.xxx.xxx
    access-list 113 permit udp host 194.25.0.60 eq domain host 62.153.xxx.xxx
    access-list 113 permit udp any host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 permit udp any host 62.153.xxx.xxx eq isakmp
    access-list 113 permit esp any host 62.153.xxx.xxx
    access-list 113 permit ahp any host 62.153.xxx.xxx
    access-list 113 permit ahp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit esp host 195.243.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 113 permit udp host 195.243.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.34.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 113 permit ahp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 192.168.10.0 0.0.1.255 10.133.10.0 0.0.1.255
    access-list 113 permit esp host 62.20.xxx.xxx host 62.153.xxx.xxx
    access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq isakmp
    access-list 113 permit udp host 62.20.xxx.xxx host 62.153.xxx.xxx eq non500-isakmp
    access-list 113 remark IPSec Rule
    access-list 113 permit ip 10.133.20.0 0.0.0.255 10.133.10.0 0.0.1.255
    access-list 113 remark Pop3
    access-list 113 permit tcp host 82.127.xxx.xxx eq 8080 host 62.153.xxx.xxx
    access-list 113 remark Pop3
    access-list 113 permit tcp any eq pop3 host 62.153.xxx.xxx
    access-list 113 remark SMTP
    access-list 113 permit tcp any eq 465 host 62.153.xxx.xxx
    access-list 113 remark IMAP
    access-list 113 permit tcp any eq 587 host 62.153.xxx.xxx
    access-list 113 deny   ip 10.133.10.0 0.0.1.255 any
    access-list 113 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 113 permit icmp any host 62.153.xxx.xxx echo-reply
    access-list 113 permit icmp any host 62.153.xxx.xxx time-exceeded
    access-list 113 permit icmp any host 62.153.xxx.xxx unreachable
    access-list 113 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 113 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 113 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 113 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 113 deny   ip host 255.255.255.255 any
    access-list 113 deny   ip host 0.0.0.0 any
    access-list 113 deny   ip any any log
    access-list 114 remark auto generated by CCP firewall configuration
    access-list 114 remark CCP_ACL Category=1
    access-list 114 deny   ip 10.133.10.0 0.0.1.255 any
    access-list 114 deny   ip 10.10.10.0 0.0.0.7 any
    access-list 114 permit icmp any any echo-reply
    access-list 114 permit icmp any any time-exceeded
    access-list 114 permit icmp any any unreachable
    access-list 114 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 114 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 114 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 114 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 114 deny   ip host 255.255.255.255 any
    access-list 114 deny   ip host 0.0.0.0 any
    access-list 114 deny   ip any any log
    access-list 115 remark VPN_Sub
    access-list 115 remark CCP_ACL Category=5
    access-list 115 permit ip 10.133.10.0 0.0.1.255 172.16.0.0 0.0.255.255
    access-list 115 permit ip 10.133.34.0 0.0.1.255 172.16.0.0 0.0.255.255
    access-list 115 permit ip 10.133.20.0 0.0.0.255 any
    access-list 116 remark CCP_ACL Category=4
    access-list 116 remark IPSec Rule
    access-list 116 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 117 remark CCP_ACL Category=4
    access-list 117 remark IPSec Rule
    access-list 117 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 118 remark CCP_ACL Category=4
    access-list 118 remark IPSec Rule
    access-list 118 permit ip 10.133.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    access-list 118 remark IPSec Rule
    access-list 118 permit ip 192.168.10.0 0.0.1.255 10.60.16.0 0.0.0.255
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    control-plane
    mgcp profile default
    line con 0
    transport output telnet
    line 1
    modem InOut
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    line vty 0 4
    session-timeout 45
    access-class 110 in
    transport input telnet ssh
    line vty 5 15
    access-class 109 in
    transport input telnet ssh
    scheduler interval 500
    end

    The crypto ACL for the site-to-site VPN should also include the VPN client pool; otherwise traffic from the VPN client does not match the interesting traffic for the site-to-site VPN.
    On Site A:
    should include "access-list 107 permit ip 172.16.100.0 0.0.0.255 10.133.34.0 0.0.1.255"
    You should also remove the following line, as the pool is incorrect:
    access-list 107 permit ip 192.168.10.0 0.0.1.255 10.133.34.0 0.0.1.255
    On Site B:
    should include "permit ip 10.133.34.0 0.0.1.255 172.16.100.0 0.0.0.255"
    NAT exemption on site B should also be configured with a deny for the above ACL.

  • One WLC for Headquarters and Remote Site

    Hi
    I have a question about the WLC remote deployment.
    We have the following design at the moment:
    Headquarters
    - Network 192.168.49.0 /24
    - WLC 4402 Version 4.2.61.0
    -- 3 x LAP1252
    -- Layer 3 LWAPP
    -- SSID wep
    -- SSID wpa
    - Windows PDC with Active Directory, DHCP Server and local Data Storage
    - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
    Remote Site
    - Network 192.168.50.0 /24
    - 2 x LAP1252
    -- SSID wep
    -- SSID wpa
    - Windows PDC with Active Directory, DHCP Server and local Data Storage
    - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
    Connection between Headquarters and Remote Site
    - 2 Mbit ADSL
    The problem is that the wireless clients at the remote site get an IP address out of the headquarters DHCP range 192.168.49.0 /24. The users at the remote site
    most of the time only use the local data server in the remote office. With the current design the whole traffic is switched over the 2 Mbit ADSL connection to the
    WLC in the headquarters and back to the remote site. That works, but it is not that performant.
    The problem could be solved with H-REAP, but I think it is not possible to have the same SSID at the headquarters and the remote site with different VLANs.
    How can I achieve that the clients at the remote site connect to the same SSID (wep or wpa), get an IP address from the remote site DHCP server (192.168.50.0)
    and the traffic is switched locally?
    I hope you understand what the problem is.
    Thanks in advance for your help!

    Yes, putting the remote APs in H-REAP mode will allow the same WLANs to be available on the APs, but the traffic would be locally switched at the AP instead of being tunneled back to the controller. After you put the AP in H-REAP mode, you then configure which VLAN you want the traffic for each WLAN to be dumped onto for that AP.

  • Remote site to site VPN user cannot access LAN resources

    Users at the remote site get ping responses but no HTTP service from the local web server, which also has a NAT rule allowing access from the WAN. In the config below, users in the remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but HTTP packets are not returned.
    What do I need to do to fix this?
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname SFGallery
    boot-start-marker
    boot-end-marker
    no logging buffered
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    clock timezone PCTime -7 0
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    no ipv6 cef
    ip source-route
    ip cef
    ip dhcp excluded-address 172.16.0.1 172.16.3.99
    ip dhcp excluded-address 172.16.3.200 172.16.3.254
    ip dhcp pool SFGallery172
    import all
    network 172.16.0.0 255.255.252.0
    domain-name xxxxxxxxxxxx
    dns-server 10.10.10.10
    default-router 10.10.10.94
    netbios-name-server 10.10.10.10
    ip domain name gpgallery.com
    ip name-server 10.10.10.10
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip name-server 10.10.10.80
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    crypto pki trustpoint test_trustpoint_config_created_for_sdm
    subject-name [email protected]
    revocation-check crl
    crypto pki trustpoint SFGallery_Certificate
    enrollment selfsigned
    serial-number none
    ip-address none
    revocation-check crl
    rsakeypair SFGallery_Certificate_RSAKey 512
    crypto pki certificate chain test_trustpoint_config_created_for_sdm
    crypto pki certificate chain SFGallery_Certificate
    certificate self-signed 01
    xxxxxx
    quit
    license udi pid CISCO2911/K9 sn FTX1542AKJ3
    license boot module c2900 technology-package securityk9
    license boot module c2900 technology-package datak9
    hw-module sm 1
    object-group network Corp
    172.16.4.0 255.255.252.0
    10.10.10.128 255.255.255.224
    object-group network SFGallery
    172.16.0.0 255.255.252.0
    10.10.10.0 255.255.255.128
    object-group network NY
    10.10.10.160 255.255.255.224
    172.16.16.0 255.255.252.0
    object-group network GPAll
    group-object SFGallery
    group-object NY
    group-object Corp
    username xxx
    username xxx
    username xxx
    username xxx
    redundancy
    no ip ftp passive
    ip ssh version 1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
    pass
    zone security sslvpn-zone
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key TempVPN1# address xx.xx.xx.xx
    crypto isakmp client configuration group SFGallery
    key Peters2011
    dns 10.10.10.10 10.10.10.80
    wins 10.10.10.10 10.10.10.80
    domain gpgallery.com
    pool SDM_POOL_1
    acl 111
    save-password
    split-dns gpgallery.com
    max-users 25
    max-logins 3
    netmask 255.255.252.0
    banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C
    crypto isakmp profile ciscocp-ike-profile-1
    match identity group SFGallery
    client authentication list ciscocp_vpn_xauth_ml_3
    isakmp authorization list ciscocp_vpn_group_ml_2
    client configuration address respond
    virtual-template 3
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set security-association idle-time 43200
    set transform-set ESP-3DES-SHA3
    set isakmp-profile ciscocp-ike-profile-1
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel toxx.xx.xx.xx
    set peer xx.xx.xx.xx
    set transform-set ESP-3DES-SHA1
    match address 107
    reverse-route
    interface Loopback1
    ip address 192.168.5.1 255.255.255.0
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description T1 Cybermesa$ETH-WAN$
    ip address xx.xx.xx.xx 255.255.255.240
    ip access-group 105 in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface GigabitEthernet0/1
    description LANOverloadNet$ETH-WAN$
    no ip address
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface GigabitEthernet0/2
    description LAN$ETH-LAN$
    ip address 10.10.10.2 255.255.255.128
    ip access-group 100 in
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    ip address 192.168.100.1 255.255.255.0
    ip access-group ReplicationIN out
    duplex auto
    speed auto
    interface GigabitEthernet1/0
    description $ETH-LAN$
    ip address 172.16.0.1 255.255.252.0
    ip nat inside
    ip virtual-reassembly in
    interface GigabitEthernet1/1
    description Internal switch interface connected to EtherSwitch Service Module
    no ip address
    interface Virtual-Template1 type tunnel
    ip unnumbered Loopback1
    interface Virtual-Template2
    ip unnumbered Loopback1
    zone-member security sslvpn-zone
    interface Virtual-Template3 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface Vlan1
    no ip address
    ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
    ip forward-protocol nd
    ip http server
    ip http access-class 1
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip flow-top-talkers
    top 10
    sort-by bytes
    cache-timeout 60000
    ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
    ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
    ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable
    ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable
    ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable
    ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable
    ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable
    ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
    ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent
    ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent
    ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
    ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent
    ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent
    ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
    ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent
    ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended ReplicationIN
    remark CCP_ACL Category=1
    permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    deny   ip any any
    ip access-list extended ReplicationOUT
    remark CCP_ACL Category=1
    deny   ip any any
    no logging trap
    logging 10.10.10.107
    access-list 1 permit 192.168.1.2
    access-list 1 remark CCP_ACL Category=1
    access-list 1 permit 72.216.51.56 0.0.0.7
    access-list 1 permit 172.16.0.0 0.0.3.255
    access-list 1 permit 172.16.4.0 0.0.3.255
    access-list 1 permit 10.10.10.128 0.0.0.31
    access-list 1 remark Auto generated by SDM Management Access feature
    access-list 1 permit xx.xx.xx.xx 0.0.0.15
    access-list 1 permit 10.10.10.0 0.0.0.127
    access-list 100 remark Auto generated by SDM Management Access feature
    access-list 100 remark CCP_ACL Category=1
    access-list 100 permit tcp object-group GPAll object-group NY eq www
    access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2
    access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2
    access-list 100 permit ip any host 10.10.10.2
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
    access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd
    access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
    access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
    access-list 100 deny   tcp any host 10.10.10.2 eq telnet
    access-list 100 deny   tcp any host 10.10.10.2 eq 22
    access-list 100 deny   tcp any host 10.10.10.2 eq www
    access-list 100 deny   tcp any host 10.10.10.2 eq 443
    access-list 100 deny   tcp any host 10.10.10.2 eq cmd
    access-list 100 deny   udp any host 10.10.10.2 eq snmp
    access-list 100 permit udp any eq domain host 10.10.10.2
    access-list 100 permit udp host 10.10.10.80 eq domain any
    access-list 100 permit udp host 10.10.10.10 eq domain any
    access-list 100 permit ip any any
    access-list 101 remark Auto generated by SDM Management Access feature
    access-list 101 remark CCP_ACL Category=1
    access-list 101 permit ip 72.216.51.56 0.0.0.7 any
    access-list 101 permit ip 172.16.0.0 0.0.3.255 any
    access-list 101 permit ip 172.16.4.0 0.0.3.255 any
    access-list 101 permit ip 10.10.10.128 0.0.0.31 any
    access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 101 permit ip host 192.168.1.2 any
    access-list 101 permit ip 10.10.10.0 0.0.0.127 any
    access-list 102 remark Auto generated by SDM Management Access feature
    access-list 102 remark CCP_ACL Category=1
    access-list 102 permit ip 72.216.51.56 0.0.0.7 any
    access-list 102 permit ip 172.16.0.0 0.0.3.255 any
    access-list 102 permit ip 172.16.4.0 0.0.3.255 any
    access-list 102 permit ip 10.10.10.128 0.0.0.31 any
    access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any
    access-list 102 permit ip host 192.168.1.2 any
    access-list 102 permit ip 10.10.10.0 0.0.0.127 any
    access-list 103 remark Auto generated by SDM Management Access feature
    access-list 103 remark CCP_ACL Category=1
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
    access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
    access-list 103 deny   tcp any host 172.16.0.1 eq telnet
    access-list 103 deny   tcp any host 172.16.0.1 eq 22
    access-list 103 deny   tcp any host 172.16.0.1 eq www
    access-list 103 deny   tcp any host 172.16.0.1 eq 443
    access-list 103 deny   tcp any host 172.16.0.1 eq cmd
    access-list 103 deny   udp any host 172.16.0.1 eq snmp
    access-list 103 permit ip any any
    access-list 104 remark CCP_ACL Category=4
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
    access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 105 remark Auto generated by SDM Management Access feature
    access-list 105 remark CCP_ACL Category=1
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31
    access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443
    access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd
    access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd
    access-list 105 deny   tcp any host xx.xx.xx.xx eq telnet
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 22
    access-list 105 deny   tcp any host xx.xx.xx.xx eq www
    access-list 105 deny   tcp any host xx.xx.xx.xx eq 443
    access-list 105 deny   tcp any host xx.xx.xx.xx eq cmd
    access-list 105 deny   udp any host xx.xx.xx.xx eq snmp
    access-list 105 permit tcp any host xx.xx.xx.xx eq 443
    access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
    access-list 105 permit udp any eq domain host xx.xx.xx.xx
    access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp
    access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp
    access-list 105 remark IPSec Rule
    access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 105 permit ip any any
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
    access-list 106 permit ip 10.10.10.0 0.0.0.255 any
    access-list 107 remark CCP_ACL Category=4
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 107 remark IPSec Rule
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 107 remark IPSec Rule
    access-list 107 deny   ip 172.16.0.0 0.0.255.255 host 10.10.10.177
    access-list 108 remark CCP_ACL Category=2
    access-list 108 remark IPSec Rule
    access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
    access-list 108 permit ip 70.56.215.0 0.0.0.255 any
    access-list 109 remark CCP_ACL Category=2
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
    access-list 109 remark IPSec Rule
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
    access-list 109 deny   ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255
    access-list 109 deny   ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255
    access-list 109 permit ip 172.16.0.0 0.0.255.255 any
    access-list 111 remark CCP_ACL Category=4
    access-list 111 permit ip 10.10.10.0 0.0.0.127 any
    access-list 111 permit ip 10.10.10.128 0.0.0.31 any
    access-list 111 permit ip 172.16.0.0 0.0.3.255 any
    access-list 111 permit ip 172.16.4.0 0.0.3.255 any
    access-list 111 permit ip 10.10.10.160 0.0.0.31 any
    route-map SDM_RMAP_4 permit 1
    match ip address 109
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    route-map SDM_RMAP_2 permit 1
    match ip address 108
    snmp-server community public RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps vrrp
    snmp-server enable traps transceiver all
    snmp-server enable traps ds1
    snmp-server enable traps call-home message-send-fail server-fail
    snmp-server enable traps tty
    snmp-server enable traps eigrp
    snmp-server enable traps ospf state-change
    snmp-server enable traps ospf errors
    snmp-server enable traps ospf retransmit
    snmp-server enable traps ospf lsa
    snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
    snmp-server enable traps ospf cisco-specific state-change shamlink interface
    snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
    snmp-server enable traps ospf cisco-specific errors
    snmp-server enable traps ospf cisco-specific retransmit
    snmp-server enable traps ospf cisco-specific lsa
    snmp-server enable traps license
    snmp-server enable traps envmon
    snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
    snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
    snmp-server enable traps flash insertion removal
    snmp-server enable traps c3g
    snmp-server enable traps ds3
    snmp-server enable traps adslline
    snmp-server enable traps vdsl2line
    snmp-server enable traps icsudsu
    snmp-server enable traps isdn call-information
    snmp-server enable traps isdn layer2
    snmp-server enable traps isdn chan-not-avail
    snmp-server enable traps isdn ietf
    snmp-server enable traps ds0-busyout
    snmp-server enable traps ds1-loopback
    snmp-server enable traps energywise
    snmp-server enable traps vstack
    snmp-server enable traps mac-notification
    snmp-server enable traps bgp
    snmp-server enable traps isis
    snmp-server enable traps rf
    snmp-server enable traps aaa_server
    snmp-server enable traps atm subif
    snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
    snmp-server enable traps memory bufferpeak
    snmp-server enable traps cnpd
    snmp-server enable traps config-copy
    snmp-server enable traps config
    snmp-server enable traps config-ctid
    snmp-server enable traps entity
    snmp-server enable traps fru-ctrl
    snmp-server enable traps resource-policy
    snmp-server enable traps event-manager
    snmp-server enable traps frame-relay multilink bundle-mismatch
    snmp-server enable traps frame-relay
    snmp-server enable traps frame-relay subif
    snmp-server enable traps hsrp
    snmp-server enable traps ipmulticast
    snmp-server enable traps msdp
    snmp-server enable traps mvpn
    snmp-server enable traps nhrp nhs
    snmp-server enable traps nhrp nhc
    snmp-server enable traps nhrp nhp
    snmp-server enable traps nhrp quota-exceeded
    snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
    snmp-server enable traps pppoe
    snmp-server enable traps cpu threshold
    snmp-server enable traps rsvp
    snmp-server enable traps syslog
    snmp-server enable traps l2tun session
    snmp-server enable traps l2tun pseudowire status
    snmp-server enable traps vtp
    snmp-server enable traps ipsla
    snmp-server enable traps bfd
    snmp-server enable traps firewall serverstatus
    snmp-server enable traps isakmp policy add
    snmp-server enable traps isakmp policy delete
    snmp-server enable traps isakmp tunnel start
    snmp-server enable traps isakmp tunnel stop
    snmp-server enable traps ipsec cryptomap add
    snmp-server enable traps ipsec cryptomap delete
    snmp-server enable traps ipsec cryptomap attach
    snmp-server enable traps ipsec cryptomap detach
    snmp-server enable traps ipsec tunnel start
    snmp-server enable traps ipsec tunnel stop
    snmp-server enable traps ipsec too-many-sas
    snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
    snmp-server host 10.10.10.107 public
    radius-server host 10.10.10.10 key HelloSFGal1#
    control-plane
    banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
    line con 0
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line 67
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    flowcontrol software
    line vty 0 4
    access-class 102 in
    transport input telnet
    line vty 5 15
    access-class 101 in
    transport input telnet
    scheduler allocate 20000 1000
    end

    Thanks so much, Herbert.
    As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
    I would delete these lines:
    no ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 extendable
    no ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 extendable
    no ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 extendable
    and replace with these:
    ip nat inside source static tcp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 80 [outside IP] 80 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static udp 10.10.10.95 443 [outside IP] 443 route-map nonat extendable
    ip nat inside source static tcp 10.10.10.30 80 [outside IP] 80 route-map nonat extendable
    Then add:
    access-list 150 deny   ip host 10.10.10.95 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.95 172.16.8.0 0.0.3.255
    access-list 150 deny   ip host 10.10.10.130 10.10.10.160 0.0.0.31
    access-list 150 deny   ip host 10.10.10.130 172.16.8.0 0.0.3.255
    access-list 150 permit ip host 10.10.10.95 any
    access-list 150 permit ip host 10.10.10.130 any
    route-map nonat permit 10
    match ip address 150
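As an added illustration (not from the thread or from Cisco's document), the following Python models how `route-map nonat` with `match ip address 150` decides whether a static translation is applied: IOS wildcard-mask matching, first-match-wins ACL evaluation and the implicit deny at the end of the list. The outside address 203.0.113.10 is a constructed placeholder; note that ACL 150 as posted names only 10.10.10.95 and 10.10.10.130 as sources, so the model also shows what happens to a flow from 10.10.10.30, whose static entry references the same route-map.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'ignore this bit'. The address matches
    when every bit the mask cares about equals the corresponding bit of base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return ((_ip(addr) ^ _ip(base)) & care) == 0

def wildcard_bounds(base, wildcard):
    """Lowest and highest address a base/wildcard pair can match; for a
    contiguous wildcard such as 0.0.3.255 the whole range matches."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    low = _ip(base) & care
    high = low | _ip(wildcard)
    return str(ipaddress.IPv4Address(low)), str(ipaddress.IPv4Address(high))

# access-list 150 from the post, transcribed as (action, source host, dest base, dest wildcard).
# 'host' entries carry an implicit 0.0.0.0 wildcard; "any" is the destination keyword.
ACL_150 = [
    ("deny",   "10.10.10.95",  "10.10.10.160", "0.0.0.31"),
    ("deny",   "10.10.10.95",  "172.16.8.0",   "0.0.3.255"),
    ("deny",   "10.10.10.130", "10.10.10.160", "0.0.0.31"),
    ("deny",   "10.10.10.130", "172.16.8.0",   "0.0.3.255"),
    ("permit", "10.10.10.95",  "any",          None),
    ("permit", "10.10.10.130", "any",          None),
]

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, a_src, a_dst, a_wc in acl:
        if src != a_src:
            continue
        if a_dst == "any" or wildcard_match(dst, a_dst, a_wc):
            return action
    return "deny"

def nat_translates(src, dst, acl=ACL_150):
    """route-map nonat permit 10 / match ip address 150: the static NAT entry is
    applied only to flows the ACL permits; denied or unmatched flows stay untranslated."""
    return acl_action(acl, src, dst) == "permit"

if __name__ == "__main__":
    # 203.0.113.10 is a constructed placeholder for an Internet host.
    for src, dst in [("10.10.10.95", "203.0.113.10"), ("10.10.10.95", "172.16.11.77"),
                     ("10.10.10.95", "10.10.10.170"), ("10.10.10.30", "203.0.113.10")]:
        print(src, "->", dst, "translated" if nat_translates(src, dst) else "not translated")
```

Because the deny entries only exempt the VPN and 10.10.10.160/27 destinations, a host that is absent from the permit lines is never translated at all, which is worth checking before removing the plain static entries.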

  • Best practices for setting up Domain controller for our remote European offices

    Hi,
    We have about 17 remote sites across Europe (HQ in the UK). I want to start revoking the offices' local DCs and host them on a couple of Cloud servers in Germany with local NAS boxes for file storage. I will have an MPLS network between the offices and the Cloud DC.
    Now what would be the best practices and tips for this situation in respect to the DCs? How can I prioritise the remote offices to use the Cloud DC/DNS and not our DC at our HQ in the UK? Would it be better to have a sub-domain created (europe.company.co.uk) for the other offices?
    Any suggestions on this setup for the DC?

    Hiya,
    On the conceptual level: the reason for having local DCs is that if the local site's internet line is offline, people are still able to authenticate and access local resources. From that point of view, you might as well just run with your HQ DCs only. Note: the cloud does offer availability on their services that might not be matched by your HQ in terms of double internet lines.
    That said.
    What matters is the DNS server setting of the clients, as well as the Sites & Services of Active Directory. Your clients will use the nearest domain controller available from Sites and Services information.
    Managing Intersite Replication
    http://technet.microsoft.com/en-us/library/cc794799%28v=ws.10%29.aspx

  • Deploying multiple WLANs at a remote site

    At Site-A where the WLC4200 & DHCP server reside, we have the following subnets:
    - (vlan10) 10.10.10.0
    - (vlan11) 10.10.11.0
    Each VLAN corresponds to a dynamic interface on the WLC ("Int-10" & "Int-11") which is assigned to their own respective WLAN. Works fine.
    At remote Site-B where we have a 1242 (HREAP), we have the following subnets:
    (vlan100) 10.20.14.0
    (vlan101) 10.20.15.0
    If I want to assign vlan100 & vlan101 to their own respective local WLANs, will I need to create vlans 100 & 101 (define subnets 20.14 & 20.15 on my Site-A layer-3 switch) at Site-A?
    I ultimately want to create 2 WLANs at the remote site, one for voice (w/ QOS enabled) and one for data. The problem I keep running into is, the remote wireless clients authenticate but are unable to get a DHCP address.

    You need not create separate VLANs 100 and 101 at site A. Make sure the DHCP server is reachable. Ensure that an IP helper pointing to your DHCP server is configured on the router at the remote site so that DHCP broadcasts from your clients are forwarded to the DHCP server. Refer to http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40hreap.html for more information.

  • Best wireless deployment at Remote Sites - design

    Dears,
    I have many remote sites in a hub-and-spoke topology, and I have a Cisco 5508 wireless controller at our HQ serving the HQ wireless network (approximately 25 APs).
    The business needs to deploy wireless at the RSs for public customers (not for employees).
    I have security concerns if we terminate the public SSID at the remote sites toward HQ over the WAN connections (viruses, malware, sniffing, etc.) in order to control it using our Cisco WLC, even if I terminate the VLAN representing this SSID toward our firewall (on a dedicated DMZ); congestion will also occur since this SSID will be used by the public (non-employees).
    Your kind suggestions, please.
    Thanks in advance

    Hi,
    For your scenario, the deployment below will work:
    http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html

  • WiSM - Managing AP's at remote sites

    A quick wireless newbie question - I'm trying to sort out the design details using a WiSM. I have a new site and have budgeted a pair of 6513's with WiSM's. There are 9 branch offices that are going to be connected via 2821 routers over CSME and they need to provide Guest and Private wireless access. Do the remote sites need a WLAN controller module for the 2800? Or, can they still tunnel back to the WiSM for central management? What components are needed to achieve "unified" wireless at the branch offices?
    Thanks,
    Greg

    You can centrally control your LAPs from the WiSM. You can even use regular LAPs at those sites if you wish. The one problem that you can run into is that if the WAN drops, you will lose wireless at those sites. The way to get around that is to get LAPs that support REAP/HREAP, and run them in local switching mode. This will allow the wireless to stay up if the WAN drops, for local subnets only. Obviously any subnet that is across the WAN is inaccessible.
    If you keep them in centralized switching mode, everything tunnels back to the controller, and both the corporate WLANs and the guest WLAN will go down if the WAN drops.

  • AP on remote site not showing up on WLC (edit)

    Hi,
    The AP at remote site A retrieves its IP address from the FW.
    From the WLC, I am able to ping the IP address of the AP at the remote site.
    However, on the WLC the AP at the remote site is not associated with the WLC.
    What could be the possible reason?

    Hi all,
    Below is the WLC sysinfo:
    show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.5.102.0
    Bootloader Version............................... 1.0.18
    Field Recovery Image Version..................... 1.0.0
    Firmware Version................................. PIC 16.0
    Build Type....................................... DATA + WPS
    System Name...................................... WLC_NittoDenko
    System Location..................................
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1279
    IP Address....................................... 10.154.101.104
    Last Reset....................................... Power on reset
    System Up Time................................... 4 days 3 hrs 36 mins 53 sec
    System Timezone Location.........................
    System Stats Realtime Interval................... 5
    System Stats Normal Interval..................... 180
    --More-- or (q)uit
    Configured Country............................... MY  - Malaysia
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +22 C
    External Temperature............................. +27 C
    Fan Status....................................... 3600 rpm
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 1
    Number of Active Clients......................... 0
    Burned-in MAC Address............................ 24:E9:B3:46:FC:A0
    Maximum number of APs supported.................. 5
    =========
    for AP not yet, I need to go to remote site to

  • File does not exist on remote site, yet it does

    I have been trying to understand how Dreamweaver handles remote files in CS5.
    My server is setup as a remote server and a test server.
    I open the remote file, it offers to get dependencies, so I click yes.
    I click on Live view, then it tries to show me the following url
    http://my_site.com/public_html/path/to/my/file/file.php
    It should not put public_html in the path, and I did not specify this in my site setup. My root setting is /.
    Anyway, if I change the url manually, then it shows correctly. Then it offers to discover dynamically linked files, which I agree to.
    Now it tells me that 'Dynamically-related files could not be resolved because the site definition is not correct for this server'
    If I try to open one of the files that it has discovered, I am told that it is not on the disk, so would I like to 'get it', so I agree.
    Finally, I am told that 'Get operation failed since linked-file.php does not exist on remote site'
    I suspect that this is all to do with my site definition, but I fiddled with the settings and can't resolve this. I think that the whole problem goes back to Dreamweaver's insistence on putting public_html in the path, but I can't stop it doing so.
    Any suggestions?
    Thanks
    ian

    Hi,
    Well, yes I did manage to fix the dynamically linked resources issue. As mentioned above, I did need to mention public_html in my Root Directory setting in server setup (silly of me).
    I had tried this at first, but it didn't work, as I had the server set as a test server and not a remote server; anyway, I now have it set as both and all is well.
    Except that the first issue that I mentioned is still with me: namely, Dreamweaver mentions the public_html in the url path when in live view, which is not correct, and I don't know where it is inferring this from. I can change it manually, but this doesn't seem right to me. Am I still missing a setting?
    In answer to the questions:
    1) My setting (now) in the Root Directory setting in DW is: /public_html/
    2) My actual path on the server (that I mention in php scripts) is: /home/login_name/public_html//path/to/my/file/file.php
    [In the advanced settings of DW site setup on the Local Info page I have set Links relative to Document option, although it does not seem to make a difference when I change it to Site Root.]
    Any suggestions appreciated.
    Thanks
    Ian

  • Attendant line status at remote site

    We have a centralized 4.1.3 call manager with a remote site connected using MPLS. We set up the attendant application for the receptionist at the remote site and everything worked as expected. The next day, she could no longer see the line status.
    I've tried it from the main site and it works fine. We've tried restarting the services.
    Does anyone know what might have happened?
    thanks
    Rob

    The problem turned out to be the Windows XP firewall running on the receptionist's PC. When it was turned off, line status worked.
    The solution is to add the acclient program as an exception in the firewall settings.
    Rob

  • How to restore a remote site after a crash?

    I have read the site management FAQ and it mentions to restore your files you can go to your remote site and load back to your local site.
    Could anyone offer some help to my situation?
    I suffered a hard drive failure, I'm running windows xp, dwcs4 and the site is hosted. I have reinstalled windows and dw. The site was created as per all the tutorials and I managed to save a copy of the site folder but not as per the saving instructions in the FAQ. I just have a root folder with all the pages in.
    Could someone point me to a tutorial or how to?
    Thanks in advance
    Jim

    "I managed to save a copy of the site folder but not as per the saving instructions in the FAQ. I just have a root folder with all the pages in."
    You lost me here. Not sure what you mean.
    Create a new site definition for local and remote sites, connect to your remote site then click Get. That's all you need to do.
