Static configuration

Similar Messages

• DACL with static IP configuration

  Hi,
  I want to restrict client communication based on dACLs for some Endpoint-Groups with MAB. Most of the clients are configured with DHCP, for these clients everything working fine. But there are also clients with static IP configuration and here is the problem. ISE does not know the ip address of the static configured client, so the 'source any' statement of the dACL can not be replaced with the client IP.
  How is it possible to let ISE learn the static addresses and get this working?
  ISE is on v1.2, IOS on switch is on 15.02.SE1
  Thanks, Florian

  I am not very much sure but can you try this and check (instead of any any just giving your network address)
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_sw_cnfg.html
  Define Local (Default) ACLs on the Switch
  Enable these functions on older switches (with IOS releases earlier than 12.2(55)SE) to ensure Cisco ISE is able to perform the dynamic ACL updates required for authentication and authorization.
  ip access-list extended ACL-ALLOW
  permit ip any any
  ip access-list extended ACL-DEFAULT
    remark DHCP
    permit udp any eq bootpc any eq bootps
    remark DNS
    permit udp any any eq domain
    remark Ping
    permit icmp any any
    remark Ping
    permit icmp any any
    remark PXE / TFTP
    permit udp any any eq tftp
    remark Allow HTTP/S to ISE and WebAuth portal
    permit tcp any host <Cisco_ISE_IP_address> eq www
    permit tcp any host <Cisco_ISE_IP_address> eq 443
    permit tcp any host <Cisco_ISE_IP_address> eq 8443
    remark Drop all the rest
    deny   ip any any log
  ! The ACL to allow URL-redirection for WebAuth
  ip access-list extended ACL-WEBAUTH-REDIRECT
  deny   ip any host <Cisco_ISE_IP_address>
  permit ip any any

• Configuring static DHCP

  Is it possible using the router as a DHCP server with a static configuration.
  I.e. same IP for the same user

  Make a dhcp pool mapping only one mac address.
  Look example below.
  ip dhcp pool statichost
  host 192.168.1.1 255.255.255.0
  hardware-address 0010.a3fd.2f9f
  client-name something
  domain-name test.com
  default-router 192.168.1.254
  dns-server 192.168.1.10
  lease 1 0

• Configuring MPLS VPN using static routing

  Hi,
  I am managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of a IGP. Does anyone know if Cisco routers supports static configuration of LSP? I have tried but could not get it work.

  You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criterias to have a MPLS forwarding Table.
  1) Creating the LIB
  This thing lies in having LDP neighborship netween two peers and you have Label bindings.
  This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
  2) Creating the LFIB
  Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
  as a next hop, those Label bindings get installed in the LFIB.
  So considering the above two points, we have to be careful in static routes
  only for interfaces like Ethernet (Multiaccess Segments).
  As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
  GLean Adjacency (Meaning there could be multiple hosts as the next hop on this segement, and it will glean for the right next-hop)
  Now you may observe that when you give a static route only pointing to an Ethernet interface,
  you LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forarding Table is not created. This is bcos of this being a Multiaccess interface. And you have
  Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
  GLean and you would have a Valid Cached Adjacency.
  So to avoid probelems with Ethernet interfaces you can simply specify the next-hop-ip address.
  For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
  ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
  Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
  running MPLS.
  And doing this CEF would would work as it should and you would have a Valid Cached Adjacency.
  So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
  HTH-Cheers,
  Swaroop

• Configure static PAT for port range

  Hi,
  could someone help with this:
  we have an ASA 5510 version 8.2 and ASDM 6.4. we want to configure a static PAT for a range of TCP and UDP port. in the nat configuration window we have just to enter one port ( range are note accepted).
  Thanks,

  Hi,
  In software levels 8.2 and below the only option is to generate a separate configurations for each port. This is easiest achieved through the CLI and using some text editor to help generate the possibly large configurations.
  On ASA software 8.3 and above (where NAT format was completely redone) you have the option to use a single "nat" command to configure Static PAT for a continuous range of ports.
  So your option is to either generate a separate "static" configuration for each port or upgrade the software to a newer one to be able to do Static PAT for a range of ports.
  Naturally the update involves rewriting the current NAT configuratins into a new format even though booting to newer software usually converts the configurations automatically but with varying success.
  - Jouni

• Sharing static members between Swing application and Web application

  Hi,
  if someone has done this please help:
  I have created 3 classes:
  Mainclass using JFrame which is used as host class for DBConnectionManager class,
  and ConfigBean class used for storing static configuration parameters:
       static public String strUser = "";
  static public String strPassword = "";
  static public String strDB = "";
  static public int nMaxConn = 0;
  static public String strPoolName = "";
  static public boolean bConnected = false;
  static public int nCurrentUsers = 0;
  static public DBConnectionManager manager = null;
       public DBConnectionManager getDBManager()
  return this.manager;
  public void setDBManager(DBConnectionManager manager)
  this.manager = manager;
  DBConnectionManager class uses static instance to see if this is only class created by client users.
  Only static member in this class is getInstance member function for startig manager:
       static synchronized public DBConnectionManager getInstance()
  if (instance == null)
  instance = new DBConnectionManager();
  return instance;
  In Mainclass I also created non static DBConnectionManager class for manipluation with host administrator.
  Then I created web application layout in Tomcat 4 and used index.jsp:
  <%@ page import="java.sql.*,java.io.*" %>
  <jsp:useBean id="cfgbean" class="webvobapli.ConfigBean" scope="application" />
  <%!
  webvobapli.DBConnectionManager db = null;
  String strMessage = "";
  Statement stmt1;
  ResultSet rset1;
  String strQuery = "select count(*) from cards";
  %>
  <html>
  <%
       try
            db = cfgbean.getDBManager();
            if(db==null)
                 strMessage = "Error";
            else
                 Connection con = db.getConnection("central2");
                 if(con != null)
                      stmt1 = con.createStatement();
                      rset1 = stmt1.executeQuery(strQuery);
                      rset1.next();
                      strMessage = rset1.getString(1);
                 else
                      strMessage = "NULL";
       catch(Exception e)
            strMessage = e.toString();
  %>
  <p>Message = <%=strMessage%></p>
  </html>
  Question: why db = cfgbean.getDBManager(); returns null if I created instance of DBConnectionManager
  class in Mainclass and assigned it to ConfigBean as static instance before running web application.
  Shouldn't all java programs share static memory area?
  Beast Regards
  Branislav Cavlin

  Question: why db = cfgbean.getDBManager(); returns null if I created >>instance of DBConnectionManager
  class in Mainclass and assigned it to ConfigBean as static instance >>before running web application.
  Shouldn't all java programs share static memory area?You say you create the db objects BEFORE you run the web application - now I could be misunderstanding what you are saying, but does this not involve two JVM's (one to create initial db objects, which then exits, then second JVM fires you app server/servlet container) - which would explain why a null object is being returned.

• How to set and static ip_address for a Suse Linux box

  Hi.
  I've done the following to set an static ip address for my Suse 9 Linux box:
  - Take not of inet address value from ifconfig command. ie: (172.17.2.14)
  - Change this value in /etc/hosts for my linux box.
  Since Suse is configure by default to use DHCP for assigning dinamic ip_addresses i'm not sure whether will lastly be set as a static address. I've rebooted my box and it seems to be OK.
  Thanks in advance ...!

  /etc/hosts is not configuration file for ethernet interfaces.
  Configuration files for ethernet interfaces are stored in /etc/sysconfig/network directory.
  For example if you have eth0 device then configuretion for this device is stored in /etc/sysconfig/network/ifcfg-eth0 file.
  Important directives:
  DEVICE - interface (eth0)
  IPADDR - IP address of interface
  NETMASK - netmask
  BOOTPROTO - "static" for static configuration, dhcp for dynamic configuration via dhcp
  ONBOOT - activating interface during boot (yes/no) (yes - of course :-) )
  GATEWAY - default gateway
  So for example you want setup static IP (192.168.10.1 / 255.255.225.0) for eth0 interface.
  Edit the /etc/sysconfig/network/ifcfg-eth0 file and your configuration should be:
  DEVICE=eth0
  IPADDR=192.168.10.1
  NETMASK=255.255.255.0
  BOOTPROTO=static
  ONBOOT=yesThen you simply restart the nework using:
  /etc/init.d/network restartOR
  /sbin/ifdown eth0
  /sbinf/ifup eth0 OR
  ifconfig eth0 down
  ifconfig eth0 up

• How do I configure ISP native IPv6 connectivity?

  Hi!
  I'm a network engineer for SECOM, an ISP in Southeastern Colorado. We will be making native IPv6 connectivity available to residential subscribers soon, and I've been tasked with verifying support for our IPv6 platform on home router products.
  I have an AirPort Extreme purchased new in November of '09 that is running version 7.5.1, which I believe is completely current.
  Under the IPv6 tab in my Advanced settings, I have the following configuration:
  IPv6 Mode: Router
  Block incoming IPv6 connections: NOT checked
  Configure IPv6: Manually
  WAN IPv6 Address: fdXX:XXXX:XXXX:a000::2
  WAN IPv6 Prefix Length: 64
  IPv6 Default Route: fdXX:XXXX:XXXX:a000::1
  LAN IPv6 Address: fdXX:XXXX:XXXX:c000::1
  (As you can see, I'm using ULA's for testing purposes, and I've replaced the global bits with X's for security.)
  The problem is, if I plug a host into one of the LAN ports and assign it an address from the same /64 subnet (e.g. fdXX:XXXX:XXXX:c000::2), the host can't ping the Airport's assigned LAN address.
  It can ping:
  * the Airport's link-local IPv6 address, and
  * the Airport's IPv4 192.168.x.x address
  Also (and I'm gratified that this part is working), my CE router can ping the Airport's WAN IPv6 address!
  So my question is, is there something in the IPv6 configuration I'm misunderstanding? Has anyone else gotten native statically-configured IPv6 working on the AirPort Extreme?
  Thanks very much in advance,
  John E. / SECOM
  P.S. - I have verified with a packet capture that the AirPort extreme is not responding at all for the configured LAN IPv6 address; i.e., the ICMPv6 neighbor solicitation goes unanswered.
  P.P.S. - I have tried a Windows 7 host, a Windows XP host, and an IPv6-certified multitester from JDSU. All exhibit the same symptoms.

  I have follow your instruction to connect to my ISP as it shows the following message:
  Serial connection established.
  using interface sppp0
  connect: sppp0 <--> /dev/ttya
  local IP address xxxxxxxx
  remote IP address 1.1.1.1
  But when I ping www.sun.com, it shows:
  www.sun.com unknown.
  I start Mozilla and it said www.sun.com not found etc...
  What has gone wrong?
  Do I have to configure some files such as:
  /etc/resolv.conf
  /etc/hosts
  /etc/hostname ?
  or any other steps that can help me to connect to the internet?
  Thanks...

• OVS 3.2.1: Configuring a bridge?

  I've statically configured bridging on eth0 following the example in Chapter 8.2.5. Network Bridge, of the Red Hat Enterprise Linux 6 Deployment Guide...
  [root@xen3 network-scripts]# cat ifcfg-eth0
  # Intel Corporation 82541PI Gigabit Ethernet Controller
  DEVICE=eth0
  BOOTPROTO=none
  HWADDR=00:0E:0C:81:57:8B
  ONBOOT=yes
  BRIDGE=br0
  [root@xen3 network-scripts]# cat ifcfg-br0
  DEVICE=br0
  TYPE=bridge
  ONBOOT=yes
  BOOTPROTO=static
  IPADDR=192.168.0.5
  NETMASK=255.255.255.0
  NETWORK=192.168.0.0...but, when I restart the host's network interfaces, the init.d script creates the bridge without configuring the IP interface and then complains:
  [root@xen3 ~]# brctl show
  bridge name     bridge id          STP enabled     interfaces
  [root@xen3 ~]# /etc/init.d/network restart
  Shutting down interface eth0:  bridge br0 does not exist!
                                                             [  OK  ]
  Shutting down interface eth2:                              [  OK  ]
  Shutting down loopback interface:                          [  OK  ]
  Bringing up loopback interface:                            [  OK  ]
  Bringing up interface br0:  Device br0 does not seem to be present, delaying initialization.
                                                             [FAILED]
  Bringing up interface eth0:                                [  OK  ]
  Bringing up interface eth2:                                [  OK  ]
  [root@xen3 ~]# brctl show
  bridge name     bridge id          STP enabled     interfaces
  br0          8000.000e0c81578b     no          eth0
  [root@xen3 ~]# ifconfig -a
  bond0     Link encap:Ethernet  HWaddr 00:00:00:00:00:00 
            BROADCAST MASTER MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
  br0       Link encap:Ethernet  HWaddr 00:0E:0C:81:57:8B 
            BROADCAST MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
  eth0      Link encap:Ethernet  HWaddr 00:0E:0C:81:57:8B 
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:2012590 errors:0 dropped:76054 overruns:0 frame:0
            TX packets:129928 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1113821773 (1.0 GiB)  TX bytes:9818937 (9.3 MiB)
  eth1      Link encap:Ethernet  HWaddr 00:30:48:83:7E:14 
            BROADCAST MULTICAST  MTU:1500  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
            Interrupt:18
  eth2      Link encap:Ethernet  HWaddr 00:30:48:83:7E:15 
            inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:50 errors:0 dropped:0 overruns:0 frame:0
            TX packets:45 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:4902 (4.7 KiB)  TX bytes:6342 (6.1 KiB)
            Interrupt:19
  [root@xen3 network-scripts]# ping 192.168.0.5
  connect: Network is unreachableHave I overlooked something in the configuration files (i.e., /etc/sysconfigu/network-scripts/ifcfg-X)?
  Eric Pretorious
  Truckee, CA

  epretorious wrote:
  Have I overlooked something in the configuration files (i.e., /etc/sysconfigu/network-scripts/ifcfg-X)?It would seem that the configuration is correct: If I delete the bridge and start fresh...
  [root@xen3 network-scripts]# brctl delbr br0
  [root@xen3 network-scripts]# brctl show
  bridge name     bridge id          STP enabled     interfaces
  [root@xen3 network-scripts]# /etc/init.d/network restart
  Shutting down interface eth0:  bridge br0 does not exist!
                                                             [  OK  ]
  Shutting down interface eth2:                              [  OK  ]
  Shutting down loopback interface:                          [  OK  ]
  Bringing up loopback interface:                            [  OK  ]
  Bringing up interface br0:  Device br0 does not seem to be present, delaying initialization.
                                                             [FAILED]
  Bringing up interface eth0:                                [  OK  ]
  Bringing up interface eth2:                                [  OK  ]
  [root@xen3 network-scripts]# brctl show
  bridge name     bridge id          STP enabled     interfaces
  br0          8000.000e0c81578b     no          eth0
  [root@xen3 network-scripts]# ifconfig
  eth0      Link encap:Ethernet  HWaddr 00:0E:0C:81:57:8B 
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:2015317 errors:0 dropped:76054 overruns:0 frame:0
            TX packets:129936 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1114206970 (1.0 GiB)  TX bytes:9819445 (9.3 MiB)
  eth2      Link encap:Ethernet  HWaddr 00:30:48:83:7E:15 
            inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:92 errors:0 dropped:0 overruns:0 frame:0
            TX packets:83 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:41060 (40.0 KiB)  TX bytes:9902 (9.6 KiB)
            Interrupt:19
  lo        Link encap:Local Loopback 
            inet addr:127.0.0.1  Mask:255.0.0.0
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:483 errors:0 dropped:0 overruns:0 frame:0
            TX packets:483 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:89320 (87.2 KiB)  TX bytes:89320 (87.2 KiB)...and then use the ifup command, the bridge is correctly created/configured:
  [root@xen3 network-scripts]# ifup br0
  [root@xen3 network-scripts]# ifconfig
  br0       Link encap:Ethernet  HWaddr 00:0E:0C:81:57:8B 
            inet addr:192.168.0.5  Bcast:192.168.0.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:1 errors:0 dropped:1 overruns:0 frame:0
            TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:96 (96.0 b)  TX bytes:210 (210.0 b)
  eth0      Link encap:Ethernet  HWaddr 00:0E:0C:81:57:8B 
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:2015350 errors:0 dropped:76054 overruns:0 frame:0
            TX packets:129942 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:1114210906 (1.0 GiB)  TX bytes:9819701 (9.3 MiB)
  eth2      Link encap:Ethernet  HWaddr 00:30:48:83:7E:15 
            inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:165 errors:0 dropped:0 overruns:0 frame:0
            TX packets:134 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:80138 (78.2 KiB)  TX bytes:16624 (16.2 KiB)
            Interrupt:19
  lo        Link encap:Local Loopback 
            inet addr:127.0.0.1  Mask:255.0.0.0
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:483 errors:0 dropped:0 overruns:0 frame:0
            TX packets:483 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:89320 (87.2 KiB)  TX bytes:89320 (87.2 KiB)Ideas? Suggestions?

• Logging with jdk1.4 - how to add a handler using configuration file

  Hi, all
  I am playing around with java.util.logging in jdk1.4. In particular, I am using a properties file for configuration. However, one thing I couldn't do is to assign a handler, such as the ConsoleHandler, to the com.xyz.foo logger. Everything for the root logger works just fine. Here's the file I use
  handlers= java.util.logging.FileHandler
  .level= INFO
  java.util.logging.FileHandler.pattern = jdk14.log
  java.util.logging.FileHandler.limit = 50000
  java.util.logging.FileHandler.count = 1
  java.util.logging.FileHandler.formatter = java.util.logging.XMLFormatter
  java.util.logging.ConsoleHandler.level = INFO
  java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter
  com.xyz.foo.level = WARNING
  com.xyz.foo.handlers = java.util.logging.ConsoleHandler
  Nothing comes out on the console and everything from the com.xyz.foo logger is logged to jdk14.log file.
  Can any one tell me why the last line has no effect?
  Thanks much!

  Logger configuration files are grossly misunderstood due in large part to extremely poor documentation (some of the worst I have ever seen for the Java platform). The LogManager class uses logger configuration files to do three things:
  1. Load porperties into a private Properties object that application programmers can subsequently access using the getProperty(String name) method in LogManager.
  2. Those properties (or else the documented defaults) are then used to configure the root logger as well as the "global" handlers that are used by the root logger
  3. Finally, whenever a logger is created the Properties object is checked to see if a key exists for the logger name + ".limit". If so, then the logger is assigned that level.
  Notice that nowhere in here does it say that a programmatically created logger is configured. In your case, you must invoke getProperty("com.xyz.foo.handlers"), parse the property value (which is a bit tricky if there is more than one handler class name), load and instantiate the handler class, and invoke addHandler. Great huh? I'm in the middle of a indepth study of logger configuration, and I can tell you for sure the static configuration using configuration files is an order of magnitude harder than dynamic configuration. It offers the advantage of field service engineers being able to change the logger configuration, but at a very significant cost.

• Set Static IP address on Mac clients

  Hi,
  I'm trying to change the IP address on a mac client at startup time to a different value and to be Static type. I need to do it via the command line. I've researched and found out that 'networksetup -setmanual ...' and 'ipconfig set en0 MANUAL ...' would do it, but the 'networksetup' command is not available unless I have ARD installed and 'ipconfig' is not recommended for use other than testing and debug.
  Another option I was looking at is editing /Library/Preferences/SystemConfiguration/preferences.plist and then doing 'changeip ...' command.
  Do you know if there are any other commands that will allow me to change an ip address via the command line, set it to Static/Manual and preferably do it without a reboot?
  Thank you

  Hi Sergey,
  when I use static IP in my jwc_properties.ini it is never picked up, it still uses DHCP. The part where I have configured IP looks like this:
  # Whether static configuration or DHCP server is used do get IP address. Possible values: dhcp,static
  ip.method = static
  # IP address,used with static IP configuration only
  ip.addr = 10.143.144.97
  # Network mask,used with static IP configuration only
  ip.netmask = 255.255.252.0
  # Network gateway,used with static IP configuration only
  ip.gateway = 10.143.144.1
  # DNS server,used with static IP configuration only
  ip.dns =
  # MAC address
  mac.addr =

• Dynamic configuration information

  I can call getConfigDescriptionRegistry.getConfigDescriptions or one of the other methods to get the configuration descriptions for an thing-type. If I wanted to modify these at runtime, and provide my own configuration provider, can I do this? I'm not sure what happens deeper in the system - I assume that only 1 provider can respond to any uri? Or maybe not - if so, how is this managed?
  I have two needs -:
  1) To be able to add some configuration options into a parameters [options] array. These are only derived at runtime and are system/network dependant, so can't go in the XML.
  2) To be able to add additional parameters to the configuration. Again, these are derived at runtime depending on how a device is configured (for example).
  I can easily create my own provider and completely avoid using the XML provider, but I'd kind of like to be able to lever off the existing infrastructure and just add to/modify the static configuration rather than have to reimplement everything...
  I guess I could (probably!?!) use getConfigDescriptionRegistry.getConfigDescriptions to get the static data, and then create my own provider that appends my data and modified the data that needs to be changed? I would guess it needs a different uri, although I suspect that this might then break something else when the system tries to link thing-types to the configuration provider? This seems a little messy though so maybe there's a better way?
  Are there any pointers on how this might be achieved? I'm thinking it might be easier to do it all in my own config provider which is what I'm currently doing (mostly for test and concepts), but I want to work out the best way for a the final implementation...
  Cheers
  Chris

  Kai Kreuzer wrote on Wed, 22 July 2015 10:44
  Which leaves us with Chris' problem that he would like to offer options specific to a certain device at a specific moment. The use case with the WLAN SSIDs is actually also such a case, so I guess sooner or later we need to address this.
  Where do we go with this one? It's my next target to hit
  So, if we don't want to link this to things (and I totally agree with the rationale), then we need an alternative. Currently, we have configDescriptions to describe the configuration options, but the 'other side' of the interface (the actual setting of the config) is done differently for different classes (I think that's true). For example, in the thingHandler, we have the handleConfigurationUpdate method - maybe in the channelHandler there's a similar method (I've not checked) - I don't know what other classes use the configDescriptions (rules I think?) but I guess every implementation is different?
  Why aren't there standard interfaces for handling the various configuration related functions. We could have had (eg) ...
  // Handle the updates of any configuration
  interface ConfigConsumer() {
  void handleConfigurationUpdate(Map<String, Object>);
  // Handle dynamic configuration updates
  interface ConfigDescriptionUpdate() {
  List<ParameterOption> getOptions(String parameterId, Locale locale);
  A thingHandler, or ruleHandler, or whatever wants to implement configuration implements these interfaces. Then, all configuration, both description, dynamic changes, and handling of changes, could all go through a central provider (and even REST interface!).
  As far as implementation (and looking specifically at things here - other implementations would be similar): For registration, when the thingHandler is created, a check could be made to see if it implements this/these interfaces, then to register this handler with the configDescriptionProvider (along with it's UID). When the config descriptions are updated, the configDescriptionRegistry can request the updates from the handler if there's one registered.
  One thing I'm unsure of here is the use of the UID. For things/channels etc, it seems a good idea to include the thingUID as it makes it a simple lookup in the configProvider (and if you didn't use the thingUID, I'm not sure how you'd link it). However, will all implementations of configDescriptions have a UID - eg I think I read rules will use the same config services - will they have a UID?
  I realise I've probably confused matters by suggesting a common interface for handling of config changes as well as just covering the issue at hand, but I thought I'd mention it since it does in some ways seem a shame to have a common config description provider, but no common way of handling configuration updates/changes etc... Anyway, I hope that didn't confuse matters (too much!) - we could ignore the handleConfigurationUpdate side, and just look at the ConfigDescriptionUpdate, which is the current issue at hand...
  What do you think? I've not thought this through in massive detail, but if you think this is workable, I'd be happy to look at the ConfigDescriptionUpdate impementation further...
  Chris

• Client-side handler: static config?

  I would like to provide a client-side JAX-RPC handler that would
  be invoked without any modification to existing client code.
  The idea is that user's would only need to modify a config file
  (something like the web-services.xml file, but on the client-
  side) to use our handler.
  We are already doing this in axis (uses a client-side deployment
  descriptor: client_deploy.wsdd), but based on another thread
  ("Client Handler Chain - help ??"), it looks like there is
  currently no equivalent in WLS?
  Are there plans to add the ability to statically configure
  client-side handlers in WLS via some sort of client-side config
  file/descriptor, or is the programmatic method of modifying
  the HandlerRegistry in the client code the only way?
  Any help/ideas would be greatly appreciated!
  --Terry

  In 7.0, you can do this in a handler:
  import weblogic.webservice.binding.soap.HttpClientBinding;
  String url = http://my/new/address/;
  sslAdapter = null; //only needed for ssl
  Binding binding = new HttpClientBinding( url, sslAdapter );
  context.setProperty( WLMessageContext.BINDING_PROP,
  binding );
  HTHs
  -manoj
  http://manojc.com
  "William Cassidy" <[email protected]> wrote in message
  news:[email protected]...
  >
  Is there a similar way to set the endPointAddress.
  "manoj cheenath" <[email protected]> wrote:
  Ok, I will add this as a feature request.
  If you are ok with using WLS internal APIs (This APIs may change in
  the future), try this:
  weblogic.webservice.Operation operation
  =
  ((weblogic.webservice.WLMessageContext)messageContext).getOperation();
  >>
  weblogic.webservice.Port port = operation.getPort();
  String endPointAddress = port.getAddress();
  regards,
  -manoj
  "Terry Martin" <[email protected]> wrote in message
  news:[email protected]...
  Manoj, thanks for the response.
  We'd definitely like to see a client side dd at some point, but
  can work with the API's for now. Thanks much for adding this as
  a feature request.
  On another subject:
  I need to determine the target/endpoint URL from my client-side
  request handler. Again, this was something we were able to do in
  axis, but is currently not part of the JAX-RPC standard (JSR101).
  I could be missing something, but haven't seen any way of
  determining the target URL given only the SOAPMessageContext.
  The only way seems to be if it were passed as a "standard"
  property in the SOAPMessageContext (this is one way it is done
  in axis).
  I imagine this will someday be standardized in JAX-RPC (I can
  think of many uses for this feature, other than our own). In the
  meantime, could you also add this as a feature request for WLS?
  Thanks again,
  -Terry
  "manoj cheenath" <[email protected]> wrote:
  True. In WLS 7.0 there are no client side dd in which you can specify
  the handler chain. We did not comeup with ourown client side dd,
  hopeing that JSR109 will define the dd.
  It is quite easy to register the handlers through APIs. Let us know
  if
  that will not help you.
  I will add client side dd as a feature requst for the next release.
  regards,
  -manoj
  "Terry Martin" <[email protected]> wrote in message
  news:[email protected]...
  I would like to provide a client-side JAX-RPC handler that would
  be invoked without any modification to existing client code.
  The idea is that user's would only need to modify a config file
  (something like the web-services.xml file, but on the client-
  side) to use our handler.
  We are already doing this in axis (uses a client-side deployment
  descriptor: client_deploy.wsdd), but based on another thread
  ("Client Handler Chain - help ??"), it looks like there is
  currently no equivalent in WLS?
  Are there plans to add the ability to statically configure
  client-side handlers in WLS via some sort of client-side config
  file/descriptor, or is the programmatic method of modifying
  the HandlerRegistry in the client code the only way?
  Any help/ideas would be greatly appreciated!
  --Terry

• Static Policy NAT in VPN conflicts with Static NAT

  I have a situation where I need to create a site-to-site VPN between an ASA 5505 using IOS 7.2 and a Sonicwall NSA4500. The problem arises in that the LAN behind the Cisco ASA has the same subnet as a currently existing VPN created on the Sonicwall. Since the Sonicwall can't have two VPNs both going to the same subnet, the solution is to use policy NAT on the ASA so that to the Sonicwall, the new VPN appears to have a different subnet.
  The current subnet behind the ASA is 192.168.10.0/24 (The Sonicwall already has a VPN created to a different client with that same subnet). I am trying to translate that to 192.168.24.0/24. The peer LAN (behind the Sonicwall) is 10.159.0.0/24. The pertinent configuration of the ASA is:
  interface Vlan1
  ip address 192.168.10.1 255.255.255.0
  access-list outside_1_cryptomap extended permit ip 192.168.24.0 255.255.255.0 10.159.0.0 255.255.255.0
  access-list VPN extended permit ip 192.168.10.0 255.255.255.0 10.159.0.0 255.255.255.0
  static (inside,outside) 192.168.24.0 access-list VPN
  crypto map outside_map 1 match address outside_1_cryptomap
  In addition to this, there are other static NAT statements and their associated ACLs that allow certain traffic through the firewall to the server, e.g.:
  static (inside,outside) tcp interface smtp SERVER smtp netmask 255.255.255.255
  The problem is this: When I enter the static policy NAT statement, I get the message "Warning: real-address conflict with existing static" and then it refers to each of the static NAT statements that translate the outside address to the server. I thought about this, and it seemed to me that the problem was that the policy NAT statement needed to be the first NAT statement (it is last) so that it would be handled first and all traffic destined for the VPN tunnel to the Sonicwall (destination 10.159.0.0/24) would be correctly handled. If I left it as the last statement, then the other static NAT statements would prevent some traffic destined for the 10.159.0.0/24 network from being correctly routed through the VPN.
  So I tried first to move my policy NAT statement up in the ASDM GUI. However, moving that statement was not permitted. Then I tried deleting the five static NAT statements that point to the server (one example is above) and then recreating them, hoping that would then move the policy NAT statement to the top. This also failed.
  What am I missing?

  Hi,
  To be honest it should work in the way I mentioned. I am not sure why it would change the order of the NAT configurations. I have run into this situation on some ASA firewalls running the older software (older than 8.2) and the reordering of the configurations has always worked.
  So I am not sure are we looking at some bug or what the problem is.
  I was wondering if one solution would be to configure all of the Static NAT / Static PAT as Static Policy NAT/PAT
  I have gotten a bit rusty on the older (8.2 and older) NAT configuration format as over 90% of our customer firewalls are running 8.3+ software.
  I was thinking of this kind of "static" configuration for the existing Static PAT configurations if you want to try
  access-list STATICPAT-SMTP permit tcp host eq smtp any
  static (inside,outside) tcp interface smtp access-list STATICPAT-SMTP
  access-list STATICPAT-HTTPS permit tcp host eq https any
  static (inside,outside) tcp interface https access-list STATICPAT-HTTPS
  access-list STATICPAT-RDP permit tcp host eq 3389 any
  static (inside,outside) tcp interface 3389 access-list STATICPAT-RDP
  access-list STATICPAT-TCP4125 permit tcp host eq 4125 any
  static (inside,outside) tcp interface 4125 access-list STATICPAT-TCP4125
  access-list STATICPAT-POP3 permit tcp host eq pop3 any
  static (inside,outside) tcp interface pop3 access-list STATICPAT-POP3
  Naturally you would add the Static Policy NAT for the VPN first.
  Again I have to say that I am not 100% sure if this was is the correct format maybe you can test it with a single service that has a Static PAT. For example the Static PAT for RDP (TCP/3389). First entering the Static Policy NAT then removing the Static PAT and then entering the Static Policy PAT.
  Remember that you should be able to test the translations with the "packet-tracer" command
  For example
  packet-tracer input outside tcp 1.1.1.1 12345
  - Jouni

• Configuring a 1230 AP as a "Local Radius Authenticator"

  Configuring a 1230 AP as a "Local Radius Authenticator"
  CCO-URL: Configuring an Access Point as a Local Authenticator
  http://www.cisco.com/en/US/partner/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080184a9b.html
  this is the minimal config, i think:
  AP# configure terminal
  AP(config)# radius-server local
  AP(config-radsrv)# nas 1.1.1.1 key 111
  AP(config-radsrv)# group clerks
  AP(config-radsrv-group)# vlan 2
  AP(config-radsrv-group)# ssid batman
  AP(config-radsrv-group)# reauthentication time 1800
  AP(config-radsrv-group)# lockout count 2 time 600
  AP(config-radsrv-group)# exit
  AP(config-radsrv)# user jsmith password twain74 group clerks
  AP(config-radsrv)# end
  whereas 1.1.1.1 is the IP of the AP himself ?
  is there a must for additional config commands like this:
  radius-server host 1.1.1.1 auth-port 1812 acct-port 1813 key 111
  aaa group server radius rad_eap
  server 1.1.1.1 auth-port 1812 acct-port 1813
  aaa group server radius rad_admin
  server 1.1.1.1 auth-port 1812 acct-port 1813
  all attempts didn't work
  "station <MAC> authentication failed"
  is there anything else nessecary ???

  You seem to be missing the following commands;
  authentication network-eap eap_methods
  authentication key-management cckm optional
  The following commands are useful for diagnosis;
  • Show radius local statistics
  • show interface dot11Radio 0 aaa client
  • Debug dot11 aaa dot1x state
  • Debug dot11 mgmt interface
  Local authentication is designed as a fall-back service for when the primary RADIUS server fails. We not encourage the use of Local authentication as a replacement for a radius server.
  * With an ACS you get Authentication, Authorization and Accounting. With Local authentication you only get Authentication.
  * ACS scales, supports external user-databases, supports multiple authentication types, supports database backup and replication, etc, etc... Local authentication supports a maximum of 50 users, internal static configuration only, and LEAP only.
  Following is an IOS configuration, that I have tested, and works on an AP1200 (should work on an 1100 too, I just haven’t tested it);
  · This configuration enables a single AP to do local authentication. No WDS is included for fast roaming.
  · This configuration can be cut-and-pasted into an AP that has been write-erased (blank config), and it will configure all the parameters to allow a client to LEAP authenticate to it (even if no Ethernet cable is connected to it)
  · Replace usernames/passwords with your own usernames/passwords
  · Replace ip-addresseswith the APs IP address
  · I added DHCP configuration so you can connect to a stand-alone AP with your DHCP-enabled laptop (with a profile that matches the test APs SSID and LEAP settings).
  conf t
  host loc-auth-ap-name
  enable secret cisco
  no ip domain-lookup
  line vty 0 4
  password cisco
  exec-timeout 0 0
  login
  int bvi 1
  ip address 10.11.12.13 255.255.255.0
  Interface dot11 0
  no ssid tsunami
  encryption mode ciphers ckip-cmic
  ssid test-loc-auth
  authentication network-eap eap_methods
  authentication key-management cckm optional
  ip dhcp excluded-address 10.11.12.13
  ip dhcp pool temp
  network 10.11.12.0 255.255.255.0
  interface BVI1
  ip address 10.11.12.13 255.255.255.0
  no ip route-cache
  aaa new-model
  aaa group server radius rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  server 10.11.12.13 auth-port 1812 acct-port 1646
  aaa authentication login eap_methods group rad_eap
  ! add a real AAA server (with auth-port 1645) before
  ! the following statement if you are configuring a
  ! fallback authentication service instead of a
  ! standalone service
  radius-server host 10.11.12.13 auth-port 1812 acct-port 1646 key 0 l0cal-key-secret
  radius-server deadtime 10
  dot11 holdoff-time 1
  ip radius source-interface BVI1
  radius-server local
  nas 10.11.12.13 key 0 l0cal-key-secret
  user testuser password 0 testuser-key-secret
  exit
  exit
  wri