Traffic route

My TMG is configured with 3 NICs (WAN, LAN01, LAN02)
WAN: 194.145.45.x
LAN01: 20.30.0.0/16 (20.30.0.1)
LAN02: 172.90.0.0/16 (172.90.0.2)
USA: 10.300.0.0/16
I have a VPN established to a USA office between two FortiGate routers (172.90.0.1 --> 10.300.0.1)
In the destination network expect the client has the IP range LAN02 but cut the worst access I need to access from the LAN01 masking source IPs
How should I do it?

Hi Quan,
The USA network is already created but with VLAN02 and need that computers of VLAN01 can to access. Do not let me create a new VPN and only enable the IPs of VLAN01

Similar Messages

  • Drive+ Traffic Routing

    Hi,
    I've been using Android phones with Google Maps for several years and recently switched to WP8.1 with Here Drive+ for navigation. I'm in the USA, New York City metro area, and find the route selection based on traffic not good. From what I see on the map, the actual traffic (yellow/red lines) does seem to be accurate as far as I can tell, but the routing seems to ignore it. I find I can't rely on it to give me the best route to get to my destination based on current traffic conditions. I also find the ETA to be incorrect by 15-30 minutes where Google Maps was much closer to actual time.
    As an example, yesterday, I had two route choices, one was more miles with no traffic and a second was less miles with heavy traffic. There are smart signs on the road showing the drive time to the George Washington Bridge from a point. One route was a 15 minute drive the other was a 54 minute drive. Radio news traffic confirmed what the signs said. 
    I could see on Drive+ that the green, yellow, red lines seemed to match the conditions on the road sign and where I could see traffic flow. Drive+ selected the heavy traffic route, I selected the light traffic route. Drive+ kept trying to re-route me on the heavy traffic road via u-turns and connecting roads. It showed my time to my destination as 4:11PM. As I continued on my route, it finally showed me on this route and changed the ETA to 3:50PM. It should have routed me using a shorter drive time from the start.
    The app needs to better handle traffic conditions for route selection as this seems to be typical.

    Thanks. The thread you linked was based on a re-route for a current trip. For me, even the initial route is selected had a longer ETA. It should have based the initial trip on traffic.
    I think what might be happening is it selects the trip based on distance, then adds traffic rather than using traffic to compute the route.
    Re-routing a current trip is something that Google only recently added as well.

  • Slow TCP performance for traffic routed by ACE module

    Hi,
    the customer uses two ACE20 modules in active-standby mode. The ACE load-balances servers correctly. But there is a problem with communication between servers in the different ACE contexts. When the customer uses FTP from one server in one context to the other server in other context the throughput through ACE is about 23 Mbps. It is routed traffic in ACE:-(  See:
    server1: / #ftp server2
    Connected to server2.cent.priv.
    220 server2.cent.priv FTP server (Version 4.2 Wed Apr 2 15:38:27 CDT 2008) ready.
    Name (server2:root):
    331 Password required for root.
    Password:
    230 User root logged in.
    ftp> bin
    200 Type set to I.
    ftp> put "|dd if=/dev/zero bs=32k count=5000 " /dev/null
    200 PORT command successful.
    150 Opening data connection for /dev/null.
    5000+0 records in.
    5000+0 records out.
    226 Transfer complete.
    163840000 bytes sent in 6.612 seconds (2.42e+04 Kbytes/s)
    local: |dd if=/dev/zero bs=32k count=5000  remote: /dev/null
    ftp>
    The output from show resource usage doesn't show any drops:
    conc-connections              0          0     800000    1600000          0
      mgmt-connections             10         54      10000      20000          0
      proxy-connections             0          0     104858     209716          0
      xlates                        0          0     104858     209716          0
      bandwidth                     0      46228   50000000  225000000          0
        throughput                  0       1155   50000000  100000000          0
        mgmt-traffic rate           0      45073          0  125000000          0
      connections rate              0          9     100000     200000          0
      ssl-connections rate          0          0        500       1000          0
      mac-miss rate                 0          0        200        400          0
      inspect-conn rate             0          0        600       1200          0
      acl-memory                 7064       7064    7082352   14168883          0
      sticky                        6          6     419430          0          0
      regexp                       47         47     104858     209715          0
      syslog buffer            794624     794624     418816     431104          0
      syslog rate                   0         31      10000      20000          0
    There is parameter map configured with rebalance persistant for cookie insertion in the context.
    Do you know how can I increase performance for TCP traffic which is not load-balanced, but routed by ACE? Thank you very much.
    Roman

    Default inactivity timeouts used by ACE are
    icmp 2sec
    tcp 3600sec
    udp 120sec
    With your config you will change inactivity for every protocol to 7500sec. If you want to change TCP timeout to 7500sec and keep the other inactivity timeouts as they are now use following
    parameter-map type connection GLOBAL-TCP
      set timeout inactivity 600
    parameter-map type connection GLOBAL-UDP
      set timeout inactivity 120
    parameter-map type connection GLOBAL-ICMP
      set timeout inactivity 2
    class-map match-all ALL-TCP
      match port tcp any
    class-map match-all ALL-UDP
      match port udp any
    class-map match-all ALL-ICMP
      match port tcp any
    policy-map multi-match TIMEOUTS
      class ALL-TCP
        connection advanced GLOBAL-TCP
      class ALL-UDP
        connection advanced GLOBAL-UDP
      class ALL-ICMP
        connection advanced GLOBAL-ICMP
    and apply service-policy TIMEOUTS globally
    Syed Iftekhar Ahmed

  • Unknown network traffic / router traffic monitoring

    So I got a new PC with windows 7 on it, and I installed this gadget that monitors network traffic, and it shows a lot of traffic that my local PC isn't showing, so I am thinking there is something running on the LAN that I can't see. I was looking to find a live, better program to monitor the actiontec router, for traffic. anyone know of anything that can maybe show me who is using all the bandwidth on my network?
    i have found software for Linksys, but nothing for the Actiontec.
    Thanks,
    Quasimodem
    Fios in Florida

    Keep in mind that when looking at Wireshark (sniffer) software there are different types of traffic:
    Unicast
    Broadcast
    Multicast
    Unicast is traffic between two devices.  You will see the traffic between the PC with wireshark and another device on your local network such as a printer, another PC or the Router.  You should not see traffic between another PC and the Internet for example.  Using a phone as an example someone calls you and the conversation is between you and the person on the other end of the phone.  This is unicast traffic.  Using defaults of the actiontec, IP address seen will be 192.168.1.1 for the router and 192.168.1.2-99 for devices on your network.  If you have the TV service, 192.168.1.100-1xx is used for the cable boxes.
    Broadcast traffic is traffic sent to all devices.  It's not directed toward a particular PC but rather usually looking for information.  In a sniffer trace you will see broadcast traffic. Going back to the phone example, someone makes an announcement on an overhead intercom system that is broadcast traffic.  Broadcast traffic will be seen as 192.168.255.255
    Multicast traffic is traffic from one device for many devices.  Usually used in video feeds.   Using the phone system as an example someone wishes to tell a group of people something so instead of calling each person up and telling them each person who wants the information joins a conference bridge.  Anyone is allowed to listen but only those that wish to get the information receive it.  Generally how multicast works.  Multicast traffic will be seen as IP address 224.x.x.x or something of the sorts where the address will be 2xx.x.x.x.  
    I hope this makes sense.  Probably more information than you needed but at least it will help you understand what wireshark is telling you.
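The traffic types described in the answer above can be tallied from a capture export to see which LAN host is sending the most. This is an added example, not part of the original thread: the packet tuples are constructed sample data, the /24 mask and the role ranges are assumptions based on the Actiontec defaults quoted in the post, and the broadcast address is derived from the subnet mask rather than hard-coded.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN: Actiontec default addressing from the post, with a /24 mask.
LAN = ipaddress.ip_network("192.168.1.0/24")

def classify(dst, lan=LAN):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination IP."""
    addr = ipaddress.ip_address(dst)
    limited = ipaddress.ip_address("255.255.255.255")
    if addr == limited or addr == lan.broadcast_address:
        return "broadcast"
    if addr.is_multicast:            # 224.0.0.0/4
        return "multicast"
    return "unicast"

def role(host, lan=LAN):
    """Label a host using the address ranges quoted in the post."""
    addr = ipaddress.ip_address(host)
    if addr not in lan:
        return "external"
    offset = int(addr) - int(lan.network_address)
    if offset == 1:
        return "router"
    if 2 <= offset <= 99:
        return "lan-device"
    if offset >= 100 and addr != lan.broadcast_address:
        return "set-top-box"         # assumed: everything from .100 upward
    return "other"

def summarize(packets, lan=LAN):
    """packets: iterable of (src, dst, bytes).
    Returns (bytes per traffic type, LAN senders sorted by bytes sent)."""
    by_kind = defaultdict(int)
    by_host = defaultdict(int)
    for src, dst, nbytes in packets:
        by_kind[classify(dst, lan)] += nbytes
        if ipaddress.ip_address(src) in lan:
            by_host[src] += nbytes
    talkers = sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)
    return dict(by_kind), [(h, role(h, lan), b) for h, b in talkers]

# Constructed sample: what a capture on one switched-LAN PC (192.168.1.5)
# would typically contain: its own unicast plus everyone's broadcast/multicast.
SAMPLE = [
    ("192.168.1.5",   "93.184.216.34",   1500),
    ("93.184.216.34", "192.168.1.5",     9000),
    ("192.168.1.7",   "192.168.1.255",    120),
    ("192.168.1.1",   "255.255.255.255",  342),
    ("192.168.1.1",   "224.0.0.1",         60),
    ("192.168.1.100", "239.255.255.250",  400),
    ("192.168.1.7",   "239.255.255.250",  400),
]

if __name__ == "__main__":
    kinds, talkers = summarize(SAMPLE)
    print(kinds)
    for host, label, nbytes in talkers:
        print(f"{host:15} {label:12} {nbytes}")
```

Because a switch only delivers other hosts' broadcast and multicast frames to the capturing PC, per-host unicast totals for the whole LAN have to come from the router or a mirrored port.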

  • How to start a loop back proxy in Windows Phone 8 and have all app and internet traffic routed via it

    I want to develop a proxy in windows phone 8 that will handle all data traffic emanating from phone(i.e. browser and Apps). The following procedures were carried out
    a) Edited the Wifi settings http proxy and port to the loop back proxy running in the phone(i.e. 127.0.0.1) and the port in which we brought up the loop back proxy
    b) We browsed pages and no request landed on the loop back proxy in the phone
    Loop back proxy in phone is built using StreamSocketListener 
    Another observation is that:
    If we edit Wifi settings http proxy and port to a http/https proxy running on server then when we browse pages from windows phone we are getting the requests to server. Why is this difference?
    Is there a limitation to run http/https proxy on mobile phone as loop back proxy.
    But there are apps in the market for windows phone that behaves as HTTP proxy like 
    http://www.windowsphone.com/en-us/store/app/smartproxy/75da629b-c0f3-4999-86a3-9559181d1299
    Any help on the same would be appreciated

    Hi,
    Thanks for your reply and we have used StreamSocketListener waiting on a port and ip is given as loopback. The same settings are done for Wifi access point but when we browse any page in IE the requests are not landing on to the loop back proxy. Any idea on the same would be highly appreciated

  • WLAN internet traffic routing

    Hi,
    I have a 5508 controller.
    The controller is located at the HQ while we have couple of small remote offices that will have AP's connected to the controller.
    I would like the wireless users at the remote offices to connect to the AP and send internet traffic out directly from the AP instead of all that data going back and forth between the office and HQ.
    I just want management traffic between the AP and the controller. I am sure I would need an autonomous AP instead of a lightweight but what settings do I set on the autonomous to achieve this type of setup?
    Thanks in advance

    You can do this with a lightweight AP if you use the Flexmode or H-REAP mode. Basically this mode turns the access point into a lightweight managed autonomous AP. The caveat is that when an AP is in H-REAP mode some authentication methods aren't supported if it loses connection to the controller. Depending on the firmware version on your controller you need to maintain a 150ms round-trip time.
    In H-REAP mode you need to specify native VLAN for the AP, and then the VLAN for each of the H-REAP/locally switched SSIDs, and you will need to configure the SSIDs for local-switching.
    See the guides below for reference and configuration assistance.
    Cisco H-REAP Design and Deployment Guide
    http://www.cisco.com/en/US/partner/products/ps10315/products_tech_note09186a0080736123.shtml
    Cisco H-REAP Modes of Operation Configuration Example
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
    Hope this helps

  • Understanding 5505 firewall-site to site and internet traffic

    Hi,
    My question is multi-faceted. I apologize for the lengthy intro here but I think the info is necessary to understand where I am headed in this.
    I am new to the cisco 5505. I have had very limited exposure to a 5510 that was preset. I have managed to make modifications to it here and there, but dont completely understand how it was put together. I learn by watching, listening, and gleaning what I can from others. I have had no formal training in CLI, but I have learned some of the commands. I know enough to be dangerous, but I respect my limitations.
    That being said, I have been charged with setting up a 5505 at a remote site. I need to accomplish several things.  Our ultimate goal is to use this device as a site to site with the 5510 at the corporate office. However, I need to accomplish this in baby steps, test, test real users and then maybe convert in full. Where I could outsource this in its entirety, that would preclude me from learning so I can address this in the future on my own.
    We need to have this in place by the end of February 2013.
    Currently the remote site is connected via a very slow (by todays standards) T1 line on a MPLS. Stable. Works, but slow. All internet traffic as well as work traffic is routed through that connection. We have added a 50mb cable connection (with static ips) to the office. First we want to set up the 5505 so that it can be used as follows:
    1, Internet traffic can be routed out through this device and all other "work" traffic routed through the MPLS.
    2, Test using this connection as a route out to the internet AND use it as a site to site VPN connection to the home office. (or anyconnect vpn)
              I need to be able to have users in both environments. IE, some still using step 1 and some starting to use and test step 2.
    3, long term, use this as the main connection per number 2, but add the IP address so that if the cable connection drops, the office can access internet via the VoIP T1 line as a life line.
    In all cases, I dont want internet going through the home office as it currently is traveling.
    I have done a lot of searching but so far have come up empty with answers.
    Question 1:     (This one probably shows my ignorance the worst) - in using the 5505 firewall, will it segregate normal internet traffic from the VPN traffic when used by the workstation? Using the GUI, I didn't see where this was necessarily happening. Do I need to use CLI language (and what) to make this happen? Or is that a basic function that happens during the setup of the firewall using the GUI. Do I need to do some sort of "split tunneling"?
    Question 2:     Do I use this device as the Default gateway for both step 1 and 2/3) for normal use and then change the gateway on the Pcs to the VoIP network during emergency use,(that would bypass the firewall though or is there a way to have it route to that router if there is no connection through the Outside port? Or as long as I have some access to the device, can I make a change remotely to help accomplish this failsafe?
    Question 3:     We have 25 Anyconnect VPN licenses. Should we use these and not the Static site to site, if so, why or why not? They dont need to be used at all.
    Question 4:     In setting up the VoIP line for backup, would using that on the "DMZ" connection help in making this viable so that the device could still ultimately control the internet traffic?
    Question 5:     In setting up the VPN connections, unless i am getting the two methods confused, I will need the 5505 to hand out IP addresses for the vpn connection. I see in using a class c schema that i can use 92.168.0.0 to 192.168.255.0. So for instance, I could use 101.1.20.0 for the inside network Vpn addresses?? I need to stay away from 192.168.0.0 networks as we use that in our normal structure.
    Reasons for setting this up:
    Slow speeds over the T1.
    increasing demand for Skype, Video conferencing etc that the T1 pipe couldnt adequately handle
    Lack of backup pathways for downed connections - ie, backhoe chopping through wire at a construction site).
    I read through the Getting started guides on both the 5510 and the 5505 and feel I can likely get the site to site setup (I have a list of all the Ip addresses i need for inside networks and outside networks etc.
    additional notes:
    I have to email ATT anytime I want a change made on the MPLS router, so doing as little to that as possible would be good.
    I will be onsite for testing at the end of February  and will have direct access to the home office via other methods to work on the asa5510 if any additional work needs to be done on it once i am onsite.
    Thanks for taking the time to read through all of this. please forgive my lack of knowledge...
    Dave

    Thanks for getting back to me and so quickly!
    1) I am not sure if I understand the “ACL” portion of your question, but this is how I want to access info via the VPN tunnel:
    192.168.D.0 inside(NJ) to outside 5505 - 12.175.X.X to outside 5510 - 12.200.X.X to inside network (HQ)192.168.X.0. Routes are needed to find subnets 192.168.A.0, 192.168.B.0 and 192.168.C.0. The default gateway to those subnets right now is: 192.168.X.XX4 inside of HQ. This would be so that the NJ office could find resources of the other offices if needed. This will change as we wean off the MPLS. Inside the ASA 5505, the IP addresses are 192.168.D.0 for data, 10.X.X.0 for the Phone system. All other traffic would be sent out through the internet. Phone system uses the XOcomm conection to route phone traffic.
    2) I did some reading on SLA. Thanks for pointing that out. For purposes of learning here, I am showing this as 12.175.XXX.XXX for Comcast and 12.200.XXX.XXX for XO comm.
    4) I guess I would use an Outside 2 as that makes sense, in description, I would label them “ComCast” for outside 1 and “XOcomm” for outside 2.
    5) I am still not sure I understand this part. Are additional IP addresses needed for the Site to site VPN to talk to the local hosts, or will it use the IP addresses assigned by the local server?
    Next Steps
    1-         Configure the ASA5510 for the 5505 connection
    2-         Configure the ASA5505 for the 5510 connection
    3-         Configure SLA for Comcast and XOcomm outside connections
    4-         For this I need help….I think this is from step 1, but I need help to configure the internet to be segregated via my question from #1. Have I given enough information to do so? Please advise on ACL entries, and route statements needed so that NJ can talk to all the offices when using this connection, not just the Headquarters.
    Thanks
    dave

  • How can I split Client Network traffic and My exchange traffic with two different ip address?

    Hello Everyone
    sorry for my bad English and also my bad explanation
    here is my network looks like
    all the client on one subnet and network is 192.168.0.0
    i have Dsl router that connect to Tmg server
    i have Tmg with two NIC
    1-192.168.0.4
    2- 2 Public Ip address
    i want to do this
    i want to split user's traffic and my exchange traffic
    i mean i want to route user's traffic with one public ip addresss
    and my exchange server's traffic with another public address
    but when i add additional ip address at Tmg or create new NIC card
    all of my traffic route with one public ip Address what should i do?

    Hi Uhan,
    You need to use the ENAT function on TMG to achieve this
    On the External NIC assign the Second IP as Additional IP address (VIP)
    Create a network Rule to NAT traffic From Exchange server IP address to the required Public IP which you need the E NAT.
    Ensure you are creating rule only from Exchange server IP and not all Internal.
    Look at the below Doc for step by step config
    http://www.isaserver.org/articles-tutorials/configuration-general/Configuring-One-to-One-NAT-TMG-2010.html

  • Ip in the same subnet gets routed Why?

    Hi
    In windows 2008 server R2, it is connecting to production network through the teamed network adapter. Ip of the teamed adapter is 10.157.86.31 255.255.255.0 and its gateway is 10.157.86.1
    And the server is getting backed up with the backup interface configured with 10.128.141.64 255.255.248.0 in one of the nic in the server connected to the NAS Drive with the ip address 10.128.141.28. The backup was happening perfectly as the backup is a non-routed network.
    Once the motherboard of the server is changed, suddenly the backup stopped worked failing in authentication to the NAS drive because in NAS Drive authentication is setup based on the ip addresses of the servers connected to the NAS Drive.
    What I have found is that even though the server's backup ip address is not changed , still the NAS drive ip 10.128.141.28 is reached via another network gateway 10.157.86.31 even though the NAS DRive is connected in the same subnet.
    Since the NAS DRive is reached by the server through the ip address of the gateway 10.157.86.31, the authentication fails with the NAS drive because it expects the ip address to be as 10.128.141.64
    how to force the traffic to the ip 10.128.141.28 to initiate through the nic 10.128.141.64 ?
    Any suggestions please
    Below is the answer for the problem ; already implemented and backup is working
    But needed the clarification
    Below is the solution too:
    In spite of rebuild of the server from scratch by freshly installing the operating system, the backup vlan is not connected. So I decided to connect the cable coming from the switch port to the unused nic port of the server and it solved the issue by reconfiguring the ip address to the new nic port.
    But needed one clarification here:
    Before swapping the cable to spare nic the picture is below
    Highlighted above is the nic connected to the backup vlan through which no communication happens.
    So decided to swap the cable from lan1 (backup) which is a separate nic to the spare nic available in the server which is highlighted below
    After configuring the backup ip address to the new spare nic also resulted in the traffic routed the production vlan which should not be the case. And moreover my observation from the above screenshot, why swapping the cable from the lan1 (non-teamed adapter) is showing that lan4 (teamed adapter) as disconnected.
    And moreover , currently the setup is working as below with the backup traffic happening through the backup vlan when it is configured in the above manner
    Thanks & Regards S.Swaminathan Live & let others live!!!

    Did you set the interface binding order correctly or to match the previous server?
    DNS: Valid network interfaces should precede invalid interfaces in the binding order
    http://technet.microsoft.com/en-us/library/dd391967(v=WS.10).aspx
    Modify the protocol bindings and network provider order
    http://technet.microsoft.com/en-us/library/cc732472(v=WS.10).aspx
    An incorrect IP address is returned when you ping a server by using its NetBIOS name in Windows Server 2008 or in Windows Server 2008 R2
    http://support2.microsoft.com/kb/981953
    You can view your current binding order by using this script, but please note, that I haven't tried this script, yet:
    Show NIC Binding Order
    http://gallery.technet.microsoft.com/scriptcenter/Get-NIC-Binding-Order-a2dc8087
    Also, prior to setting up the teams, make sure that the NIC is set to obtain IP automatically and not have a static entry on it. I've seen this cause problems in the past.
    If you have any unused NICs, such as Local Area Connection 2, don't just unplug them. You must disable them, otherwise they will try to register the APIPA in DNS and that will cause problems.
    Make sure that the correct DNS are on the interfaces that you need to use, too.
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Access to Internet Routing Entries

    Hi!
    I know that list of structures ire_t contains routing information of host. But where is the head of this list? What is its name? Maybe somebody knows. My idea is to get IRE list's head and find entry that contains default gateway.
    One thing else: I've noticed that default gateway isn't tied to any interface in Solaris operating system.
    How can I realize which interface my default route goes through?
    Thank you for any help.
    Andrey

    As you do not have a router, you can use RRAS to achieve that. The first thing is to make the traffic routed to internet.
    Ping and Tracert can be helpful. 
    The second part would be the DNS resolution. You can configure your internal DNS servers to have your ISP DNS servers as forwarders and make your domain-joined servers / computers point only to your internal DNS servers as primary and secondary DNS servers.
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • My laptop is connected to company LAN on wire and I have another active wifi connection provided by a router. Can I use the wifi connection for mozilla connection and the wired for everything else? I'm on Win7.

    I have 2 simultaneous active connections:
    no1: wired connection to company lan; private IP 172.19..
    no2: wireless connection to unrestricted traffic router; private IP: 192.168...
    my question: can I use the wireless connection for mozilla traffic and the wired for everything else?
    I'm on Windows7 Prof, all security updates installed.

    Go to Control Panel > Network and Internet > Network and Sharing Center >
    Click Change adapter settings from left panel > Open the network connection you want to change the DNS servers for by right click and select Properties > Select
    Internet Protocol Version 4 (TCP/IPv4) and click Properties button > Choose the
    Use the following DNS server addresses > enter the IP address for a
    Preferred DNS server as well as an Alternate DNS server.
    Primary DNS: 8.8.8.8
    Secondary DNS: 8.8.4.4
    This IP belongs to Google public DNS.
    Note: Wired connections are usually labeled as Ethernet, while wireless ones are usually labeled as
    Wi-Fi or Wireless Network Connection.
    Uncheck Internet Protocol version 6
    Mark as Answer if it's worked. Thanks. Balamurugan_Subramaniyan

  • BGP Conditional Route Filtering

    Hi All,
    I have router with 2 Connection.
    1) IP Transit from Tier 2 Provider
    2) IX - Local Internet Exchange for local peering
    I'm receiving full internet route nearly 500k+ entries. I also have few local peering through IX connection to local telco. Now that , Im receiving more specific route from IP Transit link compared to local peering . Eg
    Local Peer A( ASN YYYY)  send route : a.a.0.0/16
    IP Transit send route : a.a.1.0/24
    With this , My traffic to a.a.1.0/24 end up routed over IP transit link. But we need the traffic routed via IX Peering, since its direct peering and have low latency and high bandwidth capacity. 
    I'm thinking, to filter AS-PATH YYYY from IP Transit link, so that any traffic to ASN YYYY will now be routed over local IX Peering. But, this will cause traffic to get dropped if My Port to IX or Peering Partner Port to IX went down.  The traffic then should be routed over IP transit link if local peering is down. Meaning to say, AS-Path filtering should be removed if local peering to that ASN is down.
    Any Idea how to accomplish this ?

    Hello
    You don't say if this is just one router with two peerings or two routers with iBGP between them each with an ISP peering?
    However for outbound traffic you can use either Weight or Local Preference path selection for your local traffic to go over your selected link.
    For inbound, AS-Path prepending would be applicable I think
    Outbound:
    Weight (Is locally significant - Just one router)
    access-list 10 permit x.x.x.x y.y.y.y
    route-map Weight permit 10
     match ip address 10
     set weight 400000
    route-map Weight permit 99
    router bgp xx
     neighbor x.x.x.x route-map Weight out (to ebgp peering for your preferred choice path)
    or
    route-map Local-Pref permit 10 ( for IBGP routers)
     match ip address 10
     set local-preference 200
    route-map Local-Pref permit 99
    router bgp xx
     neighbor x.x.x.x route-map Local-Pref in (to ebgp peering for your preferred choice path)
    Inbound
    AS-Path prepend
    route-map AS-Path permit 10
     match ip address 10
     set as-path prepend ASN ASN ASN
    route-map AS-Path permit 99
    router bgp xx
     neighbor x.x.x.x route-map AS-Path out ( to the least preferred ISP)
    res
    Paul
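The situation in this thread (a /16 learned from the IX peer, a more specific /24 of it learned from transit) can be modelled to see where each knob acts. This is an added example, not code from the thread: best-path selection is simplified to weight, local preference and AS-path length; the prefixes 10.20.0.0/16 and 10.20.1.0/24 and the ASNs 64500 (peer) and 64510 (transit) are constructed stand-ins for a.a.0.0/16, a.a.1.0/24 and YYYY; `conditional_filter` is a hypothetical helper showing the "filter only while the IX route exists" behaviour the question asks for.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    prefix: str
    neighbor: str          # "IX" or "TRANSIT" (labels assumed for the example)
    as_path: tuple         # last element is the origin AS
    local_pref: int = 100
    weight: int = 0

PEER_ASN = 64500           # stands in for ASN YYYY (constructed)
TRANSIT_ASN = 64510        # constructed

# Constructed table: IX path already carries a raised local preference.
PATHS = [
    Path("10.20.0.0/16", "IX", (PEER_ASN,), local_pref=200),
    Path("10.20.0.0/16", "TRANSIT", (TRANSIT_ASN, PEER_ASN)),
    Path("10.20.1.0/24", "TRANSIT", (TRANSIT_ASN, PEER_ASN)),
]

def best_paths(paths):
    """Pick one path per prefix: weight, then local-pref, then shorter AS path."""
    best = {}
    for p in paths:
        net = ipaddress.ip_network(p.prefix)
        key = (p.weight, p.local_pref, -len(p.as_path))
        if net not in best or key > best[net][0]:
            best[net] = (key, p)
    return {net: entry[1] for net, entry in best.items()}

def forward(rib, dst):
    """Forwarding uses the longest matching prefix among installed best paths."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)].neighbor

def conditional_filter(paths, peer_asn, ix="IX", transit="TRANSIT"):
    """Drop a transit path originated by peer_asn only while an IX-learned
    prefix from that ASN covers it, so transit stays as fallback."""
    ix_nets = [ipaddress.ip_network(p.prefix) for p in paths
               if p.neighbor == ix and p.as_path[-1] == peer_asn]
    kept = []
    for p in paths:
        net = ipaddress.ip_network(p.prefix)
        covered = any(n.supernet_of(net) for n in ix_nets)
        if p.neighbor == transit and p.as_path[-1] == peer_asn and covered:
            continue
        kept.append(p)
    return kept

def next_hop(paths, dst):
    return forward(best_paths(paths), dst)

if __name__ == "__main__":
    print("unfiltered  :", next_hop(PATHS, "10.20.1.5"))
    print("filtered    :", next_hop(conditional_filter(PATHS, PEER_ASN), "10.20.1.5"))
    ix_down = [p for p in PATHS if p.neighbor != "IX"]
    print("IX down     :", next_hop(conditional_filter(ix_down, PEER_ASN), "10.20.1.5"))
```

Attributes such as weight and local preference are compared only between paths for the same prefix, so in this model the /24 keeps winning on prefix length until it is filtered.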

  • Waas traffic interception with ace

    I will use ACE for WAAS traffic interception and I need help in:
    1. If I used ACE, there is no need for WCCP for traffic interception, right?
    2. If I used ACE, should I make 3 vlans: vlan10 for clients (face wan), vlan12 for WAEs & vlan11 for datacenter,
    make in 6500 interface vlan10 and give it ip 10.1.1.1, should I give interface vlan10 in ACE 10.1.1.1 (the same ip in 6500 & ACE)? Is that logical to give the same interface vlan ip in two devices or will that generate a duplicated ip error?
    3. If it is right, can I make a static route in ACE to 6500 interface vlan10 "ip route 0.0.0.0 0.0.0.0 10.1.1.1"?
    4. When I define an access-list in ACE to define traffic which could be routed through ACE, if I deny certain networks (permit only networks that I want to redirect to WAEs) will the other traffic be routed through 6500 to core? I will use "transparent" in server farm & no ip normal. In other words can I consider the access-list in ACE like the access-list I'm using in WCCP.
    5. The topology: I have 2 6500 and I will install 2 ACE (1 ACE in each 6500) and I will attach 1 WAE in each 6500 switch, one vlan for WAEs, and I will make a server farm and allocate 2 WAEs in it and I will define the server farm in 2 ACEs and make a default route in the ACEs to interface vlan 10.1.1.1. In this way will ACE load balance between 2 WAEs and traffic interception work well or not?
    And finally I'm sorry for these many questions but I think I will find the answers.

    Usama,
    Here are the answers to your questions:
    1. Correct.
    2. You would not configure the same IP address on the ACE and MSFC. As far as how the VLANs should be configured, that somewhat depends on your deployment. What you have described would be common if you are deploying ACE in bridged mode. In routed mode, you can deploy ACE in a one-arm configuration.
    3. Yes.
    4. ACE does not pass traffic by default. You must explicitly permit the traffic you want to pass. Said differently, if you do not permit the traffic in your ACL, it will be dropped.
    5. If you are using a single context in ACE, they will be active/passive (i.e. only one ACE module will handle traffic at any given point in time). The configuration will automatically be synchronized between the active and passive modules.
    How are you planning to get traffic to the ACE module?
    Zach

  • External ip adress at the server network interface behind the router

    Hello to all!
    I am installing MacOSX Snow Leopard Server and using it behind my AirPort router as a mail and web server. I was setup Airport at the NAT section with 'Enable default host at' option and all services working well, but one thing that I want to understand is the 'network interfaces' at the 'Server admin' of Leopard Server. There is listed only internal ip address (10.0.1.2) that use the my server, but there is no my static external ip address. Is it correct? Or I should manually also to add a external ip address which is now actually used with my AirPort router?
    If i should, so how do it correctly, using virtual interfaces at the network section or somewhere else?

    So, with any AirPort router I can't route my public static IP address to the Mac OS X Server machine? I need another router device for this, am I right?
    Your Airport uses your public static IP address.
    Your Airport is typically then configured to port-forward inbound traffic along to your server at your own private static IP address via NAT. The mechanism known as port-forwarding is (once it is configured) how traffic routing to your public static IP address gets routed to your private static IP address.
    In general (and unless something like NAT is involved), there's only one host box active at one IP address at a time.
    I am not sure, but I think that at the server network interface I should have a public static IP address, but with this configuration I can't see it.
    If you would be so kind as to tell me what particular part(s) of [this article|http://labs.hoffmanlabs.com/node/275] are confusing and why, I'll see if I can address the confusion and update the article.
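
The port-forwarding path described in this thread, as an added example that is not part of the original posts: a simplified Python model of the router's NAT step, showing why the server's interface only ever carries its private address. The class and function names are hypothetical, 203.0.113.10 is a constructed stand-in for the public static IP, and the default-host behaviour (all unmapped inbound ports go to one host) is an assumption about the 'Enable default host at' option.

```python
# Simplified model of a NAT router with port forwarding and a "default host".
# Addresses are constructed: 203.0.113.10 stands in for the public static IP.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NatRouter:
    def __init__(self, public_ip, forwards=None, default_host=None):
        self.public_ip = public_ip
        self.forwards = forwards or {}    # public port -> (private ip, private port)
        self.default_host = default_host  # assumed: gets all other unsolicited inbound
        self.flows = {}                   # (remote ip, remote port, private ip, private port) -> public port

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving on the WAN side."""
        if pkt.dst != self.public_ip:
            return None
        target = self.forwards.get(pkt.dport)
        if target is None and self.default_host:
            target = (self.default_host, pkt.dport)
        if target is None:
            return None                   # no mapping: dropped at the router
        self.flows[(pkt.src, pkt.sport, *target)] = pkt.dport
        return replace(pkt, dst=target[0], dport=target[1])

    def outbound_reply(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of the server's reply back to the public address."""
        public_port = self.flows.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if public_port is None:
            return None
        return replace(pkt, src=self.public_ip, sport=public_port)

def demo():
    # Mail (port 25) forwarded to the server, which is also the default host.
    router = NatRouter("203.0.113.10", forwards={25: ("10.0.1.2", 25)},
                       default_host="10.0.1.2")
    seen = router.inbound(Packet("198.51.100.7", 40000, "203.0.113.10", 25))
    reply = router.outbound_reply(Packet(seen.dst, seen.dport, seen.src, seen.sport))
    return seen, reply
```

In this model, a default host receives every unsolicited inbound port, so the server's own firewall is the only filter in front of its services; with explicit per-port forwards and no default host, the router drops everything that is not mapped.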

  • Ironport not forwarding HTTPS traffic

    We have recently been trying to set up a BYOD wireless network, and the wireless clients that join this network have their traffic routed directly to an Ironport S370 (Ver7.1.4-053), as we do not want the BYOD users to have to configure their proxy settings.
    We have created an Identity which matches the subnet given to BYOD devices with no authentication and then an Access Policy for filtering. All this works as long as the traffic is HTTP; as soon as you try to access anything using HTTPS, the Ironport seems to drop the traffic, as it never hits the firewall and the page cannot be displayed.
    Any domained clients which have the Ironport address as their proxy work fine.
    The Ironport is not set to bypass any addresses in bypass settings.
    I am sure there must be a simple answer as to why HTTPS traffic is not being forwarded, and any pointers as to why this is would be greatly appreciated.
    Many thanks,
    Neil.

    Hi Igor and Neil,
    As per AsyncOS 7.5 documentation, HTTPS proxy needs to be enabled to process HTTPS traffic in transparent mode.
    Following is the extract from the doco.
    "When the Web Proxy is configured in transparent mode, you must enable the HTTPS Proxy if the appliance receives HTTPS traffic. When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests."
    If you do not want to decrypt HTTPS traffic, you can enable HTTPS proxy in pass-through mode.
    Thanks,
    Wipula.
