Traffic to Site?

Similar Messages

• Unable to pass traffic between sites

  I've read through dozens of posts and so far have had no luck getting any of the suggestions to work - combined with many of these posts being multiple years old...so I'm going to try posting something current and see if I get anywhere.
  Scenario:
  Site A - Cisco ASA 5510 running 8.4(4)1 with two interface connections to a Cisco ME 6500 (which I do not manage), one for internet and one for a MPLS connection.
  Site B – connecting to an unknown switch which is connected to the MPLS network.
  Site C – Cisco ASA 5505 running 7.2(3) with one connection to an unknown switch (which I do not manage) for internet access.
  Site A to Site B traffic flows between the two without issue.
  Site A to Site C is a site-to-site VPN connection. Traffic flows between the two without issue.
  The main issue I’m having is that Site B cannot talk to Site C and vice versa. Also my client VPN connections to Site A cannot get to Site B or Site C.
  My first question is; is this even possible? (I sure expected it to be). And if so, what the heck am I doing wrong???
  I’ve included a config from Site A which is where I’m guessing the problem is. Any insight is appreciated.

  "I'm not following what you mean by that."
  Your Site "A" and "B" connected through MPLS cloud and they are not connected through vpn-connection, right?  I assume that your site "B" cannot communicate to site "C", therefore you must permit site-B's subnet traffic transit between site "A" and site "C" i.e. Site-B should have access to "C", right ?
  "I may be misunderstanding, but isn't that what this is: "route MPLS 10.17.0.0 255.255.0.0 10.17.250.2 1"."
  Great 10.17.0.0/16 route meant for site "B", that is fine, you wouldn't need an additional one.
  "You completely lost me there :)"
  I presume that your Site "B" and "C" does not have direct MPLS connection, therefore Site "A" becomes a transit path for site "B" and "C".   You allow site-B's transit through the vpn-tunnel between site "A" and "C".  Your site "C" assumes that subnet belong to site "B" is directly connected at site "A" but in reality it connects via a MPLS cloud and one last thing is that a route needed at site-B to push site-C's traffic to Site "A", a static route would do that.
  As you would permit site-B's traffic to pass through vpn-tunnel site "A" and "C", in other words your "A" become a hub for traffic flowing between site "B" and "C".
  "Should the route be applied to the inside or the outside interface?"
  Outside.  Your tunnel terminated on the outside interface, right? If so then it must point to outside's default-gateway address.
  object network SiteB-network
   subnet 10.17.2.0 255.255.255.0
  this would allow you to access site-c subnet when you are remote-in to Site-A.
  nat (outside,outside) source static VPN-pool VPN-pool destination static SiteC-network SiteC-network
  this is to allow Site-B to access site-C subnet via the tunnel between site A and C.
  nat (MPLS,outside) source static SiteB-network SiteB-network destination static SiteC-network SiteC-network
  object network inside-network
   subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) source static inside-network inside-network destination static SiteC-network SiteC-network
  access-list outside_cryptomap extended permit ip object inside-network object SiteC-network
  this is allow Site-B to access site-C subnet via the tunnel between site A and C.
  access-list outside_cryptomap extended permit ip object SiteB-network object SiteC-network 
  Thanks
  Rizwan Rafeek

• ConfigMgr 2012 - Expected compression ratio for upstream traffic - Secondary site to Primary

  What compression ratio should we expect for upstream traffic (I guess mostly specific to inventory) from a ConfigMgr 2012 secondary site to a primary? We are debating between secondary site and DP for some sites with slow network links.
  We are concerned about SQL replication even working with a secondary site on some of the slower link sites (e.g. 512K)
  Thank you.

  It doesn't, I just wanted to get the full picture since you mentioned you were debating between secondary sites vs. dp's.  In my personal experience I've seen customers who want to do a Primary and Secondary when they only have a few hundred PC's and
  2 locations (which often is overkill depending on bandwidth and other factors).  Just wanted to make sure I had all info first.
  I'll try to find some exact numbers for you, I don't have any handy unfortunately.  In the meantime, here's this page in case you haven't seen it yet.  It is pretty handy and has some links to other, potentially useful pages.
  http://technet.microsoft.com/en-us/library/gg712701.aspx
  I can tell you from past experience the delta's that SCCM 2012 does for inventory are pretty low impact, but again, I don't have any exact numbers or ranges.  I do apologize I don't have exactly what you're needing handy.  I'll reply back if I
  can dig them up.

• Inter site email Traffic when site tunnel drops

  I have 3 sites, let me call Site1 , site2 and site3. where Site 1 is holding the primary mx record for receiving the
  emails from external world.
  Problem is when tunnel breaks between site1 and site3 all emails to be delivered to site3 are stuck in site1 itself,Expected
  to use alternate way that's is from site1 to site2 and from site2 to site3 where the tunnels are up in running and delivery the emails.

  You could try setting cost for routing emails
  http://technet.microsoft.com/en-us/library/cc794882(v=ws.10).aspx
  http://technet.microsoft.com/en-in/library/cc757117(v=ws.10).aspx
  http://technet.microsoft.com/en-us/library/bb123696%28v=exchg.150%29.aspx

• How to use OraSession for a high-traffic IIS/ASP site

  Guys,
  I am running into scalability issues with our production web server. The ASP requests queued keeps growing to crash the IIS eventually atleast once a day. We don't have any custom COM components and we believe database is not the bottleneck.
  We are using one OraSession object in the Application scope as follows:
  <OBJECT RUNAT="Server" SCOPE="Application" ID="OraSession" PROGID="OracleInProcServer.XOraSession"></OBJECT>
  Sub Application_OnStart
  OraSession.CreateDatabasePool 1, 120, 600, "TEST", "scott/tiger", 0
  End Sub
  We are calling OraSession.GetDatabaseFromPool(9000) whenever we need a database connection. I believe this object since it runs on single thread is unable to handle too much load.
  What's the best way of using OraSession/OraServer/OraDatabase objects for a high-traffic web site? The documentation doesn't have enough information. One interesting statement was that "Calling openDatabase method and attaching multiple user sessions(OraDatabase) after an OraServer object is created is useful with IIS like n-tier distributed environments" What does this mean?
  I appreciate any help.
  Thanks
  Krishna

  Hi iLac,
  I'm not sure what you meant by reverse engineering the browser's interactions with the site, but anything you can do within a browser you can feasibly do through scripts without resorting to a GUI. I'll mention a few tools that will help you out and briefly describe how you can use them to achieve what you want, although a bit more of a specific question may help. Anywhoo...
  First up I'd recommend Firebug for Firefox. A great tool that will let you visually inspect different elements of a rendered page in your browser to see the source code underneath. It also allows you to edit the page so you can test form input. (For example changing a Post to Get request to see the syntax.
  Next is "Live HTML Headers" which is also an addon for Firefox. Setting it to record and then clicking on a link will log all interaction between your browser and the website (eg. cookies, browser/system info, redirects etc.). You can really see what is going on behind the scenes.
  Finally you are going to want to use cURL which is a command line tool in the Terminal. Here is a like to a tutorial which will cover what you need [[http://curl.haxx.se/docs/httpscripting.html]] Basically cURL can interact with websites and download the source code for you (you will have to spoof cookies, and all other session info which could be a little difficult depending on the site, if you have to log in etc.).
  And that is about it. Using those three resources you can get anything off the web you can get with a browser. You just need to write an applescript to run the right cURL commands and extract the info from the HTML.
  If you have any other questions or need clarification or more help feel free to ask. Perhaps with a bit more detail on what exactly you are trying to achieve. My experience comes from auto updating homemade sports pools.
  Good Luck.

• Cisco ASA 5505 Cannot ping local traffic and local hosts cannot get out

  I have, what I believe to be, a simple issue - I must be missing something.
  Site to Site VPN with Cisco ASA's. VPN is up, and remote hosts can ping the inside int of ASA (10.51.253.209).
  There is a PC (10.51.253.210) plugged into e0/1.
  I know the PC is configured correctly with Windows firewall tuned off.
  The PC cannot get to the ouside world, and the ASA cannot ping 10.51.253.210.
  I have seen this before, and I deleted VLAN 1, recreated it, and I could ping the local host without issue.
  Basically, the VPN is up and running but PC 10.51.253.210 cannot get out.
  Any ideas? Sanitized Config is below. Thanks !
  ASA Version 7.2(4)
  hostname *****
  domain-name *****
  enable password N7FecZuSHJlVZC2P encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif Inside
  security-level 100
  ip address 10.51.253.209 255.255.255.248
  interface Vlan2
  nameif Outside
  security-level 0
  ip address ***** 255.255.255.248
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  shutdown
  interface Ethernet0/3
  shutdown
  interface Ethernet0/4
  shutdown
  interface Ethernet0/5
  shutdown
  interface Ethernet0/6
  shutdown
  interface Ethernet0/7
  shutdown
  ftp mode passive
  dns server-group DefaultDNS
  domain-name *****
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
  access-list No_NAT extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.7.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.10.250
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.200
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.1.3.9
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.14
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.15
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 host 10.10.10.16
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.1.9.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 10.10.9.0 255.255.255.0
  access-list Outside_VPN extended permit ip 10.51.253.208 255.255.255.248 ***** 255.255.255.240
  pager lines 24
  mtu Outside 1500
  mtu Inside
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any Outside
  no asdm history enable
  arp timeout 14400
  global (Outside) 1 interface
  nat (Inside) 0 access-list No_NAT
  route Outside 0.0.0.0 0.0.0.0 ***** 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication ssh console LOCAL
  http server enable
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set DPS_Set esp-3des esp-md5-hmac
  crypto map DPS_Map 10 match address Outside_VPN
  crypto map DPS_Map 10 set peer *****
  crypto map DPS_Map 10 set transform-set *****
  crypto map DPS_Map interface Outside
  crypto isakmp enable Outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash md5
  group 2
  lifetime 28800
  crypto isakmp policy 65535
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 0.0.0.0 0.0.0.0 Outside
  ssh timeout 60
  console timeout 0
  management-access Inside
  username test password P4ttSyrm33SV8TYp encrypted
  tunnel-group ***** type ipsec-l2l
  tunnel-group ***** ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:8d0adca63eab6c6c738cc4ab432f609d
  : end
  1500

  Hi Martin,
  Which way you are trying. Sending traffic via site to site is not working or traffic which you generate to outside world is not working?
  But you say ASA connected interface to PC itself is not pinging that is strange. But try setting up the specific rules for the outgoing connection and check. Instead of not having any ACL.
  If it is outside world the you may need to check on the NAT rules which is not correct.
  If it is site to site then you may need to check few other things.
  Please do rate for the helpful posts.
  By
  Karthik

• ASA 5505 Site-to-Site VPN to remote dmz access

  I don't have a ton of experience with ASA firewalls, but I've searched everywhere and I can't seem to find a solution to this.
  I have 2 sites connected by a Site-to-Site VPN with ASAs (5540 on Site 1, 5505 on Site 2). I'm using ASDM.
  Lets call:
  Site 1 LAN: 192.168.1.0
  Site 2 LAN: 192.168.2.0
  Site 2 DMZ: 172.16.2.0
  Traffic from Site 1 to Site 2 is perfect moving across the LANs. My workstation (192.168.1.10) can ping anything in site 2s LAN (192.168.2.0/24).
  Recently, I added a UniFi WAP device to Site 2 DMZ. Since I want to be able to manage this DMZ WAP from the LAN with a management server, I created a network object in Site 2s ASA. I called this object DMZ_WAP. IP address 172.16.2.2. I checked the box for "Add Automatic Address Translation Rules" and configured Type to "Static" and Translated Addr to "192.168.2.8." Source interface DMZ to Any destination interface. This of course created 2 "Network Object" NAT rules.
  I then created a DMZ incoming rule that says Source: DMZ_WAP, Destination: net_site1_lan (this object was of course created for the site to site vpn), allow all IP traffic. I created an Outside incoming rule that says net_site1_lan can access DMZ_WAP.
  Awesome, I can now ping 192.168.2.8 from anywhere within Site 2. The problem is... I can't ping 192.168.2.8 from my workstation in site 1 (192.168.1.10). If I run Packet Tracer (interface dmz, packet type TCP, source 172.16.2.2 port "echo", destination 192.168.1.10 port "echo") everything turns up green checkmark, the packet is allowed. So why do I have no contact?
  I apologize, as I realize ASDM isnt what most of you probably use. But anyone have any ideas? Been researching this for about 4 hours now, perhaps I'm barking up the wrong tree.
  Thanks,
  Garrick

  Here's my sanitized config. Any help would be greatly appreciated. Again, the point is simply to make the object SITE2_DMZ_WAP that is off of the "dmz" interface talk with SITE1 over the site to site VPN. I can't let any other traffic through except this one IP. I currently have it NATd.
  ASA Version 8.4(1)
  no names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.21.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address -OMITTED- 255.255.255.248
  interface Vlan3
  no forward interface Vlan1
  nameif dmz
  security-level 50
  ip address 172.16.21.1 255.255.255.0
  interface Ethernet0/0
  description Outside WAN1 port
  switchport access vlan 2
  interface Ethernet0/1
  description Inside LAN port
  interface Ethernet0/2
  description Inside LAN port
  interface Ethernet0/3
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/4
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/5
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/6
  description Outside DMZ port
  switchport access vlan 3
  interface Ethernet0/7
  description Outside DMZ port
  switchport access vlan 3
  boot system disk0:/asa841-k8.bin
  ftp mode passive
  clock timezone
  clock summer-time PDT recurring
  dns server-group DefaultDNS
  domain-name -OMITTED-
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network net_SITE1_lan
  subnet 192.168.1.0 255.255.255.0
  object network net_SITE2_lan
  subnet 192.168.21.0 255.255.255.0
  object network net_SITE1_dmz
  subnet 172.16.1.0 255.255.255.0
  object network net_SITE2_dmz
  subnet 172.16.21.0 255.255.255.0
  object network SITE2_DMZ_WAP
  host 172.16.21.2
  object network 192.168.21.8
  host 192.168.21.8
  description FOR SITE2 WAP
  access-list inside_access_in extended permit ip object net_SITE2_lan any
  access-list inside_access_in extended deny tcp any any eq smtp
  access-list outside_cryptomap extended permit ip object net_SITE2_lan object net_SITE1_lan
  pager lines 24
  logging enable
  logging buffer-size 16384
  logging buffered notifications
  logging asdm notifications
  no logging message 106015
  no logging message 313001
  no logging message 313008
  no logging message 106023
  no logging message 710003
  no logging message 106100
  no logging message 302015
  no logging message 302014
  no logging message 302013
  no logging message 302018
  no logging message 302017
  no logging message 302016
  no logging message 302021
  no logging message 302020
  flow-export destination inside 192.168.1.35 2055
  flow-export template timeout-rate 1
  flow-export delay flow-create 15
  mtu inside 1500
  mtu outside 1500
  mtu dmz 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-643.bin
  no asdm history enable
  arp timeout 14400
  nat (inside,outside) source static net_SITE2_lan net_SITE2_lan destination static net_SITE1_lan net_SITE1_lan
  object network obj_any
  nat (inside,outside) dynamic interface
  object network SITE2_DMZ_WAP
  nat (dmz,any) static 192.168.21.8
  nat (inside,outside) after-auto source dynamic any interface
  nat (dmz,outside) after-auto source dynamic any interface
  access-group inside_access_in in interface inside
  route outside 0.0.0.0 0.0.0.0 162.227.34.22 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  aaa authentication telnet console LOCAL
  aaa authentication serial console LOCAL
  aaa authorization exec LOCAL
  http server enable
  http server idle-timeout 60
  http 192.168.0.0 255.255.0.0 inside
  http 0.0.0.0 0.0.0.0 outside
  snmp-server host inside 192.168.1.35 community ***** version 2c
  no snmp-server location
  no snmp-server contact
  snmp-server community *****
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto map CMAP_OUTSIDE 1 match address outside_cryptomap
  crypto map CMAP_OUTSIDE 1 set peer -PEER OMITTED-
  crypto map CMAP_OUTSIDE 1 set ikev1 transform-set ESP-AES-128-SHA
  crypto map CMAP_OUTSIDE 1 set reverse-route
  crypto map CMAP_OUTSIDE interface outside
  crypto ikev1 enable outside
  crypto ikev1 policy 30
  authentication pre-share
  encryption aes-256
  hash sha
  group 2
  lifetime 86400
  telnet timeout 5
  ssh 192.168.0.0 255.255.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outside
  ssh timeout 60
  ssh version 2
  console timeout 60
  management-access inside
  dhcpd dns 8.8.8.8 8.8.4.4
  dhcpd dns 192.168.2.2 192.168.1.6 interface inside
  dhcpd lease 34000 interface inside
  dhcpd domain -DOMAIN OMITTED- interface inside
  dhcpd update dns both interface inside
  dhcpd address 172.16.21.100-172.16.21.200 dmz
  dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
  dhcpd lease 34000 interface dmz
  dhcpd enable dmz
  priority-queue outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ntp server -NTP SERVERS OMITTED-
  ntp server -NTP SERVERS OMITTED-
  webvpn
  group-policy GroupPolicy1 internal
  group-policy GroupPolicy1 attributes
  vpn-tunnel-protocol ikev1
  username -OMITTED- password -OMITTED- encrypted privilege 15
  tunnel-group -IP OMITTED- type ipsec-l2l
  tunnel-group -IP OMITTED- general-attributes
  default-group-policy GroupPolicy1
  tunnel-group -IP OMITTED- ipsec-attributes
  ikev1 pre-shared-key *****
  isakmp keepalive threshold 10 retry 5
  class-map netflow-export-class
  match any
  class-map inspection_default
  match default-inspection-traffic
  class-map QoS_RDP
  match access-list QoS_RDP_Server_Branch
  class-map QoS_EA
  match port tcp eq 2000
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
    policy-map global_policy
  class inspection_default
    inspect dns
    inspect ftp
    inspect http
    inspect icmp
    inspect icmp error
    inspect ils
    inspect ip-options
    inspect ipsec-pass-thru
    inspect pptp
    inspect rsh
    inspect rtsp
    inspect sip 
    inspect snmp
    inspect xdmcp
  class netflow-export-class
    flow-export event-type all destination 192.168.1.35
  class QoS_RDP
    priority
  class QoS_EA
    priority
  service-policy global_policy global
  prompt hostname context
  call-home
  profile CiscoTAC-1
    no active
    destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
    destination address email [email protected]
    destination transport-method http
    subscribe-to-alert-group diagnostic
    subscribe-to-alert-group environment
    subscribe-to-alert-group inventory periodic monthly
    subscribe-to-alert-group configuration periodic monthly
    subscribe-to-alert-group telemetry periodic daily
  Logoff

• Load Balance guest Internet access via two different DMZ zones at two sites

  Hi Sir,
  My customer has the following unified wireless guest access requirement:
  - There are 2 internet links and dmz zones at two different locations, Site A and Site B
  - Data centre is at Site A
  - WiSM is proposed to be installed at the Cat 6500 in Site A
  - Lightweight AP are distributed across Site A, Site B and other branches
  - Only one anchor WLC is proposed at Site A, DMZ zone to provide guest internet access
  My customer would like to load balance the guest via the two internet link at Site A and Site B but with the same SSID across all locations. Can it be done since only one anchor at Site A? How about puttting another anchor WLC at Site B, DMZ zone? But how can i establish two EoIP tunnel to two different anchor WLC from a single WiSM?
  Thanks for your help
  Delon

  You can... but you can't control where the traffic will flow. The wlc will determine which DMZ wlc it will use. The wlc will load balance, but traffic in site A might go to site B. I currently have deployed that senerio in multiple client installations....

• Spikes on network during software distribution or site Migration eventhough throttling enabled

  Hello,
  Maybe I am missing something here, but why am I getting Large Network traffic during site migration from sccm 2007 to 2012 and software distribution to Dps even when I have enabled Bandwidth throttling for the site/dps.  Networking is trying to throttle
  back the bandwidth, but said it is dynamic.  Anyway to make this port a specific port?
  Thanks,
  Mark

  Are you referring to the RPC traffic? If so, it uses the default dynamic RPC port range. That range can be shortened but that's an adjustment on operating system level and not in ConfigMgr.
  My Blog: http://www.petervanderwoude.nl/
  Follow me on twitter: pvanderwoude

• QOS on WAN traffic

  Can anyone help on this below configuration
  Platinum (According to real time class)   
  Voice RTP
  Gold (40% of remaining)
  Voice signalling
  Citrix
  Video conferencing
  Silver (20% of remaining)
  Notes
  Internet browsing
  Bronze (10% of remaining)
  SNMP
  TFTP   
  Best effort   
  Other   

  Ed,
  That is right. QOS and bandwidth profile functionality is for outbound traffic and traffic over VPN, and using QOS you should be able to limit bandwidth for outbound traffic and traffic over Site-to-Site VPN.
  Thanks,
  Nitin

• Redundant link between two core sites with MPLS

  Hi,
  we have 50+ sites connected via MPLS. (see diagram)
  Out core sites are SITE A (primary) & SITE B (secondary). These core sites are connected via a ptp link.
  Both sites connect to the MPLS cloud via their own routers and all sites can reach SITE A & SITE B.
  Now, if I pull the cable on SITE A's MPLS router, nothing can reach SITE A as expected.
  Is it possible to get all of the MPLS sites to reach SITE A via SITE B's MPLS router and PtP link (and vice versa if SITE B's MPLS router went down)
  Basically, redundancy if one of the MPLS routers went down at one of the core sites?

  Hi,
  yes, it's clearer now.
  So what I'd think about would be running OSPF between the MPLS router and L3 switch on each site.
  You would redistribute BGP prefixes to OSPF then.
  And also configure a default route on the L3 switch pointing to the other L3 switch over the ptp line.
  Plus keep the static routes for the other core site prefixes pointing to the other L3 switch over the ptp line.
  That way:
  1) Under normal conditions the L3 switch in site A will use a static route over ptp line (better AD than OSFP) to reach site B and vice versa.
  2) In a case of MPLS router A failure:
  The outging traffic from Site A would be routed via the ptp line to the L3 switch in site B (due to the default route). The L3 switch in site B will know the routes to the remote MPLS sites (received via OSPF from MPLS router B).
  The incoming traffic will be received on the MPLS router B (due to prefixes for site A advertised from B with worse BGP attributes - but no prefixes advertised to MPLS from A). The MPLS router in Site B will use its static routes to forward the traffic to the L3 switch in site B. And the L3 switch will use its static routes for site A prefixes to forward the traffic over the ptp line.
  Analogic routing will be applied in a case of MPLS router failure in site B.
  3) In a case of the ptp line going Down:
  The static routes should disapper from the routing tables on both L3 switches.
  But they should still get the routes to the other core site received from OSPF (redistributed from BGP).
  4) So the only problematic case might be the ptp line failing but the L3 switch interface remaining Up.
  You might need to get either some tracking (not sure if available on L3 switches) or dynamic routing involved to overcome this.
  Either running OSPF between the L3 switches  or even runnig EIGRP to route the site A and B prefixes only possibly?
  But I'm not sure if this wouldn't bring too much complexity to the design?
  Best regards,
  Milan

• Trustsec Mac Encryption Between Sites

  Hi,
  See attached - might make question more clear
  we have a layer 2 connection between sites using a local provider for the link. On the remote side is a 3750-X and on the Main Campus side is a 2960. The link is connected via a VLAN. The VLAN interface exists on the Main Campus 5548, core switch
  From What I understand, Trustsec cannot be configured on a logical interface but, if we were to configure the logical interfaces as a physical interfaces could we encrypt traffic between the 5548 and the 3750-X?
  Even though it would also have to traverse through the 2960 as well?
  And traverse the Layer 2 WAN link?
  Any other suggestions for accomplishing this?
  Thank you, Pat

  No, it is not supported on the 2960 series.  Also, if you want to encrypt traffic between sites, a better solution is to use IPsec tunnel, but you need a firewall or a router in each location.
  It doesn't have to be anything expensive if you don't need a lot of bandwidth.
  I use these and they work really well.
  have a look:
  http://www.amazon.com/Juniper-SSG-5-SB-Security-Services-Gateway/dp/B000IZDN88
  HTH

• Multiple WAN site redundancy design review (dark fiber, p2p, DMVPN)

  I'm re-designing a couple of wan sites.  I'm using EIGRP over both some leased dark fiber and p2p provider connections.  The attached (pdf) physical topology says it all, I'm thinking of using ip sla to track and inject routes over prefered connections, but really just looking for feed back if someone is interested in taking a look. 
  I've bought 2 2951's with es3g-16-p modules so I can build svi's and do hsrp between the paths, building redundancy between the 3 available paths back to our enterprise core (1Gbps, 40Mbps, 50Mbps).
  multiple vlans at both sites...
  e.g.: (wan site1 (vlan 10-15), want site2 (vlan 16-20))
  Thoughts and thanks?

  hi there
  not sure why you need to use DMVPN if it all internal same internal network unless you need to have all the traffic between sites to be encrypted
  anyway in general i would say of use the direct link to reach the directly connected networks per site
  example using site one 100M link to reach DC and WAN
  and use site2 50M local link to reach WAN as primary path and use the site1-site2 fibre to reach DC as primary path for site2 this could archive a good load sharing and reduce the load on the link between site1 and site2
  IP SLA in a topology like your for sure can very helpful to improve failover time and make the routing more topology aware
  hope this helps

• Hub disconnects when I access certain sites

  My infinity home hub has started outing (green flashing light) when I access certain websites with webstreaming content. What does that mean? What can I do about it?

  Someone else reported that on a Hong Kong traffic cam site. The only soulution I could see was to replace the Homehub with something else.
  If you found this post helpful, please click on the star on the left
  If not, I'll try again

• OT - Viewing third party's website traffic info?

  I suppose this is really OT.
  Obviously if we have our own site we can monitor very
  specific details of users, however does any way exist to see
  general information (eg traffic volume / site hits, etc) on third
  party sites which we have no control over or involvement with?
  Thanks for your help
  and best wishes over the festive season

  This is a multi-part message in MIME format.
  --------------080706000302070400070702
  Content-Type: text/plain; charset=ISO-8859-1; format=flowed
  Content-Transfer-Encoding: 7bit
  Taxed Mind wrote:
  > Thanks Kim, this looks like just the thing, as does
  SpamTrap, when I eventually get ro?nd to looking at it more in
  depth, I think I will have good use for it.
  would attached work? Its called a rountuit.
  Phillip M. Jones, CET |LIFE MEMBER: VPEA ETA-I, NESDA, ISCET,
  Sterling
  616 Liberty Street |Who's Who. PHONE:276-632-5045,
  FAX:276-632-0868
  Martinsville Va 24112 |[email protected], ICQ11269732, AIM
  pjonescet
  If it's "fixed", don't "break it"!
  mailto:[email protected]
  <
  http://www.kimbanet.com/~pjones/default.htm>
  <
  http://www.kimbanet.com/~pjones/90th_Birthday/index.htm>
  <
  http://www.kimbanet.com/~pjones/Fulcher/default.html>
  <
  http://www.kimbanet.com/~pjones/Harris/default.htm>
  <
  http://www.kimbanet.com/~pjones/Jones/default.htm>
  <
  http://www.vpea.org>
  --------------080706000302070400070702
  Content-Type: image/gif;
  name="Rountuit.gif"
  Content-Transfer-Encoding: base64
  Content-Disposition: inline;
  filename="Rountuit.gif"
  R0lGODlhUABQAMQAAIVTAICAQM3NgAAAQMDAwP//////////////////////////////////
  /////////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  ACH5BAEAAAQALAAAAABQAFAAAAX/4COOZGmeaKqubOuiQSzP82vfLq3vNe7fvKAw8Cumhsig
  cflIOpVM4HPKi7aoWKj1lO3utiavmAYWjc9kK3oti7LfRCMcXpzPf3Y6Ln+38e0vf3k5gn0r
  hYOHiIYwi4BHjowlkYlhlJJml48kmpsjnZI0AqOkpaYCMac8qqmmraewqGmZMrJJAwG2Mbg6
  ugG8vri+QrxtnzPDQcI0xcjMqc/JPM1xtNBOyzPU1zLA0U/Ux87Yuc+95sHl5Gk7A+4Dwe/u
  6t076fS7u+/x8jrW9ubG1TunjVs+UQGrNBFyT+BBhAXx/SI4EMqQhrUSZoyI0eBEIf8oPtxY
  0eHHjhK3/7FjqDElQI4tUa4MglLmvZotZ66KmfMmz4gWWQIlOZLoyZ8ldQAICTGpS5FHh3pU
  KWPpQppIi0qM6lRmVaYmt/ka224qVKoxrF7sKapUO29Sn/KwevWl061DiuGM+1WcXa2tsOnN
  +nEH3bpngwAYRWyeUbE503LCynfG4reQ43oNcBgxM3lotYF2jPldadI0OnsGJUY1azaqV7+m
  Elv27Ce1bd8eklv3bsWKfjvpDVa44SvGeRNKDnw589R+nkOXIp0znurEVUjPHlw4dxbGvyOf
  DUB8INbmqV9Kv4dS+TKQCr2H333OfPrjYbPHj6b8fvyTTeHffwCmMOCBBxao4ASCKIQAADs=
  --------------080706000302070400070702--