WLC Virtual interface listening on ports 25 and 110

I'm securing my guest WLAN and have WLC ACLs in place, and the network is segmented from everything else, but I decided to run a port scan against the virtual WLC interface (1.1.1.1 for me) and ports 25 and 110 are listening. I connected to 25 and it connects, but you can't do any SMTP commands.
Anyone know why these would be open and any concern?

It is always recommended to have the ACLs configured on the wired side of the network rather than the wireless side of the network. Can you provide the ACL configuration so that we can understand the configuration and find the modification to be done in the same to rectify the issue?

Similar Messages

  • WLC Virtual Interface config for a public SSL cert for Web Authentication

    I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so when a Web-Auth user tries to authenticate they don't get the SSL cert error.
    In the document "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC" (Document ID: 109597) it states the following:
    "Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect."
    Here are my questions.
    1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
    2. In the "DNS Host Name" field do I simply put the domain or the FQDN? Example: Company.com or hostname.company.com

    Hi,
    1) You can change that if you want. Normally it is non-Public and non-routable in your network.
    2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
    Regards
    Dhiresh
    ** Please rate helpful posts**

  • Why virtual interfaces added to ManagementOS not visible to Cluster service?

    Hello All, 
    I'm starting this new thread since the one before is answered by our friend Udo. My problem in short is following. Diagram will be enough to explain what I'm trying to achieve. I've set up this lab to learn Hyper-V clustering with 2 nodes. It is Hyper-V Server 2012. Both nodes have 3x physical NICs; 1 in each node is dedicated to managing the node. The other two are used to create a NIC team. Atop that NIC team, a virtual switch is created with -AllowManagementOS $False. Next I created and added the following virtual interfaces to the host partition, and plugged them into the virtual switch created atop the teamed interface. These virtual interfaces should serve the purpose of various networks available.
    For SAN I'm running a Linux VM which has an iSCSI target server, and the clustering service has no problem with that. All tests pass OK.
    The problem is that those virtual interfaces, when added to hosts, do not appear as available networks to the cluster service; instead it only shows the management NIC as the available network to leverage.
    This is making it difficult to understand how to set up a cluster of 2x Hyper-V Server nodes. Can someone help please?
    Regards,
    Shahzad.

    Shahzad,
    I've read this thread a couple of times and I don't think I'm clear on the exact question you're asking.
    When the clustering service goes out to look for "Networks", what it does is scan the IP addresses on each node. Every time it finds an IP in a unique subnet, that subnet is listed as a network. It can't see virtual switches and doesn't care about virtual vs. teamed vs. physical adapters or anything like that. It's just looking at IP addresses. This is why I'm confused when you say, "it won't show virtual interfaces available as networks". "Networks" in this context are IP subnets. I'm not aware of any context where a singular interface would be treated like a network.
    If you've got virtual adapters attached to the management operating system and have assigned IPs to them, the cluster should have discovered those networks. If you have multiple adapters on the same node using IPs in the same subnet, that network will only appear once and the cluster service will only use one adapter from that subnet on that node. The one it picked will be visible on the "Network Connections" tab at the bottom of Failover Cluster Manager when you're on the Networks section.
    Eric Siron Altaro Hyper-V Blog
    I am an independent blog contributor, not an Altaro employee. I am solely responsible for the content of my posts.
    "Every relationship you have is in worse shape than you think."

    Hello Eric and friends,
    Eric, much appreciated about your interest about the issue and yes I agree with you when you said... "When the clustering service goes out to look for "Networks", what it does is scan the IP addresses on each node. Every time it finds an IP in a unique subnet, that subnet is listed as a network. It can't see virtual switches and doesn't care about virtual vs. teamed vs. physical adapters or anything like that. It's just looking at IP addresses. This is why I'm confused when you say, "it won't show virtual interfaces available as networks". "Networks" in this context are IP subnets. I'm not aware of any context where a singular interface would be treated like a network."
    By networks I meant to say subnets. Let me explain what I've configured so far:
    Node 1 & Node 2 installed with 3x NICs. All 3 NICs/node plugged into same switch.
    Node1:  131.107.0.50/24
    Node2:  131.107.0.150/24
    A Core Domain controller VM running on Node 1:   131.107.0.200/24
    A JUMPBOX (WS 2012 R2 Std.) VM running on Node 1: 131.107.0.100/24
    A Linux SAN VM running on Node 2: 10.1.1.100/8
    I planned to configure the following networks:
    (1) Cluster traffic:  10.0.0.50/24     (IP given to virtual interface for Cluster traffic in Node1)
         Cluster traffic:  10.0.0.150/24   (IP given to virtual interface for Cluster traffic in Node2)
    (2) SAN traffic:      10.1.1.50/8      (IP given to virtual interface for SAN traffic in Node1)
         SAN traffic:      10.1.1.150/8    (IP given to virtual interface for SAN traffic in Node2)
    Note: Cluster service has no problem accessing the SAN VM (10.1.1.100) over this network, it validates SAN settings and comes back OK. This is an indication that virtual interface is working fine.
    (3) Migration traffic:   172.168.0.50/8     (IP given to virtual interface for Migration traffic in Node1)
         Migration traffic:   172.168.0.150/8    (IP given to virtual interface for Migration traffic in Node2)
    All these networks (virtual interfaces) are made available through two virtual switches which are configured EXACTLY identical on both Node1/Node2.
    Now after finishing the cluster validation steps (which come back all OK), when the create cluster wizard starts, it only shows one network; i.e. network of physical Layer 2 switch i.e. 131.107.0.0/24.
    I wonder why it won't show IPs of other networks (10.0.0.0/8, 10.1.1.0/8 and 172.168.0.0/8)
    Regards,
    Shahzad
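
The discovery rule described in the reply above (one cluster network per unique IP subnet found on the nodes), applied to the addresses and masks listed in the follow-up post. This is an added example, not part of the original thread and not Failover Clustering code; the function names are hypothetical and the model assumes only the rule as stated in the reply.

```python
import ipaddress
from itertools import combinations

# Addresses and prefix lengths exactly as listed in the follow-up post.
NODE_ADDRESSES = {
    "Node1": ["131.107.0.50/24", "10.0.0.50/24", "10.1.1.50/8", "172.168.0.50/8"],
    "Node2": ["131.107.0.150/24", "10.0.0.150/24", "10.1.1.150/8", "172.168.0.150/8"],
}


def discover_networks(node_addresses):
    """Group every node IP under the subnet its own mask places it in."""
    networks = {}
    for node, addrs in node_addresses.items():
        for addr in addrs:
            iface = ipaddress.ip_interface(addr)  # keeps host bits, derives .network
            networks.setdefault(iface.network, {}).setdefault(node, []).append(str(iface.ip))
    return networks


def overlapping(networks):
    """Pairs of discovered subnets whose address ranges overlap."""
    return [(str(a), str(b))
            for a, b in combinations(sorted(networks), 2)
            if a.overlaps(b)]


def multi_homed(networks):
    """Nodes holding more than one IP in the same subnet (the reply says
    only one adapter per node is used for such a subnet)."""
    return [(str(net), node, ips)
            for net, per_node in networks.items()
            for node, ips in per_node.items()
            if len(ips) > 1]


if __name__ == "__main__":
    nets = discover_networks(NODE_ADDRESSES)
    for net in sorted(nets):
        print(f"{str(net):18} {nets[net]}")
    print("overlapping subnets:", overlapping(nets))
    print("multi-homed nodes:  ", multi_homed(nets))
```

With the masks as written, the /8 entries resolve to 10.0.0.0/8 and 172.0.0.0/8 rather than 10.1.1.0 or 172.168.0.0, and 10.0.0.0/8 contains the 10.0.0.0/24 cluster subnet.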

  • Virtual Interfaces

    So I have had different apps make virtual interfaces such as en2 and en3 on my mac. Is there a way to remove these entirely?

    Uninstall the applications. If you've done that already then simply delete them in Network preferences.

  • AP Manager interface and Virtual Interface

    What do each of these interfaces do on the 526 WMAC? I am not sure I understand the functionality and did not find the answer to this in the documentation.
    Thanks

    Well from a WLC, the management is used to access and manage the wlc. It is also used for communication with the mobility group. AP-Manager is the interface the wlc and the ap's use and the virtual interface is used by internal dhcp, mobility group, webauth, etc. The virtual interface is not routable in your network, it is mainly used by the wlc's for various features.
    Here is from a Cisco Doc:
    The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA server. If the service port is in use, the management interface must be on a different subnet than the service port.
    The AP-Manager interface is used as the source IP address for all Layer 3 communications between the controller and the lightweight access points. The AP-Manager must have a unique IP address and should be on the same subnet as the management interface.
    The virtual gateway interface is used to support mobility management, DHCP relay, and embedded Layer 3 security, like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. If multiple controllers are configured in a mobility group, the virtual interface must be the same on all controllers for seamless roaming.
    The service-port interface is mapped only to the physical service port. The service port interface must have an IP address on a different subnet from the management and AP-Manager interfaces. A default-gateway cannot be assigned to the service-port interface, but static routes can be defined through the controller command-line interface for remote network access to the service port.

  • Is it possible to create a virtual TCP port and send data to it?

    Is it possible to create a virtual TCP port and send data to it?
    My application is this:   I am reading a constant stream of waveform data from a device via a LabVIEW VI set and I need to get that streaming data to a .NET application.  I can poll a TCP port in .NET easily so is there a way I can create a virtual TCP port in LabVIEW and send the data there?

    Have a look at the example called simple data server and simple data client and see what you can get from that. I'm not really familiar with TCP myself.
    Joe.
    "NOTHING IS EVER EASY"

  • What's listening on port 454 and 455 in Azure? Warning flagged by security scan

    We are about to go live with an Azure Website and, as a precaution, did a security scan on the IP address that has been allocated to us.
    There were a number of low severity warnings listed which we're not too worried about, however the scan did flag that something appears to be listening on port 454 and 455, and supports TLS1.0.
    RESULTS:
    Available non CBC cipher    Server's choice    SSL version
    RC4-SHA                     DES-CBC3-SHA       TLSv1
    Does anyone know what this is? I can't find it obviously listed anywhere. If it's not necessary, can I switch it off? And if it is necessary, can I set it to require a more secure protocol?
    We're hosted in the "Australia East" datacentre, in case that's relevant.
    Crossposted to Stack Overflow here:
    http://stackoverflow.com/questions/27807505/whats-listening-on-port-454-and-455-in-azure-warning-flagged-by-security-scan

    Hello Michael,
    These ports are used for internal communication in Azure Websites infrastructure. They are not site specific and you cannot turn them off. It is safe to ignore them.
    Thanks,
    Petr

  • WLC 2106 ports and vlans

    I am connecting a 2106 to our small network.  If I set a specific port on the 2106 for the "guest interface" and wire that port directly to the DMZ is it still necessary to define a VLan?  Does defining the ports separate the traffic?
    What I am thinking is leaving all (except the guest wireless) of the interfaces on port 1, wiring that to our normal network and setting up radius authent.  All of the network traffic then goes out through the normal firewall interface.
    Then set up the guest interface to go to "port 4" on the 2106.  Run a wire from "port 4" to a NIC dedicated to the DMZ.
    Note:  The "nics" listed above are actually PNics on separate VSwitches in VSphere.
    Thanks,
    Bob

    Thanks for your help!
    It looks as if I need to read up some more on the use of this unit.  It was dropped in my lap by a third party so I am kind of faking it.  Any other suggestions would not hurt my feelings:
    Internal network is 192.168.5.x, guest wireless is  172.16.1.x.  At this point I am going to have all interfaces go to "port 1" except the guest wireless which will go to "port 4".
    I will plug "port 1" into my regular switch and "port 4" into a DMZ switch.
    From what I gather I will have to give the "port 4" traffic an exclusive "VLAN identifier", change the vSphere switch to include that VLAN, etc.
    Thanks again,
    Bob

  • IChat File Transfer port issue (can't listen to port 5190 and 7777)

    Greetings ladies and gentlemen,
    I need help opening port 5190 and 7777 for ichat server file transfers. As for now, my situation can be described as below:
    (1)I have a ichat server in a mac mini(2010, newest model as for today) running a fully updated version of MACOSX SERVER 10.6 inside a lab in my university.
    (2)As for the ichat server itself, text, voice, video between 2 or more persons are all working great. As for clients the latest version of ichat and pidgin(text only) are being used. The only problem is the lack of file transfer between ichat clients.
    (3)The server is behind a router (YAMAHA RTX 1200). I am 100% sure that the router is correctly configured to allow packets in and out of the port 5190 and 7777, among the other necessary ports. All the other ports are open and working correctly. I also manually disabled the firewall of a windows7 laptop and tested packet transfers on both ports and both worked fine.
    (4)As I said before, the server is inside my university lab. I made sure that all ports between 1023~65535 are open in the university gateway/backbone network.
    Below are the firewall (IPFW) settings before flushing (tried configuring using both GUI and CUI, and both returned the same results)
    sudo ipfw l
    Password:
    00001 allow udp from any 626 to any dst-port 626
    01000 allow ip from any to any via lo0
    01010 allow udp from any to any dst-port 5190
    01030 allow tcp from any to any dst-port 5190
    12300 allow tcp from any to any established
    12301 allow tcp from any to any out
    12302 allow tcp from any to any dst-port 22
    12302 allow udp from any to any dst-port 22
    12303 allow udp from any to any out keep-state
    12304 allow tcp from any to any dst-port 53 out keep-state
    12304 allow udp from any to any dst-port 53 out keep-state
    12305 allow udp from any to any in frag
    12306 allow tcp from any to any dst-port 311
    12307 allow tcp from any to any dst-port 625
    12308 allow icmp from any to any icmptypes 8
    12309 allow icmp from any to any icmptypes 0
    12310 allow igmp from any to any
    12311 allow tcp from any to any dst-port 5190
    12311 allow udp from any to any dst-port 5190
    12312 allow tcp from any to any dst-port 5222
    12313 allow tcp from any to any dst-port 5223
    12314 allow tcp from any to any dst-port 5269
    12315 allow udp from any to any dst-port 5297,5678
    12316 allow tcp from any to any dst-port 5298
    12316 allow udp from any to any dst-port 5298
    12317 allow udp from any to any dst-port 16384-16403
    12318 allow udp from any to any dst-port 5060
    12319 allow tcp from any to any dst-port 7777
    12320 allow tcp from any to any dst-port 8008
    12321 allow tcp from any to any dst-port 8443
    65535 allow ip from any to any
    And after flushing
    sudo ipfw l
    Password:
    65535 allow ip from any to any
    In either case ports that are being listened are listed below.
    netstat -na | grep LIST
    tcp46 0 0 *.5269 *.* LISTEN
    tcp46 0 0 *.5223 *.* LISTEN
    tcp46 0 0 *.5222 *.* LISTEN
    tcp4 0 0 127.0.0.1.5347 *.* LISTEN
    tcp46 0 0 *.5900 *.* LISTEN
    tcp4 0 0 *.88 *.* LISTEN
    tcp6 0 0 *.88 *.* LISTEN
    tcp4 0 0 *.311 *.* LISTEN
    tcp4 0 0 192.168.2.96.53 *.* LISTEN
    tcp4 0 0 *.3659 *.* LISTEN
    tcp4 0 0 *.106 *.* LISTEN
    tcp4 0 0 *.3659 *.* LISTEN
    tcp4 0 0 *.106 *.* LISTEN
    tcp4 0 0 127.0.0.1.54 *.* LISTEN
    tcp4 0 0 127.0.0.1.53 *.* LISTEN
    tcp4 0 0 *.749 *.* LISTEN
    tcp4 0 0 *.389 *.* LISTEN
    tcp6 0 0 *.389 *.* LISTEN
    tcp4 0 0 *.22 *.* LISTEN
    tcp6 0 0 *.22 *.* LISTEN
    tcp4 0 0 *.548 *.* LISTEN
    tcp6 0 0 *.548 *.* LISTEN
    tcp4 0 0 *.625 *.* LISTEN
    tcp4 0 0 127.0.0.1.631 *.* LISTEN
    tcp6 0 0 ::1.631 *.* LISTEN
    As you can see my firewall settings are not being reflected on the actual server firewall.
    Is there any way I could just force the server into listening on the port?
    If necessary I can post screenshots of every ichat server/firewall configuration tab from the Server Admin GUI.
    Thanks in advance for any help/support.

    First off, realize there is no association between your firewall rules and netstat.
    Just because your firewall is letting traffic in that does not mean it will appear in your netstat.
    netstat -a will show you a list of ports that are in use - i.e. there is some process listening to (or writing to) that port. That is independent of whether the firewall permits the traffic (e.g. the firewall could well allow traffic in on 5190, but unless there's a process listening to 5190 you won't see it in the netstat).
    Secondly, IIRC iChat file transfers are client-to-client therefore it might not be your server, or your server's firewall or your server's network that's the issue - the client will need to have a firewall configured to allow incoming traffic from other iChat clients.
    Does that help shed some light on things? (it isn't clear whether your post is referring to the server or the client side of things).
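
The distinction drawn in the reply above (a firewall allow rule does not create a listener), as an added example that is not part of the original thread: it cross-checks `ipfw` allow rules against `netstat` LISTEN lines. The sample input is abridged from the listings in the question; the function names are hypothetical, and the rule parser assumes only the simple `allow <proto> from any to any dst-port ...` shape shown there.

```python
# Abridged from the `sudo ipfw l` listing in the question.
IPFW_RULES = """
01010 allow udp from any to any dst-port 5190
01030 allow tcp from any to any dst-port 5190
12300 allow tcp from any to any established
12302 allow tcp from any to any dst-port 22
12304 allow tcp from any to any dst-port 53 out keep-state
12312 allow tcp from any to any dst-port 5222
12313 allow tcp from any to any dst-port 5223
12315 allow udp from any to any dst-port 5297,5678
12317 allow udp from any to any dst-port 16384-16403
12319 allow tcp from any to any dst-port 7777
65535 allow ip from any to any
"""

# Abridged from the `netstat -na | grep LIST` output in the question.
NETSTAT = """
tcp46 0 0 *.5223 *.* LISTEN
tcp46 0 0 *.5222 *.* LISTEN
tcp4 0 0 127.0.0.1.5347 *.* LISTEN
tcp46 0 0 *.5900 *.* LISTEN
tcp4 0 0 *.22 *.* LISTEN
tcp6 0 0 *.22 *.* LISTEN
tcp4 0 0 127.0.0.1.631 *.* LISTEN
tcp6 0 0 ::1.631 *.* LISTEN
"""

LOOPBACK = {"127.0.0.1", "::1"}


def expand_ports(spec):
    """Expand an ipfw port spec such as '5297,5678' or '16384-16403'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_ipfw(text, proto):
    """Return (ports explicitly allowed inbound for proto, default-allow seen)."""
    explicit, default_allow = set(), False
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "allow":
            continue
        rule_proto, rest = tok[2], tok[3:]
        if "out" in rest:                      # outbound-only rule
            continue
        if "dst-port" in rest:
            if rule_proto == proto:
                explicit |= expand_ports(rest[rest.index("dst-port") + 1])
        elif rule_proto in ("ip", "all") and rest == ["from", "any", "to", "any"]:
            default_allow = True               # e.g. rule 65535
    return explicit, default_allow


def parse_listeners(text):
    """Map listening TCP port -> set of local bind addresses."""
    listeners = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].startswith("tcp") or tok[-1] != "LISTEN":
            continue
        addr, _, port = tok[3].rpartition(".")  # BSD style: address.port
        listeners.setdefault(int(port), set()).add(addr)
    return listeners


def audit(rules_text, netstat_text):
    explicit, default_allow = parse_ipfw(rules_text, "tcp")
    listeners = parse_listeners(netstat_text)
    reachable = {p for p, addrs in listeners.items() if addrs - LOOPBACK}
    return {
        # Holes in the firewall with no process behind them.
        "allowed_but_not_listening": sorted(explicit - set(listeners)),
        # Non-loopback listeners that only the default rule lets through.
        "listening_without_explicit_rule": sorted(reachable - explicit),
        "default_allow": default_allow,
    }


if __name__ == "__main__":
    for key, value in audit(IPFW_RULES, NETSTAT).items():
        print(f"{key}: {value}")
```

On this sample, 5190 and 7777 are allowed but have no listener, while 5900 is listening on all addresses and is covered only by the final `allow ip from any to any` rule.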

  • ISE and WLC dynamic interface group assignment ?

    I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
    Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
    TIA

    I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
    This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
    Edit:
    Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

  • WLAN Controller learning IP/MAC on wrong virtual interface

    Hello
    I believe since I upgraded my WiSM to 7.0.250.0 it is learning a MAC address on the wrong virtual interface.
    The setup:
    - a Linux server with 2 virtual interfaces, both use the same MAC address, one is the gateway of VLAN 116 and one is the gateway of VLAN 240
    - a WiSM with several virtual interfaces, including one in 116 and one in 240
    Here the arp table with the problem:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     240    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    And here after I made a PING from the controller to the listed ip address:
        MAC Address        IP Address     Port   VLAN   Type
    00:50:56:BD:32:92   172.16.240.9     29     240    Host
    00:1E:4A:FA:87:8B   172.16.102.12    29     0      Permanent
    00:1E:4A:FA:50:0B   172.16.102.13    29     0      Permanent
    00:1E:4A:FA:81:2B   172.16.102.14    29     0      Permanent
    00:50:56:BD:32:92   172.16.116.9     29     116    Host
    00:1D:E0:31:55:23   172.16.116.185   29     116    Client
    38:E7:D8:D3:7C:FA   172.16.118.92    29     116    Client
    58:94:6B:68:50:E8   172.16.118.201   29     116    Client
    1C:B0:94:B7:38:08   172.16.118.234   29     116    Client
    18:AF:61:12:E9:FB   192.168.1.59     29     117    Client
    Has anybody else the same problem?
    The host 172.16.116.9 is also the configured DHCP server on VLAN 116.
    Is there a way to statically configure this IP address on that VLAN? Because it causes every few days a service outage on that VLAN (which is bound to an SSID).

    Yup, I'd say still valid. Seeing as it is the gateway, if it had different mac addresses per interface, it might still work.
    No, clients in the same subnet can communicate, but it is not recommended to 'bridge' wired and wireless with a WLC. The WLC doesn't like to bridge the communication by default, though there are work arounds.
     I might also say that as it uses the same MAC address for both virtual interfaces L2 is going to be messed up as each time there were an ARP the entry would change.
    Take a look and see if you can manually change the mac for one of the interfaces and test again.
    HTH,
    Steve

  • Clarification regarding WLC 's interfaces

    Hi Netpros,
    I am about to deploy WLC and LWAPP solution. I have only done Autonomous setup in the past and so would appreciate some clarification regarding the below points:
    1.- switch port connected to LWAPP access points must be an access port (not trunk) correct ?
    2.- switch port connected to WLC 44+ must be a trunk (assuming I need to map SSID to different vlans) correct ?
    3.- WLC 44+ port can only be connected to a gigabit port .. so I can't change its speed in order to connect it to a fastethernet port .. correct ?
    4.- What exactly is Management interface, service port, AP manager ..etc so many names I am getting confused.
    5.- What is layer 2 and layer 3 mode .. I am also confused here.
    6.- If I want all my LWAPP access points on vlan 10 (for argument sake) .. which WLC's interface do I need to place on vlan 10 in order for the access points to register ? I want to have LWAPP and WLC on the same vlan but with so many interface names I don't know which one I have to use (AP manager ? perhaps )
    7.- If I want SSID 1 (vlan 11), SSID 2 (VLAN 22). How do I configure the WLC interfaces (which one do I need to use .. create ..?) so that clients using SSID 1 can communicate on its respective VLAN 11
    8.- Microsoft IAS and PEAP .. do I need to set up every access point as radius client ? or do I only need to configure the WLC as radius client .. and if so which WLC interface's IP address do I need to use on the radius server (IAS)
    I apologize for so many questions and really appreciate your feedback which - as always - I am sure will make things clear.
    Cheers,

    1.- switch port connected to LWAPP access points must be an access port (not trunk) correct ?
    (A) Correct, Cisco recommends no more than 70 or so APs per VLAN. You can do more than 70 and in fact put all of your APs in the same VLAN. But if the controller ever goes dark it could take a bit longer for the APs to join.
    2.- switch port connected to WLC 44+ must be a trunk (assuming I need to map SSID to different vlans) correct ?
    (A) Yup yup. You can trunk the switch or Echannel it and use LAG on the controller.
    3.- WLC 44+ port can only be connected to a gigabit port .. so I can't change its speed in order to connect it to a fastethernet port .. correct ?
    (A) Yup yup. again. GIG only. Won't connect otherwise.
    4.- What exactly is Management interface, service port, AP manager ..etc so many names I am getting confused.
    (A)
    Manager is the IP address you will use to manage the controller. It's the way the controller sees the world.
    AP Manager is used for the APs to phone home to. This interface is not pingable. Nothing special with this interface.
    Service Port ... think about out of service management for the WLC. Suppose you lose network connection to the WLC manager interface. You can jack right into the service port. I have also put this on the network before so you can still access the WLC remotely.
    5.- What is layer 2 and layer 3 mode .. I am also confused here.
    (A)
    Layer 2 --- Think about deploying your entire WLAN on one subnet. So your APs and WLC are all in the same subnet.
    Layer 3 -- This is used when you have your APs on other subnets etc.
    You can actually console into the LWAPP AP during the join process. You will see the AP send a 255.255.255.255. This is a join attempt by the AP to find a controller on its subnet.
    6.- If I want all my LWAPP access points on vlan 10 (for argument sake) .. which WLC's interface do I need to place on vlan 10 in order for the access points to register ? I want to have LWAPP and WLC on the same vlan but with so many interface names I don't know which one I have to use (AP manager ? perhaps )
    (A) The beauty of the WLC is you don't have to have the APs on the same VLAN as the controller, unless u are layer 2. The access layer the APs are on just needs to be routable to the AP interface.
    7.- If I want SSID 1 (vlan 11), SSID 2 (VLAN 22). How do I configure the WLC interfaces (which one do I need to use .. create ..?) so that clients using SSID 1 can communicate on its respective VLAN 11
    (A)
    You map the SSID to VLAN under the WLANs tab. You create the wired side info (VLANs) under the controller tab.
    8.- Microsoft IAS and PEAP .. do I need to set up every access point as radius client ? or do I only need to configure the WLC as radius client .. and if so which WLC interface's IP address do I need to use on the radius server (IAS)
    (A) Advantage of the WLC, you use the WLC as the client to a RADIUS server. The management address..
    I apologize for so many questions and really appreciate your feedback which - as always - I am sure will make things clear.
    Cheers,

  • CSS- traffic orignating from real server + Virtual interface

    Hi all,
    I am designing a solution at the moment, in which I shall have 2 servers behind a pair of CSS & their default gateway will be the Virtual Interface ip address of CSS.
    Is there any problem foreseen in traffic getting initiated from the server to any other subnet in the network and the return traffic to the server?
    Servers shall connect to a pair of 3750 being used as L2 in stack .
    The Stacked 3750's shall be placed below the CSS pair & the CSS pair shall further connects to a single 6509 upstream....
    Each 3750-L2 connects single port to each CSS
    (3750-L2-1 to CSS1 &
    3750-L2-2 to CSS 2)
    Both CSS connect to the SINGLE 6509 on diff blades, for better redundancy.
    The CSS shall not be connected to each other directly.
    Both 3750-L2 connect to each other as well
    IIS-1---L2_Sw1---CSS1---6509---Othr_Subent
    IIS-1---L2_Sw2---CSS2---6509---Othr_Subent
    Note: I shall have VIP/Virtual Interface config on my CSS's.
    Appreciate validation and recommendations on this design.
    Many Thanks,
    gagan

    Hi Gilles,
    Many thanks for the confirmation.
    Request verification on the below as well~
    1. With the above scenario, I do not require any group (NAT) configuration, either for my servers initiating traffic for going out or for clients hitting the VIP to reach servers. The client & server shall be in diff VLANs of course.
    2. With VIP & Virtual Interface configuration & couple of server VLAN's below on server side, I should be able to use both the gigabit interfaces on the 11503 to connect up and down stream as TRUNK. I mean to ask Virtual intf. & VIP has no problems working on the same TRUNK interface?
    3. I understand that Fate sharing and critical service helps full failover (client & server side).
    As an upstream router or L3 switch fails or the upstream connecting gigabit interface on CSS fails, the failover happens.
    Will the same be applicable to downstream L2 switch & CSS interface failure? If any of these on the downstream fails will the CSS failover to the standby unit.
    I think this above should work, just need confirmation coz I have not done this before.
    Thanks a lot again,
    Gagan

  • How to set a different listener on port 465 for SMTPS?

    The idea is being able to manage both plain and secure SMTP while reconfiguring all clients for SMTPS.
    How would you go about this?
    I have
    - created new Ip interface + listener
    - created SMTP authentication profile
    - created a new policy that requires TLS / SMTP Authentication
    I am unable to send mail and I don't receive clear messages as to why it isn't working.

    AFAIK, IronPort only supports TLS (which is port 587) and if you try to enable 465 just to accommodate SSL (for those that are using old broken MUA) it won't work.

  • Listener ( lsnrctl ) - stop and start just one instance

    Hey all. I have an Oracle 9.2 installed over a Linux Red Hat 4.0 64 bits server.
    Some Virtual Machines will connect in some databases installed in my Oracle server. My listener has one instance for each database like this:
    SID_LIST_LISTENER =
    (SID_LIST =
    (SID_DESC =
    (GLOBAL_DBNAME = VM01)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM01))
    (SID_DESC =
    (GLOBAL_DBNAME = VM02)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM02))
    (SID_DESC =
    (GLOBAL_DBNAME = VM03)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM03)))
    LISTENER =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(KEY = VM01))
    (ADDRESS = (PROTOCOL = IPC)(KEY = VM02))
    (ADDRESS = (PROTOCOL = IPC)(KEY = VM03)))
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1521)))))
    And my tnsnames:
    VM03 =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1521)))
    (CONNECT_DATA =
    (SERVICE_NAME = VM03)))
    VM02 =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1521)))
    (CONNECT_DATA =
    (SID = VM02)))
    VM01 =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1521)))
    (CONNECT_DATA =
    (SERVICE_NAME = VM01)))
    I need to start and stop just one instance (VM01 or VM02 or VM03). I really can't stop all instances when I need to stop just one. And more, if I have to create another instance I will have to stop the listener... and I can't because other people are using your instance...
    Do you know how to help me?
    Thanksssssss

    You still use listener.ora, just create 3 listeners, one for each instance:
    listener.ora:
    LISTENER_VM01 =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(HOST = lab2)(KEY = VM01))
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1521)))))
    SID_LIST_LISTENER_VM01 =
    (SID_LIST =
    (SID_DESC =
    (GLOBAL_DBNAME = VM01)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM01)))
    LISTENER_VM02 =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(HOST = lab2)(KEY = VM02))
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1522)))))
    SID_LIST_LISTENER_VM02 =
    (SID_LIST =
    (SID_DESC =
    (GLOBAL_DBNAME = VM02)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM02)))
    LISTENER_VM03 =
    (DESCRIPTION_LIST =
    (DESCRIPTION =
    (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = IPC)(HOST = lab2)(KEY = VM03))
    (ADDRESS = (PROTOCOL = TCP)(HOST = lab2)(PORT = 1523)))))
    SID_LIST_LISTENER_VM03 =
    (SID_LIST =
    (SID_DESC =
    (GLOBAL_DBNAME = VM03)
    (ORACLE_HOME = /opt/oracle/product/9.2.0)
    (SID_NAME = VM03)))
    Then, when you need to stop the connections to only one instance, you stop the corresponding listener:
    lsnrctl stop listener_vm02
    lsnrctl start listener_vm02
    For each instance you need to configure the parameter local_listener:
    sys@VM01> alter system set local_listener=listener_vm01;
    sys@VM02> alter system set local_listener=listener_vm02;
    sys@VM03> alter system set local_listener=listener_vm03;
    And register in tnsnames.ora:
    listener_vm01=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=lab2)(PORT=1521)))
    listener_vm02=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=lab2)(PORT=1522)))
    listener_vm03=
    (DESCRIPTION=
    (ADDRESS=(PROTOCOL=tcp)(HOST=lab2)(PORT=1523)))
    It's a recommended configuration for the flexibility it provides; it requires a different port for each listener, but you don't need to edit the listener.ora file each time you need to stop the connectivity to only one instance.
