Workaround ACL limitation WiSM
Hi all,
ACLs configured on WiSM got a limitation of 64 lines. If I have FWSM on the same chassis, is there any way to offload the ACL function to FWSM? This will enable more than 64 lines ACL. If that's not possible, what is the workaround? Cannot summarise any existing statements :(
thanks,
Janesha
HW/Software Specs
WCS ver5.0.56.2
2 6 Firewall Module WS-SVC-FWM-1
7 2 Supervisor Engine 720 (Active) WS-SUP720-3B
8 2 Supervisor Engine 720 (Hot) WS-SUP720-3B
10 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
11 10 WiSM WLAN Service Module WS-SVC-WISM-1-K9
Thanks for pointing that out. Did not realise that I was in the wrong forum.
I think I will try wireless forum first which I should have done in the first place!!!
Similar Messages
-
Is there a way to import ACL into WiSM
I was trying to find an easier way to import ACLs into WiSM or WCS.
Any thoughts?
From where?
From another WLC/WiSM? Yes you can (as long as you have the same firmware versions).
From another appliance? I don't think so. -
XCOPY folder with ACL - limited user
Hi there,
I created another post
Here, but i think that's the wrong place for it. Apologies for double posting.
I am trying to get one of my "limited user" to run a batch file which creates a folder from a template folder. Template folder has specific ACLs, but the user attempting to run it receives "Access is denied"
batch content:
xcopy "\\server\templatefolder" "\\server\newfolder\" /O /X /E /H /K
The user running this batch is a limited user (Domain user but not part of the Local admin group)
Windows 7 x64bit
UAC is turned on
Software Restriction Policy is in place but this particular batch file is allowed to run
Apparently "/O" what triggers "Access is Denied". Any idea what permissions the user needs in order to run with "/O"? Adding the user to administrators, domain admin group is out of the question.
I tried changing the ownership of the template folder to that user, no go.
Thank you,
Hi,
First I would like to know if the issue is denied in copy files from the source folder, or copy files to the target folder.
To confirm you can give the user full control on target folder and try again.
And if "Apparently /O what triggers Access is Denied" means you have already confirmed that it is the source folder, what's the current user permission?
I think it is easy for testing - create a test user with same permission as the "limited user", give it 1 permission at a time to find out the exact missing one.
/O means "Copies file ownership and ACL information" so I think "Read permission" is needed. "Read attributes" may also be needed. I'll go and do a test as well.
-
Workarounds of 32K-limitation in jdbc:kprb needed!
Hello ALL.
Can you help me with solution of workarounds the limitation in jdbc:kprb(internal driver) for stored java?
I try to put large string more than 32K into LONG field type using internal driver and Java Stored Procedure.
And I get the error: "Data size bigger than max size for this type"
I get this error in oracle 9.2.0.1.
But it works in oracle 10.2.0.1.
=========================================================
Here is the example:
import oracle.sql.CLOB;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.io.Reader;
import java.io.CharArrayReader;
import oracle.jdbc.pool.OracleDataSource;

public class LongTest {
    public static void insertLong(String source, int counts)
            throws Exception {
        // Server-side internal (kprb) driver: uses the session's own connection.
        Connection conn = DriverManager.getConnection("jdbc:default:connection:");
        // Build a string made of counts copies of source.
        StringBuffer stringBuffer = new StringBuffer();
        for (int i = 0; i < counts; i++) {
            stringBuffer.append(source);
        }
        Reader reader = new CharArrayReader(stringBuffer.toString().toCharArray());
        // String st = stringBuffer.toString();
        PreparedStatement pst = null;
        try {
            pst = conn.prepareStatement("insert into TEST_LONG (ldata) values (?)");
            // Stream the value into the LONG column instead of binding a String.
            pst.setCharacterStream(1, reader, stringBuffer.length());
            // pst.setString(1, st);
            pst.execute();
        } finally {
            if (pst != null) {pst.close();}
        }
    }
}
=========================================================
Here is table:
create table test_long (ldata long)
=========================================================
Here is the procedure:
create or replace procedure long_test (p_source varchar2, p_counts number) as
language java
name 'LongTest.insertLong(java.lang.String, int)';
=========================================================
Here is the test block:
begin
LONG_TEST('q', 33000);
end;
=========================================================
Thanx!
Please, help me with solution...
Is it possible use oci driver from Java Stored Procedures? And how?
Thanx -
IPv6 ACL host limitation also for private network?
Hello,
I'm using a cisco WS-C3750G-24TS-1U 12.2(44)SE5. I know the IPv6 ACL limitations for this hardware.
However, I think that private network(fc00::/7) should not be the case. In my case, I'm using EUI addresses.
switchcore(config-ipv6-acl)#permit tcp any host 2001:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
switchcore(config-ipv6-acl)#permit tcp any host 3FFF:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
switchcore(config-ipv6-acl)#permit tcp any host fdc8:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
% Host address FDC8::222:64FF:FEC2:1F5A can not be supported
% ACE can not be added
% Failed to modify access list
switchcore(config-ipv6-acl)#permit tcp any host fc00:0:0:0:222:64ff:fec2:1f5a eq www sequence 20
% Host address FC00::222:64FF:FEC2:1F5A can not be supported
% ACE can not be added
% Failed to add access list
Is IOS right?
Hum... yes, you are right. I missed this point. Thanks.
Anyway, "Private Network" would fit very well in this list
–aggregatable global unicast addresses
–link local addresses -
How many ASA 5520 ACL limit.
Hello all,
I want to understand the ASA 5520 ACL limitation as max ACEs.
In the FWSM case it is in the "rule limits" section of the following link.
http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/specs_f.pdf
But in the ASA case, I can't find this information.
Where is this limitation in CCO?
thanks.
Balaji
The right way is to quantify the ACE limit and not ACL limit as a single ACL can have many entries in it.
Have a look at the link below for FWSM:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/specs_f.html#wpxref93963
Also look at the link below. Look at the Q&A for "Can you increase memory in order to store more Access Control Lists (ACLs)?". It also discusses a feature called "ACL optimization", which was released in FWSM OS Version 4.0.
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml
To view the total number of rules available, the default values, current rule allocation, and the absolute maximum number of rules you can allocate per feature, enter the following command:
hostname(config)# show resource rule
Regards,
RP -
How long can be URL in Go to URL when calling SSRS report?
Hi
I am facing issues when calling a report using go to URL. I have 6 cascading multiple value parameter in one of my report and from this I am calling another report by passing all these parameters using java script in go to URL option. Since I am passing all these multiple value parameter my report URL is exceeding up to 5000 to 7000 characters long. This is not working at all as max characters in URL are allowed to be 2048.
Is there any work around to pass all these multiple value parameter using go to URL option?
I thought of using Go to report instead but our business is not allowing to this.
Thanks!
Bhushan
Hi Bhushan,
As you may know, Microsoft Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters. Internet Explorer also has a maximum path length of 2,048 characters. This limit applies to both POST request and GET request URLs.
For more details, please see:
Maximum URL length is 2,083 characters in Internet Explorer
I am afraid it is a limitation in IE, so I would suggest you ask the questions to IE forum:
http://social.technet.microsoft.com/Forums/ie/en-US/home?category=internetexplorer threads to seek further assistance. There are many IE experts who may help workaround the limitation.
Thank you for your understanding.
Regards,
Katherine Xiong
TechNet Community Support -
Hi,
LV 8.2.1 Error 66 or 1379 occurred at open Application Reference. A LV 8.2.1
Using:
Application access an other LV application on an remote PC with Vi-Server Technology. (Based on MS OS Windows XP SP2 with all patches ...)
With LabVIEW 8.2.1 it is not possible (exactly: with one PC it works, with other PCs (identical regarding configuration of LabVIEW-Components) the described errors occurred) ...
There is no problem with LV 7.1.1. ( If the VI-Server Configuration of the .exe will be done within the .ini -File...)
The differences between LV 7.1.1 are in the .ini-File of the application regarding the access-List property.
Error 66 occurs if there is no entry in the access-List property.-> OK.
Error 1379 occurs if I will use the copy of the LV .ini-File acl-property with allowed access from all clients (*) or special clients defined with IP-Address ... -> BUG
The same behaviour is described in 2 threads in the discussion forum ..., but in my application/configuration the workaround acl.configuration: "allow access from all clients" will work only with one PC ?
So what is the solution ?
At this moment I go back to LV 7.1.1, but this is surely not the solution ....
Thanks for help ....
Hi!
I have also found following discussion in the forum.
But the problem for Error 1379 lies in LabVIEW 8.2.1 and VI Server.
This is a known bug. This bug should be fixed in a future version.
The problem is that the IP address in the could not be resolved into a machine name.
Workaround:
This program works in 7.1 so the only option right now is to use 7.1 instead of 8.2.1.
Plamen
Message Edited by Support on 10-31-2007 08:59 AM
National Instruments Germany
Application Engineer -
I cannot connect to the WiFi at my library using iPad 2 64 GB 3G.
I have an iPad 2 64GB with 3G (Verizon). This is my only computer. I only have a regular cell phone, not an iPhone or smart phone. I don't have an iPod either. The only way I access the Internet is through 3G. Not being computer savvy, I thought this would be the easiest method. Are there many others out there like me? Things seemed to be more geared toward WiFi. I guess the 3G was meant only for people on the go who could not access WiFi, such as in a moving car? Just using 3G seems to have many limitations I did not realize. For example, the only reason I had to go to the library to try to connect to their WiFi was because I could not install an update to Skype. When I tried to install the update using 3G, I got a message saying it was over 20 MB and had to be done via WiFi, which I do not have. I connected to the WiFi at my local library, but I kept getting message that I could not connect to Internet. It's weird, because it did show I was connected to the library WiFi in General settings. It is a bit frustrating to have to go to a hotspot to download anything that is 20MB or larger. I would get WiFi, but I don't want to buy a laptop or desktop. I was told that a wireless router has to be first set up with a laptop or desktop and not an iPad. Another limitation is I can't use Facetime with 3G. I can't print using airprint on 3G. I also read that using 3G uses up the battery faster. Downloading a rented film from iTunes would eat up too much of my data plan using 3G. (And it is probably over 20 MB again.) I still haven't been able update to iOS 5.0 because I don't have another computer to connect to iTunes. WiFi seems to be cheaper if you are a heavy user. I only get 20 MB a month for $20. Verizon charges 20 bucks for home Internet connection, but it is unlimited data usage. Sometimes I exhaust my data so quickly, I have to add more data before the month has ended. That gets expensive.
So, my main question was about the public WiFi problem, but I also wanted to detail some of the limitations of using an iPad 2 as your sole computer using 3G. I was able to connect to the Apple store WiFi when I tested it out a while back, so I know it can be done using my iPad. Any hints on how to workaround the limitations of using 3G would also be appreciated. Thanks.
Thanks for the quick response. No, I did not get any error messages or any terms-of-usage screen. The employee I told my problem to was not computer savvy either. She just suggested I move to different spots w/in the library to see if that would make a difference. It didn't. When I connected to the library WiFi it did change the Verizon 3G that is usually in the upper left corner to iPad with two to three emanating arcs. I may have to go to the library in the next town. I was able to connect to theirs in the past when I had to download something greater than 20 MB. Unless I really want it, I will probably not even try to download something more than 20 MB due to the hassle. Yeah, I may have been better off getting a normal desktop or laptop and getting WiFi at home. To do that now would mean having my iPad 2 and a desktop computer, which I feel is extravagant. (I know there are a lot of big spenders out there who got the iPad as additional gadget for fun. This is a rich country.) A Verizon rep told me I couldn't set up a WiFi router at home just using an iPad. So it seems like a person who just uses 3G is limited to surfing the net (not even much YouTube because it eats a lot of data) and using email. I read about an app that helps print wirelessly using 3G, but a reviewer said you had to be an engineer to get it done right. BTW, I like the Steelers. I'm old enough to remember Franco Harris and that blond guy whose name escapes me back in the '70s. Since I live in North Jersey I feel I have to support the Giants. But I know football about as well as computers.
-
Re: (forte-users) Using IN in a direct SQL statement.
Hi,
What does the string in myType look like? You should
be careful with ' and \ as they are used by Forte. I
suggest you post a sample of the myType's value.
Regards,
Peter Sham.
--- Rumen Georgiev <[email protected]> wrote:
Hi folks,
I have a problem when executing direct SELECT
statement against Oracle 7.4, something like that:
SQL SELECT ..... INTO .... FROM ..... WHERE .....
AND
TYPE IN :myType ON SESSION .......
myType is TextData containing a list of possible
values separated by commas. myType is set at run
time.
When executed through SQL*Plus the result is O.K..
When executed through Forte it doesn't return
anything. It seems that either Forte or Oracle
disregards the commas and treats myType as it will
with =,>,<. What makes me think so is that when
myType
holds single value it works. It fails as soon as I
concatenate one more value from the list. Same
happens
when using cursor. I didn't try it with DBSession
methods but I assume the result will be the same. I
can't use EXECUTE IMMEDIATE because I expect result
set(INTO). So far the only way I can think of is a
WHILE loop for every single value from the list.
Any ideas, comments or workarounds?
Thanks in advance.
Rumen
For the archives, go to:
http://lists.sageit.com/forte-users and use
the login: forte and the password: archive. To
unsubscribe, send in a new
email the word: 'Unsubscribe' to:
[email protected]
=====
rumen, peter,
Database placeholder substitution is only available for atomic value,
ie. myType can only be CI, or NG, or MS.
There are many ways to workaround this limitation, such as defining
your select statement to contain the IN clause before doing the DBprepare.
hope this helps,
linh ...
-----Original Message-----
From: Peter Sham [mailto:[email protected]]
Sent: Tuesday, October 12, 1999 5:57 PM
To: Rumen Georgiev; [email protected]
Subject: Re: (forte-users) Using IN in a direct SQL statement.
Hi,
Maybe try this:
myType.setValue('(\'CI\',\'NG\',\'MS\')');
Regards,
Peter Sham.
--- Rumen Georgiev <[email protected]> wrote:
Peter,
I tried a couple of things to no avail. The simplest
one is like this:
myType.SetValue('\'CI\',\'NG\',\'MS\'');
It works if I do
myType.SetValue('\'CI\'');
Same is valid if myType is declared as a String.
-
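The placeholder behaviour discussed in the forte-users thread above (a bind value is atomic, so a comma-separated list bound to one placeholder is compared as a single string), shown as an added example that is not part of the original messages. It uses Python's sqlite3 in place of Forte and Oracle, and the `items` table, its rows and the function names are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the "items" table and its columns are hypothetical.
ROWS = [(1, "CI"), (2, "NG"), (3, "MS"), (4, "ZZ"), (5, "'CI','NG'")]


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, type TEXT)")
    conn.executemany("INSERT INTO items (id, type) VALUES (?, ?)", ROWS)
    return conn


def single_bind(conn, list_text):
    """The form that fails in the thread: the whole list bound to one placeholder.

    The database receives list_text as one string value, so commas and quotes
    inside it are data, not SQL syntax.
    """
    cur = conn.execute(
        "SELECT id FROM items WHERE type IN (?) ORDER BY id", (list_text,)
    )
    return [row[0] for row in cur]


def parse_list(list_text):
    """Split run-time text such as "'CI','NG','MS'" into separate values.

    Assumes values contain no commas; surrounding quotes and spaces are dropped.
    """
    parts = (p.strip().strip("'") for p in list_text.split(","))
    return [p for p in parts if p]


def select_in(conn, values):
    """Put the IN list into the statement text before preparing it.

    Only "?" markers are written into the SQL; every value is still bound.
    """
    values = list(values)
    if not values:
        return []  # an empty "IN ()" is rejected by many databases
    marks = ", ".join(["?"] * len(values))
    sql = f"SELECT id FROM items WHERE type IN ({marks}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, values)]


if __name__ == "__main__":
    db = make_db()
    text = "'CI','NG','MS'"
    print("one placeholder, whole list:", single_bind(db, text))
    print("one placeholder, one value: ", single_bind(db, "CI"))
    print("one placeholder per value:  ", select_in(db, parse_list(text)))
```

Because the values stay bound, a list entry that itself contains quotes or commas is matched as a literal string and never becomes part of the statement.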
Is there a way to stop the port from reauthenticating when a device fails to open? I am trying to set up low-impact mode on a wired network. And I have some WYSE terminals that I don't want to authenticate to the network so I would like them to fail open with an ACL limiting their access. However the switch continues to try and authenticate the device even after it has failed authentication. This is causing my logs on ISE to be full of bogus authentication failures. Is there a way to limit those errors or the switchport from trying to reauthenticate? Below is the switchport config.
switchport access vlan 33
switchport mode access
switchport voice vlan 233
ip access-group ACL-DEFAULT in
authentication event fail retry 1 action next-method
authentication event server dead action authorize vlan 33
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
Hi Nicolas,
You can configure a Restricted VLAN using the command "authentication event fail action authorize vlan (number)" and limit the access for that vlan using ACLs.
You can refer to
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_58_se/configuration/guide/sw8021x.html#wp1179086 for more info.
HTH,
Regards,
Kush -
I want to do EAP authentication (802.1x) authentication by the client installed on Virtual machine. I want to bypass EAP authentication (802.1x) on Host machine, because I wanted to test it on the client in VM not on the host machine. For wifi it works fine because I can have a USB wifi NIC which connects to VM directly and the authentication goes fine as host machine NIC does not come into the picture at all.
But in case of wired, VM NIC has to go via Host NIC.
Hello,
I managed to do that with a VM and a host, both authenticating in wired, behind a phone. The host would receive an ACL limiting its traffic to just internet and the VM could access the internal network. (do not ask to discuss the use case).
The considerations were that :
both host and VM would need to be on the same dynamically assigned VLAN, as 2960/3750 do not support two DATA domain hosts in different vlans (3850 apparently supports or will support it), so I had to have 802.1X both on host and in VM.
the VSwitch in VMworkstation had to be in bridge mode.
authentication mode multiauth had to be enabled in the interface in order to cope with multiple authenticated sessions behind the same interface.
What is exactly your question?
Gustavo -
Modify WavesetResult in a custom adapter
Hello,
I have a custom adapter which extends the standard LDAP one.
In the realUpdate method I do some custom processing to effectively update the cn (naming attribute) to workaround this limitation of the standard LDAP adapter:
protected void realUpdate (WSUser user, WavesetResult result) throws WavesetException {
    super.realUpdate(user, result);
    // some custom processing here
}
what I'd like now is to get rid of the information message saying "Attribute 'firstname' maps to 'cn' on {2}. Modifying naming attribute 'cn' is not supported. 'cn' not updated." Since the cn is actually modified. I've seen that it is stored in the "result" object (result.getResults().toString() shows it in the trace)
I tried several things:
- result.remove* methods => java.util.ConcurrentModificationException !
- result = new WavesetException(); => no effect, the message still appears after the "Save" button is clicked...
of course I tried these things at the end of the custom method, not before the super.realUpdate() call ;-)
I'm running out of ideas there. Can someone help me?
Thanks.
Do you thoroughly understand the reason why the adapter refuses to modify the CN attribute?
If so, redefine the following method in the adapter:
protected boolean addAttributes(LDAPObject ldapObject, WSUser user, String operation, WavesetResult result) -
Hello,
When booting from SAN in UCS, what's the best practice when creating the Storage Groups in the disk array?
For instance, VMware: is it best-practice to have one storage group for each ESXi and add its own ESXi Boot LUN (id=0) plus the VM datastore LUNs needed?
Do other environments (Linux, Windows, Hyper-V) have anything special in these terms with which to take care of?
Thanks,
It's a security issue. Because the LUN ID can be changed easily on the host, you could essentially clobber the wrong LUN if your server admin mistakenly changed the LUN ID. Also, once a host is booted up, it will be able to see & access every LUN within the storage group regardless of LUN ID. The significance of the LUN ID matches the host only impacts a host trying to SAN boot.
The two main forms of security enforced in Storage are Zoning and Masking.
Zoning - done on the storage switch, acts like an ACL limiting the scope of what a zone's members can see. A zone will normally only contain one host and the target WWNs. **Who can I see**
Masking - done on the storage array limits "what" LUNs a host has access to. This is done in the form of Storage groups. **What can I access**.
Circumventing either poses a great risk at data corruption/destruction since various operating systems can only read their native file systems. Ex. If you had all your hosts in one storage group (ESX, Windows etc) and tried to only separate them by a LUN ID, a simple 1-digit change of the boot target LUN ID on the initiator could cause a host to not read the filesystem and potentially write a new signature to the disk - overwriting your existing data. Windows can't read a linux partition and vice-versa.
Follow these best practices and your data will be much safer & secure.
Regards,
Robert -
How to use CMP with Inheritance?
I've a thorny problem with 2 EJBs which I hope I can use CMP for persistence.
I'm supposed to implement a web-based forum and I'm thinking of using a ForumThread entity bean and a ForumReply entity bean to store the postings/messages in the forum.
A ForumReply, according to OO design, is the same as a ForumThread (which is the first message of a topic) except that they've a parent thread/reply. So I thought of using Inheritance with the ForumThread as the parent (base) class and ForumReply as the sub (derived) class.
But it seems that CMP in EJB 2.0 does not support this relationship as yet. Is there any way to workaround this limitation without having to remodel the relationship? What should I do in such a situation? Anyone care to share how he overcome this?
It's not quite possible to give up inheritance in OO design simply because EJB 2.0 CMP doesn't support it right? We end up creating bad software design.
So do I have to go back to using Bean Managed Persistence in this case?
I hate CMP. Why don't you use JDO or Hibernate?
Anyway, if you want to do it with CMP, here is your solution: http://www.theserverside.com/resources/article.jsp?l=EJBInheritance