Cisco AAA/Identity/Nac :: CSACS-3415 ACS 5.4 NIC Bonding / Teaming?

May 7, 2013

Does the new UCS hardware change anything? Can we bundle 2 NICs somehow to get interface redundancy? If it is still not possible to configure that in ACS 5 itself: can it eventually be done on the "hardware" level within the appliance firmware (UCS BIOS)? (RHEL would provide NIC bonding... unfortunately it's not accessible from the ACS5 CLI.)


Cisco AAA/Identity/Nac :: ACS 3415 - Users Access Our Site Using VPN Client Connecting To ASA5550

Jun 3, 2013

I currently have a Cisco ACS 3415 appliance with 5.4. Coming from the ACS 4.2 world, I'm having a bit of a struggle creating the following, and I was hoping that if I could be shown clear steps I could duplicate the rest.

I want to create a group, i.e. AIRTEMP, with access time from 7:00am to 5:00pm and add 2 users to the group.

Users access our site using a VPN client connecting to an ASA5550. The ASA and the ACS already communicate with each other.

The ACS 5.4 user guide has me bouncing all over different pages.


Cisco AAA/Identity/Nac :: How To Configure LAN Teaming In ACS 1121

Mar 27, 2011

How to configure LAN teaming in Cisco ACS 1121? My requirement is to have a virtual IP on the server with two physical IPs on the 2 available interfaces in the server.


Cisco AAA/Identity/Nac :: Cannot Import Certificate To CSACS SE 4.2

Mar 2, 2009

I cannot import a certificate from the CA (Certificate Authority). When I attempt to install the certificate on CSACS SE 4.2, the following error occurs during installation: "Unsupported private key file format".


Cisco AAA/Identity/Nac :: CSACS-1121-K9 - Dual NIC

Aug 11, 2011

Is it possible to have dual NICs on ACS v5.2, such as teaming or anything else?

I am thinking of connecting the two NICs on the CSACS-1121-K9 appliance to two switches on the same network, but wondering if it will be possible or not.


AAA/Identity/Nac :: CSACS-1120 - How To Export License From ACS

Jul 22, 2012

I have an ACS appliance that had version 5.1, and I did an upgrade to 5.3 with the latest patch. For some reason, the runtime process got stuck in the (reinitializing and restarting) state. I did the recommended action of performing ACS stop and ACS start, and even a hard reset of the appliance, but it did not cut it. This process turned out to be a bug and it should have been fixed in version 5.3, but it has not, I guess.

I know that acs reset-config will solve the issue, but I have a problem here: the license file will be deleted along with the config, and I cannot find a way to export the license and then import it into the reset ACS hardware. Unfortunately, the license file is not saved anywhere in the company and I cannot afford to lose it. How do I export the license from the appliance (CSACS-1120)?


Cisco AAA/Identity/Nac :: Upgrade CSACS-1121 From ACS 5.2 To 5.4 - Application Initializing?

May 29, 2013

We upgraded a CSACS-1121 from ACS 5.2 to ACS 5.4 with CLI Application upgrade ACS_5.4.0.46.0a.tar.gz FTP. After the ACS reboot, services never start... After 15 hours, we always get the same message:
 
ACS/admin# show application status acs
Application initializing...
Status is not yet available.
Please check again in a minute.
 
We installed patch 5-4-0-46-2.tar.gpg but we got the same issue for 2 hours... What could I do?


Cisco AAA/Identity/Nac :: CSACS-1120 To Active Directory Without Success

Apr 18, 2011

I'm trying to join a brand new CSACS-1120 to our Active Directory without success. The process in itself should be pretty straightforward, but so far no luck.

I've configured the relevant info under "Users and Identity Stores > External Identity Stores > Active Directory".

Active Directory Domain Name: xxx.com
Username/Password : domain administrator account

When I test the connection I get an info dialog "This machine is currently connected to domain xxx.com". After which I try to save changes, which gives a reply "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."

I've noticed in the system log ("show logging system tail") that I get an exception as soon as I enter the AD configuration page, and subsequently every time I perform an action in that section.

Why does the AD join keep on failing, and what does the debug exception I'm getting mean?


Cisco AAA/Identity/Nac :: ACS Memory Utilization Limit With CSACS 1121

Aug 21, 2012

We have 2 CSACS 1121 with Cisco ACS 5.2.0.26.10. The primary server manages 20000+ authentications per day. Its memory utilization increases every day. It is now at 83%. Is there a limit? What will happen when memory utilization reaches this limit? What can we do to purge memory utilization (reboot, service restart)?


AAA/Identity/Nac :: CSACS-1121-UP-K9 - Possible To Upgrade It Being Non Upgrade Part

Sep 10, 2012

Is it possible to upgrade the CSACS-1121-UP-K9 to be a non-upgrade part? We were going to upgrade from a Windows 4.x to the above appliance (version 5.x), but there is now a reason to keep the old Windows version running, therefore we cannot give the new appliance the old ACS's licenses?! So we should have (with hindsight) bought a fresh version of the ACS 5.x rather than an upgrade.


Cisco WAN :: 1841 PPP Multilink Bonding 2x DSL But No Resiliency

Mar 7, 2012

I have a Cisco 1841, c1841-ipbase-mz.124-20.T4.bin, with 2x HWIC-1ADSL-M. I have managed to bond 2x DSL with PPP multilink with the config below, and traffic is being sent equally across both DSL circuits. However, if I disconnect either of the DSL cables, connectivity fails. I was expecting connectivity to continue to work just over the one circuit. [code]


Cisco WAN :: 1841 / Low Throughput Using MLP Bonding Across DSL Lines

Jul 19, 2010

We are bonding two LLU DSL lines using MLP. Our LLU provider supports MLP bonding and we have a few other customers working well on Cisco 1841s, although not such high sync speed lines as this problem site.
 
So the lines work well with no interface errors and sync speeds are very good and evenly matched between the two lines (approx 14Mbps downstream). It's all good - it's great in fact except that it just doesn't work properly! By that I mean we're not seeing the downstream throughput we'd expect. We actually get the downstream throughput of less than a single DSL line, so about 12Mbps. Upstream bonded throughput is fine and in line with the sync speeds.
 
Both circuits are 'active' in the PPP multilink bundle and I see 3 sessions on our core LNS Cisco 7301 (c7301-boot-mz.124-2.T.bin) - i.e. 2x circuits + 1x bundle. We've checked the circuits individually and 'actual' throughput (using NetPerf software) is similar for both lines and in line with the sync speeds.
 
We are seeing quite high CPU (50%) on the Cisco 1841 (c1841-ipbasek9-mz.124-24.T1.bin) at the customer premises, but having tested a Cisco 2951 on the customer premises with two new HWIC-1ADSL-M cards, this is not the cause. The 2951 ran at 5% CPU whilst we experienced the same problem.
 
We've checked the setup of both Cisco CPE and LNS with our LLU provider and they are happy with the MLP config. They themselves have been able to bond two similarly sync'd Annex-M DSL lines and get 25Mbps throughput on a 1841.


Cisco WAN :: 3725 - Bonding 5 ADSL Lines

Aug 14, 2012

I work for an ISP and we are currently bonding 5x 6Mb ADSL connections for use as a wireless backhaul. We are currently using a Cisco 3725 and bonding the links via MLPPP. This setup is working fine except that we are not getting the full 30Mb on the download side. We are seeing more like 18 to 20. I am wondering if we can achieve the full speed with our current setup or will we need something different to get the job done.


Network Teaming In Optiplex 790MT?

Nov 4, 2012

I have one Dell Optiplex 390 (Windows 7 64 bit), which has one PCI slot and 3 PCIe slots. The built-in NIC cards don't support network teaming. I require 2 teams in my system. Do you know any PCIe card with network teaming facility?


Cisco Switching/Routing :: 2950 / NIC Teaming On Two Switches?

Apr 25, 2013

I have a Windows 2008 server that I would like to have a NIC teaming configuration. The server has two NICs, and each NIC is connected to a different switch. One is connected to a Cisco 2960 and the other is connected to a Cisco 2950. I have read here in the forums about NIC teaming, but using the same switch. I have not found anything about using different switches. Is this possible?


Cisco WAN :: 4500 When NIC Configure With Teaming / Servers Gets Not Reachable

Jan 11, 2011

I have Windows servers connected to a Cisco 4500 series switch. The issue is that when the server NICs are configured with teaming, the servers sometimes become unreachable, and after restarting the servers they become reachable again. Does the 4500 series switch support the teaming software?


Cisco Security :: Upgrading CSACS 1121 From 5.1 To 5.2?

Nov 28, 2010

I have a problem upgrading a CSACS 1121 appliance from version 5.1 to 5.2, because the restore DVD has the 5.1 image, not 5.2, and on cisco.com only two files appear: 5.2-0-26-1.tar.gpg and ACS_v5.2.0.26.iso. The first is a patch, and I'm not sure whether the second is the image for version 5.2. If it is, which would be the correct commands to perform the upgrade using the CLI?


802.3ad Ethernet Bonding - Increasing Bandwidth Or Throughput?

Aug 4, 2012

Even without Open vSwitch, and using the stock, Linux bonding module with 802.3ad mode I had the same problem.

From what I have read about bonding, it seems like if you bond (for example) 2x 1Gbit Ethernet connections on two servers (ie so both have two ports bonded), then if using something like 802.3ad, a file transfer should utilize both ports, and you should see a throughput of 2 Gbit/s. So this would be an increase in throughput and bandwidth, right?

But what I generally see is that for any single TCP connection, only one port is ever utilized at a time. So for example, if I'm SCPing a large file from server1 to server2, I generally see that the scp session is only using one interface, at 1 Gbit/s. I can then also run a second SCP session which will use the second port, and also move at 1 Gbit/s.

This would be increasing the bandwidth, but not the throughput, correct? Which of these behaviors is what I should be seeing with 802.3ad? I guess it depends on the hashing method? Is there a hashing method which will allow a single connection to be spread over two interfaces, allowing 2 Gbit/s transfers?


Cisco Switching/Routing :: Configure Bonding 3 T1s Between 6500 And 2811?

Jan 3, 2012

I have a Cisco 6500 router at my POP site and I have a Cisco 2811 at the tail site. I have to bond 3 city to city T1s to make a 4.5Mg pipe between the 2 ends. How do I configure the routers to make this happen? This is a configuration example for a single T1:
 
POP end on 6500:
interface Serial1/0/1:0
ip address 10.125.1.1 255.255.255.248
 
Tail site on 2811:
interface Serial0/2/0
ip address 10.125.1.6 255.255.255.248


Cisco Switching/Routing :: Bonding Two Interfaces On Two 2940 Switches

Jun 6, 2013

I have two switches (sanitized configs attached) and I am trying to bond int gi0/1 and gi0/2 between the two. Then I need int gi0/3 back to the main LAN switches. These are new Vlans created 982 and 983 for these switches. Question #1: do the configurations look correct? I haven't placed any laptops on the interfaces to test interconnectivity yet but I am wondering if it will work with no default routes.
 
The admin team needs these switches at location A for setup, then they will be moved to Location B. The only thing that sucks for me is that the network admin before me created gateway interfaces for all the local VLANs on a main router as subinterfaces. For example, for these two subnets, I need to create the subinterfaces below (at location A), which is why I gave the VLANs on the switches IP addresses.
 
interface GigabitEthernet0/0.982
encapsulation dot1Q 982
ip address 10.98.2.1 255.255.255.0
ip flow ingress
no cdp enable
service-policy input mark-mplsqos-in
 
interface GigabitEthernet0/0.983
encapsulation dot1Q 983
ip address 10.98.3.1 255.255.255.0
ip flow ingress
no cdp enable
service-policy input mark-mplsqos-in
 
When I move the subnet to location B, I will also move the gateway. These two switches will be used mainly for a VMWare and HyperVisor environment so Vlan 982 is for VMA network and Vlan 983 is for management. The admin tells me the software needs to tag the packets, I am not sure if I care as the switches should handle that also.


Cisco :: Prime Infrastructure To CSACS 5.3 / TACACS A / V Values?

Sep 24, 2012

I am scanning the documentation for CPI 1.2, trying to get it to use CSACS 5.3 for my authentication/authorization. The docs say to create a TACACS Shell Profile and add the TACACS A/V pairs as needed... Nowhere could I find a listing of AV pairs I can use to grant authorization. I did see that whatever pairs I did use, I must keep the menu chain intact.


Cisco Wireless :: Point To Multipoint Using 1252a-n As A Bridge And Channel Bonding

Oct 28, 2011

I have a project in an industrial environment which requires high speed wireless connectivity between 6 buildings, one central and five remotes. The maximum distance from the central building is 100 meters (take a look at the attached diagram). I'm thinking of using the 1252a-n or 1262a-n access point to act as a bridge (root mode) at the central building with 3 omni antennas AIR-ANT5160V-R (6dBi) or 1 omni antenna AIR-ANTNV-R (4dBi). For the remote buildings I'm thinking of using 1252a-n or 1262a-n in workgroup bridge mode with 1 directional antenna AIR-ANT5160NP-R (6dBi). My questions are:

-Has anybody implemented a similar scenario, point to multipoint bridging with channel bonding at 5 GHz?

-How reliable will the use of the 1252 AP in bridge mode be?

-The expected total bandwidth/throughput will be 300/150 Mbps, so theoretically every bridge will have 60/30 Mbps available bandwidth/throughput?

-Which antenna model do you suggest for the central building?


Cisco Switching/Routing :: Catalyst 2960-S Channel Bonding Limit

May 15, 2013

We currently have a configuration with 3 bonded (link aggregation) channels, each delivering 1 Gb/s uplink, providing a total of 3 Gb/s uplink. Due to a recent network upgrade, we can now add more channels to the same group in order to have a total of 9 Gb/s uplink, meaning that we should bond together 9 channels. When we tried to change the old configuration in order to include six new channels in the bonded group, we noticed 2 things: one channel was left in standby (blinking orange LED), and no increase in the uplink bandwidth seemed to happen. By looking around, it looks like the channel group is limited to a maximum of 8 channels [*].


Cisco Switching/Routing :: 3020 / HP NIC Teaming And Not Receiving Echo Reply

Dec 4, 2011

I am working with a strange problem at the minute with HP's NIC Teaming with Transmission Load Balancing. We have an HP blade system; the server is connected to 2 Cisco 3020s and then those 2 switches are connected to a 3750 stack consisting of 2 members.

There's an LACP EtherChannel consisting of 4 Gigabit Ethernet ports to each 3020 from the 3750 stack. They both have exactly the same configuration, all ports are up, and the channel looks healthy.

When setting the preference order on the server, if I set the NIC connected to the 1st Cisco 3020 as primary, i.e. Tx/Rx, then everything is fine. If I set the NIC connected to the 2nd Cisco 3020 as primary, then all seems fine, i.e. I can ping it, and it can access services outside its own VLAN and the internet. It cannot, however, ping anything connected to the same subnet and VLAN on the 3750 stack.

Doing a packet capture on a server connected to the VLAN on the 3750 stack, I can see the echo requests coming in and the server sending an echo reply, but the echo reply never gets back to the server with the teamed NICs.

I did a Layer 2 traceroute and all looked fine; all the MAC tables were good. I thought maybe it was a Layer 2 loop causing the problems, but I have checked and re-checked STP and can't find any problems. STP has picked up one intentional loop and blocked it.

I've raised a ticket with HP to see if they can point me in the right direction, but I don't think it is a problem with their drivers. It definitely seems like a networking problem.


Cisco Application :: CSS11501 One Arm Configuration For CSACS Radius Authentication

Nov 5, 2009

Is it possible to deploy the CSS11501 in a one-arm design to load-balance the RADIUS authentication traffic across CSACS servers, which is on UDP port 1645 or 1812? Is it required to configure NAT or not? If yes, how can I define the shared secret in the CSS? Also tell me how to configure the keepalive for UDP traffic in this scenario, other than the default ICMP keepalive.


Dell :: 5524 - Power Edge T310 And Broadcom Teaming

Nov 27, 2011

We have a Power Edge T310, sporting two Broadcom 5716C LOMs. We also have a Power Connect 5524 switch. Good opportunity to team the two network connections using 'Link Aggregation (802.3ad)'. Downloaded the most recent management software off the Broadcom site. Installed BACS 3 on the Power Edge, running Windows SBS 2011, which has Windows Server 2008 R2 x64 as its base.

Started BACS and tried to configure teaming. But there's no teaming section in BACS. I removed it, restarted the server and re-installed the Broadcom software, but still no teaming section. How do I solve this?


Cisco Switching/Routing :: Host Nic Teaming To Upstream Nexus 4001i Switches

Sep 24, 2012

Having a design where an IBM bladecenter has two Nexus 4001i switches and each switch is connected to a Nexus 5k vPC pair, is it possible to configure active-active nic teaming on the hosts (blades) considering that the Nexus 4k switches are unaware of each other and blade has one connection to each 4k over either emulex or qlogic 10G CNA?


Cisco Switching/Routing :: Nexus 5548UP With 2232TM Fabric Extender And Server Teaming

Oct 11, 2012

Need clarification on the VPC with 5k and 2248 Fabric Extenders. My question is: can each fabric extender uplink to two different 5ks and, at the same time, have servers connected to both fabric extenders with a VPC? So basically, the server NIC will team with two different fabric extenders, and each fabric extender will connect to two different 5ks.


Cisco Switches :: SG500-28 Stackable Switches And NIC Teaming

Apr 17, 2012

Am looking into using stacking and NIC teaming to create redundancy for user access to servers. What I am thinking is getting 2 SG500-28 switches and configuring them in a stack that appears as one logical switch. Now on the servers I would configure 2 NICs to be a team so they appear as 1 logical interface, preferably in an active/active configuration using LACP. In this NIC team, take 1 team member to switch A and the other to switch B, so each team member is on a separate switch.

Given the scenario:

1) Will that work with the 500 series switches? Reason for the switches is their price point is perfect for my client.

2) Besides the stack link will there also need to be a LAG between the switches or does the stack link do data traffic also?


Cisco WAN :: 7206 - Bonding Two Point To Point T1s

Jan 24, 2012

I have a 2911 with a Vwic2 T1 card on the remote end going to a 7206 with a PA-MC-TE1, basically 8 T1 cards. Anyway I will be ordering two point to point T1 lines and since I want it to look like 3 Meg I was thinking of bonding them. Is that still the best way to set this up? If so any concerns about setup?


Cisco AAA/Identity/Nac :: 2960 Unprotected Identity Pattern Not Working As Expected

Oct 28, 2012

I'm trying to test the following 802.1x wired environment: Windows XP SP3 as supplicant, Windows NPS as RADIUS server, 2960 as authenticator, latest AnyConnect (3.1.01065) + NAM and standalone profile editor. I have a question: what is the difference between the protected identity pattern and the unprotected identity pattern (set in the NAM profile editor)? As I understand the documentation, PEAP-MSCHAPv2 is a tunneled method and it uses the unprotected identity pattern to protect the user's identity during phase 0. But if I use any fake identity here (anonymous, anonymous@[domain], etc.), access is rejected (Access-Reject in switch debugs). I have to use exactly the same pattern in the unprotected identity pattern as in the protected identity pattern ([username] or [username]@[domain]) to gain access, regardless of authentication mode (same in machine only, user only authentication).


Cisco AAA/Identity/Nac :: ACS 5.2 Group Mapping With LDAP External Identity Store

May 18, 2011

I have a new Cisco Secure ACS 5.2 on a VM. We want to use it to for administrative access to our Cisco equipment  with TACACS+. I am trying to map user permissions to different groups of devices based on active directory group membership, however it is not working.
 
I am using an LDAP (configured for secure authentication) external identity store. On the directory organization tab, I have confirmed the accuracy of the subject and group search base and the test configuration button shows that it's finding > 100 users and >100 groups.
 
On the directory groups page I have entered the groups according to the required format. cn=groupname1,ou=groups,dc=abc,dc=com
 
I have a rule based result selection under group mapping. I have two rules in the format below.
 
Condition
LDAP:Externalgroups groupname1
Result
Identitygroup1

I have the default group set to an identity group named other. My problem is, no matter what user attempts to authenticate, the Default rule is applied, and the user is put into the other identity group. This occurs when I log on as a groupname1 user, a groupname2 user, or as a user that is not a member of either of those groups. LDAP authentication works and the user is able to log on to the device.


Cisco AAA/Identity/Nac :: ACS 5.2 - Create Microsoft Active Directory (AD) Identity Store?

Jul 11, 2011

We are using ACS 5.2 and we are trying to create a Microsoft Active Directory (AD) Identity Store. We have a user to be used in the Active Directory creation General page and we would like to know how the test communication / ACS to AD communication takes place.
 
Our user is a predefined user in AD and has admin rights, but the password expires every 60 days. Will this affect the communication between AD and ACS 5.2 every time the entered user's password expires?








Copyrights 2005-15 www.BigResource.com, All rights reserved