Design VPN recommendation

Similar Questions

• SSL VPN recommendation without encryption RC4

  Hello

  Actually I m using Annyconnect in ASA with SSL RC4 Cipher Suites taken care of, vulnerability it is recommended to use without RC4 encryption.

  The question is, there is a document illustrating the best practices or recommendations to do?, I Don t know if it has an impact in this change, or if it is supported in the code.

  Concerning

  Ricardo

  Ricardo,

  Recommendations:

  http://www.Cisco.com/Web/about/security/intelligence/nextgen_crypto.html#15

  The impact is usually double that:

  -All clients/browsers will support new encryption algorithms

  -What level of computational overhead will be presented.

  ASA side it is a cryptographic chip that is quite effective at handling in general crypto.

  If your clients support address allowing DHE based ciphers.

  I don't think there is a big best practices doc avilable, need a little more on the environment.

  M.

• NTP - MS vs recommended VMware

  All, I realized a design which recommends VMs source their time from an ESX host using tools and the ESXi server from an external time source NTP. It is directed by VMware best practices and design is disputed that Microsoft recommends time source VM of the hierarchy of the AD (and not the ESX host).

  In any way to the advantages/disadvantages and criteria for the implementation a way or the other?

  Assuming that MS is correct is there additional impact if the domain controller is a virtual machine?

  Similarly, is a network switch suitbale for NTP source physics?

  Thank you

  For domain controllers, it is logical, but for the Member of the domain, I n ' think we need to synchronize the time with the external source.

  Please read page 37 of this guide. www.vmware.com/pdf/Perfbestpractices_vSphere5_. 0.pdf

  "NOTE from the version included in ESXi 5.0, VMware Tools synchronization option is a suitable
  choice. Versions prior to 5.0 ESXi were not the same level of accuracy and do not set the
  time to comments when he's ahead of time to host. »

• DMVPN with invalid SPI recovery / DPD

  Dear Experts,

  I'm evaluating a networks of average design company DMVPN Phase 2 scope, trying to optimize the time of receovery after a failure and restoration of a DMVPN counterpart.

  1. I just spent through a PDF of Cisco Live at a workshop of 2011 named "Advanced Concepts of DMVPN - BRK 4052".

  It is said (without further explanation) that the invalid SPI recovery feature is not useful with DMVPN.

  Can anyone explain, why?

  2 DMVPN involves the use of the Tunnel (TP) Protection. I read the reviews that say that you can not use Dead Peer Detection (DPD) as well as the TP.

  Unlike these reviews, Cisco DMVPN V1.1 design guide recommends a configuration container:

  ISAKMP crypto keepalive 10

  That means, I have to use DPD, but without "periodicals" KeepAlive? If so, could you explain?

  Thank you very much!

  Dear Sebastian,

  1 SPI recovery means essentially that the answering router must meet the same initiator VPN router if the SPI was invalid, the response of the intervener would be an 'invalid' error to the initiator VPN.

  Why it is not recommended for DMVPN?

  Well, according to the previous description of SPI, imagine if someone upsets your router with rogue applications! with the resumption of active SPI, it means that your router would need to respond to all messages which he received with the message "Invalid Error", which basically means--> attack (Denial of Service Attack) back--> high CPU processing on your router.

  http://www.Cisco.com/en/us/docs/iOS/12_3t/12_3t2/feature/guide/gt_ispir.html#wp1045200

  How is it that relates to DMVPN?

  Well! DMVPN is mainly deployed with large number of rays! and even if no one attacks you! your rays can attack you

  2. I don't think that having periodic KeepAlive is what we hear in the comments on demand or periodic KeepAlive is not really effect DMVPN.

  I don't know what are the comments you've read, but I think you can use DPD! There have been some incompatabilites filed for tunnel KeepAlive, but as far as I know, nothing major was filed against ISAKMP KeepAlive.

  HTH!

  AMatahen

• DMVPN versus MPLS

  Hello world

  An interesting question for the community.

  If a router is configured with a DMVPN (or simply a VPN) tunnel and at the same time has an ethernet MPLS even remote desktop connection which route is a priority and why?

  Thank you

  Tom

  Hello

  the link I provided above described the idea how this is possible, if you are looking for the MPLS cloud and cloud DMVPN using EIGRP, then I suggest you do the following

  in each router configure two EIGRP (AS) autonomous systems to be used on MPLS and the other to be used on DMVPN and follow the recommendations below

  -to advertise networks in each AS EIGRP that should be available through (assuming that the same networks will be announced on both)

  -do not redistribute between these two EIGRP AS

  -use EIGRP offset-list of roads through the DMVPN tunnel interface make which the metric is higher and less preferred see below link to eigrp offset-list configuration

  http://www.Cisco.com/en/us/Tech/tk365/technologies_tech_note09186a00800c2d96.shtml#modifycompositemetric

  -You can use other methods other than delay llike ofset-list

  for the other config design and recommendations please refer to the example of design in the previous post

  If have any question just after her here

  HTH

  pls note the useful messages

• Satellite Pro A120 frozen until Vista Runing mainly

  Hello, all the

  Am a new user of Satellite A120 a few months...
  It worked great for a few months, but now it freezes just upward while I work... Frostbite and processor system starts to make noise (ATMOSPHERIC pressure)
  I have reinstall the entire operating system but no Prob still the same vain

  So I install Xp it works fine...
  But what is with Windows Vista as designed and recommended for Vista then why it is not working well on it?

  I tried to disable Core Processing option in the BIOS that did not help me
  Kindly any suggestion or anyone else having this prob?

  You have reinstalled OS supplied via Toshiba recovery DVD?
  Have you noticed this behavior with own OS preinstalled or later after the installation of some additional software?

• CD of XP crashed, scratched, have my authentication code, can I download XP Home

  My system broke down and I tried to reinstall from the CD which was at the end, but he was told to wait. I waited all night, but it has not ended. My CD has a small scratch.

  If possible, I would like to download XP Home from a site using my other machine, transfer on USB and try to reload from the download. IS THIS POSSIBLE PLEASE? The license is genuine and I have the authorization code.

  JKNL

  you are right - it was a typo - and I have come back from the pub! X 86 is mentioned - also when checking for viruses, it relates to SYSTEM32

  That makes things a lot easier. When you access the driver download page for your particular laptop simply develop the content of each. Install only those listed as "recommended". If there is more than one driver in a particular category designated as recommended select the driver with the most recent release date.

  There are a few drivers such as the BIOS which is optional. Unless you are having problems with your current driver, I do not recommend that you download the update. It might be better if you would connect the laptop via an Ethernet cable while installing the drivers instead of using a flash, even if a flash drive works. As stated in my previous post, when the choice of the method to download, choose your browser unless you already have. NetFramework 1.0 or later installed.

  Please select an answer here and mark this thread as a response. It is not on the points. This is to help others find the answer to their question easier.

  If you want more help back post. Make sure you have your data backed up before installing the chipset drivers or bios if you choose to install the same.

  I do not vote for me I'm not here for points. If this post helps you, vote. Visit my forum @ http://repairbotsonline.com/

• Cisco VCS and composition to an IP address

  I have a question about the composition of address Ip and VCS. In the Administrator's guide, he says that VCS determines that an IP address that will be called if it is:

  -is the IP of a locally registered endpoint

  -Beach one of the subzone of address membership rules is the responsibility of intellectual property

  The second point is that of interest. As part of the way in which it is presented, I take this means that if a subarea membership rule has a range of IP addresses that includes the address of a non-registered endpoint then VCS will still attempt to place the call to the endpoint not registered regardless of the setting "Calls for unknown IP addresses" (under the numbering plan). For example,.

  Assume the end point has (EP - A) is enrolled in a VCS control that is configured to use the mode indirectly for "calls to unknown IP addresses. The idea here is that there is a highway of VCS. Suppose that there is an end point (EP - B) on the internal network that EP - A wants to call. EP - B is behind the firewall, but it does is not registered in the VCS - C. Finally, suppose the SCV - C has a subarea (let's call it "Internal-Unregistered") with a membership of 10.10.10.0/24 rule.

  Now, if the address IP of EP - B is 10.10.10.10 and EP - A dials by IP, will be the call successfully established? Based on the Administrator's guide, the VCS will see the EP - B IP as "known." The Administrator's guide does, really, that the call would be placed. I'm stuck sorta messaging RAS, since EP - B would not be exchanging messages with the VCS - C RAS.

  I also wonder about calls from unregistered endpoint. EP - B could call EP - A directly. I don't want to support this behavior in the design (I recommend rather using the numbering of the URI. I am considering set up the Alias of relief on the VCS - C to channel calls from unknown devices to an attendant on the MCU. Regardless, what I was asking is the following:

  If I have a membership rule subarea as above and EP - B sends a message of call setup to the VCS - C, the VCS - C would still see the call as coming from the default Zone of the local area? The reason I wonder is because of the way the Administrator's guide defines "known IP addresses.

  Thanks in advance.

  Kind regards

  Bill

  Hi Bill,

  to answer your question about the first scenario (where EP at dials the address IP of the EP B), VCS would attempt to place the call if there is a rule of type search 'AnyIPAddress' for the local area on the VCS - C (and assuming that the previously mentioned subzone containing 10.10.10.0/24 exists). VCS would be in this case send a message of CONFIGURATION H225 EP B.

  For the second scenario, where EP B contains the IP of the EP, EP B would send that an INSTALLATION H225 EP EP a. message would then for the message INSTALLATION with an INSTALLATION containing a reason 'routeCallToGatekeeper", instructing EP B to dial the address IP of VCS instead, since the VCS want to be included in the call, signaling path.

  To answer your last question, with regard to the area in which a call of an endpoint not registered (when the IP address of endpoint belongs to a subnet-type subfield) comes on, the answer is that the appeal turns on the default Zone. Calls will be local area if the call comes from a real end point recorded.

  I hope this helps.

  -Andreas

• Move from 5.1 to 5.2.2

  We undertake this update soon, and I would like an estimate of the time that it will take to upgrade the DMM application.  I already felt the time to the DMP in the entire system, and I know that they must be upgraded before the DMM.  I would like to know if the content and presentations in the DMM will be available after the upgrade, or if we have to rebuild everything.  We also have a video portal that is thus upgraded device.

  If someone can tell me what changes we will see through the versions, I understand that as well.  I'm going to help coordinators in our campus to make the transition, and we do not have a test environment, so I plan on a week of downtime for the system.

  Thank you

  Mike sellers

  Program Manager

  Multimedia communications

  Lone Star College System

  Michael, your content and the presentation would not be affected with this upgrade. Its only when you're using an .iso image full which dries the configuration. Regarding your question on the new features in section 5.2.2, here's what follows

  Changes of Cisco digital signs to point 5.2.2

  Digital multimedia player of Cisco G 4310

  New DMP 4310 G endpoints are the latest model of our versatile family of Cisco digital media readers. This new model introduced many hardware and software features that could include former DMP models. See http://cisco.com/go/dms/dmp/datasheets.

  Support of Cisco Medianet

  DMP 4310 G endpoints in the 5.2.2 version supports some Cisco Medianet technologies. These PGD know and can broadcast their own product type and model, the software version and - in some cases - physical location. In turn, they can receive their IP address, assignment of VLAN and parameters of configuration network automatically, waiting for you to your DMM server registration. From this version, the DMP does not support service discovery via DHCP or autoregistration to your DMM server.

  Assistant Digital Media Design best practices

  5.2.2 digital media designer introduced a "best practices" assistant This function analyzes your choice of presentation design and recommend ways to optimize your designs for the DMP compatibility and performance.

  Improved collection and management to digital signs

  Digital signs (formerly DMM - DSM) 5.2.2 presents an improved user interface for the collection and management of the DMP. In addition, it can detect if Cisco LCD Professional series of flat screens are enabled or disabled.

  Digital Media Player remote control button remapping

  Digital Media Player Device Manager 5.2.2 introduced features to remap the assignments button for a DMP remote function.

  Resume deployments interrupted DMS - CD

  Cisco DMS (DMS - CD) content distribution introduced a feature to turn off the automatic resumption of interrupted deployments. By disabling these, you can force the DMS - CD to retrieve dynamic assets several times even if their file names and URI are not changed. And, in doing so, cause you your DMP to have and use the most recent active revisions known for DMS - CD.

  RTP streaming

  This version introduces support for RTP streaming when the DMP model is G 4310

• Campus Solution 9.0 indicator Prompt SQL View Table service

  People,

  Hello. I'm creating 9.0 Solution on a University Campus. I work on the indicator of Service and face the question below:

  Set Up AWAR > definition > Service indicator > indicator Service Table in the page 'Service indicator of reasons', the quick table of page Department field has no data to pop up. There is no task to set up the data for the table quickly. I checked the component, recording, and his prompt table as below:

  Name of the component: SERVICE_IND_CD_TBL. GBL

  Registration: SRVC_IN_RSN_TBL

  His fields of records DEPTID guest at your table: SCC_DEPT_TBL_VW it is view SQL.

  The SQL view is below:

  Select Sql % (SCRTY_SEL_DEPTKEY, OPR, DEPT), Dept. DESCR, DEPT. DESCRSHORT

  Since Sql % (SCRTY_DEPT_FROM)

  Where Sql % (SCRTY_WHERE_DEPT)

  And Dept. EFF_STATUS = "A";

  I run the SQL mode above to SQL >, an error pops up: "error at line 1: ORA-00911: invalid character.»

  I have test the SQL view partially as below:

  SQL > select * from % Sql (SCRTY_DEPT_FROM);

  The same error pops up: error at line 1: ORA-00911: invalid character.

  I checked the application designer, SCRTY_DEPT_FROM and SCRTY_WHERE_DEPT are not record and not on the ground. I don't understand this kind of SQL view. My questions are:

  First of all, where is the table for the variable min. in the SQL view above?

  Second, what is the % (Sql) function in the SQL view above?

  Third, how the SQL above to see work?

  Thanks in advance.

  Since you have already opened this definition in the App Designer, my recommendation would be as follows:

  Reopen the file and view the sql code. Right-click and select solve meta-sql (because that's what the sql % is used for, meta-sql). You can then see what is that PeopleSoft uses.

  I think, looking at your mistake is that % Sql (SCRTY_DEPT_FROM) should become: table % (SCRTY_DEPT_FROM)

  As for your other question, SCRTY_DEPT_FROM a SQL object which can be opened in the designer of the App like SQL.

  I think I answered all your questions in my answer and I hope this helps.

• esxi Network Setup 4 and esxi 5.5 the same

  Hello

  We have a customer with the following network configuration (see picture). They run ESXi and vCenter 4.0.

  We have added a new separate system with ESXi and vCenter 5.5 and to set up the network, the same.

  My question is this service console, I can't to be able to set this up, it's that are not part of ESXi 5.5?

  If you see the other image, I configured 2 one for management and one for vMotion VMkernel Port, they will be on the same network.

  Would that be correct?

  I don't mind not the network adapters are not connected again... and another thing must use active active alle 4 cards?

  Old configuration

  

  New configuration

  

  Since the release of vSphere 5, he didn't there no Service Console more... the management can be performed via VMkernel port with active management traffic.

  About vmnic design, my recommendation is:

  vSwitch0:

  For vMotion PortGroup - vmnic0 Active and standby vmnic3

  PortGroup management - vmnic3 Active and standby vmnic0

  vSwitch1:

  PortGroup for VMS - vmnic1 Active and active vmnic2

• Muse moving around objects when published or previewed

  This has been driving me crazy. I've seen a lot of posts on this topic, but without real answers here! I also spent hours in a chat room with a specialist of the Muse who had virtually nothing to say to help me with this problem. Muse continues to loose my pages when I publish them. Boxes to move, spacing gets screwed up. I can't take more. I sent support Muse twice but no response. I have messaged also a REP here, also unanswered.

  Here are some screenshots to show you what is happening:

  IN MUSE:

  Screenshot by Lightshot

  CHROME:

  http://prntscr.com/6l87r9

  IT. IS. AT THE WHEEL. NEM NUTS. What is the problem here? Help, please!

  I guess that this response did not help?

  Zak Williamson 3 days there are

  It seems that you solved the problem? Or is there a layout problem that I do not notice?

  The most common cause of differences in page layout is the differences in text layout engines and fonts between browsers and versions of browsers and devices.

  The exact height of text frames are drawn in Muse design compared to the height of the actual text in the frame is important. Exactly how (and if) the objects overlap or one containing entirely in Muse design is important. Finally, how items are grouped in Muse Design effects view how the HTML is generated and can be a tool to control how your pages respond to differences in presentation between the browsers and devices.

  Given your specific Visual design, some recommendations will reduce the probability of change:

  (1) be sure text frames are drawn larger than the text they contain, so that no dotted line appears in the text blocks (which is an indicator of the minimum height for the text block set). If a line of minimum height appears, then if the text is slightly shorter when placed in the browser which will result in the block of text shrink in height and below things moving upward and/or things that contain also shrink in height.

  (2) grouping use to create horizontal bands to your image buttons. Grouping in this way causes fluctuations in height or the position of the objects entirely above the band grouped to move all of the Strip facing upwards or downwards. Without such grouping that muse is biased towards the creation of columns such as something above to change the height only impact the position of the elements of (approximately) directly below.

  (3) be sure that header text frames do not overlap your buttons. If they do, they can move either vertically when no content above moves or they may change position without also changing the elements below them.

  None of these answers is really specific to the Muse. When you work on the web text is online and how it sets out will vary from a browser. The structure of the generated (or hand coded) HTML needs to be informed as to how you want things to react when these changes occur. Muse does its best to automatically do the right thing, but cannot in all situations and not done as well as the information contained in the provided schema. If there is overlap involuntary or minimum text frame heights game, the layout is more likely to not respond as expected/desired when occur variations of page layout.

  -Zak

  Zak Williamson

  Senior scientist

  Adobe Muse

• Double firewall, config VPN design question?

  All,

  I'm looking to implement a design of double firewall with different suppliers, i.e. Cisco at the front and another seller behind that. The Cisco ASA will manage the ends of the VPN. It's a design recommended to us.

  The reason was the front towards the firewall (cisco) will block most of the noise, and then the second firwall will make inspection of the IPS etc. Apparently, this is also done incase there are vulnerabilities with the first provider. The DMZ interface will in fact come the second firewall.

  I am currently working, what if all remote users terminate their VPN at the edge of the ASAs, what is the best way have to move towards the second firwall, then again on the internet so we can apply the policy to users / and inspection?

  There are no facilities on the front to ASAs IPS inspection, just a bog without visibility L7 stock Firewall (as this responsibility will lie with the second firewall).

  Looking for information so that I can start looking...

  The MCV is a great place to start.

  http://www.Cisco.com/en/us/solutions/ns340/ns414/ns742/ns1128/landing_iEdge.html

• VPN design tips

  I usually deal with issues of LAN/WAN, but have very little experience with the design of the VPN. I would like to know if I have the right idea or if there is a better solution to target.

  Scenario:

  There is a staff with two remote offices. Remote offices have 10 to 20 people each with little or no planned growth and different firewall solutions. HQ has 40-50 people anticipating exceptional growth and a PIX 515E. The manager would like to remote offices and remote access VPN site to site VPN for the traveler. His biggest concern is the speed through the site to site tunnels.

  My solution:

  Place a hub routers of the 800 series with sets of features VPN and firewalls and VPN 3005 behind the PIX to HQ in remote controls.

  This seems sufficient? Other recommendations?

  No I don't think so. This should be good only for the 515.

• What is the recommended for this kind of application design patterns

  Hi all

  I'm working on a project that should look like a Tablet PC application, shown in the attached photo.

  The larger window on the right side should change according to which key has been pressed in the left vertical bar.

  My question is, how can I implement such behavior or is it a design recommended for this model?

  My first idea was to about tabs but this means that all controls and indicators are needed in the main vi who would make my code confusing if it grows.

  Thank you for your answers

  Benjamin

  Take a look at the architecture of this plugin here.