ACE Module Context Up to 8 Chain Groups

Hi
I have and ACE with 8 chain groups, each with 8 certificates, what I need to do if I need another certificate?
This because the information in the document
The ACE supports the following certificate chain group capabilities:
•A chain group can contain up to eight certificate chains.
•Each context on the ACE can contain up to eight chain groups.
•The maximum size of a chain group is 16 KB.
thanks for your help.

I do not need to match a specific URL. The application on the server does however. The server admin reports that connection is being refused as there is no URL included to match.
When setting this up as a one-arm config with source NAT everything works fine. Unfortunately, it is a requirement of the application that the client IP remain intact.

Similar Messages

  • Reuse of context in ACE module

    Hi all, just have a question about som reuse of resources in a ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my context.  The config is not complex and difficult, but I'm not sure if I can do this.
    The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
    Since I haven't decided the ip addresses to be used, they are just xx in the config below.
    The changes I want to implement are in bold.  Will this work for me?
    probe http WEBGUI_D2
    description Probe for http mot webgui
    interval 10
    passdetect interval 10
    passdetect count 1
    request method get url /D2/auth/login.aspx
    expect status 200 302
    header User-Agent header-value "IDENTITY"
    rserver host cwi003
    description content server logon
    ip address 10.163.22.27
    inservice
    rserver host cwi004
    description content server logon
    ip address 10.163.22.28
    inservice
    rserver host cwi503
    description content server logon 2
    ip address 10.163.22.23
    inservice
    rserver host cwi504
    description content server logon 2
    ip address 10.163.22.24
    inservice
    serverfarm host SF_LOGON_D2
    probe WEBGUI_D2
    rserver cwi003 80
       inservice
    rserver cwi004 80
       inservice
    serverfarm host SF_LOGON2_D2
    probe WEBGUI_D2
    rserver cwi503 80
       inservice
    rserver cwi504 80
       inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
    timeout 20
    replicate sticky
    serverfarm SF_LOGON_D2
    serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON_D2
    3 match virtual-address 10.163.22.13 any
    class-map match-all VS_LOGON2_D2
    3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB
    class class-default
       sticky-serverfarm STICKYGROUP1
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
    class VS_LOGON_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 5 vlan 1240
    class VS_LOGON2_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 6 vlan 1240
    interface vlan 1240
    description Client_server
    ip address 10.163.22.11 255.255.255.0
    peer ip address 10.163.22.12 255.255.255.0
    access-group input INBOUND
    nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
    nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    service-policy input PM_ONE_ARM_MULTI_MATCH
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.163.22.1
    BR
    Geir

    Thanks for your reply.
    Hope I understand you correct.  This sould be the config I need to paste into the existing context.
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
       timeout 20
       replicate sticky
       serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON2_D2
       3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB2
      class class-default
        sticky-serverfarm STICKYGROUP2
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB2
        nat dynamic 6 vlan 1240
    interface vlan 1240
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    Br
    Geir

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple questions to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require an Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
    2) If it does require that, what IP address should I used for default route in each context.
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 seperate Context, for a total of 4 including the Admin.
    Any suggestions or if you can point me to location as always will be greatly apprecaited.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your managment VLAN, default route to upstream router, and login and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the ip from each individual context and not the management IP
    2. Use a Large subnet and assign an IP address in each context for management.
    You can configure 1 managment VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own managment address
    - static routes need to be added
    3. Use your client-side ip address (or BVI) as management address.
    You management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE is the same team.
    If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, than I would choose option 3.
    HTH,
    Dario

  • Ssh access into virtual context on the ACE module A(2.2)

    Hello,
    I tried to configure:
    Admin(conf)#context test
    Admin(conf-context)#ssh key rsa1 1024
    but this command ssh is not supported int this newest version. How can I configure the ssh access directly into virtual context on the ACE module??
    Thank you

    Here's a link on how to configure it.
    https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
    Hope that helps.

  • Load Balancing on ACE Modules

    hi,
    Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration. Or is it that only per FT group only single context could be active.
    Regards.

    You can have 1 context active on one ACE and the other context active on the other ACE.
    If you have 2 Vip, you can have 1 vip belonging to one context and the other vip belonging to the other context.
    Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
    If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
    Easier to implement and troubleshoot.
    Gilles.

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    Hi have the following config which seems to be working fine for me...  check your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
    peer 1
    priority 110
    peer priority 105
    associate-context Admin
    inservice
    ft group 2
    peer 1
    priority 110
    peer priority 105
    associate-context ace-context1
    inservice
    ft group 3
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context2
    inservice
    ft group 4
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context3
    inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
    description *** Client-Facing VLAN ***
    ip address 10.1.35.5 255.255.255.0
    alias 10.1.35.4 255.255.255.0
    peer ip address 10.1.35.6 255.255.255.0
    access-group input ACL_VL950_IN
    service-policy input REMOTE_MGMT
    service-policy input MY_LB
    no shutdown
    interface vlan 951
    description *** Connection to Real Servers ***
    ip address 10.1.36.2 255.255.255.0
    alias 10.1.36.1 255.255.255.0
    peer ip address 10.1.36.3 255.255.255.0
    access-group input ACL_VL951_IN
    service-policy input NAT_REAL
    no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • ACE Module

    Basically we have a running ACE context which works however we are using natting and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config but I have the problem of when the client is on the server side network the traffic never makes it there.
    ACE1/10.0.0.0_Network# sho run
    Generating configuration....
    access-list ALL line 8 extended permit ip any any
    rserver host CE-565-1
    ip address 10.0.2.83
    inservice
    serverfarm host Content_Engine_SF
    rserver CE-565-1
    inservice
    class-map match-all Content_Engine_VIP
    2 match virtual-address 10.0.18.101 any
    class-map type management match-any Remote_Management
    2 match protocol http any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    policy-map type management first-match rmt_mgt_policy
    class Remote_Management
    permit
    policy-map type loadbalance first-match Content_Engine_VIP-l7slb
    class class-default
    serverfarm Content_Engine_SF
    policy-map multi-match int18
    class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
    access-group input ALL
    interface vlan 3
    description Server_Side
    ip address 10.0.3.240 255.255.254.0
    mac-sticky enable
    no shutdown
    interface vlan 18
    description Client Side Network
    ip address 10.0.18.251 255.255.255.0
    mac-sticky enable
    service-policy input int18
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.18.1
    if I telnet to the vip from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However when I telnet from a machine on the vlan 3 10.0.2.188 it does not work. I would have thought the mac-sticky option would work but it seems to be doing nothing. Any ideas with out using a NAT pool would be great so we can see the originating IP Address.

    If you are initiating traffic from serverA to a vip that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, ServerB will ARP for serverA address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
    1. Use NAT to ensure the return traffice makes it back to ACE.
    2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827

  • ACE module rservers multiple routed hops away

    Hi all, deploying a ACE module in a cat6k. Just want to figure out, can I add to a serverfarm, rservers which are multiple routed hops away from the ACE or the cat6k in which it is deployed. please look at the attached diagrams. I have my servers at two subnets, and I want to add all 5 servers to the same server farm and load balance between them
    Is this possible, if any what are the caveats ?
    Thanks all

    Hi,
    You can do this, but ypu have to use client-NAT to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server.
    The following extract from a configuration shows the basic principle:
    rserver host master
    ip address 10.199.95.2
    inservice
    rserver host slave
    ip address 10.199.38.68
    inservice
    serverfarm host FARM-web2-Master
    description Serverfarm Master
    probe PROBE-web2
    rserver master
    inservice
    serverfarm host FARM-web2-Slave
    description Serverfarm Slave
    probe PROBE-web2
    rserver slave
    inservice
    class-map match-any L4VIPCLASS
    2 match virtual-address 10.199.80.12 tcp eq www
    3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
    class REMOTE-ACCESS
    permit
    policy-map type loadbalance first-match LB-POLICY
    class class-default
    serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
    class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
    description ACE-web2-Clientside
    ip address 10.199.80.13 255.255.255.248
    alias 10.199.80.12 255.255.255.248
    peer ip address 10.199.80.14 255.255.255.248
    access-group input ACL-IN
    access-group output PERMIT-ALL
    no shutdown
    interface vlan 384
    description ACE-web2-Serverside
    ip address 10.199.80.18 255.255.255.240
    alias 10.199.80.17 255.255.255.240
    peer ip address 10.199.80.19 255.255.255.240
    access-group input PERMIT-ALL
    access-group output PERMIT-ALL
    nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy

  • Want to know about ACE module in 6509 : load-balancing concept

    Hi,
    I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
    In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
    I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
    I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
    1) what is difference between CSM or any other product load-balancer and ACE module :
    Gone through site as well , but not getting proper answer or comparison.
    1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
    2) If suppose i go for configuring different IP address with all server IP :
    How do i achieve it ?
    3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
    4) will the load-balancing happens based on destination based or session based ?
    Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?

    Hello,
    1) what is  difference between CSM or any other product load-balancer and ACE  module :
    There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
    One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
    ACE serise has specific hardware chip for supporting SSL termination but some others do not.
    For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
    The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
    Let me try clarifying your other questions.
    3)  what is Virtual IP concept in ACE because i do not have and other ACE  module then why do i need virtual IP ?
    4) will the load-balancing happens  based on destination based or session based ?
    I think I'd better to put 3) and 4) first.
    Virtual ip  address (VIP) is the address to which client accesses.
    VIP is tied with a  serverfarm or serverfarms, in a serverfarm one or multiple rservers can  be configured.
    "serverfarm" is a group of "rservers".
    "rserver" means  real-server that has an ip address and processes transactions.
    When a client  accesses to the VIP, ACE picks up a rserver according to algorithm.
    If you configure a  VIP that is tied with a serverfarm where only one rsever is  configured, client accesses to the virtual ip address are
    all forwarded to  the rserver.
    If you configure a  VIP that is tied with a serverfarm where multiple rsevers are  configured,  client accesses to the virtual ip address are
    balanced among  those rservers.
    If you configure  multiple VIPs, client accesses to those VIPs are forwareded to  corresponding rservers according to configuration.
    1)  I have some of the server configured with clustering and getting one  virtual IP, In this case , will ACE work ?
    ACE load-balances connections to configured rservers.
    If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
    sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
    2) If suppose i go for  configuring different IP address with all server IP :
    How do i  achieve it ?
    You can configure those ip addresses as rserver ip address.
    Multiple rservers are tied into a group, "serverfarm".
    I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
    Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
    This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
    Above is just an overveiw. ACE gives you granular control not mentioned above.
    I can provide more specific information if you tell me details of what you are trying to archive with ACE.
    Regards,
    Kimihito.

  • C6513 Ace Module Pair not syncing

    Hi,
    I have a failover pair of Ace Modules that have stopped syncing - Active not syncing with Standby. I have checked the config and it seems that recent additions of contexts in the Admin Context to resource groups and fault tolerant additions of ft groups have not synced across to the standby unit. All other config checks out as okay.
    Can anyone point me in a good direction to restart the sync?
    Thanks
    Adrian

    Adrian-
      To see the error - login to the context that isn't syncing and issue "show ft config-error"
      Scripts and SSL keys/certs are not synced over, they will cause an FT sync error.  If that was what happened, then upload the files to the context, then toggle "ft auto-sync running-config" on the active context and it will re-try the sync.
      If the issue was not key/cert or script related, get a TAC case open, it is extremely likely there is a bug involved.
    Regards,
    Chris

  • A problem with ACL in the class-map on the ACE module

                      Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So couldn't I  configure the class-map by using ACL with object-groups involved? Is it the bug or the normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACL without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel

  • How to Virtual IP configuration in ACE module?

    Hi,
    I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
    I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
    Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
    Regards,
    Rachit.

    Hi Rachit,
    Here is a basic configuration example:
    access-list Allow_Access line 10 extended permit ip any any
    rserver host test
      ip address 10.198.16.98
      inservice
    rserver host test2
      ip address 10.198.16.93
      inservice
    serverfarm host test
      rserver test 80
        inservice
      rserver test2 80
        inservice
    sticky http-cookie test group2
      cookie insert
      serverfarm test
    class-map match-all VIP
      2 match virtual-address 10.198.16.122 tcp eq www
      policy-map type loadbalance first-match test
      class class-default
        sticky-serverfarm group1
    policy-map multi-match clients
      class VIP
        loadbalance vip inservice
        loadbalance policy test
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 112
    interface vlan 112
      ip address 10.198.16.91 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
      service-policy input NSS_MGMT
      service-policy input clients
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.198.16.65
    Here is the configuration guide:
    http://tools.cisco.com/squish/101AD
    Cesar R

  • Ace module in bridged mode with client nat

    Could someone confirm whatever a NAT is supported for ACE-20 module, please?
    Let me to explain technical details.
    I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
    if the configuration below is correct. ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
    "policy-map type loadbalance"
    Could you check two parts of configs and advise me if the ACE config is
    properly converted from CSM and will be working in the same way (especialy for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • ACE Module Radius with ACS 4.2

    Hi,
    I am able to authenticate to my ACE modules via Radius, but when I login it does not give my Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
    John...

    You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (role based Access Control) and for that you have to pass the context and User Role from Tacacs server to ACE to make it work.If there is no RBAC info is pushed from Tacacs server and user just get authenticated then the default role assigned by ACE is Network-Monitor.
    Following steps (On tacacs server) will make it work
    1. Select your user
    2. goto tacas+ settings
    3. Select " shell (exec)" checkbox
    4. Select "custom attributes" checkbox
    5. Type your context and role information in custom attrib box, using following format
    shell:*
    for e.g (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user )
    shell:Admin*Admin default-domain
    Hope it helps
    Syed

Maybe you are looking for

  • How do I edit in PDF using Acrobat X?

    I am using Acrobat X.  There are lines from the scanner on my pdf document.  I tried highlighting but the highlighted area does not delete when I push the delete button.  I tried edit thinking I could select Cut but only Copy is active.  I am somewha

  • 10.1.2 opmnctl startall hanging

    I have a server with a couple of OAS installs (TEST and DEVL) and they usually co-exist peacefully but on occasion, like now, my one app server won't start. The last time I had this issue I had to shutdown all app environments (also have some 11i EBS

  • I have a ipad2 but doesnt exist facetime icon. how can i install it?

    i tried to reinstall ios few times but still no facetime icon. really wired and fed up with...

  • Can I configure JDBC Sender to process the RFC response message?

    Dear All, We're working on an integration scenario of synchronous messaging from database to RFC. Is there any way to update or insert the record(s) onto the source database according to the BAPI response? Any inputs are welcome. Many thanks for your

  • Mutating Trigger.

    Hi all. I am trying to get around the mutating trigger error when having a trigger on a table that updates the same table. What I have done so far is: 1. create a package that will store the :new values. 2. I then use a BEFORE trigger to populate the