No interface BVI ?
Hi,
I have a situation with a Waas 574. Software Version 4.4.3.
This is my first waas experience. I've reinstalled the flash image and software in raid disks and now I have a brand new waas. At the end of the installation process I configured the interface gigabit ethernet 1/0 to register with central manager. Via central manager I enabled the virtual blade, choosing the gigabit ethernet 1/0 as bridge, but the configuration result is "partially configured" and I can't start the vb. After some searches I know that I must create a BVI interface, but I can't do this because via cli I don't have the commands to do that and via central manager I receive the error "Bridge Configurations are not supported on this Hardware or Software combination."
Can someone explain that?
TIA!
Hi TIA,
Can you confirm whether /vbspace partition is created in the disk after the device reload?
Steps to enable the WAE for using virtual blade.
1) From the WAAS Central Manager, choose Manage Devices.
2) Click Edit icon next to the WAE that you are about to configure
3) Choose Admin > License Management. The License Management screen will appear. Check Virtual-Blade, then press Submit.
4) Choose Admin > Virtualization > General Settings. The General Settings window appears. Check Enable Virtualization, then press Submit. You will be prompted to confirm that you want to modify general settings, and by doing so will cause the WAE to reboot.
5)The WAE will reload twice. This is required to allocate resources for the Virtual blade. After the reload, verify that the WAE is ready to support Virtualization by using the following two CLI commands. Confirm that the /vbspace GUEST device exists with the show disk details command, and confirm that the virtual blade resources are available by issuing the show virtual-blade command.
WAE#sh disks details
Mounted file systems:
MOUNT POINT TYPE DEVICE SIZE INUSE FREE USE%
/sw internal /dev/sda1 991MB 855MB 136MB 86%
/swstore internal /dev/sda2 991MB 851MB 140MB 85%
/state internal /dev/sda3 7935MB 197MB 7738MB 2%
/local/local1 SYSFS /dev/sda6 22318MB 644MB 21674MB 2%
/vbspace GUEST /dev/data1/vbsp 213723MB 9333MB 204390MB 4%
.../local1/spool PRINTSPOOL /dev/data1/spool 991MB 32MB 959MB 3%
WAE#sh virtual-blade
Regards,
Bala.R
Similar Messages
-
Hi,
Can anyone explain to me when to use BVI interfaces? Or if someone has an article about this topic.
thanks and regards,
A BVI interface is used when you want to bridge between some interfaces but route from this group of interfaces to other interfaces. This is the same concept of VLAN interfaces on the 3550 (or above):
bridge 10 protocol ieee
bridge 10 route IP
interface ethernet0
bridge-group 10
interface ethernet1
bridge-group 10
interface ethernet2
ip address 10.1.1.1 255.255.255.0
interface bvi 10
ip address 10.2.1.1 255.255.255.0
In the example above interfaces ethernet0 & 1 are bridged so all connected devices share the same broadcast domain. To allow routing from this interface a BVI is created for the Bridge-group (in this case 10), this is then the Layer-3 interface for devices connected to Ethernet0 & 1. If a device on ethernet0 wants to talk to a device on ethernet1 it is bridged (the 2 devices are in the same IP network). If a device on Ethernet0 wants to talk to a device on Ethernet2 it is routed by the BVI interface.
There is some documentation on CCO but I couldn't be bothered searching for it... Have a search for IRB
HTH
Andy -
Under IOS 12.1(13)E, one can view the detailed interface counter using the command, for example :
show counter interface gigabitEthernet 10/7
It comes up with detailed counters in hexadecimal format. I need to know if there is a way to clear these counters.
Thanks,
Nadeem
zeus#clear counters ?
Async Async interface
BVI Bridge-Group Virtual Interface
CTunnel CTunnel interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Line Terminal line
Loopback Loopback interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Lex Lex interface -
Greetings. I am attempting to configure my Cisco 831 router to VPN connect to another server. I have been given IOS commands in order to create the connection, however there is one command that does not seem to be valid with my router and I was hoping someone could help me interpret it. The command is:
interface fa0/0
the comment beside this command says: "Assumed as inside interface" and this appears later as:
interface fa0/1
with the description "Assumed as Public Internet interface"
however, when I look at the available commands in interface mode, none resemble "fa0", here are the commands for interface:
router(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
CDMA-Ix CDMA Ix interface
CTunnel CTunnel interface
Dialer Dialer interface
Ethernet IEEE 802.3
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface
MFR Multilink Frame Relay bundle interface
Multilink Multilink-group interface
Null Null interface
Tunnel Tunnel interface
Vif PGM Multicast Host interface
Virtual-PPP Virtual PPP interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
range interface range command
any ideas?
Paresh, thanks, however it seems "0" is an invalid fastEthernet choice (even though typing "?" says:
<0-4> FastEthernet interface number
Why is 0 invalid?
Also, the command I was told to use is the following:
interface fa0/1 # Assumed as Public Internet interface
ip address ##.##.###.### 255.255.255.x #Customer public interface
I removed the ip address numbers in this post for my own security, however the .x was exactly as the instructions said to use. I replaced this with 255.255.255.0 (as that is my subnet mask, and that's what I figured they were asking for), however I get the following message:
IP addresses may not be configured on L2 links.
what does that mean? (and thanks again for the help). -
BVI - What is it and what are its uses?
BVI - What is that and what are its uses?
Ranji,
A BVI is in fact quite similar to an SVI (interface Vlan). You can define a software bridging between various ports of a router, similar to switching between various ports on a switch. If the ports on a switch belong to the same VLAN and the switch is capable of multilayer switching, you can create an interface Vlan for that VLAN and allow the hosts in that VLAN to use the IP address of the interface Vlan as their default gateway.
The same goes for interface BVI - Bridged Virtual Interface. When configuring software bridging, you define a group of interfaces that are bridged - the router performs bridging (i.e. software-based switching) of frames between all member ports of a bridge group, in essence forming a single broadcast domain - an IP subnet. If the devices in the common bridge group want to access other IP networks, they need a gateway, so you create an associated interface BVI that is also a part of the bridge group, and devices in the bridge group then use the IP address of the BVI interface as their gateway.
For example, imagine a router with two FastEthernet interfaces:
bridge irb
!
interface FastEthernet0/0
 no ip address
 no shutdown
 bridge-group 1
!
interface FastEthernet0/1
 no ip address
 no shutdown
 bridge-group 1
!
interface BVI1
 ip address 10.0.0.1 255.255.255.0
 no shutdown
!
bridge 1 route ip
This configuration would make your router basically behave as a 2-port "switch" on its Fa0/0 and Fa0/1 interfaces, and devices connected to these ports would use the 10.0.0.1 as their default gateway to other networks.
You rarely configure bridging exactly this way these days, as switches are orders of magnitude faster and have way more ports. Still, there are situations where you need to bridge two interfaces, taking packets out of frames of one technology and putting them into frames of a different technology, without routing them, just repackaging but still carrying them between interfaces. This is often done in, say, DSL if the router is configured to act in bridge mode - take IP packets coming to Ethernet interface and simply repackage them into PPP or ATM+AAL5 cells on the DSL WAN port (and vice versa).
Best regards,
Peter -
Loopback interface on Catalyst switches
Hello,
I need to know if I can configure loopback interfaces on L2 switches (2950) and if yes, in which IOS
Thanks
Moamen
Hello,
for admin, I need to create a loopback interface and use it as the admin IP to reach the switch
I know that the admin IP is configured under interface vlan1
but I'm asking because I have a switch that has the int loopback in its menu when using
conf t# int ?
I can find loopback, but I can't configure it
switch(config)#interface ?
Async Async interface
BVI Bridge-Group Virtual Interface
Dialer Dialer interface
FastEthernet FastEthernet IEEE 802.3
Group-Async Async Group interface
Lex Lex interface
Loopback Loopback interface<<<<<
Multilink Multilink-group interface
Null Null interface
Port-channel Ethernet Channel of interfaces
Tunnel Tunnel interface
Virtual-Template Virtual Template interface
Virtual-TokenRing Virtual TokenRing
Vlan Catalyst Vlans
range interface range command
System image file is "flash:c2950-i6q4l2-mz.121-22.EA3"
but when I'm trying to configure it the switch refused
Thanks & BR
Moamen -
Hello,
Is there a way or simple solution to terminate a bunch of "plain" L2TPv3 pseudowires to a BVI, to have a sort of VPLS? (VPLS/MPLS is not an option in my setup).
My deal is to have a distributed L2 architecture (I have a protocol that works only on L2), and it must traverse a non-ethernet IP based network. (traffic is quite low - max 1 mbps)
It can easily be done with a simple linux box, terminating l2tpv3 tunnels to a bridge interface, but I would like to do that on a cisco device.
A very dirty solution can be to have a set of sub-interfaces (with xconnect) and a cable to another interface on the same router, having sub-interfaces terminated on a BVI.
Something like that:
GigaEthernet 0/0 is cabled to GigaEthernet 0/1
interface Giga 0/0.1301
encap dot1q 1301
xconnect 10.10.13.1 1301 pw-class pw1301
interface gig 0/0.1302
encap dot1q 1302
xconnect 10.10.13.2 1302 pw-class pw1302
interface gig 0/1.1301
encap dot1q 1301
bridge-group 1
interface gig 0/1.1302
encap dot1q 1302
bridge-group 1
bridge 1 protocol ieee
bridge 1 route ip
interface BVI 1
ip address 192.168.1.254 255.255.255.0
Is there a simple way to accomplish that?
thanks in advance,
stefano
I cannot implement this type of configuration with a 3945 router...it's a shame...I really need this config for a site.
-
ACE- From one real server to another VIP
Hi,
I have a problem with ACE;
We have multiple serverfarms configured in the ACE module based on the application and different VIPs related to it. We are running the ACE in bridging mode. Now the requirement is that a real server in one serverfarm wants to communicate with the VIP of the second serverfarm. Is this possible? Will some NATing help in this situation? Below is the configuration.
======================
access-list LAN_Traffic remark For all IP Traffic
access-list LAN_Traffic line 10 extended permit ip any any
access-list LAN_Traffic line 20 extended permit icmp any any
probe http PORTAL_HTTP
passdetect interval 20
passdetect count 2
request method get url http://portal
expect status 0 600
probe http RMS_HTTP
request method get url /_wmcs
expect status 0 600
rserver host PORTAL1
ip address 172.22.11.241
inservice
rserver host PORTAL2
ip address 172.22.11.243
rserver host QGLRSPW1
inservice
rserver host RMS01
ip address 172.22.10.12
inservice
rserver host RMS02
ip address 172.22.10.8
inservice
serverfarm host PORTAL
failaction purge
probe PORTAL_HTTP
rserver PORTAL1
inservice
rserver PORTAL2
inservice
serverfarm host RMS
failaction purge
probe RMS_HTTP
rserver RMS01
inservice
rserver RMS02
inservice
class-map match-any PORTAL
2 match virtual-address 172.22.10.166 tcp any
class-map match-any RMS
2 match virtual-address 172.22.10.52 tcp eq www
3 match virtual-address 172.22.10.52 tcp eq https
policy-map type loadbalance first-match RMS-POLICY
class class-default
serverfarm RMS
policy-map type loadbalance first-match PORTAL-POLICY
class class-default
serverfarm PORTAL
policy-map multi-match SFARM-LB-POLICY
class RMS
loadbalance vip inservice
loadbalance policy RMS-POLICY
loadbalance vip icmp-reply active
class PORTAL
loadbalance vip inservice
loadbalance policy PORTAL-POLICY
loadbalance vip icmp-reply active
interface vlan 800
description ACE Client Interface
bridge-group 1
mac-sticky enable
service-policy input SFARM-LB-POLICY
no shutdown
interface vlan 898
description ACE Server Interface
bridge-group 1
mac-sticky enable
no shutdown
interface bvi 1
ip address 172.22.11.151 255.255.252.0
alias 172.22.11.153 255.255.252.0
peer ip address 172.22.11.152 255.255.252.0
description Bridge Group for 800 and 898 Interfaces
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.8.17
===================================
Please help. Thanks in advance
Hello!
Well yes it would work. BUT...you have to change your config a bit. First you need to apply your accesslist to both interfaces, or the ACE will reject it, because it is acting as a firewall by default. And second you have to apply the policymap to both interfaces as well or you put the policymap globally on the ACE. -
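The two changes named in the reply can be checked mechanically. The script below is an added example, not part of the thread and not Cisco tooling: it reads an ACE running-config, lists the bridged VLAN interfaces that have no input access-group or do not carry the load-balancing policy (unless that policy is applied globally), and produces the corrected interface blocks. The sample is constructed from the configuration posted above, re-indented as show running-config prints it; the function names are hypothetical.

```python
import re

# Constructed sample: part of the configuration posted in the thread,
# re-indented the way "show running-config" prints it.
SAMPLE_CONFIG = """\
access-list LAN_Traffic line 10 extended permit ip any any
access-list LAN_Traffic line 20 extended permit icmp any any
policy-map multi-match SFARM-LB-POLICY
  class RMS
    loadbalance vip inservice
interface vlan 800
  description ACE Client Interface
  bridge-group 1
  mac-sticky enable
  service-policy input SFARM-LB-POLICY
  no shutdown
interface vlan 898
  description ACE Server Interface
  bridge-group 1
  mac-sticky enable
  no shutdown
interface bvi 1
  ip address 172.22.11.151 255.255.252.0
  no shutdown
"""

IFACE_RE = re.compile(r"interface (vlan \d+)$", re.IGNORECASE)


def parse_config(text):
    """Return (interfaces, global_policies) parsed from an indented config."""
    interfaces, global_policies, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # top-level command closes any open block
            m = IFACE_RE.match(line)
            current = None
            if m:
                current = interfaces.setdefault(
                    m.group(1).lower(),
                    {"bridge_group": None, "acls": [], "policies": []})
            elif line.startswith("service-policy input "):
                # Unindented service-policy: applied globally to the context.
                global_policies.append(line.split()[2])
            continue
        if current is None:  # sub-command of a block we do not track
            continue
        words = line.split()
        if words[0] == "bridge-group" and len(words) == 2:
            current["bridge_group"] = words[1]
        elif words[:2] == ["access-group", "input"] and len(words) == 3:
            current["acls"].append(words[2])
        elif words[:2] == ["service-policy", "input"] and len(words) == 3:
            current["policies"].append(words[2])
    return interfaces, global_policies


def audit_bridged_vlans(text, lb_policy):
    """List (vlan, issue) for bridged VLANs lacking the ACL or the LB policy."""
    interfaces, global_policies = parse_config(text)
    findings = []
    for name in sorted(interfaces, key=lambda n: int(n.split()[1])):
        iface = interfaces[name]
        if iface["bridge_group"] is None:
            continue  # routed interface, outside the scope of this check
        if not iface["acls"]:
            findings.append((name, "no access-group input"))
        if lb_policy not in iface["policies"] and lb_policy not in global_policies:
            findings.append((name, "service-policy input %s missing" % lb_policy))
    return findings


def apply_reply_changes(text, acl, lb_policy):
    """Return the config with the missing lines added under each bridged VLAN."""
    missing = {}
    for name, issue in audit_bridged_vlans(text, lb_policy):
        missing.setdefault(name, []).append(
            "access-group input " + acl if issue.startswith("no access-group")
            else "service-policy input " + lb_policy)
    out, current = [], None
    for raw in text.splitlines():
        out.append(raw)
        if raw and not raw[0].isspace():
            m = IFACE_RE.match(raw.strip())
            current = m.group(1).lower() if m else None
        elif current and raw.split()[:1] == ["bridge-group"]:
            out.extend("  " + cmd for cmd in missing.get(current, []))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for name, issue in audit_bridged_vlans(SAMPLE_CONFIG, "SFARM-LB-POLICY"):
        print(name + ": " + issue)
    print(apply_reply_changes(SAMPLE_CONFIG, "LAN_Traffic", "SFARM-LB-POLICY"))
```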
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
Configuration issue on 1231G AP
Hi,
I configured one vlan and am trying to authenticate it through a radius server. My objective is that when internal users want to connect through this SSID, they just enter a username and password and authenticate through the Radius server. Another vlan is authenticated through MAC addresses that I need to enter manually in the AP.
Can anyone please tell me where I am making a mistake?
Thanks
Saurabh
Hi Surabh,
bridge irb
You need to create dot11 ssid
vlan x
vlan y
then under interface radio 0/1 create subinterfaces
create encapsulation
bridge group command
similarly create on gi 0 sub interfaces
create encapsulation
bridge group command
Bridge route ip
interface bvi ip address
ip default gateway
connect AP to switch port configured as trunk
check your aaa commands
radius server shared secret command is required
https://supportforums.cisco.com/docs/DOC-14496
check this document link
and that should help you
-Srini -
I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
The Interfaces and Nat configs are:
interface vlan 200
description Server-Side-VLAN
bridge-group 5
nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
service-policy input VIPS
interface vlan 300
description Client-Side-VLAN
bridge-group 5
interface bvi 5
ip address 10.1.1.3 255.255.248.0
description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this
policy-map multi-match VIPS
class Port80
loadbalance vip inservice
loadbalance policy Port80
nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
timeout 5
serverfarm Service80
Any suggestions will be appreciated,
Thanks
Hi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again. -
ACE20 Module with Exchange 2010 Configuration
Hello all,
I have deployed the following configuration for Exchange 2010, if all services are up on the two servers it functions good but if a service goes down on one server (especially outlook) some clients are disconnected (stickiness) ...
Stickiness is needed for all services by ip source sticky and by cookies for OWA.
Because all services are on the same server (ip address) the configured sticky causes problems !!! when a service is down the ACE usually forwards requests to it !!!! Any help please.
Configuration :
XXXXX-ACE1/CTXT-EXCHANGE(config)# do sh run
Generating configuration....
access-list BPDU-Allow ethertype permit bpdu
access-list EXCH-LB line 10 extended permit ip any any
probe http HTTP-GET
interval 10
passdetect interval 10
request method get url /iisstart.htm
expect status 200 202
probe icmp PING
interval 3
probe tcp abport
port 7575
interval 2
faildetect 2
passdetect interval 10
passdetect count 1
connection term forced
probe tcp epmap
port 135
interval 2
faildetect 2
passdetect interval 10
passdetect count 1
connection term forced
probe tcp http
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe http http-probe
interval 60
passdetect interval 60
passdetect count 2
request method get url /exchweb/bin/auth/owalogon.asp
expect status 400 404
probe tcp https
port 443
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe http https-probe
interval 60
passdetect interval 60
passdetect count 2
request method get url /owa/auth/login.aspx
expect status 400 404
probe tcp imap
port 143
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe tcp imaps
port 993
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe udp ipsec
port 500
interval 2
passdetect interval 2
passdetect count 1
probe icmp ping
interval 2
passdetect interval 2
passdetect count 1
probe tcp pop3
port 110
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe tcp pop3s
port 995
interval 2
passdetect interval 2
passdetect count 1
connection term forced
probe tcp rpcport
port 7576
interval 2
faildetect 2
passdetect interval 10
passdetect count 5
connection term forced
probe tcp smtp
port 25
interval 2
passdetect interval 2
passdetect count 1
connection term forced
rserver host CAS1
ip address 172.22.101.74
inservice
rserver host CAS2
ip address 172.22.101.76
inservice
rserver host HUB1
ip address 172.22.101.75
inservice
rserver host HUB2
ip address 172.22.101.77
inservice
rserver redirect RPC-REDIRECT
rserver redirect SSLREDIRECT
webhost-redirection https://mail.tunisiana.com/owa 302
inservice
serverfarm host CAS-Outlook
probe PING
probe abport
probe epmap
probe rpcport
fail-on-all
rserver CAS1 135
inservice
rserver CAS1 7575
inservice
rserver CAS1 7576
inservice
rserver CAS2 135
inservice
rserver CAS2 7575
inservice
rserver CAS2 7576
inservice
serverfarm host CAS-http
probe HTTP-GET
probe PING
rserver CAS1 80
inservice
rserver CAS2 80
inservice
serverfarm host CAS-https
probe https
probe ping
rserver CAS1 443
inservice
rserver CAS2 443
inservice
serverfarm host CAS-imap
probe PING
probe imap
rserver CAS1 143
inservice
rserver CAS2 143
inservice
serverfarm host CAS-imaps
probe imaps
probe ping
rserver CAS1 993
inservice
rserver CAS2 993
inservice
serverfarm host CAS-ipsec
probe ipsec
probe ping
rserver CAS1
inservice
rserver CAS2
inservice
serverfarm host CAS-pop3
probe ping
probe pop3
rserver CAS1 110
inservice
rserver CAS2 110
inservice
serverfarm host CAS-pop3s
probe ping
probe pop3s
rserver CAS1 995
inservice
rserver CAS2 995
inservice
serverfarm host CAS-smtp
probe ping
probe smtp
fail-on-all
rserver CAS1 25
inservice
rserver CAS2 25
inservice
serverfarm host HUB
probe ping
probe smtp
rserver HUB1
inservice
rserver HUB2
inservice
serverfarm redirect RPC-REDIRECT
serverfarm redirect SSLREDIRECT
rserver SSLREDIRECT
inservice
parameter-map type http STICKY
persistence-rebalance
parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800
sticky ip-netmask 255.255.255.255 address source HUB-ST
timeout 30
replicate sticky
serverfarm HUB
sticky ip-netmask 255.255.255.255 address source CAS-http-ST
timeout 30
replicate sticky
serverfarm CAS-http
sticky ip-netmask 255.255.255.255 address source CAS-https-ST
timeout 30
replicate sticky
serverfarm CAS-https
sticky ip-netmask 255.255.255.255 address source CAS-imap-ST
timeout 30
replicate sticky
serverfarm CAS-imap
sticky ip-netmask 255.255.255.255 address source CAS-imaps-ST
timeout 30
replicate sticky
serverfarm CAS-imaps
sticky ip-netmask 255.255.255.255 address source CAS-smtp-ST
timeout 30
replicate sticky
serverfarm CAS-smtp
sticky ip-netmask 255.255.255.255 address source CAS-pop3-ST
timeout 30
replicate sticky
serverfarm CAS-pop3
sticky ip-netmask 255.255.255.255 address source CAS-pop3s-ST
timeout 30
replicate sticky
serverfarm CAS-pop3s
sticky ip-netmask 255.255.255.255 address source CAS-ipsec-ST
timeout 30
replicate sticky
serverfarm CAS-ipsec
sticky ip-netmask 255.255.255.255 address source CAS-Outlook-ST
timeout 30
replicate sticky
serverfarm CAS-Outlook
sticky http-cookie sessionid exchange-sticky-sessionid-grp
timeout 20
serverfarm CAS-http
sticky http-cookie cookie OWA-STICKY
cookie insert browser-expire
timeout 60
replicate sticky
serverfarm CAS-http
sticky http-header Authorization CAS-RPC-HTTP
serverfarm CAS-http
class-map match-any CAS-OUTL-MAPI-VIP
2 match virtual-address 172.22.101.69 tcp any
class-map match-any CAS-Outlook-VIP
2 match virtual-address 172.22.101.69 tcp eq 135
3 match virtual-address 172.22.101.69 tcp eq 7575
4 match virtual-address 172.22.101.69 tcp eq 7576
class-map match-any CAS-http-VIP
2 match virtual-address 172.22.101.69 tcp eq www
class-map match-any CAS-https-VIP
2 match virtual-address 172.22.101.69 tcp eq https
class-map match-any CAS-imap-VIP
2 match virtual-address 172.22.101.69 tcp eq 143
class-map match-any CAS-imaps-VIP
2 match virtual-address 172.22.101.69 tcp eq 993
class-map match-any CAS-ipsec-VIP
2 match virtual-address 172.22.101.69 udp eq 500
class-map match-any CAS-pop3-VIP
2 match virtual-address 172.22.101.69 tcp eq pop3
class-map match-any CAS-pop3s-VIP
2 match virtual-address 172.22.101.69 tcp eq 995
class-map match-any CAS-smtp-VIP
2 match virtual-address 172.22.101.69 tcp eq smtp
class-map match-all CAS_SERVERS
2 match source-address 172.22.101.64 255.255.255.192
class-map match-any HUB-VIP
2 match virtual-address 172.22.101.80 any
class-map match-all HUB_SERVERS
2 match source-address 172.22.101.64 255.255.255.192
class-map match-all OWA-OUTLOOKANYWHERE-SSL
2 match virtual-address 172.22.101.69 tcp eq https
class-map match-all OWA-SSL-CM
2 match virtual-address 172.22.101.69 tcp eq https
class-map match-all OWAREDIRECT
2 match virtual-address 172.22.101.69 tcp eq www
class-map type management match-any REMOTE-MGT
201 match protocol snmp any
202 match protocol http any
203 match protocol https any
204 match protocol icmp any
205 match protocol ssh any
206 match protocol telnet any
policy-map type management first-match REMOTE-MGT
class REMOTE-MGT
permit
policy-map type loadbalance first-match CAS-Outlook-policy
class class-default
sticky-serverfarm CAS-Outlook-ST
policy-map type loadbalance first-match CAS-http-policy
class class-default
sticky-serverfarm CAS-http-ST
policy-map type loadbalance first-match CAS-https-policy
class class-default
sticky-serverfarm CAS-https-ST
policy-map type loadbalance first-match CAS-imap-policy
class class-default
sticky-serverfarm CAS-imap-ST
policy-map type loadbalance first-match CAS-imaps-policy
class class-default
sticky-serverfarm CAS-imaps-ST
policy-map type loadbalance first-match CAS-ipsec-policy
class class-default
serverfarm CAS-ipsec
policy-map type loadbalance first-match CAS-pop3-policy
class class-default
sticky-serverfarm CAS-pop3-ST
policy-map type loadbalance first-match CAS-pop3s-policy
class class-default
sticky-serverfarm CAS-pop3s-ST
policy-map type loadbalance first-match CAS-smtp-policy
class class-default
serverfarm CAS-smtp
policy-map type loadbalance first-match HUB-policy
class class-default
serverfarm HUB
policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
policy-map type loadbalance first-match OWA-SSL-PM
class class-default
sticky-serverfarm OWA-STICKY
policy-map type loadbalance http first-match SSLREDIRECT
class class-default
serverfarm SSLREDIRECT
policy-map multi-match CAS-Outlook-POLICY-MAP
class CAS-Outlook-VIP
loadbalance vip inservice
loadbalance policy CAS-Outlook-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-http-POLICY-MAP
class CAS-http-VIP
loadbalance vip inservice
loadbalance policy CAS-http-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-https-POLICY-MAP
class CAS-https-VIP
loadbalance vip inservice
loadbalance policy CAS-https-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-imap-POLICY-MAP
class CAS-imap-VIP
loadbalance vip inservice
loadbalance policy CAS-imap-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-imaps-POLICY-MAP
class CAS-imaps-VIP
loadbalance vip inservice
loadbalance policy CAS-imaps-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-ipsec-POLICY-MAP
class CAS-ipsec-VIP
loadbalance vip inservice
loadbalance policy CAS-ipsec-policy
loadbalance vip icmp-reply
policy-map multi-match CAS-pop3-POLICY-MAP
class CAS-pop3-VIP
loadbalance vip inservice
loadbalance policy CAS-pop3-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-pop3s-POLICY-MAP
class CAS-pop3s-VIP
loadbalance vip inservice
loadbalance policy CAS-pop3s-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match CAS-smtp-POLICY-MAP
class CAS-smtp-VIP
loadbalance vip inservice
loadbalance policy CAS-smtp-policy
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
policy-map multi-match EXCH-POLICY
  class CAS-imap-VIP
    loadbalance vip inservice
    loadbalance policy CAS-imap-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-imaps-VIP
    loadbalance vip inservice
    loadbalance policy CAS-imaps-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-pop3-VIP
    loadbalance vip inservice
    loadbalance policy CAS-pop3-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-pop3s-VIP
    loadbalance vip inservice
    loadbalance policy CAS-pop3s-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-smtp-VIP
    loadbalance vip inservice
    loadbalance policy CAS-smtp-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-http-VIP
    loadbalance vip inservice
    loadbalance policy CAS-http-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-https-VIP
    loadbalance vip inservice
    loadbalance policy CAS-https-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
  class CAS-OUTL-MAPI-VIP
    loadbalance vip inservice
    loadbalance policy CAS-Outlook-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
policy-map multi-match HUB-POLICY-MAP
  class HUB-VIP
    loadbalance vip inservice
    loadbalance policy HUB-policy
    loadbalance vip icmp-reply
    connection advanced-options TCP_IDLE_30min
interface vlan 52
  description #### vlan client side EXCHANGE ####
  bridge-group 1
  access-group input BPDU-Allow
  access-group input EXCH-LB
  service-policy input REMOTE-MGT
  service-policy input HUB-POLICY-MAP
  service-policy input EXCH-POLICY
  no shutdown
interface vlan 54
  description #### vlan client side ACE_EXCHANGE ####
  bridge-group 1
  access-group input BPDU-Allow
  access-group input EXCH-LB
  service-policy input REMOTE-MGT
  service-policy input HUB-POLICY-MAP
  service-policy input EXCH-POLICY
  no shutdown
interface bvi 1
  ip address 172.22.101.123 255.255.255.192
  peer ip address 172.22.101.122 255.255.255.192
  description EXCHANGE-Bridged-vlans
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.101.126
Best Regards
Thank you for your email. I am out of the office until March 25th, I will have limited access to my e-mail during this period.
In my absence, please feel free to contact Mr Akram Allani : [email protected]
Thank you for your understanding.
Best regards,
Youssef Boukari -
Hello Experts
We have a small setup with 6 standalone APs, model 1142. The DHCP server is Windows 2003. All were working fine, but lately we noticed that the APs cannot provide IP addresses to users; this happens on all APs now. On checking, we didn't find any issue with the DHCP server, and nothing was changed in the configuration on the APs. If I connect the users via network cable, they get an IP address. Any assistance in identifying the issue?
cheers
CP
Hello Cisco,
As per your query, I can suggest the following steps:
Assigning an IP Address Using the CLI
When you connect the wireless device to the wired LAN, the wireless device links to the network using a bridge virtual interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the wireless device's Ethernet and radio ports, the network uses the BVI.
When you assign an IP address to the wireless device using the CLI, you must assign the address to the BVI. Beginning in privileged EXEC mode, follow these steps to assign an IP address to the wireless device's BVI:
Step 1 configure terminal
Enter global configuration mode.
Step 2 interface bvi1
Enter interface configuration mode for the BVI.
Step 3 ip address address mask
Assign an IP address and address mask to the BVI.
Note If you are connected to the wireless device using a Telnet session, you lose your connection to the wireless device when you assign a new IP address to the BVI. If you need to continue configuring the wireless device using Telnet, use the new IP address to open another Telnet session to the wireless device.
Hope this will help you. -
I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the server farm but doesn't belong to this server farm.
I thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass (transparent mode). Is that correct?
What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable:
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
  expect status 200 200
rserver host RS_WEB1
  ip address 10.10.10.163
  inservice
rserver host RS_WEB2
  ip address 10.10.10.164
  inservice
rserver host RS_WEB3
  ip address 10.10.10.165
  inservice
rserver host RS_WEB4
  ip address 10.10.10.167
  inservice
serverfarm host SF_FIREGROUP
  rserver RS_WEB1
    inservice
  rserver RS_WEB2
    inservice
  rserver RS_WEB3
    inservice
  rserver RS_WEB4
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
  replicate sticky
  serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
  cookie insert browser-expire
  serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
  2 match virtual-address 10.10.10.169 tcp eq www
  4 match virtual-address 10.10.10.169 tcp eq 8081
  5 match virtual-address 10.10.10.169 tcp eq 8082
  6 match virtual-address 10.10.10.169 tcp eq 8083
  7 match virtual-address 10.10.10.169 tcp eq 8084
  8 match virtual-address 10.10.10.169 tcp eq 8085
  9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
  2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
  class class-default
    sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
  class class-default
    sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
  class VS_FIREGROUP
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip advertise active
  class VS_FIREGROUP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip advertise active
interface vlan 4
  bridge-group 1
  access-group input INBOUND
  service-policy input HTTP_HTTPS_MULTI_MATCH
  no shutdown
interface vlan 700
  bridge-group 1
  access-group input INBOUND
  no shutdown
interface bvi 1
  ip address 10.10.10.150 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
Regards,
Kanwal -
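A config-side check for the question above, as an added example that is not part of the thread: it reads a flat ACE configuration dump, classifies a destination as VIP, real server, BVI or pass-through, and lists bridged VLANs that have no input ACL with a permit entry (ACE denies traffic on an interface unless an ACL permits it). The excerpt is constructed from the posted configuration, the function names are hypothetical, and ACL entries are not evaluated against the address.

```python
# Constructed excerpt of the configuration posted above, flat as on the page.
CONFIG = """\
access-list INBOUND line 8 extended permit ip any any
rserver host RS_WEB1
ip address 10.10.10.163
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
interface vlan 4
bridge-group 1
access-group input INBOUND
interface vlan 700
bridge-group 1
access-group input INBOUND
interface bvi 1
ip address 10.10.10.150 255.255.255.0
"""

def parse(config):
    """Walk the flat dump, tracking which top-level block each line is in."""
    roles, vlans, acls, ctx = {}, {}, set(), None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and "permit" in w:
            acls.add(w[1])               # ACL has at least one permit entry
        elif w[:2] == ["rserver", "host"]:
            ctx = ("rserver", w[2])
        elif w[0] == "interface":
            ctx = (w[1], w[2])           # ("vlan", "4") or ("bvi", "1")
            if w[1] == "vlan":
                vlans[w[2]] = {"bridge": None, "acl_in": None}
        elif w[0] in ("class-map", "policy-map", "serverfarm", "probe", "sticky"):
            ctx = None                   # left the rserver/interface block
        elif w[:2] == ["ip", "address"] and ctx and ctx[0] in ("rserver", "bvi"):
            roles[w[2]] = ctx[0]
        elif "virtual-address" in w:
            roles[w[w.index("virtual-address") + 1]] = "vip"
        elif ctx and ctx[0] == "vlan" and w[0] == "bridge-group":
            vlans[ctx[1]]["bridge"] = w[1]
        elif ctx and ctx[0] == "vlan" and w[:2] == ["access-group", "input"]:
            vlans[ctx[1]]["acl_in"] = w[2]
    return roles, vlans, acls

def check(config, ip):
    """Return (role of ip, bridged VLANs lacking a permitting input ACL)."""
    roles, vlans, acls = parse(config)
    blocked = sorted(v for v, i in vlans.items()
                     if i["bridge"] and i["acl_in"] not in acls)
    return roles.get(ip, "pass-through"), blocked
```

For 10.10.10.168 this returns `("pass-through", [])`: the address is neither a VIP nor a real server and both bridged VLANs carry a permitting input ACL, which leaves the MAC/ARP check suggested in the reply as the next step.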
Server-conn reuse!!!
We have 4 Bluecoats with an ACE 4710 to load balance. The ACE is used in bridge mode. We are using URL hashing.
We were facing internet slowness: we were waiting about 15 secs to get a response in the internet browsers when opening any URL; even the requests were reaching the Bluecoats after 15 secs.
We opened a Cisco TAC case and the Cisco engineer asked us to add "Server-conn reuse" under the http parameters. This solved the slowness and now the response is very good.
But we got another issue after adding this command. Now, every 3 or 4 URL requests, the browser asks for authentication. We are using single sign-on with the Bluecoats. The authentication prompt even appears within the same website in the same IE page.
As a test we removed the added command "Server-conn reuse" and now the authentication page is not coming, but we are facing the slowness again.
I saw in the forums a command to check the reuse; the output from this command is below.
BC-LB1/BlueCoat# show np 1 me-stats "-socm -v" | i [uU][sS][eE]
Reuse retrieve link update conn invalid 0 0
Reuse retrieve link update conn not on r 0 0
Reuse retrieve success but conn invalid: 1979 0
Reuse retrieve miss: 7219215 0
Reuse conns retrieved: 22304174 0
Below the sh run and sh version
BC-LB1/BlueCoat# show ver
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 1985-2011 by Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
Software
loader: Version 0.95.1
system: Version A4(2.1a) [build 3.0(0)A4(2.1a) adbuild_21:41:15-2011/07/21_/auto/adbure_nightly4/renumber/rel_a4_2_1_throttle/R
EL_3_0_0_A4_2_1A]
system image file: (hd0,1)/c4710ace-t1k9-mz.A4_2_1a.bin
Device Manager version 4.2 (0) 20110629:0926
installed license: no feature license is installed
Hardware
cpu info:
Motherboard:
number of cpu(s): 2
Daughtercard:
number of cpu(s): 16
memory info:
total: 6226372 kB, free: 4391668 kB
shared: 0 kB, buffers: 20060 kB, cached 0 kB
cf info:
filesystem: /dev/hdb2
total: 861668 kB, used: 550688 kB, available: 267208 kB
last boot reason: Unknown
configuration register: 0x1
BC-LB1 kernel uptime is 27 days 19 hours 3 minute(s) 14 second(s)
BC-LB1/BlueCoat# sho run
Generating configuration....
logging timestamp
logging trap 5
logging buffered 7
access-list HTTPMontor line 8 extended permit tcp host 193.188.163.194 any eq www
access-list HTTPMontor line 16 extended permit tcp any eq www host 193.188.163.194
access-list ICMP line 5 extended permit icmp any any
access-list ICMP line 10 extended permit ip any any
probe http BC_80
  description *** Probe for WWW health monitoring ***
  port 80
  interval 5
  faildetect 2
  passdetect interval 60
  passdetect count 2
  receive 3
  request method head
  expect status 200 401
  open 1
probe icmp ICMP_PROBE1
  description *** Probe for icmp health monitoring ***
  interval 5
  faildetect 2
  passdetect interval 60
  passdetect count 2
  receive 3
rserver host KOC-BC-1
  ip address 10.100.210.205
  inservice
rserver host KOC-BC-2
  ip address 10.100.210.206
  inservice
rserver host KOC-BC-3
  ip address 10.100.210.207
  inservice
rserver host KOC-BC-4
  ip address 10.100.210.208
  inservice
serverfarm host BC_SF
  description * BlueCoat server farm
  predictor hash header Host
  probe ICMP_PROBE1
  rserver KOC-BC-1
    inservice
  rserver KOC-BC-2
    inservice
  rserver KOC-BC-3
    inservice
  rserver KOC-BC-4
    inservice
serverfarm host BC_SF_none_http
  probe ICMP_PROBE1
  rserver KOC-BC-1
    inservice
  rserver KOC-BC-2
    inservice
  rserver KOC-BC-3
    inservice
  rserver KOC-BC-4
    inservice
serverfarm host TOPHITsFarm
  rserver KOC-BC-4
    inservice
parameter-map type http pm_http
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 8192
  length-exceed continue
  parsing non-strict
sticky ip-netmask 255.255.255.0 address source IPSourceSticky
  timeout 480
  timeout activeconns
  serverfarm BC_SF
sticky ip-netmask 255.255.255.0 address source IPSourceSticky_none_http
  timeout 480
  replicate sticky
  serverfarm BC_SF_none_http
class-map match-all BC_VIP
  2 match virtual-address 10.100.210.209 tcp eq www
class-map match-all BC_VIP8080
  2 match virtual-address 10.100.210.209 tcp eq 8080
class-map match-all BC_VIPftp20
  2 match virtual-address 10.100.210.209 tcp eq ftp-data
class-map match-all BC_VIPftp21
  2 match virtual-address 10.100.210.209 tcp eq ftp
class-map match-all BC_VIPhttps
  2 match virtual-address 10.100.210.209 tcp eq https
class-map type http loadbalance match-any Class-All
  2 match source-address 0.0.0.0 0.0.0.0
class-map type http loadbalance match-any NBK
  2 match http url /WOLWebUI/*
class-map type http loadbalance match-any TOPHITS
  10 match http header Host header-value ".*youtube.com"
  20 match http header Host header-value ".*athenaonline.com"
class-map type management match-any mgmt-cm
  2 match protocol http source-address 193.188.163.194 255.255.255.255
  3 match protocol icmp source-address 193.188.163.194 255.255.255.255
  4 match protocol https source-address 193.188.163.194 255.255.255.255
  5 match protocol ssh source-address 193.188.163.194 255.255.255.255
  6 match protocol telnet source-address 193.188.163.194 255.255.255.255
  7 match protocol http source-address 193.188.163.193 255.255.255.255
  8 match protocol https source-address 193.188.163.193 255.255.255.255
  9 match protocol icmp source-address 193.188.163.193 255.255.255.255
  10 match protocol ssh source-address 193.188.163.193 255.255.255.255
  11 match protocol telnet source-address 193.188.163.193 255.255.255.255
  12 match protocol snmp source-address 10.1.206.20 255.255.255.255
policy-map type management first-match mgmt-pm
  class mgmt-cm
    permit
policy-map type loadbalance first-match BC_VIP-l7slb
  class class-default
    serverfarm BC_SF
policy-map type loadbalance first-match BC_VIP8080-l7slb
  class class-default
    serverfarm BC_SF
policy-map type loadbalance first-match BC_VIPftp20-l7slb
  class class-default
    sticky-serverfarm IPSourceSticky
policy-map type loadbalance first-match BC_VIPftp21-l7slb
  class class-default
    serverfarm BC_SF_none_http
policy-map type loadbalance first-match BC_VIPhttps-l7slb
  class class-default
    sticky-serverfarm IPSourceSticky_none_http
policy-map multi-match int209
  class BC_VIP
    loadbalance vip inservice
    loadbalance policy BC_VIP-l7slb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options pm_http
  class BC_VIPhttps
    loadbalance vip inservice
    loadbalance policy BC_VIPhttps-l7slb
    loadbalance vip icmp-reply active
  class BC_VIPftp21
    loadbalance vip inservice
    loadbalance policy BC_VIPftp21-l7slb
    loadbalance vip icmp-reply active
    inspect ftp
  class BC_VIP8080
    loadbalance vip inservice
    loadbalance policy BC_VIP-l7slb
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options pm_http
interface vlan 210
  description " Web client side"
  bridge-group 125
  mac-sticky enable
  access-group input ICMP
  access-group output ICMP
  service-policy input mgmt-pm
  service-policy input int209
  no shutdown
interface vlan 211
  description "BC server side"
  bridge-group 125
  mac-sticky enable
  access-group input ICMP
  access-group output ICMP
  no shutdown
interface bvi 125
  ip address 10.100.210.214 255.255.255.0
  alias 10.100.210.15 255.255.255.0
  peer ip address 10.100.210.216 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.100.210.1