One armed VIP and FTP
I have a need to use one-armed load balancing for some servers. I have 4 contents set up using this and I have the four corresponding groups set up. Two of the contents work fine; they are using SSL. The other 2 fail and they are both using FTP. It looks like it is failing on the data channel connection, because I can log in to the server but cannot get any data. Is there a way to correct this?
check the following URL:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml
It explains that you need a source group for the FTP data connection.
Since you also need a group to NAT the client IP address, you have a problem, because you can't do both at the same time.
The solution is to use an ACL and the 'sourcegroup' option.
So you keep your group but remove all the services attached inside it.
Then you create an ACL like this one (<your-group> stands for the name of that group):
acl 1
clause 10 permit tcp any destination any eq 21 sourcegroup <your-group>
apply circuit-(VLAN-client)
acl 2
clause 10 permit tcp any destination any sourcegroup <your-group>
apply circuit-(VLAN-server)
This should work.
If not, make sure to try both passive and active ftp to see if at least one works.
Gilles.
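Gilles suggests trying both passive and active FTP. Which mode is in use decides who opens the data connection and therefore which direction has to be carried back through the load balancer, which is the whole reason the source group exists. The script below is an added example, not part of the original thread or of the CSS document it links to: it decodes the PORT command and the 227 passive-mode reply from a control-channel capture and reports who initiates each data connection and whether a passive reply advertises the VIP or the real server's own address. The VIP 192.0.2.10, the real server 10.1.1.21 and the transcript lines are constructed.

```python
import re

# Constructed control-channel excerpt: a client that logged in to VIP 192.0.2.10,
# first transferring in passive mode, then in active mode. Not a capture from the thread.
VIP = "192.0.2.10"
TRANSCRIPT = [
    "220 FTP server ready",
    "USER alice",
    "230 Login successful",
    "PASV",
    "227 Entering Passive Mode (10,1,1,21,195,80).",   # real server address, not the VIP
    "RETR report.txt",
    "PORT 203,0,113,7,4,1",                            # client asks the server to connect back
    "200 PORT command successful",
    "RETR report.txt",
]

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply into (ip, port)."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def data_channel(line, vip):
    """Classify one control-channel line; None unless it sets up a data connection.

    Active mode (PORT): the *server* opens the data connection, so it leaves from the real
    server's address and must be source-NATed to the VIP on the way out (the source group
    discussed above). Passive mode (227): the *client* opens the data connection to the
    advertised address; 'advertises_vip' is False when that address is the real server
    rather than the VIP the client logged in to, i.e. the data connection would not pass
    through the load balancer at all. For active mode the field is None (not applicable).
    """
    if line.upper().startswith("PORT "):
        return {"mode": "active", "initiator": "server",
                "endpoint": parse_hostport(line), "advertises_vip": None}
    if line.startswith("227 "):
        ep = parse_hostport(line)
        return {"mode": "passive", "initiator": "client",
                "endpoint": ep, "advertises_vip": ep[0] == vip}
    return None


def audit(transcript, vip=VIP):
    """Return the data-connection set-ups found in a control-channel transcript, in order."""
    return [r for r in (data_channel(line, vip) for line in transcript) if r]


if __name__ == "__main__":
    for result in audit(TRANSCRIPT):
        print(result)
```

Run against a real capture, a passive reply that advertises the real server instead of the VIP, or an active-mode connection arriving at the client from the real server's address rather than the VIP, pinpoints which side of the data channel the one-armed setup is not translating.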
Similar Messages
-
CSS 11503 One-arm Design and Server Default Gateway
Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
Tom
Hi Tom,
If you use one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows: it needs to see both sides of the flow (client and server side) in order to handle things correctly. With this kind of setup, even when the server points to the CSS as its default gateway, ICMP redirects might force the traffic path to change dynamically.
You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada. -
CSS one-armed-config and SMTP reverse lookup problems?
I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
Is this a valid concern?
The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web server administrators for accounting purposes.
In a one-armed configuration, only the network port (Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link.
http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml -
Meaning of one-arm setup and src nat
I've worked previously on CSS platform and recall deploying one-arm mode, which simply meant connecting the appliance via single physical trunk link.
In terms of the ACE, some docos and ANM seem to suggest that one-arm requires src NAT; if true, why is that, unless one-arm now translates to one VLAN?
btw I know about asymmetric routing and src NAT, but what I'm failing to get is how that relates to one-arm.
thanks
Hello Ajaz,
generally the convention is to call "one arm" those setups where both clients and servers, for a certain load-balanced service (so VIP), belong to the same VLAN; see for example how it's defined here:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
Not sure whether the definition has changed over time. I would guess that it can be intended in the physical sense (single link), as you do, or in the logical sense, where 2 VLANs would represent 2 arms even if the physical connectivity is provided through just one link. From my experience, in the LB field the logical interpretation is prevalent.
Thanks,
Francesco -
One armed bandit and one port to another
I was trying to set up a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP, but on the backend take you to hoot1.hooty.com port 8443, say, while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
http://www.cisco.com/warp/public/117/one_armed_bandit.html
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
active
group Servers2
vip address 26.19.98.45
add destination service oldwww:443
css-n1-1(config)# group Servers2
css-n1-1(config-group[Servers2])# active
%% An active source group with that address already exists
The port number of the VIP does not have to be the same as the real server's.
You can set the port you want for the real server with the 'port' command under the service definition.
This is true for one-armed or any other type of setup.
The problem in your config is that you can't create 2 groups using the same vip ip address.
So, simply configure all your servers under one group.
i.e.:
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
add destination service oldwww:443
active
Gilles. -
Virtualisation and One Arm mode
Hi All ,
Is it possible to make one context one-arm mode and the rest normal?
-parvees
Yes, no restriction. 1-arm mode is just placing the VIP in the servers' subnet and using source NAT for clients.
-
Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921
Is there a way to perform DNAT + SNAT and portmap disable on the Cisco CSS 11503? I need to do a DNAT in a one-armed configuration and then SNAT for UDP traffic with SRC port 9211 and DST port 9211. I don't need load balancing, only NAT. Is there a way to solve this issue with an ACL? Any help will be appreciated...
Thanks
If you want to do DNAT, you have to do it with a content rule.
The vip will be nated to the service address.
Then you need a group to nat the client ip.
Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
Gilles. -
ACE One Arm Mode vs Routed Mode
Gents,
When is it required to use One Arm Mode, and when do I use Routed Mode? Actually I am confused and would really like to know the pros and cons of each.
Regards,
Hesham
Hi Hesham,
When you do not want to change the physical topology of your network, then you usually go with ONE ARM mode.
That is, you keep the default gateway and the IP addressing on the servers. In this case the client can access the server directly as well.
It's a flat network topology where your VIP and servers are in the same network (VLAN).
You use routed mode when you want to segregate the servers in a separate VLAN and don't want to allow clients to access it directly.
Client and VIP in same VLAN >>> ACE >>>>>> Server VLAN ( In this case we usually point the default gateway to ACE)
hope it helps.
regards,
Ajay Kumar -
Is it possible to preserve the client's originating IP address somewhere while using the 4710 in one-armed mode? I have a situation where the client source IP is needed, and I am deciding between one-armed mode and inline. I'd like to use one-armed, so that only load-balanced traffic traverses the load balancer, but I haven't seen an example where that can be done without losing the client's src address.
The only thing I can think of is HTTP header insertion. Create an action-list that inserts the original client src IP/port into the HTTP header. The configuration is quite simple:
action-list type modify http <name>
header insert both Host header-value %is:%ps
Then apply the action-list to your loadbalance policy-map.
Take a look at the URL below for further information:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1131842
But that depends on your situation. If the original client src IP/port is expected in the L3/L4 header, this won't cut it. Is this for logging purposes or some form of packet filtering?
If you intend to run your ACE in one-arm mode, in my opinion, src NAT and header insertion is your only option.
hth
/Ulrich -
ACE 4700 one-arm design with SSL termination
Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George Georgiou
There are two ways to implement a One Arm topology:
1. One Arm with PBR, and 2. One Arm with SRC NAT.
PBR/source NAT is needed to ensure that the return traffic from the real servers does not bypass the ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are the following.
One ARM with PBR:
Direct access to servers requires enabling asymmetric routing (by turning off normalization). If direct server access is not required, then you don't need to enable asymmetric routing. Now for these asymmetric connections (direct server access return traffic) it is required to purge idle connections more frequently (the default being one hour).
One ARM with SRC NAT:
You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes, you can do that, but wouldn't it make it a routed-mode topology?
3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
As I said earlier, you lose the source IP address with SRC NAT. But with the ACE you have the option to use header-insert and insert this source IP as an HTTP header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed -
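Both Ulrich's action-list (header-value %is:%ps, i.e. the original client's IP and port) and Syed's header-insert answer put the client address into an HTTP header after source NAT has replaced it at layer 3. The receiving side then has to decide when that header may be believed: in one-arm mode the servers stay directly reachable, so anyone bypassing the VIP can send the same header. The following Python is an added example, not code from the thread or from Cisco: it accepts the inserted header only when the TCP peer is the load balancer's NAT pool and falls back to the peer address otherwise. The NAT pool address 10.0.9.124, the header name X-Real-Client (the thread inserts into Host; a dedicated header is assumed here) and the log records are constructed.

```python
import ipaddress

# Constructed values: the ACE NAT pool address from which the real servers see every
# load-balanced connection, and the header name assumed for the action-list's
# 'header insert ... header-value %is:%ps' (value is "ip:port" of the original client).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.9.124/32")]
CLIENT_HEADER = "X-Real-Client"


def client_endpoint(peer_ip, headers, trusted=TRUSTED_PROXIES, header=CLIENT_HEADER):
    """Return (client_ip, client_port) for one request.

    The inserted header is honoured only when the TCP peer is one of the load balancer's
    NAT pool addresses. A peer that reached the server directly (which one-arm mode allows)
    may carry a forged header, so for such peers, and for malformed values, the peer
    address itself is returned with port None.
    """
    peer = ipaddress.ip_address(peer_ip)
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    value = lowered.get(header.lower())
    if value is not None and any(peer in net for net in trusted):
        ip_text, _, port_text = value.rpartition(":")       # "%is:%ps" -> ip, port
        try:
            return str(ipaddress.ip_address(ip_text)), int(port_text)
        except ValueError:
            pass  # malformed value: fall back to the peer rather than trusting it
    return str(peer), None


# Constructed access-log records as a real server behind the NAT pool would see them.
LOG = [
    {"peer": "10.0.9.124", "headers": {"X-Real-Client": "203.0.113.7:51234"}, "request": "GET /login"},
    {"peer": "10.0.9.124", "headers": {}, "request": "GET /healthz"},             # no header inserted
    {"peer": "198.51.100.9", "headers": {"x-real-client": "203.0.113.7:1"}, "request": "GET /admin"},  # direct peer
]


def attribute(log):
    """Map each record to the address the server log should be written under."""
    return [(client_endpoint(r["peer"], r["headers"])[0], r["request"]) for r in log]


if __name__ == "__main__":
    for client, request in attribute(LOG):
        print(client, request)
```

The same rule applies to any access-control decision made on the inserted address: it is only as trustworthy as the set of peers allowed to assert it, which is why the trusted list is the NAT pool rather than the whole server VLAN.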
Sniffer Trace on ACE w/VACLs and One-Arm Design
Wow...that was a mouthful of a title!
Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
The VLAN for my ACE is 3002. It is the only VLAN in this context. I have a WildPackets OmniEngine connected to a port on the 6500. Here is its config:
interface GigabitEthernet x/xx
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport capture
switchport capture allowed vlan 3002
no ip address
no cdp enable
Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
bc
This can be done by setting up a monitor session on the Sup, with the TenGig/1 as SPAN source, and a trunk port as SPAN destination.
For example, if the ACE is in slot X, the configuration would be:
monitor session 10 source interface TeX/1
monitor session 10 destination interface Giy/z
The configuration for this port would be:
int giy/z
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
Syed Iftekhar Ahmed -
ACE in one-arm model. VIP on Client Side, servers in other vlan
Hello All
I have a LAN with many servers, but only 2 need to be balanced. So I'm thinking of the one-arm model, due to the high traffic that should not pass through the ACE.
I have a VLAN 900 where the client side and the VIP are (10.0.9.64/26).
The servers are in VLAN 503 (10.12.3.0/24).
It's my first design with one-arm, but I think something is missing, because it doesn't work.
The configuration is the following:
MSFC:
svclc module 1 vlan-group 1,2
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
Maybe I need to allocate VLAN 503 in the OSS context; any advice?
Thanks in advance,
Gianni from Chile
Since your servers are not behind the ACE in either bridged or routed mode, add the following to your config and use NAT to get the traffic back to the ACE.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 10.0.9.126 10.0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown -
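The fix above, and the earlier answer that "1-arm mode is just placing the VIP in the server's subnet and using source NAT for clients", comes down to two lines: a 'nat dynamic' under the VIP class and a matching 'nat-pool' on the interface. Missing either silently produces exactly the symptom in this thread, a VIP that accepts connections whose replies never return through the ACE. The Python below is an added example, not a Cisco tool and not code from the thread: it parses a flattened ACE context config (keying on keywords, since the pasted configs carry no indentation), and reports every in-service VIP class that has no usable source-NAT pool. The sample context is modelled on the one above; the pool address 10.0.9.124 is a constructed, unused address in the VLAN 900 subnet.

```python
import ipaddress
import re

# Constructed context config modelled on the one-arm deployment above (VIP 10.0.9.66 on
# VLAN 900, servers on another VLAN behind the MSFC). Indentation is flattened, exactly
# as the thread shows it, so the parser keys on keywords rather than on indent.
BEFORE = """\
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
ip address 10.0.9.125 255.255.255.192
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
"""
# The same context with source NAT added; 10.0.9.124 is a constructed, unused address.
AFTER = BEFORE.replace(
    "loadbalance vip icmp-reply\n",
    "loadbalance vip icmp-reply\nnat dynamic 10 vlan 900\n",
).replace(
    "ip address 10.0.9.125 255.255.255.192\n",
    "ip address 10.0.9.125 255.255.255.192\n"
    "nat-pool 10 10.0.9.124 10.0.9.124 netmask 255.255.255.192 pat\n",
)

TOP_LEVEL = ("policy-map", "interface", "class-map", "serverfarm", "rserver",
             "access-list", "ip route")


def parse_ace(config):
    """Collect multi-match policies (class -> VIP/NAT flags) and VLAN interfaces (pools, subnet)."""
    policies, interfaces = {}, {}
    block = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"policy-map multi-match (\S+)", line):
            block, cls = ("policy", m.group(1)), None
            policies[m.group(1)] = {}
        elif m := re.match(r"interface vlan (\d+)", line):
            block, cls = ("interface", int(m.group(1))), None
            interfaces[block[1]] = {"pools": {}, "policies": [], "net": None}
        elif line.startswith(TOP_LEVEL):
            block = cls = None          # some other top-level stanza we do not model
        elif block and block[0] == "policy":
            classes = policies[block[1]]
            if m := re.match(r"class (\S+)", line):
                cls = m.group(1)
                classes[cls] = {"vip": False, "nat": None}
            elif cls and line == "loadbalance vip inservice":
                classes[cls]["vip"] = True
            elif cls and (m := re.match(r"nat dynamic (\d+) vlan (\d+)", line)):
                classes[cls]["nat"] = (int(m.group(1)), int(m.group(2)))
        elif block and block[0] == "interface":
            iface = interfaces[block[1]]
            if m := re.match(r"ip address (\S+) (\S+)", line):
                iface["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := re.match(r"nat-pool (\d+) (\S+) (\S+) netmask \S+( pat)?$", line):
                iface["pools"][int(m.group(1))] = (ipaddress.ip_address(m.group(2)),
                                                   ipaddress.ip_address(m.group(3)), bool(m.group(4)))
            elif m := re.match(r"service-policy input (\S+)", line):
                iface["policies"].append(m.group(1))
    return policies, interfaces


def lint_one_arm(config):
    """Return findings; an empty list means every in-service VIP has a usable source-NAT pool."""
    findings = []
    policies, interfaces = parse_ace(config)
    for pname, classes in policies.items():
        if not any(pname in i["policies"] for i in interfaces.values()):
            findings.append(f"{pname}: not applied to any interface")
        for cname, c in classes.items():
            if not c["vip"]:
                continue
            if c["nat"] is None:
                findings.append(f"{pname}/{cname}: VIP in service without 'nat dynamic'; "
                                "server replies will bypass the ACE")
                continue
            pool_id, vlan = c["nat"]
            pool = interfaces.get(vlan, {"pools": {}})["pools"].get(pool_id)
            if pool is None:
                findings.append(f"{pname}/{cname}: nat-pool {pool_id} not defined on vlan {vlan}")
                continue
            start, end, pat = pool
            net = interfaces[vlan]["net"]
            if net and not (start in net and end in net):
                findings.append(f"{pname}/{cname}: nat-pool {pool_id} lies outside {net}")
            if start == end and not pat:   # one address, one-to-one: a single client at a time
                findings.append(f"{pname}/{cname}: single-address nat-pool {pool_id} without 'pat'")
    return findings


if __name__ == "__main__":
    print("before:", lint_one_arm(BEFORE))
    print("after:", lint_one_arm(AFTER))
```

Feed it the output of 'show running-config' from a context; a VIP reported without 'nat dynamic' in a one-arm context is the first thing to check before looking at routing on the MSFC.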
CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy
With Reference to the following CCO documentation;
1). "How to Configure the CSS to Load Balance Using 1 Interface"
In this example, the real servers' (10.10.10.2 etc.) gateway is pointed to the router's gateway (10.10.10.1) and the 'add destination service' command is used to NAT the real server's IP address back to the VIP (10.10.10.6).
2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
In the interface redundancy configuration, the gateway of the real server is configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the router's gateway.
Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
(i). Is the reason for configuring the gateway of the real server to the CSS11000's Interface Redundancy Address in 2) the same as using the 'add destination service' command in 1)? That is, to make sure that the return path from the real server back to the client passes through the CSS and is NATed back to the VIP.
(ii). To configure VIP (non-shared)/IP interface redundancy (Active/Backup mode) in a one-arm configuration, my understanding is that there are 2 methods of configuration. Is that correct? Which method is preferred?
Method a)
1.Configure the Real Server's gateway to Router's Gateway
2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
3.Configure VIP(non-shared) redundancy for the VIP on the CSS
4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
Method b)
1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
3. Configure VIP (non-shared) redundancy for the VIP on the CSS
If you use method a) (server gateway is the router) you need the CSS to NAT the source IP address of the client in order to force the server to send traffic back to the CSS.
The issue then is that the server does not see the IP address of the real client.
The server only sees connections with source IP address = CSS IP address.
With method b) you don't have the above problem, but connections initiated by the servers are sent to the CSS, which then sends them to the router.
You have a performance issue because the traffic will cross the one-armed interface twice.
If this is a new design, it is strongly recommended not to use one-armed setup.
Regards,
Gilles. -
Cannot ping VIP in One-Arm mode
Hello.
I can ping the IP addresses of the VLAN and access via management; the real servers are Active along with the VIP service (i.e. show service-policy), but I cannot ping the VIP interface, and traces do not show any traffic hitting it, because the 6500 the ACE (vc4710ace-mz.A1_8_0a) is connected to has no ARP entry for the VIP.
It's in One-Arm mode; one gig-link to core, vlan 141.
I've attached the config.
Anyone got any ideas what I'm missing, please?
Hi,
the default gateway of your servers is the upstream router.
Have a look at following link: http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
Nevermind the picture, it should look more like this: http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Using_an_Existing_Chained_Certificate_and_Key_in_One_Arm_Mode_Configuration_Example
HTH,
Dario -
Please verify the CSS and SCA configuration for one-armed transparent mode
I have a problem configuring one-armed transparent mode. I cannot access the server with "https://9.9.9.1", even though "http://9.9.9.1:80" and "http://9.9.9.1:81" are operational. It looks like the CSS cannot communicate properly with the SCA.
I couldn't figure it out from the CCO sample configuration. Please correct the attached configuration.
Thanks,
** connectivity ********
<client>----<router>----<CSS>---<SCA>,<Server>
- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
- SCA=11.11.11.100, connect to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
** configuration *********
CSS11050# sh run
!Generated on 01/01/2079 00:00:47
!Active version: ap0500105
configure
!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e3
bridge vlan 3
interface e4
bridge vlan 4
interface e5
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 9.9.9.2 255.255.255.0
circuit VLAN2
ip address 8.8.8.2 255.255.255.0
circuit VLAN3
ip address 11.11.11.1 255.255.255.0
circuit VLAN4
ip address 10.147.153.1 255.255.255.0
!************************** SERVICE **************************
service ING_SVC_12
protocol tcp
ip address 10.147.153.12
active
service ING_SVC_15
protocol tcp
ip address 10.147.153.15
active
service ING_SVC_SCA
port 443
protocol tcp
ip address 11.11.11.100
type transparent-cache
no cache-bypass
active
service upstream
ip address 8.8.8.3
type transparent-cache
active
!*************************** OWNER ***************************
owner ING_OWNER
content cnt_443
add service ING_SVC_SCA
protocol tcp
port 443
vip address 9.9.9.1
active
content cnt_80
add service ING_SVC_12
add service ING_SVC_15
protocol tcp
port 80
url "/*"
vip address 9.9.9.1
active
content cnt_81
add service ING_SVC_12
add service ING_SVC_15
vip address 9.9.9.1
protocol tcp
port 81
url "/*"    <-- with url "/secure/*" instead, "http://9.9.9.1:81" does not work from the client.
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
acl 2
clause 10 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 10 permit any any destination any
apply circuit-(VLAN3)
acl 4
clause 10 permit any any destination any
apply circuit-(VLAN4)
ING_SCA# sh run
# Cisco SCA Device Configuration File
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"
### Password ###
password idle-timeout 15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
no web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
server ING create
ip address 9.9.9.1
localport 443
remoteport 81
key default
cert default
secpolicy default
sslv2 enable
sslv3 enable
tlsv1 enable
session-cache size 20480
session-cache timeout 300
session-cache enable
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
sharedcipher error failhtml
ephemeral error failhtml
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
keepalive frequency 5
keepalive maxfailure 3
no keepalive enable
end
end
The problem is the routing.
You need a route for the client pointing to the SCA, like this:
ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
This is so the reply from the server to the client goes back to the SCA first for encryption.
Gilles.