ACE 4710 VIP
I am not able to access the web server through the VIP. Your help will be greatly appreciated. Below is my configuration on the ACE.
Server:
resource-class RS_web
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A1_8_0a.bin
hostname ACE1
interface gigabitEthernet 1/1
description Client Connectivity on VLAN 100
switchport access vlan 100
no shutdown
interface gigabitEthernet 1/2
description Server Connectivity on VLAN 10
switchport access vlan 10
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
class-map type management match-any remote_access
context VC_web
allocate-interface vlan 10
allocate-interface vlan 100
member RS_web
username admin password 5 xxx role Admin domain default-domain
username www password 5 xxx role Admin domain default-domain
ssh key rsa 1024 force
Virtual:
logging enable
logging console 7
logging trap 7
logging history 7
logging monitor 7
access-list ALL line 8 extended permit ip any any
rserver host RS_web1
description content server web-one
ip address 10.2.0.99
inservice
serverfarm host SF_web
predictor hash header Accept
rserver RS_web1 80
inservice
class-map type management match-any VC_web_Remote
description VC Web Remote Access
2 match protocol telnet any
3 match protocol https any
5 match protocol ssh any
6 match protocol icmp any
class-map match-all VS_web
2 match virtual-address 10.1.0.99 255.255.252.0 tcp eq www
policy-map type management first-match VC_web_MGMT_ALLOW_POLICY
class VC_web_Remote
permit
policy-map type loadbalance first-match PM_LB
class class-default
serverfarm SF_web
policy-map multi-match PM_multi_match
class VS_web
loadbalance vip inservice
loadbalance policy PM_LB
interface vlan 1
description Server Connectivity on VLAN 10
ip address 10.2.0.101 255.255.252.0
nat-pool 1 10.2.0.200 10.2.0.204 netmask 255.255.252.0
no shutdown
interface vlan 100
ip address 10.1.0.101 255.255.252.0
service-policy input VC_web_MGMT_ALLOW_POLICY
service-policy input PM_multi_match
no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.0.1
username admin password 5 xxxx role Admin domain default-domain
I've changed my VIP to a /32, and I still can't access the web server. Here is my show service-policy detail result.
Policy-map : PM_multi_match
Status : ACTIVE
Description: -
Interface: vlan 1 100
service-policy: PM_multi_match
class: VS_web
VIP Address: Protocol: Port:
10.1.0.99 tcp eq 80
loadbalance:
L7 loadbalance policy: PM_LB
VIP ICMP Reply : DISABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : PM_LB
class/match : class-default
LB action :
primary serverfarm: SF_web
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
compression:
bytes_in : 0
bytes_out : 0
Similar Messages
-
ACE 4710 VIP not pingable even with "always" selected.
Hello, I have a somewhat complicated setup in order to allow one particular VIP to answer for the same serverfarm on two different ports (this was a previous question here). Here is the scrubbed config below. The setup works, but the issue is that the VIP does not reply to pings. We use both the servers and the VIP for monitoring internally. It is still operational on the ports it is balancing, but no setting for ping seems to work (active, primary, or always). What am I doing wrong here? The other sites I use stickies with respond for their VIPs. I'm assuming this one does not due to the more complicated policy map.
probe http HTML-Site-Up_200
description This probe is to verify HTTP operation via site-up.html check
port 80
interval 5
faildetect 2
passdetect interval 10
request method get url /site-up.html
expect status 200 200
open 2
probe icmp ICMP-Ping
interval 5
faildetect 2
passdetect interval 10
probe tcp RAW-TCP-81
port 81
interval 10
faildetect 2
passdetect interval 20
connection term forced
open 1
rserver host psc-us-EQUIPprd1
description EQUIP Prod, server 1
ip address 10.1.1.84
inservice
rserver host psc-us-EQUIPprd2
description EQUIP Prod, server 2
ip address 10.1.1.85
inservice
serverfarm host EQUIPPROD
description EQUIP Prod Server Pool
predictor leastconns
probe HTML-Site-Up_200
probe ICMP-Ping
probe RAW-TCP-81
rserver psc-us-EQUIPprd1
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2
probe ICMP-Ping
probe HTML-Site-Up_200
probe RAW-TCP-81
inservice
serverfarm host EQUIPPROD-CUSTOMER-81
description EQUIP Customer Site Server Pool, port 81
predictor leastconns
probe RAW-TCP-81
rserver psc-us-EQUIPprd1 81
probe RAW-TCP-81
inservice
rserver psc-us-EQUIPprd2 81
probe RAW-TCP-81
inservice
sticky ip-netmask 255.255.255.255 address source Sticky_EQUIPPROD
timeout 180
replicate sticky
serverfarm EQUIPPROD
class-map type http loadbalance match-all EQUIP_81_Redirect
2 match http header Host header-value ".*equiponline.com"
class-map type http loadbalance match-all EQUIP_81_Redirect_Full
2 match http header Host header-value ".*www.equiponline.com"
class-map match-all VIP-EQUIPPROD
2 match virtual-address 10.1.1.97 any
policy-map type loadbalance first-match VIP-EQUIPPROD-l7slb
class EQUIP_81_Redirect
serverfarm EQUIPPROD-CUSTOMER-81
class EQUIP_81_Redirect_Full
serverfarm EQUIPPROD-CUSTOMER-81
class class-default
sticky-serverfarm Sticky_EQUIPPROD
policy-map multi-match global
class VIP-EQUIPPROD
loadbalance vip inservice
loadbalance policy VIP-EQUIPPROD-l7slb
loadbalance vip icmp-reply
nat dynamic 13 vlan 1000
interface vlan 1000
nat-pool 13 10.1.1.97 10.1.1.97 netmask 255.255.255.0 pat
Output from that class from the show service-policy command. And no, it doesn't appear to be pingable from the ACE.
class: VIP-EQUIPPROD
nat:
nat dynamic 13 vlan 1000
curr conns : 361 , hit count : 116690
dropped conns : 5
client pkt count : 4815293 , client byte count: 739114009
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
VIP Address: Protocol: Port:
10.1.1.97 any
loadbalance:
L7 loadbalance policy: VIP-EQUIPPROD-l7slb
Regex dnld status : SUCCESSFUL
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 392 , hit count : 134300
dropped conns : 431
client pkt count : 4869950 , client byte count: 741545220
server pkt count : 7281612 , server byte count: 8753101386
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : VIP-EQUIPPROD-l7slb
class/match : EQUIP_81_Redirect
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 12602
dropped conns : 0
compression : off
class/match : EQUIP_81_Redirect_Full
LB action :
primary serverfarm: EQUIPPROD-CUSTOMER-81
state: UP
backup serverfarm : -
hit count : 0
dropped conns : 0
compression : off
class/match : class-default
LB action: :
sticky group: Sticky_EQUIPPROD
primary serverfarm: EQUIPPROD
state:UP
backup serverfarm : -
hit count : 107831
dropped conns : 5
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
pscaceinside01/Prod# ping 10.1.1.97
Pinging 10.51.221.97 with timeout = 2, count = 5, size = 100 ....
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
No response received from 10.1.1.97 within last 2 sec
5 packet sent, 0 responses received, 100% packet loss
For what it's worth, none of my VIPs are pingable from the ACE. I think that has to do with me being in one-arm configuration, and using the NAT addresses per VIP. But all other VIPs are pingable from other sources on the subnet, with the exception of this VIP. -
Hi All,
I am not able to connect to a virtual IP address of the ACE 4710, and I am not able to ping it either. Kindly let me know if anything is wrong here.
Regards,
Neha.
Hi Yahb/Neha,
Please try and confirm this:-
1) See if you have permitted the traffic:-
access-list ALL line 8 extended permit ip any any
class-map match-all L4_VIP_ADDRESS_CLASS
2 match virtual-address 1.1.1.1 any
class-map type management match-any REMOTE_ACCESS
201 match protocol ssh any
202 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
class class-default
serverfarm SFARM1
policy-map multi-match L4_LB_VIP_POLICY
class L4_VIP_ADDRESS_CLASS
loadbalance vip inservice
loadbalance policy L7_VIP_LB_ORDER_POLICY
loadbalance vip icmp-reply
2) Apply the ACL to the correct VLAN:-
interface vlan 20
description Server-side Interface
ip address 2.2.2.2 255.255.255.0
access-group input ALL ---> make sure you have applied the ACL.
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 30
description Client side connectivity
ip address 3.3.3.3 255.255.255.0
access-group input ALL
service-policy input L4_LB_VIP_POLICY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.x.x
Let us know if you have done this.
Regards
Shariff -
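The mistakes Shariff's checklist targets, an ACL that is defined but never applied with `access-group input`, a VLAN configured inside a context that was never allocated to it (compare `interface vlan 1` against `allocate-interface vlan 10` in the first post), and a management class that lets telnet in, can all be caught offline before the config is loaded. The following Python script is an added example written for this page; it is not Cisco tooling and not code from either thread. It assumes `show run` style indentation (child lines indented with spaces) and runs against a constructed, cut-down copy of the first post's Admin and VC_web configuration.

```python
"""Offline lint for an ACE 4710 context configuration (added example).
Checks: VLANs used but not allocated to the context, interfaces that carry a
service-policy but no 'access-group input', management class-maps that
permit telnet, and VIPs that fall outside every interface subnet."""
import ipaddress
import re

# Constructed sample, cut down from the first post in this thread:
# the context is allocated VLANs 10 and 100 but configures 'interface vlan 1',
# ACL 'ALL' exists but is never applied, and the management class permits telnet.
ADMIN_CFG = """\
context VC_web
  allocate-interface vlan 10
  allocate-interface vlan 100
"""

CTX_CFG = """\
access-list ALL line 8 extended permit ip any any
class-map type management match-any VC_web_Remote
  2 match protocol telnet any
  5 match protocol ssh any
class-map match-all VS_web
  2 match virtual-address 10.1.0.99 255.255.255.255 tcp eq www
interface vlan 1
  ip address 10.2.0.101 255.255.252.0
  no shutdown
interface vlan 100
  ip address 10.1.0.101 255.255.252.0
  service-policy input VC_web_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown
"""


def stanzas(cfg):
    """Yield (header, [child lines]) per top-level stanza. 'show run' indents
    children with spaces, so an unindented line opens a new stanza."""
    header, body = None, []
    for line in cfg.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            if header is not None:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header is not None:
        yield header, body


def allocated_vlans(admin_cfg):
    """VLANs handed to contexts via 'allocate-interface vlan N' (single IDs only)."""
    vlans = set()
    for hdr, body in stanzas(admin_cfg):
        if hdr.startswith("context "):
            for line in body:
                m = re.match(r"allocate-interface vlan (\d+)$", line)
                if m:
                    vlans.add(int(m.group(1)))
    return vlans


def check_context(admin_cfg, ctx_cfg):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    allocated = allocated_vlans(admin_cfg)
    subnets, vips = [], []
    for hdr, body in stanzas(ctx_cfg):
        m = re.match(r"interface vlan (\d+)$", hdr)
        if m:
            vlan = int(m.group(1))
            if allocated and vlan not in allocated:
                findings.append(f"vlan {vlan}: configured in the context but not "
                                f"allocated to it (allocated: {sorted(allocated)})")
            has_policy = any(l.startswith("service-policy input") for l in body)
            has_acl = any(l.startswith("access-group input") for l in body)
            if has_policy and not has_acl:
                findings.append(f"vlan {vlan}: service-policy applied but no "
                                "access-group input; ACE denies data traffic "
                                "on an interface without an ACL")
            for line in body:
                am = re.match(r"ip address (\S+) (\S+)$", line)
                if am:
                    net = ipaddress.ip_network(f"{am.group(1)}/{am.group(2)}", strict=False)
                    subnets.append((vlan, net))
        elif hdr.startswith("class-map type management"):
            if any(l.endswith("match protocol telnet any") for l in body):
                findings.append(f"{hdr}: permits telnet (cleartext) to the ACE; "
                                "restrict management to ssh/https")
        elif hdr.startswith("class-map"):
            for line in body:
                vm = re.match(r"\d+ match virtual-address (\S+)", line)
                if vm:
                    vips.append(ipaddress.ip_address(vm.group(1)))
    for vip in vips:
        if not any(vip in net for _, net in subnets):
            findings.append(f"vip {vip}: not inside any interface subnet; "
                            "make sure it is routed to the ACE")
    return findings


if __name__ == "__main__":
    for finding in check_context(ADMIN_CFG, CTX_CFG):
        print(finding)
```

On the sample it reports three findings: VLAN 1 is not allocated to the context, VLAN 100 carries the load-balancing policy without an ACL, and the management class admits telnet. The VIP 10.1.0.99 sits inside the VLAN 100 subnet, so it is not flagged. Paste the real `show run` of the Admin and virtual contexts in place of the constructed strings to lint a live box.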
Rservers initiated traffic not sourcing the traffic as VIP in Ace 4710
One of the features of our application is that our application server initiates text messages to our devices, sourced from UDP 1120, and the device needs to see the message come from a specific public IP (2.2.2.2) with UDP port 1120 and reply back to the same public IP (2.2.2.2) with UDP port 1120. The problem is that we can make that happen if we have only one server in our ACE serverfarm, when we SNAT the real server to the VIP address (10.1.246.32), but it does not work when we have more than one server in the serverfarm. Since we have 2 servers, I cannot NAT the real servers to the VIP address; if I do a PAT, obviously it is changing the source port of the request.
Note: This setup is working fine with the Cisco Content Switching Module running on a 6509 chassis. When I sniff the traffic initiated from the server coming through the CSM load balancer, it is sourced as the VIP and the source port remains the same by default, but this is not the case with the ACE 4710.
Traffic flow as follows
===============
Rserver 1 - 10.1.104.80 --+
                          +--> ACE 4710 (VIP / SNAT 10.1.246.32) --> FWSM (firewall static NAT 10.1.246.32 <-> 2.2.2.2) --> Device 1.1.1.1 (configured with 2.2.2.2:1120 udp to snd/rcv msg)
Rserver 2 - 10.1.104.81 --+
(traffic flow from server to the device when we send a msg)
Configs:
======
rserver host server1
ip address 10.1.104.80
inservice
rserver host server2
ip address 10.1.104.81
inservice
serverfarm host SFARM
failaction purge
probe ICMP
rserver server1
inservice
rserver server2
inservice
access-list TEST-1120 line 8 extended permit udp host 10.1.104.80 eq 1120 any
access-list TEST-1120 line 16 extended permit udp host 10.1.104.81 eq 1120 any
parameter-map type connection UDP_TIMEOUT
set timeout inactivity 3600
sticky ip-netmask 255.255.255.255 address source STKY-SFARM
serverfarm SFARM
timeout 180
replicate sticky
class-map match-all CLS-SFARM
2 match virtual-address 10.1.246.32 udp eq 1120
class-map match-all SERVERNAT
2 match access-list TEST-1120
policy-map type loadbalance first-match POL-SFARM
class class-default
sticky-serverfarm STKY-SFARM
policy-map multi-match POL-LB
class CLS-SFARM
loadbalance vip inservice
loadbalance policy POL-SFARM
loadbalance vip icmp-reply active
connection advanced-options UDP_TIMEOUT
class SERVERNAT
nat dynamic 1 vlan 244
int vlan 244
ip address 10.1.246.2 255.255.255.0
service-policy input POL-LB
nat-pool 1 10.1.246.32 10.1.246.32 netmask 255.255.255.255
mac-sticky enable
no icmp-guard
no shut
interface vlan 2506
ip address 10.1.104.2 255.255.255.0
service-policy input POL-LB
mac-sticky enable
no icmp-guard
no shut
I see that in the CSS they are able to NAT the source IP address to the VIP with port mapping disabled. How do I implement portmap disable in the ACE 4710?
Disabling Port Mapping
By default, the CSS NATs source IP addresses and PATs source ports for a configured source group. If you configure the portmap disable command in a source group, the CSS performs NAT on the source IP addresses but does not perform PAT on the source ports of UDP traffic that matches on that source group.
For UDP applications with high-numbered assigned ports (for example, SIP and WAP), we recommend that you preserve those port numbers by configuring destination services in source groups instead of using the portmap disable command. Destination services cause the CSS to NAT the client source ports, but not the destination ports. For information about configuring destination services, -
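Whether the far end really sees the application's fixed source port after the ACE's SNAT is something you can measure rather than infer. The script below is an added example written for this page, not the poster's code and not anything from Cisco: an observer socket (standing in for the device behind the FWSM) reports the source address and port each datagram arrived from, and a sender binds the application port (1120 in the post) before transmitting. Run the two halves on opposite sides of the ACE with the real addresses; the loopback self-test exists only so the script runs stand-alone, and every port number in it is an assumption.

```python
"""Measure whether a UDP path preserves the sender's source port (added example).
Observer side: receive one datagram, reply with the source ip:port seen.
Sender side: bind the application port, send, and return the observer's answer."""
import socket
import threading


def make_observer(bind_addr="", bind_port=0, timeout=5.0):
    """Bind the observer socket (port 0 = let the OS pick) and return it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind_addr, bind_port))
    return sock


def observe_one(sock):
    """Receive one datagram; reply with the source seen; return (ip, port, payload).
    Through a PAT device the port reported here differs from the one the sender bound."""
    payload, (ip, port) = sock.recvfrom(2048)
    sock.sendto(b"seen-from %s:%d" % (ip.encode(), port), (ip, port))
    return ip, port, payload


def send_from_port(src_port, dst, payload=b"probe", timeout=5.0):
    """Send from a fixed source port, as the application does with UDP/1120,
    and return the observer's reply (None on timeout, i.e. the reply path is broken)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("", src_port))
    try:
        sock.sendto(payload, dst)
        try:
            reply, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
        return reply
    finally:
        sock.close()


def free_udp_port():
    """Pick an unused high port for the self-test (assumed to stay free briefly)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe.bind(("127.0.0.1", 0))
    port = probe.getsockname()[1]
    probe.close()
    return port


def loopback_check(src_port):
    """Self-test on 127.0.0.1: returns (port_the_observer_saw, reply_bytes).
    With no NAT in the path the observed port must equal src_port."""
    obs = make_observer("127.0.0.1", 0)
    seen = {}

    def run():
        seen["result"] = observe_one(obs)

    worker = threading.Thread(target=run)
    worker.start()                      # observer is already bound, so no race
    reply = send_from_port(src_port, obs.getsockname())
    worker.join()
    obs.close()
    return seen["result"][1], reply


if __name__ == "__main__":
    port = free_udp_port()
    observed, reply = loopback_check(port)
    print(f"sent from {port}, observer saw {observed}: {reply!r}")
```

In the real deployment the observer's answer is the ground truth for both halves of the requirement in the post: the source it reports must be 2.2.2.2:1120, and the sender receiving the reply at all confirms the return path through the FWSM and the ACE maps back to the right rserver. A timeout on the sender with a correct report on the observer points at the return path, not the outbound NAT.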
Access Server through VIP (ACE 4710) but very slow
Re: Access Server through VIP (ACE 4710) but very slow
Hi Shiva
Kindly help..... Accessing the server is very slow. Please check my real configuration. This configuration is for the application server, and after this I have to configure more serverfarms for different servers like webmail etc. on this ACE 4710. I have only one ACE 4710.
ACE version A4(2.0): does this version support probes??? Without a probe the server will work, but very slowly. And please advise whether a NAT pool is required.
VIP :-- 172.16.15.8
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
logging enable
logging host 172.29.91.112 udp/514
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
member RC1
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
webhost-redirection / 302
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 192.168.10.3
inservice
rserver host web2
ip address 192.168.10.4
inservice
rserver host web3
ip address 192.168.10.5
inservice
serverfarm host http
rserver web1
inservice
rserver web2
inservice
rserver web3
inservice
serverfarm redirect https_redirect_farm
description Redirect traffic to https
serverfarm redirect maintenance_farm
description send user to maintenance page
parameter-map type connection paramap_http
description parameter connection tcp
exceed-mss allow
sticky ip-netmask 255.255.255.0 address source Sticky_http
timeout activeconns
serverfarm http
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 172.16.15.8 tcp eq www
policy-map type management first-match remote_access
class class-default
permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
permit
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
inspect http policy slb-vip-http
connection advanced-options paramap_http
interface vlan 30
description "Client Side"
ip address 172.16.15.24 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
ip address 192.168.10.1 255.255.255.0
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.15.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$b2txbc5U$TA74D920oSdd2eOZ4hSFe/ role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$8C7eRKrI$it3UV4URZ26X4S/Bh6OEr0 role Admin domain default-domain
ssh key rsa 1024 force
banner motd # "ro" #
Regards,
Prem
Hi Shiva,
Please guide me, I'm new to the ACE LB. Also find my network design for connecting the ACE to the servers. But server access is very, very slow, whereas when I connect through my old software LB (with two interfaces) access is very fast. I just replaced my old software LB (with two interfaces) with the ACE 4710 and connected the same scenario, so why is the server not accessed smoothly via the VIP? Reply soon. I connect only the ACE's two interfaces to the switch.....
Regards,
Prem -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm a newbie to the Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance traffic between two application servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide fits my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (stack) switches. But I have some points of confusion in this guide.
This guide follows "one-armed mode" as the deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP is also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP, and a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where I am wrong and what I should do for the best. This is urgent, so I need your help quickly.
Thanks....!
-Amal-
Dear Kanwal,
I need quick help from you. Following are the application LB requirements which I received from my client side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and was trying to access http://172.25.45.21; it was working fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers; when I type http://172.25.45.21 it gets the index.html page, but not my client's web login page. What can I do about this?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply soon
Thanks....!
-Amal- -
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user set up with the Network-Monitor role, which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs; it is not a role that allows a user to make any changes, including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conf t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, and within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
I am not able to ping the servers or the gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
Hi All ,
I am facing a problem with my ACE 4710 in an active-standby environment. When I check show ft group detail on my active ACE, it shows the peer state as FSM_FT_STATE_STANDBY_COLD for the Admin context. Below is the output:
Primary_ACE/Admin#sh ft group detail
FT Group : 1
No. of Contexts : 1
Context Name : Admin
Context Id : 0
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_COLD
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:55 2002
Running cfg sync enabled : Enabled
Running cfg sync status : Peer in Cold State. Error on Standby device when applying configuration file replicated from active
Startup cfg sync enabled : Enabled
Startup cfg sync status : Peer in Cold State. Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
FT Group : 2
No. of Contexts : 1
Context Name : APP_Context
Context Id : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 120
My Net Priority : 120
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Jan 1 05:32:56 2002
Running cfg sync enabled : Enabled
Running cfg sync status : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status : Startup configuration sync has completed
Bulk sync done for ARP: 0
Bulk sync done for LB: 0
Bulk sync done for ICM: 0
Also when I give show ft config-errors on my secondary ACE it gives the following result .
Secondary_ACE/Admin#sh ft config-error
Mon Jun 10 00:04:11 IST 2002
`no 3 match virtual-address 10.40.3.15 tcp eq https`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.15 tcp eq 8082`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq www`
Error: LB action requires match vip command
`no 3 match virtual-address 10.40.3.21 tcp eq https`
Error: LB action requires match vip command
`2 match virtual-address 10.40.3.21 tcp eq https`
Error: This configuration already exists
`2 match virtual-address 10.40.3.21 tcp eq www`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq 8082`
Error: This configuration already exists
`2 match virtual-address 10.40.3.15 tcp eq https`
Error: This configuration already exists
Error(s) while applying config.
I am attaching the running configuration of both ACEs. Kindly help me in resolving the issue.
Also, I noticed one thing: there is a configuration difference between the primary and secondary ACE. I guess this is causing the issue.
Need help to fix this ASAP.
The following configuration is missing on the secondary ACE.
======================================================================
class-map match-all WEB_FARM_VIP-80
3 match virtual-address 10.40.3.15 tcp eq www
policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
class class-default
serverfarm HTTP-2-HTTPS
class WEB_FARM_VIP-80
loadbalance vip inservice
loadbalance policy WEB_FARM_VIP-80-l7slb
Thanks,
Tushar
Dear all,
Please help me out in this regard; I don't have much idea about ACE.
Regards,
Sashi -
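An added example, not part of Tushar's post and not Cisco software: a small Python script that compares two ACE running-configs block by block. The config-error output above reads as the standby refusing a replicated class-map line that collides with an entry it already holds under another sequence number ("This configuration already exists"), and refusing a `no N match virtual-address` that would leave a class-map still referenced by a load-balance policy without any VIP match ("LB action requires match vip command"), so the comparison concentrates on sequence numbers and on blocks present on only one peer. ACTIVE_CFG and STANDBY_CFG are constructed fragments built around the names in the post; in use you would paste `show running-config` from each peer into them. Hostname lines, which legitimately differ between peers, are ignored.

```python
"""Block-level comparison of two Cisco ACE running-configs.

Added example; not code from the forum thread or from Cisco.  The ACE
replicates configuration from the active to the standby one command at a
time, so the standby's rejections point at lines whose sequence numbers or
surrounding blocks differ between the peers.  ACTIVE_CFG and STANDBY_CFG are
constructed sample fragments.
"""
import re
from typing import Dict, List, Tuple

# Top-level keywords that open an indented block in ACE CLI output.
BLOCK_KEYWORDS = (
    "class-map", "policy-map", "serverfarm", "rserver", "sticky", "interface",
    "probe", "parameter-map", "context", "resource-class", "ft ",
)
# Global lines that legitimately differ between the two peers.
IGNORE_GLOBAL = ("hostname", "peer hostname")
SEQ_RE = re.compile(r"^(\d+)\s+(.*)$")


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each block header to its (flattened, de-indented) child lines.

    Lines that are neither indented nor block headers (ip route, access-list,
    hostname, ...) are collected under the pseudo-header '<global>'.
    """
    blocks: Dict[str, List[str]] = {}
    current = "<global>"
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            blocks.setdefault(current, []).append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(BLOCK_KEYWORDS):
            current = line
            blocks.setdefault(current, [])
        else:
            current = "<global>"
            blocks.setdefault(current, []).append(line)
    return blocks


def split_seq(line: str) -> Tuple[str, str]:
    """'3 match virtual-address ...' -> ('3', 'match virtual-address ...')."""
    m = SEQ_RE.match(line)
    return (m.group(1), m.group(2)) if m else ("", line)


def diff_configs(active: str, standby: str) -> Dict[str, list]:
    """Classify the differences between the active and standby configs."""
    a, s = parse_blocks(active), parse_blocks(standby)
    report: Dict[str, list] = {"missing_on_standby": [], "missing_on_active": [], "seq_mismatch": []}
    for header in sorted(set(a) | set(s)):
        if header not in s:
            report["missing_on_standby"].append(header)
            continue
        if header not in a:
            report["missing_on_active"].append(header)
            continue
        # Key by the command text so the same line under a different
        # sequence number is reported as a mismatch, not as missing.
        a_body = {body: seq for seq, body in map(split_seq, a[header])}
        s_body = {body: seq for seq, body in map(split_seq, s[header])}
        for body, seq in a_body.items():
            if body.startswith(IGNORE_GLOBAL):
                continue
            if body not in s_body:
                report["missing_on_standby"].append(f"{header} / {seq + ' ' if seq else ''}{body}")
            elif s_body[body] != seq:
                report["seq_mismatch"].append((header, body, seq, s_body[body]))
        for body, seq in s_body.items():
            if body not in a_body and not body.startswith(IGNORE_GLOBAL):
                report["missing_on_active"].append(f"{header} / {seq + ' ' if seq else ''}{body}")
    return report


# Constructed sample: the active peer carries the VIP-80 objects, the standby
# lacks them and holds the VIP-443 match under sequence 2 instead of 3.
ACTIVE_CFG = """\
hostname Primary_ACE
access-list ANYONE line 8 extended permit ip any any
class-map match-all WEB_FARM_VIP-80
  3 match virtual-address 10.40.3.15 tcp eq www
class-map match-all WEB_FARM_VIP-443
  3 match virtual-address 10.40.3.15 tcp eq https
policy-map type loadbalance first-match WEB_FARM_VIP-80-l7slb
  class class-default
    serverfarm HTTP-2-HTTPS
policy-map type loadbalance first-match WEB_FARM_VIP-443-l7slb
  class class-default
    serverfarm WEB_FARM
policy-map multi-match CLIENT_VIPS
  class WEB_FARM_VIP-80
    loadbalance vip inservice
    loadbalance policy WEB_FARM_VIP-80-l7slb
  class WEB_FARM_VIP-443
    loadbalance vip inservice
    loadbalance policy WEB_FARM_VIP-443-l7slb
"""

STANDBY_CFG = """\
hostname Secondary_ACE
access-list ANYONE line 8 extended permit ip any any
class-map match-all WEB_FARM_VIP-443
  2 match virtual-address 10.40.3.15 tcp eq https
policy-map type loadbalance first-match WEB_FARM_VIP-443-l7slb
  class class-default
    serverfarm WEB_FARM
policy-map multi-match CLIENT_VIPS
  class WEB_FARM_VIP-443
    loadbalance vip inservice
    loadbalance policy WEB_FARM_VIP-443-l7slb
"""

if __name__ == "__main__":
    for kind, items in diff_configs(ACTIVE_CFG, STANDBY_CFG).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The report lists the VIP-80 class-map, its L7 policy and its two lines under the multi-match policy as missing on the standby, and the VIP-443 match as sequence 3 on the active but 2 on the standby. Child lines are flattened per block, so a line repeated under two classes (such as `loadbalance vip inservice`) is compared once; that is enough to localise a sync failure, not to replace a full diff.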
ACE 4710 - Internet Explorer cannot display the webpage randomly
We have a ACE 4710 with a basic config, (see below).
When clicking on a tab from a window within Internet Explorer we occasionally get an issue with it returning "Internet Explorer cannot display the webpage". The details show "Access is denied" accessing a particular line of a JavaScript file.
We have put one web server out of service in the farm to make sure that this isn't a result of stickiness not quite working.
We have tested extensively by going directly to the web server without the load balancer and cannot reproduce the problem, but we can reproduce the issue within a few minutes when going to the load-balanced address.
Thanks in advance for any advice.
HOST-1/Admin# show run
Generating configuration....
logging enable
logging fastpath
logging standby
logging timestamp
logging trap 6
logging history 6
resource-class SLB_ResourceClass_T_R
limit-resource all minimum 10.00 maximum unlimited
resource-class sticky
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
peer hostname HOST-2
hostname HOST-1
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
description LB003
switchport access vlan 1
shutdown
interface gigabitEthernet 1/4
description LB004
switchport access vlan 2
shutdown
interface port-channel 1
port-channel load-balance src-dst-port
no shutdown
clock timezone standard GMT
switch-mode
context Admin
description SUTLB01
member SLB_ResourceClass_T_R
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe tcp probe_tcp_80
port 80
rserver host Server_S_W301
description Server_S_W301
ip address x.x.32.152
inservice
rserver host Server_S_W302
description Server_S_W302
ip address x.x.32.154
inservice
serverfarm host sfarm_T_R
description sfarm_T_R
predictor leastconns
probe probe_tcp_80
rserver Server_S_W301 80
rserver Server_S_W302 80
inservice
sticky http-cookie Cookie1 T_R_sticky_cookie
cookie insert browser-expire
timeout 3600
serverfarm sfarm_T_R
class-map match-any T_R_L4Class
2 match virtual-address x.x.33.150 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match T_R_L7policy
class class-default
sticky-serverfarm T_R_sticky_cookie
policy-map multi-match T_R_L4Policy
class T_R_L4Class
loadbalance vip inservice
loadbalance policy T_R_L7policy
loadbalance vip icmp-reply active
nat dynamic 2 vlan 1000
interface vlan 1000
ip address x.x.33.148 255.255.254.0
access-group input ALL
nat-pool 2 x.x.33.151 x.x.33.151 netmask 255.255.254.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input T_R_L4Policy
no shutdown
ip route 0.0.0.0 0.0.0.0 x.x.32.1
ssh key rsa 1024 force
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347 , TCP data msgs sent : 2099597
Inspect parse result msgs sent : 0 , SSL data msgs sent : 0
TCP fin msgs sent : 6169 , TCP rst msgs sent: : 769
Bounced fin msgs sent : 5 , Bounced rst msgs sent: : 1
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 337811 , Particles read : 5040829
Reuse msgs sent : 0 , HTTP requests : 342499
Reproxied requests : 183422 , Headers removed : 37475
Headers inserted : 342124 , HTTP redirects : 0
HTTP chunks : 224859 , Pipelined requests : 71466
HTTP unproxy conns : 267246 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 71302 , Analysis errors : 0
Header insert errors : 22 , Max parselen errors : 215
Static parse errors : 99 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 267246
HTTP passthrough stat : 0
NOTE: We did turn on caching at one point to try and resolve the issue, but it has since been turned off. -
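An added example, not from the post and not Cisco code. The counter block above is cumulative, so a single snapshot says little on its own; taking `show stats http` before and after reproducing the failure and diffing the two is what separates the load balancer's own contribution from the servers'. The parser below handles the two-column layout (including the double colon the ACE prints on some rows), normalises the error counters per 10,000 HTTP requests, and diffs two snapshots. SNAPSHOT_1 is the block from the post; SNAPSHOT_2 is a constructed, abbreviated later sample. The rows worth correlating with a symptom that only appears behind the VIP are the non-zero ones here: Max parselen errors, Static parse errors and Header insert errors.

```python
"""Parse the 'show stats http' counter dump from an ACE and surface the
counters that mean the HTTP engine itself rejected or rewrote something.

Added example, not code from the post or from Cisco.  Counters are cumulative
since the last clear, so counter_delta() over two snapshots is the useful
view.  SNAPSHOT_1 is the block from the post; SNAPSHOT_2 is constructed.
"""
import re
from typing import Dict, Optional

# 'name : value', tolerating the 'name: : value' form on some rows.
CELL_RE = re.compile(r"^(.+?)\s*:(?:\s*:)?\s*(\d+)$")

# Counters whose growth means the ACE refused or altered a request rather
# than merely forwarding it.
ERROR_COUNTERS = (
    "Analysis errors", "Header insert errors", "Max parselen errors",
    "Static parse errors", "Resource errors", "Invalid path errors",
    "Bad HTTP version errors", "Header rewrite errors", "SSL header insert errors",
)


def parse_http_stats(text: str) -> Dict[str, int]:
    """Turn the two-column dump into {counter name: value}."""
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("+"):   # skip the box-drawing banner
            continue
        for cell in line.split(" , "):
            m = CELL_RE.match(cell.strip())
            if m:
                stats[m.group(1).strip()] = int(m.group(2))
    return stats


def error_summary(stats: Dict[str, int]) -> Dict[str, dict]:
    """Non-zero error counters, normalised per 10,000 HTTP requests."""
    requests = stats.get("HTTP requests", 0)
    out: Dict[str, dict] = {}
    for name in ERROR_COUNTERS:
        value = stats.get(name, 0)
        if value:
            per_10k: Optional[float] = round(value * 10_000 / requests, 2) if requests else None
            out[name] = {"count": value, "per_10k_requests": per_10k}
    return out


def counter_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Counters that increased between two snapshots (same device, no clear)."""
    return {k: after[k] - before.get(k, 0) for k in after if after[k] - before.get(k, 0) > 0}


SNAPSHOT_1 = """
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 421347 , TCP data msgs sent : 2099597
Inspect parse result msgs sent : 0 , SSL data msgs sent : 0
TCP fin msgs sent : 6169 , TCP rst msgs sent: : 769
Bounced fin msgs sent : 5 , Bounced rst msgs sent: : 1
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 337811 , Particles read : 5040829
Reuse msgs sent : 0 , HTTP requests : 342499
Reproxied requests : 183422 , Headers removed : 37475
Headers inserted : 342124 , HTTP redirects : 0
HTTP chunks : 224859 , Pipelined requests : 71466
HTTP unproxy conns : 267246 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 71302 , Analysis errors : 0
Header insert errors : 22 , Max parselen errors : 215
Static parse errors : 99 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 267246
HTTP passthrough stat : 0
"""

# Constructed second sample, as if taken after reproducing the failure.
SNAPSHOT_2 = """
LB parse result msgs sent : 430100 , TCP data msgs sent : 2140200
Reuse msgs sent : 0 , HTTP requests : 350210
Header insert errors : 22 , Max parselen errors : 240
Static parse errors : 104 , Resource errors : 0
"""

if __name__ == "__main__":
    before, after = parse_http_stats(SNAPSHOT_1), parse_http_stats(SNAPSHOT_2)
    print("errors in snapshot 1:", error_summary(before))
    print("moved between snapshots:", counter_delta(before, after))
```

Run the first snapshot through `error_summary` and the three non-zero rows come out with their rate per 10,000 requests; `counter_delta` between the two snapshots shows which of them kept climbing while the problem was being reproduced.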
SIP load balancing issue with ACE 4710
I have a Cisco ACE 4710 with version A4(2.2). I configured simple SIP load balancing, first without stickiness. Without stickiness we are having a problem because the BYE packet was not going to the same server all the time, which left our port in use even though the user hung up the phone. It happens randomly. I have a total of 20 licensed ports and they fill up very quickly, so I decided to use stickiness with Call-ID, but still the same issue. Below is the config:
rserver host CIN-VOX-31
ip address 172.20.130.31
inservice
rserver host CIN-VOX-32
ip address 172.20.130.32
inservice
serverfarm host CIN-VOX
probe SIP-5060
rserver CIN-VOX-31
inservice
rserver CIN-VOX-32
inservice
sticky sip-header Call-ID VOX_SIP_GROUP
timeout 1
timeout activeconns
replicate sticky
serverfarm CIN-VOX
class-map match-all CIN_VOX_L4_CLASS
2 match virtual-address 172.22.12.30 any
class-map match-all CIN_VOX_SIP_L4_CLASS
2 match virtual-address 172.22.12.30 udp eq sip
policy-map type loadbalance sip first-match CIN_VOX_LB_SIP_POLICY
class class-default
sticky-serverfarm VOX_SIP_GROUP
policy-map multi-match GLOBAL_DMZ_POLICY
class CIN_VOX_SIP_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
class CIN_VOX_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
interface vlan 20
description VIP_DMZ_VLAN
ip address 172.22.12.4 255.255.255.192
alias 172.22.12.3 255.255.255.192
peer ip address 172.22.12.5 255.255.255.192
access-group input PERMIT-ANY-LB
service-policy input GLOBAL_DMZ_POLICY
Could you please help me with this...
Thanks,
Rakesh Patel
I mean there should be one more statement:
class-map type sip loadbalance match-any CIN_VOX_LB_SIP_POLICY
match sip header Call-ID header-value sip:
and that will be called under:
policy-map multi-match GLOBAL_DMZ_POLICY
class CIN_VOX_SIP_L4_CLASS
loadbalance vip inservice
loadbalance policy CIN_VOX_LB_SIP_POLICY
loadbalance vip icmp-reply
Is that missing in your config? -
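An added example, not code from the thread or from Cisco, showing what `sticky sip-header Call-ID` has to achieve and why a BYE can strand a port without it. SIP requests of one dialog (INVITE, ACK, BYE) share a Call-ID; a balancer that picks a server per packet can send the BYE to the server that never saw the INVITE, and the original server keeps the call, and its licensed port, open. The simulation below picks a server round-robin on first sight of a Call-ID and remembers it for an idle timeout. It models the `timeout activeconns` option as "keep the entry while an INVITE has been seen and no BYE yet"; that is this simulation's reading of the option, not a description of ACE internals. The server addresses are those in the post; the SIP messages are constructed.

```python
"""Header-based stickiness for SIP over UDP.

Added example, not from the forum thread or from Cisco.  Demonstrates why a
Call-ID sticky group is needed: without it the BYE of a dialog can land on a
different server than its INVITE.  keep_while_active is this simulation's
model of the ACE 'timeout activeconns' option (an assumption, see lead-in).
SIP messages below are constructed samples.
"""
import re
from typing import Dict, List, Optional, Tuple

SERVERS = ("172.20.130.31", "172.20.130.32")

# Long and compact ('i:') forms of the Call-ID header.
CALL_ID_RE = re.compile(r"^(?:Call-ID|i):\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+\S+\s+SIP/2\.0")


def parse_method(message: str) -> str:
    m = REQUEST_LINE_RE.match(message)
    if not m:
        raise ValueError("not a SIP request")
    return m.group(1)


def parse_call_id(message: str) -> Optional[str]:
    m = CALL_ID_RE.search(message)
    return m.group(1) if m else None


class SipBalancer:
    def __init__(self, servers, sticky=True, timeout_s=60.0, keep_while_active=True):
        self.servers = list(servers)
        self.sticky = sticky
        self.timeout_s = timeout_s                # idle timeout of a sticky entry
        self.keep_while_active = keep_while_active
        self._rr = 0
        self._table: Dict[str, dict] = {}        # Call-ID -> {server, active, expires}

    def _next_server(self) -> str:
        server = self.servers[self._rr % len(self.servers)]
        self._rr += 1
        return server

    def route(self, message: str, now: float) -> str:
        """Return the real server this request is forwarded to."""
        method = parse_method(message)
        call_id = parse_call_id(message)
        if call_id is None:
            raise ValueError("SIP request without Call-ID")
        if not self.sticky:
            return self._next_server()            # plain round-robin, per packet
        entry = self._table.get(call_id)
        if entry is not None:
            alive = now < entry["expires"] or (self.keep_while_active and entry["active"])
            if not alive:
                del self._table[call_id]
                entry = None
        if entry is None:
            entry = {"server": self._next_server(), "active": False, "expires": 0.0}
            self._table[call_id] = entry
        entry["expires"] = now + self.timeout_s
        if method == "INVITE":
            entry["active"] = True                # dialog is up until a BYE is seen
        elif method == "BYE":
            entry["active"] = False               # entry now ages out on the idle timer
        return entry["server"]


def _sip_request(method: str, cseq: int) -> str:
    """Constructed sample request; both messages share one Call-ID."""
    return (
        f"{method} sip:bob@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.net>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>;tag=a6c85cf\r\n"
        "Call-ID: a84b4c76e66710@10.0.0.5\r\n"
        f"CSeq: {cseq} {method}\r\n"
        "Content-Length: 0\r\n\r\n"
    )


INVITE = _sip_request("INVITE", 314159)
BYE = _sip_request("BYE", 314160)


def demo(sticky: bool, keep_while_active: bool = True) -> List[Tuple[str, str]]:
    """Route an INVITE and, ten minutes later, the BYE of the same dialog."""
    lb = SipBalancer(SERVERS, sticky=sticky, timeout_s=60.0, keep_while_active=keep_while_active)
    t0 = 1_000.0
    return [(parse_method(m), lb.route(m, t0 + dt)) for m, dt in ((INVITE, 0.0), (BYE, 600.0))]


if __name__ == "__main__":
    print("no stickiness:          ", demo(sticky=False))
    print("sticky, keep active:    ", demo(sticky=True, keep_while_active=True))
    print("sticky, 60 s idle only: ", demo(sticky=True, keep_while_active=False))
```

Three runs make the point: with no stickiness the INVITE goes to .31 and the BYE to .32; with Call-ID stickiness and the active-call rule the BYE follows the INVITE to .31; with stickiness but only a 60-second idle timer, a ten-minute call outlives its entry and the BYE is re-balanced to .32 anyway. That last case is the one to keep in mind when the sticky timeout is configured in single minutes, as in the post.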
ACE 4710 transparent LB with two Caches and two routers.
Hello,
I have an ACE 4710 that load balances two CacheFlows (Blue Coat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE and then to the cache farm. After that the CacheFlow will get the page from the internet via two routers. The return traffic will match another PBR on the routers with source port 80 that will send it to the ACE, then to the CacheFlow again, then to the users.
I am not using IP spoofing on the CacheFlow for now. In the attached figure I created a VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the CacheFlow, or just forward the traffic on the default route? What might be the default route, since I have to use two routers and I cannot use HSRP?
Kindly, I need some assistance.
Thank you and regards,
George
access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any
ip name-server 8.8.8.8
ip name-server 4.2.2.2
##################################Config for Cache Cache Servers###################
probe http CISCO_WWW_PROBE
ip address 72.163.4.161
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
probe http YAHOO_WWW_PROBE
ip address 87.248.112.181
interval 2
faildetect 2
passdetect interval 2
passdetect count 5
request method head url /index.html
expect status 200 200
exit
serverfarm host TRANSPARENT_PROXY_SF
description Transparent Proxy Farm
transparent
predictor hash url
probe CISCO_WWW_PROBE
probe YAHOO_WWW_PROBE
rserver CFLOW01
inservice
rserver CFLOW02
inservice
exit
exit
############################################# Router Cache Farm ############################
probe icmp ICMP_PROBE
description *** Probe for icmp health monitoring ***
interval 5
faildetect 2
passdetect interval 60
passdetect count 2
exit
rserver host Router01
description Connection to Sodetel Router
ip address 192.168.14.4
probe ICMP_PROBE
inservice
rserver host Router02
description Connection to IDM Router
ip address 192.168.14.5
probe ICMP_PROBE
inservice
serverfarm host Routers
description Transparent Proxy Farm
transparent
predictor hash url
probe ICMP_PROBE
rserver Router01
inservice
rserver Router02
inservice
exit
exit
################################# Management################################
class-map type management match-any REMOTE_MGMT
description Allow Remote management for below protocols
8 match protocol icmp any
9 match protocol ssh source-address 172.31.13.31 255.255.255.255
10 match protocol ssh source-address 172.31.31.21 255.255.255.255
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_MGMT
permit
class-map match-all CFLO2Internet
2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all TRANSPARENT_VIP_CM
2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match TRANSPARENT_LB_PM
class class-default
serverfarm TRANSPARENT_PROXY_SF backup Routers
policy-map type loadbalance first-match CFLO2Internet_LB
class class-default
serverfarm Routers
policy-map multi-match CFLO2Internet_PM
class CFLO2Internet
loadbalance vip inservice
loadbalance policy CFLO2Internet_LB
loadbalance vip icmp-reply active
connection advanced-options TCP
policy-map multi-match L3L4_PM
class TRANSPARENT_VIP_CM
loadbalance vip inservice
loadbalance policy TRANSPARENT_LB_PM
loadbalance vip icmp-reply active
connection advanced-options TCP
====Interfaces======
interface vlan 11
description Interface between Routers and ACE
ip address 192.168.14.2 255.255.255.224
alias 192.168.14.1 255.255.255.224
peer ip address 192.168.14.3 255.255.255.224
no icmp-guard
access-group input PERMIT_ALL
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input L3L4_PM
no shutdown
interface vlan 21
description Connection to CFlow ServerFarm
ip address 192.168.12.2 255.255.255.224
alias 192.168.12.1 255.255.255.224
peer ip address 192.168.12.3 255.255.255.224
no icmp-guard
access-group input CFLOW
service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
no shutdown
Hi George,
In the topology you described, only the service-policy on the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.
The only problem is, as you mentioned, that you cannot use HSRP. In that case you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it selects the one it will use is by sending an ARP request to both gateways and using the one that replies first, until the ARP entry expires).
If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side, load-balanced to a transparent serverfarm composed of both routers.
Regards
Daniel -
Hi,
Please can you help me find where my error is in the below:
I have an ACE 4710. I also have 2 Blue Coat ProxySGs working in proxy mode. I want the ACE to be the load balancer for these 2 ProxySGs. I configured the ACE as below and put the VIP address in the Internet Explorer LAN settings, but it did not work. I also configured policy-based routing on the core switch (for any HTTP or HTTPS traffic going through the core, apply set ip next-hop vip-address).
Core SW SVI:
interface Vlan56
description BC Proxy
ip address 10.0.1.33 255.255.255.224
interface Vlan57
description ACE-LB-Alias
ip address 10.0.1.65 255.255.255.224
ACE 4710:
hostname VSS-ACE-BC-01
interface gigabitEthernet 1/1
description Management
speed 1000M
duplex FULL
switchport access vlan 101
no shutdown
interface gigabitEthernet 1/2
description User Side
speed 1000M
duplex FULL
switchport access vlan 56
no shutdown
interface gigabitEthernet 1/3
description BC Proxy Side
speed 1000M
duplex FULL
switchport access vlan 57
no shutdown
interface gigabitEthernet 1/4
description Failover
speed 1000M
duplex FULL
ft-port vlan 900
no shutdown
context Admin
member sticky
access-list external line 10 extended permit ip any any
access-list external line 20 extended permit icmp any any
access-list external line 30 extended permit tcp any any
access-list external line 40 extended permit udp any any
access-list internal line 10 extended permit ip any any
access-list internal line 20 extended permit icmp any any
access-list internal line 30 extended permit tcp any any
access-list internal line 40 extended permit udp any any
probe tcp web443
port 443
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
probe tcp web8080
port 8080
interval 30
faildetect 1
passdetect interval 30
passdetect count 1
open 1
rserver host BC01
ip address 10.0.1.41
inservice
rserver host BC02
ip address 10.0.1.42
inservice
serverfarm host web443
probe web443
rserver BC01
inservice
rserver BC02
inservice
serverfarm host web8080
probe web8080
rserver BC01
inservice
rserver BC02
inservice
sticky ip-netmask 255.255.255.255 address source group1
replicate sticky
serverfarm web8080
sticky ip-netmask 255.255.255.255 address source group2
replicate sticky
serverfarm web443
class-map type management match-any REMOTE_ACCESS
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol http any
6 match protocol snmp any
class-map match-all external-web
2 match virtual-address 10.0.1.70 any
class-map match-all external-web443
2 match virtual-address 10.0.1.70 any
class-map match-any nat-class
2 match access-list external
policy-map type management first-match REMOTE_MGMT
class REMOTE_ACCESS
permit
policy-map type loadbalance http first-match slb
class class-default
sticky-serverfarm group1
policy-map type loadbalance http first-match slb443
class class-default
sticky-serverfarm group2
policy-map multi-match external-access
class nat-class
nat dynamic 1 vlan 57
class external-web
loadbalance vip inservice
loadbalance policy slb
class external-web443
loadbalance vip inservice
loadbalance policy slb443
timeout xlate 120
interface vlan 56
description Server-Side
ip address 10.0.1.43 255.255.255.224
ip verify reverse-path
alias 10.0.1.40 255.255.255.224
peer ip address 10.0.1.44 255.255.255.224
mac-address autogenerate
access-group input internal
service-policy input REMOTE_MGMT
no shutdown
interface vlan 57
description VIP-Interface
ip address 10.0.1.67 255.255.255.224
alias 10.0.1.66 255.255.255.224
peer ip address 10.0.1.68 255.255.255.224
mac-address autogenerate
access-group input external
service-policy input external-access
service-policy input REMOTE_MGMT
no shutdown
interface vlan 101
description Management
ip address 10.220.1.131 255.255.255.0
alias 10.220.1.133 255.255.255.0
peer ip address 10.220.1.132 255.255.255.0
mac-address autogenerate
service-policy input REMOTE_MGMT
no shutdown
ft interface vlan 900
ip address 172.20.100.1 255.255.255.252
peer ip address 172.20.100.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 900
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 10.0.1.65
I see that you used:
nat dynamic 1 vlan 57
Where is the NAT pool on VLAN 57?
Maybe you can try to assign one, and that should help.
Something like below:
interface vlan 57
nat-pool 1 10.0.1.93 10.0.1.93 netmask 255.255.255.224 pat
regards,
Ajay Kumar -
I'm trying to set DSCP flags in traffic from the ACE 4710 to clients. Unfortunately it doesn't seem to work this way:
class-map type http loadbalance match-any URL-AF21
2 match http url /aaa/.*
4 match http url /bbb/.*
policy-map type loadbalance http first-match LB-WITH-DSCP
class URL-AF21
set ip tos 72
serverfarm MyServerFram
class class-default
set ip tos 0
serverfarm MyServerFram
Traffic from the ACE to the real server is tagged, but not traffic from the ACE to clients.
Any idea which config might work?
Hi,
If we set the TOS bit in the policy map, as you are doing, the ToS bit will only get set on the ACE-to-server leg of the connection. The ACE will not set the value for the traffic returning to clients.
The way around this situation is to set the TOS bit via a parameter map and then call it under the class in the multi-match policy. This way you will have the TOS bit set for both directions of the traffic (from ACE to server and from ACE to client). The downside of this approach is that you won't be able to use it for a specific class of traffic.
If you are interested in applying the TOS bit to all flows hitting a VIP, then please follow this configuration example.
parameter-map type connection SET_TOS
set ip tos 72
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Dear All,
We have two servers (SharePoint) and need to add them to the ACE 4710 to work internally, no WAN needed. How do we add them?
Thanks a lot in advance
Hi,
Here's the example:
Let's say you have two servers
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
You add them to a serverfarm:
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
After that you configure the VIP and its match condition. Here "any" means any protocol and port:
class-map match-all VIP-30
2 match virtual-address 172.16.51.30 any
You define the L7 policy map:
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS ---> Serverfarm to which traffic would be load balanced.
policy-map multi-match CLIENT_VIPS ---> L3 policy map.
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
nat dynamic 1 vlan 451 ---> You need to apply NAT when your client is in the same subnet as the server, so that return traffic comes back to the ACE and not to the client directly.
interface vlan 251
description Client vlan
ip address 172.16.51.11 255.255.255.0
access-group input ANYONE
service-policy input REMOTE_MGT
service-policy input CLIENT_VIPS
no shutdown
interface vlan 451
description Servers vlan
ip address 192.168.1.1 255.255.255.0
nat-pool 1 192.168.1.100 192.168.1.110 netmask 255.255.255.0 pat ---> NAT pool defined. It should always be on the server-side VLAN.
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.51.1
Regards,
Kanwal
Note: Please mark answers if they are helpful.