Ace 6500 question
New to ACE, just purchased a new blade. Could somebody advise on deployment in routed and single-arm mode? If a client connects to the VIP, can the traffic route back out the VIP interface to the servers? We have a DMZ where we want to deploy a VIP. Once the packet enters the DMZ and hits the VIP, can the servers be located on the same subnet as the VIP, and also a backup server on another DMZ or even on the inside of the firewall?
I am also fairly new to the ACE modules, but I think I can answer your question. Yes, the servers can be located on the same subnet as the VIP. As for the backup servers, as long as the ACE can reach the servers via IP you can load balance servers even if they are in different VLANs or DMZs.
I have a context in one-arm mode and would suggest against it unless you do not have a choice. Even though one-arm mode is easy to set up, it can be a little hard to troubleshoot if you have source NAT enabled. If you do not have source NAT enabled on the ACE, you will have to configure PBR on the MSFC of the 6500 and specify what you want to go to the ACE (what needs to be load balanced).
If you configure the ACE in routed mode, be sure that you configure it so that you do not run into asymmetric routing issues.
Like I said, I am fairly new to these load balancers, but we have very talented folks on this site that can assist you with almost any ACE-related question that you may have.
Good luck,
John...
Similar Messages
-
I have an ACE checkpoint question. When you create a checkpoint to save the config on the ACE module, where does the file get stored?
Hi,
To display checkpoint information, use the show checkpoint command in Exec mode. The syntax of this command is:
show checkpoint {all | detail name}
The options and arguments are:
• all - Displays a list of all existing checkpoints
• detail name - Displays the running configuration of the specified checkpoint
For example, to display the running configuration for a specific checkpoint, enter:
host1/Admin# show checkpoint detail MYCHECKPOINT
Sachin -
PSCS4 ACE Exam - Questions on 3D and Video included or not?
Hi,
I have been thinking of taking the ACE exam for CS4 for a while now. I have been using a couple of the exam sims available, ExamAids and uCertify, but have noticed that while the uC one has questions on 3D, Video and Animation, the EA one does not.
Can anyone who has actually taken the test please tell me if they had to answer questions on these elements of the software? I'm not interested in what the questions were, just whether they covered those subjects. I know they are not listed on the exam bulletin, but they might crop up in the 'Advanced Knowledge' section.
And before anyone from the 'why bother with ACE exams' crowd chips in: I work for a training company that wants to become an AATC, and they need to use ACIs to achieve that status. So I need to become an ACE.
Thanks in advance,
Kris
The questions only come from the prep guide; if something isn't mentioned there, it won't be in the exam. There's nothing about 3D in the prep guide, so you don't need to learn about it, but there are two subpoints about video, so make sure that you go through those:
• Given a scenario, describe the proper color conversion to apply. (Scenarios include: To CMYK for prepress, to a different color space for Web or video.)
• Explain how to use features that handle images moving to and from video workflows. (Includes: Pixel aspect ratio, document presets, Video Preview.)
-
Hi,
I have the following configuration:
policy-map type loadbalance first-match test
  class L7-URL
    sticky-serverfarm test
    insert-http src-ip header-value %is:%ps:%id:%pd
  class class-default
    serverfarm test
Does the class class-default need to be in the above configuration? The reason I ask is because I see it in some examples and not in others.
Regards,
John...
class-default acts as a last resort in a policy configuration. If there are multiple classes to check the traffic against, the policy compares the traffic against all the classes, and if there is no match, the actions under class-default are used.
In your case, ACE will look for the condition in "class L7-URL"; if it matches, it will use sticky group test (which should have a serverfarm associated with it). The serverfarm under the sticky group will be used if the client request matches the class L7-URL.
If the client request doesn't match the condition in "class L7-URL", then serverfarm test (under class-default) will be used.
HTH
Syed Iftekhar Ahmed
-
ACE functionally question - SSL tunnelling / proxy on behalf of non SSL client
Hi
Can the ACE perform SSL tunnelling of web services (HTTP) traffic? Can the ACE perform SSL tunnelling/proxy on behalf of a non-SSL client?
Example:
Client (HTTP) ---->>> (HTTP)Cisco ACE(HTTPS) ------>>>>(HTTPS) Server
The "client" server does not support SSL.
Can an ACE tunnel the web services traffic inside an SSL tunnel to a specific destination server on behalf of the client server (which does not support SSL)?
Are there any other Cisco products that could be used to perform this SSL tunnelling on behalf of a non-SSL client?
Regards
Hello Byron,
Yes, the ACE can do it.
Here you have some of the flavors of SSL with the ACE.
Here you have a sample of it:
parameter-map type http CASE_PARAM
  case-insensitive
  persistence-rebalance
  set header-maxparse-length 65535
  set content-maxparse-length 65535
class-map match-all CLEAR_TEXT_VIP
  2 match virtual-address 172.20.120.19 tcp eq www
policy-map multi-match JORGE-MULTIMATCH
  class CLEAR_TEXT_VIP
    loadbalance vip inservice
    loadbalance policy POLICY_TO_ENCRYPT_TRAFFIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
policy-map type loadbalance first-match POLICY_TO_ENCRYPT_TRAFFIC
  class class-default
    serverfarm ENCRYPTED-SERVERFARM
    ssl-proxy client SSL-PROXY-JORGE
ssl-proxy service SSL-PROXY-JORGE
  key TAC-key
  cert TAC-cert
serverfarm host ENCRYPTED-SERVERFARM
  rserver JORGE-SERVER 443
    inservice
Here you have some additional details under the configuration guide:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/initiate.html
Here you have some additional samples:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_SSL_Configuration_Examples
Hope this helps you and fixes your issue.
Jorge
-
Hi Folks,
First of all, I am new to the job and have very little ACE experience. I work on a large campus. We have two 6513s with an ACE blade in each, and a few contexts configured for different applications. Basically the server guys have come to me and asked me to enable stickiness on one of their contexts.
Now I am sure this is basic stuff to ye guys, but I am just wondering what I need to do. Can I implement this on the fly without causing an outage? I have cut and pasted the relevant context below and added the changes I think need to be made. Do you guys think this will work, and will it cause any outage?
I appreciate any help at all guys:
Here is current config:
probe tcp APPS-PROBE
  port 8080
  interval 3
  passdetect interval 5
parameter-map type ssl SSL-APPS-ADVANCED
  cipher RSA_WITH_RC4_128_MD5
rserver host SERVER1
  ip address 10.10.10.1
  inservice
rserver host SERVER2
  ip address 10.10.10.2
  inservice
ssl-proxy service SSL-APPS-PROXY
  key appfiles.pem
  cert appfilesCAcert
  chaingroup APPFILES-CHAINGRP
  ssl advanced-options SSL-APPS-ADVANCED
serverfarm host APPS-FARM
  predictor leastconns
  probe APPS-PROBE
  rserver SERVER1 8080
    inservice
  rserver SERVER2 8080
    inservice
class-map match-any APPS-VIP
  2 match virtual-address 10.10.10.4 tcp eq https
policy-map type management first-match MGT-POLICY
  class class-default
policy-map type loadbalance first-match APPS-POLICY
  class class-default
    serverfarm APPS-FARM
policy-map multi-match APPSPOLICY
  class APPS-VIP
    loadbalance vip inservice
    loadbalance policy APPS-POLICY
    loadbalance vip icmp-reply active
    ssl-proxy server SSL-APPS-PROXY
service-policy input APPSPOLICY
Will adding the following to the context make stickiness work?
sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
  timeout 720
  timeout activeconns
  replicate sticky
  serverfarm APPS-FARM
policy-map type loadbalance first-match APPS-POLICY
  class class-default
    sticky-serverfarm STICKY-APPS-FARM
I am really lost on this and am only getting this from looking at stickiness on other configs. Can you guys advise whether this will work?
Also look at the following:
www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/vlansif.html
Autogenerating a MAC Address for a VLAN Interface
By default, the ACE does not allow traffic from one context to another context over a transparent firewall. The ACE assumes that VLANs in different contexts are in different Layer 2 domains, unless it is a shared VLAN. The ACE allocates the same MAC address to the VLANs.
When you are using a firewall service module (FWSM) to bridge traffic between two contexts on the ACE, you must assign two Layer 3 VLANs to the same bridge domain. To support this configuration, these VLAN interfaces require different MAC addresses.
To enable the autogeneration of a MAC address on a VLAN interface, use the mac address autogenerate command in interface configuration mode. The syntax of this command is as follows:
mac address autogenerate
For example, enter:
host1/Admin(config-if)# mac address autogenerate
To disable MAC address autogeneration on the VLAN, use the no mac address autogenerate command. For example, enter:
host1/Admin(config-if)# no mac address autogenerate -
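The stickiness question above comes down to whether every name in the pasted change resolves to an object the context actually defines. The following is an added example, not code from the thread or from Cisco: it parses ACE-style configuration text (assuming the CLI layout in which a top-level line opens an object and the indented lines beneath belong to it), reports names that are referenced but never defined, and flags top-level lines it does not recognise. Run over a constructed, reduced copy of the proposed change it catches the "policy-may" typo and the policy reference that dangles as a result; the object types it knows about are only those in its two tables.

```python
"""Cross-reference check for ACE-style config text (added example, not from the thread).
Assumes the CLI layout: a top-level line opens an object; indented lines below belong to it."""
import re

# Top-level lines that define a named object: (pattern, kind)
DEFINERS = [
    (r"^probe \S+ (\S+)$", "probe"),
    (r"^rserver (?:host|redirect) (\S+)$", "rserver"),
    (r"^serverfarm (?:host|redirect) (\S+)$", "serverfarm"),
    (r"^sticky .* (\S+)$", "sticky"),                      # sticky group name is the last token
    (r"^class-map (?:type \S+ \S+ )?match-\w+ (\S+)$", "class-map"),
    (r"^policy-map type loadbalance first-match (\S+)$", "lb-policy"),
    (r"^policy-map multi-match (\S+)$", "mm-policy"),
]
# Lines that reference an object: (parent kind, or None for a top-level line; pattern; target kind)
REFERENCES = [
    ("serverfarm", r"^rserver (\S+)", "rserver"),
    ("serverfarm", r"^probe (\S+)$", "probe"),
    ("sticky", r"^serverfarm (\S+)$", "serverfarm"),
    ("lb-policy", r"^serverfarm (\S+)$", "serverfarm"),
    ("lb-policy", r"^sticky-serverfarm (\S+)$", "sticky"),
    ("mm-policy", r"^class (\S+)$", "class-map"),
    ("mm-policy", r"^loadbalance policy (\S+)$", "lb-policy"),
    (None, r"^service-policy input (\S+)$", "mm-policy"),
]

def check(config):
    """Return problem strings; an empty list means every referenced name resolves."""
    blocks = []                                  # [(top-level line, [indented lines])]
    for raw in config.splitlines():
        if raw.strip() and raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip():
            blocks.append((raw.strip(), []))
    defined, kinds = {}, []                      # pass 1: collect definitions and block kinds
    for head, _ in blocks:
        hit = next(((k, m) for p, k in DEFINERS for m in [re.match(p, head)] if m), None)
        kinds.append(hit[0] if hit else None)
        if hit:
            defined.setdefault(hit[0], set()).add(hit[1].group(1))
    problems = []                                # pass 2: resolve every reference
    for (head, children), kind in zip(blocks, kinds):
        lines = [(head, None, True)] + [(c, kind, False) for c in children]
        for line, parent, is_head in lines:
            known = is_head and kind is not None
            for rule_parent, pattern, target in REFERENCES:
                m = re.match(pattern, line)
                if m and rule_parent == parent:
                    known = True
                    if m.group(1) != "class-default" and m.group(1) not in defined.get(target, ()):
                        problems.append(f"'{head}': {target} '{m.group(1)}' is not defined")
            if is_head and not known:
                problems.append(f"unrecognised top-level line '{line}' (typo?)")
    return problems

# Constructed: the thread's proposed stickiness change, reduced to what the check needs
PROPOSED = """\
rserver host SERVER1
serverfarm host APPS-FARM
  rserver SERVER1 8080
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-APPS-FARM
  serverfarm APPS-FARM
class-map match-any APPS-VIP
  2 match virtual-address 10.10.10.4 tcp eq https
policy-may type loadbalance first-match APPS-POLICY
  class class-default
    sticky-serverfarm STICKY-APPS-FARM
policy-map multi-match APPSPOLICY
  class APPS-VIP
    loadbalance policy APPS-POLICY
service-policy input APPSPOLICY
"""
```

`check(PROPOSED)` returns two problems, the unrecognised "policy-may" line and the multi-match policy's reference to the now undefined APPS-POLICY; with the typo corrected it returns an empty list.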
Hi All,
In the network layout below, does the ACE need to be set up in routed mode to work? Can it also be set up in bridged mode in this scenario?
Network Cloud <--> Firewall <--> ACE <--> Router <--> Server Farm.
Any references would also be greatly appreciated.
Thanks in advance.
HH
You only need the server adjacent if you do transparent loadbalancing, which means you do not NAT the virtual IP to the server IP.
Instead the servers are configured with a loopback ip address the same as the vip on the loadbalancer.
You can always bridge between 2 vlans and this is possible in your case.
However, I don't see the need to insert a router between the ace module and the servers.
Can't you have the ace module inserted between the router and the servers ?
Or get rid of the router and have the servers directly connected to the ACE VLAN, using the firewall as gateway?
Gilles.
-
We are migrating a large application to a new serverfarm one folder at a time. The existing application server is not load balanced via the ACE.
We want to set a VIP on the ACE as the primary DNS entry for host ans.company.com. When users request ans.company.com/dfr they will get L7 load balanced (via URL matching) to a new local serverfarm.
When the users request ans.company.com/cms we want to redirect them to the old application server, which will be renamed via DNS as classic.ans.company.com.
As each folder is migrated to the new servers the L7 rules will be modified to keep that traffic local.
Example:
User requests ans.company.com/bfr or ans.company.com/cms: they will be sent to the local new serverfarm.
User requests ans.company.com/dma1 or ans.company.com/dma2: they will be redirected to classic.ans.company.com/dma1 or classic.ans.company.com/dma2 (depending on the original request).
Does anyone have a sample script for this type of scenario? I have the load balancing working fine. It's the redirection that is not working. I am trying to use an L7 URL match to send the request to a redirect rserver.
Any help would be appreciated.
It should be something like:
rserver redirect REDIRECT-TO-OLD
  webhost-redirection http://classic.ans.company.com/%p 302
  inservice
serverfarm redirect REDIRECT-SERVERFARM
  rserver REDIRECT-TO-OLD
    inservice
class-map type http loadbalance match-any local-new
  match http url /bfr
  match http url /cms
class-map type http loadbalance match-any remote-old
  match http url /dma1
  match http url /dma2
policy-map type loadbalance first-match L7_LOGIC
  class local-new
    serverfarm local-serverfarm
  class remote-old
    serverfarm REDIRECT-SERVERFARM
policy-map multi-match CLIENT_VIPS
  class VIPs
    loadbalance vip inservice
    loadbalance policy L7_LOGIC
HTH
Syed Iftekhar Ahmed -
I would like to upgrade a redundant pair of ACE Modules from "3.0.0_A1_6.1" to "A2_1.2". Are there any concerns or gotchas or should this be a standard upgrade.
Thanks
Just follow the documented procedure and you will be good:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/administration/guide/upgrade.html#wp1027870
Syed Iftekhar Ahmed -
Just a clarification about ACE roles. Why does the predefined "Admin" role have any rules beyond:
1. Permit Create all
Why are the other 3 rules necessary?
2. Permit Create user access
3. Permit Create system
4. Permit Create changeto
thanks,
marty
The ACE provides role-based access control (RBAC), which is a mechanism that determines the commands and resources available to each user. A role defines a set of permissions for accessing the objects and resources in a context and the actions you can perform on them.
-
Hi,
I am an ACE newbie. I have a two-tier ACE setup and I am basically trying to get the front-end ACE to divert to a sorry page if the back-end servers hanging off the back-end ACE do not reply to their probes.
I have the following setup...
Internet
|
DMZ ACE (doing SSL termination)
|
Reverse Proxy Server farm
|
Corporate LAN ACE
|
Application Server farm
DMZ ACE is probing Rev Proxy farm on TCP 2000 - and using sticky cookie insertion.
Corporate LAN ACE is probing App Server farm on TCP 2000 - and using sticky cookie insertion.
If the Application server farm becomes unavailable, I would like the DMZ ACE to detect this and then redirect the clients to a 'service unavailable' page hosted on the Reverse Proxy Servers.
My thought so far is the following...
DMZ ACE
rserver host Rev_proxy1
rserver host Rev_proxy2
probe icmp probe_icmp
  ip address <App_Server_VIP>
serverfarm host Rev_proxy_farm
  probe probe_icmp
  probe probe_tcp_2000
  rserver Rev_proxy1
  rserver Rev_proxy2
So the above Rev_proxy_farm availability is tied to the appearance of the App Server VIP due to the directed ICMP probe to the Corporate LAN ACE VIP; the VIP will disappear if the App Server farm does not respond to its TCP probe.
I am then not sure how to redirect the HTTP request to the Reverse Proxy Server seeing as though these have already been flagged unavailable.
Should I then follow 'Configuring a Sorry Server Farm' as per http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1049254 to divert the connections from the Reverse_proxy:2000 to Reverse_proxy:3000 (which serves Service unavailable page)?
Any advice on whether this is the best way to go would be much appreciated.
Cheers,
Al
You need to create a redirect host and serverfarm and use this serverfarm as a backup serverfarm for your main serverfarm.
I'm not sure that the ICMP ping will work.
Because the ping will be sent to the destination IP address of the VIP, but the destination MAC address will be the rev-proxy where you configured the probe.
Give it a try.
Gilles.
-
Hi,
I had just moved one server farm from round-robin to leastconns with a slowstart of 300 seconds, and no new rservers had been added (or failed); they are all the same as before the change.
What I see is that one rserver gets many more hits than the others and one of them is practically idle. I know that CSCso93479 states that the current connections count in "show serverfarm" is inaccurate, but I cannot understand such a difference....
Is total connections counter bugged as well?
                                                 ----------connections-----------
   real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: prmesapp11
       10.16.127.17:0       8      OPERATIONAL  23         6          0
   rserver: prmesapp12
       10.16.127.18:0       8      OPERATIONAL  44         187        0
   rserver: prmesapp13
       10.16.127.19:0       8      OPERATIONAL  31         43         0
   rserver: prmesapp14
       10.16.127.20:0       8      OPERATIONAL  27         62         0
Or am I missing something about the leastconns predictor?
Thanks a lot!
David
Hi,
Nope. I was trying to see what I can do about this, so I removed the leastconn (reverting back to round-robin) then configured leastconn back, but without slow-start parameter. What I immediately noticed is that servers started to be hit in a more equal manner, which is what I expected. I then reapplied the leastconn command, but with slow-start parameter and it would seem that session distribution was as expected. I assume that maybe removing and reapplying leastconn command did the trick, or maybe slow-start parameter was somehow misbehaving when I first applied it....
Now what I noticed is there are some sessions under the failures column of the "show serverfarm" output, and I don't believe I had those before I switched to leastconn. The number is very low, like 5 failed versus 30,000 total, but still I was wondering if there is anything different with leastconn from round-robin that would cause some of the sessions to fail?
Thanks!
David -
Best resource that would help me to pass adobe Photoshop CC ACE exam
Best resource that would help me to pass the Adobe Photoshop CC ACE exam?
And another question:
Can I practice from Adobe Photoshop CS6 Classroom in a Book and then, knowing the new features of CC, pass the exam?
Thanks in advance
Ideally you want to get hold of the ACE sample exam and study guides for the product versions you are testing for. It doesn't hurt to know previous versions, but be keenly aware of the differences in menus, filters, etc.
Below is a PDF with some sample questions.
http://training.adobe.com/certification/exams/photoshop_cc_2013/_jcr_content/sampleExam
Online preparation
Prepare for the Adobe Certified Expert in Photoshop CC exam by Martin Perhiniak | Udemy
ACE Exam Self Study Aid (Mac)
Photoshop CC ACE Exam Questions | Adobe Certified Expert | Study Guide & Test Prep Simulator | 9A0-354 and 9A0-347
More resources here
Preparing for the Adobe Certified Expert (ACE) Exam
Nancy O. -
ACE and ANM, Syslog and SNMP Traps
Hi guys.. another ACE/ANM question.
I configured the ACE devices to send syslog and SNMP messages to the ANM server. But I have a couple of questions:
What's the difference between using:
logging history 4 (this would send logging messages as SNMP traps according to doc)
And:
snmp-server host x.x.x.x traps version 2c public
snmp-server trap-source vlan 1000
This, of course, I think should do the same.
The funny and weird thing is, in the ANM Event viewer I can only see syslog messages, not one SNMP event.
Thanks!
Omar
PS: ACE ver A2.4
ANM Ver 4.2
Hi Omar,
Let's see if I can clarify your questions.
As you mentioned, the "logging history 4" command specifies that syslog messages of severity 4 and higher will be sent as SNMP traps. After you configure it, you need the "snmp-server host x.x.x.x traps version 2c public" command to specify the destination IP and SNMP community for these traps.
It would only make sense to use the "logging history 4" command if your monitoring application doesn't support receiving syslog messages. However, since ANM is able to get syslog messages from the ACE without issues, I would just configure a destination for syslog messages instead (with "logging host x.x.x.x").
I hope this makes this point more clear.
Now, moving on to why you are not seeing any SNMP traps in your ANM, the first things you would need to check are:
-- Did you enable traps? You would use the "ACE(config)# snmp-server enable traps" command for this
-- Are traps being sent? You can use the "show snmp" command and check if the "Trap PDUs" counter increases
-- Is ANM getting these traps? This is the most complicated step. For this, I would recommend getting a traffic capture on the ANM server (if it's installed on Linux) or as close as possible to it if it's an ANM appliance.
I hope this helps.
Daniel
-
CSCut57898 - C897 ACL object-group leak/miss for BGP tcp 179 / causing deny
We appear to be seeing this bug, or something very similar, on a 3845 running 15.1(4)M9 (c3845-adventerprisek9-mz.151-4.M9.bin), and a 3945 running 15.1(1)T (c3900e-universalk9-mz.SPA.151-1.T.bin). On both platforms traffic that should be (and most often is) matching an object-group ACE is sometimes "falling through" that ACE and hitting ACEs below the object-group based ACE that it should have matched. Depending on the ACEs in question, this sometimes results in traffic that should be permitted falling into a later deny, or more troubling, traffic that should be denied falling into a subsequent permit.
I am particularly curious to know if this may be related to http://tools.cisco.com/security/center/viewAlert.x?alertId=37423 and https://tools.cisco.com/bugsearch/bug/CSCun21071 and whether there is a fix.
Anyone who is working on this is welcome to contact me directly. I have crystal clear logging of traffic falling through ACEs on these systems, and I would be happy to assist in any way I can. I would really like to get this problem solved; it is causing me a great deal of grief and frustration.