ACE: design/config question: trans.slb + slb + mngt

Hi,
Could this ACE setup/design work?
I want PROXIED sessions (to the proxy VIP 10.0.0.10) to be load balanced.
All other sessions (e.g. to some public IPs) will have to be transparently load balanced to the proxy servers, thus no destination NAT.
The ACE is inline between the firewalls and the proxy servers.
VIP definitions:
class-map match-all P_PXYVIP_VS_LB
2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
class-map match-all P_PXYTRANS_VS_LB
2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
Question in this case: would it still be possible to have management sessions towards the proxy servers (physical IP addresses of the proxies) routed by the ACE?
Probably the class-map PXYTRANS is catching those sessions also.
Are there other design/config solutions to solve this one?
Thank you!
Wim

Let me rephrase the question:
How could one still be able to access the real server IP (which is directly connected to the ACE) for management,
knowing that there is one VIP which (normally) load balances to the real servers,
and
there is one VIP 0.0.0.0 tcp any which is configured to catch all other traffic to be transparently load balanced?
The VIP 0.0.0.0 is always catching the sessions which only need to be routed to the real servers' IPs.
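As an added illustration (not part of Wim's post and not Cisco code), the following Python model applies the two class-maps from the question, in their configured order, to a few constructed flows; it assumes that the first matching LB class wins, as in an ACE multi-match policy-map, and uses placeholder addresses for the proxy's physical IP (10.0.0.21) and for a public web server (203.0.113.5).

```python
"""Model of ACE 'match virtual-address' classification, added as an example.
It is not Cisco code. The two classes are the ones from the question; the
sample flows and the addresses 10.0.0.21 / 203.0.113.5 / 192.0.2.0 are
constructed placeholders that the post does not give."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VipClass:
    """One 'match virtual-address <ip> <mask> <proto> <port>' line."""
    name: str
    vip: str
    mask: str
    proto: str   # "tcp", "udp" or "any"
    port: str    # "any" or a port number

    def matches(self, dst_ip: str, proto: str, dst_port: int) -> bool:
        # 10.0.0.10/255.255.255.255 is a /32; 0.0.0.0/0.0.0.0 is the whole
        # address space, which is why the second class is a catch-all.
        net = ipaddress.ip_network(f"{self.vip}/{self.mask}", strict=False)
        if ipaddress.ip_address(dst_ip) not in net:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        return self.port == "any" or int(self.port) == dst_port


# The two class-maps from the question, in the order a multi-match
# policy-map would list them (model assumption: first match wins).
POLICY: List[VipClass] = [
    VipClass("P_PXYVIP_VS_LB", "10.0.0.10", "255.255.255.255", "tcp", "8080"),
    VipClass("P_PXYTRANS_VS_LB", "0.0.0.0", "0.0.0.0", "tcp", "any"),
]


def classify(policy: List[VipClass], dst_ip: str, proto: str,
             dst_port: int) -> Optional[str]:
    """Return the first matching VIP class name, or None when no VIP
    matches and the ACE would simply route the flow."""
    for cls in policy:
        if cls.matches(dst_ip, proto, dst_port):
            return cls.name
    return None


# Constructed sample flows (destination IP, protocol, destination port).
SAMPLE_FLOWS = {
    "proxied client -> VIP":            ("10.0.0.10", "tcp", 8080),
    "transparent client -> public web": ("203.0.113.5", "tcp", 80),
    "admin SSH -> proxy physical IP":   ("10.0.0.21", "tcp", 22),
    "SNMP poll -> proxy physical IP":   ("10.0.0.21", "udp", 161),
}


def classify_samples(policy: List[VipClass] = POLICY) -> dict:
    """Classify every sample flow under the given policy order."""
    return {label: classify(policy, *flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print(f"{label:34s} -> {hit or 'routed (no VIP match)'}")
```

The run shows the problem Wim describes: the admin's TCP session to the proxy's own address lands in P_PXYTRANS_VS_LB like any other TCP flow, while a UDP flow is not caught at all because the catch-all is "tcp any", not "any any". Reversing the class order in the model also swallows the 10.0.0.10:8080 sessions, so the specific class must stay ahead of the catch-all.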

Similar Messages

  • ACE Design/Normalization Question

    We are deploying an ACE to LB some data center traffic. The ACE will sit off of our core 6500 w/ SUP720. We have multiple subnets that need to be load balanced that also reside on the same 6500.
    We have done different tests in both routed and bridged mode and neither of these setups works without using a policy map on the 6500. I have disabled normalization and everything seems to work with the asymmetric flow. Are there any disadvantages to disabling normalization? Also, I've read through most of the Cisco documents about bridged and routed mode. Does anyone know of any other documents out there with a similar design to the above?
    Thanks in advance.

    Hi Darren,
    ACE normalization is more of a security feature and won't allow asymmetrical flows through the ACE. Normalization is enabled by default.
    Without normalization the ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.
    This link provides an overview of TCP normalization:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.html#wp1002055
    To prevent asymmetrical routing, you can configure source NAT on the ACE so that the response from the server will go through the ACE.
    This link provides a sample configuration for source NAT:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml
    Hope this helps,
    Best Regards,
    Rahul

  • A few post config questions on new setup

    Hi Group,
    Just a few post config questions.
    First, how can I confirm my controller is in fact associating properly with an NTP server? On a typical Cisco product, I could just do a 'show ntp associations' or a 'show ntp status'. I cannot see a way to confirm this on the GUI or command line.
    Second, on my guest network with web-auth, if one were to choose not to use HTTPS for web-auth and instead use insecure HTTP, would that be possible, and if so, where in the GUI?
    Thanks.

    The third field is from a WLC running v7.4, not v7.2. I usually would install a 3rd-party certificate, but what else you can try is to issue this command from the CLI. It had issues working with certain code versions, but you might as well give it a try.
    config network web-auth secureweb disable
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Workshop Weblogic config questions

    I'm using Oracle Workshop for WebLogic 10.3 and I'm hoping someone can answer some setup/config questions.
    When I double click on the server (WebLogic Server v10.3 at localhost) a window opens with various settings that manage how workshop and weblogic work together.
    Under "Startup & Deployment" I have the following turned on:
    Launch WebLogic server in Eclipse console
    Always start WebLogic Server in debug mode
    Ignore project compilation errors when publishing (I have this turned on because of errors in a portal project; the errors aren't important and don't prevent the project from running)
    Run stand-alone web module directly from workspace
    So, first question: with these settings I was able to quickly switch to debug mode without restarting the server; now the server restarts whenever I turn debugging on. What have I done that has stopped this working correctly? How can I get it to start debugging without a full restart?
    Next question: what happens if I turn on "Start WebLogic Server in Express Mode"? As far as I can tell nothing happens.
    Lastly, under "Automatic Publishing" I have it set to "Never publish automatically"; if I choose another setting, Workshop essentially freezes because it's constantly publishing. So whenever I make a change, even in a JSP, I need to remove the project, then re-add it to see my changes in the browser. This is frustrating, not just because it takes 8 or 9 minutes (8 or 9 MINUTES!!!), but because the project doesn't run properly until it is redeployed. You'd think that if it needs to be redeployed, then none of my changes should matter on the server until it is redeployed.
    So, my question is: is there any way to get this redeployment to happen faster?
    Thanks for any and all help

    Well, in my experience performance is not as bad as you experienced. Is it a locally connected server or a remotely connected server? If it is a remote server, a network issue could cause this latency issue.
    Is performance better if you run the server without enabling debug mode? If yes, probably you can also review any breakpoints set.
    You could also try out the following options:
    1) Run Workshop with the -clean option, by opening a command prompt, navigating to workshop_home and running 'workshop.exe -clean'
    2) Untick the option 'Launch WebLogic server in Eclipse console' and start the server, which would enable the server to start on the command prompt
    3) This would enable you to take multiple thread dumps (Ctrl+Break) on the server console output, while performance is very bad, to see where threads are halted.

  • Re: PLM4P v6003 Config Question:  Any way to configure UGM Notifications?

    After reading:
    PLM4P v6003 Config Question:  Any way to configure UGM Notifications?
    This is one of the requirements from me as well. We always wanted to customize emails sent not only for UGM but also for other modules. We wanted to convey some message to approvers. But it seems this is still not possible. Is this functionality on the road-map of Agile PLM4P product management?

    Currently, the subject and body of emails can be customized to an extent, as they are translations that can be overridden. The translations have some placeholder fields that get populated by the system, but you are limited to those placeholder fields. The upcoming release will give you full control of the email body and subject lines, for GSM and SCRM emails, as well as Supplier Rep emails.

  • Redundant FWSM Config Question

    Hello All,
    I'm going to be configuring failover with FWSMs for our 6500 at my job and I have a config question. There is one current 6500 chassis with 2 FWSMs installed. They are both online, but currently, since failover isn't set up, only one FWSM is actually active. My question is, since we are using multiple contexts, where do I set up the failover interface, and do I need to configure failover on every single VLAN on the FWSM? We have over 10 contexts each with 2-3 interfaces on them, so do I need a failover IP for every VLAN that exists on every context? Also, does the failover config get set up on the admin or system context? Any help would be greatly appreciated, and thank you so much in advance!

    Hi John.
    Failover config goes in the system context. For the data interfaces in each context, you will need a primary and a standby IP, i.e. 2 IPs per VLAN. Once failover happens, the secondary FWSM will assume the active role and the secondary FWSM will take over the primary IP address, thus making the failover process transparent to end users.
    HTH.
    Regards
    Zubair

  • SCCM 2012 application portal: config questions

    Hi,
    We have set up the SCCM 2012 application portal correctly and it's working fine.
    However, some config questions:
    -can we change the name of the configuration portal? Now it's servername/CMApplicationCatalog ... which is not user-friendly.
    We'd like it to be applicationportal.ourcompany.com. How to achieve that?
    -can we customize the layout in a supported way (we could change HTML pages but after an upgrade of SCCM they would/could be erased)?
    -how does Flexera (AdminStudio?) plug into this? I've read this entry
    http://helpnet.installshield.com/appportal2014/Content/helplibrary/AP_CreatingCatItemSCCM.htm but what's the big picture here? Anybody using this? What are the advantages?
    J.
    Jan Hoedt

    We want to offer Software Center for an overview of mandatory installs, and the Application Catalog for optional software.
    On our company's portal, we can then set a link which directs to the application portal. Users can then install optional software from there.
    My current config works: http://applicationportal.ourcompany.com/ goes to the SCCM server, but not to the URL below.
    That would be http://applicationportal.ourcompany.com/CMApplicationCatalog/#/SoftwareLibrary/AppListPageView.xaml
    How can I make sure the application portal shows up when this link is opened?

    It sounds like you want to perform a URL rewrite?
    http://www.iis.net/learn/extensions/url-rewrite-module/creating-rewrite-rules-for-the-url-rewrite-module
    You should test this to see if it's what you want - I may have misunderstood your question.
    Also, I wouldn't host this module on your AppCatalog server; I'd host the rewrite module elsewhere.
    Don
    (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable. This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

  • What version of Acrobat is required for a CS4 ACE Design Master?

    Hi folks, I haven't found this answer anyplace else, so could someone tell me: does the ACE Design Master CS4 certification call for Acrobat X or Acrobat 9? Or is either one accepted?
    Thanks!

    I'm imagining the current version of the application Acrobat, which would be Acrobat X. That's what the Certification pages on the website seem to indicate. I poked around looking, but couldn't find contact information there.
    http://www.adobe.com/support/certification/ace.html
    In truth, you should probably get certified in CS5 since the applications are already at CS5.5

  • Two-tier ACE config question

    Hi,
    I am an ACE newbie - I have a two-tier ACE setup and I am basically trying to get the front-end ACE to divert to a sorry page if the back-end servers hanging off the back-end ACE do not reply to their probes.
    I have the following setup...
    Internet
    |
    DMZ ACE (doing SSL termination)
    |
    Reverse Proxy Server farm
    |
    Corporate LAN ACE
    |
    Application Server farm
    The DMZ ACE is probing the rev proxy farm on TCP 2000 - and using sticky cookie insertion.
    The corporate LAN ACE is probing the app server farm on TCP 2000 - and using sticky cookie insertion.
    If the application server farm becomes unavailable, I would like the DMZ ACE to detect this and then redirect the clients to a 'service unavailable' page hosted on the reverse proxy servers.
    My thought so far is the following...
    DMZ ACE
    rserver Rev_proxy1
    rserver Rev_proxy2
    probe icmp probe_icmp
    ip address <App_Server_VIP>
    serverfarm Rev_proxy_farm
    probe probe_icmp
    probe probe_tcp_2000
    rserver Rev_proxy1, Rev_proxy2
    So the above Rev_proxy_farm availability is tied to the appearance of the app server VIP due to the directed ICMP probe to the corporate LAN ACE VIP - the VIP will disappear if the app server farm does not respond to its TCP probe.
    I am then not sure how to redirect the HTTP request to the reverse proxy server, seeing as these have already been flagged unavailable.
    Should I then follow 'Configuring a Sorry Server Farm' as per http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1049254 to divert the connections from Reverse_proxy:2000 to Reverse_proxy:3000 (which serves the service unavailable page)?
    Any advice on whether this is the best way to go would be much appreciated.
    Cheers,
    Al

    You need to create a redirect host and serverfarm and use this serverfarm as a backup serverfarm for your main serverfarm.
    I'm not sure that the ICMP ping will work,
    because the ping will be sent to the destination IP address of the VIP, but the destination MAC address will be the rev-proxy where you configured the probe.
    Give it a try.
    Gilles.

  • ACE Ft config sync question during primary ACE blade replacement

    I am replacing my primary ACE blade and am wondering, when I reconfigure the admin context with the FT groups, will I have any issues syncing the secondary back to the primary? I don't want to run the risk of a blank config from the new primary blade being pushed to the secondary.
    Any help is appreciated.
    thanks

    Treat the current as primary and put the new module in as a secondary (by applying low priority values for the FT VLANs) and disable preemption.
    Complete steps will be...
    Before putting the new module in, configure the standby (which should be acting as master -- since the primary is out) module with the "no preempt" option on each FT VLAN.
    Now with the new module:
    1. Bring the new ACE module online and upgrade it to the same software as is running on the temp master.
    2. Define all of your resource-maps and FT VLANs.
    3. Add "no preempt", set a lower "priority" than is defined on the peer (temp master).
    4. Install any SSL certificates.
    5. Define your context (repeating the same for SSL certs if necessary).
    6. Add the command "ft auto-sync" to your Admin context.
    7. Once the configuration has synced (by confirming the FT status is now "FSM_FT_STATE_STANDBY_HOT"), you're ready to perform the FT switchover.
    8. In your Admin context, change the peer priority to be lower than the new master for each FT group, then issue the command "ft switchover X", replacing X with each FT group, beginning in the Admin context, then doing the same in your other context.
    Thanks
    Syed

  • Basic ACE Design Question

    Hi All,
    In the network layout below, does the ACE need to be set up in routed mode to work? Can it also be set up in bridged mode in this scenario?
    Network Cloud <--> Firewall <--> ACE <--> Router <--> Server Farm.
    Any references would also be greatly appreciated.
    Thanks in advance.
    HH

    You only need the servers adjacent if you do transparent load balancing, which means you do not NAT the virtual IP to the server IP.
    Instead the servers are configured with a loopback IP address the same as the VIP on the load balancer.
    You can always bridge between 2 VLANs and this is possible in your case.
    However, I don't see the need to insert a router between the ACE module and the servers.
    Can't you have the ACE module inserted between the router and the servers?
    Or get rid of the router and have the servers directly connected to the ACE VLAN and use the firewall as gateway?
    Gilles.

  • Transparent ACE Design

    Hi,
    I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html
    My topology will be routed access with transparent contexts, so:
    client -> MSFC -> Trans FWSM -> Trans ACE -> VRF -> Rserver subnets A & B.
    I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reachability.
    My questions are:
    1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
    2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
    3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
    4) likewise for LB traffic that hits the VIP, how is it forwarded?
    5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, e.g. is this a supported config?
    Thanks in advance!
    Lee.

    Hi Lee,
    Let me reply inline:
    1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
    Yes, you can use any subnet; of course you must have a route to reach the rservers.
    2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
    It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.
    3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
    Either static routes or a gateway.
    4) likewise for LB traffic that hits the VIP, how is it forwarded?
    Normally it uses the client IP as source and the destination IP of the rserver if you are not NATing. Not sure if this answers your question.
    5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, e.g. is this a supported config?
    Yes it is.
    Hope this helps,
    /dom

  • ACE design issue

    Hi,
    My question is about design.
    At the left side, the server and the ACE VLAN interfaces are directly connected to the same VLAN. VIP traffic flow is green, server management is brown.
    The problem is that with this design I'm restricted to one server VLAN per context, because the server gateway is the ACE and the ACE gateway is the server VLAN interface at the core.
    When the VIP is used, traffic flow is:
    1) World is routed to the VIP-VLAN interface on the core
    2) Core sends traffic to the VIP
    3) ACE sends traffic to the server through the server-VLAN interface
    4) Server sends back to the ACE
    5) ACE sends back to the core through the VIP VLAN
    6) Core sends traffic to the world, everything is fine
    Now our server admins want to administrate from different locations:
    Without adding host routes to the core:
    1) Admin tries to connect to the server
    2) World is routed to the server-VLAN interface on the core
    3) Core sends traffic to the server
    4) Server sends traffic to the default GW (ACE)
    5) ACE drops traffic due to seeing traffic in only one direction, saying no matching session
    To do: add a host route into the core to force the traffic to use the ACE for every single server.
    With adding host routes to the core:
    1) Admin tries to connect to the server
    2) World is routed to the server-VLAN interface on the core
    3) Core sends traffic to the ACE server-VLAN interface, due to the host route
    4) ACE sends to the server
    5) Server sends traffic to the default GW (ACE)
    6) ACE to the core via the server-VLAN interface (default route), core to the world and everything is fine
    Now it's impossible to add another server-VLAN interface to the ACE, because the destinations are all the same (world) and the gateway on the ACE has to be the VLAN routing instance, the core.
    So I have a default route to one server-VLAN interface on the core and all traffic passing the ACE uses this GW. The result is that the traffic is blocked by our firewall.
    My plan is now to implement a transit VLAN (shown on the right side of my pic) to make my job easier (no host routes, no server admin needed (!) to change gateways.....) and overcome the different kinds of problems.
    My question is now:
    Is it ensured that the ACE will see all its traffic?
    I think all should be fine, because the traffic path is unique.
    Thanks for reading ^^ and for posting some opinions.
    Regards from Germany

    If I understand correctly, the servers would not be directly connected to the ACE anymore.
    Their gateway would not be the ACE anymore.
    The problem with this is to guarantee that the server response to a *world* request goes back to the ACE.
    Without any specific action/config, this won't happen.
    The server will forward its response to its gateway, which will send it directly to the outside world, bypassing the ACE and creating the same asymmetry you're trying to solve.
    To solve this, you will need to do source NATing on the ACE.
    But then your servers will lose information about the client source IP address (no more stats based on that info).
    Unless you configure header insert and modify the server to read that info in each request.
    As you can see this is not quite easy.
    You could try bridge mode.
    Create another VLAN, and bridge it (BVI) with the existing server VLAN.
    Keep the servers in their original VLAN and connect the gateway to the new VLAN (without changing IP addresses).
    ACE will then be in the middle of GW and ACE.
    Gilles.

  • Design , Config, NWDS and Flow of messages in SAP PO 7.31

    Hello Experts,
    I am assigned to a File -> SAP PO 7.31 -> ABAP Proxy scenario. I never worked on SAP PO and searched to find the related stuff but nothing really helped me.
    I am just perplexed to start from an unseen boundary. Hope to receive some support from the experts.
    1. Where to create DT, MT, SI and other design objects? Should it be in NWDS or in the Swing UI?
    2. What about the config objects?
    3. Any sample scenario tutorials so that they can give some inputs?
    4. Just then, what's the flow of messages in SAP PO...
    5. Any real-time questions which can hit my continuous stream of queries.
    Thanks
    Rebecca

    Hello,
    1. Where to create DT, MT, SI and other design objects? Should it be in NWDS or in the Swing UI?
    >> It hardly matters which UI you are using to create ESR objects, because functionality-wise both provide the same features (in case your version is >= 7.31 SP06), so you can use either one of them. Personally speaking, I have been working on PO for the last 2 years and am still using the Swing UI to create ESR objects, but having said so, it's better to get acquainted with the new tool as well.
    2. What about the config objects?
    >> For ID objects, it's advisable to create iFlows. Just search SDN and you will get tons of blogs on the same.
    4. Just then, what's the flow of messages in SAP PO...
    >> In PO (I believe you are using the single-stack version), the message executes and passes through the AEX. Check this for more details, but in case you have any specific doubts you can post your questions here:
    https://help.sap.com/saphelp_nw73ehp1/helpdata/en/31/57765aef5042028eda03f2833aedd1/content.htm
    5. Any real-time questions which can hit my continuous stream of queries.
    >> Your scenario looks straightforward; just make sure you have created destinations on PI and ECC to enable proxy connectivity.
    Thanks
    Amit Srivastava

  • ACE design and RHI

    Hi guys!
    I'm doing a redundant ACE module installation (using a 7600) and I came up with some design questions.
    From the configuration guides, you configure a VLAN X for clients (where the traffic to be balanced arrives), and VLAN Y for servers (where the real servers are). In all the examples I've seen, the VIP address is from the client VLAN subnet; from that I wonder:
    1.- Is this the only way to do this? The 7600 supervisor knows where the VIP is because it has a BVI in that same VLAN X, so it's directly connected. For the 7600 to reach the real server subnet, it would need a static route pointing to the ACE IP address, right?
    2.- In that scenario (VIP living in the client VLAN X), RHI is not necessary, right? But when the VIP is not available? What would happen then? You still need RHI so there is a "dynamic" host route for the VIP?
    3.- Then in what situations would RHI be needed? I've read that you need RHI when you don't have the Supervisor and the ACE directly connected, but I don't quite get this; can someone clarify?
    4.- Can the VIP be a member of a different subnet? For example, can it be a member of the server VLAN Y? Or a completely different VLAN Z? What would be the necessary changes?
    Thanks a lot for your time guys, any help is greatly appreciated.
    Omar M.

    RHI is mainly used for inter-site redundancy: instead of relying on DNS for your VIP HA, you rely on routing by announcing a /32 route in your OSPF backbone.
    1 - Yes.
    2 - It depends on the way you want to ensure inter-site HA.
    3 - The purpose is only to send a /32 route from multiple ACE clusters or sites. When your whole cluster or datacenter is down, the routing topology is built again pointing the same IP address to the new site (by playing on the OSPF cost) without any problem of a dead DNS A record in the client cache.
    4 - No problem. You can even do it manually with a conditional host route defined on the upstream router (conditioned on an IP SLA sensor) redistributed into your OSPF process.
