ACE in one-arm model. VIP on Client Side, servers in other vlan

Similar Messages

• ACE 4700 one-arm design with SSL termination

  Hi,
  We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
  1. Are there any limitations in the one-arm design and the SSL offloading
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  I would appreciate if you can share some sample configs
  Regards,
  George Georgiou

  There are two ways to implement One Arm topology.
  1. One Arm with PBR & 2.One Arm with SRC NAT
  PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
  1. Are there any limitations in the one-arm design and the SSL offloading
  The limitations/config issues I can think of are following
  One ARM with PBR:
  Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
  One ARM with SRC NAT:
  You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  Yes you can do that but wouldnt it make it routed mode topology?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
  Details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
  HTH
  Syed Iftekhar Ahmed

• ACE 4710 one-arm L4 load balancing removes accept-encoding?

  We have built a simple one-arm PAT config to round robin load balance two Varnish servers. In the "Default L7 load-balancing action" we have left compression to "N/A". It looks like the ACE removes "Accept-Encoding: gzip, deflate" from the client header.
  Is this normal behaviour? We would like the Varnish to do the compression. Do we need modify the headers to get this through the ACE?

  Hi,
  Yes this does seem to be the behavior. Please read below:
  HTTP compression is a capability built into web servers and web browsers to improve site performance by reducing the amount of time required to transfer data between the server and the client. Performing compression on the ACE offloads that work from the server, thereby freeing up the server to provide other services to clients and helping to maintain fast server response times.
  When you enable HTTP compression on the ACE, the appliance overwrites the client request with "Accept-Encoding identity" and turns off compression on the server-side connection. HTTP compression reduces the bandwidth associated with a web content transfer from the ACE to the client.
  So ACE rewrites the ACCEPT-ENCODING header to IDENTITY to indicate to the server that it should not compress the return data. That would be done by ACE.
  Also, default method is used when client comes with both gzip or deflate for "ACCEPT ENCODING". For compression to work, a client must send a request with an ACCEPT-ENCODING method of gzip or deflate. If a client sends both methods, then the ACE uses the configured method(default method).
  Also, you can see if ACE is compressing the packets or in "show service-policy detail.
  switch/Admin#
  show service-policy L7_COMP_SLB_POLICY detail
  Status     : ACTIVE
  Description: -----------------------------------------
  Interface: vlan 1 108
    service-policy: L7_COMP_SLB_POLICY
      class: vip
       VIP Address:    Protocol:  Port:
       2.0.5.1         tcp        eq    80
        loadbalance:
          L7 loadbalance policy: pm
          VIP ICMP Reply       : ENABLED
          VIP state: OUTOFSERVICE
          Persistence Rebalance: ENABLED
          curr conns       : 0         , hit count        : 0
          dropped conns    : 0
          client pkt count : 0         , client byte count: 0
          server pkt count : 0         , server byte count: 0
          conn-rate-limit      : 0         , drop-count : 0
          bandwidth-rate-limit : 0         , drop-count : 0
          L7 Loadbalance policy : pm
            class/match : h
              ssl-proxy client : c
              LB action :
                 primary serverfarm: sf1
                      state: DOWN
                  backup serverfarm : -
              hit count        : 0
              dropped conns    : 0
              compression      : on  <------------------------------ Compression is enabled if the value is "on"
  compression  bytes_in  : 0       bytes_out : 0  <--- Number of bytes transmitted after compressing the server response
  Compression ratio : 0.00%  <------------------------------ Percentage of data compressed
  Gzip: 0               Deflate: 0  <--------------- Number of times the method is used
  compression errors:                                     _
  User-Agent  : 0               Accept-Encoding    : 0   |
  Content size: 0               Content type       : 0   |
  Not HTTP 1.1: 0               HTTP response error: 0   |-- Check these error counters to see if they are increasing
  Let me know if you have any questions.
  Regards,
  Kanwal

• Probe fail on Standby ACE in One-armed mode

  Hi there
  I'm Kilsoo.
  I made One-armed mode using ACE.
  Real servers are in away Vlan from ACE.
  So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
  And, the probe from active ACE works well.
  But, the probe from standby ACE was fail.
  At this point, my first question
  Is it normal situation that the probe fail from standby ACE????
  So, I made the route-map for PBR like below for temporary solution.
  route-map deny PBR 5
  match ip address Probe_ACL
  route-map permit PBR 10
  match ip address L4_ACL
    set ip next-hop <Alias IP address>
  ip access-list extended Probe_ACL
    pemit ip any <Standby ACE's IP address>
  ip access-list extended L4_ACL
  permit tcp <Real server's IP address> eq 80 any
  Second question...
  Do you have any other good solutions???
  Thanks

  Hi Cesar
  Thanks for your reply.
  But I think I was confuse when I wrote the message.
  I used both ace's vlan ip address for next-hop ip address like your advice.
  Do you know the standby ace can't check probe without route-map in one-armed mode like below diagram???
  Backbone Router
           |
           |
           |
  Supervisor --------------------ACE(vserver: 172.19.100.100)
           |         (vlan 200)
           |
           |
           |(vlan 110)
           |
           |
  Real servers
  (172.19.110.111)

• ACE30 - PING to VIP and Client side SVI not working

  Hi Guys,
  Having setup the ACE30 based on the configuration guides, I've been able to get basic load balancing working, probes, stickness etc.  However in testing connectivty, I've noticed that from the real server on the backend I cannot seem to PING:
  1. The VIP for the web service that the server is a part of
  2. The Client side SVI
  I'd like this to work to ensure full connectivity.
  I've applied ACLs to the Client side SVI (on the ACE) to allow this in both directions, and also removed any ACLs attached to the client side SVI on the MSFC where the subnet is actually homed.  However I just cannot seem to PING the Client side SVI on the ACE, or the VIP.  Trying to understand if this is normal behavior.
  Have inserted my config below for completeness.
  ACE30 Config
  login timeout 60
  hostname ACE1
  boot system image:c6ace-t1k9-mz.A90_6_3_5.bin
  boot system image:c6ace-t1k9-mz.A4_1_0.bin
  resource-class RC_1
    limit-resource all minimum 10.00 maximum unlimited
  access-list all line 8 extended permit ip any any
  access-list v6-any line 8 extended permit ip anyv6 anyv6
  class-map type management match-any REMOTE_ACCESS
    description Remote access traffic match
    2 match protocol telnet any
    3 match protocol ssh any
    4 match protocol icmp any
    5 match protocol https any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
      permit
  interface vlan 768
    description Management connectivity
    ip address 10.20.40.72 255.255.255.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.20.40.254
  context VC_1
    allocate-interface vlan 11
    allocate-interface vlan 186
    member RC_1
  username admin password 5 $1$STizNv5q$i96.Qrt4C4SfHkbLyVT74.  role Admin domain default-domain
  username www password 5 $1$ZAn8bOtv$xmmNlH8akF6iYfXdQCKMo1  role Admin domain default-domain
  ssh key rsa1 1024 force
  ! VC_1
  ACE1/VC_1# sh run
  probe http HTTP_PROBE1
    interval 15
    passdetect interval 60
    expect status 200 200
    open 1
  rserver host RS_MONASH_WEB1
    description Test Monash Web Server 1
    ip address 10.194.27.177
    inservice
  serverfarm host SF_MONASH_WEB
    probe HTTP_PROBE1
    rserver RS_MONASH_WEB1 80
      inservice
  sticky ip-netmask 255.255.255.255 address source STICKY_MONASH_WEB
    timeout 3600
    serverfarm SF_MONASH_WEB
  class-map type management match-any REMOTE_ACCESS
    description Remote access traffic match
    2 match protocol ssh any
    3 match protocol telnet any
    4 match protocol icmp any
    5 match protocol https any
  class-map match-all VS_MONASH_WEB
    2 match virtual-address 10.194.11.1 tcp eq www
  access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit ip any any
  access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit icmp any any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
      permit
  policy-map type loadbalance first-match PM_MONASH_WEB_LB
    class class-default
      sticky-serverfarm STICKY_MONASH_WEB
  policy-map multi-match PM_MULTI_MATCH_CLIENT_VIP
    class VS_MONASH_WEB
      loadbalance vip inservice
      loadbalance policy PM_MONASH_WEB_LB
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  interface vlan 11
    description Client connectivity on Vlan 11
    ip address 10.194.11.250 255.255.255.0
    access-group input ALLOW_TRAFFIC_TOWARDS_ACE
    access-group out ALLOW_TRAFFIC_TOWARDS_ACE       ! not sure if this is required as well?
    service-policy input PM_MULTI_MATCH_CLIENT_VIP
    no shutdown
  interface vlan 186
    description CSM www monash
    ip address 10.194.27.189 255.255.255.240
    access-group input ALLOW_TRAFFIC_TOWARDS_ACE    ! not sure if this is required?
    access-group out ALLOW_TRAFFIC_TOWARDS_ACE      ! not sure if this is required?
    ip dhcp relay server 130.194.15.17
    ip dhcp relay server 130.194.15.1
    ip dhcp relay enable
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.194.11.254
  6500s
  ! test-clay1-gw - ACE connects to this 6500
  svclc multiple-vlan-interfaces
  svclc module 2 vlan-group 2
  svclc vlan-group 2  11,171-499,768
  ! test-clay0-gw - Where Client side subnet, VLAN11 is homed
  interface Vlan11
  description Testlab server subnet
  ip address 10.194.11.253 255.255.255.0
  no shut
  ip route 10.194.27.176 255.255.255.240 10.194.11.250
  thanks
  Sheldon

  To ping your VIP of the webserver, you should apple the service-policy input command on VLAN 186 too. Currently the VIP only listens on VLAN 11. For the SVI i think that was forbidden by security reason, but i cant remember anymore. Maybe you just need to put the management policy on the interface VLAN 186. If it dont work, then my first guess was right

• Headstart 6i installation - HTTP client side servers?

  We are performing the headstart 6i client side install and are confused as to the client software requirements.
  Is it necessary to install a HTTP listener on each client that is to be used for development. Or can we use the server based listener(Apache).
  The installation document specifies the installation of WEB DB as an option and indicates that this is shipped with Designer 6i, however this does not appear to be contained within the Designer 6i CD's
  Rgds, Pierre

  It is not necessary to install and configure a HTTP Listener/Forms Server installation on each (developer)client. Yet it can be useful in a number of cases, for instance when your application server is Unix based.
  WebDB itself is not shipped with Designer 6i, but when you install Des6i it will also install a Forms 6i runtime environment, and this will prompt you with a question whether you want to install a 'trial' version of Forms Server. The WebDB Listener service is a part of this Forms Server installation.
  Kind Regards,
  Peter
  null

• ACE inline VS one-armed based

  Hello Forum, ;-)
  I have 2 basic questions I am having doubts about it and would love to have some clarifications:
  1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below :
  ---- Context Microsoft ----
  ACE1/Microsoft# sh run
  interface vlan 503
     bridge-group 3
     access-group input NONIP
     access-group input ALL
     access-group output ALL
     service-policy input POLICY
     no shutdown
  interface vlan 1503
     bridge-group 3
     access-group input ALL
     access-group output ALL
     no shutdown
  interface bvi 3
     ip address 120.223.22.30 255.255.255.0
     no shutdown
  Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work:
  ---- Context Juniper----
  ACE1/Juniper(config)# int vlan 503
  Error: VLAN creation is not allowed, shared bridged VLAN exists in another context
  ACE1/Juniper(config)#
  It gives  ERROR!!
  So if I configure an interface as bridged in one Context, I cannot configure it in another context??
  2) If I want to migrate in context Microsoft from One-armed to inline (L-2 bridged), can I migrate one service at the time ( I.e. the config i showed above for context Microsoft, would it work also for one-armed based???)
  Thanks so much for your explanations!!
  Giulio.

  Hello Giulio-
  You can only share vlans in one-armed or routed modes.  Think of it this way:
    Interface vlan 10 and 11 are bridged on context C1. (bridged mode)
    Interface vlan 12 and 13 are configured on context C2. (routed mode)
    When you have routed mode, your server's gateway is configured to point to the ACE interface IP (or alias if you are have FT.) If a packet comes into the physical interface on the ACE, the processor has to decide which context it belongs to.  Since the mac address is the interface on context X, it knows instantly where it goes. It will either hit a VIP, or be routed via the routing table.
    If a packet arrived on vlan 12 or 13 and the MAC address did not belong to the ACE, it would drop the packet by basic routing rules. (think a client connected to a hub sees a packet destine to a MAC that is not its own, it drops/ignores the packet.) 
    In bridged mode, the gateway for your server is the router on the other side of the bridged vlan.  I.e., you server is on vlan 10, the gateway is on vlan 11 and ace is bridging them together.  When packets arrive to the physical interface, ACE knows the traffic arrived on vlan 10 or 11 which belongs to context C2. If the MAC address is not a VIP, ACE simply hucks the packet out of the other vlan.  If you send traffic to the interface MAC that does not belong to a VIP, ACE drops it because it would not make sense to send a packet out the other vlan that has a MAC address that belongs to the interface of the ACE itself.
    One-armed mode is simply routed mode with a single vlan and source NAT. Nothing special applies to how ACE handles the traffic versus routed mode with only a single vlan.
  Now imagine this:
    Interface vlan 10 and 11 are bridged on context C1.
    Interface vlan 11 and 12 are configured on context C2.
  Remember 3 things:
  a.) ACE conserves MAC addresses - so the VIPs share MAC addresses with the interface.
  b.) ACE will never communicate between 2 contexts directly.
  c.) If you are in a routed mode and share vlans between 2 contexts, ACE will make each vlan have a unique MAC address. If you create unique vlans on each context, ACE uses the same single MAC across all vlans for all contexts.
  With traffic that is destine to ACE's MAC address and the IP is a VIP,  its not a problem - ACE could figure out which context the traffic  belongs to (especially since vlan 11 would have unique mac addresses on each context.  However, what if ACE recieved a packet to the interface 10 and 12 MAC  address? How would it know if it belonged to the bridged or routed context if it was not a VIP IP? What about traffic that arrives that doesn't have the MAC of any of the interfaces?  2 different entirely behaviors would occur, ACE should drop the packet on the bridged context, and route the packet on the routed context.
    So the bottom line is - you can't determine which context a packet would need to apply to in all circumstances if you tried to share vlans in a bridge mode across multiple contexts.
  Regards,
  Chris Higgins

• 4710 in one-armed mode

  is it possible to preserve the clients originating IP address somewhere while using the 4710 in one armed mode?  I have a situation where the client source ip is needed, and I am deciding between one-armed mode and inline.  I'd like to use one-armed, so that only load balanced traffic traverses the load balancer, but I haven't seen an example where that can be done without  loosing the clients src address.

  Only thing I can think of is http header-insertion. Create an action-list, that inserts the original client src.ip/port into the http-header. The configuration is quite simple:
  action-list type modify http name
    header insert both Host header-value %is:%ps
  Then apply the action-list to your loadbalance policy-map.
  Take a look at the url below for futher information:
  http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1131842
  But that depends on your situation. If is the original client src.ip/port is expected in the L3/L4 header, this won't cut it. Is this for logging purposes or some form of packet filtering ?
  If you intend to run your ACE in one-arm mode, in my opponion, src.nat and header-insertion is your only option.
  hth
  /Ulrich

• What is Sharepoint client side object model ?

  What is Sharepoint client side object model ?

  The client-side object model (CSOM) provides client-side applications with access to a subset of the SharePoint Foundation server object model, including core objects such as site collections, sites, lists, and list items. As described in Data Access for
  Client Applications, the CSOM actually consists of three distinct APIs—the ECMAScript object model, the Silverlight client object model, and the .NET managed client object model—that target distinct client platforms. The ECMAScript object model and the Silverlight
  client object model provide a smaller subset of functionality. This is designed to enhance the user experience, because it minimize the time it takes Silverlight applications or JavaScript functions running in a Web page to load the files required for operation.
  The .NET managed client object model provides a larger subset of functionality for standalone client applications. However, these APIs provide a broadly similar developer experience and work in a similar way.
  You can write both managed client object model code and JavaScript Client Object model code in Visual Studio. As an example, you can create a console application having managed client object model code. Similarly, you may create a Visual Web Part and have
  JavaScript client object model code in it. The JavaScript client object model code can also be directly written inside the SharePoint Designer as well.
  Blog | SharePoint Learnings CodePlex Tools |
  Export Version History To Excel |
  Autocomplete Lookup Field

• Client side weblogic.management jar

  Hi,
  Could you help me with the following issue?
  I am writing a simple mgmt application that uses Weblogic's JMX APIs remotely
  via JNDI/RMI either from another VM on the same or another box (no firewall issues).
  All is fine except that the weblogic.management interfaces, stubs, and skeletons
  are all part of the huge weblogic.jar.
  Do you know where I can find a client side classes for weblogic.management? I
  noticed that the Weblogic 8.1 distribution comes with client side jars for other
  APIS (e.g. JMS, Web services, EJB etc.) but cannot find one for JMX.
  Thanks a lot for any insight on this,
  Piotr

  Hi Piotr,
  I do not believe there is a client side jar for wl management. This is
  being considered for our next release.
  Thanks,
  -satya
  Piotr Krychniak wrote:
  Hi,
  Could you help me with the following issue?
  I am writing a simple mgmt application that uses Weblogic's JMX APIs remotely
  via JNDI/RMI either from another VM on the same or another box (no firewall issues).
  All is fine except that the weblogic.management interfaces, stubs, and skeletons
  are all part of the huge weblogic.jar.
  Do you know where I can find a client side classes for weblogic.management? I
  noticed that the Weblogic 8.1 distribution comes with client side jars for other
  APIS (e.g. JMS, Web services, EJB etc.) but cannot find one for JMX.
  Thanks a lot for any insight on this,
  Piotr

• Selecting the treenode at client side

  Hi all,
  I am using JSF tree (Dynamic Tree) for my application.
  I have constructed a dynamic tree .Below which one button is there.
  Requirement is like this
  1)i have to select a node and some check image will sit on the node.
  Every time i click the node it hitting to the server.But I don't wan't it to be hitted the server every time.The selection of node should not refresh the page.Only after clicking the button it should move to next page.
  2)when i navigate back to this page the node which i have selected should be remained as selected (or checked).
  Whenever i return back to the tree page the tree is refreshing and no node is selected.
  Only single node has to be selected at a time.
  So plz suggest me how can i select the tree node client side how to make it remain selectd when we navigate back to tree page.
  regards
  Raghavendra Pattar
  Bangalore.
  India.

  Rajkumar G,
  I am not clear ... is this issue happening on only one PC and IS working on the server and other PC's?  Also ... are you getting an error or is the error you are getting this "Error We are sorry for the inconvenience at client side"?
  Eddy

• Cisco AQM 8.5 not recording : wav files are deleted from client side

  Daer Networkers,
  We do have Cisco AQM 8.5 SR2 ES1 installed with UCCX 8.5
  The issue is that when accessing the Web interface of AQM and try to look for calls, I can't find any one.
  When checking the client side, I can see that the call are being recorded : The FROM and TO files are there. But once the call is terminated, the wav file appear for some seconds and then it dissappears asi fi it's deleted.
  The wav files are not in the server too;
  I don't know what is the issue. Can you please help ?
  Thanks in advance.

  Hi,
  This issue was resolved by doing a repair to the QM Base services, then run postinstall as if it was run for the first once.
  The Proxy Gateway program was missing for some reason. After doing the repair the issue was resovled and calls are uploaded to the server.
  Now I am facing another issue !  : I can hear the client voice only. Agent's voice couln't be heard in the recorded files. As if the agent's voice is not recorded. Can you please advise ?

• Client-side Conversion using  NumberConverter and DateConverter

  Hi,
  In our application we have a custom input text component and we are using the same component to capture date, number, currency and string values .As we are using the same component to capture date/number/string values I can't add number/date converter to it.
  At run time I have to read the user entered values and need to convert them into date/ number /currency values. I am planning to use Client-side Converters to format the values.
  Please let me know how make use of NumberConverter and DateConverter in java script to convert the values at client side.
  Regards,
  Kiran

  Hi Gabrie,
  Thanks for your response.
  ADF is providing NumberConverter / DateConverter to convert date/number/currency values. Instead of writing my own custom converters can I use the framework provided converters to convert the values at client side?

• How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

  I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
  Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
  The Interfaces and Nat configs are:
  interface vlan 200
    description Server-Side-VLAN
    bridge-group 5
    nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
    service-policy input VIPS
  interface vlan 300
    description Client-Side-VLAN
    bridge-group 5
  interface bvi 5
    ip address 10.1.1.3 255.255.248.0
    description Client-Server-Virtual-Interface
  ip route 0.0.0.0 0.0.0.0 10.1.1.1
  and the policy map looks like this
  policy-map multi-match VIPS
    class Port80
      loadbalance vip inservice
      loadbalance policy Port80
      nat dynamic 5 vlan 200
  Resource assignment:
  sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
    timeout 5
    serverfarm Service80
  Any suggestions will be appreciated,
  Thanks

  Hi Kanwal,
  Thanks for your quick reply,
  I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
  The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
  But I'll try again tomorrow and let you know how it goes.
  Thank you again.

• Sniffer Trace on ACE w/VACLs and One-Arm Design

  Wow...that was a mouthful of a title!
  Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
  client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
  The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
  interface GigabitEthernet x/xx
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport capture
  switchport capture allowed vlan 3002
  no ip address
  no cdp enable
  Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
  bc

  This can be done by setting up a monitor session on the Sup, with the
  TenGig/1 as SPAN
  source, and a trunk port as SPAN destination.
  For example, if the ACE is in slot X, the configuration would be:
  monitor session 10 source interface TeX/1
  monitor session 10 destination interface Giy/z
  The configuration for this port would be:
  int giy/z
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  Syed Iftekhar Ahmed