ACE Module Radius with ACS 4.2
Hi,
I am able to authenticate to my ACE modules via RADIUS, but when I log in it does not give me Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
John...
You have to use a custom AV pair on the TACACS+ server under user setup to make it work. ACE uses RBAC (role-based access control), and for that you have to pass the context and user role from the TACACS+ server to ACE. If no RBAC info is pushed from the TACACS+ server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
The following steps (on the TACACS+ server) will make it work:
1. Select your user
2. Go to TACACS+ settings
3. Select the "Shell (exec)" checkbox
4. Select the "Custom attributes" checkbox
5. Type your context and role information in the custom attributes box, using the following format:
shell:<context>*<role> <domain>
For example (if the context name is Admin, the domain is default-domain and you want to assign the role "Admin" to this user):
shell:Admin*Admin default-domain
Hope it helps
Syed
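Added example (not code from the thread): a small parser for the shell:<context>*<role> <domain> value the answer above describes, useful for checking what the AAA server is actually pushing before blaming the ACE. The list of predefined roles comes from the ACE RBAC documentation rather than this thread, and the context/domain used for the no-attribute fallback are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Predefined ACE roles from the ACE RBAC documentation; the thread itself only
# names Admin and Network-Monitor. User-defined roles would have to be added.
PREDEFINED_ROLES = {
    "Admin", "Network-Admin", "Network-Monitor", "Security-Admin",
    "Server-Appln-Maintenance", "Server-Maintenance", "SLB-Admin", "SSL-Admin",
}
DEFAULT_ROLE = "Network-Monitor"  # assigned by ACE when no RBAC info is pushed

# shell:<context>*<role> <domain> [<domain> ...]
_AVPAIR = re.compile(
    r"^shell:(?P<context>[^*\s]+)\*(?P<role>\S+)(?P<domains>(?:\s+\S+)*)\s*$")


@dataclass(frozen=True)
class RbacGrant:
    context: str
    role: str
    domains: Tuple[str, ...]


def parse_shell_avpair(value: str) -> RbacGrant:
    """Parse one custom-attribute value such as 'shell:Admin*Admin default-domain'."""
    m = _AVPAIR.match(value.strip())
    if not m:
        raise ValueError("not an ACE shell AV pair: %r" % value)
    role = m.group("role")
    if role not in PREDEFINED_ROLES:
        raise ValueError("unknown ACE role %r" % role)
    domains = tuple(m.group("domains").split())
    if not domains:
        raise ValueError("at least one domain is required after the role")
    return RbacGrant(m.group("context"), role, domains)


def effective_grant(avpair: Optional[str]) -> RbacGrant:
    """Role ACE applies: the pushed grant, or Network-Monitor when nothing was pushed.

    The context and domain used for the fallback are assumptions for illustration.
    """
    if avpair is None:
        return RbacGrant("Admin", DEFAULT_ROLE, ("default-domain",))
    return parse_shell_avpair(avpair)


def explain_login(username: str, avpair: Optional[str]) -> str:
    """One-line summary of what a login will get, given the attribute the server sent."""
    g = effective_grant(avpair)
    source = "pushed by AAA server" if avpair else "ACE default, nothing pushed"
    return "%s -> context %s, role %s, domains %s (%s)" % (
        username, g.context, g.role, ",".join(g.domains), source)


if __name__ == "__main__":
    print(explain_login("john", "shell:Admin*Admin default-domain"))
    print(explain_login("john", None))
```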
Similar Messages
-
Can't auth to Nortels networks devices using RADIUS with ACS 5.1
Hi,
I've got a problem with ACS 5.1 RADIUS authentication for Nortel network devices (Baystack 470, ERS 5530 5510, Passport 8606).
After configuring RADIUS on these devices (primary server, secondary server, secret key, port...) and adding them to my ACS servers,
I can't manage to log in using RADIUS and I get the following message:
"Permission denied, please try again" or "No response from RADIUS server"(?) (depending on the device type)
But in my ACS View, I can see: "Authentication succeeded."
I've also checked the RADIUS frames, the "Access-Request" and "Access-Accept" are correctly transmitted.
I've got no problems with RADIUS auth using devices from other brands.
Are there any known issues with Nortel devices using Cisco ACS 5.1 with RADIUS authentication?
Regards.
Are you sure that setting up a compound condition will help?
To me, the RADIUS Nortel VSAs are used for authorization, and my problem is about authentication (usually for a simple authentication, we stay within the IETF RADIUS standards, no?)
Also, will setting this condition change the Access-Accept packets sent by the ACS to the device?
Here are my steps in the ACS View:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Default Network Access
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - Internal Users
24210 Looking up User in Internal Users IDStore - radius
24212 Found User in Internal Users IDStore
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - Permit Access
11002 Returned RADIUS Access-Accept
So I think the ACS does its job -
Hi
In the datasheet of the ACE module (ACE20-MOD-K9) there is the following promise:
Throughput
16 Gbps*, 8 Gbps*, and 4 Gbps
We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).
Are these 4Gbps bidirectional or unidirectional?
Is it 2Gbps in one direction and 2Gbps in the other direction?
Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
How can I measure the effective used bandwidth on the ACE module?
What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
How do I know that the ACE runs at its bandwidth limitation?
Any ideas?
Thanks
Patrik
Hi Patrik,
See my answers inline:
We have a base license, so I assume we have a throughput of 4Gbps (gigabits per second).Are these 4Gbps bidirectional or unidirectional?Is it 2Gbps in one direction and 2Gbps in the other direction?
It measures the total throughput going through the box. It includes both directions. Also take into account that, for any traffic through the ACE, the packets are seen twice (client to ACE and ACE to server), so the effective throughput is half of the licensed one.
Imagine we have just 1 host (A) before the ACE module and just 1 host (B) behind the ACE module. Can I transfer data from A to B (unidirectional) with 4Gbps? Assume the hosts are connected with 10Gbps to the network and use multiple flows!
You could get up to 2Gbps unidirectional. This traffic will go through the ACE twice, adding to the 4Gbps license
How can I measure the effective used bandwidth on the ACE module?
With the "show resource usage" command
What happens if host A tries to send data faster than 4Gbps? Does it deny single packets? Based on what? Does it deny additional sessions?
It will drop packets that go over the bandwidth without taking into account which connection they belong to
How do I know that the ACE runs at its bandwidth limitation?
Again, "show resource usage"
Regards
Daniel -
Does ACS for Windows 3.3 support AAA for the ACE module?
I don't think that is correct. I am still having issues with ACE and ACS. See below:
ACE version Software
loader: Version 0.95
system: Version A1(7b) [build 3.0(0)A1(7b)
Cisco ACS version 4.0.1
I am trying to authenticate admin users with AAA authentication for ACE management.
This is what I've done:
ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
warning: numeric key will not be encrypted
ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
ACE-lab/Admin(config-tacacs+)# server ?
TACACS+ server name
ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
can not find the TACACS+ server
specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
ACE-lab/Admin(config-tacacs+)# -
A problem with ACL in the class-map on the ACE module
Hi all,
I configured the following on the ACE module:
object-group network test
host 192.168.1.21
host 192.168.1.22
host 192.168.1.23
object-group service port
tcp eq www
tcp eq 8080
access-list T line 8 extended permit object-group port object-group test any
I tried to configure a class-map for matching this ACL:
ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
Error: Cannot associate acl having object-group ACEs in class-map.
So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or the normal behaviour? Because the customer uses object-groups in ACLs and he would have to configure an ACL without object-groups for the traffic classification. It is horrible.
Thank you
Roman
Hi Roman,
I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
Regards
Daniel -
Ace module in bridged mode with client nat
Could someone confirm whether NAT is supported for the ACE-20 module, please?
Let me explain the technical details.
I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
if the configuration below is correct. The ACE module should be configured in bridge mode with two
VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on the ACE is configured as "nat dynamic 1025 vlan 436" inside the corresponding
"policy-map type loadbalance".
Could you check the two parts of the configs and advise me whether the ACE config is
properly converted from CSM and will work in the same way (especially for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdown
Hello F.Makarenko-
You will want to use PAT while you do NAT, so change the nat-pool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
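Added example (not code from the thread or from Cisco): a small lint over an ACE configuration that flags the two problems the reply above points out, "nat dynamic" placed inside a "policy-map type loadbalance" instead of under a class of the multi-match policy-map, and a single-address nat-pool without "pat". The sample configs are constructed from the poster's ACE config, reduced to the relevant lines, and assume nested lines are indented as ACE prints them.

```python
import ipaddress
import re
from typing import List

_NAT_POOL = re.compile(
    r"^nat-pool\s+(?P<id>\d+)\s+(?P<first>\S+)\s+(?P<last>\S+)\s+netmask\s+\S+(?P<rest>.*)$")


def lint_ace_nat(config: str) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    policy = None  # (kind, name) of the policy-map block we are inside, if any
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        nested = raw[:1] in (" ", "\t")  # nested lines are indented in this sample
        if not nested:
            policy = None
            if line.startswith("policy-map "):
                kind = "loadbalance" if "type loadbalance" in line else (
                    "multi-match" if "multi-match" in line else "other")
                policy = (kind, line.split()[-1])
            continue
        if line.startswith("nat dynamic") and policy and policy[0] == "loadbalance":
            findings.append(
                "line %d: '%s' sits inside 'policy-map type loadbalance %s'; "
                "move it under the class in the multi-match policy-map"
                % (lineno, line, policy[1]))
        m = _NAT_POOL.match(line)
        if (m and ipaddress.ip_address(m.group("first")) == ipaddress.ip_address(m.group("last"))
                and "pat" not in m.group("rest").split()):
            findings.append(
                "line %d: nat-pool %s is a single address without 'pat'; without PAT "
                "it can translate only one client at a time" % (lineno, m.group("id")))
    return findings


# Constructed from the original poster's ACE config, reduced to the lines that matter.
ORIGINAL_CONFIG = """\
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  no shutdown
"""

# The same config with the two changes from the reply applied.
FIXED_CONFIG = """\
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    nat dynamic 1025 vlan 436
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
  no shutdown
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, lint_ace_nat(cfg) or ["ok"])
```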
Simple SLB with the ACE Module
Hello,
I have some problems with an ACE module I am currently testing.
I have a simple serverfarm with two servers.
But there seem to be some problems with the load balancing that I don't understand:
1) I use round robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, also different URLs.
2) With the show serverfarm statement the total connections do not increment.
switch/slb-c1# show serverfarm webfarm
serverfarm : webfarm, type: HOST
total rservers : 2
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: web1
10.0.33.201:0 8 OPERATIONAL 0 0
rserver: web2
10.0.33.200:0 8 OPERATIONAL 0 0
switch/slb-c1# show service-policy L4_LB_VIP
Status : ACTIVE
Interface: vlan 300
service-policy: L4_LB_VIP
class: L4_VIP_CLASS
loadbalance:
L7 loadbalance policy: L7_SLB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 15
dropped conns : 0
client pkt count : 10198 , client byte count: 420991
server pkt count : 23367 , server byte count: 34915173
I have attached the config.
Any idea what is going on?
What version do you have?
I would recommend running the very recent A1.4.
This is something that really should work.
Gilles. -
Monitoring the Cisco ACE module with SNMP
We use 2 redundant Cisco ACE loadbalancer in our datacenter
The models are ACE20-MOD-K9 with software A2(2.0)
Does anybody know how to monitor the environment (CPU, memory) of such a module with SNMP?
We were not able to find an applicable MIB for that module.
The CISCO-PROCESS-MIB.oid (ftp://ftp.cisco.com/pub/mibs/oid/CISCO-PROCESS-MIB.oid) does not seem to reflect the correct OIDs.
What are the correct OIDs for CPU and memory?
Where can I find detailed documentation for SNMP monitoring of the Cisco ACE module?
Thanks
Hi Patrik,
To monitor the ACE I use these two MIBs:
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SLB-MIB.my
ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
Example for CPU:
cpmCPUTotalEntry 1.3.6.1.4.1.9.9.109.1.1.1.1
The resource usage and other interesting things you will find with a MIB browser.
Achim -
Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP
Hello Dears,
I'm trying to implement Cache loadbalancing through Cisco ACE Module.
I have 2 Bluecoat cache proxies. When I configure a transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing the client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.
I'm afraid that I have a problem in the PBR for the returned traffic.
Can anyone help please.
Thanks
Hi Ibrahim,
I have reviewed the config. The ACE config is all good but I do see an issue with the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should match the client IP address. However, what you did is match the IP address between the ACE and MSFC. Try configuring the test client IP address into the access-list below.
msfc---vlan 265---ACE--vlan 264----CE farm
interface vlan 265
description Interface_With_MSFC_SUBS_2_INTERNET
ip address 168.168.1.52 255.255.255.248
access-group input PERMIT_ALL
service-policy input L3L4_PM
no shutdown
ip route 0.0.0.0 0.0.0.0 168.168.1.50
ip access-list extended HSDPA_2_CACHE
permit tcp 168.168.0.0 0.0.255.255 any eq www <<<-- wrong
ip access-list extended Internet_2_CACHE
permit tcp any eq www 168.168.0.0 0.0.255.255 <<<---wrong
interface Vlan 265
description Interface_With_ACE
ip address 168.168.1.50 255.255.255.248
route-map INTERNET_2_HSDPA permit 10
description "PBR for Response HTTP Traffic"
match ip address Internet_2_CACHE
set ip next-hop 168.168.1.52
route-map HSDPA_2_INTERNET permit 10
match ip address HSDPA_2_CACHE
set ip next-hop 168.168.1.52
regards
Andrew -
AIRONET 1260 with new radius cisco ACS 4.x
Hi, I have a new Cisco Aironet 1260.
I have Cisco ACS 5.1 RADIUS for VPN on an ASA and tried to configure an NDG on it for the Aironet 1260 too; it worked fine with IEEE 802.1X Cisco EAP-FAST authentication.
As I had some trouble letting users authenticate only on VPN if they are VPN users and only on the Cisco Aironet if they only need WiFi,
I tried exception policy rules but something is not working. VPN was ok but WiFi access was denied by the rule policy.
I decided to install Cisco ACS 4.x on Windows 2003, which is on the ACS 5 DVD.
I created an NDG as done on ACS 5, put in a shared secret, put it on the Aironet too as done for ACS 5, but I receive an error against ACS 4.x.
To troubleshoot it I tried
http://www.cisco.com/en/US/partner/tech/tk722/tk720/technologies_configuration_example09186a00807bf3c8.shtml
but it does not work! I think I have done everything fine; however, on ACS 5 it worked in 5 minutes.
I searched the logs inside ACS 4 and found "Invalid message authenticator in EAP request" and I found this:
https://supportforums.cisco.com/docs/DOC-3991
I changed the shared secret several times but it is still not working with ACS 4.
What's wrong?
I need to have a user and password prompt on the client trying to authenticate on the Aironet WiFi, and I need ACS internal users, no Active Directory, no LDAP, no external user database.
I have solved it.
-
APC (UPS) RADIUS authentication with ACS 5.X
I am trying to do RADIUS authentication for an APC (UPS) using the ACS 5.2 appliance. It is working fine with ACS 4.2, but unfortunately not with ACS 5.2. I tried creating RADIUS VSAs (Vendor-Specific Attributes) for APC in ACS 5.2.
According to the APC dictionary file:
VENDOR APC 318
# Attributes
ATTRIBUTE APC-Service-Type 1 integer APC
ATTRIBUTE APC-Outlets 2 string APC
VALUE APC-Service-Type Admin 1
VALUE APC-Service-Type Device 2
VALUE APC-Service-Type ReadOnly 3
# For devices with outlet users only
VALUE APC-Service-Type Outlet 4
I have added the attributes in blue (attached); how do I add the VALUEs (shown in red) in ACS 5.2? What else should I do to get this working?
The hit count on the ACS shows that it is getting authentication requests from the APC appliance.
Thanks in advance.
Hi,
I am working on the same issue and I managed to log in (using LDAP A/D backend authentication). When using the standard RADIUS attribute Service-Type (1 for read-only and 6 for admin) I managed to get this working. I am however trying to use the APC VSAs (as above) without any success. The objective is to have outlet management for specific users, admin or read-only for others. Did you manage to get this working and how?
./G -
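Added example (not code from the thread, APC or Cisco): how the APC-Service-Type VSA from the dictionary quoted above is laid out on the wire as a RADIUS Vendor-Specific attribute (type 26, RFC 2865), with an encoder and a decoder so a captured Access-Accept can be checked for the value the UPS expects. Vendor id 318 and the attribute numbers and values come from the dictionary in the post.

```python
import struct
from typing import List, Optional, Tuple

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type
APC_VENDOR_ID = 318              # VENDOR APC 318
APC_SERVICE_TYPE = 1             # ATTRIBUTE APC-Service-Type 1 integer
APC_OUTLETS = 2                  # ATTRIBUTE APC-Outlets 2 string
SERVICE_TYPE_VALUES = {"Admin": 1, "Device": 2, "ReadOnly": 3, "Outlet": 4}


def encode_apc_vsa(vendor_type: int, value) -> bytes:
    """Build one Vendor-Specific attribute: 26 | len | vendor-id(4) | vtype | vlen | data."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)          # RADIUS integers are 32-bit big-endian
    else:
        payload = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(payload)) + payload
    body = struct.pack("!I", APC_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsas(attrs: bytes) -> List[Tuple[int, int, bytes]]:
    """Walk a RADIUS attribute blob; return (vendor_id, vendor_type, raw_value) triples.

    Non-VSA attributes are skipped by their length; malformed lengths raise."""
    out = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while j + 2 <= i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute at offset %d" % j)
                out.append((vendor, vtype, attrs[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def apc_service_name(attrs: bytes) -> Optional[str]:
    """Name of the APC-Service-Type carried in the blob, or None if absent/unknown."""
    names = {v: k for k, v in SERVICE_TYPE_VALUES.items()}
    for vendor, vtype, raw in decode_vsas(attrs):
        if vendor == APC_VENDOR_ID and vtype == APC_SERVICE_TYPE and len(raw) == 4:
            return names.get(struct.unpack("!I", raw)[0])
    return None


if __name__ == "__main__":
    accept = encode_apc_vsa(APC_SERVICE_TYPE, SERVICE_TYPE_VALUES["Admin"])
    print(accept.hex(), "->", apc_service_name(accept))
```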
Issue with ACS 4 and AAA. Port scan shows no Radius but does show tacacs
To start, I am new to ACS, so if this is an easy issue to solve please forgive me. I am trying to get authentication working with ACS 4. I set up everything according to the instructions and when I try to test authentication with the VPN concentrator I get a "No active server found" error. I have tried using an internal user to start and I also have tried an AD account. If I port scan the ACS server I do not see it advertising port 1645, but I do see port 49 for TACACS and I also see ports 2000-2002. CSRadius is running.
Actually, to avoid any issues I made CSRadius listen on BOTH sets of ports :)
So unless that got changed without my knowing, it should be listening on 1645/6 and 1812/3
Darra -
LMS PRIME 4.2 integrating with ACS 4.2
Hello,
I would like to integrate the new LMS Prime 4.2 with ACS 4.2.
Is there a document or user guide for this version of LMS?
Thanks in advance.
Marwan
In LMS 4.2 there is nothing known as Integration (like in LMS 3.x), since it added the RBAC feature.
Now ACS can just be used as a PAM to have CiscoWorks authenticate via TACACS+ or RADIUS. After the auth is done, you should have an authorization set in LMS locally for the user, else it will be given the default HELP DESK access.
For more details check :
Authentication Using Login Modules - Overview
-Thanks -
Reuse of context in ACE module
Hi all, I just have a question about reusing resources in an ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my contexts. The config is not complex or difficult, but I'm not sure if I can do this.
The primary goal is to load balance 2 web servers with a new VIP, new serverfarm, sticky group, policy-map and a different nat-pool.
Since I haven't decided the ip addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold. Will this work for me?
probe http WEBGUI_D2
description Probe for http mot webgui
interval 10
passdetect interval 10
passdetect count 1
request method get url /D2/auth/login.aspx
expect status 200 302
header User-Agent header-value "IDENTITY"
rserver host cwi003
description content server logon
ip address 10.163.22.27
inservice
rserver host cwi004
description content server logon
ip address 10.163.22.28
inservice
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON_D2
probe WEBGUI_D2
rserver cwi003 80
inservice
rserver cwi004 80
inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
inservice
rserver cwi504 80
inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
timeout 20
replicate sticky
serverfarm SF_LOGON_D2
serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
class class-default
sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB
nat dynamic 5 vlan 1240
class VS_LOGON2_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB
nat dynamic 6 vlan 1240
interface vlan 1240
description Client_server
ip address 10.163.22.11 255.255.255.0
peer ip address 10.163.22.12 255.255.255.0
access-group input INBOUND
nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
service-policy input PM_ONE_ARM_MULTI_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
Geir
Thanks for your reply.
Hope I understand you correctly. This should be the config I need to paste into the existing context.
rserver host cwi503
description content server logon 2
ip address 10.163.22.23
inservice
rserver host cwi504
description content server logon 2
ip address 10.163.22.24
inservice
serverfarm host SF_LOGON2_D2
probe WEBGUI_D2
rserver cwi503 80
inservice
rserver cwi504 80
inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
timeout 20
replicate sticky
serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
class class-default
sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
class VS_LOGON2_D2
loadbalance vip inservice
loadbalance policy PM_ONE_ARM_LB2
nat dynamic 6 vlan 1240
interface vlan 1240
nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir -
ACE module - Qos - set ip tos #
All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy: mark traffic by using the "set ip tos <value>" command in policy/class configuration. Ok, so I do this, set ip tos 24.
I enabled QoS globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE),
but I never see the TOS value in any of my captures, either via NetFlow from the host 6500 or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 207147888661
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2663386
IP packets with COS changed by policing: 4889352
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I misunderstanding something?
Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially successful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no TOS value, full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings:
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening is that the conversations full of the P-acks are the load balancer communicating directly with the client (i.e. the LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the P-acks) on its way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas???
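Added example (not code from the thread): a check over tcpdump output in the format shown above that reports, per traffic direction, how many packets carry a TOS marking, which DSCP values appear, and the TCP flags of the packets that are unmarked. That is the comparison the poster made by eye between the unmarked push/ack flows and the marked data flow. The sample lines are taken from the captures in the post; the helper names are the author's own.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

# Classic tcpdump format: 'HH:MM:SS.usec src.port > dst.port: FLAGS ... [tos 0xNN]'
_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>\S+)\s*(?P<body>.*?)(?:\s*\[tos\s+(?P<tos>0x[0-9a-fA-F]+)\])?\s*$")


def parse_line(line: str) -> Optional[dict]:
    """Extract endpoints, TCP flags and TOS from one tcpdump line; None if it does not parse."""
    m = _LINE.match(line)
    if not m:
        return None
    tos = int(m.group("tos"), 16) if m.group("tos") else 0
    return {"src": m.group("src"), "dst": m.group("dst"), "flags": m.group("flags"),
            "tos": tos, "dscp": tos >> 2}  # DSCP is the top six bits of the TOS byte


def marking_report(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Per (src, dst) direction: packet count, marked count, DSCP values seen,
    and a tally of the TCP flags on packets that carried no marking."""
    report = defaultdict(lambda: {"packets": 0, "marked": 0, "dscp": set(),
                                  "unmarked_flags": Counter()})
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        r = report[(p["src"], p["dst"])]
        r["packets"] += 1
        if p["tos"]:
            r["marked"] += 1
            r["dscp"].add(p["dscp"])
        else:
            r["unmarked_flags"][p["flags"]] += 1
    return dict(report)


# Sample lines taken from the captures in the post.
SAMPLE_LINES = """\
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
""".splitlines()

if __name__ == "__main__":
    for direction, r in marking_report(SAMPLE_LINES).items():
        print("%s -> %s: %d packets, %d marked, dscp=%s, unmarked flags=%s" % (
            direction[0], direction[1], r["packets"], r["marked"],
            sorted(r["dscp"]), dict(r["unmarked_flags"])))
```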