ACE Module Routed design

Hi all,
I have a requirement to install 2 ACE Modules into two 6509 chassis.
We want to run the ACE modules in a live/live scenario so we can utilise the two ACE modules.
So we want to split the VIPs so we have some live on one ACE and others on the other.
Also the ACE modules will be set up in routed mode. We have a number of subnets we want to use on the client side - 3 to be exact, and there will be another 3 different subnets on the server side.
A few points which are confusing me:
For each subnet would I have to configure an SVI? And if so, you can only have 1 SVI per context, so that would mean creating a context and an SVI for each subnet?
Are there any example configs which could help me out?
Any help would be appreciated
Thanks
James

See the config example here:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
Normally you only need one client-side subnet per context, but multiple ones work too.
You'd create an SVI on MSFC for the client-side subnets only, otherwise server traffic would bypass the ACE.
Also keep in mind when you do active/active, it's done on the context level.
That means you need to create at least two contexts in addition to the Admin context. (although you can technically run things in /Admin)
Go through the example above, and the config guides below and you'll be all set:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

Similar Messages

  • ACE module routed mode

    Hi,
    I have a scenario where I have a pair of 6509 switches and I need to add an ACE module on both of them. All clients' default gateways are on internal 5580 ASAs, so there are no SVI interfaces on the 6509 switches; they are only doing layer 2 switching.
    I need to add an ACE module to the above setup, what's the ideal scenario in terms of routing without having to modify and add SVIs on the 6509?
    Regards

    http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/getting/started/guide/one_arm.pdf

  • Design ? about SNMP operation in ACE module ... Traps sent to different Mgmt Stations

    Good Day everyone,
    I searched the site, and I could not find the answer I was looking for, so If anyone happens to know or point me to a link I would greatly appreciate it.
    Topic:
    Can the ACE module send different Traps (OIDs) to different management stations? Split decision processing to send specific traffic to specific stations, based on the alert it has detected.
    Scenario:
    Our network equipment has a demarc point on what devices are managed via SNMP (Traps, syslog, EMS, etc...); Routers, Switches, ACE modules, and so forth.
    However, we are not responsible for the App Servers assigned to various broadcast domains.
    Customer would like to receive Notification from the ACE module when a Real Server is taken out of rotation, when specific probes have failed.
    My team manages the ACE module, so any alerts from the ACE will be sent to the management station configured in our network.
    Unfortunately I do not have a Test Lab to test my theory, so any help would be greatly appreciated before I submit my Production configs.
    Design Requirements:
    Customer would like the following traps generated and sent to their management station:
    1) Real Server host name
    2) TCP port
    3) Real Server IP address
    4) If capable, percentage threshold for each real server, based on the prediction configured for each Server Farm
    5) Can a NetIQ agent be downloaded on the ACE module to communicate with the NetIQ management station?
    As always thank you for any help you can provide, and if you happen to be around Huntsville Alabama/USA.. you got a cold beer waiting for you!!!!
    Cheers,
    -raman

    Gilles,
    Thank you for your prompt answer.
    When you have time please look over the following question and let me know if it is possible to implement, if the Proxy server is not an option?
    Can a custom TCL script be executed to send a notification via SMTP if a health probe fails?
    The SMTP message will contain the server info (IP address, Host name, TCP port).
    The script procedure will execute certain actions based on the returned result.
    Thanks,
    raman
    P.S
    Sorry about not being up to speed on TCL. I am reading up on the TCL capability, and trying to provide some options to my customer.

  • ACE module rservers multiple routed hops away

    Hi all, deploying an ACE module in a cat6k. Just want to figure out, can I add to a serverfarm rservers which are multiple routed hops away from the ACE or the cat6k in which it is deployed? Please look at the attached diagrams. I have my servers at two subnets, and I want to add all 5 servers to the same server farm and load balance between them.
    Is this possible, if any what are the caveats ?
    Thanks all

    Hi,
    You can do this, but you have to use client-NAT to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server.
    The following extract from a configuration shows the basic principle:
    rserver host master
      ip address 10.199.95.2
      inservice
    rserver host slave
      ip address 10.199.38.68
      inservice
    serverfarm host FARM-web2-Master
      description Serverfarm Master
      probe PROBE-web2
      rserver master
        inservice
    serverfarm host FARM-web2-Slave
      description Serverfarm Slave
      probe PROBE-web2
      rserver slave
        inservice
    class-map match-any L4VIPCLASS
      2 match virtual-address 10.199.80.12 tcp eq www
      3 match virtual-address 10.199.80.12 tcp eq https
    policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match LB-POLICY
      class class-default
        serverfarm FARM-web2-Master backup FARM-web2-Slave
    policy-map multi-match L4POLICY
      class L4VIPCLASS
        loadbalance vip inservice
        loadbalance policy LB-POLICY
        loadbalance vip icmp-reply active
        loadbalance vip advertise
        nat dynamic 1 vlan 384
    service-policy input L4POLICY
    interface vlan 383
      description ACE-web2-Clientside
      ip address 10.199.80.13 255.255.255.248
      alias 10.199.80.12 255.255.255.248
      peer ip address 10.199.80.14 255.255.255.248
      access-group input ACL-IN
      access-group output PERMIT-ALL
      no shutdown
    interface vlan 384
      description ACE-web2-Serverside
      ip address 10.199.80.18 255.255.255.240
      alias 10.199.80.17 255.255.255.240
      peer ip address 10.199.80.19 255.255.255.240
      access-group input PERMIT-ALL
      access-group output PERMIT-ALL
      nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.199.80.9
    ip route 10.199.95.2 255.255.255.255 10.199.80.21
    ip route 10.199.38.68 255.255.255.255 10.199.80.21
    HTH
    Cathy

  • ACE Load Balancing Design L2 Vs L3 Serverfarm

    Hi all,
    I have to understand in depth the good and bad points of an L2 topology (server farm directly connected to the ACE) versus an L3 server farm (of course latency may be just a bit higher and keepalives need to be tuned well).
    Do you have any experience with a remote server farm (at most 1 hop away)?
    PS: I'll use an ACE module with SUP720-10G and FWSM.
    tnx anyway
    Das

    Hi Das,
    Well, I've configured all my serverfarms as L3 farms, some of them multiple hops away. So far, latency has not been an issue, nor have I felt the need to fine-tune my probes or spend much time digging into server response time.
    I guess it all comes down to your infrastructure and your design scenario, but I would think that directly attached rservers mostly come in handy when deploying your ACE in bridge mode or when, for some reason, you cannot use client NAT to avoid any possible routing issue.
    hth
    /Ulrich

  • How to Virtual IP configuration in ACE module?

    Hi,
    I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
    I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
    Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
    Regards,
    Rachit.

    Hi Rachit,
    Here is a basic configuration example:
    access-list Allow_Access line 10 extended permit ip any any
    rserver host test
      ip address 10.198.16.98
      inservice
    rserver host test2
      ip address 10.198.16.93
      inservice
    serverfarm host test
      rserver test 80
        inservice
      rserver test2 80
        inservice
    sticky http-cookie test group2
      cookie insert
      serverfarm test
    class-map match-all VIP
      2 match virtual-address 10.198.16.122 tcp eq www
    policy-map type loadbalance first-match test
      class class-default
        sticky-serverfarm group2
    policy-map multi-match clients
      class VIP
        loadbalance vip inservice
        loadbalance policy test
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 112
    interface vlan 112
      ip address 10.198.16.91 255.255.255.192
      access-group input Allow_Access
      nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
      service-policy input NSS_MGMT
      service-policy input clients
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.198.16.65
    Here is the configuration guide:
    http://tools.cisco.com/squish/101AD
    Cesar R

  • Reuse of context in ACE module

    Hi all, just have a question about some reuse of resources in an ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my contexts.  The config is not complex and difficult, but I'm not sure if I can do this.
    The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
    Since I haven't decided the ip addresses to be used, they are just xx in the config below.
    The changes I want to implement are in bold.  Will this work for me?
    probe http WEBGUI_D2
      description Probe for http mot webgui
      interval 10
      passdetect interval 10
      passdetect count 1
      request method get url /D2/auth/login.aspx
      expect status 200 302
      header User-Agent header-value "IDENTITY"
    rserver host cwi003
      description content server logon
      ip address 10.163.22.27
      inservice
    rserver host cwi004
      description content server logon
      ip address 10.163.22.28
      inservice
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON_D2
      probe WEBGUI_D2
      rserver cwi003 80
        inservice
      rserver cwi004 80
        inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
      timeout 20
      replicate sticky
      serverfarm SF_LOGON_D2
      serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON_D2
      3 match virtual-address 10.163.22.13 any
    class-map match-all VS_LOGON2_D2
      3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB
      class class-default
        sticky-serverfarm STICKYGROUP1
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB
        nat dynamic 5 vlan 1240
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB
        nat dynamic 6 vlan 1240
    interface vlan 1240
      description Client_server
      ip address 10.163.22.11 255.255.255.0
      peer ip address 10.163.22.12 255.255.255.0
      access-group input INBOUND
      nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
      service-policy input PM_ONE_ARM_MULTI_MATCH
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.163.22.1
    BR
    Geir

    Thanks for your reply.
    Hope I understand you correctly.  This should be the config I need to paste into the existing context.
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
       timeout 20
       replicate sticky
       serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON2_D2
       3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB2
      class class-default
        sticky-serverfarm STICKYGROUP2
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB2
        nat dynamic 6 vlan 1240
    interface vlan 1240
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    Br
    Geir

  • Ace module dropping asymmetric layer 2 connections

    Hi, we had a situation where the ACE would randomly drop certain TCP connections, and all ICMP packets from a certain Windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one NIC connected to Access switch1, and the other NIC connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing if the server sends on NIC 2, core1 knows it came in on the downstream trunk port to Switch2; it must reply to these packets based on the teamed MAC of the layer 3 address (no idea who is ARPing for the destination - the ACE?), and send them back out the downstream trunk port to switch1.  The ACE module is in transparent mode.  When contacting a server on the other side of the ACE, the ACE drops packets that came from the second NIC - and I am wondering how it "knows" that the return path is out of a different downstream port.  Does it share some kind of layer 2 RPF check with the 6500?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE, the client should only be communicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • ACE in routed mode

    My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations?  Not just how-to scenarios.
    And the primary question that brings me here:
    I've got an ACE module in a 6500 chassis that's configured for routed mode.  For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers.  vIP VLAN is 12 and rserver VLAN is 101.  I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
    When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver.  The same if user devices are sending traffic to the App servers vIP.
    When a Web server tries to send over to the App servers vIP, I get no response.  In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101).  How do I get the Web server to send traffic loadbalanced across the App servers?
    Here's an example ACE config:
    access-list ALL line 8 extended permit ip any any
    probe tcp 5555
      port 5555
      interval 5
      passdetect interval 30
    probe http HTTP
      interval 5
      passdetect interval 30
      expect status 200 200
    rserver host APP01
      description App Server 1
      ip address 10.10.101.15
      probe 5555
      inservice
    rserver host APP02
      description App Server 2
      ip address 10.10.101.16
      probe 5555
      inservice
    rserver host WEB01
      description Web Server 1
      ip address 10.10.101.17
      probe HTTP
      inservice
    rserver host WEB02
      description Web Server 2
      ip address 10.10.101.18
      probe HTTP
      inservice
    serverfarm host APP-SERVERS
      predictor leastconns
      rserver APP01
        inservice
      rserver APP02
        inservice
    serverfarm host WEB-SERVERS
      predictor leastconns
      rserver WEB01
        inservice
      rserver WEB02
        inservice
    sticky ip-netmask 255.255.255.255 address both WEB-STICKY
      replicate sticky
      serverfarm WEB-SERVERS
    sticky ip-netmask 255.255.255.255 address both APP-STICKY
      replicate sticky
      serverfarm APP-SERVERS
    class-map match-any APP-VIP
      description App Servers VIP
      2 match virtual-address 10.10.12.21 tcp eq 5555
    class-map match-any WEB-VIP
      description Web Servers VIP
      2 match virtual-address 10.10.12.20 tcp eq https
      3 match virtual-address 10.10.12.20 tcp eq www
    policy-map type loadbalance first-match L7-APP-SERVERS
      class class-default
        sticky-serverfarm APP-STICKY
    policy-map type loadbalance first-match L7-WEB-SERVERS
      class class-default
        sticky-serverfarm WEB-STICKY
    policy-map multi-match L4-CONTEXT-A-VLAN
      class WEB-VIP
        loadbalance vip inservice
        loadbalance policy L7-WEB-SERVERS
        loadbalance vip icmp-reply
      class APP-VIP
        loadbalance vip inservice
        loadbalance policy L7-APP-SERVERS
        loadbalance vip icmp-reply
    interface vlan 12
      description ACE-CONTEXT-A-vIPs
      ip address 10.10.12.5 255.255.252.0
      alias 10.10.12.4 255.255.252.0
      peer ip address 10.10.12.6 255.255.252.0
      access-group input ALL
      service-policy input MGMT-ACCESS
      service-policy input L4-CONTEXT-A-VLAN
      no shutdown
    interface vlan 101
      description ACE-CONTEXT-A-SERVERS
      ip address 10.10.101.2 255.255.255.0
      alias 10.10.101.1 255.255.255.0
      peer ip address 10.10.101.3 255.255.255.0
      access-group input ALL
      no shutdown

    Hi Adam,
    You can check Gilles' DC t-shooting guides, which should give you a very good overview of packet processing on the ACE; you can also check
    the Cisco wiki site, where you find the scenarios plus a detailed explanation for traffic management.
    Now going back to your issue, your problem can be split in two parts.
    1. Web server not able to ping VLAN 101 ACE's SVI.
    ACE is a closed device, meaning that access to each interface/VLAN needs to be explicitly configured; you need to apply the management policy
    to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new
    one just for ICMP, that's up to you.
    2. Web servers not able to communicate with APP servers through VIP (vice versa).
    The problem here is that servers are trying to communicate through SVI 101, but no VIPs are applied to it, so the ACE will simply discard the packets
    for 10.10.12.20/10.10.12.21 on that interface. The servers have the ARP and everything to reach those VIPs, but the ACE has not been instructed to do
    load balancing for clients reaching it through VLAN 101.
    In order to do load balancing between APP & Web Servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
    Also, since your servers are all sitting in the same VLAN, you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
    I've attached a sample with NAT based on your config.
    HTH
    Pablo

  • Cisco Ace asymmetric routing - DNS traffic

    Hi,
    I am wondering if Ace supports asymmetric routing.
    In my setup Ace is connected to a router with two transit L3 interfaces. The interfaces on the router side belong to different VRFs (e.g. VRF-A & VRF-B). The router is running MPLS in order to connect to the internet border-gateway router and then to the internet.
    Now the issue is Ace got the default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on Ace) is advertised on the router in VRF-B.
    So the outbound traffic (DNS query) from servers to the internet takes the default route with next hop of the router's interface in VRF-A and inbound traffic (DNS response) comes back via MPLS using VRF-B. That is because the server's subnet is just advertised in VRF-B, so the remote internet border-gateway will see the server's subnet with the route-target applied to it in VRF-B.
    When I enabled reverse-path forwarding on the transit interface I could clearly see in the Ace logs that the DNS response is getting dropped on the Ace. I have even removed reverse-path forwarding (nothing in the logs - but the DNS response from the internet still can't reach the servers). I think logically it's still asymmetrical routing from Ace's point of view but not sure.
    Please can anyone confirm the solution to this issue. I am thinking if I advertise the server's subnet in VRF-A as well then it will be symmetrical routing but not 100% sure if it will fix it.
    So just wondering if there are any other options advisable ?
    Thanks

    Is it not possible to have a host route added to the destination server ? This would allow the traffic to be routed back the same way it came and thus the connection work ?
    Try adding a static route onto the destination server along the lines of ...
    route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
    This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
    That's just what I would do but I understand that it may not be the option you want.
    Good luck

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    Hi, I have the following config which seems to be working fine for me...  check your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Simple SLB with the ACE Module

    Hello,
    I have some problems with an ACE module I am currently testing.
    I have a simple Serverfarm with two Servers.
    But there seem to be some Problems with the Loadbalancing I don't understand:
    1) I use Round Robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, also different URLs.
    2) With the show serverfarm statement the total connects do not increment.
    switch/slb-c1# show serverfarm webfarm
    serverfarm : webfarm, type: HOST
    total rservers : 2
                                     ----------connections-----------
    real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------
    rserver: web1
       10.0.33.201:0          8      OPERATIONAL  0          0
    rserver: web2
       10.0.33.200:0          8      OPERATIONAL  0          0
    switch/slb-c1# show service-policy L4_LB_VIP
    Status : ACTIVE
    Interface: vlan 300
    service-policy: L4_LB_VIP
    class: L4_VIP_CLASS
    loadbalance:
    L7 loadbalance policy: L7_SLB_POLICY
    VIP Route Metric : 77
    VIP Route Advertise : DISABLED
    VIP ICMP Reply : ENABLED
    VIP State: INSERVICE
    curr conns : 0 , hit count : 15
    dropped conns : 0
    client pkt count : 10198 , client byte count: 420991
    server pkt count : 23367 , server byte count: 34915173
    I have attached the Config.
    Any Idea what is going on?

    what version do you have ?
    I would recommend running the very recent A1.4.
    This is something that really should work.
    Gilles.

  • ACE module FT

    Hi,
    I need to know if, for 2 ACEs to work in FT, the subnet needs to be the same or whether it can work on different subnets as well?
    Is it possible to connect two 6509s with an ACE each, connected through routes, not with VLANs (layer 3, not layer 2)?
    Also, can both ACEs be made functional to work in active/active?

    NO.
    You need to extend each VLAN going into one ACE module to its peer.
    Both ACE modules can be Active/Active only in multi-context mode. E.g. if you have four contexts C1, C2, C3, C4 then you can make C1 & C2 active on ACE1 and C3 & C4 active on ACE2.
    Syed Iftekhar Ahmed

  • Per-ServerFarm SNAT on ACE Module.

    Dear all,
    I have an ACE Module configured in Multiple Routed Contexts.
    My customer wants to configure some NAT feature that prevents the real server IP address from appearing outside the ACE. They want the only IP address outside the ACE to be the Virtual IP Address (VIP) that represents the serverfarm.
    Also, the customer wants different serverfarms to communicate with each other within the same VLAN.
    I was reading and the option that accomplishes both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
    Is this correct?
    The software version is A2(3,5).
    Thanks a lot!
    David

    Hi David
    Could you please clarify and maybe separate the tasks you have?
    As I understand you have such tasks for now:
    1) Don't show rserver IPs anywhere outside ACE
    2) Servers in the same VLAN should be able to communicate with a serverfarm which is located in the same VLAN via VIP
    The first task is a little bit unclear. I mean - actually you have the VIP outside of ACE and all outside clients communicate to the serverfarm via VIP and don't need to know rserver IPs (e.g. they can even be private and the VIP is public, if we're talking about the Internet).
    Or do you mean that rservers need to communicate with the outside world through ACE but you want to NAT these flows too?
    2) Yes, it's possible. For such a configuration you need to create a service policy with the same VIP and configuration as you have for the outside interface and put it on the inside interface. The one key difference is that you need to add a NAT statement, because return traffic should go to ACE, and as rservers and clients in this case are in the same VLAN, you need to use NAT.
    E.g.
    policy-map multi-match VIP_IN
      class MY-CLASS
        loadb vip ins
        loadb policy MY-L7Policy
        nat dynamic 1 vlan X    << - inside interface
    and then on the inside interface
    inter vlan X
      nat-pool 1 Y.Y.Y.Y Y.Y.Y.Y netmask 255.255.255.255 pat
    In this case it will work in this way: say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to the serverfarm through the VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and the VIP for this serverfarm is 8.8.8.8. When you configure it like I wrote above, this will happen:
    Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway; as you have a policy map on the inside interface which catches traffic to 8.8.8.8, ACE will catch it and process it. You have a SNAT statement there, so ACE will perform standard load balancing and replace the source IP with the NAT IP (say 10.0.0.100), thus when server #1, which gets this loadbalanced traffic, receives it, it will send return traffic to 10.0.0.100, thus to ACE.
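    As an added illustration of the point made here and in Pablo's reply above (example code, not from the thread): a small Python lint that parses an ACE context config and flags a VIP class applied on an interface whose own subnet contains its rservers while the class has no `nat dynamic`, which is the asymmetric-return condition both replies describe. The config is a constructed sample modelled on the routed-mode example in the thread; the policy name L4-SERVER-VLAN-NAT and the nat-pool address 10.10.101.250 are assumptions.

```python
# Added example (not from the thread): lint an ACE context for the pitfall described
# above.  A VIP policy applied on an interface whose own subnet holds the rservers it
# balances to needs 'nat dynamic' on that class; without it the rserver replies to the
# client directly and the return traffic bypasses the ACE.
import ipaddress

# Constructed sample modelled on the routed-mode config in the thread: one L4 policy
# applied on both the client VLAN 12 and the server VLAN 101.
TEMPLATE = """\
rserver host APP01
  ip address 10.10.101.15
rserver host APP02
  ip address 10.10.101.16
serverfarm host APP-SERVERS
  rserver APP01
  rserver APP02
policy-map type loadbalance first-match L7-APP-SERVERS
  class class-default
    serverfarm APP-SERVERS
policy-map multi-match L4-CONTEXT-A-VLAN
  class APP-VIP
    loadbalance policy L7-APP-SERVERS
interface vlan 12
  ip address 10.10.12.5 255.255.252.0
  service-policy input L4-CONTEXT-A-VLAN
interface vlan 101
  ip address 10.10.101.2 255.255.255.0
  service-policy input {server_vlan_policy}
"""
BROKEN_CONFIG = TEMPLATE.format(server_vlan_policy="L4-CONTEXT-A-VLAN")
# Remedy from the thread: a separate server-VLAN policy with client NAT
# (policy name and pool address 10.10.101.250 are constructed values).
FIXED_CONFIG = TEMPLATE.format(server_vlan_policy="L4-SERVER-VLAN-NAT") + """\
policy-map multi-match L4-SERVER-VLAN-NAT
  class APP-VIP
    loadbalance policy L7-APP-SERVERS
    nat dynamic 1 vlan 101
interface vlan 101
  nat-pool 1 10.10.101.250 10.10.101.250 netmask 255.255.255.0 pat
"""


def parse_ace(text):
    """Minimal indentation-driven parser for just the objects the check needs
    (sticky-serverfarm groups are not resolved)."""
    cfg = {"rserver": {}, "serverfarm": {}, "lb": {}, "mm": {}, "iface": {}}
    header, cls = None, None
    for raw in filter(str.strip, text.splitlines()):
        tok = raw.split()
        if header is None or not raw[0].isspace():   # a new top-level object starts here
            header, cls = tok, None
            continue
        kind = header[0]
        if kind == "rserver" and tok[:2] == ["ip", "address"]:
            cfg["rserver"][header[2]] = ipaddress.ip_address(tok[2])
        elif kind == "serverfarm" and tok[0] == "rserver":
            cfg["serverfarm"].setdefault(header[2], []).append(tok[1])
        elif kind == "policy-map" and tok[0] == "class":
            cls = tok[1]
        elif kind == "policy-map" and header[1] == "type":        # L7 loadbalance policy
            farms = cfg["lb"].setdefault(header[-1], {}).setdefault(cls, [])
            if tok[0] == "serverfarm":                            # 'serverfarm A backup B'
                farms += [t for t in tok[1:] if t != "backup"]
        elif kind == "policy-map" and header[1] == "multi-match":
            entry = cfg["mm"].setdefault(header[2], {}).setdefault(
                cls, {"lb_policy": None, "nat": False})
            if tok[:2] == ["loadbalance", "policy"]:
                entry["lb_policy"] = tok[2]
            elif tok[:2] == ["nat", "dynamic"]:
                entry["nat"] = True
        elif kind == "interface":
            iface = cfg["iface"].setdefault(" ".join(header[1:]), {"net": None, "policies": []})
            if tok[:2] == ["ip", "address"]:
                iface["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            elif tok[:2] == ["service-policy", "input"]:
                iface["policies"].append(tok[2])
    return cfg


def find_asymmetric_vips(text):
    """One finding per (interface, VIP class) that balances to rservers inside that
    interface's own subnet while the class has no 'nat dynamic'."""
    cfg = parse_ace(text)
    findings = []
    for ifname, iface in cfg["iface"].items():
        if iface["net"] is None:
            continue
        for pol in iface["policies"]:
            for cls, entry in cfg["mm"].get(pol, {}).items():
                if entry["nat"] or not entry["lb_policy"]:
                    continue
                farms = [f for refs in cfg["lb"].get(entry["lb_policy"], {}).values() for f in refs]
                local = sorted(rs for farm in farms for rs in cfg["serverfarm"].get(farm, [])
                               if rs in cfg["rserver"] and cfg["rserver"][rs] in iface["net"])
                if local:
                    findings.append({"interface": ifname, "class": cls, "rservers": local})
    return findings
```

Run against BROKEN_CONFIG the lint reports APP-VIP on `vlan 101` with APP01 and APP02; against FIXED_CONFIG it reports nothing, since the server-VLAN policy carries the NAT.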

  • MAC-Miss Rate on ACE module

    What exactly does the MAC-Miss rate mean on the ACE? And if we are running out of resources for it, should I worry?
    We have only implemented 1 production policy on the ACE module so far and we are already running out of resources for the mac-miss rate. All other resources look good.
    Is this OK? Or is something wrong here?
    Attached is the resource usage counters.
    Thanks,
    Ben

    When the ACE receives traffic for which it does not have an arp entry for either the source or destination, this is called a mac-miss and the fastpath agent needs to ask the slowpath agent to perform an arp request.
    This communication is rate-limited.
    With no mac entry for a src or dst, we drop the packet.
    So, you should increase the resource.
    Or review your design.
    It's best to have the clients coming through a gateway (ie: the MSFC) instead of directly accessing the ACE.
    This way only 1 mac entry is needed - the gateway.
    You'll see a counter like this
    switch/Admin# sho np 1 me-stats "-socm -v" | i mac
    Drop [mac lookup fail]: 4 0
    Gilles.
