ACE Module Routed design
Hi all,
I have a requirement to install 2 ACE Modules into two 6509 chassis.
We want to run the ACE modules in a live/live scenario so we can utilise the two ACE modules
So we want to split the VIPS so we have some live on one ACE and others on the other.
Also the ACE modules will be setup in routed mode. We have a number of subnets we want to use on the client side - 3 to be exact, and there will be another 3 different subnets on the server side
A few points which are confusing me
For each subnet would I have to configure an SVI? And if so, you can only have 1 SVI per context, so that would mean creating a context and an SVI for each subnet?
Are there any example configs which could help me out?
Any help would be appreciated
Thanks
James
See the config example here:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
Normally you only need one client-side subnet per context, but multiple ones work too.
You'd create an SVI on MSFC for the client-side subnets only, otherwise server traffic would bypass the ACE.
Also keep in mind when you do active/active, it's done on the context level.
That means you need to create at least two contexts in addition to the Admin context. (although you can technically run things in /Admin)
Go through the example above, and the config guides below and you'll be all set:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
Similar Messages
-
Hi,
I have a scenario where I have a pair of 6509 switches and I need to add an ACE module on both of them. All clients Default gateway are on internal 5580 ASAs so there are no SVI interfaces on the 6509 switches, it's only doing layer 2 switching.
I need to add an ACE module to the above setup, what's the ideal scenario in terms of routing without having to modify and add SVIs on the 6509?
Regards
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/getting/started/guide/one_arm.pdf -
Good Day everyone,
I searched the site, and I could not find the answer I was looking for, so If anyone happens to know or point me to a link I would greatly appreciate it.
Topic:
Can the ACE module send different Traps (oid) to different management stations? Split decision processing to send specific traffic to specific stations, based on the alert it has detected.
Scenario:
Our network equipments have a demarc point on what devices are managed via SNMP (Traps, syslog, EMS, etc...); Routers, Switches, ACE modules, and so forth.
However, we are not responsible for the App Servers assigned to various broadcast domains.
Customer would like to receive Notification from the ACE module when a Real Server is taken out of rotation , when specific probes have failed.
My team manages the ACE module, so any alerts from the ACE will be sent to the management station configured in our network.
Unfortunately I do not have a Test Lab to test my theory, so any help would be greatly appreciated before I submit my Production configs.
Design Requirements:
Customer would like the following traps generated and sent to their management station:
1) Real Server host name
2) TCP port
3) Real Server IP address
4) If capable, percentage threshold for each real server, based on the prediction configured for each Server Farm
5) Can a NetIQ agent be downloaded on the ACE module to communicate with the NetIQ management station?
As always thank you for any help you can provide, and if you happen to be around Huntsville Alabama/USA.. you got a cold beer waiting for you!!!!
Cheers,
-raman
Gilles,
Thank you for your prompt answer.
When you have time please look over the following question and let me know if it is possible to implement, if the Proxy server is not an option?
Can a Custom TCL script be executed to send a notification via SMTP if a health probe fails?
The SMTP message will contain the server info (IP address, Host name, TCP port).
The script procedure will execute certain actions based on the returned result.
Thanks,
raman
P.S
Sorry about not being up to speed on TCL. I am reading up on the TCL capability, and trying to provide some options to my customer. -
ACE module rservers multiple routed hops away
Hi all, deploying a ACE module in a cat6k. Just want to figure out, can I add to a serverfarm, rservers which are multiple routed hops away from the ACE or the cat6k in which it is deployed. please look at the attached diagrams. I have my servers at two subnets, and I want to add all 5 servers to the same server farm and load balance between them
Is this possible, if any what are the caveats ?
Thanks all
Hi,
You can do this, but you have to use client-NAT to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server.
The following extract from a configuration shows the basic principle:
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
serverfarm host FARM-web2-Master
  description Serverfarm Master
  probe PROBE-web2
  rserver master
    inservice
serverfarm host FARM-web2-Slave
  description Serverfarm Slave
  probe PROBE-web2
  rserver slave
    inservice
class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.80.12 tcp eq www
  3 match virtual-address 10.199.80.12 tcp eq https
policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
  class REMOTE-ACCESS
    permit
policy-map type loadbalance first-match LB-POLICY
  class class-default
    serverfarm FARM-web2-Master backup FARM-web2-Slave
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    nat dynamic 1 vlan 384
service-policy input L4POLICY
interface vlan 383
  description ACE-web2-Clientside
  ip address 10.199.80.13 255.255.255.248
  alias 10.199.80.12 255.255.255.248
  peer ip address 10.199.80.14 255.255.255.248
  access-group input ACL-IN
  access-group output PERMIT-ALL
  no shutdown
interface vlan 384
  description ACE-web2-Serverside
  ip address 10.199.80.18 255.255.255.240
  alias 10.199.80.17 255.255.255.240
  peer ip address 10.199.80.19 255.255.255.240
  access-group input PERMIT-ALL
  access-group output PERMIT-ALL
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
HTH
Cathy -
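The two requirements in the answer above (client NAT on the VIP class, and a route in the ACE context for every rserver that is not directly connected) can be checked mechanically before a config is applied. The Python below is an added example, not code from the thread or from Cisco; the sample config is constructed from the extract above, and `parse` and `audit` are hypothetical helper names.

```python
import ipaddress

# Constructed sample modelled on the extract above; the host route for
# "slave" is left out on purpose so the audit has something to report.
SAMPLE = """\
rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice
policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    nat dynamic 1 vlan 384
interface vlan 383
  ip address 10.199.80.13 255.255.255.248
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
"""

SECTION_STARTS = ("serverfarm", "class-map", "policy-map", "sticky", "probe")


def parse(text):
    """Collect rservers, interface subnets, NAT pools, routes and per-class NAT.

    Matches on keywords only, so a config whose indentation was lost parses too.
    """
    cfg = {"rservers": {}, "subnets": {}, "pools": set(), "routes": [], "nat": {}}
    ctx = name = cls = None
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if w[:2] == ["rserver", "host"] and len(w) == 3:
            ctx, name = "rserver", w[2]
        elif w[:2] == ["interface", "vlan"] and len(w) == 3:
            ctx, name = "if", int(w[2])
        elif w[:2] == ["policy-map", "multi-match"] and len(w) == 3:
            ctx, name, cls = "pmap", w[2], None
        elif w[:2] == ["ip", "route"] and len(w) == 5:
            net = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            cfg["routes"].append((net, w[4]))
            ctx = None
        elif w[0] in SECTION_STARTS and len(w) >= 3:
            ctx = None  # some other top-level section begins
        elif w[:2] == ["ip", "address"] and len(w) >= 3 and ctx == "rserver":
            cfg["rservers"][name] = ipaddress.ip_address(w[2])
        elif w[:2] == ["ip", "address"] and len(w) == 4 and ctx == "if":
            cfg["subnets"][name] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[0] == "nat-pool" and len(w) >= 2 and ctx == "if":
            cfg["pools"].add((int(w[1]), name))  # (pool id, vlan)
        elif w[0] == "class" and len(w) == 2 and ctx == "pmap":
            cls = w[1]
            cfg["nat"].setdefault(cls, None)
        elif w[:2] == ["nat", "dynamic"] and len(w) == 5 and ctx == "pmap" and cls:
            cfg["nat"][cls] = (int(w[2]), int(w[4]))  # (pool id, vlan)
    return cfg


def audit(cfg):
    """Return findings for remote rservers without a specific route or client NAT.

    Simplification: VIP classes are not traced to their serverfarms; if any
    rserver is remote, every class in a multi-match policy is checked for NAT.
    """
    findings = []
    remote = {n: ip for n, ip in cfg["rservers"].items()
              if not any(ip in net for net in cfg["subnets"].values())}
    for rs, ip in sorted(remote.items()):
        best = max((net.prefixlen for net, _hop in cfg["routes"] if ip in net),
                   default=None)
        if best is None:
            findings.append(f"rserver {rs} ({ip}): remote, no route at all")
        elif best == 0:
            findings.append(f"rserver {rs} ({ip}): remote, covered only by the default route")
    for cls, nat in sorted(cfg["nat"].items()) if remote else []:
        if nat is None:
            findings.append(f"class {cls}: no client NAT ('nat dynamic')")
        elif nat not in cfg["pools"]:
            findings.append(f"class {cls}: nat dynamic {nat[0]} vlan {nat[1]} "
                            f"has no nat-pool {nat[0]} on interface vlan {nat[1]}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse(SAMPLE)):
        print(finding)
```
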
ACE Load Balancing Design L2 Vs L3 Serverfarm
Hi all,
i have to understand in deep good and bad points of topology L2 (server farm L3 directly connected to ACE) and L3 server farm (of course latency maybe just a bit higher and keepalive to tune well).
have you any experience of remote server farm (maximum 1 hop away)?
PS: i'll use ACE module with SUP72010G and FWSM.
tnx anyway
Das
Hi Das,
Well, I've configured all my serverfarms as L3-farms, some of them multiple hops away. So far, latency has not been an issue, nor have I felt the need to finetune my probes or spend much time digging into server response time.
I guess it all comes down to your infrastructure and your design scenario, but I would think that directly attached rservers mostly come in handy when deploying your ACE in bridge mode or, for some reason, cannot use client NAT to avoid any possible routing issue.
hth
/Ulrich -
How to Virtual IP configuration in ACE module?
Hi,
I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
Regards,
Rachit.
Hi Rachit,
Here is a basic configuration example:
access-list Allow_Access line 10 extended permit ip any any
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
sticky http-cookie test group2
  cookie insert
  serverfarm test
class-map match-all VIP
  2 match virtual-address 10.198.16.122 tcp eq www
policy-map type loadbalance first-match test
  class class-default
    sticky-serverfarm group1
policy-map multi-match clients
  class VIP
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Here is the configuration guide:
http://tools.cisco.com/squish/101AD
Cesar R -
Reuse of context in ACE module
Hi all, just have a question about som reuse of resources in a ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my context. The config is not complex and difficult, but I'm not sure if I can do this.
The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
Since I haven't decided the ip addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold. Will this work for me?
probe http WEBGUI_D2
  description Probe for http mot webgui
  interval 10
  passdetect interval 10
  passdetect count 1
  request method get url /D2/auth/login.aspx
  expect status 200 302
  header User-Agent header-value "IDENTITY"
rserver host cwi003
  description content server logon
  ip address 10.163.22.27
  inservice
rserver host cwi004
  description content server logon
  ip address 10.163.22.28
  inservice
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON_D2
  probe WEBGUI_D2
  rserver cwi003 80
    inservice
  rserver cwi004 80
    inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 20
  replicate sticky
  serverfarm SF_LOGON_D2
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
  3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
    sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 1240
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 6 vlan 1240
interface vlan 1240
  description Client_server
  ip address 10.163.22.11 255.255.255.0
  peer ip address 10.163.22.12 255.255.255.0
  access-group input INBOUND
  nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
  service-policy input PM_ONE_ARM_MULTI_MATCH
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
Geir
Thanks for your reply.
Hope I understand you correctly. This should be the config I need to paste into the existing context.
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
  timeout 20
  replicate sticky
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
  class class-default
    sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB2
    nat dynamic 6 vlan 1240
interface vlan 1240
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir -
Ace module dropping asymmetric layer 2 connections
Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1. The ace module is in transparent mode. When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port. Does it share some kind of layer 2 RPF check with the 6500 ?
Please note there is no routing involved here. The destination server is just on another vlan on the same subnet, on the other side of the ace.
Bryan,
As long as the server replies back to the ACE the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations? Not just how-to scenarios.
And the primary question that brings me here:
I've got an ACE module in a 6500 chassis that's configured for routed mode. For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers. vIP VLAN is 12 and rserver VLAN is 101. I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver. The same if user devices are sending traffic to the App servers vIP.
When a Web server tries to send over to the App servers vIP, I get no response. In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101). How do I get the Web server to send traffic loadbalanced across the App servers?
Here's an example ACE config:
access-list ALL line 8 extended permit ip any any
probe tcp 5555
  port 5555
  interval 5
  passdetect interval 30
probe http HTTP
  interval 5
  passdetect interval 30
  expect status 200 200
rserver host APP01
  description App Server 1
  ip address 10.10.101.15
  probe 5555
  inservice
rserver host APP02
  description App Server 2
  ip address 10.10.101.16
  probe 5555
  inservice
rserver host WEB01
  description Web Server 1
  ip address 10.10.101.17
  probe HTTP
  inservice
rserver host WEB02
  description Web Server 2
  ip address 10.10.101.18
  probe HTTP
  inservice
serverfarm host APP-SERVERS
  predictor leastconns
  rserver APP01
    inservice
  rserver APP02
    inservice
serverfarm host WEB-SERVERS
  predictor leastconns
  rserver WEB01
    inservice
  rserver WEB02
    inservice
sticky ip-netmask 255.255.255.255 address both WEB-STICKY
  replicate sticky
  serverfarm WEB-SERVERS
sticky ip-netmask 255.255.255.255 address both APP-STICKY
  replicate sticky
  serverfarm APP-SERVERS
class-map match-any APP-VIP
  description App Servers VIP
  2 match virtual-address 10.10.12.21 tcp eq 5555
class-map match-any WEB-VIP
  description Web Servers VIP
  2 match virtual-address 10.10.12.20 tcp eq https
  3 match virtual-address 10.10.12.20 tcp eq www
policy-map type loadbalance first-match L7-APP-SERVERS
  class class-default
    sticky-serverfarm APP-STICKY
policy-map type loadbalance first-match L7-WEB-SERVERS
  class class-default
    sticky-serverfarm WEB-STICKY
policy-map multi-match L4-CONTEXT-A-VLAN
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy L7-WEB-SERVERS
    loadbalance vip icmp-reply
  class APP-VIP
    loadbalance vip inservice
    loadbalance policy L7-APP-SERVERS
    loadbalance vip icmp-reply
interface vlan 12
  description ACE-CONTEXT-A-vIPs
  ip address 10.10.12.5 255.255.252.0
  alias 10.10.12.4 255.255.252.0
  peer ip address 10.10.12.6 255.255.252.0
  access-group input ALL
  service-policy input MGMT-ACCESS
  service-policy input L4-CONTEXT-A-VLAN
  no shutdown
interface vlan 101
  description ACE-CONTEXT-A-SERVERS
  ip address 10.10.101.2 255.255.255.0
  alias 10.10.101.1 255.255.255.0
  peer ip address 10.10.101.3 255.255.255.0
  access-group input ALL
  no shutdown
Hi Adam,
You can check Gilles' DC t-shooting guides that should give you a very good overview about packet processing on the ACE; also you can check the Cisco wiki site where you find the scenarios plus a detailed explanation for traffic management.
Now going back to your issue, your problem can be split in two parts.
1. Web server not able to ping VLAN 101 ACE's SVI.
ACE is a closed device, meaning that access to each Interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new one just for ICMP, that's up to you.
2. Web servers not able to communicate with APP servers through VIP (vice versa).
Problem here is that servers are trying to communicate through SVI 101 but no VIPs are applied to it so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface, servers have the ARP and everything to reach those VIPs but the ACE has not been instructed to do load balancing for clients reaching it out through VLAN 101.
In order to do load balancing between APP & Web Servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
Also since your servers are sitting all in the same VLAN you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
I've attached a sample with NAT based on your config.
HTH
Pablo -
Cisco Ace asymmetric routing - DNS traffic
Hi,
I am wondering if Ace supports asymmetric routing.
In my setup Ace is connected to router with two transit L3 interface. Interface on the router side belongs to different VRFs (e.g. VRF-A & VRF-B). Router is running MPLS in order to connect to internet-border gateway router then to internet.
Now issue is Ace got the default route with the next hop as the router's interface in VRF-A. However the server's subnet (SVI on Ace) is advertised on router in VRF-B.
So the outbound traffic (DNS query) from servers to internet takes the default route with next hop of router's int in VRF-A and inbound traffic (DNS response) comes back via MPLS using the VRF-B. That is because server's subnet is just advertised in VRF-B so remote internet border-gateway will see the server's subnet with route-target applied to it in VRF-B.
When I enabled the reverse-path forwarding on the transit interface I could clearly see in the Ace logs that DNS response is getting dropped on the ace. I have even removed the reverse-path forwarding (nothing in the logs - but DNS response from internet still can't reach the servers). I think logically it's still asymmetrical routing from Ace's point of view but not sure.
Please can anyone confirm the solution to this issue. I am thinking if I advertise server's subnet in VRF-A as well then it will be symmetrical routing but not 100% sure if it will fix it.
So just wondering if there are any other options advisable ?
Thanks
Is it not possible to have a host route added to the destination server ? This would allow the traffic to be routed back the same way it came and thus the connection work ?
Try adding a static route onto the destination server along the lines of ...
route add [source address of server] mask 255.255.255.255 [IP address of ACE interface]
This would cause the traffic to be routed between the two hosts via the ACE module which is good because the ACE is acting as a router between the two network segments.
That's just what I would do but I understand that it may not be the option you want.
Good luck -
Hi,
I am trying to configure FT on ACE modules, with the following commands
ft interface vlan 20
  ip address 172.16.20.1 255.255.255.252
  peer ip address 172.16.20.2 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 20
ft group 1
  peer 1
  priority 150
  associate-context Admin
  inservice
The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this? Do I need to enable something?
I have the following config which seems to be working fine for me... check your vlan20 interface is up
ft interface vlan 212
  ip address 172.31.1.221 255.255.255.252
  peer ip address 172.31.1.222 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 212
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context Admin
  inservice
HQ-ACE1/Admin# sh int
vlan212 is up, administratively up
Hardware type is VLAN
MAC address is 00:23:5e:25:72:f1
Mode : routed
IP address is 172.31.1.221 netmask is 255.255.255.252
FT status is standby
Description:not set
MTU: 1500 bytes
Last cleared: never
Last Changed: Tue Sep 6 12:46:06 2011
No of transitions: 1
Alias IP address not set
Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
Assigned from the Supervisor, up on Supervisor
8654909 unicast packets input, 735611030 bytes
1151150 multicast, 161 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
13020418 unicast packets output, 1672055521 bytes
0 multicast, 163 broadcast
0 output errors, 0 ignored -
Simple SLB with the ACE Module
Hello,
I have some problems with an ACE module I am currently testing.
I have a simple Serverfarm with two Servers.
But there seem to be some problems with the load balancing that I do not understand:
1) I use Round Robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, also different URLs.
2) With the show serverfarm statement the total connects do not increment.
switch/slb-c1# show serverfarm webfarm
serverfarm : webfarm, type: HOST
total rservers : 2
----------connections-----------
real weight state current total
---+---------------------+------+------------+----------+--------------------
rserver: web1
10.0.33.201:0 8 OPERATIONAL 0 0
rserver: web2
10.0.33.200:0 8 OPERATIONAL 0 0
switch/slb-c1# show service-policy L4_LB_VIP
Status : ACTIVE
Interface: vlan 300
service-policy: L4_LB_VIP
class: L4_VIP_CLASS
loadbalance:
L7 loadbalance policy: L7_SLB_POLICY
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED
VIP State: INSERVICE
curr conns : 0 , hit count : 15
dropped conns : 0
client pkt count : 10198 , client byte count: 420991
server pkt count : 23367 , server byte count: 34915173
I have attached the Config.
Any idea what is going on?
What version do you have?
I would recommend to run the very recent A1.4.
This is something that really should work.
Gilles. -
Hi,
I need to know if for 2 ACE to work on FT the subnet needs to be same or can it work on different subnet as well?
Is it possible to connect 2 6509 with ACE each, connected through routes, not with vlans (layer 3, not layer 2)??
Also, can both ACE be made functional to work in active active??
NO.
You need to extend each VLAN going into one ACE module to its peer.
Both ACE modules can be Active/Active only in multi context mode. For e.g. if you have four contexts C1, C2, C3, C4 then you can make C1 & C2 active on Ace1 & C3 & C4 active on Ace2.
Syed Iftekhar Ahmed -
Per-ServerFarm SNAT on ACE Module.
Dear all,
I have an ACE Module configured in Multiple Routed Contexts.
My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.
Also, the cust wants that different serverfarms comunicate each other within the same VLAN.
I was reading and the option that accomplishes both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
Is this correct?
The software version is A2(3,5).
Thanks a lot!
David
Hi David
Could you please clarify and maybe separate the tasks you have?
As I understand you have such tasks for now:
1) Don't show rserver IPs anywhere outside ACE
2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
First task is a little bit unclear. I mean - actually you have VIP outside of ACE and all outside clients communicate to serverfarm via VIP and don't need to know rservers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too?
2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only key difference is that you need to add a NAT statement, because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
E.g.
policy-map multi-match VIP_IN
  class MY-CLASS
    loadb vip ins
    loadb policy MY-L7Policy
    nat 1 dynamic vlan X << - inside interface
and then on inside interface
inter vlan X
  nat-pool 1 Y.Y.Y.Y netmask 255.255.255.255 pat
In this case it will work in this way: say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you configure like I wrote above this will happen:
Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8, ACE will catch it and process it. You have a SNAT statement there, so ACE will perform standard load balancing and replace source IP with NAT IP (say 10.0.0.100), thus when server #1 which gets this loadbalanced traffic receives it, it will send return traffic to 10.0.0.100, thus to ACE. -
What exactly does the MAC-Miss rate mean on the ACE? And if we are running out of resources for it, should I worry?
We have only implemented 1 production policy on the ACE module so far and we are already running out of resources for the mac-miss rate. All other resources look good.
Is this OK? Or is something wrong here?
Attached is the resource usage counters.
Thanks,
Ben
When the ACE receives traffic for which it does not have an arp entry for either the source or destination, this is called a mac-miss and the fastpath agent needs to ask the slowpath agent to perform an arp request.
This communication is rate-limited.
With no mac entry for a src or dst, we drop the packet.
So, you should increase the resource.
Or review your design.
It's best to have the clients coming through a gateway (ie: the MSFC) instead of directly accessing the ACE.
This way only 1 mac entry is needed - the gateway.
You'll see a counter like this
switch/Admin# sho np 1 me-stats "-socm -v" | i mac
Drop [mac lookup fail]: 4 0
Gilles.