ACE routed mode design issue
I am configuring ACE in routing mode ,
Below is my ACE interface config.
interface vlan 28
description "CLIENT VLAN"
ip address 192.168.10.11 255.255.255.248
peer ip address 192.168.10.12 255.255.255.248
mtu 1500
mac-sticky enable
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input POLICY
no shutdown
interface vlan 29
description "SERVER VLAN"
ip address 192.168.10.19 255.255.255.248
peer ip address 192.168.10.20 255.255.255.248
mtu 1500
mac-sticky enable
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input POLICY
no shutdown
When I configuring my servers in vlan 29 and point the default gateway to 192.168.10.19 it works fine no issues,but when this ACEs goes down and the standby becomes active ,my servers default gateway will be still pointing to 192.168.10.19 do i need to manually change it .20
or can I configure HSRP,Please advise me on this
Hi ,
Yes the alias should be set as gateway for the servers.
The alias is a shared address between the peers. This address will be on the ACTIVE ace.
Regards
Dan
Similar Messages
-
Ace routing mode desging issue
need some assistance in configuring an application using routing mode on cisco ace
clients ---asa--3750--cisco ace--- servers behind vip
|
visa card transaction servers
i am able to setup a vip on ace using routing mode on ACE,as the servers need to see the client ip ,so we are not performing SNAT,this part is working fine
when a request comes from the client ,it goes to the vip and to one of the backend servers ,and the request will be forwaded back to the ace ,as the default gateway on the servers is pointing to the server vlan on ace.
but if the transaction from the servers need to go to the visa card transaction servers ,how can we acheive this ,and after fetching the data from visa servers,does the reply will be fwd to the ACE or ASAs directly
Or do we need to have static routes defined on the visa servers to point to ASA
please advise me on thisClint
No they are completely in a different network ,
When a client hits the VIP ,the request goes to the ASA
ASA fwd the vip traffic to the ACE (VIP) interface ,and from there it fwd the traffic to the (server vlan) interface and to the appropriate backend servers.
Backend server responds back to the (server vlan ) interface and the traffic fwd back to the ASA.
But when visa card transaction need to take place ( farm servers ) need to route the traffic to the visa servers which will be in different subnet range .
Do the farm serevrs send the request back to the ASA and can we configure static routes on ASA to point to the visa servers.
Are on the farm servers can we have static routes for the visa servers
Or can I defind static routes on ACEs for the visa servers. -
Sharing a VLAN between FWSM and ACE (Routed Mode)
Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
I wanted to configure it like this.
firewall vlan group 10 <FWSM only vlans>
firewall vlan group 20 <shared FWSM and ACE vlan>
or
svclc vlan group 20 <shared FWSM and ACE vlan>
svclc vlan group 30 <ACE only vlans>
The design hides the client side network and the server side network for the ACE behind the FWSM module.
Layout:
|-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
So allocation on the 65xx would be like this.
firewall module n vlan-group 10,20
svclc module n vlan-group 20,30
Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
FWSM and ACE will be in routed mode.
Thanks for reading...
RobleNever mind...
Just found the perfect answer for this in a another posting from Syed.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
Roble -
Can VIP and Rservers be in the same subnet in ACE Routed Mode
Good Day,
Sorry for the lengthy post.
Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
Unfortunately I don't have a spare ACE to test scenario.
As always any help would greatly be appreciated.
Regards,
RamanLink-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topolgies rather than routing them.
The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections. -
Two ACEs LoadBalancers are setup as active standby in routed mode.
serverfarm host s1
predictor leastconns
probe PROBE_HTTP
rserver app1
inservice
rserver app2
inservice
class-map match-all s1_CLASS
2 match virtual-address 10.12.7.11 tcp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match s1_POLICY
class class-default
serverfarm s1
policy-map multi-match POLICY
class s1_CLASS
loadbalance vip inservice
loadbalance policy s1_POLICY
loadbalance vip icmp-reply active
we had one connection from client to app2 server
performed a code upgrade on LB2 ,did a swithover to make LB2 active,.the client connection was still on app2 server
when LB1 was upgraded and made it primary , the connection was still on app2 .
but after couple mins was seeing the connection on app1 ,instead of app2 .
please help me on this
when
whenHi,
What you saw it is totally expected behavior.
What happens is that the ACE will keep the connections active and they will be served until the either the connection is closed by the client( by closing the browser) or times out due to inactivity, then if you switchover to another ACE then all "NEW" connections will be handled by the new master ACE since there´s no reason to send the traffic to the previous master ACE because it is not longer the Primary.
Again, this is expected.
Hope this helps
Jorge -
ACE Routed mode - cannot see serverside network
Hi all,
I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the serverside VLAN only in the ACE context. Trouble is this doesn't seem to have propagted into the routing table.
The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
Am I missing something obvious. I've attached the config if that helps.
Thank you
CathyI am not sure what your question is
Are you not seeing the VIPs in 6500 routing table? If its about vip the RHI (Route health injection (loadbalance vip advertise) should take care of it.
Or you want to see the Server vlan in the routing table of 6500?.
If thats the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on upstream router).
Syed Iftekhar Ahmed -
Hi,
I am having this design issue with route reflectors and could use some help.
I have 18 routers fully meshed in an MP-iBGP session and i am going to introduce route reflectors into the network to minimize the total number of TCP sessions
My problem is that some of these routers have outboud policies with one another. for example i have a route map on router 1 affecting only router 2 and would like to keep it this way
is there any way to do that through route reflectors ?
Thank you
HadiHi Riccardo,
I have 18 routers in a full MP-iBGP mesh topology. Some pairs of these routers have the following policy :
I have a route-map matching on Route Targets and i am setting the next hop to be different from the rest of the RT for that site.
This way, the prefixes originating from site A for example will reach site B with different next hops depending on how i set it in my route-map.
These policies are only between pairs of routers i.e. router#1 needs only to affect router#2
How can i achieve this using RRs
Thank you
Hadi -
Example Config ACE routed mode with NAT
Hi all,
i have a two-arm loadbalancer (routed mode).
client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
But i have my problems to configure the NAT. Can anybody show me a example configuration of a two-arm loadbalancer with NAT?
Especially the access-list, class-map, policy-map and on which interface the NAT-Policy must be added.
BR
DominikHi Dominik,
Something like this:
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 10.198.16.2
inservice
rserver host SERVER_02
ip address 10.198.16.3
inservice
rserver host SERVER_03
ip address 10.198.16.4
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
interface vlan 451
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
no shutdown
interface vlan 452
description Servers vlan
ip address 10.198.16.1 255.255.255.0
access-group input ANYONE
nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Cesar R
ANS Team -
I am carving up an internet Class C for customer. This class C is used by 3 distinct QA, Corporate and Production firewalls. I want to carve up IP space so there is a /26 for each environment. The issue I have is the firewalls may need communication with each other via the public IP space. Currently I don’t have any L3 switches in between the firewalls and the edge internet router. So with subnetting, it would seem I need to push everything through the internet router for the intra-firewall communication.
I would rather not push this traffic through the edge router, so I came up with an idea to allocate all firewall outside interface IP’s in the 4th (last remaining) /26. That way, I can allow firewalls to communicate over the primary interface IP’s, which will all be in the same subnet – without going through a routing “engine”/device.
For the actual environment subnets (NAT's on respective firewalls), I create a static route on the edge router pointing to each of the firewall’s primary IP’s for the respective environment routes (the first 3 - /26’s).
This is still a beta design, but I have done this before on small scale when ISP gave me 2 subnets for example, assuming I was going to put a router in between the customer firewall and ISP. I would use the “routed subnet” on the ASA interface, and then pull the NAT’s from the other subnet. The ISP would have to add a static route directing the NAT subnet to the “routed subnet” correct IP - which would be the firewall outside interface primary IP.
I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet. This means the ISP/router will have to assign static ARP entries on the edge router. This can get messy after the first few NAT entries. So I am debating the design now. I think this kind of stuff going forward won’t be worthwhile with newer ASA 8.4.3 code.
Any ideas on how to communicate between different ASA’s, while still carving up the Class C into usable smaller subnets? The primary reason for doing this in the first place is to support routing on the edge router. I am thinking it might be time to ask for another Class C to do the routing functions, and keep the firewalls all at Layer 2 in one /24 - Class C?I recently found out that with ASA OS 8.4.3 and up, ASA will not proxy arp for IP’s not in its local interface subnet.
That is a surprise especially as using a different subnet than the one used to connect the ASA to the router for NAT is quite a common setup.
Anyway as we are brainstorming here are a couple of options that spring to mind. Please feel free to shoot them down
For both solutions you still have 4 x 26, the first 3 for each firewall to use as NAT and then the last /26 for the firewall interfaces + the ISP internal interface.
Option 1
======
when you allocate the IP to the firewall outside interfaces and the ISP internal interface they come out of the last /26 range but you use a /24 subnet mask. The router will arp out for all addresses within the /24 subnet but the firewalls should only answer via proxy arp for any statically mapped NAT entries that they have. They will answer because the /26 they use for NAT are within the range of their outside interface IP because that is using a /24.
Obviously because the interfaces are in the same /24 range they will be able to talk to each other wihout bouncing off the router.
Option 2
=======
pretty much the same as option 1 except the ISP router uses a /26 subnet and has routes for easch /26 NAT subnet pointing to the relevant firewall. This way you don't have as many arps being sent by the ISP router. The firewalls still have to use a /24 mask to enable them to talk with each other. And the firewalls and router still need to have IPs from the last /26.
Both would need testing and i may have missed something but i would have thought both would work.
Jon -
Is it possible in a routed setup for clients to talk to the servers in the Server Farm directly? IE - Not through the VIP. IE - I want to ping the real server or access a file share, etc.
As you know, in a routed setup, the server gateway is the ACE. It appears that when I try to talk to the server directly, the server talks back to the ACE and traffic is dropped/lost.
I ask because our servers run many applications. I need to load balance to just one of the applications (WWW) but not to the other several apps that are running.Yes it is possible.
You need to have an ACL applied to ACE that allows traffic to the real servers.
Yourd upstream routers should be configured such that they route the traffic destined to he real servers to the ACE.
Syed Iftekhar Ahmed -
My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations? Not just how-to scenarios.
And the primary question that brings me here:
I've got an ACE module in a 6500 chassis that's configured for routed mode. For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers. vIP VLAN is 12 and rserver VLAN is 101. I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver. The same if user devices are sending traffic to the App servers vIP.
When a Web server tries to send over to the App servers vIP, I get no response. In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101). How do I get the Web server to send traffic loadbalanced across the App servers?
Here's an example ACE config:
access-list ALL line 8 extended permit ip any any
probe tcp 5555
port 5555
interval 5
passdetect interval 30
probe http HTTP
interval 5
passdetect interval 30
expect status 200 200
rserver host APP01
description App Server 1
ip address 10.10.101.15
probe 5555
inservice
rserver host APP02
description App Server 2
ip address 10.10.101.16
probe 5555
inservice
rserver host WEB01
description Web Server 1
ip address 10.10.101.17
probe HTTP
inservice
rserver host WEB02
description Web Server 2
ip address 10.10.101.18
probe HTTP
inservice
serverfarm host APP-SERVERS
predictor leastconns
rserver APP01
inservice
rserver APP02
inservice
serverfarm host WEB-SERVERS
predictor leastconns
rserver WEB01
inservice
rserver WEB02
inservice
sticky ip-netmask 255.255.255.255 address both WEB-STICKY
replicate sticky
serverfarm WEB-SERVERS
sticky ip-netmask 255.255.255.255 address both APP-STICKY
replicate sticky
serverfarm APP-SERVERS
class-map match-any APP-VIP
description App Servers VIP
2 match virtual-address 10.10.12.21 tcp eq 5555
class-map match-any WEB-VIP
description Web Servers VIP
2 match virtual-address 10.10.12.20 tcp eq https
3 match virtual-address 10.10.12.20 tcp eq www
policy-map type loadbalance first-match L7-APP-SERVERS
class class-default
sticky-serverfarm APP-STICKY
policy-map type loadbalance first-match L7-WEB-SERVERS
class class-default
sticky-serverfarm WEB-STICKY
policy-map multi-match L4-CONTEXT-A-VLAN
class WEB-VIP
loadbalance vip inservice
loadbalance policy L7-WEB-SERVERS
loadbalance vip icmp-reply
class APP-VIP
loadbalance vip inservice
loadbalance policy L7-APP-SERVERS
loadbalance vip icmp-reply
interface vlan 12
description ACE-CONTEXT-A-vIPs
ip address 10.10.12.5 255.255.252.0
alias 10.10.12.4 255.255.252.0
peer ip address 10.10.12.6 255.255.252.0
access-group input ALL
service-policy input MGMT-ACCESS
service-policy input L4-CONTEXT-A-VLAN
no shutdown
interface vlan 101
description ACE-CONTEXT-A-SERVERS
ip address 10.10.101.2 255.255.255.0
alias 10.10.101.1 255.255.255.0
peer ip address 10.10.101.3 255.255.255.0
access-group input ALL
no shutdownHi Adam,
You can check Gilles' DC t-shooting guides that should give you a very good overwiew about packet processing on the ACE; also you can check
the Cisco wiki site where you find the scenarios plus a detailed explanation for traffic management.
Now going back to your issue, you problem can be splitted in two parts.
1. Web server not able to ping VLAN 101 ACE's SVI.
ACE is a closed device, meaning that access to each Interface/VLAN needs to be explicitly configured; you need to apply the management policy
to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new
one just for ICMP, that's up to you.
2. Web servers not able to communicate with APP servers thorugh VIP.(vise-versa)
Problem here is that servers are trying to communicate through SVI 101 but no VIPs are applied to it so the ACE will simply discard the packets
for 10.10.12.20/10.10.12.21 on that interface, servers have the ARP and everything to reach those VIPs but the ACE has not been instructed to do
load balancing for clients reaching it out through VLAN 101.
In order to do load balancing between APP & Web Servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
Also since your servers are sitting all in the same VLAN you're going to need client NAT to prevent assymetric routing on server-to-server communications.
I've attached a sample with NAT based on your config.
HTH
Pablo -
Reg:FWSM router mode issue
Hi,
I have a Cisco FWSM installed on Cisco 7613 router,the topology is like mentioned below,
7613+{FWSM}------3560---------3560----[10.220.0.0/29,10.220.1.0/29,10.220.2.0/29]
Here we created a p2p link between 7613 gig port and switch3560 gig port (say 10.220.1.252/29) and then there ia a trunk between both 3560 switches ,We wish to run FWSM in router mode and configured vlan groups 10(101,102)and 20(200,201),assigned both these groups to firewall module on router on vlan 200 ip add 192.168.2.1/24 has been given, while on fwsm on int vl 200, 192.168.2.2 ip has been given,although the interfaces are up and pinging their individual ip ads they are not pinging each other(both ip ads appear in sh arp though.Kindly help in resolving this issue.
Also i configured inside vlan 201as inside its also up and visible in arp of router but not pinging others kindly help in the resolution of this issue.
We need to put this firewall in front of the router which has a serial line to another 7600 router,how would i take traffic to fwsm ,pls suggest what else do i need to do ,as i m new to FWSM .
router config:
Router#sh firewall module
Module Vlan-groups
04 1,2
Router#sh firewall vlan-group
Display vlan-groups created by both ACE module and FWSM
Group Created by vlans
1 ACE 100-101,200-202
2 <empty>
Router#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.225.62.145 - 001d.a156.9300 ARPA GigabitEthernet10/1
Internet 10.225.62.146 107 001d.a1a5.fbc1 ARPA GigabitEthernet10/1
Internet 192.168.2.1 - 001d.a156.9300 ARPA Vlan200
Internet 192.168.2.2 7 0007.0e5c.3d00 ARPA Vlan200
Internet 192.168.3.1 4 0007.0e5c.3d00 ARPA Vlan201
Internet 192.168.3.2 - 001d.a156.9300 ARPA Vlan201
Fwsm config:
hostname FWSM
interface Vlan200
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
interface Vlan201
nameif inside
security-level 100
ip address 192.168.3.1 255.255.255.0
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
no failover
no asdm history enable
arp timeout 14400
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 1:00:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect smtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:4e3eadb1a489f3b696d0c6da8b1b20b9
: end
FWSM#
FWSM# sh arp
outside 192.168.2.1 001d.a156.9300
inside 192.168.3.2 001d.a156.9300
eobc 127.0.0.81 0000.1800.0000
FWSM# sh int
Interface Vlan200 "outside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.2.2, subnet mask 255.255.255.0
Traffic Statistics for "outside":
6 packets input, 658 bytes
12 packets output, 1316 bytes
474 packets dropped
Interface Vlan201 "inside", is up, line protocol is up
Hardware is EtherSVI
MAC address 0007.0e5c.3d00, MTU 1500
IP address 192.168.3.1, subnet mask 255.255.255.0
Traffic Statistics for "inside":
6 packets input, 658 bytes
7 packets output, 726 bytes
107 packets droppedhi,
thanks for being so helpful,there is a little issue thats arisen, i can not ping inside address configured on fwsm(192.168.3.1)where as i can ping 192.168.3.2 on router interface.i cannot telnet fwsm using its outside interface ip 192.168.2.2 either,hereis my FWSM config ,kindly suggest if there is any mistake .
thanks.
Also i tried to ping inside fwsm interface from my client 10.220.2.2 and enabled debug,to get these ,
FWSM# debug icmp trace 255
debug icmp trace enabled at level 255
FWSM# ICMP echo request (len 50 id 2 seq 34642) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 34642) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 34898) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 34898) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 35154) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 35154) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 43602) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 43602) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 49746) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 49746) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 32 id 2 seq 55634) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 32 id 2 seq 55634) 192.168.3.1 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25683) 10.220.2.2 > 192.168.2.2
ICMP echo reply (len 50 id 2 seq 25683) 192.168.2.2 > 10.220.2.2
ICMP echo request (len 50 id 2 seq 25939) 10.220.2.2 > 192.168.3.1
ICMP echo reply (len 50 id 2 seq 25939) 192.168.3.1 > 10.220.2.2
Kindly suggest what could be done.
thanks. -
ACE bridge mode , FWSM routed mode
i have the following senario:
MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
vlan 180 is the server side vlan
i want he FWSM ip address to be the Server gateway while ACE module in
bridge mode
i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
ACE
if i change ACE to routed mode , i can ping to FWSM
any body can help me in this issue?The config looks good.
I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
Is evertyhing else working ?
Like ping through the ACE module ?
Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
Gilles. -
ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue
Hi All,
I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
The customer wants the following:
They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
So that all traffic goes trough that server, that server then forwards the request to the original serverfarm.
The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
For maintance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there where operational servers in the farm left.
The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
Anyone have an idea how to build this?Hi,
It need additional testing but as per my understanding if you put the back up in this order then the last backup server will be choosen first.
In your case it will be like " RSERVER1 >> backup sorry server >> backup web content
As per the below example:
I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
serverfarm host 1313-GIN-GWAP-SDC-80
rserver RSERVER1
backup-rserver test1
inservice
rserver test1
inservice standby
rserver test2
inservice standby
regards,
Ajay Kumar -
Guys,
Should the ACE be the gateway for the load balanced servers in a routed mode scenario ? If yes then why ?
Sent from Cisco Technical Support iPad Appyes ACE interface on server vlan should be gateway. routed mode implies layer 2 adjacency of servers and ace. If ace is not the gateway and you are not doing source nat on ace then servers would respond around the ace to client via it's gateway. unless specifically configured for direct server return client would be seing response from server address rather than vip resulting in failure.
Maybe you are looking for
-
I am trying to open a Dialog window using an af:CommandLink. It is not opening a new window, only navigating to the page as normal. Is there anything obvious I am doing wrong? I have also seen this syntax useDialog="true" The IDE is rejecting this as
-
Problem while importing a Crystal Report in SAP Business One
Hi Experts, I am facing a problem while importing a Crystal Report in SAP Business One, it displaying an error "No matching records found 'Queries' (OUQR) (ODBC -2028) [Message 131-183]" , and there is no use of this table OUQR
-
I do not know where my music went
I am at my wits end. I bought an Ipod nano 2GB this afternoon. Connected it to my PC Windows XP and kopied 3 mp3 files - windows media player to the ipod. I see the Ipod on my computer. When I open it I see the 3 music files (and also one picture) bu
-
Provider hosted app in windows Azure cloud Virtual Machine
Hi thanks in advance, 1. I am having requirement to setup a sitecollections specific to clients with same app installed for each client site collection( as app will act specific to client configuration). Thoughts : 1. Create a provider hosted app or
-
Ecc6.0 server free remote access
Hi, Presently am working with Sap R/3 4.7 version I interest to learn WebDynpro, is there any free Ecc.60 remote access is available through browser, with regards, Thiru