ACE Te Interface config recommendation

Hello,
I am wondering whether there is a Cisco recommendation on how to configure the Te interface in the cat65?

gdufour-cat6k1(config)#int tenGigabitEthernet 3/1
% This interface cannot be modified
gdufour-cat6k1(config)#
So, basically, you don't do anything on the cat6k for the ACE tengig interface.
Gilles.

Similar Messages

  • PING TO ACE VLAN INTERFACES

    Hi,
    I am not able to ping the VLAN interfaces defined on the ACE devices unless directly connected to the subnet.
    I tried options - defining access-list, service-policy. I can ping the servers behind the ACE but I can't ping the ACE VLAN interface.
    I captured the traffic on the ACE. I can't see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.
    Is there any option available to enable ICMP on the interfaces?

    In order to ping the VLAN interface you just need a management policy applied to the VLAN interface.
    Class-maps used in the management policy define the source addresses from where these management accesses are allowed.
    If you can ping the interfaces from locally connected subnets but not from the remote subnets then there could be 2 reasons:
    1. Some routing issues
    2. Source IPs in management class maps are not defined.
    The following is an example of a typical management policy:
    #Allow telnet & SSH from these ip addresses
    #Allow ICMP from any source
    class-map type management match-any MGMT-CLASS
      10 match protocol telnet
      20 match protocol ssh
      30 match protocol icmp any
    policy-map type management first-match MGMT-POLICY
      class MGMT-CLASS
        permit
    interface vlan 10
      ip address x.x.x.x 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 20
      ip address y.y.y.y 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    Syed Iftekhar Ahmed
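
An added example, not part of the original thread or any Cisco tooling: a small Python audit that reads ACE configuration text and reports, per VLAN interface, which management protocols are permitted and from which sources, as the answer above describes. The sample configuration, its addresses and the finding labels are constructed for this example; first-match shadowing between overlapping subnets is not evaluated.

```python
import ipaddress
import re

# Constructed sample modelled on the management policy above; names and addresses are made up.
SAMPLE_CONFIG = """
class-map type management match-any MGMT-CLASS
  10 match protocol telnet source-address 192.0.2.0 255.255.255.0
  20 match protocol ssh source-address 192.0.2.0 255.255.255.0
  30 match protocol icmp any
class-map type management match-any OPEN-CLASS
  10 match protocol telnet any
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
policy-map type management first-match OPEN-POLICY
  class OPEN-CLASS
    permit
interface vlan 10
  service-policy input MGMT-POLICY
interface vlan 20
  service-policy input OPEN-POLICY
interface vlan 30
"""

HEADERS = (("class", re.compile(r"class-map type management \S+ (\S+)$")),
           ("policy", re.compile(r"policy-map type management \S+ (\S+)$")),
           ("iface", re.compile(r"interface vlan (\d+)$")))
OTHER_HEADER = re.compile(r"(class-map|policy-map|interface|ft|context) ")
MATCH = re.compile(r"\d+ match protocol (\S+) (?:(any)|source-address (\S+) (\S+))$")

def parse(config):
    """Sections are keyed on header lines, so flattened indentation still parses."""
    found = {"class": {}, "policy": {}, "iface": {}}
    kind = name = None
    for line in (raw.strip() for raw in config.splitlines()):
        hit = next(((k, m.group(1)) for k, rx in HEADERS if (m := rx.match(line))), None)
        if hit:
            kind, name = hit
            found[kind][name] = []
        elif OTHER_HEADER.match(line):
            kind = None  # a section this audit does not model
        elif kind == "class" and (m := MATCH.match(line)):
            proto, any_src, addr, mask = m.groups()
            net = any_src or str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            found["class"][name].append((proto, net))
        elif kind == "policy" and line.startswith("class "):
            found["policy"][name].append([line.split()[1], None])
        elif kind == "policy" and line in ("permit", "deny") and found["policy"][name]:
            found["policy"][name][-1][1] = line
        elif kind == "iface" and line.startswith("service-policy input "):
            found["iface"][name].append(line.split()[2])
    return found

def permitted(config):
    """Per VLAN, the (protocol, source) pairs its management policies permit.
    The first class that mentions a pair decides it (first-match)."""
    found = parse(config)
    result = {}
    for vlan, policies in found["iface"].items():
        decided = {}
        for policy in policies:
            for cls, action in found["policy"].get(policy, []):
                for pair in found["class"].get(cls, []):
                    decided.setdefault(pair, action)
        result[vlan] = [pair for pair, action in decided.items() if action == "permit"]
    return result

def audit(config):
    """Flag VLANs with no management access, telnet, or any-source logins."""
    findings = {}
    for vlan, pairs in permitted(config).items():
        notes = set() if pairs else {"no-mgmt-access"}
        notes |= {"telnet" for proto, _ in pairs if proto == "telnet"}
        notes |= {f"any-source:{p}" for p, src in pairs
                  if src == "any" and p in ("telnet", "ssh")}
        findings[vlan] = sorted(notes)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

An interface reported as `no-mgmt-access` is one that, per the answer above, will not reply to ping because no management policy is applied to it.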

  • ACE Switchover and Config Sync

    Hi
    I'm new to the ACE module and trying to set up some scenarios, and I have already run into some trouble.
    Question 1)
    I configured redundancy to another module - virtualised mode. Config sync between the contexts worked fine. If I changed something in the active context it was copied to the standby context. But if I changed something in the active Admin context it was not copied to the standby Admin context.
    Question 2)
    FT Switchover in the Admin context is not possible returns the following fault:
    ACE_Switch08/Admin# ft switchover
    This command will cause card to switchover (yes/no)? [no] yes
    Invalid FT group. FT switchover command will be ignored.
    ACE_Switch08/Admin#
    If I switch a single FT group it works. But how is it possible to switch all FT groups at the same time? Do I have to switch each context by itself?
    Question 3)
    After I have switched the active context to the standby context, the ft group x command shows both peers as active. After I take the standby ft group no inservice and back inservice it shows correctly Active and standby_HOT.
    The configuration:
    hostname ACE_Switch08
    boot system image:c6ace-t1k9-mz.3.0.0_A1_4a.bin
    resource-class RC1
      limit-resource all minimum 10.00 maximum equal-to-min
    class-map type management match-any REMOTE_ACCESS
      description -- Remote Access traffic match --
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    interface vlan 2100
      ip address 172.29.190.16 255.255.255.0
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ft interface vlan 2020
      ip address 192.168.100.1 255.255.255.0
      peer ip address 192.168.100.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 200
      heartbeat count 20
      ft-interface vlan 2020
    ip route 0.0.0.0 0.0.0.0 172.29.190.1
    context sf0-2200
      allocate-interface vlan 2201
      allocate-interface vlan 2207
      member RC1
    context sf0-2220
      allocate-interface vlan 2221
      allocate-interface vlan 2227
      member RC1
    ft group 1
      peer 1
      no preempt
      priority 200
      peer priority 150
      associate-context sf0-2200
      inservice
    ft group 2
      peer 1
      no preempt
      priority 200
      peer priority 150
      associate-context sf0-2220
      inservice
    username admin password xxx role Admin domain default-domain
    username www password xxx role Admin domain default-domain
    Any help is appreciated
    pat

    Hi Pat,
    1)
    For my config I just put the "user" or "backend" contexts into ft groups. I don't sync the admin contexts on both ACEs. I am not even sure if that makes sense or is "best practice".
    So if you don't put the admin context into an extra ft group it won't be synced. You have to configure the admin contexts on each physical ACE separately.
    Putting the contexts sf0-2200 & sf0-2220 into an ft group and not having an ft group for admin is the way to go IMHO.
    2)
    If you do a switchover you always have to specify which context you want to switchover. I don't think that you can actually switchover a whole bunch of contexts with this command. If you want to do that a reload is the only way AFAIK.
    Try:
    ft switchover 1
    ft switchover 2
    3)
    This could be because you have not configured the other ACE's admin context to participate in the ft properly.
    My configs look like this.
    ACE01:
    ft interface vlan 777
      ip address 172.16.99.1 255.255.255.252
      peer ip address 172.16.99.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 200
      heartbeat count 20
      ft-interface vlan 777
      query-interface vlan 444
    ft group 3
      peer 1
      priority 150
      peer priority 110
      associate-context FOO
      inservice
    ft group 4
      peer 1
      priority 150
      peer priority 110
      associate-context BAR
      inservice
    ft group 2
      peer 1
      priority 150
      peer priority 110
      associate-context FOO-BAR
      inservice
    ACE02:
    ft interface vlan 777
      ip address 172.16.99.2 255.255.255.252
      peer ip address 172.16.99.1 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 200
      heartbeat count 20
      ft-interface vlan 777
      query-interface vlan 444
    ft group 2
      peer 1
      no preempt
      priority 110
      peer priority 150
      associate-context FOO
      inservice
    ft group 3
      peer 1
      no preempt
      priority 110
      peer priority 150
      associate-context BAR
      inservice
    ft group 4
      peer 1
      no preempt
      priority 110
      peer priority 150
      associate-context FOO-BAR
      inservice
    Hope that helps
    Roble

  • ACE FT interface errors

    I have 2 ACE appliances running in active/standby.  On each appliance I have port 3 used for FT and port 4 used for server traffic.  Every one of the connections terminates on a 3750 10/100 switch.  The switch ports (all configured as access ports) are configured the same way and each of the connections from port 4 (the server port) works great with no interface errors.  However, on BOTH ACE appliances, port 3, (the FT port) causes non-stop input errors and runts on the switch interface and failover will not work.  I have tried to hardset the speed/duplex on both devices and every other possible combination with no success.  AS A TEST ONLY --> When I plugged each of the FT interfaces into a $10 linksys hub, failover worked perfectly.
    Since using the $10 hub is not an option, any ideas on what I can try to fix the issue?

    The FT interface is a trunk interface.
    You have to set your switch to trunking mode not access mode.
    This is explained somewhere in the documentation.
    Gilles.

  • Simple question - ACE Context Running Config

    How do I erase the running config of a context? wr erase only gets rid of the startup config. I can go through it with no commands but was hoping there is a better way.

    If you could reload per context erasing the startup config would work. Unfortunately you can only reload the whole ace blade.
    Fastest way to get rid of a config within a context is to delete the context in the admin context and then re-create it.
    changeto Admin
    conf t
    no context
    context
    If you had checkpoints already created those are gone as well once you issue the "no context " command.
    To make it easier in the future I would suggest you create an empty checkpoint at the very beginning or at the point of your configuration where you want to start to experiment with the settings.
    conf t
    checkpoint create
    or
    checkpoint create
    To get the settings back you issue:
    conf t
    checkpoint rollback
    The checkpoints are per context btw.
    Hope that helps.
    Roble

  • ACE Mod20 interface vlan

    Hi,
    Is it possible to set up the service-policy on the server side vlan interface and still have it available for clients with a client subnet IP?
    What I'm currently trying to do is to reach the other side through the ACE, and ping the interface VLANs in a context. But I don't get any answer.
    Trying to reach the interface vlan address 2.1.1.1 from a host in vlan1, but with no success. I can ping the interface vlan 1 though, and can route through the module also.
    Setup is simple as that:
    access-list anyone line 18 extended permit ip any any
    interface vlan 1
      desc client vlan
      ip address 1.1.1.1 255.255.255.0
      alias 1.1.1.2 255.255.255.0
      access-group input anyone
      service-policy input remote-mgmt
      no shutdown
    interface vlan 2
      desc server vlan
      ip address 2.1.1.1 255.255.255.0
      alias 2.1.1.2 255.255.255.0
      access-group input anyone
      service-policy input remote-mgmt
      no shutdown
    Greetings,
    Frank

    Hi Frank,
    Service-policies need to be applied to the incoming/ingress interface, hence the 'input' keyword when applying them.  As for ping, by design, the ACE will not allow you to ping a remote interface on the ACE.  In other words, a host on VLAN 1 will be able to ping IP 1.1.1.1, but not 2.1.1.1.  A host on VLAN 2 will be able to ping 2.1.1.1, but not 1.1.1.1.
    Hope this helps,
    Sean

  • CSM4.4 and 87x router interface config

    I'm trying to configure a bunch of 877 routers via CSM4.4sp2. I'm struggling with assigning the ports to VLANs.
    On the 87x router there are 4 switch ports, which are handled rather like a L2 (eg, Cat2960) switch in that you can't assign them a L3 address as you would a regular router port. Rather you create an SVI (int vlan 200) and assign the port to that VLAN (switchport access vlan 200).
    I can create the SVI from CSM under the Interfaces policy, but I can't for the life of me see how to assign the switchports without having to do a FlexConfig.
    I imagine the situation will be the same for branch routers with eg HWIC-4ESW switch modules.
    Anyone?
    --hugh

    Thanks for helping me again. I really appreciate it.
    I don't have any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
    Maybe NAT-exemptions is the issue. Can you advise me which exemptions should be in Cisco IOS Router?
    Because on Cisco ASA I guess I have everything.
    Here is show crypto session detail
    router(config)#do show crypto session detail
    Crypto session current status
    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    Interface: GigabitEthernet0/0
    Session status: DOWN
    Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
    Should I see something in crypto isakmp sa?
    pp-border#sh crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst             src             state          conn-id status
    IPv6 Crypto ISAKMP SA
    Thanks again for your help.

  • ACE module interfaces

    Hello friends,
    We need to know if an ACE context can support many interfaces. Our need is to configure one context and place 4 VLAN interfaces inside that context
    in bridge mode: vlan 102, 201, 103 and 301. We need to bridge interface vlan 102 and 201 on the same bridge id, and the same with 103 and 301,
    but all these in the same context.
    Is this an applicable setup?
    Please advise me.

    Yes, that is no problem.
    But bridged vlans can only exist in one context...you can't share vlans between contexts when those vlans are bridged.
    Gilles.

  • Apex Listener config recommendations

    Our DBA is installing Apex Listener 1.1.2.131.15.23 for the first time, and had a question regarding some setup. Right now it's just a stand alone copy. In the JDBC Settings, what are your recommendations for the following settings?
    Initial Pool Size: 3
    Maximum Statements: 10
    Minimum Connections: 1
    Inactivity Timeout: 1800 seconds
    Maximum Connections: 10
    Abandoned Connection Timeout: 900 seconds
    If there is some recommended reading on how to determine the best way to set this up, that would be great.

    Hello Rick,
    It's hard to give you actual values. These settings concern, more or less, your load expectations. The numbers you need are
    - average number of concurrent sessions (work load)
    - maximum number of concurrent sessions (peak load)
    Some settings might as well depend on your applications.
    Recommended reading would be the Table A-1 of the Installation and Developers Guide, where the parameters you picked are described among other configuration parameters.
    Just some thoughts on connection handling:
    The APEX Listener uses a pool of connections to the database that is shared among all users. Usually it would be a waste of resources to have a dedicated connection for each application session, as there are usually times when there's no user activity, e.g. when a user is reading a report. So you want to make the pool size as small as possible without negative impact on your user experience. To achieve this, you may initialize your pool to be able to serve your average work load and allow it to grow to the expected peak. You may want to set the minimum number of connections below that value, so resource consumption is reduced in times of low charge.
    The timeouts concern the reduction of the pool size due to reduced load (inactivity timeout - a connection isn't needed any more) or failures or unexpected long database reaction times (abandoned connection).
    Statements caching can reduce database load and response times, but increases resource consumption of the Listener and may result in inaccurate results if cached values are outdated.
    If you have more practical questions on that topic, don't hesitate to ask.
    -Udo

  • Airport Extreme and a Time Capsule - config recommendations?

    Hi!
    So I find myself (in a fortunate position?!) with a new Airport Extreme and a Time Capsule.
    I have very few requirements - I would like to be able to connect to the Internet wirelessly, and I'd like to be able to backup a couple of Macs using Time Machine (also wirelessly).  I realise that the TC can provide me with that functionality nice and easily, but since I have an AE and a TC, I figure it would be good to make use of both, and so I wanted to ask if anyone had any recommendations for a useful configuration?
    I think there are 2 basic options I could make use of (have I missed any?!):
    1) Use AE as base station and connect the TC to it as an external HD
    2) Use AE as base station and also make TC available for back up wirelessly
    Does anyone have any thoughts on the above?  If you'd recommend 2), what would be your suggested approach as I think I'm right in saying that 2) could be done in several ways? Roaming? WDS? Just setup TC as a stand-alone wireless box with no internet connection? (does this latter approach mean I could connect to the internet and backup at the same time - I'm guessing not?)
    If 1) is the way to go, is it just a case of putting an ethernet cable between the 2 boxes?
    Any thoughts would be hugely appreciated!
    Many thanks

    I would use the Time Capsule as the wireless base station connected to the modem. Then I'd use the Airport Extreme to extend the network or to create a roaming network (ethernet cable between the units), whichever worked best in the premises. Naturally, Time Capsule would be used for backups of all machines equipped with Time Machine. Have never hooked up any Apple equipment but from my understanding of it, this is what I'd try.

  • WLC Virtual Interface config for a public SSL cert for Web Authentication

    I'm trying to get a cert loaded on my 5508 WLC running 7.6.130.0 so that when a Web-Auth user tries to authenticate they don't get the SSL cert error.
    In the document "Generate CSR for Third-Party Certificates and Download Chained Certificates to the WLC" (Document ID: 109597) it states the following:
    "Note: It is important that you provide the correct Common Name. Ensure that the host name that is used to create the certificate (Common Name) matches the Domain Name System (DNS) host name entry for the virtual interface IP on the WLC and that the name exists in the DNS as well. Also, after you make the change to the VIP interface, you must reboot the system in order for this change to take effect."
    Here are my questions.
    1. I have always had 1.1.1.1 as the address of the Virtual interface, should that change or can I leave it as 1.1.1.1?
    2. In the "DNS Host Name" Field do I simply put the domain or the FQDN?  Example. Company.com or hostname.company.com

    Hi,
    1) You can change that if you want. Normally it is non-Public and non-routable in your network.
    2) Put the Host name for which you are going to give in your company DNS server where that Host name would be mapped to the Virtual ip address.
    Regards
    Dhiresh

  • ACE 4710 OS upgrade recommend

    Hi all,
    I have a pair of 4710s running A3(2.5) OS. Could somebody please recommend what would be the best OS to upgrade to?
    Only requirement is that it supports this feature "insert Subject and Subject-CN client certificate headers".
    Thank you very much.

    Jorge,
    So the A5 is a no-go for us. We will go for A4, which is enough for us as the main requirement is that feature "insert Subject and Subject-CN client certificate headers" which seems to be introduced in A4(1.0).
    I still do have a question if I may.
    Is it possible to upgrade directly to A4(2.3) from current A3(2.5)? Or is there some process that I need to follow: upgrade to A4(1.0) first and then I can go to 2.5?
    What would you recommend please, and maybe some advice to guide me on how the upgrade is done in the easiest way. As I haven't done that before I would be grateful for any advice. We have several contexts there so want to be sure I get everything right.
    Thank you.

  • Config. recommended for MDS9216 and WAAS 7341

    Hello,
    I am testing datacenter replication for a customer with 2 MDS 9216i with Hitachi storage in each site. A WAN is emulated with WAN BRIDGE with 155MB and delay 220ms. I have WAAS in each site.
    Can you tell me the best recommendation to achieve the best performance? I am using WAAS in replication-acceleration mode.
    Thanks and regards.
    Leo.

    Thanks so much for your response.
    Yes, I am using 2 7341 with inline card from demo depot. Unfortunately one 7341 has a hardware problem, so we are replacing it with a 7326. We changed to application acceleration with software version 4.1.3.b
    I think the WAAS is working well but my customer needs more performance. We are using WAN-BRIDGE to emulate 155 mbps with 220 ms delay and we found that its performance goes down each day, needing a reboot.
    Do you know any other application to emulate the WAN?
    thanks so much again.
    Leo.

  • Double check my interface config, what is the "vpc" line?

    Dual nexus 5010 switches,
    Say I'm bringing up a new LACP port for a server, this is what I'd do (on both switches)
    interface   port-channel135
    description LouPrBdw025
    vpc 135
    switchport access vlan 14
    interface   Ethernet105/1/7
    description LouPrBdw025
    switchport access vlan 14
    channel-group 135 mode active
    I understand everything there, and this works, but on the port-channel interface, what is the "vpc 135" line for? is it needed?

    Hi,
    According to the IEEE 802.3ad Link Aggregation standard, an aggregate link (or port-channel in Cisco terminology) is only allowed between two devices e.g., a single switch and a server. This can be used if you want to add additional bandwidth or provide resilience against link failure, but it doesn't provide resilience against a switch failure.
    The Cisco vPC (virtual port-channel) is a proprietary mechanism that allows two Cisco Nexus switches to appear to a downstream device as if it's a single switch. This allows the Nexus switches to work as per the IEEE standard, and at the same time adds resilience against a single switch failure.
    The vpc command is that which enables this functionality on the port-channel interface of the Nexus switches.
    You'll need the command if you're running vPC i.e., the physical links of the aggregate from the downstream device are distributed across both Nexus switches. If you're going to run standard port-channel i.e., all physical links from the downstream device connected to a single Nexus switch, then it's not needed.
    There's some other configuration required to run vPC on the Nexus which you should be able to see if you execute the show running vpc command. You'll see feature vpc, vpc domain etc., that must all be configured prior to actually enabling the vpc command on a port-channel interface. If you say this is working then presumably that's already configured.
    Regards

  • Etherchannel Simultaneous Primary and Sub-Interface Config

    Hello Cisco Experts:
    Question: Can I run layer 2 traffic across EtherChannel and layer 3 traffic simultaneously across the same etherchannel on a subinterface?  If not, and considering the background information below, is there an advisable alternative?  The documentation I've been reading isn't clear on the subject.
    Background
    I'd like to split my VLans across (2x) L3 3560 switches interconnected by EtherChannel.  I'll use SVI's for the routing - but if Switch #1 SVI must route to another SVI on Switch #2, I'd like this traffic to cross the EtherChannel instead of heading to another L3 Device before continuing its route to the destination switch.  (I.E. I prefer direct switch to switch routing.)
    Design Preference:
    I don't want my etherchannel to become a 100% routed channel.  
    I don't want to add another connection between the switches - ports are at a premium and budget is tapped.
    No access level switches are being used at this time.
    Physical Topology
    Thank you for your time,
    Mike

    Hi Jon:
    First, I didn't begin to think you were criticizing my design.  I just wanted to relieve your confusion.
    I tested your ideas this morning, and everything checked out and worked fine.  After some more investigation, I remembered why I was asking the question about using EtherChannel with an encapsulated Subinterface & IP Addr. for switch-to-switch routing.
    Regrettably it had nothing to do with Intervlan routing, which was working fine.  But it does have something to do with routing between the two switches.  
    Link Failure and High Availability
    When I began to consider each case of link failure, I discovered 4 cases of link failure that created problematic results.  Two of the cases led to an extra hop, and two of the cases result in a black hole.  These ideas were tested with packet tracer to verify I had a problem.
    These instances occur because I'm routing 3 vlans out of each switch.  Each problem could be resolved by a complete HSRP fail-over to the other switch.  But maybe the more elegant decision is a switch-to-switch route with an appropriate administrative distance (preferably using the EtherChannel)? 
    Note: Primary is the primary WAN connection and Backup is the backup WAN connection.
    Scenario 1: Extra Hop
    Scenario 2: Extra Hop
    Scenario 3: Black Hole
    Scenario 4: Black Hole
    Let me know what you think the ideal solution is: 1) use HSRP tracking to failover to the other switch, 2) create a direct switch to switch route using EtherChannel Subinterface with IP, or 3) some third option.
    Thank you for your time,
    Mike
