ACE versus CSS.

Hi all,
Can someone help me decide which is better to use? We are planning to build a data center with Cat6500, so there is the possibility to insert an ACE module, but ACE is quite expensive compared to CSS.
On the other side, is it possible to virtualize CSS like ACE?
BR
gg

You should not be comparing the ACE module with the CSS appliance.
The CSS appliance can be compared with the ACE 4710 appliance, which is not as expensive as the ACE module. The ACE module is needed when more throughput is needed (more than supported by the ACE appliance).
Since there is no active development for CSS, it's not advisable to deploy CSS in new data centers.
CSS cannot be virtualized.
Syed Iftekhar Ahmed

Similar Messages

  • ACE - Inspection per VIP and other Questions

    I have my ACE up and running with SLB for HTTP, terminating SSL and inspection for the traffic flowing through the ACE.
    One thing I haven't figured out yet is how to let the ACE distinguish between inspecting only the VIP traffic versus inspecting the whole traffic flowing through the routed VLAN.
    My service-policy is currently bound on the xfer net VLAN which also services the VIP.
    I made a "match url" rule with action reset for the regex "admin". If I try to access the link "slb.foo.local/admin" via the VIP it works, but unfortunately it also works if I access the real servers in the VLAN behind the ACE directly.
    A: Any idea how to solve that with best practice?
    B: I haven't found a way to create a self-signed certificate so far. Is it not implemented or did I just miss it?
    C: Is an ACL mandatory to get traffic flowing via the VIP to the real servers? I have the feeling that without an ACL permitting the traffic explicitly there won't be a flow at all.
    D: The commands "loadbalance vip icmp-reply active" and "loadbalance vip advertise active" for RHI are now two times in my config. Do I only need them once in my policy, or does it make sense to keep them per HTTP and HTTPS class?
    The corresponding config:
    class-map match-all HTTP-INSPECT-L4CLASS
    description HTTP protcol deep packet inspection
    2 match port tcp eq www
    class-map type http inspect match-any HTTP-INSPECT-L7CLASS
    description HTTP - Deep packet Inspection - Definition
    2 match content length range 0 256
    3 match url [/]admin
    4 match url .asp
    class-map match-all L4-VIP-CLASS
    2 match virtual-address 10.10.10.85 tcp eq www
    class-map match-all L4-VIP-CLASS-SSL
    2 match virtual-address 10.10.10.85 tcp eq https
    class-map type http loadbalance match-any L7-SLB-CLASS-1
    3 match http header Host header-value "10.10.10.85*"
    4 match http header Host header-value "slb.foo.local*"
    class-map type management match-any REMOTE_ACCESS
    2 match protocol ssh any
    3 match protocol icmp any
    policy-map type management first-match REMOTE_MGM_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    policy-map type loadbalance first-match L7-SLB-Policy
    class L7-SLB-CLASS-1
    serverfarm LB-Testfarm
    policy-map type inspect http all-match HTTP-INSPECT-L7POLICY
    class HTTP-INSPECT-L7CLASS
    reset
    policy-map multi-match L4-SLB-POLICY
    class L4-VIP-CLASS
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
    class L4-VIP-CLASS-SSL
    loadbalance vip inservice
    loadbalance policy L7-SLB-Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server SSL-PSERVICE-Server
    class HTTP-INSPECT-L4CLASS
    inspect http policy HTTP-INSPECT-L7POLICY
    interface vlan 444
    description XFER-ACE
    ip address 10.10.10.83 255.255.255.240
    access-group input All
    access-group output All
    service-policy input L4-SLB-POLICY
    service-policy input REMOTE_MGM_ALLOW_POLICY
    no shutdown
    interface vlan 555
    description ACE-Server
    ip address 10.10.10.97 255.255.255.240
    access-group input All
    access-group output All
    no shutdown
    Thanks for reading...
    Roble

    Gilles hope you still read this thread :)
    In another post you mentioned that the ACE features URL rewriting. I am desperately looking for this feature but can't find it anywhere in the docs.
    Since I am terminating SSL on the front and speaking plain HTTP on the back end, I have some problems with the portal application and links to non-secure documents.
    I don't think I can make the appl. admins fix the problem or make the company for the portal rewrite the code. (3 letters NOT starting with an I)
    From the SCA docs I found the following description, which matches my problem.
    [quote]
    When you have configured the urlrewrite command, the SCA can inspect the full HTML answer to replace all links to a nonsecure document with a link to the same document via HTTPS
    [/quote]
    EDIT:
    Another thing...
    I currently redirect all my HTTP traffic to a certain HTTPS URL with a redirect rserver. Works fine.
    I am still thinking about how to solve the same problem with the SSL/HTTPS portion of my VIP.
    vip:443 -> redirect to vip:443/url/foo/bar/
    I tried something like...
    vip:443 -> redirect to vip:444/url/foo/bar/
    But somehow that didn't work out. Do you have a valid "conceptual" approach to this issue?
    Roble

  • ACE SSL Sticky class-map generic vs class default differences.

    There was a thread recently titled "ACE 3.0(0) SW / LB with SSL Session-ID" where Gilles Dufour outlined a configuration for an ACE performing sticky based on SSL Session ID.
    Can anyone explain the benefits and differences of using a specific generic class-map such as this:
    class-map type generic match-any SSL-v3-32
      2 match layer4-payload regex "\x16\x03\x00..\x01.*"
      3 match layer4-payload regex "\x16\x03\x01..\x01.*"
    Versus just matching class default?
    So if I have a configuration such as this:
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class SSL-v3-32
       sticky-serverfarm ssl-v3
    vs
    policy-map type loadbalance generic first-match SSL-v3-Sticky
    class class-default
       sticky-serverfarm ssl-v3
    What's the benefit or drawback?

    The SSL session id is only available in version 3.0.1 and 3.1.1,
    so you can match this particular version and then attempt to do stickiness.
    You are guaranteed to find what you're looking for.
    If you match class-default, it means you apply stickiness to any version of SSL packet.
    So there is a risk of misinterpreting the content of the packet and sticking on something other than the session id.
    Gilles.
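To make the difference concrete, here is an added Python example (not from the thread, not Cisco code) that applies the two SSL-v3-32 regexes from the class-map above to constructed ClientHello records and to a constructed HTTP request, and compares a structure-aware session-id read with the fixed-offset read that sticking under class-default effectively performs. The 44-byte session-id offset is where a ClientHello's session id starts and is assumed here to be what a fixed-position sticky rule would read; the ACE's internal sticky implementation is not modelled.

```python
import re

# The two layer4-payload regexes from the SSL-v3-32 class-map in the thread, as Python
# byte patterns: 0x16 = handshake record, 0x0300 / 0x0301 = SSLv3 / TLS 1.0 record
# version, ".." = the two-byte record length, 0x01 = ClientHello handshake type.
SSL_V3_32_REGEXES = [
    re.compile(rb"\x16\x03\x00..\x01.*", re.DOTALL),
    re.compile(rb"\x16\x03\x01..\x01.*", re.DOTALL),
]

# Offset of the session id inside a ClientHello: 5-byte record header, 4-byte handshake
# header, 2-byte client version, 32-byte random, then a 1-byte session id length.
# Assumed here to be the offset a fixed-position sticky rule would read (assumption,
# not taken from the ACE documentation).
SESSION_ID_LEN_OFFSET = 5 + 4 + 2 + 32
SESSION_ID_OFFSET = SESSION_ID_LEN_OFFSET + 1

# Constructed HTTP request (not captured traffic), longer than SESSION_ID_OFFSET bytes.
HTTP_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: slb.foo.local\r\n"
                b"User-Agent: constructed-sample\r\n\r\n")


def build_client_hello(version: bytes, session_id: bytes) -> bytes:
    """Constructed minimal ClientHello record: one cipher suite, null compression only."""
    body = (version + b"\x00" * 32                       # client_version, random
            + bytes([len(session_id)]) + session_id      # session_id (length-prefixed)
            + b"\x00\x02\x00\x2f"                        # cipher_suites: one entry
            + b"\x01\x00")                               # compression_methods: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def matches_ssl_v3_32(payload: bytes) -> bool:
    """Would the SSL-v3-32 class-map from the thread classify this L4 payload?"""
    return any(rx.match(payload) for rx in SSL_V3_32_REGEXES)


def extract_session_id(payload: bytes):
    """Structure-aware read: return the session id only if the bytes form a ClientHello."""
    if len(payload) <= SESSION_ID_LEN_OFFSET or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    sid_len = payload[SESSION_ID_LEN_OFFSET]
    if sid_len > 32:                      # SSL/TLS session ids are at most 32 bytes
        return None
    sid = payload[SESSION_ID_OFFSET:SESSION_ID_OFFSET + sid_len]
    return sid if len(sid) == sid_len else None


def blind_sticky_key(payload: bytes) -> bytes:
    """What sticking under class-default amounts to: 32 bytes at a fixed offset, whatever they are."""
    return payload[SESSION_ID_OFFSET:SESSION_ID_OFFSET + 32]


def sticky_key(payload: bytes, use_generic_class: bool):
    """Key the load balancer would stick on under each of the two policies in the thread."""
    if use_generic_class:
        if not matches_ssl_v3_32(payload):
            return None               # class does not match: this rule makes no sticky decision
        return extract_session_id(payload)
    return blind_sticky_key(payload)


if __name__ == "__main__":
    samples = {
        "TLS1.0 ClientHello": build_client_hello(b"\x03\x01", b"A" * 32),
        "TLS1.2 ClientHello": build_client_hello(b"\x03\x03", b"A" * 32),
        "HTTP request": HTTP_REQUEST,
    }
    for label, payload in samples.items():
        print(f"{label:20s} generic={sticky_key(payload, True)!r}")
        print(f"{'':20s} default={sticky_key(payload, False)!r}")
```

Run stand-alone it prints, for each constructed payload, the key each policy would stick on; the HTTP request yields no key under the generic class but 32 bytes of request text under class-default, which is the misinterpretation Gilles describes.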

  • ACE 4710 & SSL Offloading

    I am testing the 4710 for load balancing between 2 web servers. I have the HTTP portion working just fine but would like to get some input on the SSL portion.
    We have a section of our site that requires user login, and the whole session is HTTPS from when they log in and while they are browsing through our site.
    My questions are within the design aspects. Would this best be designed using SSL offloading and then using clear text from the ACE to the web servers? Also, what would the differences be when configuring SSL offloading with stickiness if configured with HTTP server load balancing on the same server farm versus creating a new server farm just for HTTPS? Would end-to-end SSL be best in this scenario?
    Description of the web application usage:
    Users log in and their whole session is https. Users will be filling out forms, inputting data, registering for events and uploading some files.

    Okay so that makes sense to me now. When the client requests an HTTPS page and the ACE terminates the connection, the ACE uses SSL rewrite/redirect to send the request back to the client so that the client still maintains the SSL connection. Otherwise it will request an HTTP page instead of the HTTPS page.
    Am I correct?

  • Class-maps used for load balancing on ACE

    I am from a CSS background and am trying to understand how the VIPs could be configured on an ACE module (using class maps).
    I am looking for specific information on the following:
    1. Will each VIP have a corresponding service-policy on the VLAN interface, or can we club many VIPs (through policy-maps) into a single service-policy entry on the interface?
    2. I could not find any Cisco doco with configuration examples for more than one VIP address and would like to see some examples, if possible, or could someone direct me to a doco with many VIP entries?
    - Should each VIP have a separate class-map or can we list them together?

    You will have to configure L3/L4 class-maps for the corresponding VIPs. You just need a single policy with n class-maps for n VIPs.
    I am writing a sample that will hopefully help you with this:
    class-map match-all app1-vip
    match virtual-address 10.1.1.1 tcp eq 80
    class-map match-any app2-vip
    match virtual-address 10.1.1.2 tcp eq 443
    policy-map type loadbalance first-match L7app1
    class class-default
    serverfarm App1-farm
    policy-map type loadbalance first-match L7app2
    class class-default
    serverfarm App2-farm
    policy-map multi-match All-vips
    class app1-vip
    loadbalance vip inservice
    loadbalance policy L7app1
    loadbalance vip icmp-reply active
    class app2-vip
    loadbalance vip inservice
    loadbalance policy L7app2
    loadbalance vip icmp-reply active
    int vlan 100
    ip address 10.10.10.101 255.255.255.0
    service-policy input All-vips
    Syed Iftekhar Ahmed

  • ACE: Upgrade from A2(1.4a) to A2(3.0)

    Hi,
    I'm planning on upgrading my ACE modules, currently running A2(1.4a), to A2(3.0), as I need to test the 'persistence rebalance strict' feature. So far, I haven't found anything in the release notes that would advise against this upgrade.
    My main concern is that v3.0 is still relatively new (released 12/2009 if I remember correctly), so I'm trying to learn if anyone has already gone through the upgrade from A2(1.x) to A2(3.0) and has had the chance to test it. Unfortunately, I only have one set of modules running both my test and production environment, so my test options are quite limited. Still, A2(3.0) might solve a couple of ongoing issues I've struggled with for quite some time now.
    Any info will do.
    Thanx
    /Ulrich

    Persistence rebalance strict was introduced in A2(2.1).
    You can upgrade to A2(2.3), which has more bug fixes than A2(3.0). It will take a while for the A2(3.x) train to catch up with bug fixes (like the IOS T train versus IOS mainline).

  • Best practices...ACE

    I am trying to get myself theoretically familiar with ACE before actual deployment, so here are some questions...
    First, we often hear the term "offloading the SSL to ACE" to make it work on L7 and make decisions based on headers. The question arises as to how simple it is to work on ACE at Layer 7 rather than at Layer 4. Is it really worth it to go for it, and in which scenarios?
    Multiple contexts: is there any central way to measure the overall resource consumption by all/selected contexts? What are the benchmarks/limitations (not just the count) for the ACE module for the 6500? Is it productive or a waste to have FT for each context, or is FT one per box?
    How useful is it to have HTTP over SSL (I know it depends on the requirement; I need to know the impact on the box itself)?
    TCP reuse, persistent LB and header insert: can these features be used in an L4 model, or are they really L7 things?
    Can a single context of ACE be used for multiple contexts of a boundary ASA (I don't know why I am asking this)?

    SSL offloading is not just needed for making L7-based decisions but is also beneficial for performance and certificate management.
    * On web servers, native SSL processing typically happens in software (unless they are using SSL acceleration cards); as a result they handle fewer requests, will have far slower response time, and significantly decreased total throughput.
    * SSL processing is computationally intensive; SSL offloading takes the SSL processing off the web server.
    * Since the back-end web/app servers do not need to process any encrypted data, they more effectively serve data or run applications.
    * Overall certificate management gets easier (as you have to deploy/renew only one cert, versus N certs for N servers).
    When load balancing SSL traffic using Layer 4 parameters, you can ensure persistence only by using "Source IP" or "SSL ID" (the unencrypted fields). Source IP based persistence is not recommended if mega proxies are used. SSL ID based persistence is not reliable, as some IE browsers renegotiate it during a session. The only viable option is to use cookie/header values to stick a client to a single server during a session. If SSL offload is not configured, a load balancer cannot read the headers and cannot ensure persistence (if IP based persistence is not an option).
    Similarly, there are scenarios where you want to make decisions based on L7 info and, due to encrypted traffic, the load balancer can't read the headers. For example, suppose you are running an internet-facing application in 3 languages. If the load balancer can read the header (SSL offloading in place), it can select Server-X, dedicated to language X, and Server-Y for language-Y requests. There is a lot of valuable information in headers which load balancers can look at and utilize. If the traffic is encrypted and SSL offloading is not in place, it won't be able to make "intelligent decisions".
    "show resource usage" will give you the resources used by each context.
    One FT link is used for all contexts. Each context uses the same link.
    Within the configuration you can select which context will be active on which ACE peer.
    Any feature that utilizes TCP fields is L4, and any feature that goes beyond that can be called L7.
    Persistence can be L4 (Source IP) or L7 (cookie, headers...).
    Header insert is Layer 7 (you are opening the header).
    You can share ASAs inside with multiple ACE contexts. (Not true for FWSM.)
    HTH
    Syed Iftekhar Ahmed

  • ACE migration

    Migrating from a single 4710 appliance to a pair of ACE30s in a VSS cluster. The 4710 is running in bridged mode and I plan on utilizing the same VLANs and mode for the ACE30s. They are currently configured as a redundant pair. I have not yet turned up the VLAN interfaces on the ACE30s. The 4710 is currently connected to a single switch with the 2 VLANs defined on the switch. The ACE30s I'm migrating to are on a VSS cluster and the switches between are a pair of Nexus 7010s. The end result is no spanning tree redundancy. Everything is a port-channel or vPC. My question is, do I need to worry about spanning tree when migrating to the ACE30s utilizing the same VLANs on the 6509s? This is to minimize changes to the servers on these VLANs. I basically want to be able to migrate the VIPs from the 4710 to the ACE30s one at a time. I've attached a diagram of the basic layout.

    I've been thinking more about this. One question I have is that when I move a VIP to the ACE30s, how will I get the back end server to send the traffic back through the ACE30 as opposed to the 4710? I'm assuming the ARP for the client address will lead it back to the firewall (which is in front of the ACEs and is the default gateway for the subnet). How will it know to return through the ACE30 versus the 4710? Would I have to do source NAT on the ACE30s to work around this as a temporary solution until I remove the 4710, or should I use a third VLAN that only lives behind the ACE30s and move the servers onto it as part of each VIP migration?

  • ACE inline VS one-armed based

    Hello Forum, ;-)
    I have 2 basic questions I am having doubts about and would love to have some clarifications:
    1) I configure in one ACE4710 (running 4.2.2) context a bridged interface, and in another context the same interface, like here below:
    ---- Context Microsoft ----
    ACE1/Microsoft# sh run
    interface vlan 503
       bridge-group 3
       access-group input NONIP
       access-group input ALL
       access-group output ALL
       service-policy input POLICY
       no shutdown
    interface vlan 1503
       bridge-group 3
       access-group input ALL
       access-group output ALL
       no shutdown
    interface bvi 3
       ip address 120.223.22.30 255.255.255.0
       no shutdown
    Then I move to the Juniper context and I try to create an interface (either L2 or L3) but it doesn't work:
    ---- Context Juniper----
    ACE1/Juniper(config)# int vlan 503
    Error: VLAN creation is not allowed, shared bridged VLAN exists in another context
    ACE1/Juniper(config)#
    It gives an ERROR!!
    So if I configure an interface as bridged in one context, I cannot configure it in another context??
    2) If I want to migrate in context Microsoft from one-armed to inline (L2 bridged), can I migrate one service at a time? (I.e. the config I showed above for context Microsoft, would it also work for one-armed based???)
    Thanks so much for your explanations!!
    Giulio.

    Hello Giulio-
    You can only share VLANs in one-armed or routed modes. Think of it this way:
      Interface vlan 10 and 11 are bridged on context C1. (bridged mode)
      Interface vlan 12 and 13 are configured on context C2. (routed mode)
      When you have routed mode, your server's gateway is configured to point to the ACE interface IP (or alias if you have FT). If a packet comes into the physical interface on the ACE, the processor has to decide which context it belongs to. Since the MAC address is the interface on context X, it knows instantly where it goes. It will either hit a VIP, or be routed via the routing table.
      If a packet arrived on vlan 12 or 13 and the MAC address did not belong to the ACE, it would drop the packet by basic routing rules. (Think of a client connected to a hub that sees a packet destined to a MAC that is not its own: it drops/ignores the packet.)
      In bridged mode, the gateway for your server is the router on the other side of the bridged VLAN. I.e., your server is on vlan 10, the gateway is on vlan 11 and ACE is bridging them together. When packets arrive at the physical interface, ACE knows the traffic arrived on vlan 10 or 11 which belongs to context C2. If the MAC address is not a VIP, ACE simply hucks the packet out of the other VLAN. If you send traffic to the interface MAC that does not belong to a VIP, ACE drops it because it would not make sense to send a packet out the other VLAN that has a MAC address that belongs to the interface of the ACE itself.
      One-armed mode is simply routed mode with a single VLAN and source NAT. Nothing special applies to how ACE handles the traffic versus routed mode with only a single VLAN.
    Now imagine this:
      Interface vlan 10 and 11 are bridged on context C1.
      Interface vlan 11 and 12 are configured on context C2.
    Remember 3 things:
    a.) ACE conserves MAC addresses, so the VIPs share MAC addresses with the interface.
    b.) ACE will never communicate between 2 contexts directly.
    c.) If you are in routed mode and share VLANs between 2 contexts, ACE will make each VLAN have a unique MAC address. If you create unique VLANs on each context, ACE uses the same single MAC across all VLANs for all contexts.
    With traffic that is destined to ACE's MAC address and the IP is a VIP, it's not a problem: ACE could figure out which context the traffic belongs to (especially since vlan 11 would have unique MAC addresses on each context). However, what if ACE received a packet to the interface 10 and 12 MAC address? How would it know if it belonged to the bridged or routed context if it was not a VIP IP? What about traffic that arrives that doesn't have the MAC of any of the interfaces? 2 entirely different behaviors would occur: ACE should drop the packet on the bridged context, and route the packet on the routed context.
      So the bottom line is: you can't determine which context a packet would need to apply to in all circumstances if you tried to share VLANs in bridge mode across multiple contexts.
    Regards,
    Chris Higgins

  • ACE SNMP cesRserverTotalConns "There is no such variable name in this MIB"

    I have an ACE 4710 appliance currently running version A3(2.6), though earlier revisions had the same behavior. I am able to query some parts of the CISCO-ENHANCED-SLB-MIB, but others result in "(noSuchName) [t]here is no such variable name in this MIB." For instance, I can successfully `snmpwalk` cesRserverOperStatus, cesRserverStatechangeDescr, and several other OIDs, but not cesRserverTotalConns, cesRserverFailedConns, nor cesRserverCurrConns. I've also tried `snmpget` of specific real servers with the same results. Things like OperStatus and IpAddress work, but Total, Failed, and CurrConns do not.
    Here is an snmp debug from the ACE:
    First, a query that works:
    2010 Aug 23 18:19:46.930481 snmpd[1372]: (ctx:3)asn_parse_objid :   from asn1.c asn_objid, length is 0 
    2010 Aug 23 18:19:46.930582 snmpd[1372]: (ctx:3)178189364.000000:iso.3.6.1.4.1.9.9.470.1.1.1.1.14.1.4.116.101.115.116 = NULL  SNMPPKTEND
    2010 Aug 23 18:19:46.931635 snmpd[1372]: (ctx:3) SNMPPKTSTRT: 0.000000 160 178189364.000000 0.000000 0.000000 0.000000 0 0 1 1 0   <removed-community-for-security> 12 0 0 0.000000 0.000000 0.0.0.0  0  0  0  0 0 0 0 19 
    2010 Aug 23 18:19:46.931661 snmpd[1372]: (ctx:3)snmpv3_get_engineID : context id in snmpv3_get_engineID = 3 
    2010 Aug 23 18:19:46.931683 snmpd[1372]: (ctx:3)snmpv3_get_engineID : length in snmpv3_get_engineID = 9 
    2010 Aug 23 18:19:46.931725 snmpd[1372]: (ctx:3)snmpv3_get_engineID : context id in snmpv3_get_engineID = 3 
    2010 Aug 23 18:19:46.931747 snmpd[1372]: (ctx:3)snmpv3_get_engineID : length in snmpv3_get_engineID = 9 
    2010 Aug 23 18:19:46.931780 snmpd[1372]: (ctx:3)var_cesRserverTable : var_cesRserverTable : Request 1 length = 20
    2010 Aug 23 18:19:46.931803 snmpd[1372]: (ctx:3)var_cesRserverTable : GET: rservNameLen = 4 groupSubtreeLen 4
    2010 Aug 23 18:19:46.931824 snmpd[1372]: (ctx:3)var_cesRserverTable : GET: Incoming rservName  test
    2010 Aug 23 18:19:46.931846 snmpd[1372]: (ctx:3)var_cesRserverTable :   GET rservname test magic 17
    2010 Aug 23 18:19:46.931384 snmpd[1372]: (ctx:3)var_cesRserverTable :  rs name from tnrpc : test and rs ip 192.0.2.1
    2010 Aug 23 18:19:46.931424 snmpd[1372]: (ctx:3)var_cesRserverTable : tnrpc mesg recv successful from rservers stub code
    2010 Aug 23 18:19:46.931446 snmpd[1372]: (ctx:3)var_cesRserverTable :  *length 20 rservertype 2 ipaddresstype 1 description 
    2010 Aug 23 18:19:46.931504 snmpd[1372]: (ctx:3)178189364.000000:iso.3.6.1.4.1.9.9.470.1.1.1.1.14.1.4.116.101.115.116 = STRING: "ARP-FAILURE"  SNMPPKTEND
    2010 Aug 23 18:19:46.931548 snmpd[1372]: (ctx:3) SNMPPKTSTRT: 0.000000 162 178189364.000000 0.000000 0.000000 0.000000 0 0 1 1 0   <removed-community-for-security> 12 0 0 0.00000
    Next, a query that does not work:
    2010 Aug 23 18:20:55.096428 snmpd[1372]: (ctx:3)asn_parse_objid :   from asn1.c asn_objid, length is 0 
    2010 Aug 23 18:20:55.096531 snmpd[1372]: (ctx:3)497544101.000000:iso.3.6.1.4.1.9.9.470.1.1.1.1.17.1.4.116.101.115.116 = NULL  SNMPPKTEND
    2010 Aug 23 18:20:55.096577 snmpd[1372]: (ctx:3) SNMPPKTSTRT: 0.000000 160 497544101.000000 0.000000 0.000000 0.000000 0 0 1 1 0   <removed-community-for-security> 12 0 0 0.000000 0.000000 0.0.0.0  0  0  0  0 0 0 0 19 
    2010 Aug 23 18:20:55.096603 snmpd[1372]: (ctx:3)snmpv3_get_engineID : context id in snmpv3_get_engineID = 3 
    2010 Aug 23 18:20:55.096625 snmpd[1372]: (ctx:3)snmpv3_get_engineID : length in snmpv3_get_engineID = 9 
    2010 Aug 23 18:20:55.095827 snmpd[1372]: (ctx:3)snmpv3_get_engineID : context id in snmpv3_get_engineID = 3 
    2010 Aug 23 18:20:55.095849 snmpd[1372]: (ctx:3)snmpv3_get_engineID : length in snmpv3_get_engineID = 9 
    2010 Aug 23 18:20:55.095883 snmpd[1372]: (ctx:3)var_cesRserverTable : var_cesRserverTable : Request 1 length = 20
    2010 Aug 23 18:20:55.095905 snmpd[1372]: (ctx:3)var_cesRserverTable : GET: rservNameLen = 4 groupSubtreeLen 4
    2010 Aug 23 18:20:55.095927 snmpd[1372]: (ctx:3)var_cesRserverTable : GET: Incoming rservName  test
    2010 Aug 23 18:20:55.095948 snmpd[1372]: (ctx:3)var_cesRserverTable :   GET rservname test magic 26
    2010 Aug 23 18:20:55.106549 snmpd[1372]: (ctx:3)var_cesRserverTable :  rs name from tnrpc : test and rs ip 192.0.2.1
    2010 Aug 23 18:20:55.106580 snmpd[1372]: (ctx:3)var_cesRserverTable : tnrpc mesg recv successful from rservers stub code
    2010 Aug 23 18:20:55.106602 snmpd[1372]: (ctx:3)var_cesRserverTable :  *length 20 rservertype 2 ipaddresstype 1 description 
    2010 Aug 23 18:20:55.106669 snmpd[1372]: (ctx:3)497544101.000000:iso.3.6.1.4.1.9.9.470.1.1.1.1.17.1.4.116.101.115.116 = NULL  SNMPPKTEND
    2010 Aug 23 18:20:55.105723 snmpd[1372]: (ctx:3) SNMPPKTSTRT: 0.000000 162 497544101.000000 0.000000 2.000000 1.000000 0 0 1 1 0   <removed-community-for-security> 12 0 0 0.0000
    I have reviewed the Cisco ACE 4700 Series Appliance Administration Guide - Configuring SNMP document and read the "SNMP Limitations" section, which states "[i]f an SNMP MIB table has more than one string index that contains more than 48 characters, the index may not appear in the MIB table when you perform an SNMP walk. According to SNMP standards, the SNMP requests, response, or traps cannot have more than 128 subidentifiers."
    If that is the reason this doesn't work, could someone please explain more adequately the difference between querying the OperStatus versus the CurrConns when the OID I'm querying in each instance is the exact same length? And is there anything that I could change in my configuration so that I can query connection information with SNMP?
    If that documented SNMP limitation is not the reason that those particular queries fail, does anyone have any idea what the problem might be and/or next steps I should take in troubleshooting and resolving the issue?

    Are you using snmp v1? If so, please try snmp v2.
    The following is the test result in my lab.
    ### snmp v1
    lin168:~# snmpget -c cdn -v 1 1.164.0.51 .1.3.6.1.4.1.9.9.470.1.1.1.1.17.1.3.115.118.49
    Error in packet
    Reason: (noSuchName) There is no such variable name in this MIB.
    Failed object: SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.49
    ### snmp v2
    lin168:~# snmpget -c cdn -v 2c 1.164.0.51 .1.3.6.1.4.1.9.9.470.1.1.1.1.17.1.3.115.118.49
    SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.49 = Counter64: 251118
    snmpwalk also works with snmp v2 as below.
    lin168:~# snmpwalk -c cdn -v 2c 1.164.0.51 .1.3.6.1.4.1.9.9.470.1.1.1.1.17
    SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.49 = Counter64: 251118
    SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.50 = Counter64: 0
    SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.11.65.86.83.45.82.83.69.82.86.69.82 = Counter64: 0
    SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.12.65.86.83.45.82.82.83.69.82.86.69.82 = Counter64: 0
    lin168:~#
    ACE4710/Admin# show rserver
    rserver              : sv1, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.222.20:0      8      OPERATIONAL  0          251118
    rserver              : sv2, type: HOST
    state                : OPERATIONAL (verified by arp response)
                                                    ----------connections-----------
           real                  weight state        current    total
       ---+---------------------+------+------------+----------+--------------------
       serverfarm: sf
           192.168.222.21:0      8      STANDBY      0          0
    If you use SNMP v1, the behavior looks expected, since the syntax is not convertible to SMIv1, as below.
    It means you have to use SNMP v2 if you want to get the Total, Failed, and CurrConns MIB objects.
    ### snmp v1 mib
    cesRserverTotalConns OBJECT-TYPE
        SYNTAX --?? syntax is not convertable to SMIv1
               Counter
    --  Units
    --    connections
        ACCESS read-only
        STATUS mandatory
        DESCRIPTION
            "The total number of connections loadbalanced to
            this real server."
        ::= { cesRserverEntry 17 }
    ftp://ftp.cisco.com/pub/mibs/v1/CISCO-ENHANCED-SLB-MIB-V1SMI.my
    ### snmp v2 mib
    cesRserverTotalConns OBJECT-TYPE
        SYNTAX          Counter64
        UNITS           "connections"
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "The total number of connections loadbalanced to
            this real server."
        ::= { cesRserverEntry 17 }
    ftp://ftp.cisco.com/pub/mibs/v2/CISCO-ENHANCED-SLB-MIB.my
    Regards,
    Yuji
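As an added example (not from the thread and not Cisco code), the Python below encodes and decodes the cesRserverTable instance OIDs seen above, parses the snmpwalk output Yuji posted, flags the Counter64 cells that SNMPv1 cannot return, and checks the 128 sub-identifier limit quoted from the admin guide. The integer that precedes the rserver name in the index is 1 in every sample on the page and is assumed here to be a per-entity index; only column 17 is named, since the MIB excerpt above is the only column number the thread gives.

```python
import re

# cesRserverEntry prefix as it appears in the thread's OIDs (enterprises = 1.3.6.1.4.1).
RSERVER_ENTRY = "1.3.6.1.4.1.9.9.470.1.1.1.1"
MAX_SUBIDS = 128   # limit quoted in the thread from the ACE admin guide's "SNMP Limitations"

# Column 17 is cesRserverTotalConns per the MIB excerpt in the thread; the page gives no
# other column numbers, so nothing else is mapped here.
COLUMN_NAMES = {17: "cesRserverTotalConns"}

# snmpwalk output from Yuji's post, used here as sample input.
SAMPLE_WALK = """\
SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.49 = Counter64: 251118
SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.3.115.118.50 = Counter64: 0
SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.11.65.86.83.45.82.83.69.82.86.69.82 = Counter64: 0
SNMPv2-SMI::enterprises.9.9.470.1.1.1.1.17.1.12.65.86.83.45.82.82.83.69.82.86.69.82 = Counter64: 0
"""

LINE_RE = re.compile(
    r"^SNMPv2-SMI::enterprises\.(?P<oid>[\d.]+) = (?P<type>\w+): (?P<value>.*)$")


def rserver_instance_oid(column: int, name: str, entity: int = 1) -> str:
    """Build the numeric instance OID of one cesRserverTable cell.

    The index seen in the thread is an integer (1 in every sample; assumed to be a
    per-entity index) followed by the rserver name as a length-prefixed OCTET STRING.
    """
    raw = name.encode("ascii")
    subids = RSERVER_ENTRY.split(".") + [str(column), str(entity), str(len(raw))]
    subids += [str(b) for b in raw]
    if len(subids) > MAX_SUBIDS:
        raise ValueError(f"{len(subids)} sub-identifiers exceed the SNMP limit of {MAX_SUBIDS}")
    return ".".join(subids)


def parse_walk_line(line: str) -> dict:
    """Decode one snmpwalk line into column, entity index, rserver name, type and value."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    subids = [int(s) for s in m.group("oid").split(".")]
    # Drop the leading 1.3.6.1.4.1 that snmpwalk already printed as "enterprises".
    entry = [int(s) for s in RSERVER_ENTRY.split(".")][6:]
    if subids[:len(entry)] != entry:
        raise ValueError("not a cesRserverTable instance")
    column, entity, name_len, *name_subids = subids[len(entry):]
    if len(name_subids) != name_len:
        raise ValueError("string index length does not match its length prefix")
    value = m.group("value")
    if m.group("type") in ("Counter64", "Counter32", "Gauge32"):
        value = int(value)
    else:
        value = value.strip('"')
    return {
        "column": column,
        "name": COLUMN_NAMES.get(column, f"column{column}"),
        "entity": entity,
        "rserver": bytes(name_subids).decode("ascii"),
        "type": m.group("type"),
        "value": value,
    }


def v1_representable(snmp_type: str) -> bool:
    """Counter64 exists only in SMIv2; an SNMPv1 GET of such a cell answers noSuchName."""
    return snmp_type != "Counter64"


def total_conns_by_rserver(walk_output: str) -> dict:
    """Map rserver name -> cesRserverTotalConns, mirroring the 'total' column of show rserver."""
    totals = {}
    for line in walk_output.splitlines():
        if not line.strip():
            continue
        rec = parse_walk_line(line)
        if rec["column"] == 17:
            totals[rec["rserver"]] = rec["value"]
    return totals


if __name__ == "__main__":
    for rs, total in total_conns_by_rserver(SAMPLE_WALK).items():
        print(f"{rs:14s} total connections {total}")
    print("cesRserverTotalConns reachable over SNMPv1:", v1_representable("Counter64"))
    print("OID for rserver test:", rserver_instance_oid(17, "test"))
```
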

  • ACE Module vs ACE Appliance

    Hello,
    What is the difference between the ACE Module and the ACE Appliance? Why is the ACE Module better, or the ACE Appliance? What is the advantage of the Module versus the Appliance?
    Can anyone explain this to me?
    Best Regards

    In the past Cisco has been shipping two lines of load balancing products.
    The first line (modules dedicated for the 6500/7600 chassis) includes CSM, CSM-S and SSLSM (for SSL offloading).
    The other line comprises the appliance-based CSS series products.
    The ACE module is a next generation module replacing the CSM modules that fits into the 6500/7600 chassis. It gives you up to 16Gbps throughput (versus CSM's 4Gbps throughput).
    The ACE appliance is a next gen replacement of the CSS line of appliance-based products. CSS appliances used to come in different hardware models with varied performance capacities. The ACE appliance is a single hardware with various licenses used to scale the performance/features. The ACE appliance supports up to 4Gbps of throughput.
    Previously the CSS and CSM code terminologies and command sets were different. For example, a real server was termed a "service" in CSS and was called a "real" in CSM. Similarly, a "probe" in CSM was a "keepalive" in CSS.
    With the ACE line of products you get the same terminologies and command sets for both modules and appliances.
    The ACE appliance and ACE module are functionality-wise coming closer with every new release, but still there are some differences.
    For example, the following ACE appliance features are not available in the ACE module:
    Appl optimization (flash forward, Delta Encoding)
    Embedded Device manager
    HTTP compression
    Which one is better than the other really depends on your requirements.
    From a performance perspective the module gives you much higher performance than the appliance. So if performance is your criterion, the ACE module is better than the ACE appliance (some performance metrics at the end of the post).
    If you are looking for application optimization and HTTP compression along with load balancing, then it can only be achieved with the ACE appliance.
    If you are not using 6500/7600 series chassis in your environment then you can only use the ACE appliance (unless you are open to buying module+chassis due to performance requirements).
    Some performance metrics:
    The ACE appliance supports 1 million concurrent connections, whereas the ACE module supports 4 million.
    The ACE appliance supports 120K L4 conn/sec, whereas the ACE module supports 380K L4 conn/sec.
    The ACE appliance supports 40K L7 conn/sec, whereas the ACE module supports 133K L7 conn/sec.
    The ACE appliance supports up to 4Gbps throughput, whereas the ACE module supports 16Gbps throughput.
    HTH
    Syed Iftekhar Ahmed

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
    I'm a newbie to Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
    This guide is totally fine with my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some points of confusion in this guide.
    This guide follows the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the client-side VIP also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
    My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the client side where client requests come in and hit the VIP and then a second one for the server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where it is wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
    I need quick help from you. Following are the Application LB requirements which I received from my client side.
    Following detail required for configuring Oracle EBS Apps tier on HA:
    LBR IP and Name required to configure EBS APPS Tier (i.e. ap1ebs & ap2ebs nodes)
    Suggested IP and Name for LBR:
    IP : 172.25.45.x [should be on the same 172.25.45 subnet as the ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolvable and respond on the DNS network
    Server Farm detail for LBR Setup
    Following detail will be used for configuring the LBR:
    LBR IP and Name :
    IP : 172.25.45.x [should be on the same 172.25.45 subnet as the ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
    This LBR IP & name must be resolvable and respond on the DNS network
    Server Farm Detail for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
    Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
    Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
    Protocol: http
    Port: 8000
    Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and was trying to access http://172.25.45.21; it was working fine and gave me the index.html page. Now after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But my testing web servers are still there on both servers, and when I type http://172.25.45.21 it will get the index.html page, but not my client's web login page. What can I do about this?
    Following is my latest config:
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
    Hope you will reply me soon
    Thanks....!
    -Amal-
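    The probe settings in the configuration above (interval, faildetect, passdetect interval, passdetect count, expect status) together define a small health-check state machine, and reading the config is easier once that machine is spelled out. The following is an added example, not code from the thread or from Cisco, that models the behaviour in Python over a constructed sequence of HTTP status codes. The semantics it assumes are: a real server is marked FAILED after `faildetect` consecutive probe failures, is then re-probed every `passdetect interval` seconds instead of `interval`, returns to PASSED after `passdetect count` consecutive successes, and a response counts as a failure unless its status code lies within the `expect status` range (a timeout, modelled as `None`, is always a failure). The class and function names are the example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class HttpProbe:
    """Model of an HTTP health probe with ACE-style fail/pass detection
    (assumed semantics; parameter defaults mirror 'http-probe' above)."""
    interval: int = 10              # seconds between probes while PASSED
    faildetect: int = 2             # consecutive failures before FAILED
    passdetect_interval: int = 30   # seconds between probes while FAILED
    passdetect_count: int = 2       # consecutive successes before PASSED again
    expect_status: Tuple[int, int] = (200, 200)  # inclusive accepted range
    state: str = "PASSED"
    consecutive_fail: int = 0
    consecutive_pass: int = 0
    history: List[str] = field(default_factory=list)

    def accepts(self, status: Optional[int]) -> bool:
        """A probe succeeds only if a status arrived and is inside expect_status."""
        lo, hi = self.expect_status
        return status is not None and lo <= status <= hi

    def next_interval(self) -> int:
        """Failed servers are re-probed on the passdetect interval."""
        return self.passdetect_interval if self.state == "FAILED" else self.interval

    def observe(self, status: Optional[int]) -> str:
        """Feed one probe result and return the resulting server state."""
        ok = self.accepts(status)
        if self.state == "PASSED":
            if ok:
                self.consecutive_fail = 0
            else:
                self.consecutive_fail += 1
                if self.consecutive_fail >= self.faildetect:
                    self.state = "FAILED"
                    self.consecutive_pass = 0
        else:  # FAILED: need passdetect_count successes in a row
            if ok:
                self.consecutive_pass += 1
                if self.consecutive_pass >= self.passdetect_count:
                    self.state = "PASSED"
                    self.consecutive_fail = 0
            else:
                self.consecutive_pass = 0
        self.history.append(self.state)
        return self.state

def run_probe(probe: HttpProbe, responses: List[Optional[int]]):
    """Replay a sequence of probe responses; return (final_state, timeline)
    where timeline entries are (time_in_seconds, status, state_after)."""
    t = 0
    timeline = []
    for status in responses:
        state = probe.observe(status)
        timeline.append((t, status, state))
        t += probe.next_interval()
    return probe.state, timeline

# Constructed sample: healthy, two errors, a timeout, then recovery.
SAMPLE_RESPONSES: List[Optional[int]] = [200, 200, 503, 503, None, 200, 200, 200]

def demo():
    """Run the sample through a probe configured like 'http-probe' above."""
    return run_probe(HttpProbe(), SAMPLE_RESPONSES)

if __name__ == "__main__":
    final, timeline = demo()
    for t, status, state in timeline:
        print(f"t={t:>4}s status={status!s:>4} -> {state}")
    print("final state:", final)
```

    Two things the replay makes visible: the server is only pulled from rotation on the second consecutive error (t=30), and once FAILED it is probed every 30 seconds rather than every 10, so recovery takes two successes spaced 30 seconds apart. Note also that with `expect status 200 200` any status outside exactly 200, including a redirect, counts as a failed probe, so the expected range should match what the probed URL actually returns on the backend.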

  • Cisco ACE - Firewall load balancing

    I am using two sets of ACE load balancers for load balancing traffic across two firewalls (firewall load balancing).
    The solution works fine. I have a virtual address of 0.0.0.0 in either direction to match traffic going from the internal users to the internet and vice versa.
    The problem is that when I try to manage the load-balanced firewalls (either using SSH or HTTPS) from outside, that connection also gets load balanced, and when I try to connect to FW1 sometimes this connection ends up on FW2 and vice versa and the connection gets dropped. I have a workaround in place where I am using a virtual address per firewall to connect to the real IP address of the firewall.
    Is there any other way of managing firewalls (which are defined as real servers) in a FWLB setup?
    Attached is the configuration of the external ACE which has the two firewalls defined as the real servers.
    access-list ALL line 8 extended permit ip any any
    probe icmp ICMP-Probe
      interval 15
      passdetect interval 60
    rserver host FW1-ASA
      ip address 10.11.71.10
      inservice
    rserver host FW2
      ip address 10.11.71.11
      inservice
    serverfarm host Firewalls
      transparent
      predictor leastconns
      rserver FW1-ASA
        inservice
      rserver FW2
        inservice
    serverfarm host Firewalls-NO-LB
      rserver FW1-ASA
        inservice
    serverfarm host Firewalls-NO-LB1
      rserver FW2
        inservice
    sticky ip-netmask 255.255.255.255 address source new-sticky
      timeout activeconns
      serverfarm Firewalls
    This is my workaround for connection to the IP address of the firewalls (for management)
    class-map match-any FW-Real
      2 match virtual-address 10.11.71.254 any
    class-map match-any FW-Real2
      2 match virtual-address 10.11.71.253 any
    class-map type management match-any Remote-Access
      201 match protocol telnet any
      202 match protocol http any
      203 match protocol https any
      204 match protocol ssh any
      205 match protocol snmp any
      206 match protocol icmp any
    class-map match-any fwlb
      2 match virtual-address 0.0.0.0 0.0.0.0 any
    policy-map type management first-match Remote-Management-Policy
      class Remote-Access
        permit
    policy-map type loadbalance first-match FWLB-No-LB
      class class-default
        serverfarm Firewalls-NO-LB
    policy-map type loadbalance first-match FWLB-No-LB1
      class class-default
        serverfarm Firewalls-NO-LB1
    policy-map type loadbalance first-match FWLB-l7slb
      class class-default
        serverfarm Firewalls
    policy-map multi-match Firewall-No-LB
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
    policy-map multi-match Firewall-No-LB1
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
    policy-map multi-match int70
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input Firewall-No-LB --> connect to the real IP address of the firewall for management
      service-policy input Firewall-No-LB1  --> connect to the real IP address of the firewall for management
      service-policy input int70
      no shutdown
    interface vlan 71
      description "Firewall side"
      ip address 10.11.71.2 255.255.255.0
      mac-sticky enable
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      no shutdown

    Hello,
    as far as I know, there is no other way.
    You can only reduce your configuration by putting all your classes under the same policy-map:
    policy-map multi-match int70
      class FW-Real
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB
      class FW-Real2
        loadbalance vip inservice
        loadbalance policy FWLB-No-LB1
      class fwlb
        loadbalance vip inservice
        loadbalance policy FWLB-l7slb
    interface vlan 70
      description "Client side"
      ip address 10.11.70.2 255.255.255.0
      no icmp-guard
      access-group input ALL
      access-group output ALL
      service-policy input Remote-Management-Policy
      service-policy input int70
      no shutdown

  • Problem with ACE and Internet Explorer 8

    I have a problem with ACE (system A2(1.1)) and Internet Explorer 8.
    Specifically:
    ACE is configured as end-to-end SSL with 2 rservers and with sticky source address. When a user opens the virtual address from IEv7, the web portal (on Microsoft IIS) works fine.
    If the user opens the same web portal but using IEv8, the session is suspended after 60 seconds.
    I think that the reason is the HTTP keep-alive, which is sent every 60 seconds by the user's internet browser.
    Here is some information about this: http://en.wikipedia.org/wiki/HTTP_persistent_connection
    Do you have any idea how to resolve this problem: upgrade ACE, change the configuration on IIS or ACE?
    Please help.

    Hi Kazik,
    Using a persistent connection or HTTP keepalives should not have any negative effect on the ACE, so, giving you a straight-forward answer to fix it is not going to be easy.
    I would recommend you to open a TAC case to have this investigated further. When you do, please, provide the following data:
    A showtech from the Admin context of the ACE
    A traffic capture taken on the TenGig interface connecting the switch with the ACE backplane while doing a test connection (preferably one with IE7 and one with IE8 to compare)
    If possible, a copy of the SSL private key. Being able to decrypt the traffic capture to look inside the HTTP flow would really make troubleshooting much easier.
    Regards
    Daniel

  • A problem with ACL in the class-map on the ACE module

    Hi all,
    I configured the following on the ACE module:
    object-group network test
      host 192.168.1.21
      host 192.168.1.22
      host 192.168.1.23
    object-group service port
      tcp eq www
      tcp eq 8080
    access-list T line 8 extended permit object-group port object-group test any
    I tried to configure a class-map for matching this ACL:
    ACE-4710-2/Lab-OPT-11(config)# class-map match-any TEST_C
    ACE-4710-2/Lab-OPT-11(config-cmap)# match access-list T
    Error: Cannot associate acl having object-group ACEs in class-map.
    So can't I configure the class-map using an ACL with object-groups involved? Is it a bug or normal behaviour? Because the customer uses object-groups in ACLs and he has to configure ACLs without object-groups for the traffic classification. It is horrible.
    Thank you
    Roman

    Hi Roman,
    I'm afraid it's the expected behavior. You cannot use an ACL with object-groups inside a class-map.
    Regards
    Daniel
