Ace with servers in VMware

Hi;
I have a customer who has a test site with one ACE doing load balancing for a small farm (8 servers). Recently the customer moved his servers to VMware. The customer claims that since that change, the ACE is causing large delays. His claim is that when he points his clients' HTTP requests directly to the servers, bypassing the ACE, he receives normal response time. His claim is that the ACE is causing up to 30 sec delays. This was definitely not the case before they made their change.
I was wondering if anyone has any insight into this type of situation? Are there any specific ACE issues and load balancing factors that may surface when working with VMware, which are not noticeable with real servers?
The ACE is a blade in a 6500.
Thanks for any help.
Mickey

Hi Mickey,
Because this is an ACE module, you can just sniff the ten gig interface on the ACE. This way you will get everything coming in and out of the ACE. Now if you have a lot of traffic then this will be a bit overwhelming. So maybe you can find a lean period and do this exercise, or possibly pick a client PC from where you can repro the slowness and filter based on that.
Also, as you will be using Wireshark, you can write to multiple files so that you don't lose the interesting traffic.
I have attached the process of doing a ten gig capture to this post. Hope this helps.
Cheers
V.K

Similar Messages

  • One-armed ACE with servers gateway to ACE (no SNAT?)

    Hello ACE experts, I have two questions;
    Design;
    One-armed ACE appliance where the servers use the ACE as default gateway? (and ACE of course a default route to the router)
    Apparently it works in my lab… But since it’s not documented I wonder what the gotchas are?
    (This would eliminate the SNAT requirement for one-armed)
    I know I need;
    -no icmp-guard                 to allow ‘asymmetric icmp’
    -no normalisation            to allow asymmetric traffic when not using VIP (router to server is direct, but server response uses the ACE)
    And other question;
    Bandwidth license, apparently ALL traffic counts to this limit, even only routed traffic, is this true?
    So In routed mode, all traffic from server backend that needs to be routed over ACE - a backup!? - counts?
    Regards Kristof

    Hi
    The reason I used "process every packet" was that one of the advantages offered by one-arm mode is not having to process every packet. The main reason for one-arm deployment, as I mentioned previously also, is ease in placement of the ACE. We can have servers in any VLAN and can put the ACE altogether in a different VLAN. I guess this advantage is of no use for you because the servers are already in the same segment as the ACE.
    The main reason, as I understand it, that customers don't like the concept of SNAT is its restriction on reporting and security. The client IP will be hidden, so any reporting on servers for session sources (or for monitoring attacks) will not be fruitful. Although with features like XFF we can overcome this fault for HTTP traffic, customers still don't like the concept of hiding details of the IPs accessing their servers.
    Regarding B/W count in bridge mode, I am not 100% sure but believe here again all passing traffic will count, as the ACE still monitors every packet and decides whether it's passing traffic, part of load balancing, or hitting any of its configured policies.

  • Nexus 1000V. problem when working with the console VMWare

    I have a problem when working with the console VMWare.
    Sometimes it is impossible to connect any of the hypervisor to the guest OS managed by them.
    I get the message: "Unable connect to the MKS: Host address lookup for server <name of the hypervisor> failed: No such host is known."
    This message always appears in conjunction with the reconfiguration of virtual switch: "Reconfigure vNetwork Distributed Switch .... Initiated by Cisco_Nexus_1000V_ ....."
    Upon completion of the reconfiguration, console communication with the guest OS is restored, either on its own or after a reboot of srv-vc.
    In this time, I do not see any message in Nexus 1000v log.
    What is this?
    Thanks in advance.

    Smells of a DNS issue.  Are you sure your ESX hosts are reachable from your client via DNS hostname?  Try pinging them from a command prompt/terminal.  You may have DNS server issues.
    As a temp fix, edit your [windowspath]/system32/etc/drivers/hosts file and manually add the ESX host name and IP, then re-test.
    Regards,
    Robert

  • Does apple provide app developers with servers when publishing an app on their App Store?

    I want to develop apps for mobile devices for Apple's App Store and I was just wondering if I had to have my own servers to launch the app or if Apple provides an app developer with servers. I thought they did since they charge you $99 a year and take 30% of earnings.

    Apple supplies the infrastructure for app distribution, update management and payment handling using the App Store that runs on their servers, as mentioned above.
    Depending on your application you may also be able to use GameCenter or iCloud (which run on Apple servers) to support certain app features/functionality without having to run or pay for your own servers.
    Depending on your needs there may also be other (non-Apple) webservices, that may reduce the amount of work that you'll need to spend, to setup and maintain your servers.

  • ACE implementation with servers at remote locations

    Hi,
    We have two ACE appliances in the datacenter in failover mode. Currently, we are using route mode with two servers placed in the DC which are getting load balanced. Now, we are planning to move the servers to a new location and this location is reachable via WAN from the DC. Is there any challenge in moving the servers to a new location?
    1. Do we need to do any natting ?
    2. Is there any configuration document for ACE appliance using route mode with NAT ?
    Any help would be appreciated.
    Rgds./
    Sck

    There are 2 things to look at.
    1/ Make sure the ACE can reach the server (ping)
    2/ Make sure the return traffic from the server goes back to the ACE
    This 2nd point can be tricky when the servers are not directly connected to ACE.
    The servers will see the connections coming from clients (not ACE ip address), therefore they will use a default gateway to send the response which does not necessarily send traffic back to ACE.
    You may need policy routing on the gateway.
    Or you may have to configure client nat (in this case, the servers see the connections coming from ACE itself), but then you lose information about client source ip.  This can be solved by doing header insert but this is only possible for HTTP and it has a cost in terms of performance.
    The best option is to keep the servers close to the loadbalancer.
    If you want to move both servers, see if you can also move the loadbalancer to the same remote location.
    Gilles.

  • ACE implementacion with servers Lan in other Router

    Hi,
    I need help with this topology. I need to design a scenario where the LAN servers are behind another router; the connection between the ACE module and the LAN servers is through a routing protocol using a Layer 3 device like an ASA.
    I am confused about whether to use a context in routed mode or one-armed mode. I don't know what the best option is.
    I need help.
    Attached is a diagram of the scenarios.
    Regards,
    Fidel Gonzalez

    Hi Fidel,
    This should work in Routed or One-Armed, the only thing you need to be sure is that the response of the servers is going back to the ACE instead of going directly to the client.
    You probably will need to use source nat when the ACE sends the traffic to the servers.
    Cesar R
    ANS Team

  • ACE with sticky http-cookies across two server farms issue

    Hi,
    We need the same sticky HTTP cookie to be applied to two server farms (which are actually the same servers but listening on different ports in each farm) to persist sessions to the same real backend server.
    e.g.
    Farm1 (front end HTTP service) - StickyGroup1
    rserver1 - 192.168.0.1:80
    rserver2 - 192.168.0.2:80
    rserver3 - 192.168.0.3:80
    Farm2 (SSL front end authentication service) - StickyGroup2
    rserver1 - 192.168.0.1:443
    rserver2 - 192.168.0.2:443
    rserver3 - 192.168.0.3:443
    We have setup two Sticky Groups (one for each of the farms above) both using the same cookie name e.g. cookieXYZ
    Our service is behind a single virtual server configured as follows (example URL and addresses):
    Virtual Server Configuration
    Virtual server name: www.somedomain.com
    Virtual IP: 2.2.2.2
    TCP/443 (https)
    SSL Termination - Proxy service name: www.somedomain.com (all keys and certs loaded and correct)
    L7 Load Balancing - **inline** rule match HTTP URL:(/AuthenticateMe/).*  Action : Sticky, Group: StickyGroup2, SSL Initiation enabled (www.somedomain.com)
    Default L7 Load Balancing action : Sticky, Group: StickyGroup1
    So normally we would expect users to hit www.somedomain.com first and therefore Farm1, get cookieXYZ from the ACE (cookie insert is only enabled on StickyGroup1) and then be redirected to www.somedomain.com/AuthenticateMe, which matches the inline URL L7 rule which directs the request at Farm2. At this point we expected the ACE to use cookieXYZ to persist the user to the same real server hit in Farm1, but instead the stickiness doesn't seem to work.
    We suspect that the ACE uses IP:port as the unique value in the Cookie ID and therefore the ACE fails to match the same real host in a different farm because we are using a mix of port numbers across farms. Is this correct? Is there another way of accomplishing what we are after with a different configuration but still the same setup with single VIP and multiple services on the backend servers?
    Any suggestions or solutions appreciated.
    Thanks
    Paul

    The issue is related to the fact that it's not about persistence because there are only "new" services in the backend in SSL, you want to keep the IP address.
    With a little bit of dev, the only way to achieve this is to redirect the user when he has been sent to HTTP and add a "tag" (cookie / token in the URL), then on the SSL virtual server, when performing SSL offload, match this tag to send the user to the right server. But it will be a 1-to-1 mapping.

  • [ACE] Real servers and VIP in the same VLAN

    Hello.
    I'm facing an issue because the real servers and the VIP address are in the same VLAN. When a request comes from an external client to the VIP (crossing an ASA firewall), the ACK comes back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
    My question is if there is some way to make the VIP the address that ACKs those requests? Creating a new VLAN would be complicated because there are other services already running on those real servers.
    Thanks a lot,
    Miquel

    Hi Miquel,
    Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
         ==========================================================================
         One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
         ==========================================================================
    login timeout 0
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 192.168.1.11
      inservice
    rserver host SERVER_02
      ip address 192.168.1.12
      inservice
    rserver host SERVER_03
      ip address 192.168.1.13
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 451
    interface vlan 451
      description Servers vlan
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Let me know if you have any question.
    Regards,
    Kanwal

  • ACE with nonat

    Hello,
    I have a static NAT configured on my ACE that translates an internal IP to an external IP, but I want the same internal IP to maintain its IP when destined to a certain network. It's the same concept that is used on PIX/ASA with a nonat rule (nat 0). Any ideas on how to accomplish this?
    Here's my static NAT config:
    class-map match-all cmap-static-10.20.1.10
    2 match source-address 10.20.1.10 255.255.255.255
    policy-map multi-match pmap-nat-vl4001
    class cmap-static-10.20.1.10
    nat static 5.5.5.5 netmask 255.255.255.255 vlan 501
    interface vlan 4001
    service-policy input pmap-nat-vl4001
    Thanks,
    Lee

    I hate to dredge up an old post, but this sounds exactly like an issue I am researching and I was wondering if anyone could help expand on this.
    I have a serverfarm that I want everyone to hit with NAT'd addresses except for two IPs, but when I attempt to add a "match access-list" to the class-map (which already has a match virtual-address), I get an error that I cannot add other match types.
    class-map match-all VIP_HOST1
      2 match virtual-address 172.1.1.100 any
    Basically I have a serverfarm (HOST1.domain.com) that has two rservers (10.1.1.101 and 10.1.1.102) that use VIP 172.1.1.100. I have two other servers (10.1.1.201 and 10.1.1.202) that will use the VIP of HOST1, but I do not wish for those two IP's to get NAT'd.
    Thanks for any assistance!

  • How do I license my Physical Windows and Unix/Linux Servers for VMware VCM?

    I currently have vCenter Operations Manager Suite Enterprise edition which will allow me to manage my VMware VMs with VCM.
    I would also like to manage my 300-500 Physical Windows and Linux/Unix Servers.
    What license do I need to buy to achieve this?
    Cheers,
    /m

    You need an OS Instance (OSI) license for each managed endpoint.
    vRealize Suite Cloud Management Platform Purchasing | United States
    Cheers,
    Paul

  • Display Questions with Retina and VMware Fusion (Windows 7/8)

    Looking to buy my first MacBook Pro and looking to make sure I get the specs I need and have a couple of questions.
    I would like to be able to run (simultaneously)
    During the day for work:
    Windows 7 x64 - 30GB HD - 1 Core - 1GB Ram - Purpose: Has a VPN client that allows me to VPN and RDP only
    Windows 8.1 x64 - 60GB HD - 2 Cores - 4GB+ Ram - Purpose: Office 2013 installed on this VM and all my other work applications (light weight)
    OSX 10.10 - Whatever it can take - Light Web Browsing etc while at work.
    After work:
    Guess it doesn't matter really - i'd like to play games (bootcamp fine) if possible too. Nothing crazy so barely worth mentioning.
    My main questions:
    Display: Iris Pro or nVidia - Can the base 15 inch GPU/CPU handle the two VMs at the same time plus the host OS (OSX) without hiccups?
    Display: How does VMware Fusion recognize the discrete GPU - will the system be smooth/quiet without activating it?
    Battery life: Virtualization is pretty heavy battery wise. Does anyone know what happens to the battery when you're running a couple VMs?
    Display: How is running Windows 7/8 on a MacBook with a specifically retina display? Do the Windows PCs look really ugly/blurry due to such a high resolution?
    What is the minimum hardware required for these VMs to run fast and responsive? (CPU/GPU/RAM only)
    Thanks!!

    Sorry - we're users here, just like you, and some questions just get lost sometimes.
    The faster the hardware you can buy, the easier you'll be able to run Windows. If you use Boot Camp to run Windows (7, 8 or 8.1) the machine will run at its best. If you want to run Windows alongside the Mac OS, you'll need to use a VM application (I use Parallels - I've tried VMware Fusion but like Parallels better and it just works best for me).
    So, to your questions:
    The Retina machine with the NVIDIA GPU will be the fastest - it's a faster processor and has more VRAM.
    Any VM is going to use resources - how much RAM, for example, is up to you. I have 16 GB of RAM and 8GB dedicated to Parallels/Windows 7 Pro.
    I wouldn't (and you really can't) run a VM for very long on battery. If you're using VM's, that's the time to plug into mains. Running a 'couple' of VM would put further heavy use on your GPU, CPU and shorten your battery life.
    I would make sure to get a good, fast quad-core i7 processor, the 2GB of VRAM NVIDIA GPU and the maximum amount of RAM (16GB).
    Good luck,
    Clinton

  • Problems with flash in VMware

    Hi all,
    I am currently having trouble with flash player in VMware.  Some flash content works fine while others do not.  For example, when navigating to youtube the banner will not load correctly but I can watch a video with no issues.  Have gone through the reinstallation process to no avail.  Flash player was working properly before the update and the issue does not occur in a native machine with the same specs.  Any help would be greatly appreciated.
    Thank you in advance.
    Specs:
    Native OS: Mac OS X 10.6.8
    VMware Fusion 3.1.3 running Windows 7 Professional 64bit SP 1
    Browser: Internet Explorer 9 32bit
    Flash Version:  10.3.181.34

    Thank you for adding this.  I've added my vote and I'd like to suggest to others impacted by this to take a minute, visit the bug, add their vote and make a comment.
    https://bugbase.adobe.com/index.cfm?event=bug&id=2940665
    Chris

  • Cisco Prime Collaboration Deployment with BE7K and VMWare license

    Hello, I am looking for some help trying to figure out if Cisco Prime Collaboration Deployment can be used to upgrade our existing 7.1.5 cluster.  From what I have read there is an API problem with the VMware license that comes with the BE7K.  But after reviewing the BOM/quote from my VAR, it lists the foundation license, which based on the release notes is supported.
    UCSS-U-VMW-FND-5-1
    UCSS Cisco UC Virt. Foundation  Five Year - 1 server
    Has anybody out there had experience with PCD and BE7K?
    This is from release notes of PCD
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/10_5_1/CUCM_BK_P139675A_00_pcd-rns-1051/CUCM_BK_P139675A_00_pcd-rns-1051_chapter_010.html
    Search for “Business Edition 7000” and it will state it is not supported with PCD.  It is because the licenses that the BE 6k and 7K are shipped with don’t enable certain VMware APIs that PCD needs.
    “Virtualization Software License Compatibility
    Cisco Prime Collaboration Deployment is not compatible with all license types of VMware vSphere ESXi, as some licenses do not enable required VMware APIs.
    The following are compatible with Cisco Prime Collaboration Deployment:
    Cisco UC Virtualization Foundation (appears as "Foundation Edition" in vSphere Client)
    VMware vSphere Standard Edition, Enterprise Edition, or Enterprise Plus Edition
    Evaluation mode license
    The following are not compatible with Cisco Prime Collaboration Deployment:
    Cisco UC Virtualization Hypervisor (appears as "Hypervisor Edition" in vSphere Client)-preloaded on Cisco Business Edition 6000 and Business Edition 7000
    VMware vSphere Hypervisor Edition
    Any help would be appreciated.
    JP

    Thanks Jamie for responding, we haven't made any purchases yet but I wanted to ensure we are purchasing a solution that won't lead to a lot of frustration.  We only have 1000 phones so we are pretty small and the BE7K seems to be a good fit and value.
    Cheers,

  • ACE with cache engine "spoof" mode

    If the Cache Engine uses spoof mode, how should the ACE be configured to support this mode? Is there any command to add to the ACE?

    I am looking into this myself. Can the ACE work in this fashion:
    Clients VLAN 10
    Internet VLAN 20
    Cache Servers VLAN 30
    Traffic that comes in from clients on vlan 10, any of it that is tcp port 80, send to the cache on vlan 30. Traffic coming back from the internet, vlan 20, if its tcp port 80, send to the cache on vlan 30.
    It's basic layer 4 redirection. But when the traffic goes to the cache, the cache is not going to use its own IP to make the internet request, it's going to use the client's IP. This is why a map is needed on vlan 10 and vlan 20, to ensure traffic is pipelined thru the ACE. Has anyone done this?

  • ACE with TACACS+ Issue

    Trying to get ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
    The "optional" syntax does not work. Any idea if the argument is valid for the ACS version ?
    service=exec
    optional shell:Admin=Admin domain
    Tried it with quotations but that didn't work either.

    Hi,
    Here is a reference doc for configuring ACE for Tacacs+ authentication,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/aaa.html#wp1321891
    Under custom attribute for Tacacs+ we need to specify attribute as,
    shell:Admin*ADMIN MYDOMAIN1
    = means mandatory attribute
    * means optional
    Information on context/role/domain (Virtualization on ACE):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html
    Default "role" on ACE:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/virtualization/guide/ovrview.html#wp1051297
    HTH
    JK
    Plz rate helpful posts-
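
The custom-attribute syntax discussed in the TACACS+ thread above can be checked before it is pasted into ACS. This is an added example, not code from the thread or from Cisco; it assumes the value after the separator is a role followed by optional domain names and that the name after `shell:` is the ACE context, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass, field

# One TACACS+ attribute-value pair: name, separator, value.
# "=" marks the attribute mandatory, "*" marks it optional (as stated in the thread).
_AV_PAIR = re.compile(r"^(?P<attr>[^\s=*]+)(?P<sep>[=*])(?P<value>.*)$")


@dataclass
class AceShellAttr:
    context: str          # name after "shell:" (assumed to be the ACE context)
    mandatory: bool       # True for "=", False for "*"
    role: str             # first token of the value (assumed layout)
    domains: list = field(default_factory=list)  # remaining tokens


def parse_ace_shell_attr(text):
    """Parse one custom-attribute line; raise ValueError if it is malformed."""
    text = text.strip()
    m = _AV_PAIR.match(text)
    if m is None:
        # Covers a leading keyword such as "optional ..." or a missing separator.
        raise ValueError("not a single attr=value / attr*value pair: %r" % text)
    attr = m.group("attr")
    if not attr.startswith("shell:") or attr == "shell:":
        raise ValueError("attribute must be shell:<context>: %r" % attr)
    tokens = m.group("value").split()
    if not tokens:
        raise ValueError("value must start with a role name")
    return AceShellAttr(
        context=attr[len("shell:"):],
        mandatory=(m.group("sep") == "="),
        role=tokens[0],
        domains=tokens[1:],
    )


def lint(lines):
    """Return (line, parsed-or-None, error-or-None) for each candidate line."""
    report = []
    for line in lines:
        try:
            report.append((line, parse_ace_shell_attr(line), None))
        except ValueError as exc:
            report.append((line, None, str(exc)))
    return report


# The two strings quoted in the thread, plus one constructed malformed line.
SAMPLES = [
    "shell:Admin*ADMIN MYDOMAIN1",        # form given in the reply
    "optional shell:Admin=Admin domain",  # form the question says did not work
    "shell:Admin*",                       # constructed: separator but no role
]

if __name__ == "__main__":
    for line, parsed, error in lint(SAMPLES):
        print(line, "->", parsed if error is None else "REJECTED: " + error)
```
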
