Ace4710 one-armed mode case
hi all
If ace4710 one-armed mode must have two subnet ?
and sw or router must config pbr or snat ?
tks
thank you
I config it successful
but another question
1:Shutdown left or right realservice ,test ok
2:Shutdown1.1.1.28 7001 and 1.1.1.29 7002 test result :telnet 1.1.1.19 7001 Ok
Telnet 1.1.1.19 7002 fail ;but telnet 109.101.108.29 7002 test ok
3:cross shutdown realservice why only single service ok?
1.1.1.28
Tcp port 7001
Tcp port 7002
Tcp port 7009
1.1.1.29
Tcp port 7001
Tcp port 7002
Tcp port 7009
VIP 1.1.1.19
[BEGIN] 2012/6/17 18:47:48
sh run
Generating configuration....
logging enable
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
limit-resource rate bandwidth minimum 20.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
peer hostname SFMI-2
hostname SFMI-1
shared-vlan-hostid 2
peer shared-vlan-hostid 1
interface gigabitEthernet 1/1
shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
ft-port vlan 199
switchport trunk native vlan 1
--More--
switchport trunk allowed vlan 1-3,6-8
no shutdown
interface gigabitEthernet 1/4
shutdown
clock timezone shanghai 8 10
context Admin
member RC1
access-list SFMI-ACL line 10 extended permit icmp any any
access-list SFMI-ACL line 20 extended permit ip any any
access-list SFMI-ACL line 30 extended permit tcp any any
probe tcp 7001
port 7001
interval 30
faildetect 1
passdetect interval 30
passdetect count 2
receive 2
--More--
open 2
probe tcp 7002
port 7002
interval 30
faildetect 1
passdetect interval 30
passdetect count 2
receive 2
open 2
probe tcp 7008
port 7008
interval 30
faildetect 1
passdetect interval 30
passdetect count 2
receive 2
open 2
probe tcp 7009
port 7009
interval 30
faildetect 1
passdetect interval 30
--More--
passdetect count 2
receive 2
open 2
probe icmp PROBE-ICMP
interval 10
faildetect 1
passdetect interval 2
passdetect count 1
receive 1
rserver host Rserver1
ip address 1.1.1.28
inservice
rserver host Rserver2
ip address 1.1.1.29
inservice
serverfarm host SERVERFARM
probe 7001
probe PROBE-ICMP
rserver Rserver1
inservice
--More--
rserver Rserver2
inservice
serverfarm host SERVERFARM2
probe 7002
probe PROBE-ICMP
rserver Rserver1
inservice
rserver Rserver2
inservice
serverfarm host SERVERFARM3
probe 7009
probe PROBE-ICMP
rserver Rserver1
inservice
rserver Rserver2
inservice
sticky ip-netmask 255.255.255.255 address source SGROUP1
timeout 300
serverfarm SERVERFARM
sticky ip-netmask 255.255.255.255 address source SGROUP2
timeout 300
--More--
serverfarm SERVERFARM2
sticky ip-netmask 255.255.255.255 address source SGROUP3
timeout 300
serverfarm SERVERFARM3
class-map match-all VIP-17
2 match virtual-address 1.1.1.19 any
class-map match-all VIP-18
2 match virtual-address 1.1.1.19 any
class-map match-all VIP-19
2 match virtual-address 1.1.1.19 any
class-map type management match-any remote-manage
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
5 match protocol https any
6 match protocol http any
7 match protocol snmp any
policy-map type management first-match remote-manage
class remote-manage
--More--
permit
policy-map type loadbalance first-match VIP-17
class class-default
sticky-serverfarm SGROUP3
policy-map type loadbalance first-match VIP-18
class class-default
sticky-serverfarm SGROUP2
policy-map type loadbalance first-match VIP-19
class class-default
sticky-serverfarm SGROUP1
policy-map multi-match global
class VIP-19
loadbalance vip inservice
loadbalance policy VIP-19
loadbalance vip icmp-reply active
nat dynamic 1 vlan 6
class VIP-18
loadbalance vip inservice
loadbalance policy VIP-18
loadbalance vip icmp-reply active
--More--
nat dynamic 1 vlan 6
class VIP-17
loadbalance vip inservice
loadbalance policy VIP-17
loadbalance vip icmp-reply active
nat dynamic 1 vlan 6
interface vlan 6
ip address 1.1.1.4 255.255.255.0
peer ip address 1.1.1.5 255.255.255.0
no normalization
access-group input SFMI-ACL
access-group output SFMI-ACL
nat-pool 1 1.1.1.99 1.1.1.99 netmask 255.255.255.0 pat
service-policy input global
service-policy input remote-manage
no shutdown
Similar Messages
-
ACE One Arm Mode vs Routed Mode
Gents,
When is it required to use the One Arm Mode and one do I use the routed mode? Actually I am confused and would really like to know the pros and cons of each?
Regards,
HeshamHi Hesham,
When you do not want to change the physical topology of your network then you usually go with ONE ARM mode.
Such as default gateway on server, IP addressing on servers. In this case client can access the server directly as well.
Its a flat network topology where your VIP and servers are in the same network ( VLAN ).
You use routed mode when you want to segregate the servers in seperate vlan and don't want to allow client to access it directly.
Client and VIP in same VLAN >>> ACE >>>>>> Server VLAN ( In this case we usually point the default gateway to ACE)
hope it helps.
regards,
Ajay Kumar -
I'm using an Ace 4710 Appliance deployed in One-Armed mode, using Source NAT to loadbalance HTTP request to a couple of Proxy servers.
Everything is working fine, but the thing is that I can't see the Clients IP addresses on Proxy's logs, so I can't keep track of them.
The Interfaces and Nat configs are:
interface vlan 200
description Server-Side-VLAN
bridge-group 5
nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
service-policy input VIPS
interface vlan 300
description Client-Side-VLAN
bridge-group 5
interface bvi 5
ip address 10.1.1.3 255.255.248.0
description Client-Server-Virtual-Interface
ip route 0.0.0.0 0.0.0.0 10.1.1.1
and the policy map looks like this
policy-map multi-match VIPS
class Port80
loadbalance vip inservice
loadbalance policy Port80
nat dynamic 5 vlan 200
Resource assignment:
sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
timeout 5
serverfarm Service80
Any suggestions will be appreciated,
ThanksHi Kanwal,
Thanks for your quick reply,
I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
But I'll try again tomorrow and let you know how it goes.
Thank you again. -
is it possible to preserve the clients originating IP address somewhere while using the 4710 in one armed mode? I have a situation where the client source ip is needed, and I am deciding between one-armed mode and inline. I'd like to use one-armed, so that only load balanced traffic traverses the load balancer, but I haven't seen an example where that can be done without loosing the clients src address.
Only thing I can think of is http header-insertion. Create an action-list, that inserts the original client src.ip/port into the http-header. The configuration is quite simple:
action-list type modify http name
header insert both Host header-value %is:%ps
Then apply the action-list to your loadbalance policy-map.
Take a look at the url below for futher information:
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1131842
But that depends on your situation. If is the original client src.ip/port is expected in the L3/L4 header, this won't cut it. Is this for logging purposes or some form of packet filtering ?
If you intend to run your ACE in one-arm mode, in my opponion, src.nat and header-insertion is your only option.
hth
/Ulrich -
Is't Single-VLAN One-Armed Mode let the pop-ups error?
Dear all
In my network I deployed Single-VLAN One-Armed Mode In this mode,the real server’s default gateway is the upstream router. To ensure the return
flow traverses back through the load balancer, the IP address of the client isrewritten to that of the load balancer.
Direct access web was fine ,however when open Pop-ups website will appear error Example, the figure-1 :
figure-1
When I used real Server IP address not through ACE anything will be fine. Example, the figure-2 :
figure-2
The Web's Code
<%@ page language="java" pageEncoding="UTF-8"%>
<%@ taglib uri="/WEB-INF/hnisi.tld" prefix="hnisi"%>
<%@ include file="/jsp/framework/head.jsp"%>
<%@ page import="cn.sinobest.framework.util.DTOUtil,cn.sinobest.framework.util.Util,cn.sinobest.framework.util.ConfUtil" %>
<%
//当前登录用户 所属系统机构
String orgCode = DTOUtil.getUserInfo().getBAE001();
//操作员ID
String operId = DTOUtil.getValue("OPERID");
//角色类型
String roleType = DTOUtil.getValue("ROLETYPE");
String fromFuncDesc = DTOUtil.getValue("fromFuncDesc");
//所选操作员的姓名
String sOperatorName = DTOUtil.getValue("SOPERATORNAME");
//权限树 where 条件
String whereClsTree = " rightid in ( select distinct B.RIGHTID "+
" from FW_RIGHT B"+
" left join FW_OPERATOR2RIGHT A on LOCATE(B.RIGHTID,A.RIGHTID) = 1"+
" where A.AAE100 ='1'"+
" and B.AAE100 ='1' and A.operid = '"+operId+"' ";
//条件:有效角色,当前登录用户只能操作用户所属系统机构及下级机构的角色,以及上级机构的共享角色
String whereCls =" AAE100 ='1' and (BAE001 like '"+orgCode+"%' or ( IFSHARED = '1' and LOCATE(BAE001,'"+orgCode+"') = 1))";
if(!Util.isEmpty(roleType)){//角色类型
whereClsTree +=" and AUTHTYPE='"+roleType+"' ";
String roleType_zdfpzj = ConfUtil.getDict("ROLETYPE", "13");//最大分配角色
if("2".equals(roleType)){//分配角色包括:分配角色、最大分配角色
whereCls += " and ROLETYPE in('"+roleType+"','"+roleType_zdfpzj+"') ";
}else{
whereCls += " and ROLETYPE='"+roleType+"' ";
whereClsTree +=" )";
%>
<%-- 导航栏标签 --%>
<hnisi:gNavStr />
<legend style="cursor:hand;" >
<span>
<img id="img_fw_authmngr_geneauth_list_grid" src="${ctx}/themes/default/images/query_icon_right.gif">
</span>
<span title="单击展开或收缩">
<b><%=sOperatorName%></b>已拥有的权限树
<hnisi:tree id="menus" type="1" whereCls="<%=whereClsTree %>"/>
</span>
</legend>
<form name="roleListForm" method="post">
<%-- 角色列表--%>
<hnisi:glt id="fw_authmngr_geneauth_role" whereCls="<%=whereCls %>" />
<p align="center">
<%-- 确定按钮 --%>
<hnisi:btn name="btnQuery" onclick="roleAutoOk()" value="保存" href="javascript:void(0)"/>
<%-- 清除按钮 --%>
<hnisi:btn name="btnCls" onclick="cls()" value="清除" href="javascript:void(0)"/>
<%-- 关闭按钮 --%>
<hnisi:btn name="btnClose" onclick="winClose()" value="关闭" href="javascript:void(0)"/>
</p>
</form>
<form name="roleForm">
<input type="hidden" name="OPERID" value="<%=operId %>"/>
<input type="hidden" name="ROLEIDS">
</form>
<script type="text/javascript">
<!--
var orgCode ="<%=orgCode%>";
var operId ="<%=operId%>";
var roleType ="<%=roleType%>";
* 权限列表窗口
* @param roleId:角色ID
function winRight(roleId){
var eventId="1";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&ROLEID=" + roleId+"&_t="+new Date().getTime());
* 确定-保存授权信息
function roleAutoOk(){
$(function(){
var roleIds = "";
$.each($("input[name='checkbox']:checked"),function(i,o){
roleIds += (i==0 ? "" : ",")+o.value;
if (roleIds == ""){
FWalert("请选择要操作的角色!");
return;
roleForm.ROLEIDS.value = roleIds;
var params = FWGetForm(roleForm);
if(params.ROLEIDS ==""){
FWalert("请选择要操作的角色!");
}else {
var fromFuncDesc = "<%=fromFuncDesc%>";
//先进入本次权限变更列表页面,确认后再保存
var title = encodeURIComponent('授权确认');//对话框的标题
var url = "right!list.do?OPERID="+operId+"&fromFuncDesc="+fromFuncDesc+"&ROLETYPE="+roleType+"&ROLEIDS="+roleIds+"&title="+title+"&_t="+new Date().getTime();
var position="resizable:1;status:0;help:0;scroll:1;center:1;dialogWidth:800px;dialogHeight:500px";
window.showModalDialog(url,window,position);
* 直接授权:弹出权限树窗口
function directAuto(){
var eventId="2";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&OPERID=" + operId+"&_t="+new Date().getTime());
* 清除:清除已选择的角色 checkbox
function cls(){
var c_checkbox=document.getElementsByName('checkbox');
for (i=0;i<c_checkbox.length;i++){
c_checkbox[i].checked=false;
* 关闭窗口
function winClose(){
window.close();
//-->
</script>
</body>
</html>
The ACE's config
`show running-config`
Generating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
interface gigabitEthernet 1/1
switchport access vlan 100
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
switchport access vlan 3
no shutdown
access-list ALL line 8 extended permit ip any any
access-list allowany line 8 extended permit ip any any
access-list allowany line 16 extended permit icmp any any
probe icmp Ping
interval 2
faildetect 2
passdetect interval 2
passdetect count 1
receive 2
probe tcp TCP6666
description RPC Client Access
port 6666
interval 30
passdetect interval 60
connection term forced
open 10
probe tcp TCP8888
description RPC Client Access
port 8888
interval 30
passdetect interval 60
connection term forced
open 1
rserver host YB1
ip address 110.43.102.241
inservice
rserver host YB2
ip address 110.43.102.245
inservice
rserver host YB3
ip address 110.43.102.246
inservice
rserver host YB4
ip address 110.43.102.247
inservice
rserver host YB5
ip address 110.43.102.248
inservice
rserver host YB6
ip address 110.43.102.242
inservice
serverfarm host YB01farm
predictor leastconns
probe TCP6666
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
serverfarm host YB02farm
predictor leastconns
probe TCP8888
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
parameter-map type http PRESIST-REBALANCE
persistence-rebalance
sticky ip-netmask 255.255.255.255 address source YB01-GRP
timeout 60
replicate sticky
serverfarm YB01farm
sticky ip-netmask 255.255.255.255 address source YB02-GRP
timeout 60
replicate sticky
serverfarm YB02farm
sticky http-cookie COOKIE1 STICKYYB01
cookie insert browser-expire
timeout 3600
replicate sticky
serverfarm YB01farm
action-list type modify http IP-header
header insert request X-Forwarded-For header-value "%is"
class-map match-all YB01-slb-vip
2 match virtual-address 110.43.102.251 any
class-map match-all YB02-slb-vip
2 match virtual-address 110.43.102.252 any
class-map type management match-any remote_access
description remote-access-traffic-match
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance http first-match YB01-slb
class class-default
sticky-serverfarm STICKYYB01
action IP-header
policy-map type loadbalance http first-match YB02-slb
class class-default
sticky-serverfarm YB02-GRP
action IP-header
policy-map type loadbalance first-match YB6666
class class-default
sticky-serverfarm STICKYYB01
action IP-header
insert-http https header-value "on"
policy-map multi-match client-vips
class YB01-slb-vip
loadbalance vip inservice
loadbalance policy YB6666
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
appl-parameter http advanced-options PRESIST-REBALANCE
class YB02-slb-vip
loadbalance vip inservice
loadbalance policy YB02-slb
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
interface vlan 3
ip address 192.168.50.2 255.255.255.240
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 100
ip address 110.43.102.238 255.255.255.0
access-group input allowany
nat-pool 100 110.43.102.239 110.43.102.239 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 110.43.102.112Hi,
The error comes when accessing the website through LB. The error is thrown by the server. Do we know what does that error indicate and will be thrown by server under what circumstances?
Can you just try with one server in the serverfarm and check if it works fine?
Does it load initial page at all or throws error right away.
What do you see in show conn output? Which VIP is in question here?
Regards,
Kanwal -
Probe fail on Standby ACE in One-armed mode
Hi there
I'm Kilsoo.
I made One-armed mode using ACE.
Real servers are in away Vlan from ACE.
So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
And, the probe from active ACE works well.
But, the probe from standby ACE was fail.
At this point, my first question
Is it normal situation that the probe fail from standby ACE????
So, I made the route-map for PBR like below for temporary solution.
route-map deny PBR 5
match ip address Probe_ACL
route-map permit PBR 10
match ip address L4_ACL
set ip next-hop <Alias IP address>
ip access-list extended Probe_ACL
pemit ip any <Standby ACE's IP address>
ip access-list extended L4_ACL
permit tcp <Real server's IP address> eq 80 any
Second question...
Do you have any other good solutions???
ThanksHi Cesar
Thanks for your reply.
But I think I was confuse when I wrote the message.
I used both ace's vlan ip address for next-hop ip address like your advice.
Do you know the standby ace can't check probe without route-map in one-armed mode like below diagram???
Backbone Router
|
|
|
Supervisor --------------------ACE(vserver: 172.19.100.100)
| (vlan 200)
|
|
|(vlan 110)
|
|
Real servers
(172.19.110.111) -
CSM in one armed mode Redundancy
Hi,
I have a customer with a one arm setup. However they have no server vlan, only a client vlan. They are using source nat and it is working, however I am unsure how to setup redundancy as the alias command seems to be generally used on the server vlan.
i am running hsrp and a ft vlan accross the csm's
Does anyone have any experience of this type of setup, do i need to add any additional config for fault tolerence??
Cheers
ScottScott,
you can use the alias and whatever vlan [client or server].
It is required if your servers or clients are using the CSM as default gateway.
There is no special config required when doing fault tolerance in one-armed mode.
It's the same as inline mode.
Gilles. -
Source IP in One armed Mode ACE
Hi,
How do we find actual Client Source IP address in One armed mode ACE for NON-HTTP application like LDAP,FTP and etc....It's not possible. Insertion within header works only for HTTP and HTTPS with SSL offload.
-
Virtualisation and One Arm mode
Hi All ,
Is it possible to make one context and one arm mode and rest in normal
-parveesYes, no restriction. 1-arm mode is just placing the VIP in server's subnet and using source NAT for clients.
-
Web logs in one arm mode?
We use a CSS11503 one arm mode but the web servers only see the nat addresses.
Does any have a tool or way of getting the external addresses to the web team.I'd like to know this as well...
-
Cannot ping VIP in One-Arm mode
Hello.
I can ping the ip addresses of the vlan and access via management, the real-servers are Active along with the VIP service (ie. show service-policy) but I cannot ping the VIP interface and traces do not show any traffic hitting it because the 6500 the ACE (vc4710ace-mz.A1_8_0a) is connecting to has no ARP entry for the VIP.
It's in One-Arm mode; one gig-link to core, vlan 141.
I've attached the config.
Anyone got any ideas what I'm missing, please?Hi,
the default gateway of your servers is the upstream router.
Have a look at following link: http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example
Nevermind the picture, it should look more like this: http://docwiki.cisco.com/wiki/SSL_Termination_on_the_Cisco_Application_Control_Engine_Using_an_Existing_Chained_Certificate_and_Key_in_One_Arm_Mode_Configuration_Example
HTH,
Dario -
Can I configure csm as one arm and routing mode at the same time?
My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
Thanks in advance.
JasonGille,
Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
Thanks
Jason -
Hello Forum, ;-)
I have 2 basic questions I am having doubts about it and would love to have some clarifications:
1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below :
---- Context Microsoft ----
ACE1/Microsoft# sh run
interface vlan 503
bridge-group 3
access-group input NONIP
access-group input ALL
access-group output ALL
service-policy input POLICY
no shutdown
interface vlan 1503
bridge-group 3
access-group input ALL
access-group output ALL
no shutdown
interface bvi 3
ip address 120.223.22.30 255.255.255.0
no shutdown
Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work:
---- Context Juniper----
ACE1/Juniper(config)# int vlan 503
Error: VLAN creation is not allowed, shared bridged VLAN exists in another context
ACE1/Juniper(config)#
It gives ERROR!!
So if I configure an interface as bridged in one Context, I cannot configure it in another context??
2) If I want to migrate in context Microsoft from One-armed to inline (L-2 bridged), can I migrate one service at the time ( I.e. the config i showed above for context Microsoft, would it work also for one-armed based???)
Thanks so much for your explanations!!
Giulio.Hello Giulio-
You can only share vlans in one-armed or routed modes. Think of it this way:
Interface vlan 10 and 11 are bridged on context C1. (bridged mode)
Interface vlan 12 and 13 are configured on context C2. (routed mode)
When you have routed mode, your server's gateway is configured to point to the ACE interface IP (or alias if you are have FT.) If a packet comes into the physical interface on the ACE, the processor has to decide which context it belongs to. Since the mac address is the interface on context X, it knows instantly where it goes. It will either hit a VIP, or be routed via the routing table.
If a packet arrived on vlan 12 or 13 and the MAC address did not belong to the ACE, it would drop the packet by basic routing rules. (think a client connected to a hub sees a packet destine to a MAC that is not its own, it drops/ignores the packet.)
In bridged mode, the gateway for your server is the router on the other side of the bridged vlan. I.e., you server is on vlan 10, the gateway is on vlan 11 and ace is bridging them together. When packets arrive to the physical interface, ACE knows the traffic arrived on vlan 10 or 11 which belongs to context C2. If the MAC address is not a VIP, ACE simply hucks the packet out of the other vlan. If you send traffic to the interface MAC that does not belong to a VIP, ACE drops it because it would not make sense to send a packet out the other vlan that has a MAC address that belongs to the interface of the ACE itself.
One-armed mode is simply routed mode with a single vlan and source NAT. Nothing special applies to how ACE handles the traffic versus routed mode with only a single vlan.
Now imagine this:
Interface vlan 10 and 11 are bridged on context C1.
Interface vlan 11 and 12 are configured on context C2.
Remember 3 things:
a.) ACE conserves MAC addresses - so the VIPs share MAC addresses with the interface.
b.) ACE will never communicate between 2 contexts directly.
c.) If you are in a routed mode and share vlans between 2 contexts, ACE will make each vlan have a unique MAC address. If you create unique vlans on each context, ACE uses the same single MAC across all vlans for all contexts.
With traffic that is destine to ACE's MAC address and the IP is a VIP, its not a problem - ACE could figure out which context the traffic belongs to (especially since vlan 11 would have unique mac addresses on each context. However, what if ACE recieved a packet to the interface 10 and 12 MAC address? How would it know if it belonged to the bridged or routed context if it was not a VIP IP? What about traffic that arrives that doesn't have the MAC of any of the interfaces? 2 different entirely behaviors would occur, ACE should drop the packet on the bridged context, and route the packet on the routed context.
So the bottom line is - you can't determine which context a packet would need to apply to in all circumstances if you tried to share vlans in a bridge mode across multiple contexts.
Regards,
Chris Higgins -
ACE in one-arm model. VIP on Client Side, servers in other vlan
Hello All
i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
the servers are in vlan 503 (10.12.3.0/24)
it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
the configuration is the next:
MSFC:
svclc module 1 vlan-group 1,2,
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
maybe a i need to allocate the vlan 503 in OSS Context, any advice?
Thanks in advace,
Gianni From ChileSince you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown -
CSS 11503 One-arm Design and Server Default Gateway
Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
TomHi Tom,
If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada.
Maybe you are looking for
-
GR in one GL Code and IR in different GL code -how to clear?
hi, If the gl a/c during GR differ from gl a/c during Invoice verification then what configuration we need to do so that these accounts get cleared automatically? For example During GR the GR/IR clearing a/c was 307213 and during Invoice Verificat
-
Acrobat 7.0 (22020134.exe) will not install in my system running Vista 64
My XP system computer took a dump. I've got a borrowed laptop running Vista Business 64. I keep trying to install Acrobat 7.0 using a file I was told to download, 22020134.exe. Every time I try to install it I get an error message telling me I don't
-
Hi Question I have is related to the following setup. WLSM and access points (L3 roaming)incorporated into 6500 with FWSM. The FWSM is firewalling 2 wireless networks. Access points have BVI on seperate subnet with subinterfaces on fastethernet defin
-
Please help me please!'I
-
Default role + session role
Hi, How do I enable a session role in addition to keeping the default role enabled. Eg. If user scott has a default role of scott_dflt, I want to enable role scott_session without affecting scott_dflt. Using dbms_session.set_role to enable scott_sess