Cisco ACE default vlan

Hello everybody,
I am installing an ACE 4700 at a customer, but when I started to work and saw their topology, I realized that I had a problem. The problem is that I cannot create the interface vlan 1 and assign an IP address to it. I saw some documents on the cisco.com site saying that the ACE hides this VLAN.
My topology follows:
Servers VLAN is VLAN 1
Clients VLAN is 5
Management VLAN is 8
As I understood, the ACE has to have at least one interface in the servers VLAN, but I can't create VLAN 1. So my problem is, how do I unhide VLAN 1 in the ACE so I can configure an IP address on it?
Leandro

If you can't have the customer migrate the servers into a different VLAN, you need to trick a bit, as VLAN1 is not usable on the ACE.
Pick a VLAN number that you will use inside the ACE for the outer VLAN1. Say, VLAN101.
If you have an access port connecting to the server segment, just set it to 101:
     switchport access vlan 101
If you connect via a trunk, set your native VLAN to 101:
     switchport trunk native vlan 101

Similar Messages

  • Need help to Configure Cisco ACE 4710 Cluster Deployment

    Dear Experts,
I'm a newbie for Cisco ACE 4710, and I'm still in the learning stage. Meanwhile I got a chance at my workplace to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for a good deployment guide in the Cisco SBA knowledge base and finally found this guide.
    http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide is totally fine with my required deployment model. I have the same deployment environment as this guide contains, with an ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusing places in this guide.
This guide follows the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured the server VLAN as 10.4.49.0/24 (all servers reside in it) and the Client side VIP also in the same VLAN, which is 10.4.49.100/24 (even the NAT pool also).
My confusion is, as I have learned about the Cisco ACE 4710 one-armed mode deployment method, it should have two VLAN segments, one for the Client side where client requests come and hit the VIP and then a second one for the Server side, which means basically two VLANs. So please be kind enough to go through the above document and tell me where I am wrong and what I should do for the best. Please, this is urgent, so I need your help quickly.
    Thanks....!
    -Amal-

    Dear Kanwal,
I need quick help from you. Following are the Application LB requirements which I received from my client side.
    Following detail required for configuring Oracle EBS Apps tier on HA:
    LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
    Suggested IP and Name for LBR:
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
    Server Farm detail for LBR Setup
Following detail will be used for configuring the LBR:
    LBR IP and Name :
    IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
    ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must resolve and respond on the DNS network
    Server Farm Detail for LBR setup:
    Server 1 (EBS App1 Node, ap1ebs):
    IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, the actual hostname will be used]
    Protocol: http
    Port: 8000
    Server 2 (EBS App2 Node, ap2ebs):
    IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, the actual hostname will be used]
    Protocol: http
    Port: 8000
Since my client needs to access the URL ebiz.xxxx.lk, which should be resolved to IP 172.25.45.21 (virtual IP) via http (80), before they deployed the app on the two servers I just ran a web service on both servers (Linux) and was trying to access http://172.25.45.21; it was working fine and gave me the index.html page. Now, after my client has deployed the application, when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers; when I type http://172.25.45.21 it will get the index.html page, but not my client's web login page. What can I do for this?
Following is my latest config:
    probe http Get-Method
      description Check to url access /OA_HTML/OAInfo.jsp
      interval 10
      faildetect 2
      passdetect interval 30
      request method get url /OA_HTML/OAInfo.jsp
      expect status 200 200
    probe udp http-8000-iRDMI
      description IRDMI (HTTP - 8000)
      port 8000
    probe http http-probe
      description HTTP Probes
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      request method get url /index.html
      expect status 200 200
    probe https https-probe
      description HTTPS traffic
      interval 10
      faildetect 2
      passdetect interval 30
      passdetect count 2
      ssl version all
      request method get url /index.html
    probe icmp icmp-probe
      description ICMP PROBE FOR TO CHECK ICMP SERVICE
    rserver host ebsapp1
      description ebsapp1.xxxx.lk
      ip address 172.25.45.19
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    rserver host ebsapp2
      description ebsapp2.xxxx.lk
      ip address 172.25.45.20
      conn-limit max 4000000 min 4000000
      probe icmp-probe
      probe http-probe
      inservice
    serverfarm host ebsppsvrfarm
      description ebsapp server farm
      failaction purge
      predictor response app-req-to-resp samples 4
      probe http-probe
      probe icmp-probe
      inband-health check log 5 reset 500
      retcode 404 404 check log 1 reset 3
      rserver ebsapp1 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
      rserver ebsapp2 80
        conn-limit max 4000000 min 4000000
        probe icmp-probe
        inservice
    sticky http-cookie jsessionid HTTP-COOKIE
      cookie insert browser-expire
      replicate sticky
      serverfarm ebsppsvrfarm
    class-map type http loadbalance match-any default-compression-exclusion-mime-type
      description DM generated classmap for default LB compression exclusion mime types.
      2 match http url .*gif
      3 match http url .*css
      4 match http url .*js
      5 match http url .*class
      6 match http url .*jar
      7 match http url .*cab
      8 match http url .*txt
      9 match http url .*ps
      10 match http url .*vbs
      11 match http url .*xsl
      12 match http url .*xml
      13 match http url .*pdf
      14 match http url .*swf
      15 match http url .*jpg
      16 match http url .*jpeg
      17 match http url .*jpe
      18 match http url .*png
    class-map match-all ebsapp-vip
      2 match virtual-address 172.25.45.21 tcp eq www
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match ebsapp-vip-l7slb
      class default-compression-exclusion-mime-type
        serverfarm ebsppsvrfarm
      class class-default
        compress default-method deflate
        sticky-serverfarm HTTP-COOKIE
    policy-map multi-match int455
      class ebsapp-vip
        loadbalance vip inservice
        loadbalance policy ebsapp-vip-l7slb
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 455
    interface vlan 455
      ip address 172.25.45.36 255.255.255.0
      peer ip address 172.25.45.35 255.255.255.0
      access-group input ALL
      nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
      service-policy input remote_mgmt_allow_policy
      service-policy input int455
      no shutdown
    ft interface vlan 999
      ip address 10.1.1.1 255.255.255.0
      peer ip address 10.1.1.2 255.255.255.0
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 999
    ft group 1
      peer 1
      no preempt
      priority 110
      associate-context Admin
      inservice
    ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply to me soon
    Thanks....!
    -Amal-

  • Urgent!!! Cisco ACE and asymetric routing assistance needed

I am wondering if someone can give me pointers on the Cisco ACE
and asymmetric routes. I've attached the diagram:
    -Cisco IOS IP address is 192.168.15.4/24 and 4.1.1.4/24
    -Firewall External interface is 192.168.15.1/24,
    -Firewall Internal interface is 192.168.192.1/24,
    -F5_BigIP External interface is 192.168.192.4/24,
    -F5_BigIP Internal interface is 192.168.196.1/24 and 192.168.197.1/24,
    -host_y has IP addresses of 192.168.196.10/24 and 192.168.197.10/24,
    -Checkpoint has static route for 192.168.196.0/24 and 192.168.197.0/24
    pointing to the F5_BigIP,
    -host_y is dual-home to both VLAN_A and VLAN_B with the default
    gateway on host_y pointing to VLAN_A which is 192.168.196.1,
    -host_x CAN ssh/telnet/http/https to both of host_y IP addresses
    of 192.168.196.10 and 192.168.197.10.
In other words, from host_x, when I try to connect to host_y
via the IP address 192.168.197.10, the traffic will go through VLAN_B
but the return traffic will go through VLAN_A. Everything
is working perfectly for me so far.
Now the customer has just replaced the F5_BigIP with Cisco ACE. Now,
I could not get it to work with asymmetric routing with Cisco ACE. In
other words, from host_x, I can no longer ssh or telnet to host_y
via the IP address 192.168.197.10.
Does anyone know how to get asymmetric routing to work on Cisco ACE?
    Thanks in advance.

    That won't work because ACE uses the vlan id to distinguish between flows.
    So when the response comes back on a different vlan, ACE can't find the flow it belongs to and it drops it.
    Even if we could force it to accept the packet, ACE would then try to create a new flow for this packet and it will collide with the flow already existing on the frontend.
    You would need to force your host to respond on the same vlan the traffic came in.
    This could be done with client nat on ACE using different nat pool.
    Gilles.

  • Slow connection in one server if accessing through Cisco ACE

    Hi,
Good day. Can someone help me with my problem? I have 3 servers: server1, server2 and server3. When one PC accesses the server 3 application via Cisco ACE, it experiences a slow connection, but with direct access without Cisco ACE it's fast. The connection of this PC through Cisco ACE and direct access have no issue.
What do I need to do in my configuration? Below is my configuration:
    logging enable
    logging timestamp
    logging trap 7
    logging buffered 7
    logging monitor 7
    logging host 167.81.126.5 udp/514
    logging host 137.55.152.147 udp/514
    resource-class SG_01
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 10.00 maximum equal-to-min
    boot system image:c4710ace-mz.A3_2_0.bin
    login timeout 30
    peer hostname singapore-ace2
    hostname singapore-ace1
    interface gigabitEthernet 1/1
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/2
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/3
      channel-group 14
      no shutdown
    interface gigabitEthernet 1/4
      channel-group 14
      no shutdown
    interface port-channel 14
      description ISOLAN-ACE-TRUNK
      ft-port vlan 99
      switchport trunk native vlan 1
      switchport trunk allowed vlan 12,14,112
      no shutdown
    clock timezone SGT 8 0
    ntp server 137.55.152.1
    context Admin
      member SG_01
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 9 extended permit icmp any any
    ip domain-name ysn.psg.philips.com
    probe http singapore_01
      description This probe used to monitor application url-app-script
      interval 5
      passdetect interval 5
      request method get url /insiteserverstatus/insiteserverstatus.aspx
      expect status 200 200
      open 1
    probe http singapore_02
      description This probe used to monitor IIS-login-page
      interval 5
      passdetect interval 5
      request method get url /InSiteLumiledsApplication/
      expect status 200 200
      open 1
    probe icmp uplink
      description This probe used in conjunction with ft track host
      interval 2
      faildetect 2
      passdetect interval 3
    parameter-map type connection PARAM_L4STICKY-IP
      exceed-mss allow
    rserver host sggysnysn1ms013
      ip address 137.55.152.135
      inservice
    rserver host sggysnysn1ms014
      ip address 137.55.152.136
      inservice
    rserver host sggysnysn1ms018
      ip address 137.55.152.145
      inservice
    serverfarm host PLI9058
      probe singapore_01
      probe singapore_02
      rserver sggysnysn1ms013
        inservice
      rserver sggysnysn1ms014
        inservice
      rserver sggysnysn1ms018
        inservice
    sticky ip-netmask 255.255.255.255 address both SG_GROUP_01
      timeout 720
      replicate sticky
      serverfarm PLI9058
    class-map type management match-any HTTPS-ALLOW_CLASS
    class-map match-all L4STICKY-IP_141:ANY_CLASS
      2 match virtual-address 137.55.152.141 any
    class-map type http loadbalance match-any NO_MS018
      50 match source-address 137.55.155.31 255.255.254.0
    class-map type management match-any SSH-ALLOW_CLASS
      2 match protocol ssh source-address 167.81.124.0 255.255.255.192
      3 match protocol ssh source-address 167.81.126.0 255.255.255.192
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
      class class-default
        sticky-serverfarm SG_GROUP_01
        insert-http X-Forwarded-For header-value "%is"
    policy-map multi-match PLI9058-VIPs_POLICY
      class L4STICKY-IP_141:ANY_CLASS
        loadbalance vip inservice
        loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
        loadbalance vip icmp-reply
        connection advanced-options PARAM_L4STICKY-IP
    interface vlan 12
      description Client-side vlan
      bridge-group 1
      no normalization
      mac-sticky enable
      access-group input ALL
      access-group output ALL
      service-policy input PLI9058-VIPs_POLICY
      no shutdown
    interface vlan 14
      ip address 137.55.152.236 255.255.255.248
      peer ip address 137.55.152.237 255.255.255.248
      service-policy input remote_mgmt_allow_policy
      no shutdown
    interface vlan 112
      description Server-side vlan
      bridge-group 1
      no normalization
      access-group input ALL
      access-group output ALL
      nat-pool 1 137.55.152.141 137.55.152.141 netmask 255.255.255.192 pat
      no shutdown
    interface bvi 1
      ip address 137.55.152.189 255.255.255.192
      alias 137.55.152.188 255.255.255.192
      peer ip address 137.55.152.190 255.255.255.192
      description Bridge-Group 1 Virtual Interface
      no shutdown
    ft interface vlan 99
      ip address 192.168.1.1 255.255.255.252
      peer ip address 192.168.1.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 100
      heartbeat count 10
      ft-interface vlan 99
    ft group 1
      peer 1
      priority 150
      peer priority 50
      associate-context Admin
      inservice
    ft track host test1
      track-host 137.55.152.234
      peer track-host 137.55.152.235
      peer probe uplink priority 50
      probe uplink priority 50
    ip route 0.0.0.0 0.0.0.0 137.55.152.233

    Hi Earsdale,
All three servers are using the same configuration, so I'm afraid it's not possible to give you a simple answer. You will need more troubleshooting.
I would recommend that you start by checking the differences between the servers, because one of those differences is certainly causing the failure.
Also, it would be helpful to get traffic captures on the TenGig interface of the ACE to compare the behavior of the connection when going to the different servers, as well as the differences when being load-balanced vs. accessing the server directly.
If you need help with this troubleshooting, you can always open a TAC service request.
    Regards
    Daniel

  • 802.1x default VLAN

    Hi,
    I am trying to set up 802.1x on a Catalyst 4006 with a Supervisor III module with IOS 12.1(12c)EW1. I am using Cisco Secure ACS 3.0(2) Build 5 for my Radius server. I'm using the Windows 2000 802.1x hotfix for my 802.1x client software. My goal is as follows:
    If USER1 gets authenticated, authorize them to access VLAN 10.
    If USER2 gets authenticated, authorize them to access VLAN 20.
    If someone tries to logon to the network without the 802.1x Client, authorize them to access VLAN 30.
I have been able to get USER1 and USER2 onto their correct VLANs, but I have been unable to set up a default VLAN for unauthenticated/unauthorized users to be able to access. The only thing I have been able to do is Force Authorization onto VLAN 30 for all users, but then I am unable to assign USER1 or USER2 to their correct VLANs, because when I turn on Force Authorization the switch ignores the client requests for authorization; it just automatically throws them onto VLAN 30.
The reason I would like to do this is so that we can assign known users onto the VLANs we want them to access, and we want to throw unknown users onto VLAN 30. We want to allow unknown users access to the internet because we have outside vendors teaching classes on our campus, and we can't be guaranteed that they will have 802.1x on their laptops, but they will still need to access the internet to teach their classes.
    If more information is needed (how we have the switch configured now) or I have not been very clear in what I need, let me know. Any help would be greatly appreciated.
    Jeremy Zanitsch

From your question I understand that you want a procedure to authenticate unknown users; maybe the following URLs could give you some ideas.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007dea7.html#xtocid2932211
    http://www.cisco.com/warp/public/cc/pd/sqsw/sq/tech/deacs_wp.htm

  • Cisco ACE - "show conn" command queries

    Hi all,
I have some queries regarding the "show conn" command in Cisco ACE.
    Working Scenario:
    VIP : 10.10.10.1
    Server 1 : 10.10.20.1
    Server 2 : 10.10.20.2
    Client: 30.30.30.1
    When a client 30.30.30.1 initiates a connection to the VIP on 10.10.10.1, the ACE load balances it to Server 1, 10.10.20.1. Looking at the "show conn" table, it shows that Server 1 is replying back to the Client 30.30.30.1 through the ACE.
    Now, my question is when the ACE returns the traffic to the Client, should the Client be seeing the source IP coming from the VIP or Server 1? My understanding is that the Client should be seeing traffic returning from the VIP. But the show conn table does not seem to suggest so.
show conn table
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
1768       1  in  TCP   10   30.30.30.1:9221       10.10.10.1:80         ESTAB
41         1  out TCP   52   10.10.20.1:80         30.30.30.1:9221       CLOSED

    Daniel,
The client is expecting a response from the VIP, otherwise there would be an asymmetrical routing problem and conns would never complete.
The fact that you're seeing 30.30.30.1 as the destination address is just that the server is able to see the client's IP address on the request. When your backend server sends the reply back to the client, this response is forced to go through the ACE; when the ACE looks at the packet it matches a previously created conn in the flow table, so it "NATs" the reply, and now the source of the packet is the VIP and the destination is 30.30.30.1.
This is expected behavior as you're not using S-NAT on your network.
    HTH.
    Pablo
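The flow-table behaviour described in this answer and in the asymmetric-routing reply earlier on this page (a reply arriving on the expected VLAN matches the conn and is NATed back to the VIP; a reply arriving on a different VLAN finds no conn and is dropped), as an added Python model that is not ACE code and not from either poster. The VIP, VLAN numbers and addresses are the ones from the show conn output above; the two-leg key structure is an assumption used to illustrate the point, not ACE's real data structure.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    vlan: int
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class AceFlowTable:
    """Simplified model (assumption): every load-balanced connection is two
    legs, each keyed on the VLAN it arrives on plus the 5-tuple, so the VLAN
    is part of the lookup, as the asymmetric-routing reply describes."""

    def __init__(self, vip, client_vlan, server_vlan, rservers):
        self.vip = vip                    # (ip, port) clients connect to
        self.client_vlan = client_vlan
        self.server_vlan = server_vlan
        self.rservers = list(rservers)    # round-robin pool of (ip, port)
        self.rr = 0
        self.conns = {}                   # conn_id -> {"client": .., "rserver": ..}
        self.legs = {}                    # key -> (conn_id, "in" | "out")
        self.next_id = 1

    @staticmethod
    def _key(p):
        return (p.vlan, p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    def process(self, p):
        """Return (action, forwarded_packet). Actions: 'new' (conn created,
        packet sent to an rserver), 'forward' (client->server on an existing
        conn, client source kept since there is no S-NAT), 'nat-reply'
        (server->client, source rewritten to the VIP) or 'drop' (no leg
        matches, e.g. a reply that came back on another VLAN)."""
        hit = self.legs.get(self._key(p))
        if hit is None:
            if p.vlan == self.client_vlan and (p.dst_ip, p.dst_port) == self.vip:
                return "new", self._open(p)
            return "drop", None
        conn_id, direction = hit
        rs_ip, rs_port = self.conns[conn_id]["rserver"]
        if direction == "in":
            return "forward", replace(p, vlan=self.server_vlan,
                                      dst_ip=rs_ip, dst_port=rs_port)
        # Reply leg: the client must see the VIP as the source, not the rserver.
        return "nat-reply", replace(p, vlan=self.client_vlan,
                                    src_ip=self.vip[0], src_port=self.vip[1])

    def _open(self, p):
        rs = self.rservers[self.rr % len(self.rservers)]
        self.rr += 1
        cid = self.next_id
        self.next_id += 1
        self.conns[cid] = {"client": (p.src_ip, p.src_port), "rserver": rs}
        # in leg: client VLAN, client -> VIP; out leg: server VLAN, rserver -> client
        self.legs[self._key(p)] = (cid, "in")
        self.legs[(self.server_vlan, p.proto, rs[0], rs[1], p.src_ip, p.src_port)] = (cid, "out")
        return replace(p, vlan=self.server_vlan, dst_ip=rs[0], dst_port=rs[1])

    def show_conn(self):
        """Rows in the shape of 'show conn': (conn_id, dir, proto, vlan, src, dst)."""
        rows = []
        for (vlan, proto, sip, sport, dip, dport), (cid, d) in self.legs.items():
            rows.append((cid, d, proto, vlan, f"{sip}:{sport}", f"{dip}:{dport}"))
        return sorted(rows)


if __name__ == "__main__":
    # Values from the show conn output in the question.
    ft = AceFlowTable(("10.10.10.1", 80), client_vlan=10, server_vlan=52,
                      rservers=[("10.10.20.1", 80), ("10.10.20.2", 80)])
    print(ft.process(Packet(10, "TCP", "30.30.30.1", 9221, "10.10.10.1", 80)))
    print(ft.process(Packet(52, "TCP", "10.10.20.1", 80, "30.30.30.1", 9221)))  # nat-reply from VIP
    print(ft.process(Packet(53, "TCP", "10.10.20.1", 80, "30.30.30.1", 9221)))  # wrong VLAN: drop
    for row in ft.show_conn():
        print(row)
```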

  • Management and Default VLAN

    Hi All
    I need advice.
At my former office, we used to have another VLAN, e.g. VLAN 10, for management purposes so that we did not use the default VLAN 1 to access the switches, which I think is good for security purposes.
Now how can I convince my present company that it is the best way to go, as they have only VLAN 1 for management purposes but then use another VLAN, say VLAN 189, for all unused ports, which alas they do not keep to, so invariably we have ports in VLAN 1 and 99 and everywhere?
Is there a doc whereby I can show them why it is best to have a different management VLAN from the default VLAN?
    Thanks

Hi, here is a link that gives a little explanation of the precautions for the use of the default management VLAN.
    Refer to "Precautions for the Use of VLAN 1" section.
    http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a008013159f.shtml#wp38986

  • Integrate Cisco ACE into AAA TACACS+

    Dear Community!
I would like to configure the Cisco ACE 4710 CLI and WebAdmin to use the ACS v4.2 TACACS+ authentication and accounting feature. After finding a Cisco document which describes the ACE AAA features (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/aaa.html), I have set up all configuration parameters mentioned in this document, and everything seems to be OK.
    But...
I have a TACACS+ group named "Network Administrators", which has the privilege level 15 option enabled, so admins do not have to type the enable password when authenticating. After setting up ACE AAA, the privilege level 15 option stops working when logging in to Cisco routers: after authentication, the user remains in privilege level 1.
Logging in to Cisco switches seems to be OK, stepping immediately to level 15 as usual.
I tried upgrading IOS in a router, but no luck...
Does anybody have any experience with this "bug"?
    Thanks in advance!
    Regards,
    Belabacsi
    @ Budapest, Hungary

    Hello Bela
In ACE, in every context (including Admin and others) you should have the following strings:
    tacacs-server host x.x.x.x key 7 "xxx"
    tacacs-server host x.x.x.x key 7 "xxx"
    aaa group server tacacs+ MYTACACS
      server x.x.x.x
      server x.x.x.x
    aaa authentication login default group MYTACACS local
    aaa authentication login console group MYTACACS local
    aaa accounting default group x.x.x.x
On the ACS side, for the group named "Network Administrators" you should configure in the TACACS settings:
    1. Shell (exec) enable
    2. Privilege level 15
    3. Custom attributes:
              shell:Admin*Admin default-domain
if you have an additional context, add the next line
              shell:mycontext*Admin default-domain
After logging in to ACE and issuing the sh users command you should see the following
    User            Context                                                                 Line     Login Time   (Location)        Role   Domain(s)   
    *adm-x       Admin                                                                   pts/0   Sep 21 12:24  (x.x.x.x)    Admin   default-domain
    Regards,
    Stas

  • VPC / Cisco ACE and the Nexus 2K and 5K

    Hi all,
So we have a test environment that looks like the following. We have 2 5Ks, switch 1 and switch 2. Switch 1 has two 10Gb connections downstream to a 2K and switch 2 has two 10Gb connections downstream to the other 2K. We have a few servers that are multi-homed with LACP and VPC via the 2Ks and it works a treat.
We have our Cisco ACE 01, ports 1 and 2 going to one of the 2Ks and ports 3 and 4 going to the other 2K; ACE02 has ports 1 and 2 going to one of the 2Ks and ports 3 and 4 going to the other 2K. If I enable VPC and non-LACP based etherchannel I cannot get the ACEs talking to each other, but looking at the VPC status it's all healthy and up.
Has anyone managed to multi-home the ACE between two 2Ks with VPC successfully?
If I disable the links so each ACE only has links upstream in a traditional port-channel and not cross connected, the ACEs can see each other with no issues.
    Cheers

Doh.. so we had a cable patching issue in the end. Let this be a lesson to all networking chaps: always check the basics first! Now we have patched the cables as per design the VPC has been established and works.
Now that we have VPC working we are simulating link failures. When we restore a shutdown physical port within the port-channel/VPC that sits between the 2K and ACE (simulating a port failure) the ACEs lose sight of each other for about 10 seconds and it causes a short outage until the port is up/up. The logs on the ACE show 'the Peer x.x.x.x is not reachable. Error: Heartbeat stopped. No alternate interface configured', but the VLAN for the FT interface is carried over all four ACE NICs that are multi-homed to two 2Ks... very strange, I would not expect this; it's like the MAC addresses for the FT interface are waiting to time out on the 2K until they are switched on another interface within the port-channel and VPC.
    Anyone seen this before?

  • Cisco Ace parser.

Is there anyone who has a custom parser for Cisco ACE?
I can't understand why it isn't included by default as a supported device in Cisco MARS.

    Hi.
I'm trying to make a custom parser for ACE logs.
And it works fine except for denied ICMP traffic. The problem is that the event-id is the same in ACE (%ACE-4-106023).
The parser checks for protocol type and src ip, src port and so on. ICMP however is logged without a src port (pretty obvious), but the parser breaks if it doesn't get a src port.
    %ACE-4-106023: Deny icmp src  vlanx:x.x.x.x dst undetermined:y.y.y.y (type 11, code 0) by access-group "access-list" [0x20c017d8, 0x0]
    %ACE-4-106023: Deny udp src vlanx:x.x.x.x/6155 dst undetermined:y.y.y.y/6155 by access-group "access-list" [0xffffffff, 0x0]
So what I am missing in my parser is an "IF proto=ICMP don't match src&dst ports".
Any ideas how I can make this work?
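One way to parse both shapes of the %ACE-4-106023 message shown in this post with a single pattern, where the port suffix and the ICMP type/code group are optional and the port check is only enforced for tcp/udp; this is added Python example code, not a MARS parser or the poster's own, and the addresses, VLAN number and access-list name in the sample lines are constructed.

```python
import re
from collections import Counter

# One regex for the %ACE-4-106023 deny message. The "/port" suffix and the
# ICMP "(type N, code M)" group are both optional, so the same pattern covers
# tcp/udp (ports present) and icmp (ports absent). The trailing "[0x..., 0x...]"
# is not needed for the fields below, so the pattern stops at the ACL name.
DENY_RE = re.compile(
    r'%ACE-4-106023: Deny (?P<proto>[a-z]+) src\s+'
    r'(?P<src_if>[\w-]+):(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<src_port>\d+))?\s+'
    r'dst\s+(?P<dst_if>[\w-]+):(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?:/(?P<dst_port>\d+))?'
    r'(?:\s+\(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?'
    r'\s+by access-group "(?P<acl>[^"]+)"'
)

PORT_PROTOS = {"tcp", "udp"}


def parse_deny(line):
    """Return a dict for one 106023 deny event, or None if the line is not a
    106023 message or lacks the ports its protocol must carry."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    proto = d["proto"].lower()
    if proto in PORT_PROTOS:
        # tcp/udp always log both ports; a missing one means a truncated line.
        if d["src_port"] is None or d["dst_port"] is None:
            return None
        src_port, dst_port = int(d["src_port"]), int(d["dst_port"])
    else:
        # icmp (and other portless protocols) legitimately have no ports:
        # this is the "IF proto=ICMP don't match ports" branch the post asks for.
        src_port = dst_port = None
    return {
        "proto": proto,
        "src_if": d["src_if"], "src_ip": d["src_ip"], "src_port": src_port,
        "dst_if": d["dst_if"], "dst_ip": d["dst_ip"], "dst_port": dst_port,
        "acl": d["acl"],
        "icmp_type": int(d["icmp_type"]) if d["icmp_type"] else None,
        "icmp_code": int(d["icmp_code"]) if d["icmp_code"] else None,
    }


def deny_counts(lines):
    """Count denies per (proto, src_ip); lines that fail to parse are skipped."""
    counts = Counter()
    for line in lines:
        ev = parse_deny(line)
        if ev:
            counts[(ev["proto"], ev["src_ip"])] += 1
    return counts


# Constructed sample lines in the two shapes shown in the post (RFC 5737 addresses).
SAMPLE_LOGS = [
    '%ACE-4-106023: Deny icmp src  vlan10:192.0.2.10 dst undetermined:198.51.100.7 '
    '(type 11, code 0) by access-group "INBOUND" [0x20c017d8, 0x0]',
    '%ACE-4-106023: Deny udp src vlan10:192.0.2.10/6155 dst undetermined:198.51.100.7/6155 '
    'by access-group "INBOUND" [0xffffffff, 0x0]',
    '%ACE-4-106023: Deny tcp src vlan10:192.0.2.33/51234 dst vlan20:198.51.100.8/22 '
    'by access-group "INBOUND" [0x1, 0x0]',
    # truncated tcp line without a destination port: rejected rather than mis-parsed
    '%ACE-4-106023: Deny tcp src vlan10:192.0.2.33/51234 dst vlan20:198.51.100.8 '
    'by access-group "INBOUND" [0x1, 0x0]',
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_deny(line))
    print(deny_counts(SAMPLE_LOGS))
```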

  • Cisco ACE Module with Bluecoat Cache Proxy, Transparent and spoofing client IP

    Hello Dears,
I'm trying to implement cache load balancing through the Cisco ACE Module.
I have 2 Bluecoat cache proxies. When I configure a transparent proxy without spoofing the client IP, everything works properly, but when I enable spoofing the client IP (reflect client IP address), clients are not able to access the internet, although they are going to the cache servers; I can see their sessions.
I'm afraid that I have a problem in the returned traffic PBR.
Can anyone help please.
    Thanks

    Hi Ibrahim
I have reviewed the config. The ACE config is all good but I do see some issue with the switch side. If you are doing IP spoofing, then "match ip address" in the PBR should be the client IP address. However, what you did is the IP address between the ACE and MSFC. Try to configure the test client IP address into the below access-list.
    msfc---vlan 265---ACE--vlan 264----CE farm
    interface vlan 265
      description Interface_With_MSFC_SUBS_2_INTERNET
      ip address 168.168.1.52 255.255.255.248
      access-group input PERMIT_ALL
      service-policy input L3L4_PM
      no shutdown
    ip route 0.0.0.0 0.0.0.0 168.168.1.50
    ip access-list extended HSDPA_2_CACHE
    permit tcp 168.168.0.0 0.0.255.255 any eq www   <<<-- wrong
    ip access-list extended Internet_2_CACHE
    permit tcp any eq www 168.168.0.0 0.0.255.255   <<<---wrong
    interface Vlan 265
    description Interface_With_ACE
    ip address 168.168.1.50 255.255.255.248
    route-map INTERNET_2_HSDPA permit 10
    description "PBR for Response HTTP Traffic"
    match ip address Internet_2_CACHE
    set ip next-hop 168.168.1.52
    route-map HSDPA_2_INTERNET permit 10
    match ip address HSDPA_2_CACHE
    set ip next-hop 168.168.1.52
    regards
    Andrew

  • Change Default VLAN on SRW2008P

I have an SRW2008P switch I am trying to connect to my Layer 3 network, which is all Cisco 3560 IOS. I think the default VLAN for Cisco is 100 but the default VLAN for Linksys is 1. I have port 8 on the SRW2008P connected to my Cisco network and have it set as a trunk on both sides. I have VLAN 100 set as untagged on the SRW2008P. Also, I have my user/mgt VLAN 19 set as a tagged interface on the SRW2008P. Now, when I set the Management VLAN on the SRW2008P to 19, I am not able to communicate with the switch at all from my 3560: no ping, http, etc. My only idea is that the default VLAN on the SRW2008P needs to be 100, not 1; is there a way to change that? Am I missing some other step?

    As per Linksys documentation, the default or native VLAN cannot be changed.
    I would prefer setting up one of the ports on the SRW2008P as TRUNK. Create VLAN 100, member ports to VLAN100 including the TRUNK port and check if that would work.
    Hope this helps!

  • Cisco ACE backend communication

We are performing SSL offloading in Cisco ACE 4710.
443 from client to load balancer, then 80 on the backend, which works fine. However, when I change the backend to 8080 I get to the initial screen but everything after breaks.
It seems to be something with 443, as if I configure the front end to talk on port 81 and the backend on 8080 all works; as soon as the front end is changed to 443 I get to the first page, then everything after breaks.

    Hi Networker,
    Kindly use the following command:
    ssl url rewrite location expression [sslport number1] [clearport number2]
As per your case:
    CLIENT -----> ACE = port 443 = sslport
    ACE --------> Server = port 8080=clearport
Suppose you are specifying SSL URL rewrite for the URL www.cisco.com or www.cisco.net using the default SSL port of 443 and a clear port of 8080.
Then enter:
    host1/Admin(config-actlist-mod)# ssl url rewrite location www\.cisco\.* sslport 443 clearport 8080
    In the above example, the ACE attempts to perform the following tasks:
    1. Match all HTTP redirects to http://www.cisco.com:8080 or http://www.cisco.net:8080
    2. Rewrite the HTTP redirects as https://www.cisco.com:443 or https://www.cisco.net:443
    3. Forward the HTTP redirects to the client
    After you enter the ssl url rewrite command, associate the action list with a Layer 3 and Layer 4 policy map.
    Check the URL for your reference:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/command/reference/actnlist.html#wp1041777
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_1_0/command/reference/actnlist.html#wp1050875
    HTH
    Sachin Garg
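The matching and rewriting steps this answer lists (an http redirect to the clear port on a matching host becomes an https redirect on the SSL port, everything else passes through), as an added Python model of the documented behaviour; it is not ACE code and not from the answerer. The host expression is a Python regex built for the example (ACE's own expression syntax is not Python's, so the `www\.cisco\.*` form from the answer is not used verbatim), and leaving the default https port implicit in the rewritten URL is an assumption.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def make_url_rewriter(host_expr, sslport=443, clearport=80):
    """Build a rewriter for Location header values: http://<host>:<clearport>/...
    becomes https://<host>:<sslport>/... when <host> fully matches host_expr
    (a Python regex; assumption, see lead-in)."""
    host_re = re.compile(host_expr, re.IGNORECASE)

    def rewrite(location):
        parts = urlsplit(location)
        # Only plain-http redirects are candidates; https, relative or odd
        # values pass through unchanged.
        if parts.scheme.lower() != "http" or parts.hostname is None:
            return location
        port = parts.port if parts.port is not None else 80
        if port != clearport or not host_re.fullmatch(parts.hostname):
            return location
        # Assumption: the default https port is left implicit in the result.
        netloc = parts.hostname if sslport == 443 else f"{parts.hostname}:{sslport}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    return rewrite


def rewrite_redirect(status, headers, rewrite):
    """Apply the rewriter to the Location header of a 3xx response (header
    names are matched case-insensitively); non-redirect responses are untouched."""
    if not 300 <= status < 400:
        return dict(headers)
    return {name: (rewrite(value) if name.lower() == "location" else value)
            for name, value in headers.items()}


# The poster's case: clients on 443, backend on 8080, and backend redirects
# that point at the clear port (hosts taken from the answer's example).
REWRITE_CISCO = make_url_rewriter(r"www\.cisco\.(com|net)", sslport=443, clearport=8080)

if __name__ == "__main__":
    resp = rewrite_redirect(302, {"Location": "http://www.cisco.com:8080/login?next=/home"},
                            REWRITE_CISCO)
    print(resp["Location"])  # https://www.cisco.com/login?next=/home
```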

  • Cisco ACE - Exempt HTTP URL from SSL Offloading

    Hi,
I have a Cisco ACE module A2 (3.6). I am offloading the URL www.abc.com on the Cisco ACE. HTTP redirection to HTTPS is working, and over HTTPS I am able to browse the website perfectly. The real servers are redirecting some pages over HTTP. Due to page redirection from the webserver I have to exempt one URL (http://www.abc.com/modules/docs/abc.aspx) from SSL offloading. Is it possible, or as a workaround do I have to rewrite the complete URL www.abc.com to the SSL port?
    Your inputs highly appreciated.
    Regards,

    Hi Masif,
    In case you have not gotten assistance with this one, you just need to specify the specific URL and match it on top of the loadbalance policy that is already doing the redirection.
    class-map type http loadbalance match-any No-Redirect
      2 match http url /docs/abc.aspx
    policy-map type loadbalance first-match ABC
      class No-Redirect
        serverfarm HTTP-Servers
      class class-default
        serverfarm Redirect
    Hope this helps.
    Pablo 

  • CISCO ACE forward to Sorry page

    Hello everyone,
    I have a problem with Cisco ACE. I want to show Sorry pages when the primary server farm is not available, but these sorry pages should be loaded from another server farm with a specific URL.
    When my site (https://www.mysite.com) is not available and all the servers in the server farm are shut down, clients who visit the main page (https://www.mysite.com) should see the Sorry pages; these sorry pages are on another server farm at a specific URL.
    So my question is: how do I redirect the client to the other server farm at a specific URL where the static pages are, for example /folder/maintenance.html?

    You cannot add a normal host in a redirect serverfarm:
    ====not good=====
    host1/Admin(config)# rserver BSERVER3
    host1/Admin(config-rserver-host)# ip address 192.168.12.6
    host1/Admin(config-rserver-host)# inservice
    host1/Admin(config-rserver-host)# exit
    host1/Admin(config)# serverfarm redirect SFARM2
    host1/Admin(config-sfarm-redirect)# rserver BSERVER3
    host1/Admin(config-sfarm-redirect-rs)# inservice
    host1/Admin(config-sfarm-redirect-rs)# exit
    =======
    To achieve what you want you will need to create a redirect serverfarm and a backup serverfarm and use Layer 7 classification. Something like this:
    dvishwak/Admin(config)# rserver redirect SERVER4
    dvishwak/Admin(config-rserver-redir)# webhost-redirection http://%h/folder/maintenance.html 301
    dvishwak/Admin(config-rserver-redir)# inservice
    dvishwak/Admin(config-rserver-host)# exit
    dvishwak/Admin(config)# serverfarm redirect SFARM4
    dvishwak/Admin(config-sfarm-redirect)# predictor roundrobin
    dvishwak/Admin(config-sfarm-redirect)# rserver SERVER4
    dvishwak/Admin(config-sfarm-redirect-rs)# inservice
    dvishwak/Admin(config-sfarm-redirect-rs)# exit
    dvishwak/Admin(config)# rserver BSERVER3
    dvishwak/Admin(config-rserver-host)# ip address 192.168.12.6
    dvishwak/Admin(config-rserver-host)# inservice
    dvishwak/Admin(config-rserver-host)# exit
    dvishwak/Admin(config)# serverfarm host SFARM3
    dvishwak/Admin(config-sfarm-redirect)# rserver BSERVER3
    dvishwak/Admin(config-sfarm-redirect-rs)# inservice
    dvishwak/Admin(config-sfarm-redirect-rs)# exit
    dvishwak/Admin(config)# class-map type http loadbalance match-any MATCH-SORRY
    dvishwak/Admin(config-cmap-http-lb)# match http url /folder/maintenance.html
    dvishwak/Admin(config)# policy-map type loadbalance first-match L7SLBPOLICY
    dvishwak/Admin(config-pmap-lb)# class MATCH-SORRY
    dvishwak/Admin(config-pmap-lb-c)# serverfarm SFARM3
    dvishwak/Admin(config-pmap-lb-c)# exit
    dvishwak/Admin(config-pmap-lb)# class class-default
    dvishwak/Admin(config-pmap-lb-c)# serverfarm SFARM1 backup SFARM4
    This way the backup SFARM4 will redirect to your desired page while still keeping the URL what you desire, and when the redirect hits us back on the same VIP we catch in the layer 7 class MATCH-SORRY and send it to your desired server.
    -Regards,
    Devendra Vishwakarma
    -=Please rate helpful posts and mark answers=-

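Both Pablo's answer (exempting one URL from the HTTPS redirect) and Devendra's answer (a backup redirect serverfarm whose redirect lands back on the same VIP and is caught by a Layer 7 class) rely on the same mechanism: a first-match load-balance policy-map evaluated top to bottom, with the specific class above class-default. The Python below is an added model of that evaluation, not code from either post or from Cisco. It assumes `match http url` behaves as an unanchored regular-expression search, that `%h` and `%p` in webhost-redirection expand to the Host header and the request path, and that the predictor can be collapsed to "first available rserver"; the IP addresses, rserver names not in the posts, and health states are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rserver:
    name: str
    ip: str = ""          # host rserver
    redirect: str = ""    # redirect rserver: webhost-redirection template
    code: int = 302       # redirect status code
    inservice: bool = True
    up: bool = True       # probe state (constructed, no real health probe here)


@dataclass
class Serverfarm:
    name: str
    kind: str             # "host" or "redirect"
    rservers: list = field(default_factory=list)

    def available(self):
        return [r for r in self.rservers if r.inservice and r.up]


@dataclass
class ClassMap:
    name: str
    url_patterns: list    # each "match http url <regex>"; match-any semantics

    def matches(self, path):
        # Assumption: unanchored regex search; check your ACE version's docs.
        return any(re.search(p, path) for p in self.url_patterns)


def choose_farm(policy, path, farms):
    """policy = ordered [(class-map or None for class-default, farm, backup)]."""
    for cmap, farm_name, backup_name in policy:
        if cmap is None or cmap.matches(path):
            if farms[farm_name].available():
                return farms[farm_name]
            if backup_name and farms[backup_name].available():
                return farms[backup_name]
            return None   # nothing available; modelled as a failed request
    return None


def handle_request(policy, farms, host, path):
    """Return (status, target): target is an rserver IP or a redirect URL."""
    farm = choose_farm(policy, path, farms)
    if farm is None:
        return ("FAIL", None)
    rs = farm.available()[0]   # predictor collapsed to first available rserver
    if farm.kind == "redirect":
        return (str(rs.code), rs.redirect.replace("%h", host).replace("%p", path))
    return ("200", rs.ip)


def build_exempt_config():
    """Pablo's exemption: one URL to the HTTP farm, everything else redirected."""
    farms = {
        "HTTP-Servers": Serverfarm("HTTP-Servers", "host", [Rserver("WEB1", ip="10.1.1.10")]),
        "Redirect": Serverfarm("Redirect", "redirect",
                               [Rserver("TO-HTTPS", redirect="https://%h%p", code=302)]),
    }
    policy = [
        (ClassMap("No-Redirect", ["/docs/abc.aspx"]), "HTTP-Servers", None),
        (None, "Redirect", None),   # class-default
    ]
    return policy, farms


def build_sorry_config(primary_up=True):
    """Devendra's sorry page: backup redirect farm plus a Layer 7 catch class."""
    farms = {
        "SFARM1": Serverfarm("SFARM1", "host", [Rserver("BSERVER1", ip="192.168.12.5", up=primary_up)]),
        "SFARM3": Serverfarm("SFARM3", "host", [Rserver("BSERVER3", ip="192.168.12.6")]),
        "SFARM4": Serverfarm("SFARM4", "redirect",
                             [Rserver("SERVER4", redirect="http://%h/folder/maintenance.html", code=301)]),
    }
    policy = [
        (ClassMap("MATCH-SORRY", ["/folder/maintenance.html"]), "SFARM3", None),
        (None, "SFARM1", "SFARM4"),   # class-default with backup serverfarm
    ]
    return policy, farms


if __name__ == "__main__":
    p, f = build_sorry_config(primary_up=False)
    print(handle_request(p, f, "www.mysite.com", "/"))                         # 301 to the sorry URL
    print(handle_request(p, f, "www.mysite.com", "/folder/maintenance.html"))  # served by SFARM3
```

Running the sorry-page config with the primary farm down shows the two-pass flow Devendra describes: the first request to / is answered by the backup redirect farm with a 301 to the maintenance URL, and the follow-up request for that URL matches MATCH-SORRY and is served from SFARM3. Swapping the order of the two policy entries (class-default first) makes the specific class unreachable in both configurations, which is the point behind "match it on top of the loadbalance policy" in Pablo's answer.
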