CSM-S to ACE migration

If the private key and certificate pairs are imported from CSM-S to ACE for SSL termination, will they work on ACE?
Thanks

Yes, as long as they are valid you can use them on the ACE.
For ACE you would use the server cert and key in the ssl-proxy, and use the intermediate and/or root cert in a chaingroup, and then configure the chaingroup under the ssl-proxy.

Similar Messages

  • CSM - ACE Migration

    I have a pair of 6509s with CSM and SSL modules. We are migrating these to ACE modules in a few days. I have the configuration (except for the interfaces) configured on the ACE, including exported/imported SSL certificates/keys. By not configuring the interfaces with service-policy, neither the VIPs nor the server IP addresses can conflict with the CSM.
    Also, the supervisor config has already been set up to include the client and server vlans for the service linecard. That connectivity has been established, however, I will be changing the client side interface vlan to the one that the CSM was using as the existing one is temporary.
    My plan is as follows:
    1. Remove the vlan statements for server and client from the supervisor (from config mode, csm mod #).
    2. Power down CSM and SSL modules from supervisor.
    3. Session into ACE. Modify interface vlans for both client and server side to use the IP addresses from the vlan server and vlan client configs.
    At this time, the servers should begin to appear in the ACE modules' ARP table and the client VIP's should start responding.
    Now, what or how do we clean up the rest of the CSM configuration in the supervisor?
    If you see any flaws in this plan, please let me know.
    Thanks in advance for your assistance.

    Regarding cleaning up the CSM configuration, please refer to the following discussion.
    Erasing CSM configuration
    https://supportforums.cisco.com/message/446477
    You can remove the CSM config with the 'no mod csm [slot#]' command, where you have
    to remove all vserver config before you issue this command, as Phil said in the above
    discussion. (I checked with 12.2(18)SXF13 and the result was as below.)
    #conf t
    (config)#no mod csm 3
    % Remove vserver before unconfiguring slot 3  <<==
    (config)#
    (config)#mod csm 3
    (config-module-csm)#no vser test
    (config-module-csm)#end
    #conf t
    (config)#no mod csm 3
    (config)#end
    Regarding the migration steps, probably it works fine.
    When I migrate from CSM to ACE in my lab, I use the following steps.
    1) issue 'no power enable' command on the sup for the CSM
    2) issue 'svclc vlan-group' command on the sup for the ACE module
    #conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    (config)#no power enable module 3
    Aug 17 00:24:29.643: %C6KPWR-SP-4-DISABLED: power to module in slot 3 set off (admin request)
    (config)#end
    #conf t
    (config)#svclc vlan-group 1  771,772
    (config)#end
    ## sup config for ACE in slot4
    #sh run | i svclc
    svclc autostate
    svclc multiple-vlan-interfaces
    svclc module 4 vlan-group 1
    svclc vlan-group 1  771,772
    ## CSM config in slot 3
    #sh run mod 3
    Building configuration...
    Current configuration : 458 bytes
    module ContentSwitchingModule 3
    vlan 771 client
      ip address 192.168.71.250 255.255.255.0
    vlan 772 server
      ip address 192.168.72.250 255.255.255.0
    real SV1
      address 192.168.72.11
      inservice
    real SV2
      address 192.168.72.12
      inservice
    serverfarm SF
      nat server
      no nat client
      real name SV1
       inservice
      real name SV2
       inservice
    vserver TEST
      virtual 192.168.71.100 any
      serverfarm SF
      persistent rebalance
      inservice
    end
    #conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    (config)#mod csm 3
    (config-module-csm)#no vser test
    (config-module-csm)#exit
    (config)#no mod csm 3  <<== clear config
    (config)#end
    *Aug 17 00:31:07.619: %SYS-5-CONFIG_I: Configured from console by console
    #sh run mod 3
    Building configuration...
    Current configuration : 5 bytes
    end
    ## ACE config
    ACE20/Admin# sh run
    Generating configuration....
    hostname ACE20
    boot system image:c6ace-t1k9-mz.A2_3_1.bin
    access-list all line 8 extended permit ip any any
    rserver host sv1
      ip address 192.168.72.11
      inservice
    rserver host sv2
      ip address 192.168.72.12
      inservice
    serverfarm host sf
      rserver sv1 80
        inservice
      rserver sv2 80
        inservice
    class-map match-all vip-l3
      2 match virtual-address 192.168.71.100 any
    policy-map type loadbalance first-match lb
      class class-default
        serverfarm sf
    policy-map multi-match client-vips
      class vip-l3
        loadbalance vip inservice
        loadbalance policy lb
        loadbalance vip icmp-reply
    access-group input all
    interface vlan 771
      ip address 192.168.71.250 255.255.255.0
      service-policy input client-vips
      no shutdown
    interface vlan 772
      ip address 192.168.72.250 255.255.255.0
      no shutdown
    Regards,
    Yuji

  • CSS to ACE migration

    I am in the process of migrating all servers from our Content switch to Cisco ACE4710.
    One content has this line item:
    advanced-balance sticky-srcip
    What would be the similar option in ACE?
    Thanks for any help on this.
    Mehdi

    Hello,
    Here you have a sample about it:
    rserver host SLB-1
      ip address 10.198.16.100
      inservice
    serverfarm host SLB
      rserver SLB-1
        inservice
    sticky ip-netmask 255.255.255.255 address both ACE-SLB
      timeout 10   
      timeout activeconns
      serverfarm SLB
    policy-map type loadbalance first-match SLB-Policy
      class class-default
        sticky-serverfarm ACE-SLB
    Here you have a document about it:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/slb/guide/sticky.html
    Some of the features under the sticky group may vary based on your requirements, but besides that, the sample above is what you could be looking for.
    Jorge

  • CSS to ACE Migration Tool

    Hi,
    We are planning to upgrade from the existing CSS 11500 series to ACE (6506 bundle with 720 Sup engine). To facilitate a smooth migration, do we have any tool/procedure set?
    Thanks,
    RG.

    Currently there is no such tool to migrate CSS configs to ACE module. I heard that such a tool will be available with the release of ACE appliance (ACE box).
    Syed

  • CSS to ACE migration Tool in A4(2.0)

    Hi,
    I'm currently working on migration from CSS to ACE. The ACE appliance is running A4(2.0) code. And I couldn't find the CSS to ACE conversion tool in the Web GUI. Has anybody faced the same issue?
    merci,
    arun

    Hi Arun,
    As we discussed over the phone for the TAC case, the conversion tool is available over HTTP access only.
    The tool is not available over HTTPS to ACE.
    Sincerely,
    Viral

  • ACE migration

    Migrating from a single 4710 appliance to a pair of ACE30s in a VSS cluster.  The 4710 is running in bridged mode and I plan on utilizing the same VLANs and mode for the ACE30s.  They are currently configured as a redundant pair.  I have not yet turned up the VLAN interfaces on the ACE30s.  The 4710 is currently connected to a single switch with the 2 VLANs defined on the switch.  The ACE30s I'm migrating to are on a VSS cluster and switches between are a pair of Nexus 7010s.  The end result is no spanning tree redundancy.  Everything is a port-channel or vPC.  My question is do I need to worry about spanning tree when migrating to the ACE30s utilizing the same VLANs on the 6509s.  This is to minimize changes to the servers on these VLANs.  I basically want to be able to migrate the VIPs from the 4710 to the ACE30s one at a time.  I've attached a diagram of the basic layout.

    I've been thinking more about this.  One question I have is that when I move a VIP to the ACE30s how will I get the back end server to send the traffic back through the ACE30 as opposed to the 4710? I'm assuming the arp for the client address will lead it back to the firewall (which is in front of the ACEs and is the default gateway for the subnet).  How will it know to return through the ACE30 versus the 4710? Would I have to do source NAT on the ACE30s to work around this as a temporary solution until I remove the 4710 or should I use a third VLAN that only lives behind the ACE30s and move the servers onto it as part of each VIP migration.

  • Migration from CSM to ACE

    What points need to be kept in mind while migrating from CSM to ACE? Configuration/hardware? CSM at 2 sites with ft, what would be the best strategy to minimize the downtime? Illustrated steps would help a lot and be appreciated...

    Hi Ahmed,
    You should test ACE in pre-production environment before putting them in production. There will be connection break since you are moving from one device to another. Not sure of any way we will not have an outage. But you should have a roll back plan and ensure that you have a MW while you are migrating. I don't see any documented procedure to migrate other than that tool which helps you in converting the CSM config to ACE.
    Regards,
    Kanwal

  • Is there a CSM-to-ACE conversion tool?

    Hi Sir,
    Is there a tool to convert CSM config to ACE equivalent config?
    I have a long CSM config that needs to be migrated to ACE. If there's such a conversion tool, it would be great.
    Thank you.
    B.Rgds,
    Lim TS

    ACE web interface has the tool. Besides you can go to this site
    http://ace-tools.cisco.com/cgi-bin/csm2ace/csm2ace/
    thanks

  • CSM to ACE - vserver vlan

    Greetings,
    Can someone please help converting the following CSM config to ACE config. Need to understand how vlans under vservers would be included for ACE. Also how is the nat client natpool configured on ACE? Thanks.
    CSM#
    vlan 10 client
    ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
    vlan 11 server
    ip address 192.168.18.3 255.255.255.0 alt 192.168.18.4 255.255.255.0
    natpool POOL_FEtoLOC 111.1.0.1 111.1.0.200 netmask 255.255.255.0
    serverfarm FARM
    nat server
    no nat client
    real name R1 8090
    inservice
    real name R2 8090
    inservice
    serverfarm FARM_N
    nat server
    nat client POOL_FEtoLOC
    real name R1 8090
    inservice
    real name R2 8090
    inservice
    vserver VIP
    virtual 192.168.10.6 tcp www
    vlan 10
    serverfarm FARM
    replicate csrp connection
    persistent rebalance
    inservice
    vserver VIP_N
    virtual 192.168.11.6 tcp www
    vlan 11
    serverfarm FARM_N
    replicate csrp connection
    persistent rebalance
    inservice

    With ACE the policy [vserver] is configured globally or on the interface vlan.
    So, if in your CSM config there is a vlan specified under the vserver, it means you apply the policy to a specific vlan only.
    So, in ACE you would have
    interface vlan 11
    service-policy input VIP_N
    interface vlan 10
    service-policy input VIP
    The client nat function in ACE works differently than the CSM.
    It's not per serverfarm but per interface/policy.
    So, first define the client pool on the outbound interface [interface towards server]
    interface vlan x
    natpool 1 x.x.x.x ....
    Then on your policy, select the natpool
    policy-map multi-match VIP_N
    class ...
    nat dynamic 1 vlan x
    But, do you know that ACE comes with a CSM -> ACE config converter onboard?
    Easier than having to figure this out if you don't have time.
    Gilles.
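
The mapping described in the reply above, as an added example that is not part of the original thread: a Python script that reads a CSM configuration and reports, per vserver, where the policy attaches on ACE and which vservers rely on a serverfarm-level `nat client` pool that has to move to the interface and policy. The sample is constructed from the question's config (trimmed and re-indented; `VIP_ANY` is an invented vserver with no `vlan` line), and the function names are this example's own.

```python
from collections import defaultdict

# Constructed sample: the question's CSM config, trimmed and re-indented so that
# unindented lines open a section. VIP_ANY is invented to show the no-vlan case.
CSM_CONFIG = """\
serverfarm FARM
 no nat client
serverfarm FARM_N
 nat client POOL_FEtoLOC
vserver VIP
 virtual 192.168.10.6 tcp www
 vlan 10
 serverfarm FARM
vserver VIP_N
 virtual 192.168.11.6 tcp www
 vlan 11
 serverfarm FARM_N
vserver VIP_ANY
 virtual 192.168.12.6 tcp www
 serverfarm FARM
"""

def parse_csm(text):
    """Collect vserver (vlan, serverfarm) and serverfarm (client NAT pool) settings."""
    vservers, farms, section = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not raw[:1].isspace():          # unindented (or blank) line: new section
            section = None
            if len(words) >= 2 and words[0] == "vserver":
                section = vservers.setdefault(words[1], {"vlan": None, "serverfarm": None})
            elif len(words) >= 2 and words[0] == "serverfarm":
                section = farms.setdefault(words[1], {"nat_client": None})
        elif section is None or len(words) < 2:
            continue
        elif words[0] in section:          # "vlan N" / "serverfarm NAME" under a vserver
            section[words[0]] = words[1]
        elif words[:2] == ["nat", "client"] and "nat_client" in section and len(words) > 2:
            section["nat_client"] = words[2]   # "no nat client" does not match
    return vservers, farms

def plan_ace(text):
    """Return ({vlan or None: [policy names]}, {vserver: CSM client NAT pool})."""
    vservers, farms = parse_csm(text)
    bindings, client_nat = defaultdict(list), {}
    for name, vs in vservers.items():
        bindings[vs["vlan"]].append(name)  # key None: no vlan line, policy applies globally
        pool = farms.get(vs["serverfarm"], {}).get("nat_client")
        if pool:
            client_nat[name] = pool        # ACE: natpool on the interface, nat dynamic in the policy
    return dict(bindings), client_nat

def render_bindings(bindings):
    """Emit the bindings in the form used in the reply; policy name = vserver name."""
    out = [f"service-policy input {p}" for p in bindings.get(None, [])]
    for vlan in sorted((v for v in bindings if v is not None), key=int):
        out.append(f"interface vlan {vlan}")
        out += [f"  service-policy input {p}" for p in bindings[vlan]]
    return "\n".join(out)
```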

  • Moving from CSS to ACE

    I'm trying to find documentation on moving from a CSS to the ACE but have not been able to find much on the ACE in general (no books at all). Does anyone have any info on this? We are currently using the CSS for multiple Web and Server farms, and are looking to add SSL in the mix. Trying to decide if we should just offload the SSL to the ACE for now (eventually migrating completely to the ACE) or if we should convert everything over at the same time.
    Any links or book suggestions would be appreciated!

    Hi,
    Here is the official link to ACE documentation (but you probably have already found this...):
    http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
    I don't believe that there is a book, as this is relatively new product. Also don't hope too much to find migration guide :)
    You may use some design guides for CSM module and try to apply a part of it to ACE (Topology will be similar for ACE and CSM, but with ACE you additionally have possibility of virtualization/contexts).
    But, pay attention, because ACE and CSM have completely different config command syntax and configuration philosophy!
    I did not quite understand your dilemma regarding migration?
    Personally, I have not yet had a chance to implement SSL offload on ACE, but it sounds logical to move the server farm that will use SSL offload behind ACE, and do SSL termination and load-balancing for that server farm on ACE. Then, gradually you can move other servers behind ACE...
    You will have to decide based on conditions and requirements in your network, and after reading thousands of pages of documentation... ;)
    Good luck!
    Best regards,
    Jasmina

  • Change Source

    Hi All,
    I have to change source into my data warehouse.
    At the moment my data is coming from acemigration(source) and loads the data into the data warehouse; now I just need to change the source to one called acedress(source).
    Acemigration and Acedress is the schema name. Both structures are the same
    I need to do this because the data quality is not good in ace migration.
    At which places do I need to make necessary changes?
    Thanks in advance
    kaushal

    another way is........
    Right Click the SourceModule
    Select "Open Editor"
    Select "Data Locations" tab
    Remove your existing source location from the "Selected Locations" panel
    Click "New" button
    Give the credentials of your new source location
    Click OK and you are done
    Go to the mappings in your Target Module and make sure that the source objects are still Bound to the correct tables of source
    Drop the objects of Target Modules (if you have already deployed)
    And then Deploy the objects of Target Module again
    I hope this will help
    Regards,
    Usman

  • In-band health checking

    Hi,
    Is there anybody who can explain the advantage of in-band health checking? What is the benefit of using these checks when it is still necessary to use the normal probes? Only reading the Cisco PDF does not give me enough information to understand this kind of health checking mechanism.
    TIA,
    Stephan

    In the old days there were no probes (I'm talking about 10 years ago with the LocalDirector).
    But for those people who liked this feature we ported it to the CSM and then ACE.
    Personally, I prefer regular probes.
    Gilles.

  • How CSS will treat incoming RTSP request?

    We are introducing one more service to serve live streaming traffic. I have prepared a configuration for the same too. My worry is that the incoming url will be "rtsp://liv.tataindicom.com:554". By default, CSS will consider it as http traffic. If I configure CSS in the following way, will it work?
    content RTSP
    vip address 172.23.2X2.XX
    protocol tcp
    port 554
    add service RTSP_Live
    application realaudio-control
    flow-timeout-multiplier 10
    url "//liv.tataindicom.com:8080/*"
    active
    content RTSP-UDP
    vip address 172.23.2X2.XX
    protocol udp
    url "//liv.tataindicom.com:8080/*"
    flow-timeout-multiplier 10
    active
    Thanks in advance

    First, the url command can only be used for HTTP traffic - the CSS will be looking for "http://"
    So, you can't use it for rtsp.
    Same for udp traffic, the command can't be used on such content rule.
    Also, the 'application real audio' is really not going to do what you expect.
    This command was introduced a long time ago for a specific issue.
    The CSS actually does not understand RTSP protocol.
    So, if you can make this work at level 3 or 4 [ip,tcp,udp] then that's fine.
    Just be aware that since the CSS does not understand rtsp traffic it won't be able to change the payload and you might see the client trying to connect directly to the server instead of the vip.
    I would recommend not to loadbalance rtsp with the CSS.
    If you need to loadbalance this protocol, the CSM or the ACE module would be a better option.
    Gilles.

  • CSS/CSM to ACE conversion tool

    Hi,
    Are there any plans to release a standalone CSS/CSM to ACE config migration tool? (just like the CatOS to IOS tool)?
    thanks,
    Andrew.

    Currently, there isn't one available yet, the conversion tool is embedded into the software image of the ACE. Not sure if there are plans to make it standalone, I have been looking for those answers as well.

  • Migrating from LocalDirector to CSM?

    We have a LocalDirector 416 Version 3.2.2 which we are trying to migrate to the CSM. They are both connected to the same 6509 switch IOS. They are both in bridge mode and on the same subnet. When removing the VIP and RIP on the LD even after 300 minutes the VIP mac-address is still advertised. I cleared the arp table on the 6509 and Local Director but it appears the LD is still advertising its mac for this VIP any ideas?

    Personally, I would migrate to ACE or stay with the CSS.
    You really do not gain much benefit going to the CSM.
    You may even lose some features as they do not share the same features.
    Gilles.
