CSS11500 one arm design configuration assistance.
Is it possible to configure the CSS11500 as single arm design? if yes how to configure the source nat on the CSS11500, it is not possibe for me to change the default gateway as well as configure CSS as inline.
Regards
yes you can configure CSS in one armed mode. You would do the nat with a group config ie:
service yada
ip address 192.168.20.40
active
content yadayada
vip address 192.168.20.55
add service yada
group yadayadayada
vip address 192.168.20.55
add destination service yada
Similar Messages
-
Sniffer Trace on ACE w/VACLs and One-Arm Design
Wow...that was a mouthful of a title!
Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
interface GigabitEthernet x/xx
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport capture
switchport capture allowed vlan 3002
no ip address
no cdp enable
Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
bcThis can be done by setting up a monitor session on the Sup, with the
TenGig/1 as SPAN
source, and a trunk port as SPAN destination.
For example, if the ACE is in slot X, the configuration would be:
monitor session 10 source interface TeX/1
monitor session 10 destination interface Giy/z
The configuration for this port would be:
int giy/z
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
Syed Iftekhar Ahmed -
ACE 4700 one-arm design with SSL termination
Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George GeorgiouThere are two ways to implement One Arm topology.
1. One Arm with PBR & 2.One Arm with SRC NAT
PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are following
One ARM with PBR:
Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
One ARM with SRC NAT:
You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes you can do that but wouldnt it make it routed mode topology?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed -
Source Nating in CSM one armed design
What is the best practice for creating Source Nating in CSM One armed design? I am doing CSS to CSM migration. I have created the NATPOOL used the VIP address like natpool CSS0 10.xxx.xx.xxx 10.xxx.xx.xxx netmask 255.255.255.0. I did experience some latency after migrating to CSM. Then I used diffrent Ip address is the NATPOOL that improved the latency. Is there any documentation which clearly explains this issue?
Thanksthe natpool will have no impact on performance.
The problem must come from somewhere else.
You should capture a sniffer trace and verify what is going on.
Gilles. -
CSS 11503 One-arm Design and Server Default Gateway
Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
Thanks!
TomHi Tom,
If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
I hope you find this helpful. Thanks!
Regards,
Jose Quesada. -
OEM10g install: ORACLE NET CONFIGURATION ASSISTANT HANGS
After the execution of "allroot.sh", the configuration assistant window comes up and then "Oracle Net Configuration Assistant" shows "in progress..." indefinitely. I can not proceed further. When I stop it, the OUI exits.
I raised a TAR 3 times but did not get a resolution. If any of you had this issue, I would appreciate if you could help me
Thanks
Mohammed
OS: HP-UX B.11.23 U ia64
OEM: 10.2.0.3 (downloaded from Oracle)Oracle Net Configuration Assistant will not install, here is the end of the install log.
The following configuration assistants have not been successfully completed. These assistants must be completed for your product to be completely configured.
Execute file C:\Oracle\product\10.1.0\Client_1\cfgtoollogs/configToolCommands to re-run all skipped/failed configuration assistants.
echo Oracle Net Configuration Assistant
C:\Oracle\product\10.1.0\Client_1\jdk\jre\\bin/java.exe -Dsun.java2d.noddraw=true -Duser.dir=C:\Oracle\product\10.1.0\Client_1\bin -classpath ";C:\Oracle\product\10.1.0\Client_1\jdk\jre\\lib\rt.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ldapjclnt10.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ewt3.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ewtcompat-3_3_15.jar;C:\Oracle\product\10.1.0\Client_1\network\jlib\NetCA.jar;C:\Oracle\product\10.1.0\Client_1\network\jlib\netcam.jar;C:\Oracle\product\10.1.0\Client_1\jlib\netcfg.jar;C:\Oracle\product\10.1.0\Client_1\jlib\help4.jar;C:\Oracle\product\10.1.0\Client_1\jlib\jewt4.jar;C:\Oracle\product\10.1.0\Client_1\jlib\oracle_ice.jar;C:\Oracle\product\10.1.0\Client_1\jlib\share.jar;C:\Oracle\product\10.1.0\Client_1\jlib\swingall-1_1_1.jar;C:\Oracle\product\10.1.0\Client_1\jdk\jre\\lib\i18n.jar;C:\Oracle\product\10.1.0\Client_1\jlib\srvmhas.jar;C:\Oracle\product\10.1.0\Client_1\jlib\srvm.jar;C:\Oracle\product\10.1.0\Client_1\network\tools" oracle.net.ca.NetCA /orahome C:\Oracle\product\10.1.0\Client_1 /orahnam OraClient10g_home1 /instype custom /inscomp client,oraclenet,ano /insprtcl tcp,nmp /cfg local /authadp NO_VALUE /nodeinfo NO_VALUE /responseFile C:\Oracle\product\10.1.0\Client_1\network\install\netca_clt.rsp
Error:*** Alert: One or more configuration assistants have not completed successfully. However these are optional, so they are not required for the correct configuration of your system. A list of the configuration assistants that need to be run is generated in the log of this session which is located at:
C:\Program Files\Oracle\Inventory\logs\installActions2008-04-15_11-01-05AM.log *** -
Can I configure csm as one arm and routing mode at the same time?
My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
Thanks in advance.
JasonGille,
Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
Thanks
Jason -
CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy
With Reference to the following CCO documentation;
1). "How to Configure the CSS to Load Balance Using 1 Interface"
In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
(i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
(ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
Method a)
1.Configure the Real Server's gateway to Router's Gateway
2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
3.Configure VIP(non-shared) redundancy for the VIP on the CSS
4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
Method b)
1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
3. Configure VIP(non-shared) redundancy for the VIP on the CSSif you use method a) (server gateway is the router) you need the CSS to nat
the source ip address of the client in order to force the server to send traffic back to the CSS.
The issue then is that the server does not see the IP address of real client.
The server only see connections with source IP address = CSS ip address.
With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
You have a performance issue because the traffic will cross 2 times the one-armed interface.
If this is a new design, it is strongly recommended not to use one-armed setup.
Regards,
Gilles. -
CSM-S, move to one-arm configuration.
Hello.
We are using a couple of CSM-S with a single subnet bridge and fault tolerance configuration. Now we are evaluating to move to an one-arm configuration, so I’m reading some design guides.
We want to move to this topology because there are some advantages like efficient utilization of resources.
Because we are serving different areas with different security level I’m looking for best practices also.
The main question is about security because CSM does not support virtual contexts like ACE.
Any suggestions?
Thanks.
AndreaHello Andrea,
As you noted, the capability for ACE to be able to keep traffic segregated is much easier to work with than the CSM's. Basically, you have to utilize both client groups and the VLAN statement under Vservers to be able to keep traffic segregated. Here is an example:
module ContentSwitchingModule 4
vlan 100 client
ip address 192.168.100.1 255.255.255.0
vlan 150 client
ip address 192.168.150.1 255.255.255.0
vlan 200 client
ip address 192.168.200.1 255.255.255.0
vlan 250 client
ip address 192.168.250.1 255.255.255.0
natpool POOL-1 192.168.100.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-2 192.168.150.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-3 192.168.200.2 192.168.250.2 netmask 255.255.255.0
natpool POOL-4 192.168.250.2 192.168.250.2 netmask 255.255.255.0
serverfarm DMZ1
nat server
nat client POOL-1
real 192.168.100.50
no inservice
real 192.168.100.51
inservice
real 192.168.100.52
inservice
serverfarm DMZ2
nat server
nat client POOL-2
real 192.168.150.82
no inservice
real 192.168.150.83
inservice
real 192.168.150.84
inservice
serverfarm DMZ3
nat server
nat client POOL-3
real 192.168.200.75
no inservice
real 192.168.200.78
inservice
real 192.168.200.90
inservice
serverfarm DMZ4
nat server
nat client POOL-1
real 192.168.250.82
no inservice
real 192.168.250.83
inservice
real 192.168.250.84
inservice
vserver DMZ1
virtual 192.168.100.10 tcp www
vlan 100
serverfarm DMZ1
persistent rebalance
inservice
vserver DMZ2
virtual 192.168.150.10 tcp www
vlan 150
serverfarm DMZ2
persistent rebalance
inservice
vserver DMZ3
virtual 192.168.200.10 tcp www
vlan 200
serverfarm DMZ3
persistent rebalance
inservice
vserver DMZ4
virtual 192.168.250.10 tcp www
vlan 250
serverfarm DMZ4
persistent rebalance
inservice
In the above configuration, if any packet comes into vlan 100 destine to 192.168.100.10 on port 80, it can hit the vip. If the same packet comes into any other vlan, it will not be able to hit the vip. The "vlan 100" statement under DMZ1 vserver filters the traffic so that only traffic that came into that vlan can hit that specific vserver.
If you need to do additional filtering, say by source subnet range, you can use client groups to furthur permit/deny traffic at a more granular level. Here is an example:
(The access-list is created globally on the 6500 - the access list is then referenced by number in the CSM configuration. ONLY standard access lists can be used!!)
access-list 2 permit 192.168.0.0 0.0.255.255
access-list 2 deny any
access-list 3 permit 10.10.0.0 0.0.255.255
access-list 3 deny any
policy 192_subnet_filter
client-group 2
serverfarm DMZ4
vserver DMZ4
virtual 192.168.250.10 tcp www
vlan 250
slb-policy 250_subnet_filter
persistent rebalance
inservice
With this configuration, only traffic with a source IP of 192.168.0.0/16 or 10.10.0.0/16 that arrive on vlan 250 will be allowed to hit the vserver. "Client-Group 2" refers to the "Access-list 2" in the global config.
Note that the serverfarm that used to be under the vserver was removed. If you leave the serverfarm DMZ4 statement under the vserver along with the slb-policy applied, and traffic that does not match your client group is sent to that serverfarm. It is another way of filtering traffic out. If you do not include a fallback serverfarm (like the example above), any traffic that doesn't match the client group is reset.
Let me know if you have any furthur questions!
Regards,
Chris Higgins -
Trade-off between the one-arm and two-arm WAE designs
We are configuring a WAE (model 512) for a branch office and I was wondering if someone could please tell me the trade-off between the one-arm and two-arm WAE designs..
thanks..
greg..if you are using WCCP then the WAE becomes the client withing the servcie groups 61, 62. In order to accelerate both vlans then apply the ip redirect 61 in on the client vlan ineterfaces to the one interface.
If inline, you can use both 2 port groups for each client interface or trunk all to a single inetrface and configure which vlans you would like to accelerate.
Now in terms of of using both GE inetrfaces, I would have to check. A topology diagram would help -
CSS redundancy on one-armed configuration
Can we configure box-to-box redundancy on a one-armed configuration or do we have to use the 'Active-active stateful failover ASR' ?
We are using CSS 11500.you can use box-to-box.
However, the vip/interface redundancy is much more interesting.
With the combination of ASR you have stateful redundancy that you do not have with box-to-box.
Also, box-to-box redundancy as a single point of failure since you can have only 1 cable for the redundancy protocol between the 2 CSS.
If this connection fails, both CSS will become active and you get into lot of troubles.
Regards,
Gilles. -
Please verify the CSS and SCA configuration for one-armed transparent mode
I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
Thanks,
** connectivity ********
<client>----<router>----<CSS>---<SCA>,<Server>
- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
- SCA=11.11.11.100, connect to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
** configuration *********
CSS11050# sh run
!Generated on 01/01/2079 00:00:47
!Active version: ap0500105
configure
!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e3
bridge vlan 3
interface e4
bridge vlan 4
interface e5
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 9.9.9.2 255.255.255.0
circuit VLAN2
ip address 8.8.8.2 255.255.255.0
circuit VLAN3
ip address 11.11.11.1 255.255.255.0
circuit VLAN4
ip address 10.147.153.1 255.255.255.0
!************************** SERVICE **************************
service ING_SVC_12
protocol tcp
ip address 10.147.153.12
active
service ING_SVC_15
protocol tcp
ip address 10.147.153.15
active
service ING_SVC_SCA
port 443
protocol tcp
ip address 11.11.11.100
type transparent-cache
no cache-bypass
active
service upstream
ip address 8.8.8.3
type transparent-cache
active
!*************************** OWNER ***************************
owner ING_OWNER
content cnt_443
add service ING_SVC_SCA
protocol tcp
port 443
vip address 9.9.9.1
active
content cnt_80
add service ING_SVC_12
add service ING_SVC_15
protocol tcp
port 80
url "/*"
vip address 9.9.9.1
active
content cnt_81
add service ING_SVC_12
add service ING_SVC_15
vip address 9.9.9.1
protocol tcp
port 81
url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
acl 2
clause 10 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 10 permit any any destination any
apply circuit-(VLAN3)
acl 4
clause 10 permit any any destination any
apply circuit-(VLAN4)
ING_SCA# sh run
# Cisco SCA Device Configuration File
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"
### Password ###
password idle-timeout 15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
no web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
server ING create
ip address 9.9.9.1
localport 443
remoteport 81
key default
cert default
secpolicy default
sslv2 enable
sslv3 enable
tlsv1 enable
session-cache size 20480
session-cache timeout 300
session-cache enable
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
sharedcipher error failhtml
ephemeral error failhtml
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
keepalive frequency 5
keepalive maxfailure 3
no keepalive enable
end
endthe problem is the routing.
You need a route for the client pointing to the SCA like this
ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
This is so the reply from the server to the client goes back to the SCA first
for encryption.
Gilles. -
ACE in one-arm model. VIP on Client Side, servers in other vlan
Hello All
i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
the servers are in vlan 503 (10.12.3.0/24)
it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
the configuration is the next:
MSFC:
svclc module 1 vlan-group 1,2,
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
maybe a i need to allocate the vlan 503 in OSS Context, any advice?
Thanks in advace,
Gianni From ChileSince you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown -
Unable to launch the Database Configuration Assistant
I have installed Oracle 10g Database Release 1 and I cant launch the Database Configuration Assistant (DBCA). The file c:\oracle\product\10.1.0\Db_1\bin\launch.exe does not exist on my computer.
My intent is to design a simple database in Oracle for an organization that uses Oracle extensively. I am running WinXP professional on my home computer. WinXP includes Microsoft IIS and I regularly test web-packaged files on this intranet server using the domain localhost. I downloaded Oracle 10g and installed it to the c:\ drive following the instructions in Chapter 2 of the tutorial Oracle 2-day DBA Course. I selected basic installation and standard edition.
I note that in the tutorial, the Oracle Home path has forward slants. The summary page of the Oracle installation wizard shows my installation with back slants. Do I need to install Oracle 10g to one of the directories in Microsoft IIS?
NicholasInstall the Oracle database with the procedure in
http://www.oracle.com/technology/obe/2day_dba/install/install.htm
When you select the Install button, the Oracle universal installer displays the installation of the Database Configuration Assistant.
Uninstall the previous installation. To uninstall database 10g
1. Stop the oracle services Adminstrative Tools>Services.
2. Uninstall the installed products in Oracle Universal Installer.
3. In the Run field specify
Regedt32
In the Registry Editor select
SYSTEM>Current Control Set>Services
Remove the oracle services.
4. Restart and dlete the directories in the oracle installation directory. -
CSM-S mode -One-Arm-vs- routed
We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?
Gilles,
What do you recommend when the traffic flows from the load balanced server are significant?
ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?
Maybe you are looking for
-
MMS is not working on ios 5.0.1
Since I have updated my iPhone 4 to ios 5.0.1, I can not send MMS any more. No need to mention that before update it was working without any problem, just using the default setting. I already checked different forums but none of the proposed solution
-
Mac Pro not recognising 2 monitors.
I have an oldish MacPro 1.1. First of all I upgraded it to Lion and had 2 Asus V2424 monitors. All working fine. I then got a second hand Apple 30" cinema display. All still good. Then because I want to run FCP7 and FCP 10 I decided to install a
-
Please help! Thanks!
-
I feel like there should be a simple solution for this but I am having the hardest time figuring it out. I am using crystal report 9 and there is a group header that contains the account number and beginning balance. I want to show the account numb
-
Indesign - Bilder verspringen beim neu platzieren
Hallo, wir müssen häufig Bilder in Indesign neu platzieren, bei denen der Hintergrund über eine Arbeitsflächen-Erweiterung stark an einer oder zwei Seiten erweitert wurde. Leider verspringen diese beim neu platzieren. Kennt jeman eine Lösung für dies