CSS11500 one arm design configuration assistance.

Similar Messages

• Sniffer Trace on ACE w/VACLs and One-Arm Design

  Wow...that was a mouthful of a title!
  Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
  client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
  The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
  interface GigabitEthernet x/xx
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  switchport capture
  switchport capture allowed vlan 3002
  no ip address
  no cdp enable
  Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
  bc

  This can be done by setting up a monitor session on the Sup, with the
  TenGig/1 as SPAN
  source, and a trunk port as SPAN destination.
  For example, if the ACE is in slot X, the configuration would be:
  monitor session 10 source interface TeX/1
  monitor session 10 destination interface Giy/z
  The configuration for this port would be:
  int giy/z
  switchport
  switchport trunk encapsulation dot1q
  switchport mode trunk
  switchport nonegotiate
  Syed Iftekhar Ahmed

• ACE 4700 one-arm design with SSL termination

  Hi,
  We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
  1. Are there any limitations in the one-arm design and the SSL offloading
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  I would appreciate if you can share some sample configs
  Regards,
  George Georgiou

  There are two ways to implement One Arm topology.
  1. One Arm with PBR & 2.One Arm with SRC NAT
  PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
  1. Are there any limitations in the one-arm design and the SSL offloading
  The limitations/config issues I can think of are following
  One ARM with PBR:
  Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
  One ARM with SRC NAT:
  You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
  2. Can the ACE be configured with an IN and an OUT vlan to the router
  CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
  so that the SSL and the clear text traffic is in a separate Vlan?
  Yes you can do that but wouldnt it make it routed mode topology?
  3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
  As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
  Details at
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
  HTH
  Syed Iftekhar Ahmed

• Source Nating in CSM one armed design

  What is the best practice for creating Source Nating in CSM One armed design? I am doing CSS to CSM migration. I have created the NATPOOL used the VIP address like natpool CSS0 10.xxx.xx.xxx 10.xxx.xx.xxx netmask 255.255.255.0. I did experience some latency after migrating to CSM. Then I used diffrent Ip address is the NATPOOL that improved the latency. Is there any documentation which clearly explains this issue?
  Thanks

  the natpool will have no impact on performance.
  The problem must come from somewhere else.
  You should capture a sniffer trace and verify what is going on.
  Gilles.

• CSS 11503 One-arm Design and Server Default Gateway

  Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
  Thanks!
  Tom

  Hi Tom,
  If you have one arm mode, you might have problems with asymmetric flows, due that the CSS behaves similar to a firewall when it comes to flows, as it needs to see both sides of the flow ( client and server side ) in order to handle things correctly. Having this kind of setup, and even when the server pointing to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
  You can put as default gateway the L3 switch, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address for the VIP that you use on the group and would force the flow to go back to the CSS.
  Another thing that you can do is to use the CSS as the server's DG, but you must make sure that all L3 devices, including the CSS have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
  I hope you find this helpful. Thanks!
  Regards,
  Jose Quesada.

• OEM10g install: ORACLE NET CONFIGURATION ASSISTANT HANGS

  After the execution of "allroot.sh", the configuration assistant window comes up and then "Oracle Net Configuration Assistant" shows "in progress..." indefinitely. I can not proceed further. When I stop it, the OUI exits.
  I raised a TAR 3 times but did not get a resolution. If any of you had this issue, I would appreciate if you could help me
  Thanks
  Mohammed
  OS: HP-UX B.11.23 U ia64
  OEM: 10.2.0.3 (downloaded from Oracle)

  Oracle Net Configuration Assistant will not install, here is the end of the install log.
  The following configuration assistants have not been successfully completed. These assistants must be completed for your product to be completely configured.
  Execute file C:\Oracle\product\10.1.0\Client_1\cfgtoollogs/configToolCommands to re-run all skipped/failed configuration assistants.
  echo Oracle Net Configuration Assistant
  C:\Oracle\product\10.1.0\Client_1\jdk\jre\\bin/java.exe -Dsun.java2d.noddraw=true -Duser.dir=C:\Oracle\product\10.1.0\Client_1\bin -classpath ";C:\Oracle\product\10.1.0\Client_1\jdk\jre\\lib\rt.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ldapjclnt10.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ewt3.jar;C:\Oracle\product\10.1.0\Client_1\jlib\ewtcompat-3_3_15.jar;C:\Oracle\product\10.1.0\Client_1\network\jlib\NetCA.jar;C:\Oracle\product\10.1.0\Client_1\network\jlib\netcam.jar;C:\Oracle\product\10.1.0\Client_1\jlib\netcfg.jar;C:\Oracle\product\10.1.0\Client_1\jlib\help4.jar;C:\Oracle\product\10.1.0\Client_1\jlib\jewt4.jar;C:\Oracle\product\10.1.0\Client_1\jlib\oracle_ice.jar;C:\Oracle\product\10.1.0\Client_1\jlib\share.jar;C:\Oracle\product\10.1.0\Client_1\jlib\swingall-1_1_1.jar;C:\Oracle\product\10.1.0\Client_1\jdk\jre\\lib\i18n.jar;C:\Oracle\product\10.1.0\Client_1\jlib\srvmhas.jar;C:\Oracle\product\10.1.0\Client_1\jlib\srvm.jar;C:\Oracle\product\10.1.0\Client_1\network\tools" oracle.net.ca.NetCA /orahome C:\Oracle\product\10.1.0\Client_1 /orahnam OraClient10g_home1 /instype custom /inscomp client,oraclenet,ano /insprtcl tcp,nmp /cfg local /authadp NO_VALUE /nodeinfo NO_VALUE /responseFile C:\Oracle\product\10.1.0\Client_1\network\install\netca_clt.rsp
  Error:*** Alert: One or more configuration assistants have not completed successfully. However these are optional, so they are not required for the correct configuration of your system. A list of the configuration assistants that need to be run is generated in the log of this session which is located at:
  C:\Program Files\Oracle\Inventory\logs\installActions2008-04-15_11-01-05AM.log ***

• Can I configure csm as one arm and routing mode at the same time?

  My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
  Thanks in advance.
  Jason

  Gille,
  Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
  Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
  Thanks
  Jason

• CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

  With Reference to the following CCO documentation;
  1). "How to Configure the CSS to Load Balance Using 1 Interface"
  In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
  2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
  In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
  Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
  (i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
  (ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
  Method a)
  1.Configure the Real Server's gateway to Router's Gateway
  2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
  3.Configure VIP(non-shared) redundancy for the VIP on the CSS
  4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
  Method b)
  1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
  2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
  3. Configure VIP(non-shared) redundancy for the VIP on the CSS

  if you use method a) (server gateway is the router) you need the CSS to nat
  the source ip address of the client in order to force the server to send traffic back to the CSS.
  The issue then is that the server does not see the IP address of real client.
  The server only see connections with source IP address = CSS ip address.
  With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
  You have a performance issue because the traffic will cross 2 times the one-armed interface.
  If this is a new design, it is strongly recommended not to use one-armed setup.
  Regards,
  Gilles.

• CSM-S, move to one-arm configuration.

  Hello.
  We  are using a couple of CSM-S with a single subnet bridge and fault  tolerance configuration. Now we are evaluating to move to an one-arm  configuration, so I’m reading some design guides.
  We want to move to this topology because there are some advantages like efficient utilization of resources.
  Because we are serving different areas with different security level I’m looking for best practices also.
  The main question is about security because CSM does not support virtual contexts like ACE.
  Any suggestions?
  Thanks.
  Andrea

  Hello Andrea,
  As you noted, the capability for ACE to be able to keep traffic segregated is much easier to work with than the CSM's.  Basically, you have to utilize both client groups and the VLAN statement under Vservers to be able to keep traffic segregated.  Here is an example:
  module ContentSwitchingModule 4
  vlan 100 client
    ip address 192.168.100.1 255.255.255.0
  vlan 150 client
     ip address 192.168.150.1 255.255.255.0
  vlan 200 client
     ip address 192.168.200.1 255.255.255.0
  vlan 250 client
     ip address 192.168.250.1 255.255.255.0
  natpool POOL-1 192.168.100.2 192.168.250.2 netmask 255.255.255.0
  natpool POOL-2 192.168.150.2 192.168.250.2 netmask 255.255.255.0
  natpool POOL-3 192.168.200.2 192.168.250.2 netmask 255.255.255.0
  natpool POOL-4 192.168.250.2 192.168.250.2 netmask 255.255.255.0
  serverfarm DMZ1
  nat server
  nat client POOL-1
  real 192.168.100.50
    no inservice
  real 192.168.100.51
    inservice
  real 192.168.100.52
    inservice
  serverfarm DMZ2
  nat server
  nat client POOL-2
  real 192.168.150.82
     no inservice
    real 192.168.150.83
     inservice
    real 192.168.150.84
     inservice
  serverfarm DMZ3
  nat server
  nat client POOL-3
  real 192.168.200.75
     no inservice
    real 192.168.200.78
     inservice
    real 192.168.200.90
     inservice
  serverfarm DMZ4
  nat server
  nat client POOL-1
  real 192.168.250.82
     no inservice
    real 192.168.250.83
     inservice
    real 192.168.250.84
     inservice
  vserver DMZ1
    virtual 192.168.100.10 tcp www
    vlan 100
    serverfarm DMZ1
    persistent rebalance
    inservice
  vserver DMZ2
    virtual 192.168.150.10 tcp www
    vlan 150
    serverfarm DMZ2
    persistent rebalance
    inservice
  vserver DMZ3
    virtual 192.168.200.10 tcp www
    vlan 200
    serverfarm DMZ3
    persistent rebalance
    inservice
  vserver DMZ4
    virtual 192.168.250.10 tcp www
    vlan 250
    serverfarm DMZ4
    persistent rebalance
    inservice
  In the above configuration, if any packet comes into vlan 100 destine to 192.168.100.10 on port 80, it can hit the vip.  If the same packet comes into any other vlan, it will not be able to hit the vip.  The "vlan 100" statement under DMZ1 vserver filters the traffic so that only traffic that came into that vlan can hit that specific vserver.
  If you need to do additional filtering, say by source subnet range, you can use client groups to furthur permit/deny traffic at a more granular level.  Here is an example:
  (The access-list is created globally on the 6500 - the access list is then referenced by number in the CSM configuration. ONLY standard access lists can be used!!)
  access-list 2 permit 192.168.0.0 0.0.255.255
  access-list 2 deny   any
  access-list 3 permit 10.10.0.0 0.0.255.255
  access-list 3 deny   any
  policy 192_subnet_filter
    client-group 2
    serverfarm DMZ4
  vserver DMZ4
     virtual 192.168.250.10 tcp www
     vlan 250
    slb-policy 250_subnet_filter
     persistent rebalance
     inservice
  With this configuration, only traffic with a source IP of 192.168.0.0/16 or 10.10.0.0/16 that arrive on vlan 250 will be allowed to hit the vserver. "Client-Group 2" refers to the "Access-list 2" in the global config.
  Note that the serverfarm that used to be under the vserver was removed.  If you leave the serverfarm DMZ4 statement under the vserver along with the slb-policy applied, and traffic that does not match your client group is sent to that serverfarm.  It is another way of filtering traffic out.  If you do not include a fallback serverfarm (like the example above), any traffic that doesn't match the client group is reset.
  Let me know if you have any furthur questions!
  Regards,
  Chris Higgins

• Trade-off between the one-arm and two-arm WAE designs

  We are configuring a WAE (model 512) for a branch office and I was wondering if someone could please tell me the trade-off between the one-arm and two-arm WAE designs..
  thanks..
  greg..

  if you are using WCCP then the WAE becomes the client withing the servcie groups 61, 62. In order to accelerate both vlans then apply the ip redirect 61 in on the client vlan ineterfaces to the one interface.
  If inline, you can use both 2 port groups for each client interface or trunk all to a single inetrface and configure which vlans you would like to accelerate.
  Now in terms of of using both GE inetrfaces, I would have to check. A topology diagram would help

• CSS redundancy on one-armed configuration

  Can we configure box-to-box redundancy on a one-armed configuration or do we have to use the 'Active-active stateful failover ASR' ?
  We are using CSS 11500.

  you can use box-to-box.
  However, the vip/interface redundancy is much more interesting.
  With the combination of ASR you have stateful redundancy that you do not have with box-to-box.
  Also, box-to-box redundancy as a single point of failure since you can have only 1 cable for the redundancy protocol between the 2 CSS.
  If this connection fails, both CSS will become active and you get into lot of troubles.
  Regards,
  Gilles.

• Please verify the CSS and SCA configuration for one-armed transparent mode

  I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
  I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
  Thanks,
  ** connectivity ********
  <client>----<router>----<CSS>---<SCA>,<Server>
  - client=7.7.7.100
  - router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
  - SCA=11.11.11.100, connect to VLAN3 of CSS
  - server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
  ** configuration *********
  CSS11050# sh run
  !Generated on 01/01/2079 00:00:47
  !Active version: ap0500105
  configure
  !*************************** GLOBAL ***************************
  acl enable
  ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
  ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
  ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
  !************************* INTERFACE *************************
  interface e2
  bridge vlan 2
  interface e3
  bridge vlan 3
  interface e4
  bridge vlan 4
  interface e5
  bridge vlan 4
  !************************** CIRCUIT **************************
  circuit VLAN1
  ip address 9.9.9.2 255.255.255.0
  circuit VLAN2
  ip address 8.8.8.2 255.255.255.0
  circuit VLAN3
  ip address 11.11.11.1 255.255.255.0
  circuit VLAN4
  ip address 10.147.153.1 255.255.255.0
  !************************** SERVICE **************************
  service ING_SVC_12
  protocol tcp
  ip address 10.147.153.12
  active
  service ING_SVC_15
  protocol tcp
  ip address 10.147.153.15
  active
  service ING_SVC_SCA
  port 443
  protocol tcp
  ip address 11.11.11.100
  type transparent-cache
  no cache-bypass
  active
  service upstream
  ip address 8.8.8.3
  type transparent-cache
  active
  !*************************** OWNER ***************************
  owner ING_OWNER
  content cnt_443
  add service ING_SVC_SCA
  protocol tcp
  port 443
  vip address 9.9.9.1
  active
  content cnt_80
  add service ING_SVC_12
  add service ING_SVC_15
  protocol tcp
  port 80
  url "/*"
  vip address 9.9.9.1
  active
  content cnt_81
  add service ING_SVC_12
  add service ING_SVC_15
  vip address 9.9.9.1
  protocol tcp
  port 81
  url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
  active
  !**************************** ACL ****************************
  acl 1
  clause 10 permit any any destination any
  apply circuit-(VLAN1)
  acl 2
  clause 10 permit any any destination any
  apply circuit-(VLAN2)
  acl 3
  clause 10 permit any any destination any
  apply circuit-(VLAN3)
  acl 4
  clause 10 permit any any destination any
  apply circuit-(VLAN4)
  ING_SCA# sh run
  # Cisco SCA Device Configuration File
  # Written: Sun Feb 6 01:12:54 2106 MST
  # Inxcfg: version 4.1 build 200211151311
  # Device Type: CSS-SCA
  # Device Id: S/N 11aca8
  # Device OS: MaxOS version 4.1.0 build 200211151311 by reading
  ### Mode ###
  mode one-port
  ### Interfaces ###
  interface network
  auto
  end
  interface server
  auto
  end
  ### Device ###
  ip address 11.11.11.100 netmask 255.255.255.0
  hostname ING_SCA
  timezone "MST7MDT"
  ### Password ###
  password idle-timeout 15
  ### SNTP ###
  sntp interval 86400
  ### Static Routes ###
  ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
  ### RIP ###
  no rip
  ### DNS ###
  no ip name-server
  no ip domain-name
  ### Telnet ###
  telnet enable
  ### Web Management ###
  web-mgmt port 80
  no web-mgmt enable
  ### SNMP Subsystem ###
  no snmp
  ### SSL Subsystem ###
  ssl
  server ING create
  ip address 9.9.9.1
  localport 443
  remoteport 81
  key default
  cert default
  secpolicy default
  sslv2 enable
  sslv3 enable
  tlsv1 enable
  session-cache size 20480
  session-cache timeout 300
  session-cache enable
  no clientauth enable
  clientauth verifydepth 1
  clientauth error cert-other-error fail
  clientauth error cert-not-provided fail
  clientauth error cert-has-expired fail
  clientauth error cert-not-yet-valid fail
  clientauth error cert-has-invalid-ca fail
  clientauth error cert-has-signature-failure fail
  clientauth error cert-revoked fail
  sharedcipher error failhtml
  ephemeral error failhtml
  no httpheader client-cert
  no httpheader server-cert
  no httpheader session
  no httpheader pre-filter
  httpheader prefix "SSL"
  ephrsa
  keepalive frequency 5
  keepalive maxfailure 3
  no keepalive enable
  end
  end

  the problem is the routing.
  You need a route for the client pointing to the SCA like this
  ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
  This is so the reply from the server to the client goes back to the SCA first
  for encryption.
  Gilles.

• ACE in one-arm model. VIP on Client Side, servers in other vlan

  Hello All
  i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
  i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
  the servers are in vlan 503 (10.12.3.0/24)
  it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
  the configuration is the next:
  MSFC:
  svclc module 1 vlan-group 1,2,
  svclc vlan-group 1 503,900-902
  svclc vlan-group 2 511
  interface Vlan503
  description OSS_&_Otros
  ip address 10.12.3.253 255.255.255.0
  standby 10 ip 10.12.3.254
  standby 10 priority 150
  standby 10 preempt delay minimum 305
  interface Vlan900
  description MSF_<->_ACE
  ip address 10.0.9.126 255.255.255.192
  end
  access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
  access-list 101 deny ip any any
  route-map From_Server_OSS_to_ACE permit 10
  match ip address 101
  set ip next-hop 10.0.9.125
  ACE_1/admin#
  ip route 0.0.0.0 0.0.0.0 10.0.9.126
  context OSS
  allocate-interface vlan 511
  allocate-interface vlan 900
  allocate-interface vlan 902
  member Max20
  ACE_1/OSS# sh run
  Generating configuration....
  access-list EVERYONE line 10 extended permit ip any any
  access-list EVERYONE line 20 extended permit icmp any any
  rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
  rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice
  serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
  inservice
  rserver OSS_FES_2
  inservice
  class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any
  policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
  serverfarm SERVER_farm_OSS
  policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
  loadbalance vip inservice
  loadbalance policy OSS-LB-POLICY
  loadbalance vip icmp-reply
  interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown
  ip route 0.0.0.0 0.0.0.0 10.0.9.126
  maybe a i need to allocate the vlan 503 in OSS Context, any advice?
  Thanks in advace,
  Gianni From Chile

  Since you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
  This is how one-armed mode works.
  ACE_1/OSS# sh run
  Generating configuration....
  access-list EVERYONE line 10 extended permit ip any any
  access-list EVERYONE line 20 extended permit icmp any any
  rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
  rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice
  serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
  inservice
  rserver OSS_FES_2
  inservice
  class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any
  policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
  serverfarm SERVER_farm_OSS
  policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
  loadbalance vip inservice
  loadbalance policy OSS-LB-POLICY
  loadbalance vip icmp-reply
  nat dynamic 10 vlan 900
  interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown

• Unable to launch the Database Configuration Assistant

  I have installed Oracle 10g Database Release 1 and I can’t launch the Database Configuration Assistant (DBCA). The file c:\oracle\product\10.1.0\Db_1\bin\launch.exe does not exist on my computer.
  My intent is to design a simple database in Oracle for an organization that uses Oracle extensively. I am running WinXP professional on my home computer. WinXP includes Microsoft IIS and I regularly test web-packaged files on this “intranet server” using the domain “localhost”. I downloaded Oracle 10g and installed it to the c:\ drive following the instructions in Chapter 2 of the tutorial “Oracle 2-day DBA Course”. I selected “basic installation” and “standard edition”.
  I note that in the tutorial, the Oracle Home path has forward slants. The summary page of the Oracle installation wizard shows my installation with back slants. Do I need to install Oracle 10g to one of the directories in Microsoft IIS?
  Nicholas

  Install the Oracle database with the procedure in
  http://www.oracle.com/technology/obe/2day_dba/install/install.htm
  When you select the Install button, the Oracle universal installer displays the installation of the Database Configuration Assistant.
  Uninstall the previous installation. To uninstall database 10g
  1. Stop the oracle services Adminstrative Tools>Services.
  2. Uninstall the installed products in Oracle Universal Installer.
  3. In the Run field specify
  Regedt32
  In the Registry Editor select
  SYSTEM>Current Control Set>Services
  Remove the oracle services.
  4. Restart and dlete the directories in the oracle installation directory.

• CSM-S mode -One-Arm-vs- routed

  We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

  Gilles,
  What do you recommend when the traffic flows from the load balanced server are significant?
  ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
  Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?