How to Virtual IP configuration in ACE module?

Hi,
I am in the process of configuring load balancing on ACE module but struggling to configure virtual IP address for ACE module.
I'm working on ACE30 module and using software version A5 (1.2). ACE module is in slot of Catalyst 6504 switch.
Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
Regards,
Rachit.

Hi Rachit,
Here is a basic configuration example:
access-list Allow_Access line 10 extended permit ip any any
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
sticky http-cookie test group2
  cookie insert
  serverfarm test
class-map match-all VIP
  2 match virtual-address 10.198.16.122 tcp eq www
  policy-map type loadbalance first-match test
  class class-default
    sticky-serverfarm group1
policy-map multi-match clients
  class VIP
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Here is the configuration guide:
http://tools.cisco.com/squish/101AD
Cesar R

Similar Messages

  • Ssh access into virtual context on the ACE module A(2.2)

    Hello,
    I tried to configure:
    Admin(conf)#context test
    Admin(conf-context)#ssh key rsa1 1024
    but this command ssh is not supported int this newest version. How can I configure the ssh access directly into virtual context on the ACE module??
    Thank you

    Here's a link on how to configure it.
    https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
    Hope that helps.

  • Have any one configure transparent caching on ACE module

    How to configure transparent caching on ACE module? Please kindly give me a example configure. Thank you very much.

    here is a basic config.
    The module will intercept traffic coming in on vlan 20 and loadbalance it doing a url hashing to caches in vlan 30.
    The mode is transparent so the destination ip address is preserved.
    serverfarm host CACHES
    transparent
    predictor hash url
    rserver linux1
    inservice
    rserver linux1-24
    inservice
    class-map match-all VIP-TCP80
    2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
    policy-map type loadbalance first-match SF-CACHES
    class class-default
    serverfarm CACHES
    policy-map multi-match SLB-CACHES
    class VIP-TCP80
    loadbalance vip inservice
    loadbalance policy SF-CACHES
    interface vlan 20
    ip address 192.168.20.123 255.255.255.0
    peer ip address 192.168.20.121 255.255.255.0
    access-group input PERMIT-ANY
    service-policy input ALLOW-ALL
    service-policy input SLB-CACHES
    no shutdown

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    Hi have the following config which seems to be working fine for me...  check your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
    peer 1
    priority 110
    peer priority 105
    associate-context Admin
    inservice
    ft group 2
    peer 1
    priority 110
    peer priority 105
    associate-context ace-context1
    inservice
    ft group 3
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context2
    inservice
    ft group 4
    peer 1
    priority 105
    peer priority 110
    associate-context ace-context3
    inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
    description *** Client-Facing VLAN ***
    ip address 10.1.35.5 255.255.255.0
    alias 10.1.35.4 255.255.255.0
    peer ip address 10.1.35.6 255.255.255.0
    access-group input ACL_VL950_IN
    service-policy input REMOTE_MGMT
    service-policy input MY_LB
    no shutdown
    interface vlan 951
    description *** Connection to Real Servers ***
    ip address 10.1.36.2 255.255.255.0
    alias 10.1.36.1 255.255.255.0
    peer ip address 10.1.36.3 255.255.255.0
    access-group input ACL_VL951_IN
    service-policy input NAT_REAL
    no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • How to configure 7916 expansion module

    Hi
    Can somebody show me, how to configure 7916 expansion module, it's the first time I worked with and i have just a blue screen when I connect it to 7965.
    thanks for all

    Hi Malek,
    The steps are detailed here;
    Attaching a Cisco Unified IP Phone Expansion Module
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7962g_7961g_7961g-ge_7942g_7941g_7941g-ge/7_1/english/administration/guide/62614241set.html#wp1039513
    Hope this helps!
    Rob

  • ACE module - Qos - set ip tos #

    All,
    Trying to mark traffic to/from L4 rules in the ACE.
    Documentation (like always) says it's really easy.  Mark traffic by using the "set ip tos <value>" command in Policy/Class configuration.  Ok, so I do this, set ip tos 24.
    Enable qos globally on the 6500 host, but don't see the traffic being marked.
    sh mls qos says that packets are being modified by module 5 (ACE)
    But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
    sh mls qos:
    QoS is enabled globally
      Policy marking depends on port_trust
      QoS ip packet dscp rewrite enabled globally
      Input mode for GRE Tunnel is Pipe mode
      Input mode for MPLS is Pipe mode
    QoS Trust state is CoS on the following interface:
    Te3/1
    QoS Trust state is DSCP on the following interface:
    Gi2/3
      Vlan or Portchannel(Multi-Earl) policies supported: Yes
      Egress policies supported: Yes
    ----- Module [5] -----
      QoS global counters:
        Total packets: 207147888661
        IP shortcut packets: 0
        Packets dropped by policing: 0
        IP packets with TOS changed by policing: 2663386
        IP packets with COS changed by policing: 4889352
        Non-IP packets with COS changed by policing: 0
        MPLS packets with EXP changed by policing: 0
    Can someone explain to me what I've got wrong here?  Is the ACE simply marking traffic destined for the servers behind it and not the return traffic?  Am I missunderstanding something?

    Well... hopefully someone knows how to classify traffic coming from the ACE.
    I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it.  At least not the way I want.
    However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially sucessful solution.  Problem is, "partially" successful.
    You'll have a bunch of little conversations like this with no tos value full of push-acks:
    10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
    10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
    10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
    10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
    10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
    10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
    10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
    10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
    10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
    10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
    10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
    But then you'll see another conversation pop up with the correct markings
    10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
    10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
    I think what's happening, is that the conversations full of the P-acks is the load balancer communicating directly with the client (i.e. LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (like it might/probably is doing with the p-acks) on it's way back to the client.
    I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so can't mark traffic there either.  And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
    So.... PLEASE... Anyone???  Ideas???

  • Want to know about ACE module in 6509 : load-balancing concept

    Hi,
    I am quite new in this field , where i need to configure and understand the concept of load-balancing through ACE.
    In my existing network set-up , i have some application servers as well as some other servers where i am looking for load-balancing.
    I have gone through some of the site and cisco site as well and i came across ACE module which can be installed in 6509 switch.
    I have 6509 switch as well but before going for installing the ACE module I am keen to understand below things:
    1) what is difference between CSM or any other product load-balancer and ACE module :
    Gone through site as well , but not getting proper answer or comparison.
    1) I have some of the server configured with clustering and getting one virtual IP, In this case , will ACE work ?
    2) If suppose i go for configuring different IP address with all server IP :
    How do i achieve it ?
    3) what is Virtual IP concept in ACE because i do not have and other ACE module then why do i need virtual IP ?
    4) will the load-balancing happens based on destination based or session based ?
    Please share the knowledge. It would be great help for me to go ahead with ACE and configure it and understand all the application ?

    Hello,
    1) what is  difference between CSM or any other product load-balancer and ACE  module :
    There are several differences but to say simply, you get higher performance and more features with ACE module/appliance comparing others.
    One big difference is that with ACE seriese, you can configure multiple contexts on one box (virtual load-balancers on one box) that makes us possible to provide a virtual load-balancer to a customer. In that way, the customer can access and makes changes on only the virtual box. You can split management domain for each customers. Also using contexts, you can assign certain resources available on the hardware for each contexts according to their service contract.
    ACE serise has specific hardware chip for supporting SSL termination but some others do not.
    For instance, you need a CSM-S, or a CSM and a SSL module to terminate SSL.
    The other thing I should mention is that our most recent product is ACE serise that means it has longer product roadmap.
    Let me try clarifying your other questions.
    3)  what is Virtual IP concept in ACE because i do not have and other ACE  module then why do i need virtual IP ?
    4) will the load-balancing happens  based on destination based or session based ?
    I think I'd better to put 3) and 4) first.
    Virtual ip  address (VIP) is the address to which client accesses.
    VIP is tied with a  serverfarm or serverfarms, in a serverfarm one or multiple rservers can  be configured.
    "serverfarm" is a group of "rservers".
    "rserver" means  real-server that has an ip address and processes transactions.
    When a client  accesses to the VIP, ACE picks up a rserver according to algorithm.
    If you configure a  VIP that is tied with a serverfarm where only one rsever is  configured, client accesses to the virtual ip address are
    all forwarded to  the rserver.
    If you configure a  VIP that is tied with a serverfarm where multiple rsevers are  configured,  client accesses to the virtual ip address are
    balanced among  those rservers.
    If you configure  multiple VIPs, client accesses to those VIPs are forwareded to  corresponding rservers according to configuration.
    1)  I have some of the server configured with clustering and getting one  virtual IP, In this case , will ACE work ?
    ACE load-balances connections to configured rservers.
    If the clustered servers are sharing one virtual ip address and you configure the virtual ip address as a rserver, all connections are
    sent to the virtual ip address. That is not "load-balancing" on ACE... You need multiple rservers to which ACE load-balances connections.
    2) If suppose i go for  configuring different IP address with all server IP :
    How do i  achieve it ?
    You can configure those ip addresses as rserver ip address.
    Multiple rservers are tied into a group, "serverfarm".
    I'm not certain about your culstered servers but I guess you can configure each ip addresses in the culster as rservers.
    Then put those rservers in a serverfarm.Client accesses to a virtual ip address configured on ACE for the serverfarm.
    This way connections are load-balanced among those rservers depending on load-balancing algorithm you choose.
    Above is just an overveiw. ACE gives you granular control not mentioned above.
    I can provide more specific information if you tell me details of what you are trying to archive with ACE.
    Regards,
    Kimihito.

  • Reuse of context in ACE module

    Hi all, just have a question about som reuse of resources in a ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my context.  The config is not complex and difficult, but I'm not sure if I can do this.
    The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
    Since I haven't decided the ip addresses to be used, they are just xx in the config below.
    The changes I want to implement are in bold.  Will this work for me?
    probe http WEBGUI_D2
    description Probe for http mot webgui
    interval 10
    passdetect interval 10
    passdetect count 1
    request method get url /D2/auth/login.aspx
    expect status 200 302
    header User-Agent header-value "IDENTITY"
    rserver host cwi003
    description content server logon
    ip address 10.163.22.27
    inservice
    rserver host cwi004
    description content server logon
    ip address 10.163.22.28
    inservice
    rserver host cwi503
    description content server logon 2
    ip address 10.163.22.23
    inservice
    rserver host cwi504
    description content server logon 2
    ip address 10.163.22.24
    inservice
    serverfarm host SF_LOGON_D2
    probe WEBGUI_D2
    rserver cwi003 80
       inservice
    rserver cwi004 80
       inservice
    serverfarm host SF_LOGON2_D2
    probe WEBGUI_D2
    rserver cwi503 80
       inservice
    rserver cwi504 80
       inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
    timeout 20
    replicate sticky
    serverfarm SF_LOGON_D2
    serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON_D2
    3 match virtual-address 10.163.22.13 any
    class-map match-all VS_LOGON2_D2
    3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB
    class class-default
       sticky-serverfarm STICKYGROUP1
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
    class VS_LOGON_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 5 vlan 1240
    class VS_LOGON2_D2
       loadbalance vip inservice
       loadbalance policy PM_ONE_ARM_LB
       nat dynamic 6 vlan 1240
    interface vlan 1240
    description Client_server
    ip address 10.163.22.11 255.255.255.0
    peer ip address 10.163.22.12 255.255.255.0
    access-group input INBOUND
    nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
    nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    service-policy input PM_ONE_ARM_MULTI_MATCH
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.163.22.1
    BR
    Geir

    Thanks for your reply.
    Hope I understand you correct.  This sould be the config I need to paste into the existing context.
    rserver host cwi503
      description content server logon 2
      ip address 10.163.22.23
      inservice
    rserver host cwi504
      description content server logon 2
      ip address 10.163.22.24
      inservice
    serverfarm host SF_LOGON2_D2
      probe WEBGUI_D2
      rserver cwi503 80
        inservice
      rserver cwi504 80
        inservice
    sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
       timeout 20
       replicate sticky
       serverfarm SF_LOGON2_D2
    class-map match-all VS_LOGON2_D2
       3 match virtual-address 10.163.22.xx any
    policy-map type loadbalance first-match PM_ONE_ARM_LB2
      class class-default
        sticky-serverfarm STICKYGROUP2
    policy-map multi-match PM_ONE_ARM_MULTI_MATCH
      class VS_LOGON2_D2
        loadbalance vip inservice
        loadbalance policy PM_ONE_ARM_LB2
        nat dynamic 6 vlan 1240
    interface vlan 1240
      nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
    Br
    Geir

  • Ace module dropping assymetric layer 2 connections

    Hi we had a situation in where the ACE would randomly drop certain tcp connections, and all ICMP packets from a certain windows server.  The server in question was using Transmit Load Balancing with Fault Tolerance.
    The server has one Nic connected to Access switch1, and the other nic connected to Access switch2. Each access switch connects up to a pair of 6509's, which is active on Core1 on both switches.
    I am guessing If the server sends on Nic 2, core1 knows it came in on the downstream trunk port to Switch2, it must reply to these packets based on the teamed mac of the layer 3 address(no idea who is arping for the destination - the ace?), and send them back out the downstream trunk port to switch1.  The ace module is in transparent mode.  When contacting a server on the other side of the ace, the ace drop packets that came from the second nic - and I am wondering how it "knows" that the return path is out of different downstream port.  Does it share some kind of layer 2 RPF check with the 6500 ?
    Please note there is no routing involved here.  The destination server is just on another vlan on the same subnet, on the other side of the ace.

    Bryan,
    As long as the server replies back to the ACE the client should only be commmunicating with the VIP address in either of your two examples.
    In your first example the flow will look like this.
    client > VIP after the ACE  client > rserver
    the reply would be
    rserver > client after the ACE VIP > rserver
    In your second example using client nat it will look like this
    Client > VIP   After ACE  Natpool > rserver.
    the reply would be
    rserver > Nat-pool  after ACE VIP > client.
    The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
    Regards
    Jim

  • Ace module in bridged mode with client nat

    Could someone confirm whatever a NAT is supported for ACE-20 module, please?
    Let me to explain technical details.
    I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
    if the configuration below is correct. ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
    "policy-map type loadbalance"
    Could you check two parts of configs and advise me if the ACE config is
    properly converted from CSM and will be working in the same way (especialy for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • ACE Module Management IP

    How can I configure ssh management access to the ACE module configured in bridged mode.

    do not mix "domain" name and user "domain".
    The domain name is something like cisco.com or yourcompany.net ...
    But the user domain is what objects is a user allowed to modify/configure/access inside ACE.
    I don't think you need to specify a domain-name to generate the key.
    Here is what I did :
    switch/Admin(config)# ssh key rsa 768
    generating rsa key(768 bits).....
    generated rsa key
    switch/Admin(config)#
    gdufour-cat6k1#ssh -l admin 10.86.213.40
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    User 'www' is disabled.Please change the password to enable the user.
    switch/Admin#
    Just make sure you allow SSH traffic with your management policy.
    Gilles.

  • Per-ServerFarm SNAT on ACE Module.

    Dear all,
    I hace an ACE Module configured in Multiple Routed Contexts.
    My cust wants to configure some NAT Feature that prevents the real server IP Address appear outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Adress (VIP) that represents the serverfarm.
    Also, the cust wants that different serverfarms comunicate each other within the same VLAN.
    I was reading and the option that acomplish both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
    Is this correct?
    The software version is A2(3,5).
    Thanks a lot!
    David

    Hi David
    Could you please calrify and maybe separate tasks you have ?
    As I understand you have such tasks for now :
    1) Don't show rserver IPs anywere outside ACE
    2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
    First task is a little bit unclear. I mean - actually you have VIP outiside of ACE and all outiside clients communicate to serverfarm via VIP and don't need to know rserers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
    Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too ?
    2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only one key difference is that you need to add NAT statement , because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
    E.g.
    policy-map multi-match VIP_IN
    class MY-CLASS
    loadb vip ins
    loadb policy MY-L7Policy
    nat 1 dynamic vlan X << - inside interface
    and then on inside interface
    inter vlan X
    nat-pool 1Y.Y.Y.Y netmask 255.255.255.255 pat
    In this case it will work in this way : say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you confiure like I wrote above this will happen :
    Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8 , ACE will catch it an proceed it. You have a SNAT statement there, so ACE will perform standard loadblanacing and replace source IP with NAT IP (say 10.0.0.100) , thus when server #1 which gets this loadbalanced traffic receives it , it will send return traffic to 10.0.0.100 , thus to ACE.

  • ACE Module

    Basically we have a running ACE context which works however we are using natting and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config but I have the problem of when the client is on the server side network the traffic never makes it there.
    ACE1/10.0.0.0_Network# sho run
    Generating configuration....
    access-list ALL line 8 extended permit ip any any
    rserver host CE-565-1
    ip address 10.0.2.83
    inservice
    serverfarm host Content_Engine_SF
    rserver CE-565-1
    inservice
    class-map match-all Content_Engine_VIP
    2 match virtual-address 10.0.18.101 any
    class-map type management match-any Remote_Management
    2 match protocol http any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    policy-map type management first-match rmt_mgt_policy
    class Remote_Management
    permit
    policy-map type loadbalance first-match Content_Engine_VIP-l7slb
    class class-default
    serverfarm Content_Engine_SF
    policy-map multi-match int18
    class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
    access-group input ALL
    interface vlan 3
    description Server_Side
    ip address 10.0.3.240 255.255.254.0
    mac-sticky enable
    no shutdown
    interface vlan 18
    description Client Side Network
    ip address 10.0.18.251 255.255.255.0
    mac-sticky enable
    service-policy input int18
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.18.1
    if I telnet to the vip from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However when I telnet from a machine on the vlan 3 10.0.2.188 it does not work. I would have thought the mac-sticky option would work but it seems to be doing nothing. Any ideas with out using a NAT pool would be great so we can see the originating IP Address.

    If you are initiating traffic from serverA to a vip that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, ServerB will ARP for serverA address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
    1. Use NAT to ensure the return traffice makes it back to ACE.
    2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827

  • ACE module - end-to-end SSL

    Hello,
    I'm in the process of setting up an end to end SSL configuration but it doesn't work and I'm getting a bit confused at this stage.I imported a cert using the terminal (copy/paste) then I imported a key using the same method and the tftp. The TFTP failed and the terminal was displaying a message telling me there was topo many lines.
    I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
    Is there any clear documentation on how to configure an end to end SSL ?
    I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
    I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
    Did anybody came across the same issues on the first time configuring end-to-end ssl with ACE?

    just don't know where to start.
    I feel like you do not have the right key/cert.
    This would be the very first thing to verify.
    Where did you get your key and cert ?
    What certificate authority signed your certificate ?
    The creation of the session key requires the use of an RSA key pair (private/public).
    Every server must have a public and a private key associated with a certificate signed by a certificate authority.
    If you're not familiar with those concepts, configuring an SSL offloaded like ACE won't be easy.
    Maybe you should start be reading on the subject from various article available on the WEB.
    openssl is a great tool to generate keys and certficates.
    I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
    Then import everything into ACE.
    Once you have valid key/cert we can continue with the configuration.
    Gilles

Maybe you are looking for

  • Boot camp assistant says "not enough space" with 35GB available!

    I have recently cleared space on my hard drive to accomodate a 64bit Windows 7 partition, which I wanted to make with boot camp assistant. I made absolutely sure I had plenty of space; in fact, I have no less than 35 GB of space available on my start

  • Errors in a log file /var/log/system.log

    I'm getting these errors in a log file /var/log/system.log Shutdown: Sep 21 12:41:38 Mac-mini.local WindowServer[86]: CGXGetConnectionProperty: Invalid connection 42243 Sep 21 12:41:38 Mac-mini.local coreservicesd[58]: SendFlattenedData, got error #2

  • Blurred / out of focus screen

    I placed my new PowerBook G4 15" next to an identical PowerBook and my screen / display is more blurred. Documents, icons, everything is blurred on mine, clear on the other. I checked all "display" settings in Sys Prefs and they are identical on both

  • Calling an unix command from a java program which runs on windows

    Hello All I have an Java Application which is run on windows server (I) I have another Sun Server (II) I want to call an unix command on server(II) from java application which is on server(I) I am using Samba Server in order to share files between Wi

  • How to enable Enterprise services

    Hi guys started leanring about SOA. We are currently on ECC 6.0 with the latest support packs. Is there anything that needs to be installed for the ESOA / web services to work or do they come as default with ECC 6.0 and higher. Do i need to ask the b