How to configure a virtual IP in the ACE module?
Hi,
I am in the process of configuring load balancing on an ACE module but am struggling to configure the virtual IP address for it.
I'm working on an ACE30 module running software version A5(1.2). The ACE module is installed in a slot of a Catalyst 6504 switch.
Can anybody please post the steps/commands to perform this activity? An early response would be appreciated.
Regards,
Rachit.
Hi Rachit,
Here is a basic configuration example:
access-list Allow_Access line 10 extended permit ip any any
rserver host test
  ip address 10.198.16.98
  inservice
rserver host test2
  ip address 10.198.16.93
  inservice
serverfarm host test
  rserver test 80
    inservice
  rserver test2 80
    inservice
sticky http-cookie test group2
  cookie insert
  serverfarm test
class-map match-all VIP
  2 match virtual-address 10.198.16.122 tcp eq www
policy-map type loadbalance first-match test
  class class-default
    sticky-serverfarm group2
policy-map multi-match clients
  class VIP
    loadbalance vip inservice
    loadbalance policy test
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 112
interface vlan 112
  ip address 10.198.16.91 255.255.255.192
  access-group input Allow_Access
  nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
  service-policy input NSS_MGMT
  service-policy input clients
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.198.16.65
Here is the configuration guide:
http://tools.cisco.com/squish/101AD
Cesar R
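Before pasting a context config like the one above into a live ACE, it is worth cross-checking that every name it references is actually defined. The following Python checker is an added example (not part of the thread and not Cisco tooling): it parses the flat, unindented ACE config syntax shown above, resolves references between serverfarms, sticky groups, class-maps, policies, NAT pools and ACLs, and also flags any `permit ip any any` ACL applied to an interface. The embedded sample is an abridged copy of the reply's config in which the load-balance policy still points at sticky group `group1` while the sticky group is named `group2` (the mismatch present in the thread as originally posted) and `NSS_MGMT` is referenced but never defined.

```python
# Constructed sample: the reply's config above, abridged, with the load-balance policy still
# pointing at sticky group "group1" (the group is named "group2") and NSS_MGMT undefined.
SAMPLE_CONFIG = """\
access-list Allow_Access line 10 extended permit ip any any
rserver host test
ip address 10.198.16.98
inservice
serverfarm host test
rserver test 80
inservice
sticky http-cookie test group2
serverfarm test
class-map match-all VIP
2 match virtual-address 10.198.16.122 tcp eq www
policy-map type loadbalance first-match test
class class-default
sticky-serverfarm group1
policy-map multi-match clients
class VIP
loadbalance vip inservice
loadbalance policy test
nat dynamic 1 vlan 112
interface vlan 112
access-group input Allow_Access
nat-pool 1 10.198.16.122 10.198.16.122 netmask 255.255.255.192 pat
service-policy input NSS_MGMT
service-policy input clients
"""


def lint_ace_config(text):
    """Return findings: undefined references and 'permit ip any any' ACLs applied to interfaces."""
    defs = {k: set() for k in ("acl", "rserver", "serverfarm", "sticky",
                               "class-map", "lb-policy", "mm-policy", "mgmt-policy")}
    pools = set()         # (vlan, pool-id) defined under "interface vlan"
    broad_acls = set()    # ACLs containing "permit ip any any"
    refs = []             # (kind, name, where referenced), resolved after the whole config is read
    kind, name = None, None   # top-level block the current line belongs to
    for raw in text.splitlines():
        w = raw.split()
        if not w:
            continue
        where = f"interface vlan {name}" if kind == "interface" else f"{kind} {name}"
        # Top-level definitions (the ACE prints them unindented, so match on keywords).
        if w[0] == "access-list":
            kind, name = "acl", w[1]
            defs["acl"].add(name)
            if raw.rstrip().endswith("permit ip any any"):
                broad_acls.add(name)
        elif w[:2] in (["rserver", "host"], ["serverfarm", "host"]):
            kind, name = w[0], w[2]
            defs[kind].add(name)
        elif w[0] in ("sticky", "class-map"):
            kind, name = w[0], w[-1]
            defs[kind].add(name)
        elif w[0] == "policy-map":
            kind = {"loadbalance": "lb-policy", "management": "mgmt-policy"}.get(w[2], "mm-policy")
            name = w[-1]
            defs[kind].add(name)
        elif w[:2] == ["interface", "vlan"]:
            kind, name = "interface", w[2]
        elif w[0] in ("probe", "parameter-map") or w[:2] == ["ip", "route"]:
            kind, name = "other", w[-1]
        # Nested lines: record what they point at.
        elif kind == "serverfarm" and w[0] == "rserver":
            refs.append(("rserver", w[1], where))
        elif kind in ("sticky", "lb-policy") and w[0] == "serverfarm":
            refs.append(("serverfarm", w[1], where))
        elif kind == "lb-policy" and w[0] == "sticky-serverfarm":
            refs.append(("sticky", w[1], where))
        elif kind == "mm-policy" and w[0] == "class" and w[1] != "class-default":
            refs.append(("class-map", w[1], where))
        elif kind == "mm-policy" and w[:2] == ["loadbalance", "policy"]:
            refs.append(("lb-policy", w[2], where))
        elif w[:2] == ["nat", "dynamic"]:
            refs.append(("nat-pool", (w[4], w[2]), where))   # (vlan, pool-id)
        elif kind == "interface" and w[0] == "nat-pool":
            pools.add((name, w[1]))
        elif kind == "interface" and w[:2] == ["access-group", "input"]:
            refs.append(("acl", w[2], where))
        elif kind == "interface" and w[:2] == ["service-policy", "input"]:
            refs.append(("policy", w[2], where))

    findings = []
    for rkind, rname, where in refs:
        if rkind == "nat-pool":
            ok, shown = rname in pools, f"nat-pool {rname[1]} on interface vlan {rname[0]}"
        elif rkind == "policy":
            ok, shown = rname in defs["mm-policy"] | defs["mgmt-policy"], f"policy-map {rname}"
        else:
            ok, shown = rname in defs[rkind], f"{rkind} {rname}"
        if not ok:
            findings.append(f"undefined: {shown} (referenced in {where})")
        elif rkind == "acl" and rname in broad_acls:
            findings.append(f"permissive: access-list {rname} permits ip any any and is applied on {where}")
    return findings
```

Calling `lint_ace_config(SAMPLE_CONFIG)` reports the dangling `group1` reference, the missing `NSS_MGMT` policy and the any/any ACL on vlan 112; after fixing the first two, only the ACL warning remains.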
Similar Messages
-
SSH access into a virtual context on the ACE module A(2.2)
Hello,
I tried to configure:
Admin(conf)#context test
Admin(conf-context)#ssh key rsa1 1024
but the ssh command is not supported in this newest version. How can I configure SSH access directly into a virtual context on the ACE module?
Thank you
Here's a link on how to configure it.
https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
Hope that helps. -
Has anyone configured transparent caching on the ACE module?
How do I configure transparent caching on the ACE module? Please kindly give me an example configuration. Thank you very much.
Here is a basic config.
The module will intercept traffic coming in on VLAN 20 and load balance it, using URL hashing, to the caches in VLAN 30.
The mode is transparent so the destination ip address is preserved.
serverfarm host CACHES
  transparent
  predictor hash url
  rserver linux1
    inservice
  rserver linux1-24
    inservice
class-map match-all VIP-TCP80
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match SF-CACHES
  class class-default
    serverfarm CACHES
policy-map multi-match SLB-CACHES
  class VIP-TCP80
    loadbalance vip inservice
    loadbalance policy SF-CACHES
interface vlan 20
  ip address 192.168.20.123 255.255.255.0
  peer ip address 192.168.20.121 255.255.255.0
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input SLB-CACHES
  no shutdown
-
Hi,
I am trying to configure FT on ACE modules, with the following commands:
ft interface vlan 20
  ip address 172.16.20.1 255.255.255.252
  peer ip address 172.16.20.2 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 20
ft group 1
  peer 1
  priority 150
  associate-context Admin
  inservice
The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft'. How do I resolve this? Do I need to enable something?
Hi, I have the following config which seems to be working fine for me... check that your vlan20 interface is up:
ft interface vlan 212
  ip address 172.31.1.221 255.255.255.252
  peer ip address 172.31.1.222 255.255.255.252
  no shutdown
ft peer 1
  heartbeat interval 300
  heartbeat count 20
  ft-interface vlan 212
ft group 2
  peer 1
  priority 50
  peer priority 150
  associate-context Admin
  inservice
HQ-ACE1/Admin# sh int
vlan212 is up, administratively up
Hardware type is VLAN
MAC address is 00:23:5e:25:72:f1
Mode : routed
IP address is 172.31.1.221 netmask is 255.255.255.252
FT status is standby
Description:not set
MTU: 1500 bytes
Last cleared: never
Last Changed: Tue Sep 6 12:46:06 2011
No of transitions: 1
Alias IP address not set
Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
Assigned from the Supervisor, up on Supervisor
8654909 unicast packets input, 735611030 bytes
1151150 multicast, 161 broadcast
0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
13020418 unicast packets output, 1672055521 bytes
0 multicast, 163 broadcast
0 output errors, 0 ignored -
Configuring ACE Module for Redundancy
Hi Sir,
I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
ft group 1
  peer 1
  priority 110
  peer priority 105
  associate-context Admin
  inservice
ft group 2
  peer 1
  priority 110
  peer priority 105
  associate-context ace-context1
  inservice
ft group 3
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context2
  inservice
ft group 4
  peer 1
  priority 105
  peer priority 110
  associate-context ace-context3
  inservice
Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
Thank you.
B.Rgds,
Lim TS
Hi Gilles,
I have configured FT for all user contexts as well as for the Admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
I noticed a few things:
(1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
(2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
(3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
One issue I encountered in one of the user contexts is as follows:
ace1/ace-context-1# sh run int
Generating configuration....
interface vlan 950
description *** Client-Facing VLAN ***
ip address 10.1.35.5 255.255.255.0
alias 10.1.35.4 255.255.255.0
peer ip address 10.1.35.6 255.255.255.0
access-group input ACL_VL950_IN
service-policy input REMOTE_MGMT
service-policy input MY_LB
no shutdown
interface vlan 951
description *** Connection to Real Servers ***
ip address 10.1.36.2 255.255.255.0
alias 10.1.36.1 255.255.255.0
peer ip address 10.1.36.3 255.255.255.0
access-group input ACL_VL951_IN
service-policy input NAT_REAL
no shutdown
This is the active context. It can ping 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client side). It can ping alias 10.1.36.1 over VLAN 951 (server side) but can't ping peer 10.1.36.3. ACL_VL951_IN permits ip any any. Do you know why?
Secondly, I can remotely ping alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
Please advise.
Thank you.
B.Rgds,
Lim TS -
How to configure 7916 expansion module
Hi
Can somebody show me how to configure the 7916 expansion module? It's the first time I've worked with one, and I just get a blue screen when I connect it to a 7965.
Thanks for all.
Hi Malek,
The steps are detailed here;
Attaching a Cisco Unified IP Phone Expansion Module
http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7962g_7961g_7961g-ge_7942g_7941g_7941g-ge/7_1/english/administration/guide/62614241set.html#wp1039513
Hope this helps!
Rob -
ACE module - Qos - set ip tos #
All,
Trying to mark traffic to/from L4 rules in the ACE.
Documentation (like always) says it's really easy: mark traffic by using the "set ip tos <value>" command in policy/class configuration. OK, so I do this: set ip tos 24.
I enable QoS globally on the 6500 host, but don't see the traffic being marked.
sh mls qos says that packets are being modified by module 5 (ACE),
But I never see the tos value in any of my captures either via netflow from the host 6500, or at the firewall one hop away.
sh mls qos:
QoS is enabled globally
Policy marking depends on port_trust
QoS ip packet dscp rewrite enabled globally
Input mode for GRE Tunnel is Pipe mode
Input mode for MPLS is Pipe mode
QoS Trust state is CoS on the following interface:
Te3/1
QoS Trust state is DSCP on the following interface:
Gi2/3
Vlan or Portchannel(Multi-Earl) policies supported: Yes
Egress policies supported: Yes
----- Module [5] -----
QoS global counters:
Total packets: 207147888661
IP shortcut packets: 0
Packets dropped by policing: 0
IP packets with TOS changed by policing: 2663386
IP packets with COS changed by policing: 4889352
Non-IP packets with COS changed by policing: 0
MPLS packets with EXP changed by policing: 0
Can someone explain to me what I've got wrong here? Is the ACE simply marking traffic destined for the servers behind it and not the return traffic? Am I misunderstanding something?
Well... hopefully someone knows how to classify traffic coming from the ACE.
I've given up on using the ACE to mark traffic as I'm fairly certain it won't do it. At least not the way I want.
However, now I've taken to marking ingress on the rserver switch ports... which has resulted in a partially successful solution. Problem is, "partially" successful.
You'll have a bunch of little conversations like this with no tos value, full of push-acks:
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.555271 207.161.222.68.2828 > 205.200.114.228.http: P 3455:3686(231) ack 203152 win 65535 (DF)
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.674758 207.161.222.68.2828 > 205.200.114.228.http: P 3686:4036(350) ack 203784 win 64903 (DF)
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:29:53.690871 205.200.114.228.http > 207.161.222.68.2828: P 206704:208164(1460) ack 4036 win 32768
10:29:53.690879 205.200.114.228.http > 207.161.222.68.2828: P 208164:209624(1460) ack 4036 win 32768
10:29:53.690887 205.200.114.228.http > 207.161.222.68.2828: P 209624:211084(1460) ack 4036 win 32768
10:29:53.690895 205.200.114.228.http > 207.161.222.68.2828: P 211084:212544(1460) ack 4036 win 32768
But then you'll see another conversation pop up with the correct markings
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845313 205.200.114.228.http > 207.161.222.68.2828: . 37133:38593(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845321 205.200.114.228.http > 207.161.222.68.2828: . 38593:40053(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845328 205.200.114.228.http > 207.161.222.68.2828: . 40053:41513(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845335 205.200.114.228.http > 207.161.222.68.2828: . 41513:42973(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845343 205.200.114.228.http > 207.161.222.68.2828: . 42973:44433(1460) ack 1082 win 62808 (DF) [tos 0x48]
I think what's happening is that the conversations full of P-acks are the load balancer communicating directly with the client (i.e. the LB pretending to be the server), whereas the marked traffic is "data only" which the load balancer isn't mangling (as it might/probably is doing with the P-acks) on its way back to the client.
I also can't modify the configuration of the "virtual ten gig" interface that the 6500 uses as a connection to the ACE module, so I can't mark traffic there either. And though I still have a couple of things to try, I don't believe I can do egress marking on a trunk from the 6500 either (connection to the firewalls).
So.... PLEASE... Anyone??? Ideas??? -
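To check the "some conversations marked, some not" observation over a whole capture rather than by eye, here is an added Python helper (not from the thread) that parses tcpdump lines in the format quoted above, groups packets per direction, and reports how many carry a `[tos ...]` marking and which DSCP the ToS byte decodes to. The sample capture embeds a constructed subset of the lines quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the tcpdump lines quoted in the post above
# (the unmarked 10:29 conversation, then lines from the marked 10:31 one).
SAMPLE_CAPTURE = """\
10:29:53.527526 207.161.222.68.2828 > 205.200.114.228.http: P 2954:3455(501) ack 203152 win 65535 (DF)
10:29:53.527698 205.200.114.228.http > 207.161.222.68.2828: . ack 3455 win 32267
10:29:53.562676 205.200.114.228.http > 207.161.222.68.2828: P 203152:203784(632) ack 3686 win 32768
10:29:53.690853 205.200.114.228.http > 207.161.222.68.2828: P 203784:205244(1460) ack 4036 win 32768
10:29:53.690863 205.200.114.228.http > 207.161.222.68.2828: P 205244:206704(1460) ack 4036 win 32768
10:31:53.845287 205.200.114.228.http > 207.161.222.68.2828: . 32753:34213(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845298 205.200.114.228.http > 207.161.222.68.2828: . 34213:35673(1460) ack 1082 win 62808 (DF) [tos 0x48]
10:31:53.845306 205.200.114.228.http > 207.161.222.68.2828: . 35673:37133(1460) ack 1082 win 62808 (DF) [tos 0x48]
"""

# One classic-format tcpdump TCP line: timestamp, src > dst: flags, optional seq:seq(len),
# optional ack, win, optional (DF), optional [tos 0x..].
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
    r"(?: \d+:\d+\((?P<len>\d+)\))?(?: ack \d+)? win \d+"
    r"(?: \(DF\))?(?: \[tos (?P<tos>0x[0-9a-fA-F]+)\])?\s*$"
)


def dscp_name(tos):
    """Split a ToS byte into its DSCP value and the usual PHB name (BE, CSx, AFxy, EF)."""
    dscp = tos >> 2                      # top six bits; the low two are ECN
    cls, drop = dscp >> 3, (dscp >> 1) & 3
    if dscp == 0:
        name = "BE"
    elif dscp == 46:
        name = "EF"
    elif dscp & 7 == 0:
        name = f"CS{cls}"
    elif 1 <= cls <= 4 and 1 <= drop <= 3 and dscp % 2 == 0:
        name = f"AF{cls}{drop}"          # AFxy has DSCP 8x + 2y
    else:
        name = f"DSCP{dscp}"
    return dscp, name


def summarize_marking(capture):
    """Group packets by (src, dst) and count how many carry a ToS marking."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "push": 0, "marked": 0, "tos": set()})
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                     # lines in another format (ARP, ICMP, ...) are ignored
        f = flows[(m["src"], m["dst"])]
        f["packets"] += 1
        f["bytes"] += int(m["len"] or 0)
        f["push"] += int("P" in m["flags"])
        if m["tos"]:
            f["marked"] += 1
            f["tos"].add(dscp_name(int(m["tos"], 16))[1])
    return dict(flows)


def report(capture):
    """One summary line per direction; MIXED flows are the ones worth chasing."""
    lines = []
    for (src, dst), f in summarize_marking(capture).items():
        unmarked = f["packets"] - f["marked"]
        tag = "MIXED" if f["marked"] and unmarked else ("marked" if f["marked"] else "unmarked")
        lines.append(f"{src} > {dst}: {f['packets']} pkts, {f['bytes']} bytes, {f['push']} push, "
                     f"{f['marked']} marked ({', '.join(sorted(f['tos'])) or '-'}) [{tag}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE)))
```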
Want to know about the ACE module in a 6509: load-balancing concept
Hi,
I am quite new in this field, where I need to configure and understand the concept of load balancing through the ACE.
In my existing network set-up, I have some application servers as well as some other servers for which I am looking at load balancing.
I have gone through some sites, the Cisco site as well, and I came across the ACE module which can be installed in a 6509 switch.
I have a 6509 switch as well, but before going for installing the ACE module I am keen to understand the below things:
1) What is the difference between the CSM or any other load-balancer product and the ACE module?
Gone through the site as well, but not getting a proper answer or comparison.
1) I have some of the servers configured with clustering and getting one virtual IP. In this case, will the ACE work?
2) Suppose I go for configuring different IP addresses for all the server IPs: how do I achieve it?
3) What is the virtual IP concept in the ACE? Because I do not have any other ACE module, then why do I need a virtual IP?
4) Will the load balancing happen destination-based or session-based?
Please share the knowledge. It would be a great help for me to go ahead with the ACE, configure it and understand all the applications.
Hello,
1) What is the difference between the CSM or any other load-balancer product and the ACE module?
There are several differences but, to put it simply, you get higher performance and more features with the ACE module/appliance compared to the others.
One big difference is that with the ACE series you can configure multiple contexts on one box (virtual load balancers on one box), which makes it possible to provide a virtual load balancer to a customer. In that way, the customer can access and make changes on only the virtual box. You can split the management domain for each customer. Also, using contexts, you can assign certain resources available on the hardware to each context according to their service contract.
The ACE series has a specific hardware chip for supporting SSL termination, but some others do not.
For instance, you need a CSM-S, or a CSM and an SSL module, to terminate SSL.
The other thing I should mention is that our most recent product is the ACE series, which means it has a longer product roadmap.
Let me try clarifying your other questions.
3) What is the virtual IP concept in the ACE? Because I do not have any other ACE module, then why do I need a virtual IP?
4) Will the load balancing happen destination-based or session-based?
I think I'd better put 3) and 4) first.
The virtual IP address (VIP) is the address which clients access.
A VIP is tied to a serverfarm or serverfarms; in a serverfarm one or multiple rservers can be configured.
A "serverfarm" is a group of "rservers".
An "rserver" means a real server that has an IP address and processes transactions.
When a client accesses the VIP, the ACE picks an rserver according to the algorithm.
If you configure a VIP that is tied to a serverfarm where only one rserver is configured, client accesses to the virtual IP address are all forwarded to that rserver.
If you configure a VIP that is tied to a serverfarm where multiple rservers are configured, client accesses to the virtual IP address are balanced among those rservers.
If you configure multiple VIPs, client accesses to those VIPs are forwarded to the corresponding rservers according to the configuration.
1) I have some of the servers configured with clustering and getting one virtual IP. In this case, will the ACE work?
The ACE load-balances connections to the configured rservers.
If the clustered servers are sharing one virtual IP address and you configure that virtual IP address as an rserver, all connections are sent to that virtual IP address. That is not "load balancing" on the ACE... You need multiple rservers to which the ACE load-balances connections.
2) Suppose I go for configuring different IP addresses for all the server IPs: how do I achieve it?
You can configure those IP addresses as rserver IP addresses.
Multiple rservers are tied into a group, a "serverfarm".
I'm not certain about your clustered servers, but I guess you can configure each IP address in the cluster as an rserver.
Then put those rservers in a serverfarm. Clients access a virtual IP address configured on the ACE for the serverfarm.
This way connections are load-balanced among those rservers depending on the load-balancing algorithm you choose.
The above is just an overview. The ACE gives you granular control not mentioned above.
I can provide more specific information if you tell me the details of what you are trying to achieve with the ACE.
Regards,
Kimihito.
-
Reuse of a context in the ACE module
Hi all, I just have a question about some reuse of resources in an ACE module context. I don't want to make a new context, and can reuse most of the existing configuration in one of my contexts. The config is not complex or difficult, but I'm not sure if I can do this.
The primary goal is to load balance 2 web servers with a new VIP, new serverfarm, sticky group, policy-map and a different nat-pool.
Since I haven't decided the IP addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold. Will this work for me?
probe http WEBGUI_D2
  description Probe for http mot webgui
  interval 10
  passdetect interval 10
  passdetect count 1
  request method get url /D2/auth/login.aspx
  expect status 200 302
  header User-Agent header-value "IDENTITY"
rserver host cwi003
  description content server logon
  ip address 10.163.22.27
  inservice
rserver host cwi004
  description content server logon
  ip address 10.163.22.28
  inservice
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON_D2
  probe WEBGUI_D2
  rserver cwi003 80
    inservice
  rserver cwi004 80
    inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 20
  replicate sticky
  serverfarm SF_LOGON_D2
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
  3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
    sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 1240
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 6 vlan 1240
interface vlan 1240
  description Client_server
  ip address 10.163.22.11 255.255.255.0
  peer ip address 10.163.22.12 255.255.255.0
  access-group input INBOUND
  nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
  service-policy input PM_ONE_ARM_MULTI_MATCH
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
Geir
Thanks for your reply.
Hope I understood you correctly. This should be the config I need to paste into the existing context:
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
  timeout 20
  replicate sticky
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
  class class-default
    sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB2
    nat dynamic 6 vlan 1240
interface vlan 1240
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir -
ACE module dropping asymmetric layer 2 connections
Hi, we had a situation where the ACE would randomly drop certain TCP connections, and all ICMP packets, from a certain Windows server. The server in question was using Transmit Load Balancing with Fault Tolerance.
The server has one NIC connected to access switch 1, and the other NIC connected to access switch 2. Each access switch connects up to a pair of 6509s, which is active on Core1 on both switches.
I am guessing that if the server sends on NIC 2, Core1 knows it came in on the downstream trunk port to switch 2; it must reply to these packets based on the teamed MAC of the layer 3 address (no idea who is ARPing for the destination, the ACE?), and send them back out the downstream trunk port to switch 1. The ACE module is in transparent mode. When contacting a server on the other side of the ACE, the ACE drops packets that came from the second NIC, and I am wondering how it "knows" that the return path is out of a different downstream port. Does it share some kind of layer 2 RPF check with the 6500?
Please note there is no routing involved here. The destination server is just on another VLAN on the same subnet, on the other side of the ACE.
Bryan,
As long as the server replies back to the ACE, the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim -
ACE module in bridged mode with client NAT
Could someone confirm whether NAT is supported on the ACE-20 module, please?
Let me explain the technical details.
I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs, vlan 36 (client) and vlan 436 (server), bridged with interface bvi 36.
NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding "policy-map type loadbalance".
Could you check the two parts of the configs and advise me if the ACE config is properly converted from the CSM and will work in the same way (especially for NAT)?
Thank you in advance.
CSM config
=======
vlan 36 client
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
  gateway 10.36.3.1
vlan 436 server
  ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
  interval 30
  failed 120
  open 3
  port 80
probe WEBMAIL-443 tcp
  interval 5
  failed 60
  open 2
  port 443
serverfarm WEBMAIL-443
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 443
    inservice
  real 10.36.3.102 443
    inservice
  probe WEBMAIL-443
serverfarm WEBMAIL-80
  nat server
  nat client WEB-MAIL
  predictor leastconns
  real 10.36.3.101 80
    inservice
  real 10.36.3.102 80
    inservice
  probe SHAREPOINT
vserver WEBMAIL-443
  virtual 10.36.3.100 tcp https
  serverfarm WEBMAIL-443
  sticky 60 group 30
  replicate csrp sticky
  replicate csrp connection
  persistent rebalance
  inservice
vserver WEBMAIL-80
  virtual 10.36.3.100 tcp www
  serverfarm WEBMAIL-80
  replicate csrp connection
  persistent rebalance
  inservice
ACE config
=======
probe tcp WEBMAIL-443
  interval 5
  open 2
  passdetect interval 60
  port 443
probe tcp SHAREPOINT
  interval 30
  open 3
  passdetect interval 120
  port 80
serverfarm host WEBMAIL-443
  predictor leastconns
  probe WEBMAIL-443
  rserver 10-36-3-101 443
    inservice
  rserver 10-36-3-102 443
    inservice
serverfarm host WEBMAIL-80
  predictor leastconns
  probe SHAREPOINT
  rserver 10-36-3-101 80
    inservice
  rserver 10-36-3-102 80
    inservice
class-map match-all WEBMAIL-80
  match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
  match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
  serverfarm WEBMAIL-443
  replicate sticky
  timeout 60
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
  class class-default
    sticky-serverfarm 30
    nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
  persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
interface vlan 36
  bridge-group 36
  service-policy input IFVLAN36-POLICY
  mac-sticky enable
  no shutdown
interface vlan 436
  bridge-group 36
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
  no shutdown
interface bvi 36
  ip address 10.36.3.3 255.255.255.0
  peer ip address 10.36.3.4 255.255.255.0
  no shutdown
Hello F.Makarenko,
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-80
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class WEBMAIL-443
    appl-parameter http advanced-options HTTP_ADV_OPT
    loadbalance policy WEBMAIL-443
    loadbalance vip inservice
    loadbalance vip icmp-reply active
  class class-default
    nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
How can I configure SSH management access to the ACE module configured in bridged mode?
Do not mix up the "domain" name and the user "domain".
The domain name is something like cisco.com or yourcompany.net...
But the user domain is the set of objects a user is allowed to modify/configure/access inside the ACE.
I don't think you need to specify a domain-name to generate the key.
Here is what I did:
switch/Admin(config)# ssh key rsa 768
generating rsa key(768 bits).....
generated rsa key
switch/Admin(config)#
gdufour-cat6k1#ssh -l admin 10.86.213.40
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2008, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
User 'www' is disabled.Please change the password to enable the user.
switch/Admin#
Just make sure you allow SSH traffic with your management policy.
Gilles. -
Per-ServerFarm SNAT on ACE Module.
Dear all,
I have an ACE module configured in multiple routed contexts.
My customer wants to configure some NAT feature that prevents the real server IP addresses from appearing outside the ACE. They want the only IP address outside the ACE to be the virtual IP address (VIP) that represents the serverfarm.
Also, the customer wants different serverfarms to communicate with each other within the same VLAN.
I was reading, and the option that accomplishes both tasks is dynamic (PAT) per-serverfarm SNAT using the VIP address.
Is this correct?
The software version is A2(3,5).
Thanks a lot!
David
Hi David,
Could you please clarify and maybe separate the tasks you have?
As I understand, you have these tasks for now:
1) Don't show rserver IPs anywhere outside the ACE
2) Servers in the same VLAN should be able to communicate, via the VIP, with a serverfarm which is located in the same VLAN
The first task is a little bit unclear. I mean, actually you have the VIP outside of the ACE and all outside clients communicate with the serverfarm via the VIP and don't need to know the rservers' IPs (e.g. they can even be private and the VIP public, if we're talking about the Internet).
Or do you mean that rservers need to communicate with the outside world through the ACE but you want to NAT these flows too?
2) Yes, it's possible. For such a configuration you need to create a service policy with the same VIP and configuration as you have for the outside interface, and put it on the inside interface. The only key difference is that you need to add a NAT statement, because return traffic should go to the ACE, and as rservers and clients in this case are in the same VLAN, you need to use NAT.
E.g.
policy-map multi-match VIP_IN
  class MY-CLASS
    loadbalance vip inservice
    loadbalance policy MY-L7Policy
    nat dynamic 1 vlan X   <<- inside interface
and then on the inside interface
interface vlan X
  nat-pool 1 Y.Y.Y.Y Y.Y.Y.Y netmask 255.255.255.255 pat
In this case it will work this way: say you have servers in VLAN 10. Servers #1 and #2 are rservers in your serverfarm and server #3 wants to connect to the serverfarm through the VIP. Let's say that VLAN 10 has subnet 10.0.0.0/24 and the VIP for this serverfarm is 8.8.8.8. When you configure it like I wrote above, this will happen:
Server #3 connects to 8.8.8.8; the traffic goes to the ACE as the gateway. As you have a policy map on the inside interface which catches traffic to 8.8.8.8, the ACE will catch it and process it. You have a SNAT statement there, so the ACE will perform standard load balancing and replace the source IP with the NAT IP (say 10.0.0.100); thus when server #1, which gets this load-balanced traffic, receives it, it will send the return traffic to 10.0.0.100, and thus to the ACE.
-
Basically we have a running ACE context which works; however, we are using NAT and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config, but I have the problem that when the client is on the server-side network the traffic never makes it there.
ACE1/10.0.0.0_Network# sho run
Generating configuration....
access-list ALL line 8 extended permit ip any any
rserver host CE-565-1
  ip address 10.0.2.83
  inservice
serverfarm host Content_Engine_SF
  rserver CE-565-1
    inservice
class-map match-all Content_Engine_VIP
  2 match virtual-address 10.0.18.101 any
class-map type management match-any Remote_Management
  2 match protocol http any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
policy-map type management first-match rmt_mgt_policy
  class Remote_Management
    permit
policy-map type loadbalance first-match Content_Engine_VIP-l7slb
  class class-default
    serverfarm Content_Engine_SF
policy-map multi-match int18
  class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
access-group input ALL
interface vlan 3
  description Server_Side
  ip address 10.0.3.240 255.255.254.0
  mac-sticky enable
  no shutdown
interface vlan 18
  description Client Side Network
  ip address 10.0.18.251 255.255.255.0
  mac-sticky enable
  service-policy input int18
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.18.1
If I telnet to the VIP from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However, when I telnet from a machine on vlan 3, 10.0.2.188, it does not work. I would have thought the mac-sticky option would work, but it seems to be doing nothing. Any ideas without using a NAT pool would be great so we can see the originating IP address.
If you are initiating traffic from serverA to a VIP that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, serverB will ARP for serverA's address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
1. Use NAT to ensure the return traffic makes it back to the ACE.
2. Insert an HTTP header with the client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827 -
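Options 1 and 2 above, applied to the context posted in the question, as an added configuration example; it is not from this thread or from Cisco, and it uses the same nat-pool / nat dynamic mechanism that the earlier reply describes for its vlan 10 / 10.0.0.100 case. The NAT address 10.0.3.250, the policy name int3 and the header name X-Forwarded-For are assumptions; every other name comes from the posted configuration. The source NAT is attached through a second policy on vlan 3 only, so clients arriving on vlan 18 keep reaching the servers with their real source address, while the same-vlan clients whose source is rewritten are identified to HTTP applications through the inserted header.

```cisco
! Added example, not from the thread. Addresses and names marked "assumed"
! are placeholders; the rest reuses the names posted in the question.

! Option 1: source NAT for clients that sit on the server vlan.
! 10.0.3.250 is an assumed free address inside 10.0.2.0/23. The pool and a
! second policy go on vlan 3 only, so traffic from vlan 18 is not NATed.
interface vlan 3
  description Server_Side
  ip address 10.0.3.240 255.255.254.0
  mac-sticky enable
  nat-pool 1 10.0.3.250 10.0.3.250 netmask 255.255.254.0 pat
  service-policy input int3
  no shutdown

policy-map multi-match int3
  class Content_Engine_VIP
    loadbalance vip inservice
    loadbalance policy Content_Engine_VIP-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3

! Option 2: carry the original client address in a request header so the
! application can still log it after the NAT. The ACE only parses HTTP when
! the VIP class matches TCP port 80, hence "tcp eq www" instead of "any".
class-map match-all Content_Engine_VIP
  2 match virtual-address 10.0.18.101 tcp eq www

policy-map type loadbalance first-match Content_Engine_VIP-l7slb
  class class-default
    serverfarm Content_Engine_SF
    insert-http X-Forwarded-For header-value "%is"
```

Narrowing the VIP class to port 80 restricts that VIP to HTTP; if other protocols must still be balanced through 10.0.18.101, keep a separate class for them without the header insertion. Because X-Forwarded-For is an ordinary request header, the application should only trust it on connections that arrive from the ACE, otherwise a client that sets the header itself can choose the address that gets logged.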
Hello,
I'm in the process of setting up an end-to-end SSL configuration but it doesn't work and I'm getting a bit confused at this stage. I imported a cert using the terminal (copy/paste), then I imported a key using the same method and TFTP. The TFTP failed and the terminal was displaying a message telling me there were too many lines.
I checked with the crypto verify command and it failed telling me "Error: invalid or unsupported key".
Is there any clear documentation on how to configure an end to end SSL ?
I used the ACE ssl guide, but it is not really accurate and looks more like a reminder to me rather than a guide.
I attached the existing config to this post although it does not show the cert and key I imported to the ACE module, it gives a better understanding of what the idea is.
Did anybody come across the same issues the first time configuring end-to-end SSL with ACE? I just don't know where to start.
I feel like you do not have the right key/cert.
This would be the very first thing to verify.
Where did you get your key and cert ?
What certificate authority signed your certificate ?
The creation of the session key requires the use of an RSA key pair (private/public).
Every server must have a public and a private key associated with a certificate signed by a certificate authority.
If you're not familiar with those concepts, configuring an SSL offloader like ACE won't be easy.
Maybe you should start by reading on the subject from various articles available on the web.
openssl is a great tool to generate keys and certificates.
I would suggest maybe to get this free tool and start by creating your own RSA key pair and a self signed certificate.
Then import everything into ACE.
Once you have valid key/cert we can continue with the configuration.
Gilles
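The ACE side of the procedure Gilles outlines (import the openssl-generated key and certificate, verify the pair, then build the end-to-end SSL services), as an added configuration example that is not from this thread or from Cisco. The file names, service names, the 192.0.2.x addresses and vlan 100 are constructed placeholders; the command syntax follows the ACE SSL configuration guide, so check it against the guide for your software version.

```cisco
! Added example, not from the thread. File names, service names, addresses
! and the vlan number are placeholders.

! --- exec mode: bring the key and certificate in and check them first ---
! paste the unencrypted PEM private key created with openssl, then the
! matching certificate (self-signed or CA-signed); end each paste with a line
! containing only "quit"
crypto import terminal server-key.pem
crypto import terminal server-cert.pem
! the pair must verify before any ssl-proxy service references it;
! "Error: invalid or unsupported key" points at a key that does not belong to
! the certificate or that was damaged while pasting
crypto verify server-key.pem server-cert.pem
show crypto files

! --- configuration mode ---
! client-facing side: the ACE terminates TLS with this key and certificate
ssl-proxy service FRONTEND_SSL
  key server-key.pem
  cert server-cert.pem

! server-facing side: the ACE opens a new TLS session to each real server
ssl-proxy service BACKEND_SSL

rserver host WEB1
  ip address 192.0.2.10
  inservice

serverfarm host SF_HTTPS
  rserver WEB1 443
    inservice

class-map match-all VIP_443
  2 match virtual-address 192.0.2.100 tcp eq 443

! the back-end SSL service hangs off the load-balance policy ...
policy-map type loadbalance first-match L7_SSL
  class class-default
    serverfarm SF_HTTPS
    ssl-proxy client BACKEND_SSL

! ... and the front-end SSL service off the VIP class in the multi-match policy
policy-map multi-match CLIENT_SIDE
  class VIP_443
    loadbalance vip inservice
    loadbalance policy L7_SSL
    ssl-proxy server FRONTEND_SSL

interface vlan 100
  service-policy input CLIENT_SIDE
```

As written, BACKEND_SSL lets the ACE start TLS towards the real servers but does not check their certificates; if those certificates should be validated, the SSL guide describes attaching a certificate authority group to the client-side service. The private key only ever needs to reach the ACE itself, so keep it out of posted configurations and attachments, as the original poster did.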