IDSM-2 load balancing in inline mode: is it possible?

Hi there. I am currently working on a project and need to find out whether EtherChannel load balancing can be configured between several IDSM-2 running in inline mode. The IPS 5.1 admin guide states that it is possible for IOS-based switches having the IDSM-2 configured in promiscuous mode; however, I have heard that it might also be possible to configure EtherChannel load balancing when the IDSM-2 are in inline mode. Any help or comments will be appreciated; any links to refer to will be even better.
Thanks !!!

To configure EtherChannel load balancing on IDSM-2, you must install Cisco IOS 12.2(18)SXE and have Supervisor Engine 720. Cisco IOS only supports promiscuous IDSM-2 EtherChanneling using VACL capture (not SPAN or monitor). Refer to the URL:
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html#wp1044800

Similar Messages

  • FTP Load-Balancing in DSR mode

    Hello Experts,
    Need some clarity on FTP LB under DSR mode. I have my DSR working fine for normal HTTP traffic, but I am facing issues with FTP on the same; please find the configs attached below.
    Topology 
    Client ( 10.20.10.101)   -----> CAT6k  ( 10.20.10.110 & 10.10.15.2)  --> ACE --- > Server 
    VLAN 149                                  VLAN 149 & VLAN 150
    access-list access line 8 extended permit icmp any any
    access-list access line 16 extended permit tcp any any
    access-list acl line 8 extended permit ip any any
    rserver host real2
      ip address 10.10.15.101
      inservice
    serverfarm host ftp
      transparent
      rserver real2
        inservice
    class-map match-all ftp-vip
      2 match virtual-address 192.168.5.5 tcp eq ftp
    class-map match-any ftp_1
      2 match access-list access
    policy-map type management first-match mgmt
      class class-default
        permit
    policy-map type loadbalance first-match ftp
      class class-default
        serverfarm ftp
    policy-map multi-match LBPOL
      class vip
        loadbalance vip inservice
        loadbalance policy lbpol
        loadbalance vip icmp-reply active
      class ftp-vip
        loadbalance vip inservice
        loadbalance policy ftp
        inspect ftp
      class ftp_1
        nat dynamic 5 vlan 150
    interface vlan 61
      ip address 61.202.200.200 255.0.0.0
      access-group input acl
      service-policy input mgmt
      no shutdown
    interface vlan 150
      description server-side
      ip address 10.10.15.1 255.255.255.0
      no normalization
      access-group input acl
      nat-pool 5 10.10.15.209 10.10.15.209 netmask 255.255.255.255 pat
      service-policy input LBPOL
      service-policy input mgmt
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.15.2
    Client
    ======
    root@TLS_SRV ~]# ifconfig eth1.149
    eth1.149  Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
              inet addr:10.20.10.101  Bcast:10.20.10.255  Mask:255.255.255.0
              inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:203 errors:0 dropped:0 overruns:0 frame:0
              TX packets:68 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:10444 (10.1 KiB)  TX bytes:8408 (8.2 KiB)
    route
     192.168.5.0     10.20.10.110    255.255.255.0   UG    0      0        0 eth1.149
    CAT6k
    =======
    interface Vlan149
     ip address 10.20.10.110 255.255.255.0
    end
    interface Vlan150
     ip address 10.10.15.2 255.255.255.0
    end
    ip route 192.168.5.5 255.255.255.255 10.10.15.1    
    Server
    =======
    eth1.150  Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
              inet addr:10.10.15.101  Bcast:10.10.15.255  Mask:255.255.255.0
              inet6 addr: fe80::21c:23ff:fee2:50c4/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:9194 errors:0 dropped:0 overruns:0 frame:0
              TX packets:408 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:503104 (491.3 KiB)  TX bytes:71884 (70.1 KiB)
    eth1.150:1 Link encap:Ethernet  HWaddr 00:1C:23:E2:50:C4
              inet addr:192.168.5.5  Bcast:192.168.5.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    route
    10.20.0.0       10.10.15.2      255.255.0.0     UG    0      0        0 eth1.150
    When I do FTP from client 10.20.10.101, my connection is getting refused. But when I connect to my server directly, bypassing ACE, I am getting authenticated.
    As per DSR, I made the rserver & ACE L2 adjacent, so when ACE receives the packet, instead of changing the dest IP it will use the VIP IP as destination, but the MAC will be rewritten to the rserver MAC address. As I said before, all works fine for HTTP DSR.
    I know NAT doesn't work in ACE when it's configured under DSR, but for FTP I made a NAT config; even if I remove it, it's not working. Is my config for FTP correct?
    Could someone please look into this and reply?
    Thanks
    Charles

    If you need to route / provide load balancing between 2 hosts, then you will need to have Route SAF. You can use Web Server 7 reverse proxy CLI or GUI to get this. However, you might want to start from a fresh configuration so that the reverse-map / map you have experimented with does not overlap with the 'Route' functionality that you seem to need here.
    Here is some reference content:
    http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
    http://blogs.sun.com/meena/entry/configuring_reverse_proxy_in_sun
    http://www.sun.com/bigadmin/features/articles/web_server_zones.jsp

  • Can I use IDSM-2 to monitor in inline-mode multiple pair of vlans?

    My customer wants to have IDSM-2 in inline mode for monitoring VLANs that are routed through the PIX firewalls.
    These VLANs are defined on the Cat 6500 switch where the IDSM-2 resides.
    They want to have one external VLAN paired with 4 internal VLANs.
    As far as I know, the inline VLAN pairs configuration only supports one-to-one VLAN pairing.
    What's the best way of doing this?

    Yes, you can very well use the IDSM for monitoring multiple VLANs.
    Refer to the configuration guide of the IDSM for more information:
    http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_guide_chapter09186a008055df92.html

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, DMZ network zones].
    I've seen sample configurations; all of them run the ACE in routed mode, and the ASAs are running in routed mode.
    Would it be possible to run the ACE in bridge mode, because of the IP subnetting problem? We don't have enough to split.
    By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create the VIP for both firewalls, or should I just simply set the server's gateway to the BVI interface?
    Please help. Thanks

    Thank you very much Gilles,
    You're the man. ;-)
    Another question: in my case I try to load balance 3 firewall interfaces [inside, outside, DMZ] in order to make the packet return through the same firewall it passed earlier.
    What kind of hashing technique do I need to use, and do I need to use the mac-sticky command???
    I tried to find some configuration samples from the Cisco website, but I only found ones with only 2 interfaces, with ACE running source hash and destination hash at each end.
    Thank you very much
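    As an added illustration (my code, not from the thread or from Cisco), assuming the two-ACE pattern the poster mentions, source hash on one side and destination hash on the other, extended to the three-zone case: a stateful firewall only accepts the reply if it lands on the unit that saw the request, so every zone's predictor must resolve a session to the same unit. The zones, addresses and the order-independent (XOR) predictor below are constructed assumptions for the demonstration, not ACE features.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# A packet's addresses as seen by the ACE that receives it; ports are left out for brevity.
Flow = Tuple[str, str]
# A session: (src_ip, src_zone, dst_ip, dst_zone); the request enters the ACE in src_zone,
# the reply enters the ACE in dst_zone with source and destination swapped.
Session = Tuple[str, str, str, str]


def _ip_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


def source_hash(flow: Flow, n_units: int) -> int:
    """Choose a firewall from the source address only."""
    return _ip_int(flow[0]) % n_units


def destination_hash(flow: Flow, n_units: int) -> int:
    """Choose a firewall from the destination address only."""
    return _ip_int(flow[1]) % n_units


def symmetric_hash(flow: Flow, n_units: int) -> int:
    """XOR of both addresses is order-independent: A->B and B->A choose the same unit.
    Shown as a concept (assumption), not as a predictor the page says ACE offers."""
    return (_ip_int(flow[0]) ^ _ip_int(flow[1])) % n_units


PREDICTORS: Dict[str, Callable[[Flow, int], int]] = {
    "source": source_hash,
    "destination": destination_hash,
    "symmetric": symmetric_hash,
}


def session_consistent(session: Session, zone_predictor: Dict[str, str], n_units: int) -> bool:
    """True if the request and its reply are steered to the same firewall unit."""
    src, src_zone, dst, dst_zone = session
    request_unit = PREDICTORS[zone_predictor[src_zone]]((src, dst), n_units)
    reply_unit = PREDICTORS[zone_predictor[dst_zone]]((dst, src), n_units)
    return request_unit == reply_unit


def count_inconsistent(sessions: List[Session], zone_predictor: Dict[str, str], n_units: int) -> int:
    """Sessions whose reply would reach a firewall that never saw the request (and drops it)."""
    return sum(1 for s in sessions if not session_consistent(s, zone_predictor, n_units))


# Constructed sample sessions (not taken from the thread), two firewalls in the pair.
SESSIONS: List[Session] = [
    ("10.1.1.10", "outside", "192.168.5.5", "inside"),   # Internet client -> inside server
    ("10.1.1.13", "outside", "172.16.0.8", "dmz"),       # Internet client -> DMZ server
    ("172.16.0.7", "dmz", "192.168.5.6", "inside"),      # DMZ server -> inside database
    ("192.168.5.5", "inside", "172.16.0.8", "dmz"),      # inside host -> DMZ server
]
# The two-interface recipe from the thread, naively extended to a third zone.
CLASSIC = {"outside": "source", "inside": "destination", "dmz": "destination"}
# The same predictor on every ACE, one that does not care about packet direction.
SYMMETRIC_ALL = {"outside": "symmetric", "inside": "symmetric", "dmz": "symmetric"}
ALL_SOURCE = {"outside": "source", "inside": "source", "dmz": "source"}

if __name__ == "__main__":
    for name, cfg in [("classic", CLASSIC), ("symmetric", SYMMETRIC_ALL), ("all-source", ALL_SOURCE)]:
        broken = count_inconsistent(SESSIONS, cfg, 2)
        print(f"{name:10s}: {broken} of {len(SESSIONS)} sessions would be dropped")
```

    Internet-to-inside and Internet-to-DMZ sessions survive the classic configuration, but the DMZ-to-inside and inside-to-DMZ sessions do not, because both of those zones hash on the destination and so key on different hosts in each direction.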

  • CSS Load Balancing Citrix Terminal Server, is it possible?

    Hi, we have to balance a Citrix Terminal Server farm with CSS; did anyone already realize it? Is there any problem doing it? Someone told me there is a NAT problem with Citrix MetaFrame terminal server; does anyone have information about it?
    Any help will be greatly appreciated. Many thanks
    Max

    Stickiness means that once a user is directed to a server through the load balancer, that user will remain on the server they were first load balanced to for the duration of their connection. Otherwise, every TCP connection that a user makes is load balanced to whatever servers are configured. There are several ways to configure stickiness. You can do it via:
    -source IP
    -source IP and destination port
    -text string in a cookie or URL
    -SSL session ID
    Take a look at this document that explains it better than I could:
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080772d96.html

  • IDSM-2 - VSS Load Balance

    Hi everyone,
    I have two 6509s configured with VSS; in each 6509 we have one FWSM and IDSM-2.
    We have configured the FWSM with contexts and we have failover working fine.
    Now we want to configure the IDSM as inline IPS, but we want to use both IDSMs in load balance to improve performance and get high availability with security.
    Is this possible?
    I know we can get load balance with IPS appliances using EtherChannel in switching (ECLB), but I don't know if we can do this with the IDSM modules in Catalyst 6509 considering VSS.
    Any suggestions?

    The VSS is a special configuration.
    You can configure the FWSM modules to be failover partners, but in IDSM modules you need to configure the same input/output VLANs to get the failover or balance behaviour. The Cisco IPS architecture has no failover configuration. You can find some examples with EtherChannel or Port-Channel configuration shared with some IPS units to balance the bandwidth. That's the case in the VSS solution: both chassis share the VLANs and it's necessary to configure the input/output VLAN pairs shared between the modules to balance the bandwidth.

  • Load balancing and High Availability topology

    Our Forms 6i client-server application currently runs on a Citrix farm of 20 Windows 2000 boxes (IBM Blade Servers, 2 CPUs and 2 Gig memory).
    The application supports 2000 users.
    We are moving to AS 10g R2, Forms 10g, and the goal is to use the same hardware, 20 Windows boxes (or less), for intranet web deployment.
    What will be our best choices for application load balancing and high availability?
    Hardware load balancer, Web Cache, mod_oc4j? Combinations?
    Any suggestions, best practices, your experience?

    Gerd, I understand that you are running 10g web forms through the browser, but using Citrix for deployment. This means that in addition to Application Server and Forms runtime sessions, there will be a separate browser session opened for each user. What is the advantage of this configuration?
    Michael, we are aware that Citrix is not supported by Oracle as a deployment platform. That only means that prior to contacting Oracle Support we have to reproduce the problem in a standard environment. It has never been a problem to reproduce a problem :) We were using Citrix as a deployment platform for Forms 6i client/server for 4 years, but now we are forced to upgrade to 10g.
    We are familiar with the various load balancing options available. The question is which option is the most "workable" in our case.

  • Internal load balancer for ADFS, Web Application Proxy join problem

    Hello,
    We deployed 2 x ADFS (2012 R2) behind an internal Azure load balancer.
    In front are two WAP servers, which should be joined to the ADFS farm based on the internal load balancer IP.
    Unfortunately the WAPs fail to join, and sometimes after 5 tries it works. The problem is (based on the event logs) that the ADFS servers don't trust the WAP certificate.
    It seems that during the join process the ADFS internal load balancer does not stick to one ADFS server. If we join the WAP directly (without the ILB) to one of the ADFS servers, everything works fine.
    As soon as we try to join via the ADFS internal load balancer IP, the above occurs.
    Did anyone experience the same problems? How does the internal load balancer distribute the requests? It seems to be not sticky at all.
    Thanks for any feedback,
    Thomas

    Thomas,
    This article talks (in detail) about a recently updated distribution mode, Source IP affinity:
    http://azure.microsoft.com/blog/2014/10/30/azure-load-balancer-new-distribution-mode/
    Hope this helps!
    /Arvind

  • Load-balancing in the same IP subnet

    Can I use load balancing in the same IP subnet? I have the servers and clients in the same IP subnet. I'd like to load-balance client-to-server traffic. I also need to load balance traffic between servers. Is it possible to configure it in only one VLAN?
    For example:
    CSS:
    interface 4/2
    circuit VLAN1
    ip address 10.0.0.10 255.255.255.0
    service s1
    ip address 10.0.0.101
    active
    service s2
    ip address 10.0.0.102
    active
    service s3
    ip address 10.0.0.103
    active
    service s4
    ip address 10.0.0.104
    active
    owner test
    content client
    vip address 10.0.0.3
    add service s1
    add service s2
    active
    content servers
    vip address 10.0.0.4
    add service s3
    add service s4
    active
    Cat6500:
    interface FastEthernet4/1 - clients
    no ip address
    switchport
    switchport mode access
    spanning-tree portfast
    interface FastEthernet4/2 - servers
    no ip address
    switchport
    switchport mode access
    spanning-tree portfast
    interface FastEthernet4/3 - CSS
    no ip address
    switchport
    switchport mode access
    spanning-tree portfast
    interface Vlan1
    ip address 10.0.0.1 255.255.255.0
    ip policy route-map pokus
    access-list 101 permit tcp any eq 80 any
    route-map pokus permit 10
    match ip address 101
    set ip next-hop 10.0.0.10
    Thank you
    Roman

    Yes, it's possible: use a trunk with two VLANs (slide 9), or you can use 'transparent' mode (slide 11, your attachment).
    Answer to your question (I have a problem understanding why there are two links with the same VLAN on the picture):
    On the switch there are two port interfaces in *switchport* mode (not trunk). Is it clear now?
    Result:
    Both methods (bridge mode with two VLANs, or transparent bridge mode) use two VLANs. It's up to you which type you prefer.
    My recommendation is: use the first method, one link to the CSS with a trunk configured in bridge mode (one IP subnet, two VLANs, default GW for servers isn't the CSS but the parent router).
    martin

  • Windows Load Balancing on Multiple VLAN?

    Hi all. Just wondering if any of you are having this same issue as I did. I've got NLB configured on 2 VMs running on Hyper-V. Each VM is equipped with 2 NICs. The NIC for heartbeat purposes is configured with a static MAC and with the option "Enable Spoofing for MAC Address" enabled. The other NIC is for LAN communication purposes. Each NIC resides on a different VLAN (VLANx and VLANy). After I've got NLB configured, in "unicast" mode, I've noticed I am not able to ping the NLB virtual IP address from any of the clients. Ping works between the NLB hosts, and it is accessible. Once I've put all the NICs into the same VLAN, NLB works fine; I can ping the NLB virtual IP, and a test on IIS works fine. My question: does NLB require all the hosts to reside in the same VLAN? If NLB supports multiple VLANs, then how can I configure it to support multiple VLANs (e.g. production LAN NIC on VLANx, and heartbeat NIC on VLANy)? Thank you.

    Hi,
    It seems that we need to use Multicast mode.
    Configure Network Load Balancing Cluster Operation Mode
    http://technet.microsoft.com/en-us/library/cc731616.aspx
    Hope this helps.

  • Load balancing Application Server

    Hi,
    I am new to PeopleSoft DBA.
    It would be great if somebody could point me to the steps required for setting up load balancing for the PeopleSoft application server (not web server).
    In particular I wanted to know where to look for information on 'directing certain loads' to a particular server.
    Thanks a lot
    Cyril

    Are you talking about load balancing from the web server to multiple appservers in 4-tier mode? See here the configuration.properties conf:
    http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt14.htm#H4003
    Or are you talking about load balancing for 3-tier mode? See TUXEDO Connect String in the profile (Configuration Manager):
    http://download.oracle.com/docs/cd/E13292_01/pt849pbr0/eng/psbooks/tsvt/book.htm?File=tsvt/htm/tsvt11.htm#H4032
    Nicolas.

  • Host Unreachable intermittently within a Windows Network Load Balancing Cluster

    Hi,
    We have 2 Windows 2008 R2 servers running multiple IIS web sites and load balanced across Windows Network Load Balancer in unicast mode. Although there are two interfaces in each server, only 1 interface in each server participates in load balancing and the other interface is used for a different backup LAN. The problem I am going to mention was not seen within the NLB for almost 1 year.
    I have noticed intermittent "host unreachable" detected from NLB in each host from time to time since 3 weeks ago. After the servers are rebooted, both hosts can be reached and can be detected from NLB Manager. However, it becomes unreachable in both servers within minutes and then becomes reachable again after several minutes. This behavior is noticed in the load balancer, and pings do not work between the two hosts when the issue occurs. I did a packet capture to see what was going on with ARP messages when the issue occurs. The ARP entry goes missing in each server when the problem occurs and no ARP replies are returned from each server. But ARP requests are dispatched from both servers when the issue occurs. ARP replies come back after some time, after which the hosts become reachable again.
    I tried to create a permanent static ARP entry (by copying the MAC address from the ARP table when the two hosts are reachable) in each host but that hasn't solved the issue either. It seems like the individual MAC address generated by each host is a virtual one and it doesn't seem to respond when the problem occurs.
    However, load balancing and web sites are fully functional without any issues even while the "host unreachability" issue is detected.
    I would appreciate it if someone could help me dig the real problem out.
    Thank you.

    Hi,
    Did you make some change to your network or the NLB firewall settings recently?
    If you are using the NLB cluster in a Hyper-V guest VM, you need to enable MAC address spoofing.
    The related article:
    Cannot access the virtual or dedicated IP address of an NLB node (Guest) running in Unicast Mode on Windows Server 2008 R2 Hyper-V
    http://blogs.technet.com/b/networking/archive/2010/02/12/cannot-access-the-virtual-or-dedicated-ip-address-of-an-nlb-node-guest-running-in-unicast-mode-on-windows-server-2008-r2-hyper-v.aspx
    More information:
    Selecting the Unicast or Multicast Method of Distributing Incoming Requests
    http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx
    Single network adapter
    http://technet.microsoft.com/en-us/library/cc776178(v=ws.10).aspx
    Hope this helps.

  • Hyper-V 2012 R2 & NLB (Network Load Balancing) with Unicast on VMs

    Hi,
    We set up a 2012 R2 Hyper-V cluster. On this cluster we would like to run 2 VMs which are using NLB (Network Load Balancing) in unicast mode.
    We have created an External Virtual Switch which is connected through a 3x10GB LACP team to a Cisco Nexus switch.
    We have tried to set NLB up in the way we did with 2008 R2, but we were not able to get this working. Is there any change in 2012 R2 we did not think about?
    Each time we form the cluster, one node becomes unavailable.
    Timo

    Check the virtual network adapter properties: you must enable MAC address spoofing. We had the same issues.
    Note that this will absolutely pollute your host machine's system log with tons of spam and make it pretty much worthless.  I'm trying to find a way around this as we speak, actually.

  • URL-Based Load Balancing

    I'm having a difficult time trying to configure load balancing on my CSM based on the URL entered. Here is my scenario:
    Two web servers (WebA & WebB), load balanced on a CSM. WebA & WebB have 90% the same content, so most traffic can be load balanced between them without a problem. The problem (for me anyway) comes in where WebA has certain web sites that WebB doesn't, and vice versa. So I need to load balance to both for 90% of the traffic, and point traffic to a particular server the other 10% of the time based on the URL entered.
    Below is the test config I have so far (that doesn't work correctly). What I am trying for in this example is that any URL that contains /vhosts/ or /programs/ be directed to WebA, any URL that contains /platform/ or /ssl/ be directed to WebB, and all other traffic be load balanced between the two evenly. (For testing purposes, the servers are being load balanced in "bridge mode"; in production they will be in "routed mode". I didn't want to go through the change controls to change the IP addresses for the test servers!)
    module ContentSwitchingModule 2
    vlan 605 client
    ip address 10.63.240.4 255.255.255.0
    gateway 10.63.240.1
    vlan 606 server
    ip address 10.63.240.4 255.255.255.0
    natpool URL-POLICY-TEST 10.63.240.204 10.63.240.204 netmask 255.255.255.254
    map SRV-A url
    match protocol http url /vhosts/*
    match protocol http url /programs/*
    map SRV-B url
    match protocol http url /platform/*
    match protocol http url /ssl/*
    serverfarm URL-POLICY-TEST
    nat server
    nat client URL-POLICY-TEST
    real 10.40.109.100
    inservice
    real 10.40.109.101
    inservice
    serverfarm URL-TESTA
    nat server
    nat client URL-POLICY-TEST
    real 10.40.109.100
    inservice
    serverfarm URL-TESTB
    nat server
    nat client URL-POLICY-TEST
    real 10.40.109.101
    inservice
    policy TESTWEB-A
    url-map SRV-A
    serverfarm URL-TESTA
    policy TESTWEB-B
    url-map SRV-B
    serverfarm URL-TESTB
    vserver URL-POLICY_TEST
    virtual 10.63.240.10 tcp 0
    vlan 605
    serverfarm URL-POLICY-TEST
    sticky 1
    persistent rebalance
    slb-policy TESTWEB-A
    slb-policy TESTWEB-B
    inservice

    Thanks for the reply Gilles. I've been out of the office for a while.
    Well, right now nothing is working, except that all traffic is going to the default server farm assigned to the vserver. Here are the URLs I am testing with:
    **************TEST A************
    http://10.63.240.10/manual/vhosts/fd-limits.xml
    http://10.63.240.10/manual/programs/apachectl.xml
    **************TEST B************
    http://10.63.240.10/manual/platform/ebcdic.xml
    http://10.63.240.10/manual/ssl/ssl_compat.xml
    ***************BOTH****************
    http://10.63.240.10/manual/howto/htaccess.xml
    http://10.63.240.10/manual/howto/cgi.xml
    When I try attaching to the first URL, for example, here is the connection info (I trimmed it down so it will fit here):
    MOSL1S1A#sh mod csm 2 real
    real server farm Conns/hits
    10.40.109.100 URL-POLICY-TEST 1
    10.40.109.101 URL-POLICY-TEST 0
    10.40.109.100 URL-TESTA 0
    10.40.109.101 URL-TESTB 0
    MOSL1S1A#
    MOSL1S1A#sh mod csm 2 conn
    prot vlan source destination
    In TCP 605 10.47.10.10:3738 10.63.240.10:80
    Out TCP 605 10.40.109.101:80 10.63.240.204:8820
    I've tried changing the syntax on the URL statement in the map as follows:
    /manual/*
    */manual/*
    /manual/
    *manual*
    /manual*
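    Added example (my code, not from the thread, and not a statement of how the CSM matcher actually works): if the url-map patterns are treated as globs anchored at the start of the path, the posted patterns cannot match the test URLs, which all begin with /manual/, and every request falls through to the default serverfarm, which is the behaviour reported above. The classifier below runs the six test URLs from the post against the configured patterns and against unanchored variants; the glob semantics are an assumption.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# (serverfarm, patterns) in policy order; the first match wins, otherwise the
# vserver's default serverfarm is used, as in the posted config.
UrlMaps = List[Tuple[str, List[str]]]
DEFAULT_FARM = "URL-POLICY-TEST"


def glob_to_regex(pattern: str):
    """Assumed semantics: '*' matches any run of characters (including '/'),
    everything else is literal, and the pattern must cover the whole path."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def classify(url: str, url_maps: UrlMaps, default: str = DEFAULT_FARM) -> str:
    """Return the serverfarm a request for `url` would be steered to."""
    path = urlsplit(url).path or "/"          # match on the path only, not host or query
    for farm, patterns in url_maps:
        if any(glob_to_regex(p).match(path) for p in patterns):
            return farm
    return default


def distribution(url_maps: UrlMaps, urls: List[str]) -> Dict[str, str]:
    """Map every test URL to the farm it would reach under `url_maps`."""
    return {url: classify(url, url_maps) for url in urls}


# Patterns exactly as configured in the post (anchored at the start of the path).
AS_CONFIGURED: UrlMaps = [
    ("URL-TESTA", ["/vhosts/*", "/programs/*"]),
    ("URL-TESTB", ["/platform/*", "/ssl/*"]),
]
# Same intent with a leading wildcard, so the segment may appear anywhere in the path.
UNANCHORED: UrlMaps = [
    ("URL-TESTA", ["*/vhosts/*", "*/programs/*"]),
    ("URL-TESTB", ["*/platform/*", "*/ssl/*"]),
]
# The six test URLs listed in the post.
TEST_URLS = [
    "http://10.63.240.10/manual/vhosts/fd-limits.xml",
    "http://10.63.240.10/manual/programs/apachectl.xml",
    "http://10.63.240.10/manual/platform/ebcdic.xml",
    "http://10.63.240.10/manual/ssl/ssl_compat.xml",
    "http://10.63.240.10/manual/howto/htaccess.xml",
    "http://10.63.240.10/manual/howto/cgi.xml",
]

if __name__ == "__main__":
    for label, maps in [("as configured", AS_CONFIGURED), ("unanchored", UNANCHORED)]:
        print(label)
        for url, farm in distribution(maps, TEST_URLS).items():
            print(f"  {farm:16s} {url}")
```

    Under the same assumption, a pattern such as *manual* matches all six test URLs, so it would pull the "BOTH" URLs onto one server as well.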

  • DS to BW load balancing

    Dear all,
    I have a doubt regarding load balancing in PRD. Our team is loading data through DS 12.2.2.3 to SAP BW master / transaction InfoSources.
    The SAP BW system has five application servers / instances to balance the load. The BW target datastore is configured to connect to the central instance of SAP BW.
    Since we are connected to the central instance / application server of the BW system from DS, will the BW system be able to balance the load across multiple instances?
    Since the BW server has multiple instances to balance the load, is there any way we can utilise these multiple BW instances from Data Services?
    Can you share your thoughts on this? I appreciate your responses.
    Regards,
    Suneer.

    Hi Suneer,
    There are several ways DS and BW can interact, so it might depend on what scenario you are using.
    I can think of the following scenarios:
    1. A DS job is executed from the admin console and loads into a BW target datasource.
    This should use any available server, according to the load balancing settings. It is not possible to force the process to use a specific server.
    2. A process chain starts an InfoPackage, which in turn starts a DS job.
    BW will use the server chosen at the time of scheduling; if everything is configured correctly and scheduled correctly it will use any available server according to the load balancing settings. You can set this to run on a specific server (but I would only recommend this in very special circumstances).
    3. DS triggers a process chain.
    Again, BW will use the settings on the process chain.
    4. BW runs an execution command, which starts a DS job.
    Well, this is not a relevant scenario as it does not update anything on BW, unless the execution command then runs a job which loads data into BW, which is described in scenario 1.
    I hope this makes sense. Let me know if you have any other scenarios or concerns.
    Can I just ask why you are concerned about this load balancing? I have not had load balancing problems with DS/BW, but I have had plenty of problems around concurrent use of the RFC connection between DS/BW. 'Multithreading' was not supported until 12.2.3.2 and you mentioned you run on 12.2.2.3, so potentially this is a problem for you.
    Jan.
