LD416 (Ver4.2.5) specification content-rule
I have localdirector 416 with 4.2.5.
How do I define the rules for content load balancing with HTTPS?
First of all, is it impossible by specification?
As follows:
content-rule rule01 depth 1024 "/aaa/"
content-rule rule02 depth 1024 "/bbb/"
virtual 10.1.1.1:443:0:tcp1 is
virtual 10.1.1.1:443:0:tcp:rule01 is
virtual 10.1.1.1:443:0:tcp:rule02 is
bind 10.1.1.1:443:0:tcp 10.1.1.2:443:0:tcp
bind 10.1.1.1:443:0:tcp:rule01 10.1.1.3:443:0:tcp
bind 10.1.1.1:443:0:tcp:rule02 10.1.1.2:443:0:tcp
sticky 10.1.1.1:443:0:tcp 10 ssl
I found the following comments about CSS.
All traffic is encrypted to avoid people to look at it.
So, the CSS does not see and has no way to see the URL.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.eea6243
Does this correspond to Local Director ?
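Added example (not part of the original post and not LocalDirector code): the quoted comment can be checked offline by running a content-rule style match against the first bytes a TLS client really sends. The matcher is an assumed model (substring search within the first "depth" bytes), and the host name and sample HTTP request are constructed.

```python
import ssl

DEPTH = 1024  # same depth as the content-rule lines in the post
RULES = [("rule01", b"/aaa/"), ("rule02", b"/bbb/")]

# Constructed sample: what the device would see on a plaintext port-80 flow.
PLAINTEXT = b"GET /aaa/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def pick_rule(first_bytes, rules=RULES, depth=DEPTH):
    """Assumed content-rule model: first rule whose string occurs in the
    first `depth` bytes of the client's data wins; None means no rule hit."""
    window = first_bytes[:depth]
    for name, pattern in rules:
        if pattern in window:
            return name
    return None


def client_hello(hostname):
    """Return the real first flight of a TLS client, produced in memory
    (no network I/O) with the standard library's MemoryBIO interface."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    return outgoing.read()


def demo():
    hello = client_hello("www.example.com")
    return {
        "http": pick_rule(PLAINTEXT),    # URL is readable, rule01 matches
        "https": pick_rule(hello),       # only a handshake record, no URL
        "record_type": hello[0],         # 22 = TLS handshake record
        # The server name travels in the clear (SNI); the path never does.
        "sni_visible": b"www.example.com" in hello,
    }


if __name__ == "__main__":
    print(demo())
```

The request line with "/aaa/" is only sent after the handshake, inside encrypted records, so a device that does not terminate TLS can match on address, port and server name but not on the URL.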
Similar Messages
-
Content rules issue - request directed to the wrong content
Hi,
We have the following setup;
Requests to www.oursite.com go to the content rule LB_FD_87. Requests to www.oursite.com/water/* go to the more specific content rule FD/WATER_LB_87. Sometimes, for inexplicable reasons, requests for www.oursite.com/water/* are sent to the content rule LB_FD_87 instead of the more specific rule FD/WATER_LB_87 and the client gets a 404 error. Anyone have a clue?
our setup:
dql FD_87
domain www.oursite.com index 1
owner FD
content LB_FD_87
add service W0_FD_3.71
add service W1_FD_3.81
protocol tcp
vip address XXX.XXX.29.87
port 80
balance leastconn
advanced-balance arrowpoint-cookie
active
owner FD_nonbalance
content FD/WATER_LB_87
vip address XXX.XXX.29.87
add service W3_GL_3.160
protocol tcp
port 80
url "/water*" dql FD_87
active
Thanks for your help
Wig
Hi Gilles,
I don't understand your suggestion.
I don't think increasing the flow timeout will help, since according to the Cisco documentation that will only permit the flow to stay idle longer.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801ee806.html#wp1013729
CISCO DOC: "Configuring Flow Inactivity Timeouts on Content Rules and Source Groups
Use this feature with a CSS to configure flow inactivity timeout values for TCP and UDP flows on a per content rule and per source group basis. This timeout value is not the frequency with which a CSS reclaims flow resources, but is the time period that must elapse for an idle flow before the CSS marks the flow for cleanup. "
And I am not sure of what you mean by "the CSS it will stop looking into the content to detect if a remapping to a better rule is required". I think you mean that the CSS will look for another content rule if a content rule does not respond to a request. But our understanding is that a CSS looks for the more specific content rule to serve a request, and if all the services of that content rule are dead the packet is dropped, not sent to another content rule.
We did test that with specific and less specific content rules, and if the more specific content rule has all its services dead the packet is dropped, not sent to the least specific content rule.
Thanks for your interest in our problem.
We cannot reproduce this problem but still find the line sporadically in the web server log. -
Maximum service and content rule count
Hi,
I got asked by a customer if there is maximum of services or content rules known for a 11503. I guess this is strongly related to available memory and the sessions per content rule but I'm searching for some figures about this.
Any input is appreciated.
Kind Regards,
Joerg
What models does this figure of 10,000 apply to? What specifically is creating this limit? What may happen if this limit is exceeded?
Jason -
In SharePoint 2010 I created workflows that used the 'Create list Item' Action, which then set the Content Type ID (so I could create documents of various types in a document library).
We just switched to the SharePoint 2013 platform, and now the drop down for Content Type ID is blank in all of the workflows that are still using the SharePoint 2010 platform. Is there any way to create a list item with specific content
type? Even if I could just input a string into that field instead of using this blank drop-down. Please help!
Hi Sarah,
According to your description, my understanding is that you cannot create a new list item with a specific content type using SharePoint 2010 Platform Workflow.
I tested the same scenario in my environment, and the Create List Item worked fine with the specific content type.
How did you create the content type?
Please check if the content type is added to the list/library the workflow associated with.
Best regards.
Thanks
Victoria Xia
TechNet Community Support -
Using a content rule for port translation.
If I set up a content rule to grab traffic on a VIP on port 81, can I then send it to a server that is configured for port 80 ?
cheers,
Mike
If I receive a UDP packet with the source port 123, can the CSS forward this packet to the server, but replace the source port with something greater than 1023?
As I know CSS doesn't NAT for udp ports less than 1023. -
HI
how to check RBS maintainer is running after deleting orphan blobs and while deleting the blobs from rbs storage,
and also how to stop the RBS maintainer for a specific content db.
when I run below query I found the orphancleanup value true
SELECT [config_key],[config_value] FROM [mssqlrbs_resources].[rbs_internal_config]
where config_key='orphan_cleanup_in_progress'
adil
Hi,
the RBS maintainer was run from one of the web front end servers and for one content database, that is fine,
but I only know this information because it was done by other administrators.
Now I did not find this Maintainer running in Windows Task Scheduler, but blobs are decreasing from the content database RBS storage folder, and I also found this maintainer running when I checked by running this SQL query in SQL Server:
SELECT
[config_key],[config_value]
FROM
[mssqlrbs_resources].[rbs_internal_config]
where
config_key='orphan_cleanup_in_progress'
It gave me true.
Now I want to stop this orphan cleanup. What settings and script should I run?
adil -
I am not able to telnet my content rule VIP address
I am not able to telnet to my content rule VIP address and port number. But I am able to telnet directly to the service servers, which are added into the content rule set. Can anyone tell me why? I have updated to the latest WEBOS 5.00 Build 69. The content switch model is 11050. Thank you very much.
Is possible one armed and in line in the same content switch ?
Currently I have some content rule are using one armed solution, there is only one rule I need to make the server see the original IP. I guess my question is , can I have this rule use in -line solution only, so I will not have to impact other rules set.
The other question since this content rule's service sever have only one interface only, Can I have this in-line solution go in the content switch and come out content switch in the same server farm switch ? Thank you for all the help. -
Can a Sorry server be a content rule?
Hello
I want to direct all my traffic to server A and if that fails I want to send all my traffic to server B. This I can do by directing all traffic to service A and having server B defined as a primarySorryServer. If these two fail I want my SecondarySorry Server to refer to a content rule. Is this possible?
Thanks!
Donagh,
indeed this document is not very clear but we can use it as an example.
There are 2 vips - 10.10.10.10 and 10.10.10.20.
They have a redirect service to send the traffic to 10.10.10.20.
All you have to do in your case, assuming your content rule looks similar to 10.10.10.10 in the example, is add the service redirect as a sorry server to the content rule 10.10.10.10.
What it does is if all your services go down, redirect the traffic to the 2nd content rule 10.10.10.20
Regards,
Gilles. -
CS-150-LAN extra content rule disables all access to website
We have a CS-150-LAN Content switch with software version 6.10Build203. Yesterday for no apparent reason we lost connectivity to our website through our CSS. To get around this issue we removed all content rules except for the "everything-else" rule.
owner www.acmi.net.au
content AIC
add service acmi-web3
url "//www.acmi.net.au/AIC*"
protocol tcp
port 80
vip address 203.14.59.174
content everything-else
add service acmi-web1
vip address 203.14.59.174
protocol tcp
port 80
active
owner www.vceart.com
content everything
add service acmi-web3
vip address 203.14.59.175
protocol tcp
port 80
active
What is happening now is that when I create an additional content rule it then times out all connections to our website http://www.acmi.net.au. If I suspend the additional rule "AIC" the website comes back online. We need these additional content rules for accessing subsites. Please help.
Thanks
Here are the sho service summary and show summary outputs
Owner             Content Rules     State       Services    Service Hits
www.acmi.net.au   AIC               Suspended   acmi-web3   6
                  everything-else   Active      acmi-web1   243
                                                acmi-web2   340
www.vceart.com    everything        Active      acmi-web3   23
sec-css-11150# sh service summary
Service Name   State   Conn   Weight   Avg    State         Idx
                                       Load   Transitions
acmi-web1      Alive   2      1        2      2             2
acmi-web2      Alive   9      1        23     2             3
acmi-web3      Alive   1      1        17     2             4
The content rule AIC is suspended because if I activate it, it then makes the website www.acmi.net.au unreachable and it times out.
This config was working from day one with the AIC content rule and about another 9 content rules under the owner www.acmi.net.au
If I add the url "/*" command to the content rule "everything-else" this also hangs the site www.acmi.net.au -
Hide specific content from search engine SEO, javascript
Hello,
I was wondering how good this would work to hide specific content for search engines.
<script>
var text =
'<table><tr><td>Hello</td></tr></table>'
document.write(text)
</script>
I have a site that has a database; when a user arrives at the page the database is checked against the IP and a flag is shown for that specific country. I would like to hide that from search engines as the search engine seems to make it local to itself.
Do you think the above should work OK? I have been told elsewhere "just make it display only by Javascript... search engines do not run javascript and should therefore NOT see the text".
It would be interesting to know others' comments on this.
regards
k
.oO(Malcolm _)
>On Tue, 08 Jul 2008 18:28:41 +0200, Michael Fesser <[email protected]>
>wrote:
>
>>.oO(twocans)
>>
>>>http://wwp.greenwichmeantime.com/time-zone/europe/uk/flag.htm
>>>
>>>union jack
>>
>>But the Union Jack is not the English flag, which is what I asked for.
>>
>>Working with flags in the WWW can become very difficult. Making an
>>inappropriate choice may even offend some people.
>>
>>Micha
>
>well the English flag is the St George's Cross - Red Cross on white
>background. it is shown just below the Union Flag.
Correct, but most people don't know that and just take the Union Jack for everything that's somewhat related to "English", hence my question. It's most commonly seen on pages that use flags to point to different language versions of that page.
This is not the case here, though, but I just wanted to point out that flags on a website can be troublesome. And I still don't think that determining the user's country just by looking at its IP can be done reliably, so some users will definitely get a wrong flag. Whether this might be a problem or not depends on the OP and his target audience.
Micha -
We have configured the CSS for content rule-based DNS operation for GSLB. The CSS are installed behind a firewall. CSS are configured with private addresses for the services and the VIP. This VIP is translated at the firewall for external access.
In this scenario, when the CSS receives a DNS query it returns the VIP (private address) and hence the clients can't reach it. How can I change it to return the public address to the user?
You can configure the CSS to return the public IP address.
But internal users that may require to use the private ip address will also receive the public ip address.
To configure the CSS, you need to use dns a-record and therefore use dns zone-based solution instead of rule-based.
http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a00801eebaa.html
Regards,
Gilles. -
Sticky sessions across multiple content rules
Hi,
If a client PC initiates two requests which match different content rules on a CSS (first request http port 80 to CSS VIP downloads a small application. This application then sends a second request to the VIP, on tcp port 8085) can sticky rules be configured on the CSS content rules, so that they hit the same destination server, given that both content rules contain the same services, and hence be considered part of the same session?
Thanks
There is no sticky across content rules option on the CSS.
But there are solutions to this problem.
First, are you doing anything special with your HTTP content rule ? Like cookies or url inspection ?
If not, you can group the 2 content rules into a single one. You will have 1 Layer3 rule instead of 2 Layer 4 rules.
If you have L5-7 rules [http inspection], the previous solution is not possible.
You will need to maintain 2 rules.
You could then use a 'balance srcip' balancing method on both rules.
This algorithm is deterministic.
The same client will always go to the same server.
Hope this helps.
Regards,
Gilles.
Thanks for rating. -
Layer 5 port 80 content rule breaks realaudio.
I have some layer 5 content rules we are using to filter viruses:
content block_.ida
protocol tcp
port 80
url "/*"
header-field-rule .ida weight 0
add service drop
active
header-field-group .ida
header-field .ida request-line contain ".ida"
This does a great job of filtering what we want, however realaudio which uses port 80 fails. If I disable the content rule the realaudio traffic works.
Any ideas?
Thanks!
Thanks for the response. We only have the one real audio stream. I have not seen any reference to .ida within the stream.
Is there any way to create a content rule stating that all realvideo traffic on port 80 go directly to the original destination with no further processing by the CSS? -
Use of content rule vs source group for NATing
To NAT outgoing flows out of two servers, is it necessary to define a content rule and source group (or is just a source group sufficient?).
Also does CSS do NAPT i.e. alter the source port number for outgoing packets from source groups?
Having trouble with Option 2.
Option 1:
service svr1
ip address 192.168.10.1
no port
protocol tcp
active
service svr2
ip address 192.168.10.2
no port
protocol tcp
active
content outflows
protocol tcp
add service svr1
add service svr2
vip address <externalip>
active
group outgrp
vip address <external ip>
add service svr1
add service svr2
active
<add appropriate acl>
Option 2:
service svr1
ip address 192.168.10.1
no port
protocol tcp
active
service svr2
ip address 192.168.10.2
no port
protocol tcp
active
group outgrp
vip address <external ip>
add service svr1
add service svr2
active
<add appropriate acl>
To NAT connections initiated by the server, you only need a source group.
No need for a content rule.
The CSS will port nat.
Gilles. -
One Arm config Domain Name Content rule
Hi Guys
How does a domain name content rule work in a one arm config?
What do we put in source groups as VIP address?
Does it need host headers in the web server as a requirement?
How does the client request get completed?
Any help much appreciated.
Thanks for your reply Jim,
This is what I am trying to do in a One arm config topology
( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you
to:
Enable service provisioning to be independent of IP-to-domain name mappings
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
content domainRule3
protocol tcp
port 80
url "//domain.com/*"
add service Serv1
active
group servers
add destination service Serv1
VIP address ???????? ( what should we put in here )
In this case what do we put as VIP address in source groups, and how does the traffic flow from the client to the actual server in a one arm topology? I am trying this topology where we have multiple sites configured with the same IP address with host headers.
My assumption is that I should configure DNS servers with the VIP address for domain.com and use that as the VIP address in the source group. But how does the actual traffic flow from client to servers?
Many thanks.