One Arm config Domain Name Content rule

Hi Guys
How does a domain name content rule work in a one arm config?
What do we put in source groups as the VIP address?
Does it need host headers in the WebServer as a requirement?
How does the client request get completed?
Any help much appreciated.

Thanks for your reply Jim,
This is what I am trying to do in a One arm config topology
(As the CSS guide (cntntgd.pdf) says under Configuring a Domain Name content rule)
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you to:
Enable service provisioning to be independent of IP-to-domain name mappings
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
content domainRule3
protocol tcp
port 80
url "//domain.com/*"
add service Serv1
active
group servers
add destination service Serv1
VIP address  ???????? (what should we put in here)
In this case what do we put as VIP address in source groups and how does the traffic flow from Client to actual Server in One arm topology? I am trying this topology where we have multiple sites configured with the same IP address with host headers.
My assumption is that I should configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flow from client to servers?
Many thanks.

Similar Messages

  • CSS 11503 One armed config

    All,
    I got a question on the one armed config.
    Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
    Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG. Should I need the source group anyway here? I think I don't. Someone please clarify. Much appreciated.
    thanks

    if you set the default gateway to be the CSS, then there is no need for the source group.
    However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymmetric flow].
    If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
    Gilles.

  • CSS one arm config

    CSS 11506
    Is it possible to pass Client's IP address
    to the Backend servers in One arm config.
    It is so that we can get stats on Web Server
    Thanks in advance

    Unfortunately CSS does not support HTTP header insertion.
    You can either perform PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
    Thanks
    Syed Iftekhar Ahmed

  • One Armed Config for multiple C classes

    Hi,
    I am trying to implement one armed config in the existing network for several c classes. Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or is one Circuit VLAN IP sufficient?
    Can I configure VIP in a different C class than Circuit VLan IP?
    I intend to use Source groups to get the traffic from servers back to CSS.
    Many thanks in advance.
    SS

    Two options are all ok.
    1. The CSS will allow you to create a secondary address on the circuit.
    for example,
    circuit VLAN2
    ip address 148.1.2.1 255.255.255.0
    ip address 148.1.3.1 255.255.255.0
    2. You could also create another interface "circuit" on the CSS and assign it with  the new subnet IP. Then trunk the vlan to core network.
    If you use one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
    You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer.

  • One-armed config

    We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bringing up a smaller setup using CSS 11150(s) and were wondering if they work just as well, performance wise, with a one-armed config?
    Thanks
    chad

    I think it should work just fine. The same configuration would work for CSS 11000 series switches.
    Check the config document:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml

  • Webvpn GW's on one router with domain names

    Hi,
    I'm trying to configure multiple WebVPN gateways on one router using one front door VRF and multiple back door VRF's. Think of this like a cloud service provider with several customers using different VRFs and one Internet VRF used for the incoming connections for the remote users.
    Doing so, several scenarios arise:
    Using one gateway and several contexts with a separate VRF for each.
    Please let me know if I am wrong here:
    I can only assign one trustpoint because I only have one gateway. This means that all users connecting can only use one domain name like "*.isp.com". This also implies the use of a wildcard certificate.
    Using several gateways and several contexts with a separate VRF for each.
    I can only assign multiple trustpoints because I only have one gateway. This means that users connecting can use multiple domain names like "webvpn.clientA.com" and "webvpn.clientB.com".
    I would prefer the first situation but then I run into a second problem:
    There are several commands related to hostname and up till now I have not figured out which one does exactly what:
    ROUTER(config)#webvpn gateway WEB_GW
    ROUTER(config-webvpn-gateway)#hostname
    ROUTER(config)#webvpn context CUST1_CT
    ROUTER(config-webvpn-context)#gateway WEB_GW domain
    ROUTER(config-webvpn-context)#gateway WEB_GW virtual-host
    Is there anyone who can explain to me what exactly does what?
    My personal guess is that I only need to configure the virtual-host like this: "CUST1_CT -> virtual-host cust1.isp.com and CUST2_CT -> virtual-host cust2.isp.com". But I'm not sure about this and up till now I have not found any documentation that describes this very clearly.

    I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
    If you can use BGP, this link will help you in load sharing between multiple ISPs when you have one router.
    http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
    HTH

  • How to block top-level domain names in rules for EOP?

    Using EOP for email filtering to/from our on-premise Exchange server. How do I block entire top-level domains in the rules section under mail flow? For example, we need everything ending with .link blocked. Right now I have only been able to block email addresses and full domain names. I know I can setup a transport rule in our exchange, but I'd prefer EOP handle this before like it should. Thanks in advance.

    If you're using EOP and your goal is to block stuff coming from a certain geographic area then you need to go to your exchange admin center select Protection>content filter>Default Policy>International Spam>Filter email messages sent from the following countries or regions

  • CSS one-armed-config and SMTP reverse lookup problems?

    I was wondering if there would be potential reverse lookup problems from other companies when we try to send mail to their mail Domains.
    If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
    If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
    Is this a valid concern?

    The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
    In a one-armed configuration only, the network port (Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link.
    http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

  • Two circuit vlan in one-armed config mode

    Hello.
    My client needs to add another vlan to the CSS because he is getting short on ip address. So he decided to add vlan 5, removed the default route to 192.168.12.1 and added two static routes.
    However nothing is working now and I can't figure out why.
    The initial config was:
    !*************************** GLOBAL ***************************
    ip route 0.0.0.0 0.0.0.0 192.168.12.1 1
    !************************* INTERFACE *************************
    interface 1/1
    trunk
    vlan 12
    interface 1/2
    admin-shutdown
    !************************** CIRCUIT **************************
    circuit VLAN12
    ip address 192.168.12.22 255.255.255.0
    !************************** SERVICE **************************
    service www-hux1
    port 80
    protocol tcp
    ip address 192.168.12.24
    keepalive type tcp
    keepalive frequency 10
    keepalive port 80
    active
    service www-hux2
    ip address 192.168.12.25
    port 80
    protocol tcp
    keepalive frequency 10
    keepalive port 80
    keepalive type tcp
    active
    !*************************** OWNER ***************************
    owner HS
    billing-info "ahp"
    email-address [email protected]
    content rule1
    protocol tcp
    port 80
    add service www-hux2
    vip address 192.168.12.27
    add service www-hux1
    balance aca
    active
    In the new config this is what's different:
    !*************************** GLOBAL ***************************
    ip route 192.168.5.0 255.255.255.0 192.168.5.1 1
    ip route 192.168.12.0 255.255.255.0 192.168.12.1 1
    !************************* INTERFACE *************************
    interface 1/1
    trunk
    vlan 5
    vlan 12
    interface 1/2
    admin-shutdown
    !************************** CIRCUIT **************************
    circuit VLAN5
    ip address 192.168.5.20 255.255.255.0
    circuit VLAN12
    ip address 192.168.12.22 255.255.255.0
    Can you see what's wrong in here?
    I almost forgot to tell that the default gateway of real servers is the CSS.
    Thanks,
    Joao Carvalho

    Ok. I think I got the problem. The destination of the packet sent by the CSS is a public ip address and none of the static routes matches that.
    Now my problem is how can I influence the next hop based on source ip address, in a CSS?
    Thanks,
    Joao
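
The routing gap identified in the reply above, as an added example that is not part of the original thread: a generic longest-prefix-match lookup over the static routes and circuit addresses from the two posted configs. The client address 203.0.113.10 is a constructed sample, and the lookup is a plain routing model, not the CSS's own forwarding logic.

```python
import ipaddress

# Static routes copied from the two configs in the post: (prefix, next hop).
INITIAL_ROUTES = [("0.0.0.0/0", "192.168.12.1")]
NEW_ROUTES = [
    ("192.168.5.0/24", "192.168.5.1"),
    ("192.168.12.0/24", "192.168.12.1"),
]
# Circuit addresses from the configs; each yields a directly connected network.
INITIAL_CIRCUITS = ["192.168.12.22/24"]
NEW_CIRCUITS = ["192.168.5.20/24", "192.168.12.22/24"]

# Constructed sample: a public client address (documentation range).
SAMPLE_CLIENT = "203.0.113.10"


def build_table(static_routes, circuits):
    """Return a list of (network, next_hop); connected networks come first."""
    table = []
    for cidr in circuits:
        table.append((ipaddress.ip_interface(cidr).network, "connected"))
    for prefix, next_hop in static_routes:
        table.append((ipaddress.ip_network(prefix), next_hop))
    return table


def lookup(table, destination):
    """Longest-prefix match. Returns the next hop, 'connected', or None."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, next_hop in table:
        if dst not in network:
            continue
        # Strict '>' keeps the earlier (connected) entry on equal prefix length.
        if best is None or network.prefixlen > best[0].prefixlen:
            best = (network, next_hop)
    return best[1] if best else None


def unroutable(table, destinations):
    """Destinations for which the table has no matching route at all."""
    return [d for d in destinations if lookup(table, d) is None]


if __name__ == "__main__":
    initial = build_table(INITIAL_ROUTES, INITIAL_CIRCUITS)
    new = build_table(NEW_ROUTES, NEW_CIRCUITS)
    for name, table in (("initial", initial), ("new", new)):
        for dst in (SAMPLE_CLIENT, "192.168.5.30", "192.168.12.24"):
            print(f"{name:8} {dst:15} -> {lookup(table, dst)}")
```

With the initial config the reply to the public client leaves via 192.168.12.1; with the new config the two /24 static routes only duplicate the connected networks, so the same destination has no route.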

  • Domain name and iweb not working 100%

    I’m a real novice. I made a site using iweb 09, with a domain name bought from fasthosts.co.uk. I pointed fasthosts at webme.com, but I can only see my site if I type nigeljames.net; if I type http://www.nigeljames.net I get nothing, probably something simple but a fundamental flaw for me.

    If you have used CNAME forwarding, then you need to go to the DNS settings at fasthosts and point your domain name to @, CNAME forwarded to web.me.com and then www CNAME forwarded to web.me.com and this will then work.
    Normally, you would have to cancel the A settings and then set up two CNAMES, one being your domain name represented by the @ and www, which is your sub domain. Set both up and then forward them to web.me.com, your host being MobileMe.

  • Domain Names - UURRRGGGGG

    Okay. I tried associating one of my domain names with my .mac account, but never finished it.
    I never put in the cname with godaddy.com. But now my domain points at my .mac account EVEN THOUGH I have removed the domain through the .mac settings...
    HELP? I just want my domain back and not pointing to my .mac account....

    I think I had the same problem. It was poor instructions on the .mac personal domain wizard. If so, then you need to continue to the next screen in the wizard to see the button that allows you to disconnect the .mac domain serving.
    Try going back into .mac > personal domain .. it probably shows a button that says 'continue'.
    Click the continue button, then look for a button that says something like 'remove personal domain'

  • CSM-S mode -One-Arm-vs- routed

    We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

    Gilles,
    What do you recommend when the traffic flows from the load balanced server are significant?
    ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
    Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

  • Multiple domains names and web sites with only one SLS and one static IP

    I tried to find a post on this topic but I still can't find what needs to be done.
    SLS is configured for one domain with one web site and it's working well. We will call it domain1.com. Here is the config:
    Static IP: 69.x.x.x
    DNS setting under Server Admin:
    hostname: server.domain1.com
    Two DNS entries under domain1.com with:
    www - alias - server.domain1.com
    server - Machine - 10.0.1.x (fixed IP for server on LAN)
    Web settings under Server Admin:
    server.domain1.com - 10.0.1.x - Port 80
    Domain1.com is managed with DynDNS Custom DNS Service with 1 record:
    domain1.com - A-record - 69.x.x.x
    I want to host a second domain (for a website) called domain2.com. It's also registered at DynDNS and I have custom DNS settings to configure.
    What needs to be done to have both domains with separate web sites on SLS under DNS and Web settings (beside the fact that I will have 2 different folders with the website files in it)? I understand that I will need a new entry in the DNS for the new domain (domain2.com) and also an entry in the Web Service pane. But what are the details?
    Thanks.

    When you said, "you don't need to do CNAME for both sites…", would this method still allow me to use personal web addresses for both sites?
    Yes. With "Ordinary Forwarding" you normally just type your .Mac url (web.mac.com/username/sitename) into a form at the place where you have your name.
    I thought I was using 'web.mac.com' as the 'www' CNAME (alias) for my personal domain name (web address), so that when someone typed in my personal domain name they would 'go' to the domain registration location, which would then pass it on to the .Mac server, where my web site is hosted.
    That's exactly right. It's just not the only way to do that. Ordinary Forwarding is another way, but it differs in terms of what appears in the address bar of the browser. Either you will see web.mac.com/username/.... or, if you add "masking", you will see your personal name for all pages. The CNAME method results in an address bar that reads www.myname.com/sitename/pagename.html.
    Am I way off?
    All help gratefully received,
    Jeff

  • Moving domain name from one plan to another

    Hi guys,
    I am about to go live with my new partner site - hopefully today. However since there was no practical way to redo the free partner site - I decided I would just upgrade to a paid account.
    So my question is, as I will have to move my domain names over is the proper procedure to delete them from the current site and then add them to the new site?
    What will happen to the email in between?
    Are there any other unforeseen issues that might arise?

    Hi Sidney,
    According to Level 2 tech support we cannot move domains set to our partner domain if the site is rebranded. It will stop all other sites created with it from working.
    Response to case # 183389606
    The reason why you cannot add this domain - auroratec.ca to another site is because this domain is your rebranding domain and even though you have removed it from your partner site - Auroratec Business Solutions the DNS zone will not be deleted. This is because you have sites created using your rebranding domain e.g. woodlandjewellers.auroratec.ca
    In this case what I suggest here to Brad is to re-add the domain to your partner site (by adding A Records instead of adding the New Domain) and if you need to change the content of your partner site simply use an FTP client to migrate the content from one site to another.
    Please note that the rebranding domain cannot be removed from the system so it can be used only in the partner site.
    So what I have done is added the domain back again using A records and set up a redirect to the new site with a new domain until I can change all my business cards, advertising, vehicle graphics etc to the new domain name. It will all work out in the end - not ideal but I'll live with it. Prateek in support was very helpful and thorough.

  • I want more than one site, all with personal domain names

    I have a dot mac account and I created a personal website using iweb (www.personalname.com) and now I would like to make a site for my business using iweb (www.businessname.com). Is that even possible? I've followed directions from other people. i know that I need to go into iweb and under file click new site and choose the templates and so on. But once I do all of that, I click publish and a box comes up and says this new site will now be published under your www.personalname.com.
    Am I missing something, or do I have to buy a completely new dot mac account for my business? Someone please help and walk me through this.
    Thanks a bunch!

    As Wyodor suggested have your domain name provider activate domain name forwarding for the second site. You'll need to open that site in your browser and get the actual URL to give the provider for forwarding.
    To make it easier to edit and publish individual sites I use iWebSites to manage multiple sites. It lets me create multiple sites and multiple domain files.
    If you have multiple sites in one domain file here's the workflow I used to split them into individual site files with iWebSites. Be sure to make a backup copy of your original Domain.sites files before starting the splitting process.
    This lets me edit several sites and only republish the one I want.
    If you expect a lot of traffic to your business site you might want to consider having it hosted on a commercial hosting site that will not be bogged down with all of the bells and whistles that the MobileMe servers are in order to provide all of the special features. A commercial server will be faster and more reliable. Depending on where you purchase your business domain name you can host it on their servers.
    OT
