One-armed LB with Trunk
What are the downsides of using a one-armed LB solution? I am trunking multiple VLANs across one interface instead of using multiple interfaces to connect to my server farm. The servers still have their default gateway as the CSS.
Thee are performance issues if the CSS has to LB over one interface. These should not be under estimated !!
However if you are trunking in to the CSS, you may not have this. It depends on how you configure your "logical" network. You could use one physical interface, but run two vlans over it (a trunk), these vlans are two logical interfaces, so in fact you are not running true one-armed. On CSS the vlans bind to the circuits to form the interfaces, it is only when you are LB over one circuit that you get performance issues.
Hope that made sense :-)
Similar Messages
-
CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy
With Reference to the following CCO documentation;
1). "How to Configure the CSS to Load Balance Using 1 Interface"
In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
(i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
(ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
Method a)
1.Configure the Real Server's gateway to Router's Gateway
2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
3.Configure VIP(non-shared) redundancy for the VIP on the CSS
4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
Method b)
1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
3. Configure VIP(non-shared) redundancy for the VIP on the CSSif you use method a) (server gateway is the router) you need the CSS to nat
the source ip address of the client in order to force the server to send traffic back to the CSS.
The issue then is that the server does not see the IP address of real client.
The server only see connections with source IP address = CSS ip address.
With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
You have a performance issue because the traffic will cross 2 times the one-armed interface.
If this is a new design, it is strongly recommended not to use one-armed setup.
Regards,
Gilles. -
ACE 4700 one-arm design with SSL termination
Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George GeorgiouThere are two ways to implement One Arm topology.
1. One Arm with PBR & 2.One Arm with SRC NAT
PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are following
One ARM with PBR:
Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
One ARM with SRC NAT:
You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes you can do that but wouldnt it make it routed mode topology?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed -
One-armed ACE with servers gateway to ACE (no SNAT?)
Hello ACE experts, I have two questions;
Design;
One-armed ACE appliance where the servers use the ACE as default gateway? (and ACE of course a default route to the router)
Apparently it works in my lab… But since it’s not documented I wonder what the gotcha’s are?
(This would eliminate the SNAT requirement for one-armed)
I know I need;
-no icmp-guard to allow ‘asymmetric icmp’
-no normalisation to allow asymmetric traffic when not using VIP (router to server is direct, but server response uses the ACE)
And other question;
Bandwidth license, apparently ALL traffic counts to this limit, even only routed traffic, is this true?
So In routed mode, all traffic from server backend that needs to be routed over ACE - a backup!? - counts?
Regards KristofHi
the reason I use "process every packet" was it was one of the advantage being offerd by one arm mode to not to process every packet. The main reason for one arm deployment, as i mentioned previously also, is ease in placement of ACE. We can have servers in any vlan and can put ACE altogther iin different VLAN. i guess this advantage is of no use for you because servers are already in same segment as that of ACE.
The main cause ,which i understand, customer don't like the concept of SNAT is because of its restriction on reporting and security. Client IP will be hide, so any reporting on servers for sessions source (or for monitoring attacks) will not be fruitfull. Although with feaures like XFF we can overcome this fault for HTTP traffic, but still customers don't like the consept of hiding details of IP accessing their servers.
regarding B/w count in bridge mode i am not 100% sure but beleive here again every passing traffic will count as ACE still monitor every packet and decide whether its a passing traffic or part of loadbalancing or hitting any of its confiugred policy. -
Can I configure csm as one arm and routing mode at the same time?
My csm currently is configured as the routing mode and bridge mode, resently I have a service requirement which I think the one arm mode should be the best resolution. Can anybody let me know if there will be any affect if I add the one arm mode to the currently production environment?
Thanks in advance.
JasonGille,
Thanks for your quick response. I notice you have same opinion about the one arm mode in your other post, but I think in the multi-tire data center design with fw in bridge mode and csm in one arm mode with RHI, do give us a lot of flexibilty. If I use policy routing instead of source nat, can I overcome these limit you metioned?
Do you know who csm could handle the TFTP traffic? I may have too much question, I am realy looking for your suggestion.
Thanks
Jason -
Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921
Is there a way to perform DNAT + SNAT and portmap disable on the CIsco CSS 11503. I need to do a DNAT in a one-armed configuration and the to SNAT for UDP traffic with SRC Port 9211 and DST Port 9211. I don't need loadbalancing but only NAT. Is there a way to solve this issue with ACL. Any help will be appreciated...
Thanksif you want to do DNAT, you have to it a content rule.
The vip will be nated to the service address.
Then you need a group to nat the client ip.
Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
Gilles. -
Sniffer Trace on ACE w/VACLs and One-Arm Design
Wow...that was a mouthful of a title!
Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
The vlan for my ACE is 3002. It is the only vlan in this context. I have a WildPackets OmniEngine connected to port on the 6500. Here is its config:
interface GigabitEthernet x/xx
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
switchport capture
switchport capture allowed vlan 3002
no ip address
no cdp enable
Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
bcThis can be done by setting up a monitor session on the Sup, with the
TenGig/1 as SPAN
source, and a trunk port as SPAN destination.
For example, if the ACE is in slot X, the configuration would be:
monitor session 10 source interface TeX/1
monitor session 10 destination interface Giy/z
The configuration for this port would be:
int giy/z
switchport
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
Syed Iftekhar Ahmed -
Can CSS 11000 load balance multiple server farms, using different load balancing algorithms on the same ip subnet and having multiple VIPs in the one-armed configuration.
I know this is not an ideal configuration but have to do it for a relocation project.
Thank yoiyes you can.
No need for a trunk.
But you have to keep in mind that the CSS must see both sides of a connection.
So, obviously the traffic from the client will hit the CSS vip, but for the server response, you have to make sure it goes back to the CSS.
This can be done with source nating or policy routing.
Gilles. -
Trade-off between the one-arm and two-arm WAE designs
We are configuring a WAE (model 512) for a branch office and I was wondering if someone could please tell me the trade-off between the one-arm and two-arm WAE designs..
thanks..
greg..if you are using WCCP then the WAE becomes the client withing the servcie groups 61, 62. In order to accelerate both vlans then apply the ip redirect 61 in on the client vlan ineterfaces to the one interface.
If inline, you can use both 2 port groups for each client interface or trunk all to a single inetrface and configure which vlans you would like to accelerate.
Now in terms of of using both GE inetrfaces, I would have to check. A topology diagram would help -
One Armed Config for multiple C classes
Hi,
I am trying to implement one armed config in the existing network for several c classes. Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
Can I configure VIP in a different C class than Circuit VLan IP.
I intend to use Source groups to get the traffic from servers back to CSS.
Many thanks in advance.
SSTwo options are all ok.
1. The CSS will allow you to create a secondary address on the circuit.
for example,
circuit VLAN2
ip address 148.1.2.1 255.255.255.0
ip address 148.1.3.1 255.255.255.0
2. You could also create another interface "circuit" on the CSS and assign it with the new subnet IP. Then trunk the vlan to core network.
If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer. -
ACE in one-arm model. VIP on Client Side, servers in other vlan
Hello All
i have a LAN whit many servers,but only 2 need to be balanced. So i think in one-arm model, due to the higth trafic that not be pass trought ACE.
i have a vlan 900 where is the client side and the VIP also. (10.0.9.64/26)
the servers are in vlan 503 (10.12.3.0/24)
it mi first design with ONE-arm but i thinks something is missing, because doesn't work.
the configuration is the next:
MSFC:
svclc module 1 vlan-group 1,2,
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
interface Vlan503
description OSS_&_Otros
ip address 10.12.3.253 255.255.255.0
standby 10 ip 10.12.3.254
standby 10 priority 150
standby 10 preempt delay minimum 305
interface Vlan900
description MSF_<->_ACE
ip address 10.0.9.126 255.255.255.192
end
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
route-map From_Server_OSS_to_ACE permit 10
match ip address 101
set ip next-hop 10.0.9.125
ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126
context OSS
allocate-interface vlan 511
allocate-interface vlan 900
allocate-interface vlan 902
member Max20
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.9.126
maybe a i need to allocate the vlan 503 in OSS Context, any advice?
Thanks in advace,
Gianni From ChileSince you server are not behind the ACE in either bridge or routed mode add the follwoing to your config and use nat to get the traffic back to the ace.
This is how one-armed mode works.
ACE_1/OSS# sh run
Generating configuration....
access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any
rserver host OSS_FES_1
description OSS_Front_End_Server_1
ip address 10.12.3.140
inservice
rserver host OSS_FES_2
description OSS_Front_End_Server_2
ip address 10.12.3.150
inservice
serverfarm host SERVER_farm_OSS
rserver OSS_FES_1
inservice
rserver OSS_FES_2
inservice
class-map match-all VIP-OSS
2 match virtual-address 10.0.9.66 any
policy-map type loadbalance first-match OSS-LB-POLICY
class class-default
serverfarm SERVER_farm_OSS
policy-map multi-match OSS-POLICY-MAP
class VIP-OSS
loadbalance vip inservice
loadbalance policy OSS-LB-POLICY
loadbalance vip icmp-reply
nat dynamic 10 vlan 900
interface vlan 900
description Clients-side
ip address 10.0.9.125 255.255.255.192
nat-pool 10 0.9.126 10 0.9.126 netmask 255.255.255.192 pat
access-group input EVERYONE
access-group output EVERYONE
service-policy input OSS-POLICY-MAP
no shutdown -
Is't Single-VLAN One-Armed Mode let the pop-ups error?
Dear all
In my network I deployed Single-VLAN One-Armed Mode In this mode,the real server’s default gateway is the upstream router. To ensure the return
flow traverses back through the load balancer, the IP address of the client isrewritten to that of the load balancer.
Direct access web was fine ,however when open Pop-ups website will appear error Example, the figure-1 :
figure-1
When I used real Server IP address not through ACE anything will be fine. Example, the figure-2 :
figure-2
The Web's Code
<%@ page language="java" pageEncoding="UTF-8"%>
<%@ taglib uri="/WEB-INF/hnisi.tld" prefix="hnisi"%>
<%@ include file="/jsp/framework/head.jsp"%>
<%@ page import="cn.sinobest.framework.util.DTOUtil,cn.sinobest.framework.util.Util,cn.sinobest.framework.util.ConfUtil" %>
<%
//当前登录用户 所属系统机构
String orgCode = DTOUtil.getUserInfo().getBAE001();
//操作员ID
String operId = DTOUtil.getValue("OPERID");
//角色类型
String roleType = DTOUtil.getValue("ROLETYPE");
String fromFuncDesc = DTOUtil.getValue("fromFuncDesc");
//所选操作员的姓名
String sOperatorName = DTOUtil.getValue("SOPERATORNAME");
//权限树 where 条件
String whereClsTree = " rightid in ( select distinct B.RIGHTID "+
" from FW_RIGHT B"+
" left join FW_OPERATOR2RIGHT A on LOCATE(B.RIGHTID,A.RIGHTID) = 1"+
" where A.AAE100 ='1'"+
" and B.AAE100 ='1' and A.operid = '"+operId+"' ";
//条件:有效角色,当前登录用户只能操作用户所属系统机构及下级机构的角色,以及上级机构的共享角色
String whereCls =" AAE100 ='1' and (BAE001 like '"+orgCode+"%' or ( IFSHARED = '1' and LOCATE(BAE001,'"+orgCode+"') = 1))";
if(!Util.isEmpty(roleType)){//角色类型
whereClsTree +=" and AUTHTYPE='"+roleType+"' ";
String roleType_zdfpzj = ConfUtil.getDict("ROLETYPE", "13");//最大分配角色
if("2".equals(roleType)){//分配角色包括:分配角色、最大分配角色
whereCls += " and ROLETYPE in('"+roleType+"','"+roleType_zdfpzj+"') ";
}else{
whereCls += " and ROLETYPE='"+roleType+"' ";
whereClsTree +=" )";
%>
<%-- 导航栏标签 --%>
<hnisi:gNavStr />
<legend style="cursor:hand;" >
<span>
<img id="img_fw_authmngr_geneauth_list_grid" src="${ctx}/themes/default/images/query_icon_right.gif">
</span>
<span title="单击展开或收缩">
<b><%=sOperatorName%></b>已拥有的权限树
<hnisi:tree id="menus" type="1" whereCls="<%=whereClsTree %>"/>
</span>
</legend>
<form name="roleListForm" method="post">
<%-- 角色列表--%>
<hnisi:glt id="fw_authmngr_geneauth_role" whereCls="<%=whereCls %>" />
<p align="center">
<%-- 确定按钮 --%>
<hnisi:btn name="btnQuery" onclick="roleAutoOk()" value="保存" href="javascript:void(0)"/>
<%-- 清除按钮 --%>
<hnisi:btn name="btnCls" onclick="cls()" value="清除" href="javascript:void(0)"/>
<%-- 关闭按钮 --%>
<hnisi:btn name="btnClose" onclick="winClose()" value="关闭" href="javascript:void(0)"/>
</p>
</form>
<form name="roleForm">
<input type="hidden" name="OPERID" value="<%=operId %>"/>
<input type="hidden" name="ROLEIDS">
</form>
<script type="text/javascript">
<!--
var orgCode ="<%=orgCode%>";
var operId ="<%=operId%>";
var roleType ="<%=roleType%>";
* 权限列表窗口
* @param roleId:角色ID
function winRight(roleId){
var eventId="1";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&ROLEID=" + roleId+"&_t="+new Date().getTime());
* 确定-保存授权信息
function roleAutoOk(){
$(function(){
var roleIds = "";
$.each($("input[name='checkbox']:checked"),function(i,o){
roleIds += (i==0 ? "" : ",")+o.value;
if (roleIds == ""){
FWalert("请选择要操作的角色!");
return;
roleForm.ROLEIDS.value = roleIds;
var params = FWGetForm(roleForm);
if(params.ROLEIDS ==""){
FWalert("请选择要操作的角色!");
}else {
var fromFuncDesc = "<%=fromFuncDesc%>";
//先进入本次权限变更列表页面,确认后再保存
var title = encodeURIComponent('授权确认');//对话框的标题
var url = "right!list.do?OPERID="+operId+"&fromFuncDesc="+fromFuncDesc+"&ROLETYPE="+roleType+"&ROLEIDS="+roleIds+"&title="+title+"&_t="+new Date().getTime();
var position="resizable:1;status:0;help:0;scroll:1;center:1;dialogWidth:800px;dialogHeight:500px";
window.showModalDialog(url,window,position);
* 直接授权:弹出权限树窗口
function directAuto(){
var eventId="2";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&OPERID=" + operId+"&_t="+new Date().getTime());
* 清除:清除已选择的角色 checkbox
function cls(){
var c_checkbox=document.getElementsByName('checkbox');
for (i=0;i<c_checkbox.length;i++){
c_checkbox[i].checked=false;
* 关闭窗口
function winClose(){
window.close();
//-->
</script>
</body>
</html>
The ACE's config
`show running-config`
Generating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
interface gigabitEthernet 1/1
switchport access vlan 100
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
switchport access vlan 3
no shutdown
access-list ALL line 8 extended permit ip any any
access-list allowany line 8 extended permit ip any any
access-list allowany line 16 extended permit icmp any any
probe icmp Ping
interval 2
faildetect 2
passdetect interval 2
passdetect count 1
receive 2
probe tcp TCP6666
description RPC Client Access
port 6666
interval 30
passdetect interval 60
connection term forced
open 10
probe tcp TCP8888
description RPC Client Access
port 8888
interval 30
passdetect interval 60
connection term forced
open 1
rserver host YB1
ip address 110.43.102.241
inservice
rserver host YB2
ip address 110.43.102.245
inservice
rserver host YB3
ip address 110.43.102.246
inservice
rserver host YB4
ip address 110.43.102.247
inservice
rserver host YB5
ip address 110.43.102.248
inservice
rserver host YB6
ip address 110.43.102.242
inservice
serverfarm host YB01farm
predictor leastconns
probe TCP6666
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
serverfarm host YB02farm
predictor leastconns
probe TCP8888
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
parameter-map type http PRESIST-REBALANCE
persistence-rebalance
sticky ip-netmask 255.255.255.255 address source YB01-GRP
timeout 60
replicate sticky
serverfarm YB01farm
sticky ip-netmask 255.255.255.255 address source YB02-GRP
timeout 60
replicate sticky
serverfarm YB02farm
sticky http-cookie COOKIE1 STICKYYB01
cookie insert browser-expire
timeout 3600
replicate sticky
serverfarm YB01farm
action-list type modify http IP-header
header insert request X-Forwarded-For header-value "%is"
class-map match-all YB01-slb-vip
2 match virtual-address 110.43.102.251 any
class-map match-all YB02-slb-vip
2 match virtual-address 110.43.102.252 any
class-map type management match-any remote_access
description remote-access-traffic-match
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance http first-match YB01-slb
class class-default
sticky-serverfarm STICKYYB01
action IP-header
policy-map type loadbalance http first-match YB02-slb
class class-default
sticky-serverfarm YB02-GRP
action IP-header
policy-map type loadbalance first-match YB6666
class class-default
sticky-serverfarm STICKYYB01
action IP-header
insert-http https header-value "on"
policy-map multi-match client-vips
class YB01-slb-vip
loadbalance vip inservice
loadbalance policy YB6666
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
appl-parameter http advanced-options PRESIST-REBALANCE
class YB02-slb-vip
loadbalance vip inservice
loadbalance policy YB02-slb
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
interface vlan 3
ip address 192.168.50.2 255.255.255.240
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 100
ip address 110.43.102.238 255.255.255.0
access-group input allowany
nat-pool 100 110.43.102.239 110.43.102.239 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 110.43.102.112Hi,
The error comes when accessing the website through LB. The error is thrown by the server. Do we know what does that error indicate and will be thrown by server under what circumstances?
Can you just try with one server in the serverfarm and check if it works fine?
Does it load initial page at all or throws error right away.
What do you see in show conn output? Which VIP is in question here?
Regards,
Kanwal -
Probe fail on Standby ACE in One-armed mode
Hi there
I'm Kilsoo.
I made One-armed mode using ACE.
Real servers are in away Vlan from ACE.
So, I configured the PBR with ACE alias ip address for the next-hop on the real server's gateway interface.
And, the probe from active ACE works well.
But, the probe from standby ACE was fail.
At this point, my first question
Is it normal situation that the probe fail from standby ACE????
So, I made the route-map for PBR like below for temporary solution.
route-map deny PBR 5
match ip address Probe_ACL
route-map permit PBR 10
match ip address L4_ACL
set ip next-hop <Alias IP address>
ip access-list extended Probe_ACL
pemit ip any <Standby ACE's IP address>
ip access-list extended L4_ACL
permit tcp <Real server's IP address> eq 80 any
Second question...
Do you have any other good solutions???
ThanksHi Cesar
Thanks for your reply.
But I think I was confuse when I wrote the message.
I used both ace's vlan ip address for next-hop ip address like your advice.
Do you know the standby ace can't check probe without route-map in one-armed mode like below diagram???
Backbone Router
|
|
|
Supervisor --------------------ACE(vserver: 172.19.100.100)
| (vlan 200)
|
|
|(vlan 110)
|
|
Real servers
(172.19.110.111) -
CSM in one armed mode Redundancy
Hi,
I have a customer with a one arm setup. However they have no server vlan, only a client vlan. They are using source nat and it is working, however I am unsure how to setup redundancy as the alias command seems to be generally used on the server vlan.
i am running hsrp and a ft vlan accross the csm's
Does anyone have any experience of this type of setup, do i need to add any additional config for fault tolerence??
Cheers
ScottScott,
you can use the alias and whatever vlan [client or server].
It is required if your servers or clients are using the CSM as default gateway.
There is no special config required when doing fault tolerance in one-armed mode.
It's the same as inline mode.
Gilles. -
Source IP in One armed Mode ACE
Hi,
How do we find actual Client Source IP address in One armed mode ACE for NON-HTTP application like LDAP,FTP and etc....It's not possible. Insertion within header works only for HTTP and HTTPS with SSL offload.
Maybe you are looking for
-
or another iOs device, which option do I choose? *Set up as a new iPod or *Restore from the backup of (myself or son's itouch) I have done this before but cannot remember what I did and I do not want to lose what I have.
-
Setting up small office....
If I purchase 5 or 6 airport extremes and set them up across the 5,00 sq ft office complex would that work effectively for our wireless network? Also, how do I keep them from clashing, change the channels? Thanks! Jon
-
I receive a U44M1P7 error when installing Adobe CSXS Infrastructure 4.0
Particularly annoying in that ALL FIVE installs failed, and Adobe's lovely solution based on the error code (u44m1p7) is to uninstall and reinstall. Or check the arcane logs that don't tell a real story. How about this idea? TELL THE ENGINEERS NOT TO
-
Spot Healing Brush needs 'Current and Below' and 'Ignore Adjustment Layers'
Spot Healing Brush needs 'Current and Below' and 'Ignore Adjustment Layers'
-
How to estimate (hour) for Alerts in SAP XI.
Hi Experts, I got alerts configuration assignment for mapping errors, adapter errors and queues in SAP XI/PI, my team lead asked me to provide the estimation time for alerts (alert creation, alerts configuration, alerts testing in Dev, Quality and Pr