Reuse of context in ACE module

Hi all, just have a question about some reuse of resources in an ACE module context.  I don't want to make a new context, and can reuse most of the existing configuration in one of my contexts.  The config is not complex and difficult, but I'm not sure if I can do this.
The primary goal is to loadbalance 2 webservers with a new vip, new serverfarm, stickygroup, policy-map and different nat-pool.
Since I haven't decided the ip addresses to be used, they are just xx in the config below.
The changes I want to implement are in bold.  Will this work for me?
probe http WEBGUI_D2
  description Probe for http mot webgui
  interval 10
  passdetect interval 10
  passdetect count 1
  request method get url /D2/auth/login.aspx
  expect status 200 302
  header User-Agent header-value "IDENTITY"
rserver host cwi003
  description content server logon
  ip address 10.163.22.27
  inservice
rserver host cwi004
  description content server logon
  ip address 10.163.22.28
  inservice
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON_D2
  probe WEBGUI_D2
  rserver cwi003 80
    inservice
  rserver cwi004 80
    inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP1
  timeout 20
  replicate sticky
  serverfarm SF_LOGON_D2
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON_D2
  3 match virtual-address 10.163.22.13 any
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
    sticky-serverfarm STICKYGROUP1
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 1240
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 6 vlan 1240
interface vlan 1240
  description Client_server
  ip address 10.163.22.11 255.255.255.0
  peer ip address 10.163.22.12 255.255.255.0
  access-group input INBOUND
  nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
  service-policy input PM_ONE_ARM_MULTI_MATCH
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.163.22.1
BR
Geir

Thanks for your reply.
Hope I understand you correctly.  This should be the config I need to paste into the existing context.
rserver host cwi503
  description content server logon 2
  ip address 10.163.22.23
  inservice
rserver host cwi504
  description content server logon 2
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
   timeout 20
   replicate sticky
   serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
   3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
  class class-default
    sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB2
    nat dynamic 6 vlan 1240
interface vlan 1240
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
Br
Geir
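
A paste like the one above can be checked offline before it goes into a shared context. The following Python sketch is an added example, not part of the original posts and not Cisco tooling: it parses an indented ACE-style configuration and lists objects that are referenced but never defined. `EXISTING` is a constructed, abridged stand-in for the running context, and `parse` and `unresolved` are hypothetical helper names.

```python
# Constructed, abridged stand-in for the parts of the running context the paste relies on.
EXISTING = """\
probe http WEBGUI_D2
  interval 10
interface vlan 1240
  nat-pool 5 10.163.22.14 10.163.22.17 netmask 255.255.255.192 pat
  service-policy input PM_ONE_ARM_MULTI_MATCH
"""

# The additions from the post above; the "xx" octets are still undecided on the page.
DELTA = """\
rserver host cwi503
  ip address 10.163.22.23
  inservice
rserver host cwi504
  ip address 10.163.22.24
  inservice
serverfarm host SF_LOGON2_D2
  probe WEBGUI_D2
  rserver cwi503 80
    inservice
  rserver cwi504 80
    inservice
sticky ip-netmask 255.255.255.255 address source STICKYGROUP2
  timeout 20
  replicate sticky
  serverfarm SF_LOGON2_D2
class-map match-all VS_LOGON2_D2
  3 match virtual-address 10.163.22.xx any
policy-map type loadbalance first-match PM_ONE_ARM_LB2
  class class-default
    sticky-serverfarm STICKYGROUP2
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_LOGON2_D2
    loadbalance vip inservice
    loadbalance policy PM_ONE_ARM_LB2
    nat dynamic 6 vlan 1240
interface vlan 1240
  nat-pool 6 10.163.22.xx 10.163.22.xx netmask 255.255.255.192 pat
"""

# Top-level commands that define a named object (the name is the last token).
DEFINES = {"probe", "rserver", "serverfarm", "sticky",
           "class-map", "policy-map"}
# (enclosing block, sub-command prefix) -> kind of object the next token refers to.
REFS = {("serverfarm", ("probe",)): "probe",
        ("serverfarm", ("rserver",)): "rserver",
        ("sticky", ("serverfarm",)): "serverfarm",
        ("policy-map", ("serverfarm",)): "serverfarm",
        ("policy-map", ("sticky-serverfarm",)): "sticky",
        ("policy-map", ("class",)): "class-map",
        ("policy-map", ("loadbalance", "policy")): "policy-map",
        ("interface", ("service-policy", "input")): "policy-map"}

def parse(config):
    """Return (defined, referenced) sets of (kind, name) pairs."""
    defined, referenced = set(), set()
    block = vlan = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():          # assumption: column 0 opens a new block
            block, vlan = tok[0], None
            if tok[0] in DEFINES:
                defined.add((tok[0], tok[-1]))
            elif tok[:2] == ["interface", "vlan"]:
                vlan = tok[2]
            continue
        if block == "interface" and tok[0] == "nat-pool":
            defined.add(("nat-pool", f"{tok[1]}@vlan{vlan}"))
        elif block == "policy-map" and tok[:2] == ["nat", "dynamic"] and len(tok) >= 5:
            referenced.add(("nat-pool", f"{tok[2]}@vlan{tok[4]}"))
        for (blk, prefix), kind in REFS.items():
            n = len(prefix)
            if blk == block and tuple(tok[:n]) == prefix and len(tok) > n:
                referenced.add((kind, tok[n]))
    referenced.discard(("class-map", "class-default"))  # built-in, never defined
    return defined, referenced

def unresolved(config):
    """Sorted list of (kind, name) pairs that are referenced but not defined."""
    defined, referenced = parse(config)
    return sorted(referenced - defined)

if __name__ == "__main__":
    print(unresolved(EXISTING + DELTA))
```

Run against the pasted lines alone, the check reports the probe that only exists in the running context, which is the dependency to confirm before pasting into a different context.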

Similar Messages

  • Question in regard to management VLAN for each Context in ACE module

    Dear Pros,
    I know this will be a simple question to answer, and I have searched the forum, but I am not able to find the answer I need.
    1) Does the ACE module require a Management IP address for each Context? Should the same VLAN be applied to each context, with larger size subnet to supply host address?
    2) If it does require that, what IP address should I use for default route in each context.
    I will be utilizing "Bridge Mode" for my application to transition the current network from Foundry to ACE. I will later on apply the "Routed Mode" model.
    Each ACE module will have 3 separate Contexts, for a total of 4 including the Admin.
    Any suggestions or if you can point me to location as always will be greatly appreciated.
    Thanks and best regards.
    Raman Azizian

    Hi,
    you have several options to choose from.
    1. Use Admin context for management
    You can use the Admin context for management. Give it an IP address in your management VLAN, default route to upstream router, and login and change to contexts from there.
    + Easy and straightforward
    - snmp and syslog are using the ip from each individual context and not the management IP
    2. Use a Large subnet and assign an IP address in each context for management.
    You can configure 1 management VLAN and assign an IP address to each context in this subnet. Create static routes to the management stations that need to access this management address.
    + each context has its own management address
    - static routes need to be added
    3. Use your client-side ip address (or BVI) as management address.
    Your management traffic will be inline and use the same path as your data. Default route is already configured and also valid for the management.
    + no static routes needed
    - inline management
    Personally, I choose option 1. That is, if the people that need to manage the ACE are the same team.
    If other teams (serverteam for context 1, other serverteam for context 2) need to manage the ACE, then I would choose option 3.
    HTH,
    Dario

  • Reload a virtual context in ACE

    Hi,
    is it possible to reload one or more virtual contexts in ACE module? Is it possible to download checkpoints from ACE to remote server and vice versa?
    Thank you

    You can't reload a single context, maybe they will change this with a next major. Copying a checkpoint is also not possible imho. So if you delete a context the whole checkpoints are gone.
    If you want to do a write erase and reload for a fresh start you have to create an initial "empty" checkpoint and roll back.
    Easiest way to create a fresh context and make sure it has the same configuration is copy and paste from a config file but you have to be careful in which order. If you e.g. reference a cert which is not in the store or paste an ssl-proxy into a service policy without the ssl-proxy part configured etc.
    But as always maybe someone has even better advice.
    Roble

  • Ssh access into virtual context on the ACE module A(2.2)

    Hello,
    I tried to configure:
    Admin(conf)#context test
    Admin(conf-context)#ssh key rsa1 1024
    but this command ssh is not supported in this newest version. How can I configure the ssh access directly into virtual context on the ACE module??
    Thank you

    Here's a link on how to configure it.
    https://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/admin/guide/access.html#wp1049450
    Hope that helps.

  • Load Balancing on ACE Modules

    hi,
    Is it possible to load balance VIP hits on two ACE Modules in an active/active configuration. Or is it that only per FT group only single context could be active.
    Regards.

    You can have 1 context active on one ACE and the other context active on the other ACE.
    If you have 2 Vip, you can have 1 vip belonging to one context and the other vip belonging to the other context.
    Like this, you split the traffic between the 2 devices which allows you to handle more traffic than what 1 device could normally do.
    If one device can handle all your traffic, I prefer to only have 1 active unit and 1 standby.
    Easier to implement and troubleshoot.
    Gilles.

  • Configuring FT on ACE Modules

    Hi,
    I am trying to configure FT on ACE modules, with the following commands
    ft interface vlan 20
      ip address 172.16.20.1 255.255.255.252
      peer ip address 172.16.20.2 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 10
      ft-interface vlan 20
    ft group 1
      peer 1
      priority 150
      associate-context Admin
      inservice
    The moment I enter the command 'ft interface vlan 20', it gives a prompt that 'interface vlan20 is not associated with ft', how do I resolve this ? Do I need to enable something ?

    Hi, I have the following config which seems to be working fine for me...  check your vlan20 interface is up
    ft interface vlan 212
      ip address 172.31.1.221 255.255.255.252
      peer ip address 172.31.1.222 255.255.255.252
      no shutdown
    ft peer 1
      heartbeat interval 300
      heartbeat count 20
      ft-interface vlan 212
    ft group 2
      peer 1
      priority 50
      peer priority 150
      associate-context Admin
      inservice
    HQ-ACE1/Admin# sh int
    vlan212 is up, administratively up
      Hardware type is VLAN
      MAC address is 00:23:5e:25:72:f1
      Mode : routed
      IP address is 172.31.1.221 netmask is 255.255.255.252
      FT status is standby
      Description:not set
      MTU: 1500 bytes
      Last cleared: never
      Last Changed: Tue Sep  6 12:46:06 2011
      No of transitions: 1
      Alias IP address not set
      Peer IP address is 172.31.1.222 Peer IP netmask is 255.255.255.252
      Assigned from the Supervisor, up on Supervisor
         8654909 unicast packets input, 735611030 bytes
         1151150 multicast, 161 broadcast
         0 input errors, 0 unknown, 0 ignored, 0 unicast RPF drops
         13020418 unicast packets output, 1672055521 bytes
         0 multicast, 163 broadcast
         0 output errors, 0 ignored

  • ACE Module Radius with ACS 4.2

    Hi,
    I am able to authenticate to my ACE modules via Radius, but when I login it does not give me Admin rights. Does anyone have a fix for this? My ACS admin has been working with TAC since last week to no avail.
    John...

    You have to use a custom AV pair on TACACS server under user setup to make it work. ACE uses RBAC (Role Based Access Control) and for that you have to pass the context and User Role from TACACS server to ACE to make it work. If no RBAC info is pushed from TACACS server and the user just gets authenticated, then the default role assigned by ACE is Network-Monitor.
    Following steps (on TACACS server) will make it work
    1. Select your user
    2. Go to TACACS+ settings
    3. Select "shell (exec)" checkbox
    4. Select "custom attributes" checkbox
    5. Type your context and role information in custom attrib box, using following format
    shell:*
    e.g. (if context name is Admin, domain is default-domain and you want to assign role "Admin" to this user)
    shell:Admin*Admin default-domain
    Hope it helps
    Syed

  • Certificates vanished - ACE Module. Strange!

    ACE modules are configured in Active/Standby context mode on two distinct Cat6500's. The feature license is 10,000 SSL tps, 8Gbps throughput.
    We ran the application performance tests with 1000 users with https transactions and I noticed that all the root certificates under the chaingroup disappeared. Only the website certificate remained. When I accessed the website, it gave 'error with the security certificate' i.e. the root was not identifiable due to missing certificates. Eventually, the CPU went 100% on Cat6500 and the ACE module was shutdown by the chassis. It got reenabled automatically in 5 minutes.
    I re-added the root certs, removed/added the service policy and after sometime I noticed the root certs disappeared again. STRANGE !
    show version output is
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2006, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    Software
    loader: Version 12.2[121]
    system: Version 3.0(0)A1(6.3a) [build 3.0(0)A1(6.3a) adbuild_02:16:25-2008/02/02_/auto/adbu-rel3/ws/rel_3_0_0_a1_6.3-throttle/REL_3_0_0_A]
    system image file: [LCP] disk0:c6ace-t1k9-mz.3.0.0_A1_6_3a.bin
    installed license: ACE-08G-LIC ACE-VIRT-020 ACE-SSL-10K-K9
    Hardware
    Cisco ACE (slot: 2)
    cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
    memory info:
    total: 957640 kB, free: 347924 kB
    shared: 0 kB, buffers: 1588 kB, cached 0 kB
    cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 360960 kB, available: 653664 kB
    last boot reason: NP 0 Failed : NP ME Hung
    configuration register: 0x1
    Could you please advise whether there is any bug in the above software version i.e. it removes the root certs due to heavy transaction load.
    Thanks.

    I wanted to look for more details regarding this bug id. But I got the below message in Bug Toolkit. Please advise...
    CSCsl96203 Bug Details
    Information contained within bug ID CSCsl96203 is only available to Cisco employees. It is our policy to make all externally-facing bugs available in Bug Toolkit so the system administrators have been automatically alerted to the problem. By choosing to save this bug, you may be notified when the decision to make this bug available to you has been made. Note: Some product enhancement requests and documentation error bugs may not be available in Bug Toolkit.

  • Configuring ACE Module for Redundancy

    Hi Sir,
    I'm configuring fault tolerance between two ACE modules installed on two different Catalyst 6513 switches. I have one Admin context and 3 user contexts.
    Do I need to configure 4 "ft group", i.e. one context per group? E.g. config:
    ft group 1
      peer 1
      priority 110
      peer priority 105
      associate-context Admin
      inservice
    ft group 2
      peer 1
      priority 110
      peer priority 105
      associate-context ace-context1
      inservice
    ft group 3
      peer 1
      priority 105
      peer priority 110
      associate-context ace-context2
      inservice
    ft group 4
      peer 1
      priority 105
      peer priority 110
      associate-context ace-context3
      inservice
    Can you also explain the purpose of configuring an alias IP address on the client-facing VLAN interface? I understand we need an alias IP address on the server-facing VLAN interface to provide a virtual gateway address to the servers. But what's the use of an alias IP on the client-side?
    Thank you.
    B.Rgds,
    Lim TS

    Hi Gilles,
    I have configured FT for all user contexts as well as for the admin context. It works. My FT config is identical to the one I posted in this thread. Of course, one has to define the "ft interface vlan" and "ft peer" before configuring FT groups.
    I noticed a few things:
    (1) After the initial FT config, subsequent FT groups just need to be configured on the active Admin context and it will be replicated to the standby ACE, with the priority correctly reversed.
    (2) You will get the message "NOTE: Configuration mode has been disabled on all sessions" when you log in to a standby context.
    (3) The hostname of the active Admin context is not synced to the standby ACE. Do you know why?
    One issue I encountered in one of the user contexts is as follows:
    ace1/ace-context-1# sh run int
    Generating configuration....
    interface vlan 950
      description *** Client-Facing VLAN ***
      ip address 10.1.35.5 255.255.255.0
      alias 10.1.35.4 255.255.255.0
      peer ip address 10.1.35.6 255.255.255.0
      access-group input ACL_VL950_IN
      service-policy input REMOTE_MGMT
      service-policy input MY_LB
      no shutdown
    interface vlan 951
      description *** Connection to Real Servers ***
      ip address 10.1.36.2 255.255.255.0
      alias 10.1.36.1 255.255.255.0
      peer ip address 10.1.36.3 255.255.255.0
      access-group input ACL_VL951_IN
      service-policy input NAT_REAL
      no shutdown
    This is the active context. It can ping to 10.1.35.4 (alias) and 10.1.35.6 (peer) over VLAN 950 (client-side). It can ping alias 10.1.36.1 over VLAN 951 (server-side) but can't ping to peer 10.1.36.3. The ACL_VL951_IN permits ip any any. Do you know why?
    Secondly, I can remotely ping to alias 10.1.35.4 but can't telnet to it (I'm expecting it to telnet to the active context). I have to telnet to 10.1.35.5. Is this normal behavior?
    Please advise.
    Thank you.
    B.Rgds,
    Lim TS

  • ACE module FT

    Hi,
    I need to know if for 2 ACE to work on FT the subnet needs to be same or can it work on different subnet as well?
    Is it possible to connect 2 6509 with ACE each, connected through routes, not with vlans (layer 3, not layer 2)??
    Also, can both ACE be made functional to work in active active??

    NO.
    You need to extend Each vlan going into one ACE module to its peer.
    Both ACE modules can be Active/Active only in multi context mode. E.g. if you have four contexts C1, C2, C3, C4 then you can make C1 & C2 active on Ace1 & C3 & C4 active on Ace2.
    Syed Iftekhar Ahmed

  • Clear resource usage counter on ACE module

    Hi
    Does anybody know how to clear the resource usage counter on an ACE module?
    We use an ACE20-MOD-K2 with version A2(3.5).
    Here you can see that after issuing 'clear stats resource-usage' the counters are still the same.
    uzhlbsrv1/Admin# sh resource usage resource rate bandwidth
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      bandwidth                  1966       3971    7487500  625000028          0
    Context: NOZONE
      bandwidth                     0       4450          0  617512528          0
    Context: ZONE1
      bandwidth              14021827  549340375          0  617512528  192084322
    Context: ZONE2
      bandwidth                197520   69634789          0  617512528      29385
    Context: ZONE3
      bandwidth                 38756   78911285          0  617512528    6471653
    Context: ZONE4
      bandwidth                     0       3052          0  617512528          0
    uzhlbsrv1/Admin# clear stats resource-usage
    uzhlbsrv1/Admin# sh resource usage resource rate bandwidth
                                                         Allocation
            Resource         Current       Peak        Min        Max       Denied
    Context: Admin
      bandwidth                   396        841    7487500  625000028          0
    Context: NOZONE
      bandwidth                     0       4450          0  617512528          0
    Context: ZONE1
      bandwidth               9350189  549340375          0  617512528  192084322
    Context: ZONE2
      bandwidth                128087   69634789          0  617512528      29385
    Context: ZONE3
      bandwidth                133229   78911285          0  617512528    6471653
    Context: ZONE4
      bandwidth                     0       3052          0  617512528          0
    Or is it a bug eventually?
    Thanks
    Patrik

    Hi Patrik,
    What could be one of the issues here is, if this box is in production and is being used, as soon as you clear the counters, the new traffic is still flowing in, so ACE will populate the new stats. If you take this box out of production then you should be able to see all the traffic gone.
    Also to reinforce my previous argument, if you happen to see the stats the second time, they are reduced, which will only point that the system is actively receiving and before you do a second show resource, it would have received some traffic and it will also take into account the existing traffic flow across the box.
    Most likely not a Bug.
    Regards
    Abijith

  • Wr mem gives error on ACE module

    Hi,
    I am not able to save the configuration on the ACE module.
    Admin# wr mem
    Generating configuration....
    Error in generating running config..copy aborted
    "Write memory failed for context Admin"
    Any help would be appreciated.
    Thanks
    Neha

    Hi Neha,
    Kindly check the current system resource usage for each context by entering the #show resource usage command.
    If the resource usage percentage is high, the ACE is overloaded.
    Use the copy running-config startup-config command instead of the write memory command. Maybe it can solve your issue for now.
    Write back if it does not solve your issue.
    Sachin Garg

  • Per-ServerFarm SNAT on ACE Module.

    Dear all,
    I have an ACE Module configured in Multiple Routed Contexts.
    My cust wants to configure some NAT Feature that prevents the real server IP Address from appearing outside the ACE. They want that the only IP address outside the ACE will be the Virtual IP Address (VIP) that represents the serverfarm.
    Also, the cust wants that different serverfarms communicate with each other within the same VLAN.
    I was reading and the option that accomplishes both tasks is Dynamic (PAT) Per-ServerFarm SNAT using the VIP address.
    Is this correct?
    The software version is A2(3,5).
    Thanks a lot!
    David

    Hi David
    Could you please clarify and maybe separate the tasks you have?
    As I understand you have these tasks for now:
    1) Don't show rserver IPs anywhere outside ACE
    2) Servers in the same VLAN should be able to communicate with serverfarm which is located in the same VLAN via VIP
    First task is a little bit unclear. I mean - actually you have VIP outside of ACE and all outside clients communicate to serverfarm via VIP and don't need to know rservers IPs (e.g. they can even be private and VIP is public, if we're talking about Internet)
    Or do you mean that rservers need to communicate with outside world through ACE but you want to NAT these flows too?
    2) Yes, it's possible. For such configuration you need to create a service policy, with the same VIP and configuration as you have for outside interface and put it on inside interface. The only key difference is that you need to add a NAT statement, because return traffic should go to ACE and as rservers and clients in this case are in the same VLAN, you need to use NAT.
    E.g.
    policy-map multi-match VIP_IN
      class MY-CLASS
        loadb vip ins
        loadb policy MY-L7Policy
        nat dynamic 1 vlan X << - inside interface
    and then on inside interface
    inter vlan X
      nat-pool 1 Y.Y.Y.Y netmask 255.255.255.255 pat
    In this case it will work in this way: say you have servers in vlan 10. Servers #1 and #2 are rservers in your serverfarms and server #3 wants to connect to serverfarm through VIP. Let's say that vlan 10 has subnet 10.0.0.0/24 and VIP for this serverfarm is 8.8.8.8. When you configure like I wrote above this will happen:
    Server #3 connects to 8.8.8.8, traffic goes to ACE as a gateway, as you have a policy map on inside interface which catches traffic to 8.8.8.8, ACE will catch it and process it. You have a SNAT statement there, so ACE will perform standard loadbalancing and replace source IP with NAT IP (say 10.0.0.100), thus when server #1 which gets this loadbalanced traffic receives it, it will send return traffic to 10.0.0.100, thus to ACE.

  • ACE Module Routed design

    Hi all,
    I have a requirement to install 2 ACE Modules into two 6509 chassis'
    We want to run the ACE modules in a live/live scenario so we can utilise the two ACE modules
    So we want to split the VIPS so we have some live on one ACE and others on the other.
    Also the ACE modules will be setup in routed mode. We have a number of subnets we want to use on the client side - 3 to be exact, and there will be another 3 different subnets on the server side
    A few points which are confusing me
    For each subnet would I have to configure an SVI? And if so you can only have 1 SVI per context so that would mean creating a context and an SVI for each subnet?
    Are there any example configs which could help me out?
    Any help would be appreciated
    Thanks
    James

    See the config example here:
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3048.shtml
    Normally you only need one client-side subnet per context, but multiple ones work too.
    You'd create an SVI on MSFC for the client-side subnets only, otherwise server traffic would bypass the ACE.
    Also keep in mind when you do active/active, it's done on the context level.
    That means you need to create at least two contexts in addition to the Admin context. (although you can technically run things in /Admin)
    Go through the example above, and the config guides below and you'll be all set:
    http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

  • ACE Module

    Basically we have a running ACE context which works however we are using natting and we have some applications complaining that they can't see the source address of things. So I created a whole new context with the following config but I have the problem of when the client is on the server side network the traffic never makes it there.
    ACE1/10.0.0.0_Network# sho run
    Generating configuration....
    access-list ALL line 8 extended permit ip any any
    rserver host CE-565-1
      ip address 10.0.2.83
      inservice
    serverfarm host Content_Engine_SF
      rserver CE-565-1
        inservice
    class-map match-all Content_Engine_VIP
      2 match virtual-address 10.0.18.101 any
    class-map type management match-any Remote_Management
      2 match protocol http any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
    policy-map type management first-match rmt_mgt_policy
      class Remote_Management
        permit
    policy-map type loadbalance first-match Content_Engine_VIP-l7slb
      class class-default
        serverfarm Content_Engine_SF
    policy-map multi-match int18
      class Content_Engine_VIP
        loadbalance vip inservice
        loadbalance policy Content_Engine_VIP-l7slb
        loadbalance vip icmp-reply active
    access-group input ALL
    interface vlan 3
      description Server_Side
      ip address 10.0.3.240 255.255.254.0
      mac-sticky enable
      no shutdown
    interface vlan 18
      description Client Side Network
      ip address 10.0.18.251 255.255.255.0
      mac-sticky enable
      service-policy input int18
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.18.1
    If I telnet to the vip from my machine 172.16.6.222 it works fine. If I telnet from 10.0.18.30 it works fine. However when I telnet from a machine on the vlan 3 10.0.2.188 it does not work. I would have thought the mac-sticky option would work but it seems to be doing nothing. Any ideas without using a NAT pool would be great so we can see the originating IP Address.

    If you are initiating traffic from serverA to a vip that load balances to serverB in that same vlan you will have an asymmetric flow. ServerA is on the same vlan as serverB. Since both servers are in the same subnet, ServerB will ARP for serverA address and send the response directly to serverA. The traffic will never make it back to the ACE. There are a few things you can do:
    1. Use NAT to ensure the return traffic makes it back to ACE.
    2. Insert HTTP header with client IP address. This only works for HTTP traffic and your application must be able to recognize this header for logging.
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    3. Use Direct Server Return (DSR). This feature has been committed to ACE 2.0. This will require the servers to be L2 adjacent to the ACE module and you will need to configure the VIP address as a loopback address on the server. Here is CSM documentation that lists some of the limitations with DSR:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/netwcsm.html#wp1065827
