Sample Config ACE20-MOD-K9
Hi,
Can someone help me with a sample configuration for ACE20?
Rgds....Partha Acharya
Here is a copy of my lab config.
switch/User1# sho run
Generating configuration....
logging enable
logging buffered 7
access-list PERMIT_ANY line 10 extended permit ip any any
access-list app line 10 extended permit ip host 192.168.20.41 any
probe http ACECFG-http
  interval 5
  faildetect 2
  passdetect interval 10
  request method get url /index.html
  expect status 200 299
probe ftp ftp_probe
  interval 10
  passdetect interval 10
  expect status 0 999
  open 5
parameter-map type connection REPL
parameter-map type connection TCP
rserver host 20.20.20.20
  ip address 20.20.20.20
  inservice
rserver host REFLECTOR-10
  ip address 192.168.60.10
  inservice
rserver host REFLECTOR-11
  ip address 192.168.60.11
  inservice
rserver host REFLECTOR-12
  ip address 192.168.60.12
  inservice
rserver host REFLECTOR-13
  ip address 192.168.60.13
  inservice
rserver host REFLECTOR-14
  ip address 192.168.60.14
  inservice
rserver host REFLECTOR-15
  ip address 192.168.60.15
  inservice
rserver host linux1-48
  ip address 192.168.30.48
rserver host linux2
  ip address 192.168.20.41
  inservice
serverfarm host 20.20.20.20
  rserver 20.20.20.20
    inservice
serverfarm host REFLECTOR
  predictor leastconns
  rserver REFLECTOR-10
    weight 1
    inservice
  rserver REFLECTOR-11
    weight 1
    inservice
  rserver REFLECTOR-12
    weight 1
    inservice
  rserver REFLECTOR-13
    weight 1
    inservice
  rserver REFLECTOR-14
    weight 1
    inservice
  rserver REFLECTOR-15
    weight 1
    inservice
  rserver linux1-48
    inservice
serverfarm host linux2
  failaction purge
  probe ACECFG-http
  rserver linux2
    inservice
serverfarm host linux2-ftp
  probe ftp_probe
  rserver linux2 21
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-REFLECTOR
  replicate sticky
  serverfarm REFLECTOR
class-map match-all NAT
  2 match access-list app
class-map type http loadbalance match-all URL
  2 match http url .*
class-map match-all VIP-250-80
  2 match virtual-address 192.168.100.250 tcp eq www
class-map match-all VIP-250-ftp
  2 match virtual-address 192.168.100.250 tcp eq ftp
class-map match-any VIP-REFLECTOR-254
  2 match virtual-address 192.168.100.254 tcp eq www
policy-map type management first-match ALLOW
  class class-default
    permit
policy-map type loadbalance first-match 20.20.20.20
  class class-default
    serverfarm 20.20.20.20
policy-map type loadbalance first-match LB_linux2
  class class-default
    serverfarm linux2
policy-map type loadbalance first-match REFLECTOR
  class class-default
    sticky-serverfarm STICKY-REFLECTOR
policy-map type loadbalance first-match ftp-linux2
  class class-default
    serverfarm linux2-ftp
policy-map multi-match NAT1
  class NAT
    nat dynamic 1 vlan 100
policy-map multi-match SLB-REFLECTOR
  class VIP-REFLECTOR-254
    loadbalance vip inservice
    loadbalance policy REFLECTOR
    loadbalance vip icmp-reply
policy-map multi-match SLB1
  class VIP-250-80
    loadbalance vip inservice
    loadbalance policy 20.20.20.20
    loadbalance vip icmp-reply
  class VIP-250-ftp
    loadbalance vip inservice
    loadbalance policy ftp-linux2
    loadbalance vip icmp-reply
    inspect ftp
service-policy input ALLOW
interface vlan 20
  ip address 192.168.20.253 255.255.255.0
  mac-sticky enable
  access-group input PERMIT_ANY
  service-policy input SLB1
  no shutdown
interface vlan 100
  ip address 192.168.100.2 255.255.255.0
  alias 192.168.100.1 255.255.255.0
  peer ip address 192.168.100.3 255.255.255.0
  access-group input PERMIT_ANY
  nat-pool 1 192.168.100.240 192.168.100.245 netmask 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.9
ip route 192.168.100.4 255.255.255.255 192.168.100.9
ip route 171.69.146.79 255.255.255.255 192.168.20.41
ip route 192.168.30.0 255.255.255.0 192.168.20.37
ip route 20.20.20.20 255.255.255.255 192.168.20.41
Similar Messages
-
HA - ACE20-MOD-K9 - FT Group Config Will Not Synch (SSL)
Hi,
We have a pair of ACE20-MOD-K9 in Fault Tolerant mode. They are running multiple contexts and we have a problem with one particular context which is running SSL off-loading. Despite the config being identical on both (except for the peer addresses, obviously) and both having the same SSL key and cert files loaded, the configuration will not sync between them.
Here are the outputs from both:
XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief
FT Group ID: 8 My State:FSM_FT_STATE_ACTIVE Peer State:FSM_FT_STATE_STANDBY_COLD
Context Name: XXXXX-CISCO-QUAD-SERVICES Context Id: 2 Running Cfg Sync Status: Successful
XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group brief
FT Group ID: 8 My State:FSM_FT_STATE_STANDBY_COLD Peer State:FSM_FT_STATE_ACTIVE
Context Name: XXXXX-CISCO-QUAD-SERVICES Context Id: 11 Running Cfg Sync Status: Successful
XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat
FT Group : 8
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_STANDBY_COLD
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist
Startup cfg sync status : Peer in Cold State. Incremental Sync Failure: SSL Keyfile does not exist
XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh ft group stat
FT Group : 8
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_COLD
Peer State : FSM_FT_STATE_ACTIVE
Peer Id : 1
No. of Contexts : 1
Running cfg sync status : Incremental Sync Failure: SSL Keyfile does not exist
Startup cfg sync status : Incremental Sync Failure: SSL Keyfile does not exist
XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file
Filename                 File  File  Expor  Key/
                         Size  Type  table  Cert
fn42604_cert.pem         1850  PEM   Yes    CERT
fn42604_privatekey.pem   1679  PEM   Yes    KEY
quad2.pem                1675  PEM   Yes    KEY
quad2_cer.pem            2582  PEM   Yes    CERT
quad_prod_abbrv          1675  PEM   Yes    KEY
quad_prod_abbrv_cer.pem  2556  PEM   Yes    CERT
quad_prod_fqdn           1675  PEM   Yes    KEY
quad_prod_fqdn_cer.pem   2578  PEM   Yes    CERT
XXXX-DC1-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file
Filename                 File  File  Expor  Key/
                         Size  Type  table  Cert
fn42604_cert.pem         1850  PEM   Yes    CERT
fn42604_privatekey.pem   1679  PEM   Yes    KEY
quad2.pem                1675  PEM   Yes    KEY
quad2_cer.pem            2582  PEM   Yes    CERT
quad_prod_abbrv          1675  PEM   Yes    KEY
quad_prod_abbrv_cer.pem  2556  PEM   Yes    CERT
quad_prod_fqdn           1675  PEM   Yes    KEY
quad_prod_fqdn_cer.pem   2578  PEM   Yes    CERT
All the Crypto files are identical as I copied them from one ACE to the other.
Can anyone shed any light on why this context is not syncing its configuration?
Thanks,
Dom Wilkinson
Hi,
Can you restart autosync and see if it fixes the issue:
no ft auto-sync startup-config
no ft auto-sync running-config
ft auto-sync startup-config
ft auto-sync running-config
Regards,
Siva -
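Before restarting auto-sync, a practitioner would want to confirm the two preconditions the thread relies on: that the `show crypto file` inventories really are identical, and that every key and cert name the SSL configuration refers to resolves to a file of the right type on both peers, since the sync status above reports "SSL Keyfile does not exist" when a referenced keyfile is absent. The following Python is an added example, not the thread's own code: it parses the two listings posted above (embedded verbatim), diffs them, and cross-checks a constructed `ssl-proxy service` configuration against them. The ssl-proxy lines, the service names and the mismatched `.pem` reference are mine, and the syntax `ssl-proxy service <name>` with indented `key <file>` / `cert <file>` is assumed.

```python
# Added example (not the thread's own code): compare the `show crypto file`
# inventories of two FT peers, then check that every key and cert an ssl-proxy
# service names exists on both peers with the right type. The inventories are the
# two outputs posted in the thread; the ssl-proxy lines are constructed and assume
# the ACE syntax `ssl-proxy service <name>` with indented `key <file>` / `cert <file>`.

PEER_DC2 = """\
XXXX-DC2-00-ACE1/XXXXX-CISCO-QUAD-SERVICES# sh crypto file
Filename                 File  File  Expor  Key/
                         Size  Type  table  Cert
fn42604_cert.pem         1850  PEM   Yes    CERT
fn42604_privatekey.pem   1679  PEM   Yes    KEY
quad2.pem                1675  PEM   Yes    KEY
quad2_cer.pem            2582  PEM   Yes    CERT
quad_prod_abbrv          1675  PEM   Yes    KEY
quad_prod_abbrv_cer.pem  2556  PEM   Yes    CERT
quad_prod_fqdn           1675  PEM   Yes    KEY
quad_prod_fqdn_cer.pem   2578  PEM   Yes    CERT
"""

PEER_DC1 = PEER_DC2.replace("XXXX-DC2", "XXXX-DC1")   # the thread shows identical listings

# Constructed: one service names its key as "quad_prod_abbrv.pem", while the
# file on both peers is stored without the extension.
SSL_CONFIG = """\
ssl-proxy service QUAD-PROD
  key quad_prod_abbrv.pem
  cert quad_prod_abbrv_cer.pem
ssl-proxy service QUAD2
  key quad2.pem
  cert quad2_cer.pem
"""


def parse_crypto_files(output):
    """{filename: (size, 'KEY'|'CERT')} from `show crypto file`; prompt and header rows are skipped."""
    files = {}
    for line in output.splitlines():
        w = line.split()
        if len(w) == 5 and w[1].isdigit() and w[4] in ("KEY", "CERT"):
            files[w[0]] = (int(w[1]), w[4])
    return files


def diff_inventories(a, b):
    """Files present on only one peer, or on both with a different size or type."""
    return {"only_on_a": sorted(a.keys() - b.keys()),
            "only_on_b": sorted(b.keys() - a.keys()),
            "mismatched": sorted(n for n in a.keys() & b.keys() if a[n] != b[n])}


def referenced_files(cfg):
    """(service, role, filename) for every key/cert line under an ssl-proxy service."""
    refs, service = [], None
    for line in cfg.splitlines():
        w = line.split()
        if w[:2] == ["ssl-proxy", "service"]:
            service = w[2]
        elif service and line[:1].isspace() and w and w[0] in ("key", "cert"):
            refs.append((service, w[0], w[1]))
    return refs


def missing_references(cfg, *peers):
    """Referenced names a peer does not have, or has as the wrong type.

    `peers` are (label, inventory) pairs. A name that resolves only on the
    active peer is exactly what the 'SSL Keyfile does not exist' status describes."""
    problems = []
    for service, role, fname in referenced_files(cfg):
        for label, inv in peers:
            kind = inv.get(fname, (None, None))[1]
            if kind is None:
                problems.append(f"{label}: ssl-proxy {service} {role} {fname}: file does not exist")
            elif kind != role.upper():
                problems.append(f"{label}: ssl-proxy {service} {role} {fname}: file is a {kind}")
    return problems
```

Run `diff_inventories(parse_crypto_files(PEER_DC2), parse_crypto_files(PEER_DC1))` to confirm the two listings match (they do here), then `missing_references(SSL_CONFIG, ("DC2", a), ("DC1", b))` to see which referenced names fail to resolve; with the constructed config it reports the `.pem` key name on both peers. Paste the real context's ssl-proxy lines in place of `SSL_CONFIG` to check the actual references.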
Hi
Does anyone have a sample config for standalone Cisco AP1252 (Cisco IOS) for AD Authentication for wireless ?
Appreciated your kind reply.
The short version:
In config terminal mode:
radius-server host auth-port 1812 acct-port 1813 key 0
aaa authentication dot1x eap_methods group radius
Then you need to configure your SSID for dot1x:
dot11 ssid
  authentication open eap eap_methods
  authentication network-eap eap_methods
This is only the part needed for RADIUS interaction. This assumes that you already configured your SSID with the according WPA settings.
That's about it, I think.
If you want info about more commands or so, just check out this link:
http://www.cisco.com/en/US/docs/wireless/access_point/12.4_10b_JA/configuration/guide/scg12410b-chap11-authtypes.html#wp1002608
-
I'm looking for a sample config for a IPS IDSM-2. I've been reviewing the configuration manual and love the excruciating detail, but would like to work from a sample config. Maybe just the basics to get started and then I can add stuff in later.
Any samples would be most appreciated.
Thanks,
Mike
You need to decide the mode you want to run your IPS in: Promiscuous, or Inline (VLAN/Interface pair)?
Here are two examples from CCO:
https://www.cisco.com/en/US/products/sw/secursw/ps2113/products_configuration_example09186a0080876d9f.shtml
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/products_configuration_example09186a00809c37cb.shtml
Regards
Farrukh -
ACE20-MOD-K9 - how to discover a server?
Hi there!
First foray into Cisco load balancing for me. Looking to discover how to find a server instance on a Cisco ACE20-MOD-K9. What I need to do is remove 5 servers (1 at a time) using the 'no inservice' command. Just need to locate their instances on the load balancer.
I have:
Server Names
Server internal IP addresses
Since the commands aren't revealing themselves to me naturally like they seem to on Nexus for example, asking for help from the community again :)
Please advise if possible, many thanks!
Hi,
So if you are looking for a server named LYNC, you will do below:
switch/Admin# sh running-config rserver LYNC
Generating configuration....
rserver host LYNC
  ip address 10.x.x.x
  inservice
You can do the same for serverfarms, class-maps, policy maps etc. You can also filter using "show run | inc <name>"
Show serverfarms, show rservers, show service-policy summary are few commands which can come in handy to find out configured items and names.
Pasting a link for your reference which is useful for TS and basic commands.
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide_--_Troubleshooting_ACE_Health_Monitoring
Let me know if you have any questions.
Regards,
Kanwal -
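The `show running-config rserver` and `show run | inc` commands above answer the question one object at a time; what the poster actually needs before issuing `no inservice` is the full path from the rserver to the serverfarms that contain it and the VIPs whose policies reach those farms. The following Python is an added example, not the thread's or the ACE's own code, and it serves both this thread and the sample configuration posted at the top of the page: it parses a trimmed, indented copy of that sample `show run` output (an unindented line opens an object, indented lines belong to it, with the two-space indentation ACE prints assumed), answers "where is this server?" by name or IP while resolving sticky groups, and flags members that are out of service at rserver level, which is the state `no inservice` on the rserver produces. The function names are mine.

```python
# Added example (not the thread's own code): locate an rserver by name or IP in
# a Cisco ACE context, map it to serverfarms and VIPs, and flag members that are
# out of service. Assumes two-space `show running-config` indentation.

SAMPLE_CONFIG = """\
rserver host linux1-48
  ip address 192.168.30.48
rserver host linux2
  ip address 192.168.20.41
  inservice
serverfarm host REFLECTOR
  rserver linux1-48
    inservice
serverfarm host linux2-ftp
  probe ftp_probe
  rserver linux2 21
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-REFLECTOR
  serverfarm REFLECTOR
class-map match-all VIP-250-ftp
  2 match virtual-address 192.168.100.250 tcp eq ftp
class-map match-any VIP-REFLECTOR-254
  2 match virtual-address 192.168.100.254 tcp eq www
policy-map type loadbalance first-match REFLECTOR
  class class-default
    sticky-serverfarm STICKY-REFLECTOR
policy-map type loadbalance first-match ftp-linux2
  class class-default
    serverfarm linux2-ftp
policy-map multi-match SLB-REFLECTOR
  class VIP-REFLECTOR-254
    loadbalance policy REFLECTOR
policy-map multi-match SLB1
  class VIP-250-ftp
    loadbalance policy ftp-linux2
"""  # trimmed copy of the sample configuration posted at the top of the page


def parse_ace(cfg):
    """Per-object tables, keyed by object kind and then by object name."""
    d = {k: {} for k in ("rserver", "serverfarm", "sticky", "class-map", "lbpolicy", "multimatch")}
    kind = name = sub = None
    for raw in cfg.splitlines():
        w = raw.split()
        if not w:
            continue
        if not raw[0].isspace():                      # top-level object; name is the last token
            kind, name, sub = w[0], w[-1], None
            if kind == "policy-map":
                kind = "lbpolicy" if "loadbalance" in w else "multimatch"
            d.setdefault(kind, {})[name] = ({"ip": None, "inservice": False} if kind == "rserver"
                                            else {"probe": None, "rservers": {}} if kind == "serverfarm" else {})
            continue
        obj = d[kind][name]
        if kind == "rserver" and w[0] == "ip":
            obj["ip"] = w[2]
        elif kind == "rserver" and w[0] == "inservice":
            obj["inservice"] = True
        elif kind == "serverfarm" and w[0] == "probe":
            obj["probe"] = w[1]
        elif kind == "serverfarm" and w[0] == "rserver":  # member line; an optional port follows
            sub = w[1]
            obj["rservers"][sub] = False
        elif kind == "serverfarm" and w[0] == "inservice" and sub:
            obj["rservers"][sub] = True                   # in service at farm level
        elif kind == "sticky" and w[0] == "serverfarm":
            obj["farm"] = w[1]
        elif kind == "class-map" and "virtual-address" in w:
            obj["vip"] = f"{w[w.index('virtual-address') + 1]}:{w[-1]}"
        elif kind in ("lbpolicy", "multimatch") and w[0] == "class":
            sub = w[1]
        elif kind == "lbpolicy" and w[0] in ("serverfarm", "sticky-serverfarm"):
            obj[sub] = w[1]                               # sticky group resolved in find_server
        elif kind == "multimatch" and w[:2] == ["loadbalance", "policy"]:
            obj[sub] = w[2]
    return d


def find_server(d, key):
    """Farms an rserver (by name or IP) belongs to, and the VIPs whose policy reaches them."""
    names = {n for n, r in d["rserver"].items() if key in (n, r["ip"])}
    farms = {f for f, fd in d["serverfarm"].items() if names & set(fd["rservers"])}
    vips = sorted(d["class-map"][cm]["vip"]
                  for mm in d["multimatch"].values() for cm, pol in mm.items()
                  if d["class-map"].get(cm, {}).get("vip")
                  and farms & {d["sticky"].get(t, {}).get("farm", t)      # sticky group -> farm
                               for t in d["lbpolicy"].get(pol, {}).values()})
    return {"rservers": sorted(names), "serverfarms": sorted(farms), "vips": vips}


def audit(d):
    """Pre-change checks: farms with no probe, and members 'no inservice' at rserver level."""
    findings = []
    for f, fd in sorted(d["serverfarm"].items()):
        if fd["probe"] is None:
            findings.append(f"serverfarm {f}: no probe, so failed members are never detected")
        for r in sorted(fd["rservers"]):
            if not d["rserver"].get(r, {}).get("inservice"):
                findings.append(f"serverfarm {f}: member {r} is out of service at rserver level")
    return findings
```

`find_server(parse_ace(SAMPLE_CONFIG), "192.168.20.41")` returns `{'rservers': ['linux2'], 'serverfarms': ['linux2-ftp'], 'vips': ['192.168.100.250:ftp']}`, and `audit` on the same tables reports that REFLECTOR has no probe and that linux1-48 is out of service at rserver level, which is the state the sample config shows for that host. To use it on the box in question, paste the context's `show run` output in place of the embedded sample; the walk from rserver to VIP is also what tells you which service goes dark when a member is taken out.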
Revision: 13477
Author: [email protected]
Date: 2010-01-13 05:17:10 -0800 (Wed, 13 Jan 2010)
Log Message:
Bug: BLZ-455 - Document client-load-balancing property in the sample config
QA: No
Doc: No
Ticket Links:
http://bugs.adobe.com/jira/browse/BLZ-455
Modified Paths:
blazeds/trunk/resources/config/services-config.xml -
So I have been trying to set up trunking (got that done and tested) on a pair of CSS 11503s and now I would like to set up ASR, VR and VIP redundancy to failover between them. Does anyone have any samples of how to do this with all public IPs? All the Cisco docs are for NAT'd configurations, which we do not run; everything would be public.
Right now management of the CSS is done over vlan100 but the servers are in vlan150, different subnets obviously. However, what is messing me up is the docs are all saying to use outside public IPs and inside for the servers. I only have public IPs and don't have time to change anything to NAT... any help would be great.
Actually let me append my previous comment with a question..
Since I am trunking up (to my 6509s) and down (to various switches)... what should my default route be on the CSSs?
I have 2 VLANs right now:
vlan 10
  ip address 192.168.10.10 255.255.255.240
vlan 20
  ip address 192.168.11.11 255.255.255.224
In my global, however, I am using:
ip route 0.0.0.0 0.0.0.0 192.168.10.1 1
.10.1, btw, is a virtual (HSRP) address on my 6509s.
.11.1 would be the virtual (HSRP) address on my 6509s for vlan20, etc.
So yes, my previous statement about the gateways for my web servers pointing to the CSS is true (redundant int); however, if I have other servers on my switches that are not in the LB's groups and I point those servers to my HSRP virtual for vlan20's .11.1, I cannot ping it... so what are my options, because I would rather not change gateways on some of the other machines that won't be load balancing.
I noticed in the trunking sample config the global had no route, but when I removed it, I couldn't get to anything (of course).
Thanks again -
ACE20-MOD-K9 module facing NP crash/restart
Hi,
Facing an issue with ACE module Part# ACE20-MOD-K9 having an NP failed error message, and the module got restarted.
Module software currently: c6ace-t1k9-mz.A2_1_6a.bin
We have studied the Support Community document and got the bug ID information having impact on this module.
Bug IDs: CSCsv92321, CSCsx25981, CSCsq38638
Now we need help regarding the software version to upgrade to for the ACE module, so that it is not impacted by these bug IDs having parity error symptoms.
Also attaching the respective logs for the module restart issue.
Regards,
Ashutosh
Hi,
This looks like a parity error. If this is a first-time occurrence I would recommend you to upgrade to the latest software and keep monitoring.
CSCsq38638
Symptom: The ACE blade cores indicating an SRAM Parity Error. Occasionally another type of process (such as IFMGR, etc.) core may accompany the SRAM error crash.
Conditions: This is a rare condition where the ACE blade is running and performs an SRAM operation that detects an SRAM parity error.
Workaround: Reboot of the ACE will clear the state. This reboot is accomplished automatically when the corefile is created. -
ACE20-MOD-K9 and ACE10-6500-K9 in redundant mode
Can ACE20-MOD-K9 and ACE10-6500-K9 be configured to work together as a redundant pair?
ACE10-6500-K9 and ACE20-MOD-K9 modules can occupy the same chassis.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html -
Decommissioning ACE20-MOD-K9 - how to verify ALL traffic is migrated off?
Hello there community,
I'm going to be shutting down a couple ACE20-MOD-K9 modules soon, but want to verify for 100% that there is ZERO traffic flowing on them.
What are commands I can use to ensure there is no traffic on them at all any more so it's safe to shut them down?
Thank You in advance.
Hi James,
"show conn" shall show you any connections established. If you don't see anything in source and destination except ACE IPs (including standby) and your own IP (because of telnet or ssh), then this indicates that there is no traffic coming on to these ACEs. Even the pass-through traffic is part of "show conn" and that should tell you if you have any traffic. Run this command in each context.
Show resource usage all--->Can be run in Admin and shall give you an idea about all contexts.
show serverfarm summary
show service-policy summary
All these commands shall also show you any connections coming on to the ACE. You can clear all counters to have a good idea.
Regards,
Kanwal
Note: Please mark answers if they are helpful -
Sample config requested: IOS AP with WPAv2 with PEAPv0 aka EAP-MSCHAPv2
Would someone be kind enough to share a sanitized config with me for the following:
AIR-LAP1131AG-A-K9 LWAP converted to autonomous mode running IOS v12.3(8)JEA
WPAv2 with PEAPv0 aka EAP-MSCHAPv2.
Thanks,
Richard
Hello,
Here's what I would use. The AP is actually unaware of the EAP type:
aaa group server radius rad_eap
 server RADIUS_IP auth-port 1812 acct-port 1813
aaa authentication login eap_methods group rad_eap
aaa authorization exec default local
aaa session-id common
dot11 ssid SSID_PRIVATE
 vlan X
 authentication open eap eap_methods
 authentication key-management wpa
 guest-mode
username cisco password 0 cisco
bridge irb
interface Dot11Radio0
 no ip address
 no ip route-cache
 encryption vlan x mode ciphers aes-ccm
 broadcast-key vlan x change 360
 ssid SSID_PRIVATE
interface Dot11Radio0.x
 encapsulation dot1Q x
interface FastEthernet0.x
 encapsulation dot1Q x
radius-server attribute 32 include-in-access-req format %h
radius-server host RADIUS_IP auth-port 1812 acct-port 1813 key 0 RADIUS_KEY
radius-server timeout 30
radius-server vsa send accounting
Serge -
Hi
We have one pair of CSM configured in bridge mode.
The user wants the servers to be able to access the VIP also.
Understand one solution is to use NAT client.
Anyone got a working config on NAT client for bridge mode?
Thanks!
natpool ....
serverfarm from-server2server
 nat server
 nat client
 real x.x.x.x
  inservice
 real x.x.x.x
  inservice
vserver from-server2server
 vip x.x.x.x tcp
 vlan
 serverfarm from-server2server
 inservice
That's it.
Any question, let me know.
Regards,
Gilles.
Thanks for rating this answer. -
MPLS over GRE sample config....
Can anybody paste a working config of MPLS over GRE....
I am looking for tunnel config and any related global config...
thanks
Umar
You can try this link for GRE configuration:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml -
Sample config for TACACS+ on ASA 8.22
I am looking for a sample configuration for doing TACACS+ on ACS 5.2 with an ASA 8.2.2.
Any help would be appreciated.
I think the following should just about do it. However, it is MUCH simpler to do this in the GUI:
aaa-server TACACS protocol tacacs+
aaa-server TACACS (management) host x.x.x.x key ****
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting telnet console TACACS
aaa accounting serial console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
Remember you need to create the network device in ACS with the same shared key.
Paul -
Looking for sample config.xml
After some changes config.xml is corrupted. Need a config.xml with following descriptors -
<admin-server-name>
<app-deployment>
<jms-server>
<mail-session>
<jms-system-resource>
<jdbc-system-resource>
If you had configuration auditing enabled, you'd have backup copies in a configArchive folder. You should enable this; by default it is not.
You can create a configuration quickly by just using the configuration builder script on Linux (common/bin/config.sh) or the configuration wizard on Windows.