Topology for servers' side VLAN int

With an ACE SM in the cat65k configured in routed mode and the real servers' default gateway being the server side Layer 3 VLAN int on the ACE, when the real server initiates the connection, does it go to the MSFC-ACE-server side Layer 3 VLAN int or does it somehow hit the Layer 3 VLAN int on the ACE without going through MSFC?
Thanks..  

It depends what ip address is configured as default gateway on the server.
If ACE, it will go to ACE.
And the problem is that the response will probably bypass ACE if the MSFC is attached to the server vlan.
You should not configure the MSFC interface on the server vlan.  Let the ACE route between servers and MSFC.
Gilles.
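
The return-path problem described in the answer above, modelled as an added example (not part of the original thread and not Cisco tooling): a longest-prefix-match lookup shows how a connected MSFC interface on the server VLAN wins over the static route through the ACE, so replies to server-initiated connections skip the ACE. All addresses, the VLAN layout and the function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing for illustration; none of these values come from the thread.
SERVER = ipaddress.ip_address("10.10.20.50")  # real server, default gateway = ACE
CLIENT = ipaddress.ip_address("192.0.2.10")   # remote host reached through the MSFC


def build_routes(msfc_on_server_vlan):
    """Return per-device routing tables as (prefix, next_hop) pairs.

    next_hop None means the prefix is directly connected to that device.
    """
    net = ipaddress.ip_network
    routes = {
        "ACE": [
            (net("10.10.20.0/24"), None),    # server-side VLAN interface
            (net("10.10.10.0/24"), None),    # transit VLAN between ACE and MSFC
            (net("0.0.0.0/0"), "MSFC"),      # ACE default route
        ],
        "MSFC": [
            (net("10.10.10.0/24"), None),    # transit VLAN
            (net("192.0.2.0/24"), None),     # client network
            (net("10.10.20.0/24"), "ACE"),   # static route to the servers via ACE
        ],
    }
    if msfc_on_server_vlan:
        # The setup the answer warns against: an MSFC interface on the server VLAN.
        routes["MSFC"].append((net("10.10.20.0/24"), None))
    return routes


def lookup(table, dst):
    """Longest-prefix match; on equal length a connected route beats a static one."""
    matches = [(prefix, nh) for prefix, nh in table if dst in prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: (m[0].prefixlen, m[1] is None))[1]


def trace(routes, first_hop, dst, src_name, dst_name):
    """Follow next hops from first_hop until a device delivers dst directly."""
    path, device = [src_name], first_hop
    while device is not None:
        if device in path:
            raise RuntimeError(f"routing loop at {device}")
        path.append(device)
        device = lookup(routes[device], dst)
    return path + [dst_name]


def paths(msfc_on_server_vlan):
    """Outbound path of a server-initiated flow and the path its replies take."""
    routes = build_routes(msfc_on_server_vlan)
    outbound = trace(routes, "ACE", CLIENT, "server", "client")
    inbound = trace(routes, "MSFC", SERVER, "client", "server")
    return outbound, inbound


def return_bypasses_ace(msfc_on_server_vlan):
    """True when the ACE sees the outbound packets but not the replies."""
    outbound, inbound = paths(msfc_on_server_vlan)
    return "ACE" in outbound and "ACE" not in inbound


if __name__ == "__main__":
    for flag in (False, True):
        out, back = paths(flag)
        print(f"MSFC on server VLAN={flag}: out={' > '.join(out)} "
              f"back={' > '.join(back)} bypass={return_bypasses_ace(flag)}")
```
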

Similar Messages

  • SVI for Servers & User VLANs

    Hello,
    I'm deploying an ASA as DATA CENTER FW with main goal of ensuring that:
    1. All end-user traffic to servers is passed through the FW/IPS.
    2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)
    Currently I'm setup with a 6500 core where all users (access layer switches) are terminating (collapsed core setup) and all servers terminate at Nexus 5K which has uplinks to 6500. As of now I've SVIs for all VLANs on the core.
    My question is with the ASA, would it be better to place all SVIs on the ASA as default gateway "or" have something like VRF to keep SVIs on core and have them passed to FW for further processing?
    Thanks
    Regards
    Adnan

    2. All user-user traffic should pass through FW/IPS (there is also a requirement to block all inter-dept. traffic)
    When you say all user to user traffic should pass through the FW, do you also mean users that are located within the same subnet?
    Whether to use VRFs or to set the ASA as the default gateway depends on requirements.  If some inter subnet traffic needs to communicate with each other without having to pass through the firewall then VRF is the way to go.  If all traffic regardless of subnet should pass through the ASA then perhaps setting the ASA to the default gateway is what you would like to do.
    But then you need to also consider the future.  If there is a possibility that you will need to allow intersubnet or VLAN traffic to communicate directly with each other without going through the firewall, then it might be best to set up the network using VRFs now, while still sending all traffic through the ASA and then in the future edit the routing to allow for traffic leaking between subnets.
    Please remember to rate and select a correct answer

  • Loadbalance for servers thats belongs from different Vlan

    Hi,
    We are using FWSM and ACE module in our switch. We have to configure our new application in cisco ACE. Our existing servers and vip are in vlan5 and new servers and vips are in vlan 6. vlan 6 is defined in FWSM. We have created one interface vlan 6 for the application. While checking the interface status through "show interface vlan 6" we are getting the following error.
      Not assigned from the Supervisor, down on Supervisor
    We have already assigned vlan group to supervisor. We have allocated same interface vlan to context also.
    Kindly suggest what could be the issue.
    Kindly suggest can we do the loadbalance for servers that belong to different Vlan?
    Thanks in advance.
    Regards,
    Ranjith

    Hi Daniel,
    We are using cisco 6509 switch with FWSM and ACE module.
    We have created interface VLAN 6 in FWSM and ACE and assigned the IP as follows.
    FWSM Interface VLAN 6 is 10.6.10.55 and ACE Interface VLAN 6 is 10.6.10.60.
    We have 2 servers in the same vlan (.49 and .50), and they are physically connected to switch vlan 6 and logically connected to FWSM interface vlan 6.
    We have defined the VIP as 10.6.10.51 and that is not pinging from our network.
    Server default gateway and ACE default gateway is FWSM interface vlan 6 IP (i.e., 10.6.10.55).
    We don't want to change the server gateway to ACE interface vlan 6 ip.
    Kindly suggest how I can achieve the loadbalancing without changing my server gateway to ACE IP.
    Thanks in advance.
    Regards,
    Ranjith

  • Can i use same Server for server side and client??

    Hi,
    I'm developing webservices in java and using two different servers for server side and client.
    e.g. I'm using one tomcat server on a machine to run the webservice and again using one more tomcat server on client side at a different machine.
    and hence it needs two tomcat servers.
    But I want only one server to run webservice and client.
    So please help me out...
    Thanks

    Hi,
    It is always recommended to maintain different servers
    Regards,
    Ravi.

  • How should a segment my servers into VLAN's in a datacenter design

    I am designing a data center with over 200 servers and I am trying to decide how to segment my data center into VLANs. I have thought about putting all servers in a different vlan to guard against broadcast storms and also a failure that might affect the vlan as a whole. I know I can use storm control to limit broadcast storms.
    Another thought is to put all Windows servers into one Vlan and all UNIX into another.
    Another thought is to group the servers into VLANs by the applications they support.
    Can anyone tell me how they do this in a large data center and, if any, the pros and cons to doing it that way.

    As stated you're going to need at minimum two 4000s. Since there are 200+ servers in this you may want to go with the 6000s. Obviously you'll need to do layer 3 and have a couple GigE trunks between those two switches to handle any cross switch traffic. Since you have so much riding in this data center you're going to want some horsepower at your gateway. Maybe look into redundant 3700's and use HSRP. Is this a design for a colo type data center or is it all internal servers to your company? I guess if it was the former I would split it out by *NIX / Win, and keep each VLAN down to a /29 and put 4-5 servers in each. This way, if you do have a problem it is segmented relatively well. There are so many variables, it's hard to say with just a few lines to go off of.
    Check out the Cisco Reference Designs here:
    http://www.cisco.com/warp/public/779/largeent/it/ese/srnd.html
    Good luck!!!

  • CSM client side VLAN without a gateway?

    Hi there,
    We are running in bridge mode, and are having some weird arp table issues. I think I have it traced down to the fact that the CSM is arping for addresses, and the replies are getting to the CSM and getting cached, but the MSFC is never seeing them.
    Would behavior like this happen if there is no gateway configured on the client side VLAN? Is a gateway on the client side VLAN a requirement?
    Thanks!

    Let's see if I can explain this coherently, sorry if I don't...
    Problem:
    What we're seeing is that a machine with multiple IP addresses tied to one NIC can only be reached via one of those IP addresses from a different VLAN. I look on the MSFC arp table, and I only see an entry with a MAC for that one IP address, none of the others. If I add a static ARP entry, I can then reach the other IP addresses from the other VLANs. So communication is possible, the ARP table is just not getting populated automatically.
    -HOST A in VLAN A is pointing at the MSFC for its gateway.
    -HOST B in VLAN B is pointing at the MSFC for its gateway.
    -The CSM is in bridge mode. VLAN C is the client side VLAN. VLAN B is the server side VLAN.
    -HOST A is trying to ping HOST B. HOST A can ping HOST B on its "main" IP address, but none of the others.
    -The ARP table on the MSFC has an entry for the "main" IP address on HOST B, but no entries for any others.
    -The ARP table on the CSM does have entries for the "extra" IP addresses on HOST B.
    -A static ARP entry for an "extra" IP address on HOST B solves the problem. HOST A can then ping HOST B's "extra" IP address.
    My thoughts:
    The ARP table on the MSFC is not getting populated automatically from the CSM. As I see it, this is because HOST B is in VLAN B, which only has an interface on the CSM. The arp replies are going to the CSM successfully, but aren't getting to the MSFC because there is no gateway or route defined for VLAN B on the CSM.
    The reason that anything at all works is that the hosts in VLAN B are initiating communication outbound to their gateway on the MSFC, so it's getting their MAC addresses that way. When a machine has multiple IP addresses, and it doesn't use them to communicate outbound, the MSFC doesn't learn the MAC for those addresses because the ARP replies are going to the CSM which isn't sharing.
    Hopefully that makes sense, and it also makes sense why I'm thinking it's the lack of a gateway entry. Thanks for your help.

  • Second Client Side VLAN - CSM

    Our current environment has grown to the size that a single Class C subnet on the client side of the CSM is full. We have a need to add an additional Class C subnet for the client side, but our TCOM group gave us a range which is not contiguous to the existing range and therefore cannot be added by simply changing the subnet mask (from 24 to 23).
    The default route for all traffic from the CSM is an IP address on the subnet described above.
    How should the new subnet be configured? I understand that there can only be one gateway on the CSM...so if traffic comes in on the second subnet, does this mean that it will go back out on the first subnet?
    Does this look right
    vlan 111 client
    ip address 192.168.111.5 255.255.255.0
    gateway 192.168.111.1
    vlan 222 client
    ip address 192.168.222.5 255.255.255.0
    On the Switch, when I run
    "sho ip route 192.168.111.5"
    it replies with "directly connected, via VLan111"
    When I run
    "sho ip route 192.168.222.5"
    it also replies back with the same:
    "directly connected, via VLan111"
    Please note: That I only manage the CSM and SSL-M. The switch and MSFC are managed by our TCOM group. Thanks for any information on this request!

    First, I want to thank you for the quick replies.
    I understand what you are explaining here and believe that our current configuration is as you have explained, but need to further clarify what we have in place.
    The single vlan on the client side previously had only a single class C subnet. It now has two separate Class C subnets. Traffic can reach the CSM, but never returns back to the client. When I added the configuration for the second VLAN client side and addressed it as part of the second class C address, content would now be returned to the client from the server side. But, I could not get the content to be forwarded to the SSL module which resides on a separate VLAN. I then removed client VLAN and traffic continued to flow properly (except to SSL module). I then cleared connections to the vservers (to emulate a reboot), this caused all traffic to no longer return to the client.
    Below is configuration (IP addresses changed to protect the innocent).
    ssl-proxy module 2 allowed-vlan 4,219
    ip subnet-zero
    vlan 200 server
    ip address 172.54.200.2 255.255.254.0
    alias 172.54.200.1 255.255.254.0
    vlan 4 server
    ip address 192.168.219.5 255.255.255.0
    vlan 219 client
    ip address 192.168.219.5 255.255.255.0
    gateway 192.168.219.1
    natpool SERVERSIDE1 172.54.200.241 172.54.200.254 netmask 255.255.254.0
    interface Vlan64
    description Network 64
    ip address 172.32.64.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    shutdown
    interface Vlan65
    description Network 65
    ip address 172.32.65.219 255.255.255.0
    ip accounting output-packets
    ip route-cache flow
    logging event link-status
    interface Vlan219
    description WebTeam URL Network
    ip address 192.168.222.2 255.255.255.0 secondary
    ip address 192.168.219.2 255.255.255.0
    no ip redirects
    no ip unreachables
    ip pim dense-mode
    ip route-cache flow
    no ip mroute-cache
    standby 10 ip 192.168.219.1
    standby 10 timers 3 9
    standby 10 priority 110
    standby 10 preempt
    standby 11 ip 192.168.222.1
    standby 11 timers 3 9
    standby 11 priority 110
    standby 11 preempt
    ip classless
    ip route 172.54.200.0 255.255.254.0 192.168.219.5
    NOTES: SSL-MODULE IP address 192.168.219.6 on VLAN 4.
    I will go ahead and open TAC Case and post results later.

  • Problem with skin for server side buttons.

    Hi,
    I have a problem with the skin for server side renderd buttons.
    In my CSS file I have :
    .AFButtonStartIcon:alias {
      content:url(/skins/images/btns.JPG);
    }
    .AFButtonEndIcon:alias {
      content:url(/skins/images/btne.JPG);
    }
    .AFButtonTopBackgroundIcon:alias {
      content:url(/skins/images/btntb.JPG);
    }
    .AFButtonBottomBackgroundIcon:alias {
      content:url(/skins/images/btnbb.JPG);
    }
    JPG files in project are in dir "public_html/skins/images".
    In WAR file,the JPG files are in "/skins/images" directory.
    Skin configuration is correct because other settings from CSS
    file are functioning fine after deploying.
    But buttons are standard browser buttons and are not taking the images I have used.
    In document provided by Oracle it says:
    (Note: These icons must be specified using either context-image or
    resource-image icons. Text-based icons are not allowed.)
    I am not able to understand what this means?

    Perhaps this thread will help.
    JSF Skining Button Images
    The doc should say whether or not the width/height is a requirement. But since it doesn't mention it, try adding a width and height.
    - Jeanne

  • How can I use multiple client side vlans in ACE?

    In CSM we have a default-gateway per Client VLAN, in ACE there is no equivalent command! How does the ACE handles routing in this situation?

    Hi,
    Talk about a deja-vu. I was faced with the exact same challenge about a year ago.
    Basically, I think you're looking at two options:
    1) Firewall-consolidation - Consolidate your four firewalls into one, having one dedicated interface towards the ace and route all your vips using the ace as
        next-hop. It looks like your firewalls are virtual (but I don't know), so it's doable. But I don't know if this is even an option for you.
    2) Per. clientvlan context - Context A for vlan1001, Context B for vlan1002 and so on. Each context handles clienttraffic for the respective vlan and since
        each context handles its own routingtable, simply use the firewall-address as your default route. But from your drawing, it looks like your server-vlans
        are all connected to the same ace, so you will need to split that up. Assign each servervlan to an ace-context as you do with the clientside-vlans.
    Well, a third option would be NAT in your firewall. Unless you have a specific need for the original client-ip to reach the ace, you could nat incoming clientsessions in each of the firewalls to an interface-address on that firewall, hence the ace will see the clientrequest as originating from the firewall and since ace has connected routes to each of the firewalls, it will return traffic to the respective firewall and leave it to him to return the traffic to the client.
    Since each firewall will present the packets with a unique NAT'ed address, you can apply different policies, parameters etc. for that NAT-address, if this is required.
    hth
    /Ulrich

  • Task 0085 for parallel SID assignment terminated with errors

    Hi,
    While activating the ODS object we are getting the following error
    Task 0085 for parallel SID assignment terminated with errors
    Can anyone help me on this issue.
    Thanks
    Sheela Datla

    Hi Sheela,
    Does the problem happen with activating the ODS object (definition) itself or with activating the data in the
    ODS? I think that there must be other errors apart from Task 0085. At the time of the error you should check in
    sm21 and st22 for additional error messages and dumps. If the problem is with the activation of data in the ODS
    you should also check sm37 for the job that is created for the ODS activation , you may find more detailed
    information in the job log. You should also check the activation step in the 'Details' TAB in the monitor for
    the load there may also be more detailed information here.
    In transaction rscusta2 (ODS customizing) you should try the following setting for the activation:
    No. of Par. Proc.    3          
    Min. No. Data Recs.  10000     
    Wait Time in Sec.      600
    Before changing the values you have in RSCUSTA2 please take note of the values you have already in
    case you want to change them back.
    Best Regards,
    Des.

  • No CENTRAL nor DIALOG instance known for system SID

    Hi,
    We are in the process of setting up our Solution Manager 7.1. Currently we are in the step 'Managed System Configuration'.
    We are stuck on the step 7 - "Create Users". There are 4 users to be created which are already there in the systems(Created Manually).
    The users are
    SAPSUPPORT and SMDAGENT_XXX for ABAP and Java both.
    In the ABAP view it gives the error as "No CENTRAL nor DIALOG instance known for system SID".
    In the Java view it gives the error as "User Status Cannot be checked".
    We are on the below Support Pack status:
    SAP_ABA 702 0008 SAPKA70208
    SAP_BASIS 702 0008 SAPKB70208
    PI_BASIS 702 0008 SAPK-70208INPIBASIS
    ST-PI 2008_1_700 0004 SAPKITLRD4
    SAP_BS_FND 702 0006 SAPK-70206INSAPBSFND
    SAP_BW 702 0008 SAPKW70208
    SAP_AP 700 0024 SAPKNA7024
    WEBCUIF 701 0005 SAPK-70105INWEBCUIF
    BBPCRM 701 0005 SAPKU70105
    BI_CONT 706 0003 SAPK-70603INBICONT
    CPRXRPM 500_702 0006 SAPK-50006INCPRXRPM
    ST 710 0003 SAPKITL703
    ST-BCO 710 0001 SAPK-71001INSTBCO
    SOCO 101 0000 -
    ST-A/PI 01N_700SOL 0000 -
    ST-ICO 150_700 0030 SAPK-1507UINSTPL
    ST-SER 701_2010_1 0008 SAPKITLOS8
    Please suggest a solution to this.
    Thanks & Regards,
    Ajitabh

    Hello Ajitabh,
    I'm sure that you will see this error if you expand the error entry:
    SPML service failed to process searchRequest
    1. If you followed the advice from note 1616058, disabling SPML:
    When the SPML is deactivated, the status of users can't be checked.
    We are working to provide a note to solve this issue. Note number is 1647267, it is not released yet, but the solution is:
    "Enable to flag the user creation  to 'manually performed' in solman_setup".
    2. If you didn't disable SPML:
    Please refer to the steps in this SAP Note : 1647157 which will help you address the issue.
    Please let us know the outcome, thanks.
    Best regards,
    Guilherme

  • Which is better for servers, Apache or Tomcat?

    Which is better for servers, Apache or Tomcat?

    For some reason that link I gave you isn't working right now, but it was today, weird. I would get Tomcat simple because sun uses it in its examples and recommends it. Here's sun's link then, it's probably more useful anyway. http://java.sun.com/products/jsp/

  • Unable to use RAS SDK for server-side printing for XI 3.1

    Hi all,
    I am using RAS SDK for server-side printing.  Here are my codes:
    ISessionMgr sessionMgr = CrystalEnterprise.getSessionMgr();
    IEnterpriseSession enterpriseSession = sessionMgr.logon("Administrator", "", "cdi5boe", "secEnterprise");
    IInfoStore iStore = (IInfoStore) enterpriseSession.getService("InfoStore");
    //out.println("Current User is = " + enterpriseSession.getUserInfo().getUserName());
    //out.println ("<br>");
    IInfoObjects infoObjects = iStore.query("SELECT * FROM CI_INFOOBJECTS WHERE SI_Kind='CrystalReport' AND SI_NAME = 'Sales Print'");
    IInfoObject infoObject = (IInfoObject)infoObjects.get(0);    
    IReportAppFactory reportAppFactory = (IReportAppFactory) enterpriseSession.getService("RASReportFactory");
    ReportClientDocument rcd = new ReportClientDocument();
    rcd = reportAppFactory.openDocument(infoObject,0, java.util.Locale.US);
    //Create print options to use when printing.
    PrintReportOptions printOptions = new PrintReportOptions();
    printOptions.setPrinterName("\\\\cdi5boe\\HPLaserJ");
    printOptions.setJobTitle("Test Printer Job");
    printOptions.setPrinterDuplex(PrinterDuplex.horizontal);
    printOptions.setPaperSource(PaperSource.auto);
    printOptions.setPaperSize(PaperSize.paperLetter);
    printOptions.setNumberOfCopies(1);
    printOptions.setCollated(false);
    PrintReportOptions.PageRange printPageRange = new PrintReportOptions.PageRange(1,1);
    printOptions.addPrinterPageRange(printPageRange);
    //Print report.
    rcd.getPrintOutputController().printReport(printOptions);
    When I run the report, I got the following errors:
    com.crystaldecisions.sdk.occa.report.lib.ReportSDKPrinterException: com.businessobjects.crystalreports.printer.bean.ReportPrinter---- Error code:-2147215357 Error code name:internal
    I consult the Diamond Technical Community and I found the issue related to printer name:
    https://boc.sdn.sap.com/node/498
    However, I did check the printer name, it is accessible via Windows Explorer.
    Anyone knows how to resolve this?
    Regards,
    Derek

    It doesn't appear to be listed as a dependency in the developer docs, but would you try putting the ReportPrinter.jar in your RAS app?
    Sincerely,
    Ted Ueda

  • ZEN for Servers 7 agent on the NW 6.5 sp7

    I've tried on couple of servers and it's definitely the problem in running
    ZEN for Servers 7 agent on the newest NW 6.5 support pack 7 because it
    causes high processor utilization after 4-5 days of server up-time. Then,
    you cannot stop the agent with the exit command but only killing its java
    thread when the processor utilization fails to the normal stage.
    As we strongly use ZEN for Servers 7 agent to distribute applications to
    users desktops, I would very much appreciate if someone can help me in this
    issue.
    Sinisa

    Please see my thread from last year, TED Subscriber Locking Up. The fix was to revert to Java 1.4.2_09. NetWare SP7 installs Java 1.4.2_13. We ran into this problem when we installed the latest version of Java to fix the Daylight Savings Time issue last year. When you back rev Java to 1.4.2_09 TED no longer hangs up. Be sure to run the TZUpdater from Sun to update Java for the new DST settings.
    We are currently testing SP7 for deployment in a few weeks. I would greatly appreciate any ideas as to how we can deploy it without updating Java to 1.4.2_13. Any ideas?
    Thanks, Brian Geissman
    My Thread Post:
    http://forums.novell.com/novell-prod...ocking-up.html
    NetWare DST Page
    Search Results Page

  • OVA for LMS 4.2.1 support for Red Hat Virtualization for Servers

    Is the OVA available for download on Cisco's website compatible with anything outside VMWare?  For example, Red Hat Virtualization for Servers.

    Not without a hack on your part (which would void any hope of support).
