Traffic interception using ACE instead wccp

Similar Messages

• WAAS with ACE - Use Ace or use WCCP or use PBR?

  Wich is better to use, i need use two aces in HA (active x active). But the model of Switch Router is Enterasys and Enterasys dont have WCCP, but have TWCB(Transparent Web Cache Balancing (https://extranet.enterasys.com/sites/dms/DMSAssetLib/Documents/Feature%20Guides/twcbFeatGde041609.pdf), but my questions are:
  1) I have two Aces too, the better is use Ace to do this or not? (In reality i think that is not the best way).
  2) Somebody can say me if TWCB is the same of WCCP?
  3) With PBR can i use two WAAS in active x active mode?
  Thanks

  Hi Luciano,
  I tried to open the link you provided, but it's asking me for an Enterasys username and password so I couldn't find out what exactly this feature is. My guess is that it allows some transparent redirection similar to WCCP, but I have no clue how this is achieved. Therefore, I'm just going to speak about the other options.
  The first thing I would like to say is that, if you have to choose between PBR and ACE, I would recommend you to use the ACE. The main problem of PBR is that the redirection needs to be statically configured based on ACLs maching on the source or destination addresses, so, you don't have any kind of redundancy if a WAE goes down, and you may have to rewrite the ACLs if something changes in your environment. With the ACE, the load-balancing is dynamically done, so, if one of the WAE fails or the traffic patterns change, the load distribution will be dynamically adjusted
  Regards
  Daniel

• Waas traffic interseption with ace

  i will use ACE for waas traffic interception and i need help in:
  1. if i used ace so there is no need to wccp for traffic interception Right?
  2.if i used ace should i make 3 vlans vlan10 for clints(face wan) vlan12 for waes & vlan11 for datacenter
  make in 6500 interface vlan10 and give it ip 10.1.1.1 should i give interface vlan10 in ACE 10.1.1.1 (the same ip in 6500& ace) is taht logical to give same interafce vlan ip in two devices or will taht generate duplicated ip error
  3.if it right can i make static route in ACE to 6500 interface vlan10"ip route 0.0.0.0 0.0.0.0 10.1.1.1"?
  4.when i define access-list in ace to define traffic which could be routed through ACE if I deny certain network (permit only network that i wand to redirect to WAEs)will the other traffic routed through 6500 to core) i will use "transparent" in server farm & no ip normal. in other words can i consider access-list in ACE like access-list i'm using in wccp.
  5.the topology i have 2 6500 and i will install 2 ACE (1 ACE in each 6500) and i will attach 1 WAE in each 6500 switch one vlan for WAEs and i will make server farm and allocate 2 WAEs in it and i will define server farm in 2 ACEs and make default route in to ACEs to interface vlan 10.1.1.1 in this way will ACE load balance btween 2 WAEs and traffic interception work well or not?
  and finally i'm sorry for these many questions but i think i will find the answers.

  Usama,
  Here are the answers to your questions:
  1. Correct.
  2. You would not configure the same IP address on the ACE and MSFC. As far as how the VLANs should be configured, that somewhat depends on your deployment. What you have described would be common if you are deploying ACE in bridged mode. In routed mode, you can deploy ACE in a one-arm configuration.
  3. Yes.
  4. ACE does not pass traffic by default. You must explicitly permit the traffic you want to pass. Said differently, if you do not permit the traffic in your ACL, it will be dropped.
  5. If you are using a single context in ACE, they will be active/passive (i.e. only one ACE module will handle traffic at any given point in time). The configuration will automatically be synchronized between the active and passive modules.
  How are you planning to get traffic to the ACE module?
  Zach

• Use ACE to redirect or insert a WWW in a client request

  I am using ACE 4710s running 4.1 to load balance web traffic across our web server farms.  Redirection is configured to redirect http to https.  There is a new requirement to redirect a request that does not include the "www" in the URL to include the "www".  In other words, if a client merely types "mytesturl.com/test1" the ACE is to redirect or rewrite and insert the www so the request becomes"www.mytesturl.com/test1".  I am searching through the documentation, but thought I would pick the collective brains of the community at the same time to see who can come up with the correct answer first.  Below is a sample of the working config.
  Thanks in advance,
  mb
  rserver host RS_TEST_01
    description ***Test Producation Host***
    ip address 10.64.64.45
    inservice
  rserver redirect RD_EC
    description ***TEST Sub-Site***
    webhost-redirection https://www.test.com/EC/
    inservice
  rserver redirect http
    webhost-redirection https://%h%p 301
    inservice
  serverfarm redirect REDIRECT
    rserver http
      inservice
  serverfarm host SF_TEST
    rserver RS_TEST_01 80
      inservice
  serverfarm redirect SF_EC
    description ***Test Sub-Site***
    rserver RD_EC
      inservice
  sticky ip-netmask 255.255.255.0 address both STICKY_TEST_1
    timeout 600
    replicate sticky
    serverfarm SF_TEST
  ssl-proxy service SSL_TEST_1
    key TEST_KEY
    cert TEST_CERT
    chaingroup VERISIGN
    ssl advanced-options SSL_TERMINATION
  class-map match-any TEST_VIP_01
    description ***VIP for TEST***
    2 match virtual-address 10.64.74.45 tcp eq https
  class-map type http loadbalance match-all TEST_EC
    2 match http url /ec*
  policy-map type loadbalance first-match LB_TEST_01
    description ***Load Balancing Policy for Test***
    class TEST_EC
      serverfarm SF_EC
  policy-map type loadbalance first-match LB_REDIRECT
    description L7SLBPolicy-Redirect
    class class-default
      serverfarm REDIRECT
  policy-map multi-match NEW_WEB_POLICY
    class TEST_VIP_01
      loadbalance vip inservice
      loadbalance policy LB_TEST_01
      loadbalance vip icmp-reply active
      ssl-proxy server SSL_TEST_1
  interface vlan 474
    description ***Front End VIP interface***
    ip address 10.64.74.254 255.255.255.0
    alias 10.64.74.252 255.255.255.0
    peer ip address 10.64.74.253 255.255.255.0
    access-group input TEST_WEB
    service-policy input TEST_WEB_POLICY
    no shutdown

  Hi Michael,
  The configuration to achieve this would be something like the one below. I wrote it without trying it in the lab first, so, make sure to test it before putting it in production (specially the syntax of the regular expressions)
  rserver redirect http
    webhost-redirection https://%h%p 301
    inservice
  rserver redirect http_and_www
    webhost-redirection https://www.%h%p 301
    inservice
  serverfarm redirect REDIRECT
    rserver http
      inservice
  serverfarm redirect REDIRECT_and_www
    rserver http_and_www
      inservice
  class-map type http loadbalance match-all http_with_www
    2 match http header Host header-value www.*
  policy-map type loadbalance first-match LB_REDIRECT
    description L7SLBPolicy-Redirect
    class http_with_www
      serverfarm REDIRECT
    class class-default
      serverfarm REDIRECT_AND_WWW
  I hope this helps
  Daniel

• How do we use MSHOST instead of ASHOST in JCO Block xMII 11.5?

  Our SAP configuration has changed, and we are being told that we need to use MSHOST instead of ASHOST.  Can someone tell us how we can do this in the JCO block?  The error we are getting when I try to do a Get List:
  (xxxx is there to replace servernames)
  Fatal Error: JCOProxy error: Connect from SAP gateway to RFC server failed
  Connect_PM
  GWHOST=xxxxx, GWSERV=xxxxx, ASHOST=xxxxx, SYSNR=11
  LOCATION SAP-Gateway on host xxxx/xxxxx
  ERROR Gateway not connected to local R/3
  Release 700
  Component SAP-Gateway
  Version 2
  RC 726
  Module gwr3cpic.c
  Line 5609
  Counter 18

  Todd,
  Just for kicks can you Remote Desktop onto the MII server and try to ping both your MS and AS hosts?  Then I would try to verify that the communication port is actually open across the network, a quick and dirty method is to from the Command Prompt of the MII server use the telnet command:
  telnet server port
  If the screen goes blank then you will know that the port traffic is acceptable between the servers, otherwise you will get a connection error message back and you can blame the firewall for the issue.
  Thanks,
  Sam

• Using ACE RHI to inject a default route

  I think I posted this onto the wrong Forum. Anyone able to advise here?
  SteveK.
  Posted by: stevek1 - Network Administrator, Dept Natural Resources and Mines
  Apr 18, 2008, 12:04am PST
  Hi Folks,
  I need to provide internal devices with active-active access to our clustered firewall which sits across 2 data centres.
  I need to allow internal hosts to reach external/unknown networks via a default route.
  We have ACE modules in our internal network aggregation 6513s at each site.
  I aim to achieve this using RHI...ie...device at site 1 reaches the internet via firewall at site 1, device at site 2 reaches internet via firewall at site 2 (due to better route). If the firewall is inaccessible from site 2, ACE at site 2 removes the route from the MSFC using RHI and site 2 device traffic is re-routed to the site 1 exit point.
  Has anyone out there done this before?
  Regards, Steve.
  | Outline | Subscribe | E-Mail this Message
  Replied by: stevek1 - Network Administrator, Dept Natural Resources and Mines - Apr 20, 2008, 6:48pm PST
  Hi Folks,
  It's Steve here again. I haven't had a response to my query as yet, but basically I need to know the validity of using ACE RHI to inject a default route as opposed to a host route.
  Can anyone please advise?
  Best Wishes, Steve.

  Thanks so much for your response Zahoor.
  The solution you have provided is more complicated than I had in mind. For example we had not intended using FWSM (we don't have these modules). I just want to use our existing ACEs at each Data Centre to provide the injection of a default route to our internal EIGRP process based on the result of a probe to our Checkpoint FW. What do you think?
  Steve.

• Management traffic to the ACE

  Do i need to explicitly define management traffic coming to the ace module, i see in a lot of configurations that they allow managerment traffic in a special class to the ace?
  also it is necessary to apply an access-list to the ace module to accept traffic for the vip, what if i do not use any access-list on the ace, will the traffic go through?

  Yes you need to define allowed traffic to the ace. The ace acts as an implicit deny. It will block everything until you allow it. The first policy/class match that you should define is the management traffic class.
  access-list ALL line 8 extended permit ip any any
  class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
  permit
  interface vlan 121
  ip address
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown

• Can P2 be used with transparent WCCP redirection?

  I have the following scenario for a WSA:
  A. P1 is configured as the internal facing proxy interface.
  B. P2 is configured as the public facing interface on a separate subnet from P1.
  C. IP spoofing has been enabled.
  D. The WSA uses transparent redirection based on the destination port with WCCP service 91 and WCCP service 92 with source port redirection for the return path.
  F. IP spoofing is then disabled.
  After IP spoofing is disabled, will transparently proxied traffic only use the P1 interface? Will the second (return path) WCCP service need to be disabled on the WSA?
  I'm interested in being able to use both P1 and P2 to reduce proxied traffic congestion on the P1 interface after IP spoofing is disabled.

  Hi Parleysmith,
  WCCP will only be used to redirect client traffic on the P1 once it is disabled on the P2 interface using service ID 92. The service ID 92 also needs to be disable on the WSA.
  Sincerely,
  Erik Kaiser
  WSA CSE
  WSA Cisco Forums Moderator

• Exception access violation using jlong instead of jint

  Hi,
  I hope you can help me.
  I'm using Java5 under Windows XP and I'm developing under Eclipse.
  I try to use an "old" c-Application accesed via JNI.
  Status Quo is that, I have access to the c-side, over my JNI-conform DLL. My current task is to translate the c-side structs to java-objects. This also works, but only with limitation.
  Calling methods bidirectional is working, manipulation a java-object is like a walk on an warm and sunny Saturday afternoon.
  But I'm not able to use all possible parameters (for now I have tried to use jobject, jstring, jint, jboolean, jlong).
  The first problem I had, were using Strings as parameters, but this now I deal with the loopway over java/lang/object (using java/lang/String results in an access_violation).
  The next problem, and the harder one, is, that I cannot use the type long or jlong.
  int (jint) is no problem, with int all works fine, but if I change the environment, creating and using long, I allways get an the access_violation shown below.
  Is there anything, I need to know?
  working c-side-code:
  jobject someObject;
  jint anIntegerValue;
  anIntegerValue =5;               
  jmethodID mid3 = (*env)->GetMethodID(env, cl, "initReturnSomeObject", "(ILjava/lang/Object;)Ljava/lang/Object;");
                 if(mid3 == (jmethodID)0) printf("\ndooofes MethodName4!\n");
                           else {
                                const char* myParams;
                                myParams = "ooooohwow!!!";
                                someObject = (*env)->CallObjectMethod(env, jobj, mid3,
                                           anIntegerValue, (*env)->NewStringUTF(env, myParams));
                           }wokring java-side-code
  public Object initReturnSomeObject(int i, Object obj) {
            String s = (String)obj;
            System.out.println("String: "+s+"\nInteger: "+i);
            some = new SomeObject(s,i);
            if(some==null) System.out.println("Some is not yet initialized, FEAR!!!!\n");
            else System.out.println("Yoh, I'm soooo many good!! \nSome:\nString: "+some.getS1()+"\nInt: "+some.getI1()+"\n");
            return (Object)some;
  so, und this code, doesn't work. you can see, the changes are dramatically!! ;)
  sorry for my sarcasm. I do not know, why it doesn't work.
  jlong aLongValue;
  aLongValue = 2;
  jmethodID mid3 = (*env)->GetMethodID(env, cl, "initReturnSomeObject", "(JLjava/lang/Object;)Ljava/lang/Object;");
                 if(mid3 == (jmethodID)0) printf("\ndooofes MethodName4!\n");
                           else {
                                const char* myParams;
                                   myParams = "ooooohwow!!!";
                                someObject = (*env)->CallObjectMethod(env, jobj, mid3,
                                          aLongValue, (*env)->NewStringUTF(env, myParams));
       public Object initReturnSomeObject(long i, Object obj) {
            String s = (String)obj;
            System.out.println("String: "+s+"\nInteger: "+i+"\nLong: ");
            some = new SomeObject(s,(int)i);
            if(some==null) System.out.println("Some is not yet initialized, FEAR!!!!\n");
            else System.out.println("Yoh, I'm soooo many good!! \nSome:\nString: "+some.getS1()+"\nInt: "+some.getI1()+"\n");
            return (Object)some;
  # An unexpected error has been detected by Java Runtime Environment:
  #  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d942975, pid=1784, tid=1648
  # Java VM: Java HotSpot(TM) Client VM (1.6.0_03-b05 mixed mode, sharing)
  # Problematic frame:
  # V  [jvm.dll+0x182975]
  # An error report file with more information is saved as hs_err_pid1784.log
  # If you would like to submit a bug report, please visit:
  #   http://java.sun.com/webapps/bugreport/crash.jsp
  #do you need some other informations or details? something out of the log-file? ok, i have to take the bus, so sorry for uncomplete informations or sentences ;)
  till later.

  Hi,
  I'm quite sure, the signature is correct. For failure check, yesterday I ran javap to check the signature, but I do also mean, that I changed the signature afterwards for several time. And, it works ;) at least the way, using Integer.
  Trying to use java/lang/String everytime I got the Error, that the method could not be found - this is the part, I was wrong in my description. So the error-Message is a different one.
  Belonging to the question for assumptions I made... it's difficult. I'm quite new to JNI, so, I don't know, what I can assume to do. The Method call seems to be a kind of reflection-mechanism. So I assume that the behaviour is similar. But reflection I'm not very firm, either ^^.
  What I do assume is, that the parameter-value J fits to the java-type jlong. But a work around on this, I will try today. getting the jlong into an char* or using long instead of jlong or using Ljava/lang/Long; or a casted Long as Ljava/lang/Object; ...
  I'm anxious to the ideas, I will have, bypassing this point. if there is no way, I will write a file, send a email or something like this ;)
  Thx for thinking about my problem jschel!! It's great not to be alone.
  John

• I just found my old ipod touch (i think 1st generation) and would like to let my toddler use it instead of my phone.  I am trying to download apps but it say I need to update to 4.3 but it won't let me update.  I have the most recent itunes. any idea why?

  I just found my old ipod touch (i think 1st generation) and would like to let my toddler use it instead of my phone.  I am trying to download apps but it say I need to update to 4.3 but it won't let me update.  I have the most recent itunes. any idea why? I saw a thread saying to purchase the newest software (that was posted a few years ago) I paid 4.95 for the software and it's still saying it can't be updated.  Am I just SOL??

  The 1G iPod can only go as high as 3.1.3. The 1G does not have an internal speaker or volume buttons on the upper left edge.
  Identifying iPod models
  To more easily find compatible apps:
  iOSSearch - search the iTunes store for compatible apps.
  Apple Club - filter apps by iOS version.

• How to modify a lookup field-type to use checkbox instead of radiobutton?

  How to modify a lookup field-type to use checkbox instead of radiobutton?
  I would like to modify the behavior for the lookup field.
  Normally you get a screen where it is possible to search through a lookup. The items resulted from the search are listed as radiobutton items. Therefore you can select only one at the time to be added.
  Is it possible to have the items to be listed as checkbox instead? So that you can check multiple items and therefore be able to add multiple items at the time?
  For example:
  To add the user to 10 different groups on MS-AD.
  It is desired to have the ability to check multiple groups to be added instead only one at the time.
  My client would like to use this feature in many other situations.

  Displaying will not be a big deal but with that you have to customize the action class and its working as well.

• Invalid security certificate for my website host-they say the problem is Apple Safari and use Firefox instead

  For the past few days, I keep getting an invalid security certificate in Safari whenever I select Edit My Site from my website homepage (http://annaporterartist.com), or whenever I select anything requiring a secure log in from my website host main page (FASO.com). I have contacted technical support at my website host (fineartstudioonline.com) and they say that this has been an intermittently recurring problem in Safari for years and they recommend that I use Firefox instead. As proof of this they emailed a link to an Apple Support discussion, but it was for Mac OS X Lion v 10.7.4 and Safari 5.1, even though I told them I am using Mac OS X Mountain Lion v 10.8.2 and Safari 6.0.2. I do not get this error message anywhere else on the web using Safari. I did try Firefox and it seems to work fine, but I prefer Safari and I want to know why Safari is not working as it should be. I am concerned that there is a real security problem with my website host and I need someone to explain why I am getting this error message, what it means, and if it is, in fact, a known problem with Safari or is my website host corrupted? Really tired of technical support playing pass the buck or pretending the problem does not exist.
  The specific error message is:
  Their response to my inquiry and my reply is shown below:

  Back up all data.
  Launch the Keychain Access application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Keychain Access in the icon grid.
  From the menu bar, select
  Keychain Access ▹ Preferences ▹ Certificates
  There are three menus in the window. What is selected in each of them?

• I would like to read a text file in which the decimal numbers are using dots instead of commas. Is there a way of converting this in labVIEW, or how can I get the program to enterpret the figures in the correct way?

  The program doest enterpret my figures from the text file in the correct way since the numbers contain dots instead of commas. Is there a way to fix this in labVIEW, or do I have to change the files before reading them in the program? Thanks beforehend!

  You must go in the labview option menu, you can select 'use the local
  separator' in the front side submenu (LV6i).
  If you use the "From Exponential/Fract/Eng" vi, you are able to select this
  opton (with a boolean) without changing the labview parameters.
  (sorry for my english)
  Lange Jerome
  FRANCE
  "Nina" a ecrit dans le message news:
  [email protected]..
  > I would like to read a text file in which the decimal numbers are
  > using dots instead of commas. Is there a way of converting this in
  > labVIEW, or how can I get the program to enterpret the figures in the
  > correct way?
  >
  > The program doest enterpret my figures from the text file in the
  > correct way since the numbers contain dots instea
  d of commas. Is there
  > a way to fix this in labVIEW, or do I have to change the files before
  > reading them in the program? Thanks beforehend!

• Using open instead of file open causes Acrobat X11 to barf and stop working

  I get a Critical Error when I use Open instead of File Open.
  Faulting Application Path: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe
  Problem Event Name: APPCRASH
  Application Name: Acrobat.exe
  Application Version: 11.0.9.29
  Application Timestamp: 5412b52e
  Fault Module Name: StackHash_9cd1
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp: 00000000
  Exception Code: c00001a5
  Exception Offset: PCH_9A_FROM_ntdll+0x0003AAAC
  OS Version: 6.3.9600.2.0.0.256.48
  Locale ID: 1033
  Additional Information 1: 9cd1
  Additional Information 2: 9cd11aece74acb27712497bb36a41cb9
  Additional Information 3: 907e
  Additional Information 4: 907e2580c2bb8a6c100db3c807719959
  Bucket ID: 14715054b1814cb4d80f9c990e44ea23 (73554368215)

  You can use the DocOpen event.

• Firefox can't read any Bookmark that was imported from my PC with file extension .url. Safari reads them fine. Is there a fix, so I can use Firefox instead of Safari? Many thanks if so. I have the latest version of Firefox

  Firefox can't read any Bookmark on my Mac that was imported from my PC with file extension .url. Safari reads them all fine. Is there a fix, so I can use Firefox instead of Safari? Many thanks if so. I have the latest version of Firefox
  == URL of affected sites ==
  http://anysite.url
  == User Agent ==
  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-us) AppleWebKit/531.22.7 (KHTML, like Gecko) Version/4.0.5 Safari/531.22.7

  Hello JF.
  I don't think that extension is supported. I believe Firefox can only read .json and .html.
  You may want to read this though:
  [http://support.mozilla.com/en-US/kb/Importing+bookmarks+and other data from Safari Importing bookmarks and other data from Safari]