Transparent ACE Design

Hi,
I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html
My topology will be routed access with transparent contexts, so:
client -> MSFC -> Trans FWSM -> Trans ACE -> VRF -> Rserver subnets A & B.
I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reachability.
My questions are:
1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
4) likewise for LB traffic that hits the VIP, how is it forwarded?
5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, e.g. is this a supported config?
Thanks in advance!
Lee.

Hi Lee,
Let me reply to you inline:
1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?
Yes, you can use any subnet; of course, you must have a route to reach the rservers.
2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?
It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.
3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?
Either static routes or a gateway.
4) likewise for LB traffic that hits the VIP, how is it forwarded?
Normally it uses the client IP as source and the IP of the rserver as destination if you are not NATing. Not sure if this answers your question.
5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, e.g. is this a supported config?
Yes, it is.
Hope this helps,
/dom
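Answers 2 and 3 above are the two checks worth running against a context before cutover: is every rserver covered by a BVI subnet or a route, and which address will the MSFC learn as next hop for each VIP that has `loadbalance vip advertise active`. The Python script below is an added example, not code from the original post or from Cisco. It parses only the ACE stanzas it needs (rserver, class-map, policy-map multi-match, interface vlan, interface bvi, ip route) and reports both answers. The sample config is abridged from the "Transparent ACE - 2 VLAN's, 1 context, 2 VIPs" thread further down this page; the rserver OUT-OF-SUBNET at 192.0.2.10 is a constructed addition to show the routed case, and the rule that in a transparent context the next hop is the alias of the BVI behind the advertising VLAN (or the BVI's own IP without an alias) is an assumption taken from the reply above.

```python
"""Check an ACE transparent context for (2) the RHI next hop of each advertised
VIP and (3) whether each rserver is reachable through a BVI subnet or a route."""
import ipaddress

# Abridged from the config posted in the "Transparent ACE - 2 VLAN's" thread on
# this page. OUT-OF-SUBNET (192.0.2.10) is a constructed rserver for the routed case.
SAMPLE_CONFIG = """
rserver host BL-VAN-CDMSPBI1
  ip address 10.0.4.15
rserver host VM-VAN-CDMSPNT2
  ip address 10.0.2.149
rserver host OUT-OF-SUBNET
  ip address 192.0.2.10
class-map match-all IRIS_REPORTING_HTTP
  2 match virtual-address 10.0.103.3 tcp eq www
class-map match-all IRIS_WEB_HTTP
  2 match virtual-address 10.0.103.4 tcp eq www
policy-map multi-match int41
  class IRIS_WEB_HTTP
    loadbalance vip advertise active
policy-map multi-match int47
  class IRIS_REPORTING_HTTP
    loadbalance vip advertise active
interface vlan 41
  bridge-group 2
  service-policy input int41
interface vlan 47
  bridge-group 1
  service-policy input int47
interface bvi 1
  ip address 10.0.4.58 255.255.255.192
  alias 10.0.4.59 255.255.255.192
interface bvi 2
  ip address 10.0.2.186 255.255.255.192
  alias 10.0.2.187 255.255.255.192
ip route 0.0.0.0 0.0.0.0 10.0.4.62
"""


def stanzas(text):
    """Split the config into (header words, [body line words]) stanzas."""
    out = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            out.append((raw.split(), []))
        elif out:
            out[-1][1].append(raw.split())
    return out


def parse_config(text):
    cfg = {"rservers": {}, "vips": {}, "policies": {}, "vlans": {}, "bvis": {}, "routes": []}
    for head, body in stanzas(text):
        if head[:2] == ["rserver", "host"]:
            cfg["rservers"][head[2]] = next(
                (ipaddress.ip_address(w[2]) for w in body if w[:2] == ["ip", "address"]), None)
        elif head[0] == "class-map":
            for w in body:
                if "virtual-address" in w:
                    cfg["vips"][head[-1]] = ipaddress.ip_address(w[w.index("virtual-address") + 1])
        elif head[:2] == ["policy-map", "multi-match"]:
            cur, advertised = None, []
            for w in body:
                if w[0] == "class":
                    cur = w[1]
                elif w == ["loadbalance", "vip", "advertise", "active"]:
                    advertised.append(cur)
            cfg["policies"][head[2]] = advertised
        elif head[:2] == ["interface", "vlan"]:
            cfg["vlans"][head[2]] = {
                "bridge_group": next((w[1] for w in body if w[0] == "bridge-group"), None),
                "policies": [w[2] for w in body if w[:2] == ["service-policy", "input"]],
            }
        elif head[:2] == ["interface", "bvi"]:
            ip = next(w for w in body if w[:2] == ["ip", "address"])
            alias = next((w for w in body if w[0] == "alias"), None)
            cfg["bvis"][head[2]] = {
                "network": ipaddress.ip_interface(f"{ip[2]}/{ip[3]}").network,
                "ip": ipaddress.ip_address(ip[2]),
                "alias": ipaddress.ip_address(alias[1]) if alias else None,
            }
        elif head[:2] == ["ip", "route"]:
            cfg["routes"].append((ipaddress.ip_network(f"{head[2]}/{head[3]}"),
                                  ipaddress.ip_address(head[4])))
    return cfg


def rserver_reachability(cfg):
    """Answer (3): connected through a BVI subnet, else the longest-match route, else unreachable."""
    result = {}
    for name, addr in cfg["rservers"].items():
        bvi = next((b for b, e in cfg["bvis"].items() if addr in e["network"]), None)
        routes = [r for r in cfg["routes"] if addr in r[0]]
        if bvi:
            result[name] = f"connected via bvi {bvi}"
        elif routes:
            net, gw = max(routes, key=lambda r: r[0].prefixlen)
            result[name] = f"routed via {gw} ({net})"
        else:
            result[name] = "UNREACHABLE: add a static route or default gateway"
    return result


def rhi_next_hops(cfg):
    """Answer (2): for each VIP advertised on a VLAN, the next hop the MSFC learns is the
    alias of the BVI behind that VLAN's bridge-group, or the BVI IP when there is no alias
    (assumption for a transparent context, where the address lives on the BVI)."""
    result = {}
    for vlan, e in cfg["vlans"].items():
        bvi = cfg["bvis"].get(e["bridge_group"], {})
        for pol in e["policies"]:
            for cls in cfg["policies"].get(pol, []):
                hop = bvi.get("alias") or bvi.get("ip")
                result[str(cfg["vips"][cls])] = str(hop) if hop else f"no BVI behind vlan {vlan}"
    return result


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for report in (rserver_reachability(cfg), rhi_next_hops(cfg)):
        for key, value in report.items():
            print(f"{key:>20}  {value}")
```

Run it against a full context dump and any rserver reported UNREACHABLE is a probe that will never leave the ACE, which is exactly the symptom behind question 3.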

Similar Messages

  • What version of Acrobat is required for a CS4 ACE Design Master?

    Hi folks, I haven't found this answer anyplace else, so could someone tell me: does the ACE Design Master CS4 certification call for Acrobat X or Acrobat 9? Or is either one accepted?
    Thanks!

    I'm imagining the current version of the application Acrobat, which would be Acrobat X. That's what the Certification pages on the website seem to indicate. I poked around looking, but couldn't find contact information there.
    http://www.adobe.com/support/certification/ace.html
    In truth, you should probably get certified in CS5 since the applications are already at CS5.5

  • ACE: design/config question: trans.slb + slb + mngt

    Hi,
    Could this ACE setup/design work?
    I want PROXIED sessions (to VIP proxy 10.0.0.10) to be load balanced.
    All other sessions (e.g. some public IPs) will have to be transparently load balanced to proxy servers. Thus no destination NAT.
    ACE is inline between firewalls and proxy servers.
    Vip definitions:
    class-map match-all P_PXYVIP_VS_LB
    2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
    class-map match-all P_PXYTRANS_VS_LB
    2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
    Question in this case: would it still be possible to have management sessions towards the proxy servers routed by the ACE (physical IP addresses of the proxies)?
    Probably the class-map PXYTRANS is catching those sessions also.
    Are there other design/config solutions to solve this one?
    Thank you!
    Wim

    Let me repose the question:
    How could one still be able to access the real server IP (which is directly connected to the ACE) for management?
    Knowing that there is 1 VIP which (normal) loadbalance to the realservers
    and
    there is 1 VIP 0.0.0.0 tcp any which is configured to catch all other traffic to be transparently load balanced.
    The VIP 0.0.0.0 is always catching the sessions which need only to be routed to the real servers' IP.

  • ACE design issue

    Hi,
    my question is about design.
    At the left side, the server and the ACE VLAN interfaces are directly connected to the same VLAN. VIP traffic flow is green, server management is brown.
    The problem is, that with this design i'm restricted to one server vlan per context,
    because the server gateway is the ACE and the ACE-gateway is the server-vlan-interface
    at the core.
    When the VIP is used, traffic flow is:
    1) World is routed to the VIP-VLAN Interface on the core
    2) Core sends traffic to the VIP
    3) ACE sends traffic to the server through server-vlan-interface
    4) server sends back to the ACE
    5) ACE sends back to core through the VIP VLAN
    6) core sends traffic to world, everything is fine
    Now our server admins want to administrate from different locations:
    w/o adding host routes to the core:
    1) Admin tries to connect to the server
    2) World is routed to the Server-VLAN Interface on the core
    3) Core sends traffic to the server
    4) server sends traffic to default-gw (ACE)
    5) ACE drops traffic due to seeing traffic in only one direction, saying no matching session
    Todo: Add host route into core to force the traffic to use the ace for
    every single server.
    with adding host routes to the core:
    1) Admin tries to connect to  the server
    2) World is routed to the Server-VLAN Interface on the core
    3) Core sends traffic to the ACE server-VLAN interface, due to host route
    4) ACE sends to the server
    5) server sends traffic to default-gw (ACE)
    6) ACE to core via server-vlan-interface (default route), core to world and everything is fine
    Now it's impossible to add another server-VLAN interface to the ACE, because the destinations are all the same (world) and the gateway on the ACE has to be the VLAN routing instance, the core.
    So i have a default route to one server-vlan-interface on the core and all traffic passing the ACE uses
    this gw. The result is, that the traffic is blocked by our Firewall.
    My plan is now to implement a transit-VLAN (shown on the right side of my pic) for making
    my job easier (no host routes, no server admin needed (!) to change gateways..... ) and
    overcome the different kind of problems.
    My question is now:
    Is it ensured that the ACE will see all its traffic?
    I think all should be fine, because the traffic path is unique.
    Thanks for reading ^^ and for posting some opinions.
    regards from germany

    If I understand correctly, the servers would not be directly connected to the ACE anymore.
    Their gateway would not be the ACE anymore.
    Problem with this is to guarantee that server response to a *world* request goes back to ACE.
    Without any specific action/config, this won't happen.
    The server will forward its response to its gateway, which will send it directly to the outside world, bypassing ACE and creating the same asymmetry you're trying to solve.
    To solve this, you will need to do source NATing on ACE.
    But then your servers will lose information about the client source IP address (no more stats based on that info).
    Unless you configure header insert and modify the server to read that info in each request.
    As you can see this is not quite easy.
    You could try bridge mode.
    Create another vlan, and bridge it (BVI) with existing server vlan.
    Keep the servers in their original vlan and connect the gateway to the new vlan (without changing ip addresses).
    ACE will then be in the middle of GW and ACE.
    Gilles.

  • ACE design and RHI

    Hi guys!
    I'm doing a redundant ACE module installation (using 7600) and I came with some design questions.
    From the configurations guides, you configure a VLAN X for clients (where the traffic to be balanced arrives), and VLAN Y for servers (where the real servers are). In all the examples I've seen, the VIP address is from the client VLAN subnet, from that I wonder:
    1.- Is this the only way to do this? The 7600 supervisor knows where the VIP is because it has a BVI in that same VLAN X, so it's directly connected. For the 7600 to reach the real server subnet, it would need a static route pointing to the ACE IP address, right?
    2.- In that scenario (VIP living in the client VLAN X), RHI is not necessary, right? But what happens when the VIP is not available? Do you still need RHI so there is a "dynamic" host route for the VIP?
    3.- Then in what situations would RHI be needed? I've read that you need RHI when you don't have the Supervisor and the ACE directly connected, but I don't quite get this; can someone clarify?
    4.- Can the VIP be a member of a different subnet? For example, can it be a member of the server VLAN Y, or a completely different VLAN Z? What would be the necessary changes?
    Thanks a lot for your time guys, any help is greatly appreciated.
    Omar M.

    RHI is mainly used for inter site redundancy, instead of relying on DNS for your VIP HA, you rely on routing by announcing a /32 route in your OSPF backbone.
    1 - yes
    2 - it depends on the way you want to ensure inter site HA.
    3 - the purpose is only to send a /32 route from multiple ACE clusters or sites. When your whole cluster or datacenters is down, the routing topology is built again pointing the same IP address to the new site (with playing on the OSPF cost) without any problem of DNS dead A record with client cache.
    4 - No problem. You can even do it manually with a conditional host route defined on the upstream router (conditioned with an IP SLA sensor) redistributed into your OSPF process.

  • ACE Design/Normalization Question

    We are deploying an ACE to LB some data center traffic. The ACE will sit off of our core 6500 w/ SUP720. We have multiple subnets that need to be load balanced that also reside on the same 6500.
    We have done different tests in both routed and bridged mode and neither of these setups works without using a policy map on the 6500. I have disabled normalization and everything seems to work with the asymmetric flow. Are there any disadvantages to disabling normalization? Also, I've read through most of the Cisco documents about bridged and routed mode. Does anyone know of any other documents out there with a similar design to the above?
    Thanks in Advance.

    Hi Darren,
    ACE normalization is more of a security feature and won't allow asymmetrical flows through ACE. Normalization is enabled by default.
    Without normalization ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.
    This link provides overview on TCP normalization,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.html#wp1002055
    To prevent asymmetrical routing, you can configure Source NAT on ACE so that response from Server will go through ACE.
    This link provides sample example on configuring Source NAT,
    http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml
    Hope this helps,
    Best Regards,
    Rahul

  • ACE design with inter-Vlan routing

    Hello all.
    I'm working on a design for a customer where the ACE will perform inter vlan routing.
    A few questions about that :
    - is routed traffic enforced in hardware with some kind of CEF-like mechanism? (I suppose yes because there is a FIB? per https://supportforums.cisco.com/docs/DOC-19253) We expect a certain load, and routing in software will not be acceptable.
    - if I put my VIPs within the VLANs hosting the application, is there any restriction on accesses made to this VIP (if the VIP is reached after the routing process is performed) ?
    example :
    VLAN2 (client) ----- ACE ----- VLAN3 (servers)
    192.168.2.0/24                 192.168.3.0/24
    If I try to access the VIP (192.168.3.20) from a PC in the VLAN2 (192.168.2.15) does it work ?
    I assume yes because the VIP appears as a connected /32 in the routing table, I just want to be sure to not fall into some tricky part of code because the access to the VIP is done after the routing process. I just want to be sure there is no drawback / restriction about that.
    Thanks in advance.

    Hello Surya!
    Yes, this is possible. You can reach the VIP from one VLAN to another (the VIP is not really inside of the VLAN). It is important to check your ACLs, and you need to have the service-policy either globally or locally on both VLAN interfaces.
    And I guess there is nothing like CEF implemented in the ACE, because it is not needed there.
    Cheers,
    Marko

  • Basic ACE Design Question

    Hi All,
    In the network layout below, does the ACE need to be set up in routed mode to work? Can it also be set up in bridged mode in this scenario?
    Network Cloud <--> Firewall <--> ACE <--> Router <--> Server Farm.
    Any references would also be greatly appreciated.
    Thanks in advance.
    HH

    you only need the server adjacent if you do transparent loadbalancing. Which means you do not nat the virtual ip to the server ip.
    Instead the servers are configured with a loopback ip address the same as the vip on the loadbalancer.
    You can always bridge between 2 vlans and this is possible in your case.
    However, I don't see the need to insert a router between the ace module and the servers.
    Can't you have the ace module inserted between the router and the servers ?
    Or get rid of the router and have the servers directly connected to the ACE VLAN, using the firewall as gateway?
    Gilles.

  • ACE design draft.

    Hi,
    I've designed a solution for a customer after reviewing their requirements, but I've never set up ACE like this before. In theory I believe it should work, but I would like some input so I'm not too far off base and can actually present a doable solution.
    I have an ACE(one armed) in the DMZ functioning as a reverse proxy pointing to an internal ACE(bridged mode)
    Thanks in advance
    Tyrone

    I don't see anything out of the ordinary here. Although the second picture is not showing up. Maybe you could share more details about the requirements and desired packet flow.

  • ASA Transparent Failover Design

    Hello -
    I am looking to install two ASAs in transparent mode. On the inside there will be a 3750 stack dual homed to the inside interface on each ASA. The outside interfaces of each ASA will connect to separate 6500s (a pair of core switches) that are connected together using an L3 link. The connections from the 3750 stack to the 6500s will be L3 (these will be separate /29 links) going through the ASAs.
    No need to load-balance, so the failover design can be active/standby. Given this, can I put the failover network on a separate network? The boxes will be geographically separated, but the ability to connect L2 over dark fiber exists. Basically I want each L3 link through the ASAs to be its own /29 network, and the failover interfaces to be part of a different subnet over that dark fiber.
    Is this workable or do I need to use a different design?
    Any tips are appreciated.
    Thanks
    Chuck

    Hello Andy,
    Exactly, while one unit is on standby mode it will not introduce any loop as it will not be forwarding any data.
    That being said it's a supported scenario
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • Transparent ACE - 2 VLAN's, 1 context, 2 VIPs

    Hi,
    We have a 3 tier application that needs to be load balanced from client to middleware and from middleware to backend.
    Usually we do this with multiple contexts on the ACE.
    This time we are doing this with multiple VLANs within the same context. Is this possible?
    setup
    client VIP = 10.0.103.3 which is mapped to IRIS_Reporting serverfarm in VLAN47
    middleware VIP = 10.0.103.4 which is mapped to IRIS_Web serverfarm in VLAN41
    client VIP hits 10.0.103.3 and then middleware box then hits 10.0.103.4. First part is working fine but middleware cannot open connection to 10.0.103.4 VIP over tcp/80. In the ACE log i see the connection timing out...
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
    thanks,
    John.

    Hi Ivan,
    Here is the config,
    access-list BPDU ethertype permit bpdu
    access-list everyone line 10 extended permit ip any any
    parameter-map type http HTTP_PARAM
      server-conn reuse
      case-insensitive
      persistence-rebalance
    parameter-map type generic SSLID_PARAM
      set max-parse-length 70
    parameter-map type ssl SSL_PARAM
      session-cache timeout 300
    parameter-map type connection TCP_PARAM
      syn-data drop
      exceed-mss allow
    rserver host BL-VAN-CDMSPBI1
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.15
      inservice
    rserver host BL-VAN-CDMSPBI2
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.18
      inservice
    rserver host BL-VAN-ITSM03
      description ITSM Reporting Server
      ip address 10.0.4.16
      inservice
    rserver host BL-VAN-ITSM04
      description ITSM Reporting Server
      ip address 10.0.4.17
      inservice
    rserver host VM-VAN-CDMSPNT1
      description IRIS Sharepoint Web Server
      ip address 10.0.2.148
      inservice
    rserver host VM-VAN-CDMSPNT2
      description IRIS Sharepoint Web Server
      ip address 10.0.2.149
      inservice
    serverfarm host IRIS_Reporting
      description IRIS Reporting Servers
      failaction reassign
      fail-on-all
      rserver BL-VAN-CDMSPBI1 80
        inservice
      rserver BL-VAN-CDMSPBI2 80
    serverfarm host IRIS_Web
      description IRIS Front End Web Servers
      failaction reassign
      fail-on-all
      rserver VM-VAN-CDMSPNT1 80
        inservice
      rserver VM-VAN-CDMSPNT2 80
        inservice
    serverfarm host ITSM_Reporting
      description ITSM Reporting Servers
      failaction reassign
      rserver BL-VAN-ITSM03 80
        inservice
      rserver BL-VAN-ITSM04 80
        inservice
    class-map match-all IRIS_REPORTING_HTTP
      2 match virtual-address 10.0.103.3 tcp eq www
    class-map match-all IRIS_WEB_HTTP
      2 match virtual-address 10.0.103.4 tcp eq www
    class-map match-all ITSM_HTTP
      2 match virtual-address 10.0.103.1 tcp eq www
    class-map type management match-any PING
      10 match protocol icmp any
      20 match protocol snmp any
    policy-map type management first-match PING-POLICY
      class PING
        permit
    policy-map type loadbalance first-match IRIS_REPORTING_HTTP-l7slb
      class class-default
        serverfarm IRIS_Reporting
    policy-map type loadbalance first-match IRIS_WEB_HTTP-l7slb
      class class-default
        serverfarm IRIS_Web
    policy-map type loadbalance first-match ITSM_HTTP-l7slb
      class class-default
        serverfarm ITSM_Reporting
    policy-map multi-match int41
      class IRIS_WEB_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_WEB_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    policy-map multi-match int47
      class ITSM_HTTP
        loadbalance vip inservice
        loadbalance policy ITSM_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
      class IRIS_REPORTING_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_REPORTING_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    interface vlan 41
      description Client-Side VIP for Internal WEB LB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int41
      no shutdown
      ip route inject vlan 41
    interface vlan 47
      description Client-Side VIP for Gen Applications LB
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int47
      no shutdown
      ip route inject vlan 47
    interface vlan 341
      description Server-Side for Internal WEB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface vlan 347
      description Server-Side for Gen Applications
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface bvi 1
      ip address 10.0.4.58 255.255.255.192
      alias 10.0.4.59 255.255.255.192
      peer ip address 10.0.4.57 255.255.255.192
      no shutdown
    interface bvi 2
      ip address 10.0.2.186 255.255.255.192
      alias 10.0.2.187 255.255.255.192
      peer ip address 10.0.2.185 255.255.255.192
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.4.62
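    The two connection ids in the log posted above are legs of one client flow (same source socket 10.0.4.18/49731): the first entered on vlan347 and left on vlan47 with the VIP untouched and died with SYN Timeout, the second entered on vlan41, was load balanced to 10.0.2.149 on vlan341 and was reset. Correlating %ACE-6-302022 (Built) with %ACE-6-302023 (Teardown) per connection id, then grouping by client socket, is the quickest way to see a flow crossing the ACE twice. The Python below is an added example, not code from the original post or from Cisco; the four log lines are the ones posted above, re-joined where the post wrapped them, and the set of teardown reasons treated as failures is an assumption.

```python
"""Correlate ACE syslog Built/Teardown messages per connection id, then group the
legs of each client flow by source socket so a flow that crosses the ACE more than
once (two bridge-groups, as in the thread above) is reported as one item."""
import re
from collections import defaultdict

# The four log lines from the thread above, re-joined where the post wrapped them.
SAMPLE_LOG = """\
Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)
Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)
Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
"""

LINE_RE = re.compile(
    r"%ACE-6-(?P<code>30202[23]): (?P<event>Built|Teardown) TCP connection (?P<conn>0x[0-9a-f]+) "
    r"for (?P<in_vlan>vlan\d+):(?P<src>\S+) \((?P<src_mapped>\S+)\) "
    r"to (?P<out_vlan>vlan\d+):(?P<dst>\S+) \((?P<dst_mapped>\S+)\)"
    r"(?: duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.*))?$"
)

# ASSUMPTION: teardown reasons that mark a leg as failed for this report.
FAILURE_REASONS = {"SYN Timeout", "TCP Reset"}


def parse_connections(log_text):
    """Return {conn_id: leg}; a leg carries the Built fields plus the Teardown reason."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        f = m.groupdict()
        leg = conns.setdefault(f["conn"], {
            "in_vlan": f["in_vlan"], "src": f["src"],
            "out_vlan": f["out_vlan"], "dst": f["dst"], "dst_mapped": f["dst_mapped"],
            # the destination was rewritten from VIP to rserver only on a load-balanced leg
            "load_balanced": f["dst"] != f["dst_mapped"],
            "reason": None, "bytes": None,
        })
        if f["event"] == "Teardown":
            leg["reason"] = f["reason"]
            leg["bytes"] = int(f["bytes"])
    return conns


def group_flows(conns):
    """Group legs by client socket (src ip/port), keeping log order within a flow."""
    flows = defaultdict(list)
    for conn_id, leg in conns.items():
        flows[leg["src"]].append(dict(leg, conn=conn_id))
    return flows


def failed_flows(conns):
    """{client socket: [(conn id, 'in->out dst->mapped', reason), ...]} for every
    client flow with at least one leg torn down for a reason in FAILURE_REASONS."""
    out = {}
    for src, legs in group_flows(conns).items():
        bad = [(l["conn"], f"{l['in_vlan']}->{l['out_vlan']} {l['dst']}->{l['dst_mapped']}", l["reason"])
               for l in legs if l["reason"] in FAILURE_REASONS]
        if bad:
            out[src] = bad
    return out


if __name__ == "__main__":
    for src, legs in failed_flows(parse_connections(SAMPLE_LOG)).items():
        print(f"client {src}:")
        for conn_id, path, reason in legs:
            print(f"  {conn_id}  {path}  {reason}")
```

    Reading the output for the posted lines, the leg that actually reached an rserver (vlan41 -> vlan341, VIP mapped to 10.0.2.149) ended with TCP Reset, while the un-balanced bridged leg only ever saw a SYN timeout; that tells you which side of the ACE to capture on next.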

  • It's my 3000 post – Oracle ACE and Oracle employees

    Hello,
    So, this is my post number 3000. In this forum, it’s not so unique, but still I decided to dedicate it to the subject of Oracle ACE and Oracle employees.
    Recently, Joel blogged about Carl awarded Oracle ACE (http://joelkallman.blogspot.com/2009/02/carl-backstrom-oracle-ace.html), after special efforts made by Sharon, because “the folks at the Oracle Technology Network decided that Oracle employees could no longer be awarded the ACE designation”. I truly wish I could write that Carl is a living proof of this decision being misguided. Unfortunately, I can’t. However, Carl’s case paints the situation in strong colors. Only after his death, Carl was honored with something that I’m sure seems so obvious to most of us.
    I’m thinking that if this decision, not to award Oracle employees with Oracle ACE, was made sooner, people like Scott and Joel would not have awarded Oracle ACE, not to mention Tom Kyte, and probably others I’m not familiar with. Scott and Joel deals with APEX all day long, as part of their job, and this forum is not part of their day job description. Still, they find the time to help us all. Just look at the post counter of Scott. I’m amazed each time I see it. Scott, with all his experience, doesn’t limit himself to only the most complicated issues. You can see his replies, to the most basic issues, almost every day. Joel never failed helping me, and many others on this forum, every time there is an issue only he can help with. Scott and Joel were lucky, and have been awarded Oracle ACE, prior to this decision. Carl was less lucky, and as Joel wrote, I can’t think of anyone who better represent the true meaning and spirit of the Oracle ACE program.
    The point I’m trying to make is that Oracle ACE should not be left for luck and timing, or place of work, for that matter. I’m sure that the OTN folks had best intensions when making this decision. I can understand that people might suspect favoritism toward Oracle employees; however, the solution shouldn’t be the easy one – no to every Oracle employee.
    While writing, I can think of Tyler. He’s no longer a member of the APEX team, but we can still enjoy his wisdom and experience on this forum, not to mention his APEX dedicated blog entries, were he covers special and more complex aspects of working with this tool. I don’t know if Tyler qualifies to become Oracle ACE (and, of course, I’m only using him as an example) but it seems wrong to me not to even consider it, just because he happens to work for Oracle. I’m sure there are others like Tyler, in the other forums. I believe that this kind of behavior, by Oracle employees, should be encouraged, and not taken for granted. Certainly, they shouldn’t be penalized.
    So, what all of this has to do with my 3000 posts? I believe I earned the right to call myself a frequent poster on this forum. As such, I know how time consuming this forum can be, not to mention the hard and tedious job of keep repeating the same answers to the same questions, keep pointing to old references, and such. So, I want to take this opportunity to thank all the active participants of this forum, Oracle employees and others. In spite of all the hardship, this forum can also be very rewarding, and at least for me, a very educated experience. I learned a lot in my attempts to help others. I can all heartedly recommend it to everyone who enjoys helping others, and enriching him /her self in the process.
    Regards,
    Arie.

    If I understand you correctly, you ought to reinstall. At this point, even if you're able to resurrect this installation, it might be severely unstable. Mostly because of my proclivity for messing around with settings until I screw something up, I have a tremendous amount of experience with the recovery console, and my success rate is not inspiring. If you have data you need on the drive, your best course of action is to reinstall to a different boot drive, and once you’re able to boot, archive the files you want from the corrupted installation. Then you can wax both drives, restore the data and get everything back the way you want it. Getting your data back from the recovery console is basically a lost cause since it doesn't support wildcards (as in, you'd have to copy every freaking file one at a time).
    I re-read the above paragraph, and it's not the clearest thing I've ever written, so if you need clarification on anything, let me know.

  • ACE: Significance of mask in nat-pools configured for Source NAT

    Hi guys
    If I am using source nat in ACE (One IP address 10.10.10.200) used for all client address translations.
    What would be the difference between the nat-pools configured with different netmask.
    What is the recommended netmask for pat, 255.255.255.255 or Vlan interface's Mask (/24 in this case)
    and why?
    case1:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.0 pat
    service-policy input clientvips
    no shutdown
    case2:
    interface vlan 7
    ip address 10.10.10.100 255.255.255.0
    nat-pool 1 10.10.10.200 10.10.10.200 netmask 255.255.255.255 pat
    service-policy input clientvips
    no shutdown
    Thanks in Advance
    A.

    Gilles
    Thanks a lot. It makes more sense now.
    I posted another question for an ACE design validation. Could you please validate this
    I am planning to deploy ACE module in following manner:
    > ACE will be in one arm mode ( Only one vlan connected to the ACE).
    > Vips & Rservers (all serverfarms) will be in the same Vlan X.
    > Default gateway on the ACE & Real servers will be the upstream router
    > There will be Source NAT configured for all Serverfarms.
    ACE --- Vlan X -------Router--- internet
    .................|
    .................|-- Sfarm 1
    .................|
    .................|-- Sfarm 2
    .................|
    .................|-- Sfarm n
    I am pretty sure that it should work.
    Just wanted an expert opinion.
    Thanks

  • Best design structure for 4710's

    We are implementing 4710's in our core network..
    What could be the best design structure from a simplicity point of view?
    One interface VLAN for VIPs, connected front end to the core, and back end for servers (routed mode)?
    Should you have more than one interface VLAN for servers and/or clients?
    At which point would you need multi-context, besides an Admin context?
    Should you put a management interface on each context?

    We are implementing 4710's in our core network..
    --what could be the best design structure from a simplicity point
    Design would vary based on specific requirements. To connect it to a specific layer on the network (core/agg) you would have to check the traffic flow to decide what suits you best.
    In terms of ACE design, if source IP visibility is not a requirement, One-arm mode with Source NAT provides the ability for non load balanced traffic to bypass the ACE. If it is a requirement you can use PBRs but that complicates things a little because you have to now manage the routers for changes on the ACE. With routed mode, the design is simple and servers point to the ACE as their default gateway. Need to weigh the pros and cons of each of the options based on the specific requirements.
    --one interface vlan for for vips---connected front end to the core..and backend for servers (routed mode)
    Yes - for routed mode that would be the way to do it. In this case, in addition to load balancing, the ACE routes non-loadbalanced traffic to/from the servers.
    should you have more than one interface vlan for servers and or clients?
    - Depends on your subnets. If you have separate subnets for your web/app/db servers then it is a good idea to have different subnets. Also, you may want to think about separate contexts if you want complete isolation between the layers.
    --at which point would u need multi context.......besides an Admin context
    As far as possible, try to keep the Admin context only for administration. Make a separate context(s) for load balancing and manage the resources to it.
    --should you put a management interface on each context?
    Yes - that would give you the ability to have different users manage only their contexts.
    Hope that helps .

  • Can ACE 4710 send ICMP-dest-unreachable?

    Dear Community!
    We have previously configured an ACE context for implementing a redundant corporate DNS service and are now testing a transparent ACE context and HA configuration. One virtual IP is configured for UDP/53, listening for DNS requests. Behind the VIP, there are 3 DNS servers. As the next step of our testing process, we have shut down all real-server instances behind the virtual IP while inspecting DNS client behaviour. The DNS clients requesting the virtual-IP DNS service need an ICMP destination-unreachable packet to switch over to the secondary DNS server.
    Can ACE 4710 send ICMP-dest-unreachable?
    Thanks in advance!
    Regards,
    Belabacsi
    from Hungary

    Unfortunately the 4710 does not send icmp unreachable when a vserver is down.
    If you have backup dns service, you can configure it on ace itself.
    Gilles.
