Two circuit vlan in one-armed config mode
Hello.
My client needs to add another vlan to the CSS because he is getting short on ip address. So he decided to add vlan 5, removed the default route to 192.168.12.1 and added two static routes.
However nothing is working now and I can't figure out why.
The initial config was:
!*************************** GLOBAL ***************************
ip route 0.0.0.0 0.0.0.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
!************************** SERVICE **************************
service www-hux1
port 80
protocol tcp
ip address 192.168.12.24
keepalive type tcp
keepalive frequency 10
keepalive port 80
active
service www-hux2
ip address 192.168.12.25
port 80
protocol tcp
keepalive frequency 10
keepalive port 80
keepalive type tcp
active
!*************************** OWNER ***************************
owner HS
billing-info "ahp"
email-address [email protected]
content rule1
protocol tcp
port 80
add service www-hux2
vip address 192.168.12.27
add service www-hux1
balance aca
active
In the new config this is what's different:
!*************************** GLOBAL ***************************
ip route 192.168.5.0 255.255.255.0 192.168.5.1 1
ip route 192.168.12.0 255.255.255.0 192.168.12.1 1
!************************* INTERFACE *************************
interface 1/1
trunk
vlan 5
vlan 12
interface 1/2
admin-shutdown
!************************** CIRCUIT **************************
circuit VLAN5
ip address 192.168.5.20 255.255.255.0
circuit VLAN12
ip address 192.168.12.22 255.255.255.0
Can you see what's wrong in here?
I almost forgot to teel that the default gateway of real servers is the CSS
Thanks,
Joao Carvalho
Ok. I think I got the problem. The destination of the packet sent by the CSS is a public ip address and none of the static routes matches that.
Now my problem is how can I influence the next hop based on source ip address, in a CSS?
Thanks,
Joao
Similar Messages
-
One Armed Config for multiple C classes
Hi,
I am trying to implement one armed config in the existing network for several c classes. Do I need to configure multiple Circuit vlan IP addresses corresponding to different C classes or one Circuit VLAN IP is sufficient.
Can I configure VIP in a different C class than Circuit VLan IP.
I intend to use Source groups to get the traffic from servers back to CSS.
Many thanks in advance.
SSTwo options are all ok.
1. The CSS will allow you to create a secondary address on the circuit.
for example,
circuit VLAN2
ip address 148.1.2.1 255.255.255.0
ip address 148.1.3.1 255.255.255.0
2. You could also create another interface "circuit" on the CSS and assign it with the new subnet IP. Then trunk the vlan to core network.
If you uses one arm mode, then you can use either source "groups" to get the traffic from servers back to CSS or PBR from switch.
You can configure VIP in a different C class than Circuit VLan IP. However, you need to control the routing tables of all other devices. Generally speaking, I would not recommend this setup to the customer. -
Please verify the CSS and SCA configuration for one-armed transparent mode
I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
Thanks,
** connectivity ********
<client>----<router>----<CSS>---<SCA>,<Server>
- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
- SCA=11.11.11.100, connect to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
** configuration *********
CSS11050# sh run
!Generated on 01/01/2079 00:00:47
!Active version: ap0500105
configure
!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e3
bridge vlan 3
interface e4
bridge vlan 4
interface e5
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 9.9.9.2 255.255.255.0
circuit VLAN2
ip address 8.8.8.2 255.255.255.0
circuit VLAN3
ip address 11.11.11.1 255.255.255.0
circuit VLAN4
ip address 10.147.153.1 255.255.255.0
!************************** SERVICE **************************
service ING_SVC_12
protocol tcp
ip address 10.147.153.12
active
service ING_SVC_15
protocol tcp
ip address 10.147.153.15
active
service ING_SVC_SCA
port 443
protocol tcp
ip address 11.11.11.100
type transparent-cache
no cache-bypass
active
service upstream
ip address 8.8.8.3
type transparent-cache
active
!*************************** OWNER ***************************
owner ING_OWNER
content cnt_443
add service ING_SVC_SCA
protocol tcp
port 443
vip address 9.9.9.1
active
content cnt_80
add service ING_SVC_12
add service ING_SVC_15
protocol tcp
port 80
url "/*"
vip address 9.9.9.1
active
content cnt_81
add service ING_SVC_12
add service ING_SVC_15
vip address 9.9.9.1
protocol tcp
port 81
url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
acl 2
clause 10 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 10 permit any any destination any
apply circuit-(VLAN3)
acl 4
clause 10 permit any any destination any
apply circuit-(VLAN4)
ING_SCA# sh run
# Cisco SCA Device Configuration File
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"
### Password ###
password idle-timeout 15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
no web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
server ING create
ip address 9.9.9.1
localport 443
remoteport 81
key default
cert default
secpolicy default
sslv2 enable
sslv3 enable
tlsv1 enable
session-cache size 20480
session-cache timeout 300
session-cache enable
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
sharedcipher error failhtml
ephemeral error failhtml
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
keepalive frequency 5
keepalive maxfailure 3
no keepalive enable
end
endthe problem is the routing.
You need a route for the client pointing to the SCA like this
ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
This is so the reply from the server to the client goes back to the SCA first
for encryption.
Gilles. -
All,
I got a question on the one armed config.
Cisco says use "destination service" under the source group to change the default NAT behaviour of the CSS, because the servers' default gateways are set to the router IP address and the source IP address of the load balanced request is not on the local subnet. I understand this way you avoid the packets reaching the router directly when they head back to the client, bypassing the CSS.
Now the question I got here is that, what if I set the Servers' default gateway to the CSS rather than the Router. This way you are actually forcing the packets destined for remote networks to go through the CSS DG.. Should I need the source group anyway here. I think I don?t. Someone please clarify. Much appreciated?
thanksif you set the default gateway to be the CSS, then there is no need for the source group.
However, if you have traffic going directly to the servers, they will go client-->router-->server-->CSS [breaks - because asymetric flow].
If you never access the server directly, you're ok. OR you can set a route on the router forcing the traffic through the CSS.
Gilles. -
CSS 11506
Is it possible to pass Client's IP address
to the Backend servers in One arm config.
It is so that we can get stats on Web Server
Thanks in advanceUnfortunately CSS does not support HTTP header insertion.
You can either perforn PBR at the Real Server's Default gateway or use CSS as default gateway of Real Servers.
Thanks
Syed Iftekhar Ahmed -
One Arm config Domain Name Content rule
Hi Guys
How does domain name content rule works in one arm config.
What do we put in source groups as VIP address.
Does it need host headers in WebServer as a requirement.
How does the client request gets completed.
Any help much appriciated..Thanks for your reply Jim,
This is what I am trying to do in a One arm config topology
( As the CSS guide ( cntntgd.pdf ) says under Configuring a Domain Name content rule)
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you
to:
Enable service provisioning to be independent of IP-to-domain namemappings
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
content domainRule3
protocol tcp
port 80
url "//domain.com/*"
add service Serv1
active
group servers
add destination service Serv1
VIP address ???????? ( what shd we put in here )
In this case what do we put as VIP address in source groups and how does the traffic flows from Client to actual Server in One arm topology. I am trying this topology where we have multiple sites configured with the same IP address with host headers
My assumption is that I shd configure DNS servers with VIP address for domain.com and use that as VIP address in source group. But how does the actual traffic flows from client to servers
Many thanks. -
We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bring up a smaller setup using CSS 11150(s) and was wondering if they work just as well, performance wise, with a one-armed config?
Thanks
chadI think it should work just fine. The same configuration would work for CSS 11000 series switches.
Check the config document:
http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml -
CSS one-armed-config and SMTP reverse lookup problems?
I was wondering if there would be potential reverse lookup problems from other company's when we try to send mail to their mail Domains.
If I configure failover for our mail server, I am thinking if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP Addresses other than what the MX record points to in DNS.
If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
Is this a valid concern?The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
In a one-armed configuration only, the network port ( Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link
http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml -
How can I run two instances of Firefox: one in Safe Mode and another in Normal Mode?
I think my question says it all.
You can't simultaneously run a normal instance and a Safe Mode instance using the same profile. So step one is to create a new profile.
* [[Use the Profile Manager to create and remove Firefox profiles]]
Right-click the desktop and choose New, then Shortcut. As the location of the item, use the following, substituting the placeholder profile name with the actual profile name you chose earlier.
"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-remote -p NameOfTheProfile
* https://developer.mozilla.org/docs/Mozilla/Command_Line_Options -
"VLAN Database Mode" to "Config Mode" conversion
How can we convert an existing VLANs created in "VLAN Database Mode" to "Config mode? what is the right procedure?
Hello,
I would just add the VLAN's using the config mode.
As with regard to your FWSM, keep in mind that, prior to IOS 12.2(14)SY, only one SVI is supported on the FWSM. If you have a later version, use the command 'firewall multiple-vlan-interfaces' to enable support for multiple VLAN's.
Not sure if you already know this link, but you might want to check the FWSM FAQ:
Firewall Services Module Frequently Asked Questions
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml
Regards,
GP -
CSM-S mode -One-Arm-vs- routed
We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?
Gilles,
What do you recommend when the traffic flows from the load balanced server are significant?
ie: you are using Oracle application and database servers, load balancing http and https to the app servers. There is significant traffic flow from the app server to the database servers, such that the load balancer in a 2-armed configuration(particularly a CSS11501 w/ 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS? -
ACE 4700 one-arm design with SSL termination
Hi,
We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
1. Are there any limitations in the one-arm design and the SSL offloading
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
I would appreciate if you can share some sample configs
Regards,
George GeorgiouThere are two ways to implement One Arm topology.
1. One Arm with PBR & 2.One Arm with SRC NAT
PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
1. Are there any limitations in the one-arm design and the SSL offloading
The limitations/config issues I can think of are following
One ARM with PBR:
Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).
One ARM with SRC NAT:
You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.
2. Can the ACE be configured with an IN and an OUT vlan to the router
CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
so that the SSL and the clear text traffic is in a separate Vlan?
Yes you can do that but wouldnt it make it routed mode topology?
3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.
Details at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
HTH
Syed Iftekhar Ahmed -
Hello Forum, ;-)
I have 2 basic questions I am having doubts about it and would love to have some clarifications:
1) I configure in one ACE4710 (running 4.2.2) context a bridged interface and in another context the same interface, like here below :
---- Context Microsoft ----
ACE1/Microsoft# sh run
interface vlan 503
bridge-group 3
access-group input NONIP
access-group input ALL
access-group output ALL
service-policy input POLICY
no shutdown
interface vlan 1503
bridge-group 3
access-group input ALL
access-group output ALL
no shutdown
interface bvi 3
ip address 120.223.22.30 255.255.255.0
no shutdown
Then I move to the Juniper context and I try to create an interface (either L-2 or L-3) but it doesn’t work:
---- Context Juniper----
ACE1/Juniper(config)# int vlan 503
Error: VLAN creation is not allowed, shared bridged VLAN exists in another context
ACE1/Juniper(config)#
It gives ERROR!!
So if I configure an interface as bridged in one Context, I cannot configure it in another context??
2) If I want to migrate in context Microsoft from One-armed to inline (L-2 bridged), can I migrate one service at the time ( I.e. the config i showed above for context Microsoft, would it work also for one-armed based???)
Thanks so much for your explanations!!
Giulio.Hello Giulio-
You can only share vlans in one-armed or routed modes. Think of it this way:
Interface vlan 10 and 11 are bridged on context C1. (bridged mode)
Interface vlan 12 and 13 are configured on context C2. (routed mode)
When you have routed mode, your server's gateway is configured to point to the ACE interface IP (or alias if you are have FT.) If a packet comes into the physical interface on the ACE, the processor has to decide which context it belongs to. Since the mac address is the interface on context X, it knows instantly where it goes. It will either hit a VIP, or be routed via the routing table.
If a packet arrived on vlan 12 or 13 and the MAC address did not belong to the ACE, it would drop the packet by basic routing rules. (think a client connected to a hub sees a packet destine to a MAC that is not its own, it drops/ignores the packet.)
In bridged mode, the gateway for your server is the router on the other side of the bridged vlan. I.e., you server is on vlan 10, the gateway is on vlan 11 and ace is bridging them together. When packets arrive to the physical interface, ACE knows the traffic arrived on vlan 10 or 11 which belongs to context C2. If the MAC address is not a VIP, ACE simply hucks the packet out of the other vlan. If you send traffic to the interface MAC that does not belong to a VIP, ACE drops it because it would not make sense to send a packet out the other vlan that has a MAC address that belongs to the interface of the ACE itself.
One-armed mode is simply routed mode with a single vlan and source NAT. Nothing special applies to how ACE handles the traffic versus routed mode with only a single vlan.
Now imagine this:
Interface vlan 10 and 11 are bridged on context C1.
Interface vlan 11 and 12 are configured on context C2.
Remember 3 things:
a.) ACE conserves MAC addresses - so the VIPs share MAC addresses with the interface.
b.) ACE will never communicate between 2 contexts directly.
c.) If you are in a routed mode and share vlans between 2 contexts, ACE will make each vlan have a unique MAC address. If you create unique vlans on each context, ACE uses the same single MAC across all vlans for all contexts.
With traffic that is destine to ACE's MAC address and the IP is a VIP, its not a problem - ACE could figure out which context the traffic belongs to (especially since vlan 11 would have unique mac addresses on each context. However, what if ACE recieved a packet to the interface 10 and 12 MAC address? How would it know if it belonged to the bridged or routed context if it was not a VIP IP? What about traffic that arrives that doesn't have the MAC of any of the interfaces? 2 different entirely behaviors would occur, ACE should drop the packet on the bridged context, and route the packet on the routed context.
So the bottom line is - you can't determine which context a packet would need to apply to in all circumstances if you tried to share vlans in a bridge mode across multiple contexts.
Regards,
Chris Higgins -
One armed bandit and one port to another
I was trying to setup a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443 say while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
http://www.cisco.com/warp/public/117/one_armed_bandit.html
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
active
group Servers2
vip address 26.19.98.45
add destination service oldwww:443
css-n1-1(config)# group Servers2
css-n1-1(config-group[Servers2])# active
%% An active source group with that address already existsThe port number of the vip does not have to to be the same as the real server.
You can set the port you want for the real server with the 'port' command under the service definition.
This is true for one-armed or any other type of setup.
The problem in your config is that you can't create 2 groups using the same vip ip address.
So, simply configure all your servers under one group.
ie:
group Servers1
vip address 26.19.98.45
add destination service oldwww:80
add destination service oldwww:443
active
Gilles. -
Is't Single-VLAN One-Armed Mode let the pop-ups error?
Dear all
In my network I deployed Single-VLAN One-Armed Mode In this mode,the real server’s default gateway is the upstream router. To ensure the return
flow traverses back through the load balancer, the IP address of the client isrewritten to that of the load balancer.
Direct access web was fine ,however when open Pop-ups website will appear error Example, the figure-1 :
figure-1
When I used real Server IP address not through ACE anything will be fine. Example, the figure-2 :
figure-2
The Web's Code
<%@ page language="java" pageEncoding="UTF-8"%>
<%@ taglib uri="/WEB-INF/hnisi.tld" prefix="hnisi"%>
<%@ include file="/jsp/framework/head.jsp"%>
<%@ page import="cn.sinobest.framework.util.DTOUtil,cn.sinobest.framework.util.Util,cn.sinobest.framework.util.ConfUtil" %>
<%
//当前登录用户 所属系统机构
String orgCode = DTOUtil.getUserInfo().getBAE001();
//操作员ID
String operId = DTOUtil.getValue("OPERID");
//角色类型
String roleType = DTOUtil.getValue("ROLETYPE");
String fromFuncDesc = DTOUtil.getValue("fromFuncDesc");
//所选操作员的姓名
String sOperatorName = DTOUtil.getValue("SOPERATORNAME");
//权限树 where 条件
String whereClsTree = " rightid in ( select distinct B.RIGHTID "+
" from FW_RIGHT B"+
" left join FW_OPERATOR2RIGHT A on LOCATE(B.RIGHTID,A.RIGHTID) = 1"+
" where A.AAE100 ='1'"+
" and B.AAE100 ='1' and A.operid = '"+operId+"' ";
//条件:有效角色,当前登录用户只能操作用户所属系统机构及下级机构的角色,以及上级机构的共享角色
String whereCls =" AAE100 ='1' and (BAE001 like '"+orgCode+"%' or ( IFSHARED = '1' and LOCATE(BAE001,'"+orgCode+"') = 1))";
if(!Util.isEmpty(roleType)){//角色类型
whereClsTree +=" and AUTHTYPE='"+roleType+"' ";
String roleType_zdfpzj = ConfUtil.getDict("ROLETYPE", "13");//最大分配角色
if("2".equals(roleType)){//分配角色包括:分配角色、最大分配角色
whereCls += " and ROLETYPE in('"+roleType+"','"+roleType_zdfpzj+"') ";
}else{
whereCls += " and ROLETYPE='"+roleType+"' ";
whereClsTree +=" )";
%>
<%-- 导航栏标签 --%>
<hnisi:gNavStr />
<legend style="cursor:hand;" >
<span>
<img id="img_fw_authmngr_geneauth_list_grid" src="${ctx}/themes/default/images/query_icon_right.gif">
</span>
<span title="单击展开或收缩">
<b><%=sOperatorName%></b>已拥有的权限树
<hnisi:tree id="menus" type="1" whereCls="<%=whereClsTree %>"/>
</span>
</legend>
<form name="roleListForm" method="post">
<%-- 角色列表--%>
<hnisi:glt id="fw_authmngr_geneauth_role" whereCls="<%=whereCls %>" />
<p align="center">
<%-- 确定按钮 --%>
<hnisi:btn name="btnQuery" onclick="roleAutoOk()" value="保存" href="javascript:void(0)"/>
<%-- 清除按钮 --%>
<hnisi:btn name="btnCls" onclick="cls()" value="清除" href="javascript:void(0)"/>
<%-- 关闭按钮 --%>
<hnisi:btn name="btnClose" onclick="winClose()" value="关闭" href="javascript:void(0)"/>
</p>
</form>
<form name="roleForm">
<input type="hidden" name="OPERID" value="<%=operId %>"/>
<input type="hidden" name="ROLEIDS">
</form>
<script type="text/javascript">
<!--
var orgCode ="<%=orgCode%>";
var operId ="<%=operId%>";
var roleType ="<%=roleType%>";
* 权限列表窗口
* @param roleId:角色ID
function winRight(roleId){
var eventId="1";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&ROLEID=" + roleId+"&_t="+new Date().getTime());
* 确定-保存授权信息
function roleAutoOk(){
$(function(){
var roleIds = "";
$.each($("input[name='checkbox']:checked"),function(i,o){
roleIds += (i==0 ? "" : ",")+o.value;
if (roleIds == ""){
FWalert("请选择要操作的角色!");
return;
roleForm.ROLEIDS.value = roleIds;
var params = FWGetForm(roleForm);
if(params.ROLEIDS ==""){
FWalert("请选择要操作的角色!");
}else {
var fromFuncDesc = "<%=fromFuncDesc%>";
//先进入本次权限变更列表页面,确认后再保存
var title = encodeURIComponent('授权确认');//对话框的标题
var url = "right!list.do?OPERID="+operId+"&fromFuncDesc="+fromFuncDesc+"&ROLETYPE="+roleType+"&ROLEIDS="+roleIds+"&title="+title+"&_t="+new Date().getTime();
var position="resizable:1;status:0;help:0;scroll:1;center:1;dialogWidth:800px;dialogHeight:500px";
window.showModalDialog(url,window,position);
* 直接授权:弹出权限树窗口
function directAuto(){
var eventId="2";//授权事件(1 查询、2 授权)
//弹出模态对话框,并加上时间戳以防止缓存
window.showModalDialog("right!left.do?EVENTID=" + eventId+"&ROLETYPE="+roleType+"&OPERID=" + operId+"&_t="+new Date().getTime());
* 清除:清除已选择的角色 checkbox
function cls(){
var c_checkbox=document.getElementsByName('checkbox');
for (i=0;i<c_checkbox.length;i++){
c_checkbox[i].checked=false;
* 关闭窗口
function winClose(){
window.close();
//-->
</script>
</body>
</html>
The ACE's config
`show running-config`
Generating configuration....
boot system image:c4710ace-mz.A4_2_0.bin
interface gigabitEthernet 1/1
switchport access vlan 100
no shutdown
interface gigabitEthernet 1/2
shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
switchport access vlan 3
no shutdown
access-list ALL line 8 extended permit ip any any
access-list allowany line 8 extended permit ip any any
access-list allowany line 16 extended permit icmp any any
probe icmp Ping
interval 2
faildetect 2
passdetect interval 2
passdetect count 1
receive 2
probe tcp TCP6666
description RPC Client Access
port 6666
interval 30
passdetect interval 60
connection term forced
open 10
probe tcp TCP8888
description RPC Client Access
port 8888
interval 30
passdetect interval 60
connection term forced
open 1
rserver host YB1
ip address 110.43.102.241
inservice
rserver host YB2
ip address 110.43.102.245
inservice
rserver host YB3
ip address 110.43.102.246
inservice
rserver host YB4
ip address 110.43.102.247
inservice
rserver host YB5
ip address 110.43.102.248
inservice
rserver host YB6
ip address 110.43.102.242
inservice
serverfarm host YB01farm
predictor leastconns
probe TCP6666
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
serverfarm host YB02farm
predictor leastconns
probe TCP8888
rserver YB2
inservice
rserver YB3
inservice
rserver YB4
inservice
rserver YB5
inservice
parameter-map type http PRESIST-REBALANCE
persistence-rebalance
sticky ip-netmask 255.255.255.255 address source YB01-GRP
timeout 60
replicate sticky
serverfarm YB01farm
sticky ip-netmask 255.255.255.255 address source YB02-GRP
timeout 60
replicate sticky
serverfarm YB02farm
sticky http-cookie COOKIE1 STICKYYB01
cookie insert browser-expire
timeout 3600
replicate sticky
serverfarm YB01farm
action-list type modify http IP-header
header insert request X-Forwarded-For header-value "%is"
class-map match-all YB01-slb-vip
2 match virtual-address 110.43.102.251 any
class-map match-all YB02-slb-vip
2 match virtual-address 110.43.102.252 any
class-map type management match-any remote_access
description remote-access-traffic-match
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance http first-match YB01-slb
class class-default
sticky-serverfarm STICKYYB01
action IP-header
policy-map type loadbalance http first-match YB02-slb
class class-default
sticky-serverfarm YB02-GRP
action IP-header
policy-map type loadbalance first-match YB6666
class class-default
sticky-serverfarm STICKYYB01
action IP-header
insert-http https header-value "on"
policy-map multi-match client-vips
class YB01-slb-vip
loadbalance vip inservice
loadbalance policy YB6666
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
appl-parameter http advanced-options PRESIST-REBALANCE
class YB02-slb-vip
loadbalance vip inservice
loadbalance policy YB02-slb
loadbalance vip icmp-reply active
nat dynamic 100 vlan 100
interface vlan 3
ip address 192.168.50.2 255.255.255.240
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 100
ip address 110.43.102.238 255.255.255.0
access-group input allowany
nat-pool 100 110.43.102.239 110.43.102.239 netmask 255.255.255.255 pat
service-policy input remote_mgmt_allow_policy
service-policy input client-vips
no shutdown
ip route 0.0.0.0 0.0.0.0 110.43.102.112Hi,
The error comes when accessing the website through LB. The error is thrown by the server. Do we know what does that error indicate and will be thrown by server under what circumstances?
Can you just try with one server in the serverfarm and check if it works fine?
Does it load initial page at all or throws error right away.
What do you see in show conn output? Which VIP is in question here?
Regards,
Kanwal
Maybe you are looking for
-
I have my home computer on every day, and as I'm working or on eBay or whatever, all of a sudden nothing works. At the top line on the computer screen it says, "Mozilla Firefox (Not Responding). It happens several times a day. I cannot do anything wh
-
Windows Media Player will not play embedded in Firefox
I'm puzzled over the sudden inability to play embedded Windows Media Player files in Firefox. Everything was working fine, then suddenly yesterday with no changes made by me and no updates or other changes to the system I am aware of, suddenly it wil
-
Hello All, I have some files within sub folders. Below is the layout C:\Source\01012015\Sample_1.csv C:\Source\01012015\Sample_2.csv C:\Source\02012015\Sample_1.csv C:\Source\02012015\Sample_2.csv C:\Source\03012015\Sample_1.csv C:\Source\03012015\S
-
Default timezone from Web calendar (currently UTC)
When I create an event using the Web calendar, it seems to use UTC as the time zone. This causes a problem when I go into iCal and see that the event is several hours off compared to what I set when I created the event. I can edit the event in iCal t
-
User date formate in Application
Hi, Oracle Application How can I change date format to MM/DD/YY (which is non default) for one user. Pl provide the navigation path. Any help will be highly appreciated