Two-tier ACE config question

Similar Messages

• Two-Tier Firewall Config

  We want to setup a Data Center Network for core banking with all the application and Database servers.For the same we are planning to design a Two-Tier firewall network architecture. First Tier firewall (Cisco PIX in failover mode) will have Web servers in DMZ as front end application server. Second Tier firewall (PIX firewall Failover mode) will have the Application and database servers in DMZ as back end servers.
  Flow of data will be such that any user logging from internet will access web servers at the first level, get authenticated and web servers will in turn talk to the internal application servers for any data request.
  Is the above design OK….
  Pls find attached topology diagram….
  Also provide me with the sample PIX config for the above Two-Tier firewall architecture implementaion of application and database servers.
  Hi,
  IP Scheme is as listed below.
  Lan IP = 192.168.1.0/24 - 192.168.24.0/24
  Internet Firewall DMZ Network (Tier-1) = 192.168.252.0/28
  Internet Firewall Internal Network (Tier-1) = 192.168.252.16/28
  Intranet Firewall External Network (Tier-2) = 192.168.252.16/28
  Intranet Firewall DMZ Network (Tier-2) = 192.168.252.32.0/28
  PiX Firewall Internal Network (Tier-2) = 192.168.252.48.0/28
  Regards

  Hi Collin,
  This server is lync edge server. My idea is one network card for to NAT with public IP adddress ( 172.16.2.x NAT with Public IP ). One is for the Internal Firewall To NAT with internal network. (20.20.0.x NAT with internal IP 10.10.0.x).
  Your suggestion is want to use one NIC with one IP address for DMZ server going to both firewall, is it ?
  Please advise me, thanks.
    Thanks,
     Ko Htwe

• Upgrade from a two tier EBS 11i 11.5.10.2 on Windows 2003 Apps and Windows 2008 R2 DB  tier to two Tier R12.2.3 both on Windows 2008 R2

  Hi,
  Any ideas about the best practices for the migration/upgrade reflected with the below question?
  I have a source EBS11i 11.5.10.2 running as a two tier configuration ( apps tier on server  ora10 on Windows 2003, DB tier 11.2.0.2 on server ora1 on Windows 8 R2. Can I use the Note 1377213.1 for a migration to a two tier configuration ( apps tier on server T10 running Windows 2008 R2 and EBS 12.2.3 and DB tier running 11.2.0.4 on Windows 2008 R2 )? What alternative approach could you suggest? As far as I know EBS11i is not certified on Windows 2008 R2 and R12.2.0 is not certified on Windows 2003.

  Yes you can by following "Application Tier Upgrades and Migrations" section -- Install 12.2 apps tier on 64-bit Windows and proceed with the upgrade.
  Oracle E-Business Suite Installation and Upgrade Notes Release 12 (12.2) for Microsoft Windows x64 (64-bit) (Doc ID 1330706.1)
  Thanks,
  Hussein

• ACE checkpoint question

  I have a ACE checkpoint question. when u create a checkpoint to save the config on the ACE module where does the file get stored

  HI,,
  To display checkpoint information, use the show checkpoint command in Exec mode. The syntax of this command is:
  show checkpoint {all | detail name}
  The options and arguments are:
  •all-Displays a list of all existing checkpoints
  •detail name-Displays the running configuration of the specified checkpoint
  For example, to display the running configuration for a specific checkpoint, enter:
  host1/Admin# show checkpoint detail MYCHECKPOINT
  Sachin

• MuVo: Two-Tier Director

  Hi, i'm sure this is something that's been asked a million times before, but I'm a little confused about the Firmware upgrade i just did.
  It mentioned that the Firmware update;
  "Improves track organization and playback with two-tier directory structure."
  How does this work... I'd be grateful if someone would enlighten a novice , many thanks

  I was trying to help, and you misread my answer. Using folders to store albums in *is* simply a really great way to organise them, I was trying to be helpful!
  As I already said most MuVos do work with folders, and it is documented in the manual for *these* players. I assumed this was the case with the original MuVo (we also have the MuVo NX, MuVo TX, MuVo TX FM, MuVo USB 2.0, MuVo Slim, MuVo Micro N200, MuVo Sport C00, MuVo V200, MuVo? and MuVo? FM, so perhaps you can see it isn't quite that clear cut). I'm sorry that I couldn't fully answer your other questions, but that's no cause to be nasty to someone as any sensible person I'm sure would agree with.
  I don't own many of the products that Creative sell, but I have helped and solved a lot of questions. Take a minute or two to actually look back over some of the posts I've made, and what others have said about my answers before you jump to your conclusions.
  What is it with some people on the Internet and overreacting...Message Edited by SSR on 04-20-2005 :49 PM

• I am getting a Two Tier Service from BT - Mods?

  It just got me thinking, all us without iPlayer at the moment are effectively suffering.
  We are paying the same charges for a service that is effectively a lower tier (bugs aside) compare to everyone that has iPlayer now. To me this is a two tier service.
  Personally I think anyone that does not have iPlayer should be entitled to a rebate on their bill until they recieve it. Yes I know iPlayer is free and I agree the content is free, but somebody has to pay for the software that runs it? and lets face it iPlayer has a lot more content than Replay has?
  And when these so called Linear channels come along (Linear TV via Broadband - Multicast) I bet the same thing will happen then, We will all pay the same monthly fee, some will have it, some will not, the have nots will effectively be getting ripped off as they are getting charged the same for a inferior service.
  It happened before with ADSL/ADSL Max, and is happening now from what I can see with ADSL Max/Infinity.. People can get Infinity for the same price as ADSL Max.. i would love to have infinity for the same price where I am now but I doubt I will see it this side of 2020, same for Linear TV..
  How much longer are people going to put up with this two tier service? Last time I checked with Virgin Media, the cost was different based on what you selected And what you could get....

  Now you have changed the terms of the argument you are making from a two tier service to how BT rolls out products and try to compare it to browser upgrade.
  You are not only shifting your point now but making an absurd comparison.
  Think of it more akin to digital switchover. There are some places in the country that still can't get Freeview or even analogue Channel 5. There are places where even after DSO they only get a small number of channels.
  If you take this back to your original argument then all of it two, three and four tier services and all who don't get everything should be compensated in some way. It really doesn't stand up to scrutiny.
  Life | 1967 Plus Radio | 1000 Classical Hits | Kafka's World
  Someone Solved Your Question?
  Please let other members know by clicking on ’Mark as Accepted Solution’
  Helpful Post?
  If a post has been helpful, say thanks by clicking the ratings star.

• A few post config questions on new setup

  Hi Group,
  Just a few post config questions.
  First, how can I confirm my controller is in fact associating properly with an NTP server?  On a typically cisco product, I could just do a 'show ntp associations' or a 'show ntp status'.  I cannot see a way to confirm this on the gui or command line.
  Second, on my guest network with web-auth, if one were to choose to not use https for web-auth and instead use unsecure http, would that be possible and if so where in the gui?
  Thanks.

  The third field is from a WLC running v7.4 not v7.2.  I usually would install a 3rd party certificate, but what eles you can try is issue this command on from the CLI.  It had issues working with certain code versions, but you might as well give it a try.
  config network web-auth secureweb disable
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Three tier (mod pl/sql) vs. two tier (PL/SQL Gateway)

  I've been using 10g Database and 10g application server on separate servers for some time now.
  Going the two tier (11g) route has some attractions, but what are the disadvantages?
  The Oracle documentation I've seen says very little on making the decision, giving benefits as:
  Ease of configuration
  Included in the database
  No separate server installation
  - but no negatives.
  Does anyone have any real live experience of comparing the two options?
  I'm inclined to believe that three tier might have more tuning flexibility, better performance if each tier is on a different server. Maybe worse than two tier if on one server, assuming two tier eliminates communication overheads..
  Does pl/sql gateway have the caching ability of Apache/mod pl/sql - I assume not? - that could make a big difference.
  Any thoughts would be welcome...

  There are several key performance advantages of OHS over EPG. I'm working a lot with the EPG right now and pushing the XDB team to add several of these features (maybe in 11.2, possible backport, but don't count on it). I used recommendations from the yslow Firefox add-in to do some performance tuning. Here's there list of Best Practices:
  http://developer.yahoo.com/performance/rules.html
  - EPG does not add an "Expires" header. So, lets say you have 25 images in your page template, and none of them change. Each page view will still request those 25 images. They use etags, so you don't have to download the images, but your browser still makes the requests which is quite slow. From my testing, pages could be up to 4 times slower with the EPG with a pretty standard template. The XDB team is aware of this and working hard to resolve it.
  - EPG does not support gzip. This is another HUGE performance hit.
  Keep in mind you can't test any of those issue with debug mode in APEX, you really need to use a browser plugin such as Firebug + ySlow. The render speed from APEX's point of view will be the same, no matter what HTTP server you use.
  The other big on is mod_rewrite support. There is no way easily create friendly URLs for your apps. Another thing to consider is that a number of Identity Management systems, such as Oracle Access Manager (OAM) work by installing an Apache Module or in the case of IIS, some type of plugin (forget what they call it). There is no concept of this in EPG.
  IMHO, it's convenient for laptops, but I would never use it for production unless you needed some feature that it exposes, such as WebDav or FTP access to the XDB repository...
  Tyler

• Request - Perl script that can parse an ACE config from a VIP

  Has anyone ever written a Perl script that can take the VIP from an ACE config and parse it out into the component parts of the config, ACLs, NATs, Class-map, policy-map, etc. ?
  This seems like something someone must have written already.
  Thanks in advance!

  Any reason you dont want to use XML instead of doing just PERL ?  Its lot easier to do with XML scripts as ACE has a XML interface to query whatever is needed. So that said, you can use a perl to interface ACE via XML. Here's a simple Perl that uses LibCurl:
  #!/usr/bin/perl
  use WWW::Curl::Easy;
  my $numArgs = $#ARGV + 1;
  if ($numArgs<4)
  die("Usage: shusers.pl ip_address username password command\n");
  my $ip = @ARGV[0];
  my $uname = @ARGV[1];
  my $pwd = @ARGV[2];
  my $cmd = @ARGV[3];
  my $curl = new WWW::Curl::Easy;
  my $posturl = "http://$ip/bin/xml_agent/";
  my $xml_cmd = "xml_cmd=<$cmd/>";
  $curl->setopt(CURLOPT_HEADER, 0);
  $curl->setopt(CURLOPT_FRESH_CONNECT, 1);
  $curl->setopt(CURLOPT_URL, $posturl);
  $curl->setopt(CURLOPT_RETURNTRANSFER,1);
  $curl->setopt(CURLOPT_USERPWD,"$uname:$pwd");
  $curl->setopt(CURLOPT_POST,1);
  $curl->setopt(CURLOPT_POSTFIELDS, $xml_cmd);
  $curl->perform;
  my $info = $curl->getinfo(CURLINFO_RESPONSE_CODE);
  print $info;
  Hope this helps.
  Cheers
  V.K

• Workshop Weblogic config questions

  I'm using Oracle Workshop for WebLogic 10.3 and I'm hoping someone can answer some setup/config questions.
  When I double click on the server (WebLogic Server v10.3 at localhost) a window opens with various settings that manage how workshop and weblogic work together.
  Under "Startup & Deployment" I have the following turned on:
  Launch WebLogic server in Eclipse console
  Always start WebLogic Server in debug mode
  Ignore project compilation errors when publishing (I have this turned on because of errors in a portal project, the errors aren't inmportant, and don't prevent the project form running)
  Run stand-alone web module directly from workspace
  So, first question, with these settings I was able to quickly switch to debug mode, with out restarting the server, now the server restarts whenever I turn debugging on. What have I done that has stopped this working correctly? How can I get it to start debugging without a full restart?
  next question, what happens if I turn on "Start WebLogic Server in Express Mode"? As far as I can tell nothing happens.
  Lastly, under "Automatic Publishing" I have it set to "Never publish automatically", if I choose another setting workshop essentially freezes because it's constantly publishing. So whenever I make a change, even in a jsp, I need to remove the project, then re-add it to see my changes in the browser. This is frustrating, not just because it takes 8 or 9 minutes (8 or 9 MINUTES!!!), but because the project doesn't run properly until it is redeployed. You'd think that if it needs to be re-deployed, then none of my changes should matter on the server until it is re-deployed.
  So, my question is, Is there any way to get this re-deployment to happen faster?
  Thanks for any and all help

  Well, in my experience performance is not bad as you experienced. Is it locally connected server or remotely connected server? If it is a remote server, network issue could cause this latency issue.
  Is performance better if you run the server without enabling debug mode? If yes, probably you can also review any break points set.
  You could also try out the following options
  1) Run workshop with -clean option, by opening command prompt and navigating to workshop_home\'workshop.exe -clean'
  2) Untick the option 'Launch WebLogic server in Eclipse console' and start server which would enable server to start on command prompt
  3) This would enable you to take multiple thread dumps (cutl +Break) on the server console output, while performance is very bad, to see where threads are halt.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

• Re: PLM4P v6003 Config Question:  Any way to configure UGM Notifications?

  After reading:
  PLM4P v6003 Config Question:  Any way to configure UGM Notifications?
  This is one of the requirements from me as well. We always wanted to customize emails sent not only for UGM but also for other modules. We wanted to conveysome message to approvers. But it seems this is still not possible. Is this functionality on road-map of AgielP4P product management?

  Currently, the subject and body of emails can be customized to an extent, as they are translations that can be overridden. The translations have some placeholder fields that get populated by the system, but you are limited to those placeholder fields. The upcoming release will give you full control of the email body and subject lines, for GSM and SCRM emails, as well as Supplier Rep emails.

• Converting from two tier to three tier environment

  We are looking at converting our current two tier portal environment to a three tier environment. The database will stay on the machine where it is currently loaded I would like to move the 9ias home to a seperate machine and place it outside the firewall and utilize the dmz port for communications. Is there any documentation that deals with this process?
  Thanks in Advance
  Kevin

  any body please suggest any links to implemet the said three tier systemBack 5 - 7 years ago the company I worked for did just that.
  Previously had been running Forms 6 in client server mode.
  The forms were massaged/tweaked/rewritten such that the EXACT same source code was valid for C/S & webforms.
  I wrote a script that would nightly extract the Forms source & then compile using Forms 9 (at that time).
  At the end of this process end users could run the application using either C/S or webforms.
  One user at a time was converted from C/S forms to webforms.
  It was a long but painless transition.
  HTH

• Redundant FWSM Config Question

  Hello All,
  I'm going to be configuring failover with FWSMs for our 6500 at my job and I have a config question. There is one current 6500 chassis with 2 FWSMs installed. They are both online but currently since failover isn't setup, only one FWSM is actually active. My question is since we are using mutiple contexts where do I setup the failover interface, and do I need to configure failover on every single vlan on the FWSM? We have over 10 contexts each with 2-3 interfaces on them, so do I need a failover IP for every vlan that exists on every context? Also, does the failover config get setup on the admin or system context? Any help would be greatly appreciated, and thank you so much in advance!

  Hi John.
  Failover config goes in the system context. For the data interfaces in each context, you will need a primary and a standby IP i.e. 2 IP's per VLAN. Once failover happens, the secondary FWSM will assume the active role and the secondary FWSM will take over the Primary IP address thus making the failover process transparent to end users.
  HTH.
  Regards
  Zubair

• Ace 6500 question

  new to ace just purchased a new blade, could somebody advise on deployment in routed and single arm mode. if a client connects to the vip can the traffic route back out the vip interface to the servers. we have a dmz were we want to deploy a vip, once the packet enters the dmz and hits the vip can the servers be located on the same subnet as the vip and also a backup server on another dmz or even the inside of the firewall.

  I am also fairly new to the ACE modules, but I think I can answer your question. Yes the servers can be located on the same subnet as the VIP. As for the backup servers, as long as the ACE can reach the servers via IP you can load balance servers even if they are if different VLANs or DMZ's.
  I have a context in one arm mode and would suggest against it unless you do not have a choice. Even though one arm mode is easy to set up, it can be a little hard to troubleshoot if you have source NAT enabled, if you do not have Source NAT enabled on the ACE, you will have to configure PBR on the MFSC of the 6500 and specify what you want to go to the ACE(what needs to be load balanced).
  If you configure the ACE in routed mode, be sure that you configure it so that you do not run into an assymetrical routing issues.
  Like I said; I am fairly new to these load balancers, but we have very talented folks on this site that can assist you with almost any ACE related question that you may have.
  Good luck,
  John...

• Existing two-tier enterprise online to two tier, root offline

  I have went through many standalone to two tier discussions/forums, but found nothing conclusive on this topic.
  I have inherited a online two tier architecture, and would like to implement some best practice work:
  first step is to place the root CA offline. Based on what I have read I can do that by backing up current enterprise online root CA.
  Then to install new root standalone CA on virtual box (switching to virtual) and use the onlines public key and same hostname to install the standalone. Make sure CRLs are placed on reachable network drive and so on...
  The issuing CA will be the same. Nothing will change...other than adding additional later on.
  Did I get this correct? Or will I have to reissue the root CA and have it be trusted on all firewalls/load ballancer, ect and reissue? Also we are pushing to two factor authentication with AD and cert based and I need to make sure I have my back-end ready. 
  If i go early ahead and implement user cert templates with current architecture, can I take root offline later and everything still will be in tact?

  In a properly deployed PKI, the offline root CA is offline from build time. You should not be converting an enterprise root CA to a standalone root CA (how do you guarantee that the private key was not compromised prior to transition).
  There is no way this would pass any form of audit (for example).
  It sounds like you are early in the process, I recommend that you start over again and do it with a proper offline root CA.
  Follow the steps in this link: http://technet.microsoft.com/en-us/library/hh831348.aspx
  Brian