VIP and Interface Redundancy

Yet another question...
I am running two CSS 11501 using VIP and INT Redundancy. One thing I am a little confused about, based on the sample configs and documentation is the following statment.
"Typically, you configure VIP redundancy on the public side of CSS peers that are positioned in front of a server farm. You configure virtual interface redundancy on the private-side interfaces attached to the Layer 2 device in front of the servers"
This sort of makes sense to me. Except if I only configure VIP redundancy on the public side of the CSS how do I route my packets from my firewall to the CSS for servers behind the CSS that are not VIPed - if I do not use Interface redundancy on the public side as well, then I have to route the packets to the physical interface.
I guess the question is - can I use interface redundancy on both the public side and the Server sid of the CSS as well as VIP Redundancy on the Public side??
Thanks,
Heath

Heath,
that's no problem.
You can turn on interface redundancy wherever you want.
The documentation just refers to the most common situation.
Regards,
Gilles.

Similar Messages

  • Global load balancing/active active vip and virtual interface redundancy

    Is there a way to configure both of these technologies without exposing the external addressing to the internal network? I have active active within the data center and would like to have active/active across two data centers but I don't see any way to use internal addressing for my content rules and still use them for dns unless I can specify records without using content rules. Thanks.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a008009438a.shtml
    http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_guide_chapter09186a0080157898.html

    Hi Victor,
    In response to your questions regarding doing Active/Active GSLB using VIP and interface redundancy.
    Rule Based GSLB will not work with VIP/Interface
    redundancy.
    The reason is because the CSS can not set up an app session to a redundant
    interface, it needs to set the app session up to a real interface. Thus, a
    full mess topology must be used for GSLB and vip/interface redudancy.
    Bug ID CSddw27861 reported this problem and engineering added the command
    "ap-kal-vip" to support a full mess topology. This command can only be used
    under zone based GSLB and not rule based.
    The syntax for the command would be:
    dns-record a www.work.com 5.5.5.5 0 single kal-ap-vip 1.1.1.1
    rule/ACL based GSLB with vip/int redundancy will not work.
    Regards,
    Mark

  • CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

    With Reference to the following CCO documentation;
    1). "How to Configure the CSS to Load Balance Using 1 Interface"
    In this example, the Real Server's (10.10.10.2 etc) gateway are pointed to the router's gateway(10.10.10.1) and used the 'add destination service' command to NAT the RealServer's IP address back to the VIP (10.10.10.6).
    2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
    In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
    Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
    (i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
    (ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
    Method a)
    1.Configure the Real Server's gateway to Router's Gateway
    2.Configure 'add destination service' command on the CSS to NAT the RealServer's IP address back to the VIP
    3.Configure VIP(non-shared) redundancy for the VIP on the CSS
    4.IP Interface Redundancy on the CSS is not required as the Real Server's gateway is already pointing to the Router's gateway. (Assuming that HSRP redundancy is already running on the Router)
    Method b)
    1. Configure the Real Server's gateway to the CSS's IP Interface Redundancy IP Address
    2. Configure IP Interface Redundancy on the CSS (as the Real Server's gateway)
    3. Configure VIP(non-shared) redundancy for the VIP on the CSS

    if you use method a) (server gateway is the router) you need the CSS to nat
    the source ip address of the client in order to force the server to send traffic back to the CSS.
    The issue then is that the server does not see the IP address of real client.
    The server only see connections with source IP address = CSS ip address.
    With method b) you don't have the above problem, but connection initiated by the servers are sent to the CSS that will then send it to the router.
    You have a performance issue because the traffic will cross 2 times the one-armed interface.
    If this is a new design, it is strongly recommended not to use one-armed setup.
    Regards,
    Gilles.

  • IPS Appliance (4500 and 4300) interface redundancy

    Hello all,
    Around interface redundancy (A.K.A. interface bonding): our design actually includes a catalyst switch and a couple of IPS appliances 4500, an etherchannel configured with 2 SPF+ cables, one to each IPS. As you might know this are 10Gbps links. This as you see has a layer of resilience by having 2 IPS etherchanneled into the Catalyst.
    Now, if one cable fails or interface fails, can we configure any sort of interface bonding or semi-automatic setup with a extra link (in standby or not active) given that we might have spare 10Gbps ports on the switch AND on the IPS? Is there a best practise or something around this? I think the ASA firewalls have a command called "member-interface" which allow this type of redundancy but I think I have not seen this on the CR for the IPS OS. ( see http://yurisk.info/2010/08/23/redundant-interfaces-in-cisco-asa/)
    Cheers!
    Heber

    Cyrus,
    It kinda does, it is called Event action filters, where you can excempt host/subnets for triggering certain signatures.
    http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_event_action_rules.html
    Whatever you put on them, wont trigger the signatures you dont want it to trigger.
    Hope it helps.
    Mike

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topolgies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • Weired issue odd IP's can ping the VIP and even can't on the Nexus 9K switch.

    Hello experts!
    we have two nexus 9k core, attached to the HP Blade v7000 chasis and VPC configured. All Vlans are HSRP are configured. VPC is configured successfully. But the weird this is that source IP address 10.1.2.3 can ping the dest VIP (on the loadblanacer) but 10.1.2.4 can't ie all odd IP's can ping the vip and even IP's can't ping and this is happening in all other Vlans. No firewall no security applience ... windows firewalls are turned off, no ACL's on the swtiches. If I shut down the interface on nexus 1 then all IP's can ping the VIP, as soon as I unshut the interface then .4 stops pinging, and if I shutdown the interface on nexus 2 then all IP's can ping. 10 gig links are connected to Flex fabric card and vpc port channel is up. Any thoughts or help ?
                                   Nexus 1                                                                                                                        Nexus 2

    Hello experts!
    we have two nexus 9k core, attached to the HP Blade v7000 chasis and VPC configured. All Vlans are HSRP are configured. VPC is configured successfully. But the weird this is that source IP address 10.1.2.3 can ping the dest VIP (on the loadblanacer) but 10.1.2.4 can't ie all odd IP's can ping the vip and even IP's can't ping and this is happening in all other Vlans. No firewall no security applience ... windows firewalls are turned off, no ACL's on the swtiches. If I shut down the interface on nexus 1 then all IP's can ping the VIP, as soon as I unshut the interface then .4 stops pinging, and if I shutdown the interface on nexus 2 then all IP's can ping. 10 gig links are connected to Flex fabric card and vpc port channel is up. Any thoughts or help ?
                                   Nexus 1                                                                                                                        Nexus 2

  • Weired issue odd IP's can ping the VIP and even can't!

    Hello experts!
    we have two nexus 9k core, attached to the HP Blade v7000 chasis and VPC configured. All Vlans are HSRP are configured. VPC is configured successfully. But the weird this is that source IP address 10.1.2.3 can ping the dest VIP (on the loadblanacer) but 10.1.2.4 can't ie all odd IP's can ping the vip and even IP's can't ping and this is happening in all other Vlans. No firewall no security applience ... windows firewalls are turned off, no ACL's on the swtiches. If I shut down the interface on nexus 1 then all IP's can ping the VIP, as soon as I unshut the interface then .4 stops pinging, and if I shutdown the interface on nexus 2 then all IP's can ping. 10 gig links are connected to Flex fabric card and vpc port channel is up. Any thoughts or help ?
                                   Nexus 1                                                                                                                        Nexus 2

    Nexus 1
    show hsrp active brief
                         P indicates configured to preempt.
                         |
    Interface   Grp Prio P State    Active addr      Standby addr     Group addr
    Vlan99      1   120  P Active   local            10.104.0.3       10.104.0.1      (conf)
    Vlan160     5   120  P Active   local            10.104.5.3       10.104.5.1      (conf)
    Vlan200     6   120  P Active   local            10.104.6.3       10.104.6.1      (conf)
    Vlan210     7   120  P Active   local            10.104.7.3       10.104.7.1      (conf)
    Vlan310     9   120  P Active   local            10.104.9.3       10.104.9.1      (conf)
    Vlan350     11  120  P Active   local            10.104.11.3      10.104.11.1     (conf)
    Vlan450     13  120  P Active   local            10.104.13.3      10.104.13.1     (conf)
    Vlan700     14  120  P Active   local            10.104.14.6      10.104.14.4     (conf)
    Vlan750     15  120  P Active   local            10.104.15.3      10.104.15.1     (conf)
    =======================
    Nexus 2
    show hsrp active brief
                         P indicates configured to preempt.
                         |
    Interface   Grp Prio P State    Active addr      Standby addr     Group addr
    Vlan100     3   120  P Active   local            10.104.2.2       10.104.2.1
      (conf)
    Vlan150     4   120  P Active   local            10.104.4.2       10.104.4.1
      (conf)
    Vlan199     2   120  P Active   local            10.104.1.2       10.104.1.1
      (conf)
    Vlan300     8   120  P Active   local            10.104.8.2       10.104.8.1
      (conf)
    Vlan320     10  120  P Active   local            10.104.10.2      10.104.10.1
      (conf)
    Vlan400     12  120  P Active   local            10.104.12.2      10.104.12.1
      (conf)
    Vlan760     16  120  P Active   local            10.104.16.2      10.104.16.1

  • CSS sticky and load redundancy

    CSS has been configured with one VIP which has four real servers behind the VIP. We would like that clients always being dispatched to server #1 for application access, and be able to access the rest of servers if server 1 fails, in other word, we just like the CSS support sticky base on Soruce IP and load redundancy, not load sharing, is this feasible? is there is any parameter could be twicked? Thanks in advance

    The CSS allows you to use cookies or URL strings to stick to a particular server. In the past, this has required the Web hosters to modify their applications to set particular cookies or strings in the URL. For more information have a look at the following URL.
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080094398.shtml

  • Diff b/w msg mapping and interface mapping

    hi
      i have some doubt's:
       1. diff b/w msg mapping and interface mapping
       2. What is product in SLD? usually who creates the product,technical,business system??
    thx in advance..

    hI Smartsoft General User  ,
    The following r excellent websites on mapping which differentiate msg mapping and interface mapping in detail:
    Excellent PDF Document on Mapping
    http://help.sap.com/bp_bpmv130/Documentation/Operation/MappingXI30.pdf
    Mapping Development with the ABAP Workbench
    http://help.sap.com/saphelp_nw04/helpdata/en/10/5abb2d9df242f6a62e22e027a6c382/content.htm
    ABAP Mappings
    http://help.sap.com/saphelp_nw04/helpdata/en/ba/e18b1a0fc14f1faf884ae50cece51b/content.htm
    how to create a flat file out of an IDoc-XML by means of an ABAP mapping program and the J2EE File Adapter.
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/46759682-0401-0010-1791-bd1972bc0b8a
    How to Use ABAP Mapping in XI 3.0
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/e3ead790-0201-0010-64bb-9e4d67a466b4
    These r excellent websites in SLD:
    How To…Handle the SLD for SAP XI
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/9e76e511-0d01-0010-5c9d-9f768d644808
    How To…Handle Caches in SAP XI 3.0
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/1a69ea11-0d01-0010-fa80-b47a79301290
    http://www.sap-press.de/download/dateien/751/sap_press_exchange_infra_engl.pdf
    cheers!
    gyanaraj
    ****Pls reward points if u find this helpful

  • What is diff b/w abstarct and interface

    what is diff b/w abstarct and interface in real time where we come across, give a best real time example

    I think there have been lots of threads in this forum discussing interfaces and abstract classes.
    http://forum.java.sun.com/thread.jspa?forumID=256&threadID=389830
    http://forum.java.sun.com/thread.jspa?forumID=54&threadID=5120074
    http://forum.java.sun.com/thread.jspa?forumID=54&threadID=499077
    http://forum.java.sun.com/thread.jspa?forumID=31&threadID=546668
    Interfaces define a contract for what an implementing class should provide. Abstract classes do the same but they can also provide some common part of the implementation.

  • Names of interface tables and interface programs of oracle modules

    Hi all,
    i need urgent and accurate information about the names of interface tables and interface programs of the following oracle modules,R12, or either ther are custom made. Any accurate link refering to the desire information would be much appreciated.
    Plus i need a clear and simple definition and purpose of interface tables and interface program and by what other names are they known in industry.
    Data Object,Oracle Module
    Chart of Accounts,Oracle General Ledger
    Trial Balance,Oracle General Ledger
    Supplier Master,Oracle Payables
    Open Supplier Invoices,Oracle Payables
    Open Supplier Credit/ Debit Memos,Oracle Payables
    Open Supplier Advances,Oracle Payables
    Bank Master,Oracle Cash Management
    Customer Master,Oracle Receivable
    Asset Categories,Oracle Assets
    Asset Master,Oracle Assets
    Item Master,Oracle Inventory
    Item Categories,Oracle Inventory
    Sub Inventory and Locators,Oracle Inventory
    Item On Hand Balances,Oracle Inventory
    Item wise Per unit Cost,Oracle Inventory
    Bill of Material,Oracle Discrete Manufacturing
    Departments,Oracle Discrete Manufacturing
    Operations,Oracle Discrete Manufacturing
    Routings,Oracle Discrete Manufacturing
    Resources,Oracle Discrete Manufacturing
    Overheads,Oracle Discrete Manufacturing
    Employee Master,Approval Hierarchy
    Approval Hierarchy,Approval Hierarchy
    Open Customer Invoices,Oracle Receivables
    Open Customer Credit/ Debit Memos,Oracle Receivables
    Open Customer Advances,Oracle Receivables
    Pending Requisitions,Oracle Purchasing
    Pending Purchase Orders,Oracle Purchasing
    Open Sales Orders,Oracle Order Management
    Price List,Oracle Order Management

    Hi;
    Its metalink note you need to login metalink wiht valid CSI(customer Support Identifier) number to can se note via using note number.
    Please see:
    Oracle EBS Based and Interface tables
    Oracle EBS Based and Interface tables
    Regard
    Helios

  • Receiver Determination and Interface Determination Condition conflict in ICO

    Hi,
    I found a strange issue today while configuring two receivers using the Receiver and Interface Determination conditions.
    Sender - Proxy Service
    Receiver1 - ReceiverA
    Receiver2 - ReceiverB
    Receiver Determination Condition : When Field1 = 100, message should flow to ReceiverA and ReceiverB
    Interface Determination Condition (ReceiverA) : When Field1=100 and Field2=50 message should flow to a specific interface in ReceiverA
    There is no Interface Determination condition for ReceiverB, for all messages having Field1=100, it should go to ReceiverB.
    Test Scenarios:
    1) Field1=100, Field2=50 : Message flows successfully to ReceiverA and ReceiverB
    2) Field1=100, Field2=89 : Message fails to process from ECC itself throwing Interface Determination not found error. Ideally this is a positive scenario for ReceiverB and it should send the message to ReceiverB without any errors. But, this did not happen in this case
    I tried the same by configuring the conditions completely in Receiver Determination itself without using the Interface Determination, it worked perfectly fine. But, just wanted to understand that if this is an expected behavior.

    Hi Sherin,
    As there are two receivers Receiver A and Receiver B.You need to create two bussiness components and two communcication channels for two receivers and one Reciver Determination, two Interface Determination,two Receiver Agreement.In Receiver Determination you need to keep the below and condition.
    In the above screenshot the two receiver are Receiver B and Receiver C and Field 1 is Key_Value and Field2 is Emp_ID.
    If the Key_Value=100 and Emp_ID =22 then the message should go to both the receivers B & C by keeping the following AND condition
    If the Key_Value=100 and Emp_ID is not equal to 22 then the message should go only to Receiver B by keeping the following condition
    You need not keep any condition in Interface Determination just create 2 Interface determination for two receivers.
    Hope this helps you.
    Thanks,
    Durga.

  • I have installed succesfully a PCI cards seen by windows but it does not appears in the device and interfaces tools of the Measurement and automation manager?

    Cannot install new objects in device and interface to use the ni-imaq library and to take image from my camera.

    Which PCI card did you install? The PCI-8252 and PXI-8252 will not appear in MAX. Does your card appear in the Windows Device Manager?

  • How to failover SCAN VIP and SCAN Listener from one node to another?

    Environment:
    O.S :          HP-UX  B.11.31 U ia64
    RDBMS:   Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    It is a 2 Node RAC.
    Question:
    How to failover the SCAN VIP and SCAN LISTENER running on node 1 to node 2?
    What is the relation between standard LISTENER and SCAN LISTENER ?
    Why do we need LISTENER, when we have SCAN LISTENER ?
    When I tried with SRCVTL STOP LISTENER , I thought the SCAN LISTENER adn SCAN IP will failover, but it did not?
    Also please clarify if I use SRVCTL RELOCATE SCAN -i 1 -n Node1
    Actalluy I am trying that by moving the SCAN listeners so that when I do PSU 7 patching on 1 node, no incoming attempt to connect will spawn
    a process and thereby opening files in $ORACLE_HOME (which would prevent the patch from occurring)
    Please clarify my queries.
    Thanks,  Sivaprasad.S

    Hi Sivaprasad,
    1. The following link will help you for SCAN VIP and SCAN LISTENER failover from 1 node to another.
    http://heliosguneserol.wordpress.com/2012/10/19/how-to-relocate-scan_listener-from-one-node-to-another-node-on-rac-system/
    http://oracledbabay.blogspot.co.uk/2013/05/steps-to-change-scan-ip-address-in.html
    2. The Standard LISTENER is specific for particular node for which it is running. It cannot be relocated as its specific for the node its running. SCAN listeners are not replacements for the node listeners.A new set of cluster processes called scan listeners will run on three nodes in a cluster (or all nodes if there are less than 3).  If you have more than three nodes, regardless of the number of nodes you have, there will be at most three scan listeners. So no relation for standard LISTENER and SCAN LISTENER.
    3. Hmmm. let me put it in easy way for this question. All the RAC services like, asm, db , services, nodeapps registers with this SCAN_LISTENER. So if any of these services (asm, db , services, nodeapps) got down/not running, the SCAN_LISTENER will know the down status, and if any client requests to access the node/service which is down, the SCAN_LISTENER will redirect the client request to the least loaded node. So here all these process will happen without the knowledge of client. And As usual the standard LISTENER looks only for incoming request to connect with the database. So we need both LISTENER and SCAN LISTENER.
    4. If you provide SRCVTL STOP LISTENER,  it stops the default listener on the specified node_name, or the listeners represented in a given list of listener names, that are registered with Oracle Clusterware on the given node. No failover will happen under this case.
    5. Yes you can relocate if you want to relocate the scan.
    Hope this helps!!
    Regards,
    Pradeep. V

  • Compiling Nested Classes and Interfaces

    I am looking for documentation about compiling nested classes and interfaces. I have found something in the JVM Specification, but there does not explain how a nested class is compiled and what is included in the top level class to mark a "place holder" to the nested class. The JVM Specification in this topic cite the web page http://java.sun.com/products/jdk/1.1/docs/guide/innerclasses/spec/innerclasses.doc.html that does not exists any more.
    My root problem is that: I am compiling a class with a private nested class, but in the class file generated TopLevelClass$NestedClass.class the class does not have the private modifier. So I am not understanding why the "private" modifier was removed during compilation.
    I performed the same test with a protected nested class and the result was the nested class with the public modifier. So I am not understanding why the "protected" modifier was changed to "public".
    Thanks in advance,
    Mardoqueu.

    This should not be happening. What compiler are you using? If it's a reasonably recent Sun compiler, could you post a minimal example?

Maybe you are looking for