07-26-2013 01:43 PM
I am new to ACE. In our company there are ACE modules installed on 6509 switches configured as VSS, and we are running version A4(2.3) on the ACE. Please guide me to some good HTTP links to start reading about ACE.
-Atul
07-29-2013 11:33 AM
Hi,
Here are a couple links to get you started:
Product page:
http://www.cisco.com/en/US/products/ps6906/index.html
Getting started guide:
A4 Admin guide:
Load balancing guide:
Config documents and release notes:
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html
Regards,
Alex
08-01-2013 07:29 AM
Hello Alex
Working in a new environment, I need to configure and confirm that traffic is restricted to only SSH and HTTPS. Here is what I have come up with so far from reading other configs and document examples. I believe that part of the problem is the permit ip any any.
interface gigabitEthernet 1/1
description REAL SERVERS SDE
speed 1000M
duplex FULL
switchport access vlan 200
no shutdown
interface gigabitEthernet 1/2
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
speed 1000M
duplex FULL
switchport access vlan 500
no shutdown
access-list ACL_10 line 8 extended permit ip any host 10.24.96.4
access-list ACL_10 line 16 extended permit icmp any host 10.24.96.4
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_30 line 8 extended permit ip any any
access-list ACL_30 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.24.96.64 255.255.255.224 any eq ssh
access-list ACL_40 line 16 extended permit ip 10.24.96.64 255.255.255.224 any eq https
probe icmp SERVICE_ICMP_PROBE
interval 10
passdetect interval 5
parameter-map type http cisco_avs_parametermap
persistence-rebalance
length-exceed continue
rserver host Arges
ip address 10.24.96.68
probe SERVICE_ICMP_PROBE
inservice
rserver host vsuiteFrontEnd-A
ip address 10.24.96.67
probe SERVICE_ICMP_PROBE
inservice
action-list type optimization http WEB-ACTION-LIST
flashforward
action-list type optimization http cisco_avs_container_latency
flashforward
action-list type optimization http cisco_avs_img_latency
flashforward
action-list type optimization http cisco_avs_obj_latency
flashforward
serverfarm host VIRTUAL-SERVER-FARM
rserver Arges 80
backup-rserver Brontes 80
conn-limit max 4000000 min 4000000
inservice
rserver Brontes 80
conn-limit max 4000000 min 4000000
inservice
serverfarm host rule-vsuiteFrontEnd-A
rserver vsuiteFrontEnd-A
inservice
serverfarm host rule-vsuiteSsh-A
rserver ssh-vsuiteA 22
inservice
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
set timeout inactivity 6400
parameter-map type connection rule-vsuiteSsh-A_CONN_PARAM
set timeout inactivity 6400
class-map match-any SERVERSOURCED
2 match access-list ACL_40
class-map match-all rule-vsuiteFrontEnd-A_CLASS
2 match virtual-address 10.24.96.4 tcp eq https
class-map match-all rule-vsuiteSsh-A_CLASS
2 match virtual-address 10.24.96.4 tcp eq 22
class-map type http loadbalance match-all cisco_avs_container_latency ??????
2 match http url http://10.10.10.*/browser/*
class-map type http loadbalance match-any cisco_avs_img_latency
2 match http url .*jpg
3 match http url .*jpeg
4 match http url .*jpe
5 match http url .*png
6 match http url .*aspx
7 match http url .*aspd
8 match http url .*axd
9 match http url .*axs
10 match http url .i*
class-map type http loadbalance match-any cisco_avs_obj_latency
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*aspx
16 match http url .*aspd
17 match http url .*axd
18 match http url .*axs
19 match http url .*
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any
policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
class class-default
serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteSsh-A_POLICY
class class-default
serverfarm rule-vsuiteSsh-A
policy-map multi-match POLICY
class rule-vsuiteFrontEnd-A_CLASS
loadbalance vip inservice
loadbalance policy rule-vsuiteFrontEnd-A_POLICY
loadbalance vip icmp-reply active
connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
class rule-vsuiteSsh-A_CLASS
loadbalance vip inservice
loadbalance policy rule-vsuiteSsh-A_POLICY
loadbalance vip icmp-reply active
connection advanced-options rule-vsuiteSsh-A_CONN_PARAM
policy-map multi-match SERVERSOURCED
class SERVERSOURCED
nat dynamic 1 vlan 500
policy-map type optimization http first-match VIRTUAL-SERVER-20-l7opt
class cisco_avs_obj_latency
action cisco_avs_obj_latency
class cisco_avs_img_latency
action cisco_avs_img_latency
class cisco_avs_container_latency
action cisco_avs_container_latency
policy-map multi-match int500
class VIRTUAL-SERVER-20
loadbalance vip inservice
loadbalance policy VIRTUAL-SERVER-20-l7slb
optimize http policy VIRTUAL-SERVER-20-l7opt
loadbalance vip icmp-reply active
appl-parameter http advanced-options cisco_avs_parametermap
class VIRTUAL-SERVER-11
loadbalance vip inservice
loadbalance policy VIRTUAL-SERVER-11-l7slb
loadbalance vip icmp-reply active
interface vlan 200
description "REAL SERVERS"
ip address 162.16.103.1 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 500
description ACE CLIENT VLANE_Client VLAN
ip address 10.10.10.5 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int500
no shutdown
interface vlan 820
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
snmp-server contact "CHARLES"
snmp-server location "DEP"
snmp-server community DEP group Network-Monitor
snmp-server trap-source vlan 820
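A small audit helper, added here as an example (it is not part of the thread and not a Cisco tool), that parses the ACE access-list and access-group input syntax shown in the config above and reports, per VLAN interface, any bound ACL entry that permits all traffic (permit ip any any, or tcp/udp any any with no port qualifier). The embedded config is a constructed excerpt modelled on the posted one.

```python
import re
from collections import defaultdict
# Constructed excerpt modelled on the ACE config pasted in the thread (not the full config).
ACE_CONFIG = """\
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www
interface vlan 500
  ip address 10.10.10.5 255.255.255.0
  access-group input ACL_20
interface vlan 820
  access-group input FILTER
"""
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+line\s+\d+\s+extended\s+(permit|deny)\s+(\S+)\s+(.+)$")
IFACE_RE = re.compile(r"^interface\s+vlan\s+(\d+)$")
GROUP_RE = re.compile(r"^access-group\s+input\s+(\S+)$")
PORT_RE = re.compile(r"\b(eq|range|gt|lt|neq)\b")

def parse_acls(text):
    """Map ACL name -> list of (action, protocol, src/dst/port text) in line order."""
    acls = defaultdict(list)
    for line in map(str.strip, text.splitlines()):
        m = ACE_RE.match(line)
        if m:
            acls[m.group(1)].append((m.group(2), m.group(3), m.group(4)))
    return dict(acls)

def parse_access_groups(text):
    """Map VLAN id -> ACL name bound with 'access-group input' under that interface."""
    groups, vlan = {}, None
    for line in map(str.strip, text.splitlines()):
        if IFACE_RE.match(line):
            vlan = IFACE_RE.match(line).group(1)
        elif GROUP_RE.match(line) and vlan:
            groups[vlan] = GROUP_RE.match(line).group(1)
    return groups

def is_blanket(entry):
    """True for a permit letting any source reach any destination with no port restriction."""
    action, proto, rest = entry
    if action != "permit" or rest.split()[:2] != ["any", "any"]:
        return False
    return proto == "ip" or (proto in ("tcp", "udp") and not PORT_RE.search(rest))

def audit(text):
    """Per VLAN: (bound ACL, its blanket entries), or (bound ACL, None) if the ACL is undefined."""
    acls, groups = parse_acls(text), parse_access_groups(text)
    return {vlan: (name, None if name not in acls else [e for e in acls[name] if is_blanket(e)])
            for vlan, name in sorted(groups.items())}
```

Running audit() over a full running-config shows which interface-bound ACLs still carry a blanket permit, which is the first thing to check when the intent is SSH- and HTTPS-only.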
08-02-2013 12:13 PM
Hi Charles,
If you are talking about management traffic you need a configuration like this:
class-map type management match-any NSS-MGT
3 match protocol https any
6 match protocol ssh any
policy-map type management first-match MGT
class NSS-MGT
permit
interface vlan 144
ip address 10.198.44.11 255.255.255.0
peer ip address 10.198.44.15 255.255.255.0
service-policy input MGT
no shutdown
If you want to restrict even more and specify the IP addresses that are going to be permitted, you can configure the policy like this:
class-map type management match-any NSS-MGT
3 match protocol https source x.x.x.x z.z.z.z
6 match protocol ssh source x.x.x.x z.z.z.z
---------------------
Cesar R
ANS Team
08-02-2013 12:42 PM
Hello Cesar
I greatly appreciate your response and will give this a go, then reply if I need further help.
Thank you
08-02-2013 01:41 PM
It appears that ssh is not for management but for sending data to us.
08-07-2013 11:53 AM
I cannot get the rservers up or the VIPs active... Help me...
logging enable
logging timestamp
logging trap 5
logging history 5
logging buffered 6
logging persistent 5
logging monitor 5
logging queue 5000
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
hostname x86ACE03
interface gigabitEthernet 1/1
switchport access vlan 700
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 701,704
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
ntp server 157.127.103.139
access-list ACL_10 line 8 extended permit ip any host 10.22.6.117
access-list ACL_10 line 16 extended permit icmp any host 10.22.6.117
access-list ACL_10 line 24 extended permit ip any host 10.22.6.116
access-list ACL_10 line 32 extended permit icmp any host 10.22.6.116
access-list ACL_10 line 34 extended permit icmp any host 10.22.6.118
access-list ACL_10 line 38 extended permit ip any host 10.22.6.118
access-list ACL_10 line 40 extended permit ip any host 10.22.6.119
access-list ACL_10 line 48 extended permit icmp any host 10.22.6.119
access-list ACL_20 line 8 extended permit ip any any
access-list ACL_20 line 16 extended permit icmp any any
access-list ACL_40 line 16 extended permit ip 10.22.7.2 255.255.255.224 any
access-list ACL_50 line 16 extended permit ip 10.22.7.34 255.255.255.224 any
access-list FILTER line 10 extended permit tcp any any eq https
access-list FILTER line 20 extended permit tcp any any eq www
probe icmp SERVICE_ICMP_PROBE
interval 10
passdetect interval 5
rserver host vsuiteFrontEnd-A
ip address 10.22.6.116 ! 10.22.7.2
probe SERVICE_ICMP_PROBE
inservice
rserver host vsuiteFrontEnd-CoreA
ip address 10.22.6.118 ! 10.22.7.34
probe SERVICE_ICMP_PROBE
inservice
serverfarm host rule-vsuiteFrontEnd-A
rserver vsuiteFrontEnd-A
conn-limit max 4000000 min 1
inservice
serverfarm host rule-vsuiteFrontEnd-CoreA
rserver vsuiteFrontEnd-CoreA
conn-limit max 4000000 min 1
inservice
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
parameter-map type connection rule-vsuiteFrontEnd-A_CONN_PARAM
set timeout inactivity 6400
parameter-map type connection rule-vsuiteFrontEnd-CoreA_CONN_PARAM
set timeout inactivity 6400
class-map type management match-any REMOTE_ACCESS_CLASS
description Enable remote management
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
8 match protocol https any
class-map match-any SERVERSOURCED
2 match access-list ACL_40
class-map match-any SERVERSOURCED-CoreA
2 match access-list ACL_50
class-map match-all rule-vsuiteFrontEnd-A_CLASS
2 match virtual-address 10.22.6.117 tcp eq https
class-map match-all rule-vsuiteFrontEnd-CoreA_CLASS
2 match virtual-address 10.22.6.119 tcp eq https
policy-map type management first-match REMOTE_ACCESS_POLICY
class REMOTE_ACCESS_CLASS
permit
policy-map type loadbalance first-match rule-vsuiteFrontEnd-A_POLICY
class class-default
serverfarm rule-vsuiteFrontEnd-A
policy-map type loadbalance first-match rule-vsuiteFrontEnd-CoreA_POLICY
class class-default
serverfarm rule-vsuiteFrontEnd-CoreA
policy-map multi-match POLICY
class rule-vsuiteFrontEnd-A_CLASS
loadbalance vip inservice
loadbalance policy rule-vsuiteFrontEnd-A_POLICY
loadbalance vip icmp-reply active
connection advanced-options rule-vsuiteFrontEnd-A_CONN_PARAM
policy-map multi-match POLICY-CoreA
class rule-vsuiteFrontEnd-CoreA_CLASS
loadbalance vip inservice
loadbalance policy rule-vsuiteFrontEnd-CoreA_POLICY
loadbalance vip icmp-reply active
connection advanced-options rule-vsuiteFrontEnd-CoreA_CONN_PARAM
policy-map multi-match SERVERSOURCED
class SERVERSOURCED
nat dynamic 1 vlan 700
policy-map multi-match SERVERSOURCED-CoreA
class SERVERSOURCED-CoreA
nat dynamic 2 vlan 700
service-policy input POLICY
service-policy input POLICY-CoreA
interface vlan 700
ip address 10.22.6.2 255.255.255.224
no icmp-guard
access-group input ACL_10
nat-pool 1 10.22.6.117 10.22.6.117 netmask 255.255.255.255 pat
nat-pool 2 10.22.6.119 10.22.6.119 netmask 255.255.255.255 pat
service-policy input REMOTE_ACCESS_POLICY
no shutdown
interface vlan 701
ip address 10.22.7.2 255.255.255.224
no icmp-guard
access-group input ACL_20
service-policy input SERVERSOURCED
no shutdown
interface vlan 704
ip address 10.22.7.34 255.255.255.224
no icmp-guard
access-group input ACL_20
service-policy input SERVERSOURCED-CoreA
no shutdown
ip route 0.0.0.0 0.0.0.0 10.22.6.1
x86ACE03/Admin#
x86ACE03/Admin# sh probe
probe : SERVICE_ICMP_PROBE
type : ICMP
state : ACTIVE
----------------------------------------------
port : 0 address : 0.0.0.0
addr type : - interval : 10 pass intvl : 5
pass count: 3 fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ----------------------+----+--------+------+------+------+------
rserver : vsuiteFrontEnd-A
10.22.6.116 0 -- 78 78 0 FAILED
rserver : vsuiteFrontEnd-CoreA
10.22.6.118 0 -- 459 459 0 FAILED
x86ACE03/Admin#
x86ACE03/Admin# sh service-policy
Policy-map : POLICY
Status : ACTIVE
-----------------------------------------
Context Global Policy:
service-policy: POLICY
class: rule-vsuiteFrontEnd-A_CLASS
loadbalance:
L7 loadbalance policy: rule-vsuiteFrontEnd-A_POLICY
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : - , drop-count : -
bandwidth-rate-limit : - , drop-count : -
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
Parameter-map(s):
rule-vsuiteFrontEnd-A_CONN_PARAM
Policy-map : POLICY-CoreA
Status : ACTIVE
-----------------------------------------
Context Global Policy:
service-policy: POLICY-CoreA
class: rule-vsuiteFrontEnd-CoreA_CLASS
loadbalance:
L7 loadbalance policy: rule-vsuiteFrontEnd-CoreA_POLICY
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
conns per second : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : - , drop-count : -
bandwidth-rate-limit : - , drop-count : -
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
Parameter-map(s):
rule-vsuiteFrontEnd-CoreA_CONN_PARAM
Policy-map : SERVERSOURCED
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 701
service-policy: SERVERSOURCED
class: SERVERSOURCED
nat:
nat dynamic 1 vlan 700
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
Policy-map : SERVERSOURCED-CoreA
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 704
service-policy: SERVERSOURCED-CoreA
class: SERVERSOURCED-CoreA
nat:
nat dynamic 2 vlan 700
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
x86ACE03/Admin# sh serverfarm
serverfarm type rservers predictor current conns
+--------------------+---------+--------+------------------+---------------
rule-vsuiteFrontEnd-A
HOST 1 ROUNDROBIN 0
rule-vsuiteFrontEnd-CoreA
HOST 1 ROUNDROBIN 0
x86ACE03/Admin# sh serverfarm rule-vsuiteFrontEnd-A
serverfarm : rule-vsuiteFrontEnd-A, type: HOST
total rservers : 1
state : INACTIVE
DWS state : DISABLED
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: vsuiteFrontEnd-A
10.22.6.116:0 8 PROBE-FAILED 0 0 0
x86ACE03/Admin# sh serverfarm rule-vsuiteFrontEnd-A
serverfarm : rule-vsuiteFrontEnd-A, type: HOST
total rservers : 1
state : INACTIVE
DWS state : DISABLED
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: vsuiteFrontEnd-A
10.22.6.116:0 8 PROBE-FAILED 0 0 0
x86ACE03/Admin#
07-31-2013 04:21 PM
08-02-2013 02:15 PM
Thanks Alex and Jorge,
I have to configure ACE for Riverbed; our ACE is on a blade in a 6509, and the 6509 is in VSS. ACE is configured in a context. Can anyone please help? I know it's a small thing for you guys but big for me, as I am new to ACE.
-Atul