ACE30 - PING to VIP and Client side SVI not working

sgonsalv

Hi Guys,

Having set up the ACE30 based on the configuration guides, I've been able to get basic load balancing working, probes, stickiness etc. However, in testing connectivity, I've noticed that from the real server on the backend I cannot seem to PING:

1. The VIP for the web service that the server is a part of

2. The Client side SVI

I'd like this to work to ensure full connectivity.

I've applied ACLs to the Client side SVI (on the ACE) to allow this in both directions, and also removed any ACLs attached to the client side SVI on the MSFC where the subnet is actually homed.  However I just cannot seem to PING the Client side SVI on the ACE, or the VIP.  Trying to understand if this is normal behavior.

Have inserted my config below for completeness.

ACE30 Config
------------------

login timeout 60
hostname ACE1
boot system image:c6ace-t1k9-mz.A90_6_3_5.bin
boot system image:c6ace-t1k9-mz.A4_1_0.bin

resource-class RC_1
  limit-resource all minimum 10.00 maximum unlimited

access-list all line 8 extended permit ip any any
access-list v6-any line 8 extended permit ip anyv6 anyv6

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol https any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

interface vlan 768
  description Management connectivity
  ip address 10.20.40.72 255.255.255.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.20.40.254

context VC_1
  allocate-interface vlan 11
  allocate-interface vlan 186
  member RC_1

username admin password 5 $1$STizNv5q$i96.Qrt4C4SfHkbLyVT74.  role Admin domain default-domain
username www password 5 $1$ZAn8bOtv$xmmNlH8akF6iYfXdQCKMo1  role Admin domain default-domain

ssh key rsa1 1024 force

!!!!!!!!!!!!!!!!!!!
! VC_1
!!!!!!!!!!!!!!!!!!!

ACE1/VC_1# sh run

probe http HTTP_PROBE1
  interval 15
  passdetect interval 60
  expect status 200 200
  open 1

rserver host RS_MONASH_WEB1
  description Test Monash Web Server 1
  ip address 10.194.27.177
  inservice

serverfarm host SF_MONASH_WEB
  probe HTTP_PROBE1
  rserver RS_MONASH_WEB1 80
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY_MONASH_WEB
  timeout 3600
  serverfarm SF_MONASH_WEB

class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol https any

class-map match-all VS_MONASH_WEB
  2 match virtual-address 10.194.11.1 tcp eq www

access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit ip any any
access-list ALLOW_TRAFFIC_TOWARDS_ACE extended permit icmp any any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match PM_MONASH_WEB_LB
  class class-default
    sticky-serverfarm STICKY_MONASH_WEB

policy-map multi-match PM_MULTI_MATCH_CLIENT_VIP
  class VS_MONASH_WEB
    loadbalance vip inservice
    loadbalance policy PM_MONASH_WEB_LB

service-policy input REMOTE_MGMT_ALLOW_POLICY

interface vlan 11
  description Client connectivity on Vlan 11
  ip address 10.194.11.250 255.255.255.0
  access-group input ALLOW_TRAFFIC_TOWARDS_ACE
  access-group out ALLOW_TRAFFIC_TOWARDS_ACE       ! not sure if this is required as well?
  service-policy input PM_MULTI_MATCH_CLIENT_VIP
  no shutdown

interface vlan 186
  description CSM www monash
  ip address 10.194.27.189 255.255.255.240
  access-group input ALLOW_TRAFFIC_TOWARDS_ACE    ! not sure if this is required?
  access-group out ALLOW_TRAFFIC_TOWARDS_ACE      ! not sure if this is required?
  ip dhcp relay server 130.194.15.17
  ip dhcp relay server 130.194.15.1
  ip dhcp relay enable
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.194.11.254

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
6500s
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! test-clay1-gw - ACE connects to this 6500

svclc multiple-vlan-interfaces
svclc module 2 vlan-group 2
svclc vlan-group 2  11,171-499,768

! test-clay0-gw - Where Client side subnet, VLAN11 is homed

interface Vlan11
 description Testlab server subnet
 ip address 10.194.11.253 255.255.255.0
 no shut

ip route 10.194.27.176 255.255.255.240 10.194.11.250

thanks

Sheldon


Marko Leopold

To ping your VIP of the webserver, you should apply the service-policy input command on VLAN 186 too. Currently the VIP only listens on VLAN 11. For the SVI I think that was forbidden for security reasons, but I can't remember anymore. Maybe you just need to put the management policy on the interface VLAN 186. If it doesn't work, then my first guess was right.
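
A check for the gap the reply points at, as an added example that is not part of the original thread: it parses an ACE context config and reports VLAN interfaces that have no multi-match (VIP) service-policy applied, either on the interface or context-wide. The config excerpt is constructed from the post, and the function names are illustrative.

```python
import re

# Constructed excerpt of the VC_1 context from the post (abridged, not the full config).
SAMPLE_CONFIG = """\
class-map match-all VS_MONASH_WEB
  2 match virtual-address 10.194.11.1 tcp eq www
policy-map multi-match PM_MULTI_MATCH_CLIENT_VIP
  class VS_MONASH_WEB
    loadbalance vip inservice
    loadbalance policy PM_MONASH_WEB_LB
service-policy input REMOTE_MGMT_ALLOW_POLICY
interface vlan 11
  ip address 10.194.11.250 255.255.255.0
  service-policy input PM_MULTI_MATCH_CLIENT_VIP
  no shutdown
interface vlan 186
  ip address 10.194.27.189 255.255.255.240
  no shutdown
"""

def policies_by_interface(config):
    """Return ({'vlan N': [policies]}, [context-wide policies])."""
    per_if, context_wide, current = {}, [], None
    for raw in config.splitlines():
        text = raw.split("!")[0].strip()   # drop trailing "! ..." comments
        if not text:
            continue
        if not raw[0].isspace():           # a top-level line starts a new stanza
            m = re.match(r"interface (vlan \d+)$", text)
            current = m.group(1) if m else None
            if current:
                per_if[current] = []
        m = re.match(r"service-policy input (\S+)$", text)
        if m:
            (per_if[current] if current else context_wide).append(m.group(1))
    return per_if, context_wide

def interfaces_missing_vip(config):
    """Map each VLAN interface to the multi-match (VIP) policies it lacks."""
    vip_policies = re.findall(r"^policy-map multi-match (\S+)", config, re.M)
    per_if, context_wide = policies_by_interface(config)
    missing = {}
    for ifc, pols in per_if.items():
        gaps = [p for p in vip_policies if p not in pols + context_wide]
        if gaps:
            missing[ifc] = gaps
    return missing

if __name__ == "__main__":
    print(interfaces_missing_vip(SAMPLE_CONFIG))
```

Run against the posted context, it flags vlan 186 (the server side) as the interface where the VIP policy is not applied, while the management policy is reported as context-wide.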
