Cisco ACE modules support a virtualized architecture to increase datacenter scalability. You can create up to 250 virtualized contexts on an ACE module. Each context behaves like an independent ACE appliance with its own policies, interfaces, domains, server farms, real servers, and administrators. You can divide each context into multiple partitions called domains, which allow you to manage user access to the objects within a context. ACE modules are usually deployed in a failover configuration to increase reliability.
Failover is not working properly. ACE modules in a failover pair may both end up in the active state for some context. L2 connectivity, such as ARP resolution, works, but L3 connectivity is an issue.
Each peer appliance in a redundant group can contain one or more fault-tolerant (FT) groups. Each FT group consists of two members: one active context and one standby context. When a switchover occurs, the active member in the FT group becomes the standby member and the original standby member becomes the active member. The ACE uses the heartbeat to probe the peer ACE, rather than probe each context. Cisco ACE replicates flows on the active FT group member to the standby group member per connection for each context. Note that the ACE does not replicate SSL and other terminated (proxied) connections from the active context to the standby context.
A surge in normal user traffic may cause the resource manager to drop Admin traffic if no reservation is configured for the Admin context. When Admin traffic is dropped, the secondary assumes that the primary has failed and becomes active, although the primary is still active and has not failed. The drops can be seen in the following output
Check the resources allotted to the Admin context. The problem occurs when very few or no resources are allotted to the Admin context, which causes issues under heavy load. When all resources on the ACE are reserved by the members of the resource group, the Admin context, which is not configured in a resource group, is left without resources. Allocating resources to the Admin context resolves the issue.