Syed, as far as I can tell, yes you will need a GEO DB per device. They are not transferrable between devices (actually you can transfer and install without error, but they don't work). If you are commissioning you will need to contact Cisco licensing...
Charles, you need to sit down and determine what traffic you want to permit into the device. There is an implicit "deny ip any any" at the end of each acl. The access-lists below permit - anyone external to reach the vips for https - anyone local (ie: ...
You'll probably need to open a tac case so someone can check the css & tac configs and you'll probably need to get concurrent traces either side of the ace (and maybe css for comparison). Are both css and ace configured for the same behaviour? I had ...
Charles, I would do this with the interface access-list. You will need to explicitly permit the traffic to be load balanced, mgmt traffic and all https/ssh and deny everything else. Matthew
Can you clarify what you mean by "traffic restricted to ssh & https"? I.e.: do you mean only ssh & https mgmt traffic to the ace, only https and ssh towards the vip or only ssh & https through the box (not load balanced)? Matthew