I've installed two Ironport S660 proxy servers to handle all web traffic. As the Ironport apparently doesn't come with its own load-balancing/redundancy feature (like VRRP), I've decided to let the ACE handle load balancing. 90% of all the traffic is destined to be proxied, but a small portion of specific URLs are not suitable for proxying, e.g. sites that provide stock information, financial real-time data, etc. For that purpose, I'm trying to configure a method to detect these URLs and simply forward them toward our internet firewall. But so far, I've been unsuccessful in my attempts.
The basic load balancing works like a charm. The issue here is that all traffic hits the VIP on port 8080. I've tried to configure a class-map to detect the specific URLs and used the action=forward under the loadbalance policy-map. For routing purposes, I've tried to apply PAT, so the firewall won't have to be aware of all internal addresses. Sadly, it never worked. I did get the class-map for URL detection to work, but the actual forwarding failed.
I'm thinking that maybe there's a problem related to the fact that all traffic arrives with 8080 as dst.port. And this goes for both http and https. So even if I manage to correctly configure a class-map to detect these URLs, how do I forward the traffic and "rewrite" the dst.port? I would somehow need to inspect the header for either http:// or https:// in order to forward the traffic with the correct dst.port (80 or 443).
Has anyone configured ACE for Ironport load balancing and faced the same problems? If so, I'd be very interested in knowing how you made it work.