This is what I am trying to do in a one-arm config topology
(as the CSS guide (cntntgd.pdf) says under Configuring a Domain Name content rule):
The CSS allows you to use a domain name in place of, or in conjunction with, a
VIP address in a content rule. Using a domain name in a content rule enables you to:
Enable service provisioning to be independent of IP-to-domain name
Provision cache bandwidth as needed based on domain names
So I am trying to create a content rule with a domain name instead of VIP address. For ex.
add service Serv1
add destination service Serv1
VIP address ???????? (what should we put in here)
In this case what do we put as the VIP address in source groups, and how does the traffic flow from the client to the actual server in a one-arm topology? I am trying this topology where we have multiple sites configured with the same IP address with host headers.
My assumption is that I should configure DNS servers with the VIP address for domain.com and use that as the VIP address in the source group. But how does the actual traffic flow from client to servers?
This is what the traffic flow will look like in a one-armed config.
Traffic will enter the CSS with the source IP of the client, destined to the VIP address that it receives from DNS. The CSS will need to spoof the connection until it gets the client request. At that time it can make the load-balancing decision, since it can read the host header of the packet and decide what content rule it matches. Once it finds the correct content rule it will load balance to the server. At this point the packet will have the source IP of the VIP in the group, destined to the server that it load balanced to. The CSS will use its routing table to forward this packet to the server. The reason you need the group is so that the server responds back to the CSS rather than directly back to the client.
The address you put in the group can be any address that routes back to the CSS. Usually this is the same as the content rule VIP, or any local IP in the CSS circuit VLAN subnet.
DNS is still going to be resolving these domains to some IP address. You would need to have routing set up to forward those IPs to the CSS interface/redundant-interface. You can also add the VIP address to the content rule along with the domain. If multiple domains resolve to the same IP you can create a content rule for each domain name all containing the same VIP address.
The CSS will parse the client request for the host header and match it to the correct rule.
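The flow described in the replies above, modelled as an added example (not code from the thread or from Cisco documentation). All addresses and domain names are constructed, and round-robin is an assumed balancing method; the model shows why the reply only returns through the CSS when the source group rewrites the source address.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions, not from the thread).
VIP = "192.0.2.10"        # address DNS returns for every hosted domain
GROUP_VIP = VIP           # source-group address; must route back to the CSS
RULES = {                 # one content rule per domain, all on the same VIP
    "www.site-a.example": ["10.0.0.11", "10.0.0.12"],
    "www.site-b.example": ["10.0.0.21"],
}
_next = {}                # per-rule round-robin position

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def parse_host(request: bytes) -> Optional[str]:
    """Return the Host header value, lowercased and without a port, or None."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip().lower().split(":")[0] or None
    return None

def balance(client_ip, request, use_group=True):
    """Return (packet sent to server, server's reply), or None if no rule matches."""
    host = parse_host(request)
    servers = RULES.get(host)
    if servers is None:
        return None                          # no content rule for this Host
    i = _next.get(host, 0)
    _next[host] = i + 1
    server = servers[i % len(servers)]
    # With the group, the CSS rewrites the source to the group VIP;
    # without it, the server sees the real client address.
    to_server = Packet(GROUP_VIP if use_group else client_ip, server)
    reply = Packet(server, to_server.src)    # server answers whoever it saw
    return to_server, reply

def returns_via_css(reply: Packet) -> bool:
    """True when the server's reply is addressed to the CSS, not the client."""
    return reply.dst == GROUP_VIP
```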