I have a client with a CSS 11151 content switch. In front of the CSS (the "outside" interface), the client has a PIX and a 3060 VPN concentrator. Some of the traffic comes in from the 3060 and some from the PIX, hence the reply traffic needs to go through two different gateways depending on where it came from. Up to this point, they put a 7120 router on the segment (its only connection) for the sole purpose of sending ICMP redirects to the CSS. The 7120 is the default gateway for the CSS. Obviously, this is not the greatest arrangement and has been made worse since they are experiencing significant performance issues when traffic begins to exceed about 4.5Mbps through the CSS.
The client says they tried to configure a default route to the PIX and another static route to the 3060 but then *all* of their traffic began following the route to the 3060. To further complicate the issue, they are running redundant SCAs. Their current routing configuration is this:
ip route 0.0.0.0 0.0.0.0 220.127.116.11 1
ip route 0.0.0.0 0.0.0.0 192.168.102.5 1
ip route 0.0.0.0 0.0.0.0 192.168.102.6 1
ip route 192.168.100.0 255.255.255.0 18.104.22.168 1
ip route 10.0.0.55 255.255.255.255 22.214.171.124 1
192.168.102.5 and .6 are the two SCAs. 126.96.36.199 is the 7120. 188.8.131.52 is the PIX and 184.108.40.206 is the 3060.
Logically, it seems that I could add a route to 10.7.0.0/16 via 220.127.116.11, 192.168.102.5, and 192.168.102.6. I would think this would allow the CSS to send the traffic through the appropriate gateway instead of having to use the 7120 for ICMP redirects.
Since this is such a strange CSS deployment, I have not been able to find anything on CCO that I could use as a reference configuration. But, according to the documentation, it seems that the "ip route" statement in the CSS works just like it would in any other device, so I do not understand why the client would have had problems.