The CSS is configured with Global VIPs, and local (RFC1918) IPs on the servers. During initial testing we bypassed the firewall / 2950 and had the traffic pass directly to the CSS, then onto the servers. This worked fine.
Now (using the new [supplied] config) we're having problems getting to the VIPs on the CSS. We can telnet directly to the CSS through the firewall. We have all the ACLs set up on the PIX 525 that we can think of.
The PIX can ping all of the VIPs, but you can't ping them from outside the PIX. It seems odd to me that all of the ACLs are set up the same, but yet only one of them is passing traffic?
Does anyone have experience with the above type of configuration? Any help would be greatly appreciated.
access-list outside-access permit tcp any host 220.127.116.11 eq https
access-group outside-access in interface outside
This is how we have our VIPs configured to work through our PIX firewalls and it works well. As far as the 2950 switch that you have is concerned, we are not using a switch behind our CSS. All of our servers utilizing the CSS are directly connected to it. I don't see any issues with the 2950 behind the CSS, but I could be wrong. Hope this helps.