ACE 4710 in bridge mode
Hi,
We got new ACE 4710 device and i am trying to configure that in Bridging mode.
I am trying to loadbalance between two servers which is connected as shown below:
Servers -> Switch -> Router (with subinterface).
Servers IP: 172.16.11.1 and 172.16.11.2
Router IP: 172.16.11.254
Default route is router IP address for servers.
I am new to ACE and I am confused about how to assign interface on ACE so that ACE can bridge the traffic between router and servers VLAN.
We have some more servers which are on different VLAN but can connect to these servers as router is doing inter-vlan routing too.
I want inter-vlan routing and load balancing between above two servers concurrently. Pls. help in this regard.
Also attaching the ACE config file.
Here is the config, hope this will help.
Admin Context
=============
resource-class ngmp_rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 10,13
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.16.254
context apps
allocate-interface vlan 10
allocate-interface vlan 13
member apps_rc1
APPS Context
============
rserver host srv1
ip address 192.168.10.1
inservice
rserver host srv2
ip address 192.168.10.2
inservice
rserver host srv3
ip address 192.168.10.3
inservice
serverfarm host apps_srv
rserver srv1
inservice
rserver srv2
inservice
rserver srv3
inservice
class-map match-all ftp-vip
2 match virtual-address 172.16.10.10 tcp eq ftp
class-map match-all http-vip
2 match virtual-address 172.16.10.11 tcp eq 8080
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm apps_srv
policy-map multi-match client-vips
class ftp-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
inspect ftp
class http-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 10
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 192.168.10.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.254
Thanks,
Pawan
Similar Messages
-
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you pls. suggest where I am doing wrong?
Thanks,
Pawan" I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
ACE MODULE IN BRIDGE MODE NOT LOADBALANCING
Hi,
I setup an ace module in bridge mode as follows:
mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
The config script is attached. Is their anything I am missing?
AttachCheck my troubleshooting guide on this forum.
There are few things to do to narrow down the issue.
Gilles. -
Ace module in bridged mode with client nat
Could someone confirm whatever a NAT is supported for ACE-20 module, please?
Let me to explain technical details.
I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
if the configuration below is correct. ACE module should be configured in bridge mode with two
vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on ACE configurad as "nat dynamic 1025 vlan 436" into corresponding
"policy-map type loadbalance"
Could you check two parts of configs and advise me if the ACE config is
properly converted from CSM and will be working in the same way (especialy for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdownHello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
ACE redundancy with bridge mode
I need configure redundancy between two ACE modules (no problem). There is context in bridge mode. My question is, in which state is standby context. Is it in blocked state (that means, it not ansfer to any L2 requests) similar as for example ASA? I need explain loop-free topology.
can anybody explain me, how it works?Yes, that's correct.
If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
access-list NONIP ethertype permit bdpu
int vlan 10 ! client-side
access-group input NONIP
int vlan 20 ! server-side
access-group input NONIP
more info:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
Please rate if this was useful for you.
Kind regards,
Dario -
SNAT on ACE 4700 in bridging mode
Hi,
I would like to implement Source-NAT for some traffic, but not all traffic for the ACE 4700. The ACE 4700 will be configured as a bridge.
Can I configure Source-NAT using an extended access-list when the ACE 4700 is used as a bridge? I need Source-NAT for servers that need to access the VIPs on the ACE. All VIPs and real servers are on the same IP subnet. I was going to configure the ACE as a bridge so that IP addresses don't have to change.
Let me know how Source-NAT will work in this bridging scenario. If not, what examples or options do I have?
Thank you.Thanks, Gilles!
So, does it mean I can just use a standard access-list to identify traffic for Source-NAT? Meaning, I can just Source-NAT based on source IP addresses instead of using an extended access-list to specify both source address and destination VIP? -
ACE in bridged mode and multicast
We have configured an ACE SM in bridge mode and have a requirement to enable multicast on one of the networks where the back-end servers are residing. Will ACE support multicast out of the box, or will we need to do any tweaking on the ACE to enable the multicast support?
Thanks..Hi Gilles,
Is it also supported in routed mode?
The ace isn't doing multicast routing right?
Actually, the server-side vlan is being routed on the C6500 and has pim sparse-dense mode enabled.
We want to move this server-side vlan behind the ace in routed mode. What about the pim?
Any ideas?
thanks,
Dario -
ACE bridge mode , FWSM routed mode
i have the following senario:
MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
vlan 180 is the server side vlan
i want he FWSM ip address to be the Server gateway while ACE module in
bridge mode
i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
ACE
if i change ACE to routed mode , i can ping to FWSM
any body can help me in this issue?The config looks good.
I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
Is evertyhing else working ?
Like ping through the ACE module ?
Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
Gilles. -
I have one ACE configured in bridge mode.
for proxy users : they have the VIP as proxy so the traffice from the client with destination the VIP
but there are some users without proxy so we used the Policy Base Routing and it is working and can see the connections on the ACE
but with destination IP of the websites so the traffice is not comming back as show below
BC-LB1/BlueCoat# sho conn | include 10.1.50.10
1782765 1 in TCP 210 10.1.50.10:52052 67.195.160.76:80 SYNSEEN
1355728 1 out TCP 210 67.195.160.76:80 10.1.50.10:52052 INIT
BC-LB1/BlueCoat#
in the PBR , we used the VIP as next hop address.
please advice what is the problem?
thanks in advanceGood afternoon,
As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that also the return traffic is matched and sent to the ACE
Regards
Daniel -
Firewall Load Balance using bridged mode ACE
Dear Folks,
I 'd like to load balance 2 ASA using 3 ACE [ Inside,outside,dmz network zone]
I 've seen sample configuration, all of them are running the ACE in the route mode, and asa are running in route mode
Would it be possible to run the ACE in the bridge Mode, because the ip subneted problem, We don't have enough to split,,
by the way if possible,All server that install behind ACE, what is default gateway should Server Point to [ in our case we have 2 independent firewall ] should I create the VIP for both firewall ? or should I just simply set the server's gateway to BVI interface, ?
Please Help ThanksThank you very much Gilles,
You 're the man. ;-)
Another question in my case I try to load balance 3 interface firewall [inside,outside,dmz] in order to make the packet return the same firewall it has passed earlier,
What kind of hashing technique do I need to use and Do i need to use mac sticky command ???
I tried to find some configuration sample from cisco website , but i only found with only 2 interface with ACE running source hash and destination hash in each ends,
Thank you very much -
ACE in bridge mode with FWSM as gateway
our design
FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
originally there were no plans of servers looking to load balance traffic when they wanted to communicate each other. now there is a need this
since ACE is in bridge mode, there are no ip address to VLAN configured on it and cant do source NAT
what we want servers in serverfarm A can contact a single ip which can be load balanced and traffic to be sent to serverfarm B. both serverfarms reside in vlan 8 and ace is in bridge. with VLAN not having IP how can we get this working. we were looking to create a policy on ACE with an ip address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
with FWSM as the default gateway, by enabling permit intra traffic , it doesnt work because the command routes the traffic, dont think will send the traffic back to the same vlan
e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
so when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM but fwsm doesnt look for 10.7.8.13
with ACE in bridge and FWSM doing above how to get around. can something be done on ACE in bridge mode with source NAT
ThanksFirst, why don't you have an ip in your ACE vlan ?
Then, for traffic hitting a vip, we can do source nating even in bridge mode.
But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
The FWSM should then send the request back to ACE (not sure how this can be done).
So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
So your policy-map with client nat must be on vlan 7.
Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
In this case, the policy-map will have to be in vlan 8 with client-nat.
Gilles. -
Need help to Configure Cisco ACE 4710 Cluster Deployment
Dear Experts,
I'm newbie for Cisco ACE 4710, and still I'm in learning stage. Meanwhile I got chance at my work place to deploy a Cisco ACE 4710 cluster which should load balance the traffic between two Application Servers based on HTTP and HTTPS traffic. So I was looking for good deployment guide in Cisco SBA knowledge base then finall found this guide.
http://www.cisco.com/en/US/docs/solutions/SBA/February2013/Cisco_SBA_DC_AdvancedServer-LoadBalancingDeploymentGuide-Feb2013.pdf
This guide totally fine with my required deployment model. I have same deployment environment as this guide contains with ACE cluster that connects to two Cisco 3750X (Stack) switches. But I have some confusion places in this guide
This guide follow the "One-armed mode" as a deployment method. But when I go through it further I have noticed that they have configured server VLAN as a 10.4.49.0/24 (all servers reside in it) and Client side VIP also in same VLAN which is 10.4.49.100/24 (even NAT pool also).
My confusion is, as I have learned about Cisco ACE 4710 one-armed mode deployment method, it should has two VLAN segments, one for Client side which client request come and hit the VIP and then second one for Server side. which means besically two VLANs. So please be kind enough to go through above document then tell me where is wrong, what shoud I need to do for the best. Please this is an urgent, so need your help quickly.
Thanks....!
-Amal-Dear Kanwal,
I need quick help for you. Following are the Application LB requirements which I received from my clinet side.
Following detail required for configuring Oracle EBS Apps tier on HA:
LBR IP and Name required to configure EBS APPS Tier (i.e, ap1ebs & ap2ebs nodes)
Suggested IP and Name for LBR:
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm detail for LBR Setup
Following detail will be use for configuring the LBR:
LBR IP and Name :
IP : 172.25.45.x [should be on same 172.25.45 subnet of ap1ebs & ap2ebs nodes]
ebiz.xxxx.lk [on port 80 for http protocol accessibility]
This LBR IP & name must be resolve and respond on DNS network
Server Farm Detail for LBR setup:
Server 1 (EBS App1 Node, ap1ebs):
IP : 172.25.45.19
Server Name: ap1ebs.xxxx.lk [ap1ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Server 2 (EBS App2 Node, ap2ebs):
IP : 172.25.45.20
Server Name: ap2ebs.xxxx.lk [ap2ebs hostname is an example, actual hostname will be use]
Protocol: http
Port: 8000
Since my client needs to access URL ebiz.xxxx.lk which should be resolved by IP 172.25.45.21 (virtual IP) via http (80) before they deploy the app on the two servers I just ran web service on both servers (Linux) and was trying to access http://172.25.45.21 it was working fine and gave me index.html page. Now after my client has deployed the application then when he tries to access the page http://172.25.45.21 he cannot see his main login page. But still my testing web servers are there on both servers when I type http://172.25.45.21 it will get index.html page, but not my client web login page. What can I do for this ?
Following are my latest config :
probe http Get-Method
description Check to url access /OA_HTML/OAInfo.jsp
interval 10
faildetect 2
passdetect interval 30
request method get url /OA_HTML/OAInfo.jsp
expect status 200 200
probe udp http-8000-iRDMI
description IRDMI (HTTP - 8000)
port 8000
probe http http-probe
description HTTP Probes
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
request method get url /index.html
expect status 200 200
probe https https-probe
description HTTPS traffic
interval 10
faildetect 2
passdetect interval 30
passdetect count 2
ssl version all
request method get url /index.html
probe icmp icmp-probe
description ICMP PROBE FOR TO CHECK ICMP SERVICE
rserver host ebsapp1
description ebsapp1.xxxx.lk
ip address 172.25.45.19
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
rserver host ebsapp2
description ebsapp2.xxxx.lk
ip address 172.25.45.20
conn-limit max 4000000 min 4000000
probe icmp-probe
probe http-probe
inservice
serverfarm host ebsppsvrfarm
description ebsapp server farm
failaction purge
predictor response app-req-to-resp samples 4
probe http-probe
probe icmp-probe
inband-health check log 5 reset 500
retcode 404 404 check log 1 reset 3
rserver ebsapp1 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
rserver ebsapp2 80
conn-limit max 4000000 min 4000000
probe icmp-probe
inservice
sticky http-cookie jsessionid HTTP-COOKIE
cookie insert browser-expire
replicate sticky
serverfarm ebsppsvrfarm
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map match-all ebsapp-vip
2 match virtual-address 172.25.45.21 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match ebsapp-vip-l7slb
class default-compression-exclusion-mime-type
serverfarm ebsppsvrfarm
class class-default
compress default-method deflate
sticky-serverfarm HTTP-COOKIE
policy-map multi-match int455
class ebsapp-vip
loadbalance vip inservice
loadbalance policy ebsapp-vip-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 455
interface vlan 455
ip address 172.25.45.36 255.255.255.0
peer ip address 172.25.45.35 255.255.255.0
access-group input ALL
nat-pool 1 172.25.45.22 172.25.45.22 netmask 255.255.255.0 pat
service-policy input remote_mgmt_allow_policy
service-policy input int455
no shutdown
ft interface vlan 999
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
no preempt
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 172.25.45.1
Hope you will reply me soon
Thanks....!
-Amal- -
ACE 4710 and load balancing with sticky cookie
Configuring load balancing with SSL termination and stickiness for a couple of citrix xenapp servers. I'm doing a source-NAT as the ACE resides in the DMZ and these particular servers reside on the inside arm of the firewall. The ACE is in bridged mode to load balance web servers that reside in the DMZ. Everything seems to work just fine, but the cookie stickiness does not seem to be working.
Hi David,
As you may know, using Wireshark to look at an HTTPS capture is only useful if you've installed the server SSL key.This is why I find it easier to use something like LiveHTTPHeaders or HTTPWatch.
When using cookie-insert, the ACE will not create any dynamic cookie entries. It will simply create one static entry for each rserver with a cookie value, such as R3911631338, and any client that gets load balanced to that rserver will receive a cookie with that value. So what you see there is what is expected.
You are correct in that when using location cookies that the server supplies, the ACE will create a dynamic entry when it sees the server response with the cookie. The cookie is included in the server's response, and the ACE will look for the value as configured. The cookie will also be sent to the client. If the cookie is not in the server's first response, you will need enable persistence-rebalance so that it will look in subsequent server responses. If the browser opens new connections with that cookie, then the ACE will stick to the same server.
My suggestion would be to get sticky working with cookie-insert first. Then if that meets your needs, go with that permanently. If you need to use server cookies, then once cookie insert is working, migrate your sticky to cookie location.
Sean -
Design question: ACE module connected to 2 different L3 engine while in bridge mode
fellow engineers,
i have been working on a design model , where the ACE mldule will provide SLB for both virtual and real servers. we have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
configured in bridcge mode.
the msfc within the 6509 provide the L3 routing. however we may extends multiple vlans (v160-v163) via nexus switch layer (7k,5k,2k) to a FW appliance which now is the svi interface for the extended vlans. these vlans will be configured on a dedicated context.
the extension is based on the bridge mode operation as follow:
need help with the following:
1) if i have 4 bvi's configured, do i need to have default route configured?
2) my total count for vlans are: v160-v163 for server vlans, and v101 is the management vlan. the svi for this vlan is on the msfc card. the server GW are pointing to each dedicated svi's on the FW+L3 apliance.
3) if my default route on the context is pointing to the v160 svi on the FW+L3 engine, will that prevent the return traffic for other vlans ( v161-v163) from the ace toward the client?
4) is default route neccessary if you hae the ace in bridge mode.
it was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on seperate context since you can only have one default route per context.
i appreciate any feedback on this inquiry. if you need additional information please le me know.
thanks and best regards,
raman azizianHi Raman,
You can have up to eight default routes in one context. What the ACE is doing with the entries is to create a ARP-entry with the name GATEWAY. If you need more then eight entries, just declare gateway as rservers. In that case the ARP-entry is stored as RSERVER instead of GATEWAY. The trick is to tell ACE to learn the MAC-address for the IP-address and store it int the ARP-table. The ACE never learn for itself a MAC-address. Don't forget mac-sticky enable on vlan's facing gateway.
I'm running one context in bridge mode and have 18 bvi's with FW and Router 6509 as gateways.
Exampel:
Interface to ROUTER 6509
interface vlan 300
bridge-group 300
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan300
no shutdown
rserver host 300GATEWAY
ip address 164.135.121.47
inservice
A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47 00.08.e3.ff.fc.14 vlan300 RSERVER 4775 239 sec up
A#1/prod1#
Interface to FIREWALL
interface vlan 802
bridge-group 802
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan802
no shutdown
rserver host 802GATEWAY
ip address 192.168.137.1
inservice
192.168.137.1 00.23.33.6a.bf.80 vlan802 RSERVER 4785 5 sec up
Regards
Mats -
ACE problem - bridge mode - behind a firewall
Hello
We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE Vip
2. At the same time it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
bridge-group 2
no normalization
mac-sticky enable
access-group input PERMITALL
service-policy input VLAN10-INTER-MMPM
no shutdown
interface vlan 15
bridge-group 2
no normalization
access-group input PERMITALL
no shutdown
interface bvi 2
ip address 192.168.100.7 255.255.255.192
alias 192.168.100.6 255.255.255.192
peer ip address 192.168.100.8 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
DamianThanks for replying James,
I am sure I configured the capture only for VLAN10 which is in the VIP side.
But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still on the testing stage. So it would be good time to make changes.
Do you normally implement a routed setup behind a firewall? Rather than a bridgedâ¦.
It is quite a small setup:
⢠Traffic is coming from a separate local subnet
⢠Traffic is not coming from the internet so it does not required a NAT
⢠We need 1 VIP listening on two ports
⢠The backend servers are four Linux boxes
Thanks again,
Damian
Maybe you are looking for
-
CRS issue after upgrade of CRS to 10.2.0.5.0
we have 3 node cluster HP -UX 10.2.0.3.0. We have upgraded the CRS to 10.2.0.5.0 on all the 3 nodes. 2 of the nodes are up and running. But on the 3rd node the CRS does not startup. Below is the error we see in the log file: 2010-11-28 08:10:33.806:
-
Namespace problem while updating a desktop app
Hello, I've searched on a lot of forums but didn't find anything accurate on my problem. I have an old AIR 2.0 desktop app that updated itself. I want to update it to the last 3.4 framework. So I followed instructions for the intermediate application
-
I am having trouble setting up the wireless connection on a hp deskjet 3520. I upgraded to os x.10.9 recently. I have updated to the most recent HP software update which is version 2.16.1. However, according to the os x: printer and scanner softw
-
Simple JS works in Acrobat 7, but not 8 - why?
I have a simple form with 2 fields: "myname" and "phone". "myname" is a drop down list populated with 3 names. I want to be able to populate the "phone" field with a phone number corresponding to the "myname" field automatically. I have the following
-
How to increase number ptys in Solaris 10?
Hi, How do I increase number of ptys in Solaris 10, also what command to view how many total currently set? I try to put set pt_cnt = X and rebooted, seems to be not working. Thanks!