ACE loadbalancing design dilemma
Hi,
We have an ACE in a 6509 connected to a FW (trunk). The FW is connected to a 3560 switch (DMZ); rservers connected to the 3560 need to be load balanced by the ACE (Layer 3 LB).
Is this possible, and is this the best way to do it? How do the rest of you tackle the DMZ LB dilemma if the LB is on the inside network?
Are there security issues I need to be thinking of?
Appreciate your time.
You can operate your ACE strictly as an LB device. If you want to use LB only, you must configure certain parameters and disable some of the ACE security features as described in the below URL. By default, the ACE performs TCP/IP normalization checks and ICMP security checks on traffic entering the ACE interfaces. Using the following configuration will also allow asymmetric routing as required by your network application.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/overview.html#wp1004320
Similar Messages
Cisco ACE loadbalancing matching more than one header in L7 class map
Dear All,
This is regarding Cisco ACE load balancing matching more than one header in an L7 class map. I have a small setup with an ACE 30 module in a Cisco 6500. I have got three web servers. Presently I have the following configuration, where I am matching one URL header:
class-map type http loadbalance match-all L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
So for the above configuration, when traffic is coming for abhisar.com, it is working fine.
Now I have the following headers, and the DNS entry is pointing to the same virtual IP for all HTTP URL headers, same as abhisar.com:
abhisarindia.com
indiaabhi.com
So the new configuration will be:
class-map type http loadbalance match-any L7_WEB_HEADER_MATCH
description MATCH THE HOST HEADER OF HTTP REQUEST
2 match http header Host header-value ".*abhisar.com*"
4 match http header Host header-value ".*abhisarindia.com*"
6 match http header Host header-value ".*indiaabhi.com*"
So I just want to confirm that this is fine.
Thank You,
Abhisar.
Dear Rajesh,
Thank you for reply. I will let you know once I carry out this activity.
Thank You,
Abhisar.
Hi - I'm designing the network topology for a multi-tiered application using a 6509 with ACE and FWSM. Each tier will be in its own VLAN and IP subnet, and communications between tiers need to be firewalled and in some cases load balanced.
I propose to do this by using a different context on both the ACE and the FWSM and using bridging mode within each context on both the FWSM and ACE, as per Cisco's verified design for ACE/FWSM. It's perfectly feasible that a connection could be made, for example, to a server in the web tier, which would then need to make a connection to a server in the Application tier, which would in turn need to make a connection to a server in the database tier.
As far as I can see, the design I've proposed should work. Is anyone in a position to comment on whether there is anything wrong with this design, or a better way to do it?
There is no NAT to consider within this network
I've attached a JPG showing an example of the sort of connectivity that could be expected.
Many Thanks in advance
Thanks for your responses. I'm half way through implementing this and there have been no problems so far.
With regard to design & config notes for this, this document has most of what you need: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf
Standby cisco ACE loadbalancer issues (network connectivity)
Hi ALL,
We are having issues with the secondary (standby) load balancer ACE module on a 6500 switch. We see that the load balancer is not able to get onto the network, which leads to problems with fault tolerance as well. Following is the FT status found on the load balancer for one of the contexts (this is the same pattern seen on all the contexts):
switch/Admin# sh ft group status
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
Peer State : FSM_FT_STATE_UNKNOWN
Peer Id : 1
No. of Contexts : 1
sh arp on all the contexts shows the gateway/rservers to be unreachable. Please find the screenshot below for one of the contexts (the same pattern is seen on the LB for all other contexts):
switch/1_Context# sh arp
Context CSD_Context
================================================================================
IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status
================================================================================
172.21.128.97 00.00.00.00.00.00 vlan942 GATEWAY - dn
172.21.128.103 00.0b.fc.fe.1b.09 vlan942 ALIAS LOCAL _ up
172.21.128.105 00.12.43.dc.93.23 vlan942 INTERFACE LOCAL _ up
7.0.0.4 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
- 7.0.0.6
172.21.147.196 00.0b.fc.fe.1b.09 vlan943 ALIAS LOCAL _ up
172.21.147.198 00.12.43.dc.93.24 vlan943 INTERFACE LOCAL _ up
172.21.147.200 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
172.21.147.202 00.00.00.00.00.00 vlan943 RSERVER - * 2 req dn
172.21.147.204 00.00.00.00.00.00 vlan943 RSERVER - dn
172.21.147.206 00.00.00.00.00.00 vlan943 RSERVER - dn
172.21.147.208 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
172.21.147.210 00.00.00.00.00.00 vlan943 RSERVER - * 2 req dn
172.21.147.212 00.00.00.00.00.00 vlan943 RSERVER - * 1 req dn
172.21.147.214 00.00.00.00.00.00 vlan943 RSERVER - * 1 req dn
172.21.147.216 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
7.0.0.1 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
- 7.0.0.3
The problem is that we see it only on the secondary load balancer; the primary is just running fine.
Also I can see some traffic denial in the Admin context for resource usage:
switch/Admin# sh resource usage
Allocation
Resource Current Peak Min Max Denied
Context: Admin
conc-connections 9 9 160000 6560000 0
mgmt-connections 0 46 2000 82000 0
proxy-connections 0 4 20972 859830 0
xlates 0 0 20972 859830 0
bandwidth 0 17715713 10000000 535000000 5799749
throughput 0 17710993 10000000 410000000 5799749
mgmt-traffic rate 0 4720 0 125000000 0
connection rate 0 43 20000 820000 0
ssl-connections rate 0 0 100 4100 0
mac-miss rate 0 1 40 1640 0
inspect-conn rate 0 0 120 4920 0
acl-memory 56336 56336 1570072 64460552 6
sticky 0 0 83886 0 0
regexp 0 0 20972 859832 0
syslog buffer 82944 82944 82944 3447808 0
syslog rate 0 44 2000 82000 25
Context: INTEGRATION_Context
conc-connections 0 3934 160000 0 0
mgmt-connections 0 98 2000 0 0
proxy-connections 0 33 20972 0 0
xlates 0 0 20972 0 0
bandwidth 0 10019910 10000000 125000000 40857
throughput 0 10000000 10000000 0 40857
mgmt-traffic rate 0 19910 0 125000000 0
connection rate 0 49 20000 0 0
ssl-connections rate 0 0 100 0 0
mac-miss rate 0 32 40 0 0
inspect-conn rate 0 58 120 0 0
acl-memory 11920 11920 1570072 0 0
sticky 0 1 83886 0 0
regexp 0 0 20972 0 0
syslog buffer 0 82944 82944 3447808 0
syslog rate 0 312 2000 0 0
These two contexts above are the only ones which have bandwidth resource usage exceeding the limit, but I am somehow not sure if this is the issue. As there is just no traffic on the secondary, how can the bandwidth reach the threshold? Can anyone throw some light on the issue below?
thanks and regards
kiran
VLANs on Standby_ACE switch:
svclc multiple-vlan-interfaces
svclc module 1 vlan-group 1,4,12,13,
svclc vlan-group 1 968
svclc vlan-group 12 132
svclc vlan-group 13 367-372,374,375,379,380,538,805,807,808,818,913,915
svclc vlan-group 13 917-920,922-924,933,934,937,938,942-949,972,976-979,983
svclc vlan-group 13 984
ip subnet-zero
no ip source-route
vlans on standby ACE
switch/Admin# sh vlans
Vlans configured on SUP for this module
vlan132 vlan360 vlan367-375 vlan379-380 vlan538 vlan805 vlan807-808 vlan818 vlan913 vlan915 vlan917-920 vlan922-924 vlan930 vlan933-934 vlan937-938 vlan942-949 vlan968 vlan971-972 vlan976-979 vlan983-984
switch/Admin#
Active_LB_host_switch is the switch hosting the active ACE; it's connected on Ten7/4 and Ten8/4, which are bundled into port-channel Po72.
CDP neighbor hosting the active ACE:
Active_LB_host_switch
Ten 7/4 148 R S I WS-C6513 Ten 7/4
Active_LB_host_switch
Ten 8/4 156 R S I WS-C6513 Ten 8/4
Po72 allows all the VLANs which are configured for the ACE modules:
Port Vlans allowed on trunk
Po72 132,140,181,359-383,538,668,702,805-808,815-816,818-820,836,907,909-920,922-925,
929-935,937-949,967-973,976-984,987,3212
VLAN 968 is the FT VLAN and it has been allowed on the trunk port.
Everything looks good to me but I'm still not sure why the ACE module isn't coming onto the network. It was working fine a few months back but all of a sudden it lost network connectivity. I am not even able to ping the physical IP of the ACE module.
thanks and regards
kiran
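To turn outputs like the two in this post into something a monitoring job can alert on, here is an added Python example (not from the post and not Cisco's code) that parses the `sh arp` and `sh resource usage` text as shown and reports GATEWAY/RSERVER ARP entries that are down plus any resource whose Denied counter is non-zero. The sample input is trimmed from the post's own output; the whitespace-separated column layout is assumed to be what the module prints.

```python
import re

# Sample input: lines trimmed from the sh arp / sh resource usage output in the post above
SH_ARP = """\
172.21.128.97 00.00.00.00.00.00 vlan942 GATEWAY - dn
172.21.128.103 00.0b.fc.fe.1b.09 vlan942 ALIAS LOCAL _ up
7.0.0.4 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
- 7.0.0.6
172.21.147.200 00.00.00.00.00.00 vlan943 RSERVER - * 3 req dn
172.21.147.204 00.00.00.00.00.00 vlan943 RSERVER - dn
7.0.0.1 00.0b.fc.fe.1b.09 vlan943 NAT LOCAL _ up
"""

SH_RESOURCE = """\
Context: Admin
conc-connections 9 9 160000 6560000 0
bandwidth 0 17715713 10000000 535000000 5799749
throughput 0 17710993 10000000 410000000 5799749
syslog rate 0 44 2000 82000 25
Context: INTEGRATION_Context
bandwidth 0 10019910 10000000 125000000 40857
throughput 0 10000000 10000000 0 40857
syslog rate 0 312 2000 0 0
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")
ZERO_MAC = "00.00.00.00.00.00"


def unresolved_arp(text):
    """Return (ip, type, interface) for GATEWAY/RSERVER entries that are down.

    An entry counts as down when its Status column is 'dn' or its MAC is all
    zeros, i.e. the ACE never received an ARP reply for that next hop."""
    down = []
    for line in text.splitlines():
        f = line.split()
        # Skip headers, separators and NAT-pool continuation lines ("- 7.0.0.6")
        if len(f) < 6 or not IPV4.match(f[0]):
            continue
        ip, mac, iface, kind, status = f[0], f[1], f[2], f[3], f[-1]
        if kind in ("GATEWAY", "RSERVER") and (status == "dn" or mac == ZERO_MAC):
            down.append((ip, kind, iface))
    return down


def denied_resources(text):
    """Return {(context, resource): denied} for rows with a non-zero Denied count.

    Resource names may contain a space ("syslog rate"), so the five numeric
    columns (Current Peak Min Max Denied) are taken from the right."""
    ctx, denied = None, {}
    for line in text.splitlines():
        if line.startswith("Context:"):
            ctx = line.split(None, 1)[1].strip()
            continue
        f = line.split()
        if len(f) < 6 or not all(x.isdigit() for x in f[-5:]):
            continue
        count = int(f[-1])
        if count:
            denied[(ctx, " ".join(f[:-5]))] = count
    return denied


if __name__ == "__main__":
    for ip, kind, iface in unresolved_arp(SH_ARP):
        print(f"ARP down: {kind} {ip} on {iface}")
    for (ctx, res), n in denied_resources(SH_RESOURCE).items():
        print(f"Denied: context {ctx} resource {res} = {n}")
```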
How to test a cisco ACE loadbalancer.
Hello guys, I am new on this site. I have deployed a Cisco ACE 4710 load balancer, and it is load balancing 2 real servers. Is there any way or commands I can use to see if it is load balancing properly?
"show serverfarm" will show you the load-balanced connections to each real. Also try "show service-policy <> class-map <> detailed" and check client and server hits counts.
"show connection" also. -
To pursue ACE (graphic design) or pursue Web Design knowledge
I have over 15 years of graphic design experience (corporate and non-profit sector) in the print world. I have about 5 years of basic web maintenance. At this point I'd like to take the next step in the professional world. Shall I pursue ACE (likely focused on InDesign) or take the time to learn all about web design? Any suggestions are welcomed, thanks in advance.
Sorry... This forum is to discuss how the forums operate, not specific products.
You need to ask your question in the forum for the Adobe product you are using.
Please go to http://forums.adobe.com/index.jspa and select the forum you need.
Ace Loadbalancing of Forefront UAG Direct Access Connections
Hi All,
Has anyone managed to successfully load balance Microsoft DirectAccess connectivity for Teredo and HTTPS connections? It looks like a big issue; I have configured it at the moment and testing is unsuccessful, so I'm looking for pointers.
This is the Microsoft gumpf on the external loadbalancing:
http://technet.microsoft.com/en-us/library/ee690463.aspx
Regards
Adrian
Hi Adrian,
I think this MS blog post might help if your network is IPv4 capable only and you have just one ACE doing the LB in front of the UAG array:
http://xrl.us/bkzs5n
HTH
Pablo
ACE loadbalancing : cannot get to the same farm with http / ssl ?
Hello there,
I configured 2 farms, and one call on a specific host address is redirected to farm 2.
This is working, but only for HTTP traffic : for HTTPS, it's redirected to farm 1 !
I need help, if someone can help...
I post my configuration here :
probe tcp PROBE_TCP
  interval 30
rserver host MTP01
  ip address 172.16.0.1
  inservice
rserver host MTP02
  ip address 172.16.0.2
  inservice
rserver host MTP03
  ip address 172.16.0.3
  inservice
serverfarm host FARM01
  predictor leastconns
  probe PROBE_TCP
  rserver MTP01
    inservice
  rserver MTP02
    inservice
serverfarm host FARM02
  predictor leastconns
  probe PROBE_TCP
  rserver MTP02
    inservice
  rserver MTP03
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
class-map match-all CLASSMAP_L3L4
  2 match virtual-address 178.xx.xx.xx tcp eq www
class-map type http loadbalance match-all CLASSMAP_L7
  3 match http header Host header-value "theurloftheserver.com"
class-map match-all L4-HTTPS-IP
  2 match virtual-address 178.xx.xx.xx tcp eq https
class-map match-all L4-WEB-IP
  2 match virtual-address 178.xx.xx.xx tcp eq www
policy-map type loadbalance http first-match HTTPS_POLICY
  class CLASSMAP_L7
    serverfarm FARM02
  class class-default
    serverfarm FARM01
    insert-http x-forward header-value "%is"
policy-map type loadbalance http first-match WEB_L7_POLICY
  class CLASSMAP_L7
    serverfarm FARM02
  class class-default
    serverfarm FARM01
    insert-http x-forward header-value "%is"
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
  class L4-HTTPS-IP
    loadbalance vip inservice
    loadbalance policy HTTPS_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2369
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
What is really weird is that traffic to HTTP (CLASSMAP_L7) is OK, so I don't get it: this should match on HTTPS_POLICY, where am I wrong?
Thanks a lot!
Hi,
You are not getting match for https since with https header would be encrypted and ACE cannot read the URL and defaults to Farm01. HTTPS is encrypted HTTP.
ACE should be able to decrypt the traffic to look into the packet and take decision. SSL termination on ACE is a feature for that. I would recommend going to the SSL guide for more details.
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/ssl/guide/terminat.html
Regards,
Kanwal
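As an added illustration (not code from either thread and not Cisco's) of how the class-maps and first-match policies in the Abhisar thread and in this HTTPS thread pick a serverfarm: this Python model evaluates Host header-value regexes under match-any, shows that the unescaped `.` and trailing `*` in the posted patterns accept more hosts than the three intended ones, and reproduces Kanwal's point that an HTTPS request the ACE has not terminated exposes no Host header and so falls to class-default. It assumes ACE header-value expressions use the same `.`, `*`, `^`, `$` and `\` semantics as Python's re module.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpClassMap:
    """Model of 'class-map type http loadbalance': Host header-value regexes
    combined match-any (default here) or match-all."""
    name: str
    patterns: list
    match_all: bool = False

    def matches(self, headers):
        # headers is None when the ACE cannot see them, e.g. HTTPS without
        # SSL termination on the ACE: nothing can match an encrypted Host header.
        if headers is None:
            return False
        host = headers.get("Host", "")
        hits = [re.search(p, host) is not None for p in self.patterns]
        return all(hits) if self.match_all else any(hits)


def first_match(policy, headers):
    """Model of 'policy-map type loadbalance first-match': try each
    (class-map, serverfarm) in order, then fall through to class-default."""
    for cmap, farm in policy["classes"]:
        if cmap.matches(headers):
            return farm
    return policy["default"]


# Abhisar's match-any class map, patterns exactly as posted
L7_WEB_HEADER_MATCH = HttpClassMap("L7_WEB_HEADER_MATCH",
    [r".*abhisar.com*", r".*abhisarindia.com*", r".*indiaabhi.com*"])

# Tightened equivalent (added here, not from the post): escape the dots and
# anchor both ends so only the intended hosts, with or without www., can match.
L7_WEB_HEADER_STRICT = HttpClassMap("L7_WEB_HEADER_STRICT",
    [r"^(www\.)?abhisar\.com$", r"^(www\.)?abhisarindia\.com$",
     r"^(www\.)?indiaabhi\.com$"])

# This thread: CLASSMAP_L7 sends theurloftheserver.com to FARM02; everything
# else, including requests whose headers are invisible, goes to FARM01.
CLASSMAP_L7 = HttpClassMap("CLASSMAP_L7", [r"theurloftheserver.com"])
HTTPS_POLICY = {"classes": [(CLASSMAP_L7, "FARM02")], "default": "FARM01"}


def farm_for(policy, host):
    """Serverfarm chosen for a request; host=None models an HTTPS request the
    ACE has not terminated, so no Host header is available for matching."""
    headers = None if host is None else {"Host": host}
    return first_match(policy, headers)


if __name__ == "__main__":
    for h in ["abhisar.com", "www.indiaabhi.com", "abhisar.co", "abhisar-com"]:
        print(h, L7_WEB_HEADER_MATCH.matches({"Host": h}),
              L7_WEB_HEADER_STRICT.matches({"Host": h}))
    print("HTTP theurloftheserver.com ->", farm_for(HTTPS_POLICY, "theurloftheserver.com"))
    print("HTTPS (no visible header) ->", farm_for(HTTPS_POLICY, None))
```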
ACE Loadbalancing Microsoft's "Lync 2010"
Greetings. My Enterprise/Email team is looking to implement Microsoft's Lync 2010 series of products. They provided a link http://technet.microsoft.com/en-us/lync/gg269419 that indicates the ACE has yet to be tested by Cisco for use with this product. We currently have two 4710's in a failover deployment. Can anyone confirm that Lync 2010 will work with ACEs, or point me in a direction that I could use to provide the Enterprise team documentation on ACE LB'ing of the Lync platform? My searches have turned up very little.
Thanks,
-b
Brian,
To get a definite answer you will probably need to talk to your local Cisco account manager. However, I checked our old cases database and there are customers running Lync through the ACE. The only consistent issue appears to be a requirement to configure "loadbalance vip udp-fast-age" due to the way that Lync returns the server IP address in a UDP reply.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/command/reference/policy.html#wp1393857
Most other issues are basic config (not Lync related).
Matthew
A Design Dilemma by a net Admin turning into Architect
In a big hierarchical network architecture (Core-Distribution-Access), is it right to have OSPF routing running on the core switches? I mean... should I build a high-speed L2 core, or should I connect the core to the different distribution layers using small interconnection subnets (interface VLANs) and a routing protocol (OSPF)? In this case, is the use of a distributed default route originated by all core switches suggested?
If you are starting from scratch consider a High Availability Routed Campus Design completely Layer3 all the way up to the Access Layer. You will be able to have multiple VLANs at each Access switch with no Spanning Trees.
Run EIGRP with Access switches as Stubs. Summarize Access routes on the Distribution to Core, and the Core summarizes Distribution routes to WAN, Datacenter, and Internet Layers.
As the previous poster mentioned, OSPF is an option too, but this requires manual tuning of the timers to match the convergence time of EIGRP.
Do not put dual supervisors in the Distribution or Core layers, only the Access Layer (assuming a chassis based Access). Dual Sups in the Dist/Core slows down convergence in a High Availability Routed Campus design.
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns432/c649/ccmigration_09186a00805fccbf.pdf
Give a read to the linked document.
Please rate all helpful posts.
Regards,
Brad
Design Dilemma - create sophisticated page
Hi,
Sometimes the solution for a specific problem just eludes you, so in this circumstance I'm falling at the feet of the group to beg for inspiration please.
The application I'm tinkering with is for our local junior Ice Hockey club.
I have a database table called "teams", and there's one record per unique team in the club.
Now I want to make a "display" page that only shows one team - a sort of Report but limited to only a single record. With the wizards, this is easily achievable, but here's the rub: I want it to look more sophisticated than a single line in a page - I want to make this single row report look much more like a Form, or even more sophisticated if possible.
I could use the Form wizard then switch off all updating capability, but I don't want to stray near any "update" code - this will be a read-only page for the end users to view.
How would I tackle this problem - do I create separate Items and have each of them perform a query on the database to retrieve their single piece of data? This doesn't sound optimal.
If folks could just point me in the right direction I will stumble off down the given route...
Thank you in advance for any kind replies.
Regards
Mungo
Thanks for the reply.
I had (and probably still have) a vague notion regarding "Themes" and "Templates", so the natural reluctance was to stay away from the scary unknown stuff... :-)
I've now tinkered with the system and created my own report template. Just waiting for further inspiration to make it look "nice"...
Many thanks again.
Regards
Mungo
Ace loadbalancer alerting (4710 standalone unit)
Hello
I wondered if someone can help me with this query.
If I set up a VIP with rate-limiting, I want to be able to send the ops team an alert to say the threshold has been reached. Is this possible by syslog or SNMP traps? Or what is the best way to achieve this?
Thanks
Hi
Thanks Gaurav, below are the two configs for rserver or VIP rate limiting; it's a similar config and I'm hoping it does generate a log. I guess I will have to test this out and find out. Do you have to configure anything additional, or will it just send the syslog message if a syslog server is configured?
Also, once the threshold is reached, is all other traffic discarded? How does the server reset its status to receive traffic again?
rserver-based rate limiting:
serverfarm host api-farm
rserver api-server
rate-limit connection 300
Vserver-based rate limiting:
parameter-map type connection api-map
rate-limit connection 300
policy-map multi-match vlanx-vips
class VIP80
connection advanced-options api-map
Thanks
ACE: design/config question: trans.slb + slb + mngt
Hi,
Could this ACE setup/design work?
I want PROXIED sessions (to VIP proxy 10.0.0.10) to be load balanced.
All other sessions (e.g. to some public IPs) will have to be transparently load balanced to the proxy servers, thus no destination NAT.
ACE is inline between firewalls and proxy servers.
Vip definitions:
class-map match-all P_PXYVIP_VS_LB
2 match virtual-address 10.0.0.10 255.255.255.255 tcp 8080
class-map match-all P_PXYTRANS_VS_LB
2 match virtual-address 0.0.0.0 0.0.0.0 tcp any
Question in this case: would it still be possible to have management sessions towards the proxy servers (physical IP addresses of the proxies) routed by the ACE?
Probably the class map PXYTRANS is catching those sessions also.
Are there other design/config solutions to solve this one?
Thank you!
Wim
Let me repose the question:
How could one still be able to access the real server IP (which is directly connected to the ACE) for management, knowing that there is 1 VIP which (normally) load balances to the real servers, and there is 1 VIP 0.0.0.0 tcp any which is configured to catch all other traffic to be transparently load balanced?
The VIP 0.0.0.0 is always catching the sessions which need only to be routed to the real servers' IP.
ACE: SourceIP-based Loadbalancing
Hi There,
I'm new to this forum and have a question regarding ACE Loadbalancing based on Source-IP.
The customer wants their internal clients to have full access to the VIP, while clients from the Extranet should be limited/redirected to a special URL.
Both (internal/Extranet) should use the same VIP and the same real servers (costs). So far I have only seen configuration examples where, based on source IP, requests were sent to a different serverfarm with different real servers.
Could I rewrite the URL based on source address as well?
Thanks in advance,
Anke
Hi Pablo,
I tried to adopt your configuration, but get a redirection error (never-ending redirection). Maybe I did not explain in enough detail... I want to have a class like your "Internal", based on source IP. These clients should use rservers like your Web-1 and Web-2 in serverfarm HTTP, but restricted to only one subdomain. All others should use every subdomain possible. My class is called Wiki_Extranet.
I tried the following, but it does not seem to completely work as I wanted:
rserver redirect Wiki_Extranet_Redirect
webhost-redirection http://7it.wiki.intra.de
inservice
serverfarm redirect Wiki_Extranet_Redirect
rserver Wiki_Extranet_Redirect
inservice
serverfarm host Wiki_SF
probe HTTP_Wiki
probe PING_Wiki
rserver Wiki1
inservice
rserver Wiki2
inservice
rserver Wiki3
inservice
sticky http-cookie JSESSIONID Wiki_http_stickgroup
replicate sticky
serverfarm Wiki_SF
class-map type http loadbalance match-any Wiki_Extranet
10 match source-address 10.127.31.68 255.255.255.255
class-map match-all VIP_Wiki_http
description filter http traffic
2 match virtual-address 10.37.13.10 tcp eq www
policy-map type loadbalance first-match LB_Wiki_http
class Wiki_Extranet
serverfarm Wiki_Extranet_Redirect
nat dynamic 401 vlan 401 serverfarm primary
class class-default
sticky-serverfarm Wiki_http_stickgroup
nat dynamic 401 vlan 401 serverfarm primary
policy-map multi-match Wiki_Balancing
class VIP_Wiki_http
loadbalance vip inservice
loadbalance policy LB_Wiki_http
loadbalance vip icmp-reply active
loadbalance vip advertise active
appl-parameter http advanced-options HTTP_Parameter
If you had time to have a look, would be so helpful.
Thank you - Anke
ACE: Server-to-Server loadbalancing
Dear All,
I have to provide ACE load balancing for a new multi-tier application which has server-to-server load balancing.
The user communicates with load-balanced web servers which in turn communicate with load-balanced application servers. I don't have the freedom to change existing IP addresses and I have to use source NAT to prevent asymmetric traffic. Can I achieve the load balancing in one context or do I need separate contexts for web and app? The diagram illustrates the server relationships.
Thank you
Cathy
You could do everything in one context. I have a similar setup and I used multiple contexts in order to keep the individual configs smaller and simpler; large configs on the ACE can get complicated and ugly :) I set up the following:
APP-PROD and APP-NON-PROD non slb segments off FWSM, APP-LB-PROD and APP-LB-NON-PROD slb segments using ACE contexts. This gives app owners flexibility to use load balancing or not in parallel tiers.