ACE: Routing in addition to Loadbalancing

I'm planning to route some traffic while load balancing other traffic.
For guidance, what can I refer to for simple routing in ACE?
In addition, both the routed and the load-balanced traffic need to pass through the same VLAN in the ACE.
In the attached, steps 1, 2, 3 do load balancing via VLAN 80;
steps 4, 5, 6 do routing via the same VLAN 80.
Is simple routing possible in ACE?
Regards
SS

As long as you permit the traffic with an access-list inside the access-group, ACE will route the traffic that does not match any class-map.
This is the default and no particular config is required.
Gilles.
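
Because routing is the default for any permitted traffic that misses every class-map, the input ACL is the only control over what the ACE forwards between VLANs. The following is an added example, not part of the thread: a small audit that reads an ACE-style configuration and reports, per interface, which permit rules admit routed (non-VIP) traffic. The sample configuration, the ACL name `CLIENT_IN` and VLAN 453 are constructed for illustration; matching is by VIP address only and ignores ports.

```python
import re

# Constructed sample, modelled on the two-arm configuration style used on this page.
SAMPLE_CONFIG = """\
access-list ANYONE line 10 extended permit ip any any
access-list CLIENT_IN line 10 extended permit tcp any host 192.168.1.30 eq www
access-list CLIENT_IN line 20 extended permit icmp any host 10.198.16.2
class-map match-all VIP-30
  2 match virtual-address 192.168.1.30 tcp eq www
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
interface vlan 451
  ip address 192.168.1.2 255.255.255.0
  access-group input CLIENT_IN
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 452
  ip address 10.198.16.1 255.255.255.0
  access-group input ANYONE
  no shutdown
interface vlan 453
  ip address 10.198.17.1 255.255.255.0
  no shutdown
"""

ACL_RE = re.compile(r"^access-list (\S+) line \d+ extended (permit|deny) (.+)$")
VIP_RE = re.compile(r"^\s+\d+ match virtual-address (\S+)")
IF_RE = re.compile(r"^interface vlan (\d+)$")
GROUP_RE = re.compile(r"^\s+access-group input (\S+)$")


def parse(config):
    """Collect ACL entries, VIP addresses and each interface's input ACL."""
    acls, vips, ifaces = {}, set(), {}
    current = None  # VLAN whose interface block we are inside, if any
    for line in config.splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
            current = None
        elif m := VIP_RE.match(line):
            vips.add(m.group(1))
        elif m := IF_RE.match(line):
            current = m.group(1)
            ifaces[current] = None
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the block
        elif current and (m := GROUP_RE.match(line)):
            ifaces[current] = m.group(1)
    return acls, vips, ifaces


def routed_permits(entries, vips):
    """Permit rules whose destination is not a configured VIP address."""
    routed = []
    for action, rule in entries:
        if action != "permit":
            continue
        m = re.search(r"\bhost (\S+)(?: eq \S+)?$", rule)
        if not (m and m.group(1) in vips):
            routed.append(rule)
    return routed


def audit(config):
    """Map each VLAN to (verdict, permit rules that let routed traffic through)."""
    acls, vips, ifaces = parse(config)
    report = {}
    for vlan, acl in ifaces.items():
        if acl is None:
            report[vlan] = ("no-access-group", [])
            continue
        routed = routed_permits(acls.get(acl, []), vips)
        if "ip any any" in routed:
            report[vlan] = ("routes-anything", routed)
        elif routed:
            report[vlan] = ("routes-listed-traffic", routed)
        else:
            report[vlan] = ("vip-only", routed)
    return report


if __name__ == "__main__":
    for vlan, (verdict, rules) in audit(SAMPLE_CONFIG).items():
        print(f"vlan {vlan}: {verdict} {rules}")
```
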

Similar Messages

  • Can VIP and Rservers be in the same subnet in ACE Routed Mode

    Good Day,
    Sorry for the lengthy post.
    Currently I have a 6509s running in VSS mode with ACE30 in each chassis.
    I have 5 vlans, which the VSS is the L3 interface for each. 1 Vlan is for management, the others are the data vlans for the servers.
    The ACE is configured in bridge mode, with all VLANs going to a specific context (non Admin).
    Some of the Host on each VLANs are not utilized for load-balancing. The default gateway for each VLAN is configured on the VSS.
    I would like to setup the ACE in the routed mode, without having to change the IP address of each servers on different VLANs.
    Basically I want to turn off the SVIs on VSS and move the L3 interface on the ACE Context, and let it perform the local routing for all the hosts.
    I was going to add a new /30 L3 interface between the VSS and ACE to be utilized for default route traffic coming from the ACE Context, and static routes from VSS to ACE for traffic destined to host that are being load-balanced and not being load-balanced. Basically force the traffic through the load-balancer in/out.
    For future deployment, I was planning on using different IP address for the VIPs, and Real servers (most likely RFC 1918).
    From most of the examples I have seen the VIP and Rservers are in different Subnets. But because I am trying to not change the IP address of the rservers and VIP, I wanted to know if the VIP and Rservers can be configured to be in the same subnet where the ACE is in routed mode.
    Unfortunately I don't have a spare ACE to test scenario.
    As always any help would greatly be appreciated.
    Regards,
    Raman

    Link-local addresses are usually the self assigned IP address that a device will set when a DHCP server cannot be found. These are the addresses with 169.254.x.x subnet.
    If the router is assigning IP addresses for your network, then they will usually have a different IP subnet, possibly 192.168.0 for D-Link. And this subnet would be for the wired and wireless connections. So it would be more a case of bridging the two network topologies rather than routing them.
    The network host is busy message could be more to do with the driver and the IP protocol selected when creating the queue than the connection being broken between the Mac and printer. If you were to open Network Utility and select the Ping tab, enter the IP address of the HP and set the pings to 4, pressing the Ping button will soon show if there is a path through the wireless to the printer.
    If you get a response to the ping you could then open Safari and type the ip address as the URL. This would then connect to the internal web page of the printer and possibly let you enable an IP protocol like LPR so that you can use LPD on the Mac instead of Bonjour to connect to the printer.
    As for the driver, you could look at using a Gutenprint driver instead of the HP driver or the hpijs package to get past the limitations that some printer drivers have with network connections.

  • ACE routing mode design issue

    I need some assistance in configuring an application using routing mode on Cisco ACE.
            clients ---asa--3750--cisco ace--- servers behind vip
                                                                |
                                                              visa card transaction servers
    I am able to set up a VIP on the ACE using routing mode. As the servers need to see the client IP, we are not performing SNAT. This part is working fine.
    When a request comes from the client, it goes to the VIP and to one of the backend servers, and the request will be forwarded back to the ACE, as the default gateway on the servers points to the server VLAN on the ACE.
    But if a transaction from the servers needs to go to the Visa card transaction servers, how can we achieve this? And after fetching the data from the Visa servers, will the reply be forwarded to the ACE or to the ASAs directly?
    Or do we need to have static routes defined on the Visa servers pointing to the ASA?
    Please advise me on this.

    Clint
    No, they are in a completely different network.
    When a client hits the VIP, the request goes to the ASA.
    The ASA forwards the VIP traffic to the ACE (VIP) interface, and from there the ACE forwards the traffic to the (server VLAN) interface and on to the appropriate backend servers.
    The backend server responds back to the (server VLAN) interface and the traffic is forwarded back to the ASA.
    But when a Visa card transaction needs to take place, the farm servers need to route the traffic to the Visa servers, which will be in a different subnet range.
    Do the farm servers send the request back to the ASA, and can we configure static routes on the ASA to point to the Visa servers?
    Or can we have static routes for the Visa servers on the farm servers?
    Or can I define static routes on the ACEs for the Visa servers?

  • Example Config ACE routed mode with NAT

    Hi all,
    I have a two-arm load balancer (routed mode).
    client ->vlan100->[VIP]Loadbalancer[NAT] ->vlan200-> serverfarm
    But I have problems configuring the NAT. Can anybody show me an example configuration of a two-arm load balancer with NAT?
    Especially the access-list, class-map, policy-map and on which interface the NAT policy must be added.
    BR
    Dominik

    Hi Dominik,
    Something like this:
    access-list ANYONE line 10 extended permit ip any any
    rserver host SERVER_01
      ip address 10.198.16.2
      inservice
    rserver host SERVER_02
      ip address 10.198.16.3
      inservice
    rserver host SERVER_03
      ip address 10.198.16.4
      inservice
    serverfarm host REAL_SERVERS
      rserver SERVER_01
        inservice
      rserver SERVER_02
        inservice
      rserver SERVER_03
        inservice
    class-map match-all VIP-30
      2 match virtual-address 192.168.1.30 tcp eq www
    class-map type management match-any REMOTE_ACCESS
      description remote-access-traffic-match
      2 match protocol telnet any
      3 match protocol ssh any
      4 match protocol icmp any
    policy-map type management first-match REMOTE_MGT
      class REMOTE_ACCESS
        permit
    policy-map type loadbalance first-match SLB_LOGIC
      class class-default
        serverfarm REAL_SERVERS
    policy-map multi-match CLIENT_VIPS
      class VIP-30
        loadbalance vip inservice
        loadbalance policy SLB_LOGIC
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 452
    interface vlan 451
      ip address 192.168.1.2 255.255.255.0
      access-group input ANYONE
      service-policy input CLIENT_VIPS
      no shutdown
    interface vlan 452
      description Servers vlan
      ip address 10.198.16.1 255.255.255.0
      access-group input ANYONE
      nat-pool 1 10.198.16.5 10.198.16.5 netmask 255.255.255.0 pat
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.1.1
    Cesar R
    ANS Team

  • Sharing a VLAN between FWSM and ACE (Routed Mode)

    Anybody in here with experience on sharing a Vlan between an ACE and a FWSM module?
    I have a transfer network between the ACE and the FWSM in the same chassis. FWSM gets several vlans and ACE gets some Vlans.
    I wanted to configure it like this.
    firewall vlan group 10 <FWSM only vlans>
    firewall vlan group 20 <shared FWSM and ACE vlan>
    or
    svclc vlan group 20 <shared FWSM and ACE vlan>
    svclc vlan group 30 <ACE only vlans>
    The design hides the client side network and the server side network for the ACE behind the FWSM module.
    Layout:
    |-- Clients <--> MSFC <--> FWSM <--> ACE <--> Server --|
    So allocation on the 65xx would be like this.
    firewall module n vlan-group 10,20
    svclc module n vlan-group 20,30
    Any obvious issues with this design if you share the vlan(s) referred in group 20 with both modules?
    FWSM and ACE will be in routed mode.
    Thanks for reading...
    Roble

    Never mind...
    Just found the perfect answer for this in another posting from Syed.
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Data%20Center&topic=SNA%20Data%20Center%20Networking&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1dddee0b/0#selected_message
    Roble

  • ACE routed mode design issue

    I am configuring ACE in routing mode.
    Below is my ACE interface config.
    interface vlan 28
      description "CLIENT VLAN"
      ip address 192.168.10.11 255.255.255.248
      peer ip address 192.168.10.12 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    interface vlan 29
      description "SERVER VLAN"
      ip address 192.168.10.19 255.255.255.248
      peer ip address 192.168.10.20 255.255.255.248
      mtu 1500
      mac-sticky enable
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      service-policy input POLICY
      no shutdown
    When I configure my servers in VLAN 29 and point the default gateway to 192.168.10.19, it works fine with no issues. But when this ACE goes down and the standby becomes active, my servers' default gateway will still be pointing to 192.168.10.19. Do I need to manually change it to .20,
    or can I configure HSRP? Please advise me on this.

    Hi ,
    Yes the alias should be set as gateway for the servers.
    The alias is a shared address between the peers. This address will be on the ACTIVE ace. 
    Regards
    Dan

  • ACE Routed Mode - Servers

    Is it possible in a routed setup for clients to talk to the servers in the Server Farm directly? IE - Not through the VIP. IE - I want to ping the real server or access a file share, etc.
    As you know, in a routed setup, the server gateway is the ACE. It appears that when I try to talk to the server directly, the server talks back to the ACE and traffic is dropped/lost.
    I ask because our servers run many applications. I need to load balance to just one of the applications (WWW) but not to the other several apps that are running.

    Yes it is possible.
    You need to have an ACL applied to ACE that allows traffic to the real servers.
    Your upstream routers should be configured such that they route the traffic destined to the real servers to the ACE.
    Syed Iftekhar Ahmed

  • ACE router or source NAT

    Can anyone tell me what the best practice is for the ACE 4710 appliance. Should I deploy it in routed mode or source NAT mode. And what can be the pros and cons of each method....

    The advantage of running SNAT is that the ACE is deployed in "one-arm" mode. In this deployment the advantage is that the ACE does not have to process all traffic, as opposed to being directly in the transit path when deployed inline (routed).
    In one-arm mode you can use either PBR or SNAT for server return traffic. One-arm mode also allows for direct server return, but limited to L4 load balancing.
    In routed mode the ACE acts as the server default gateway.
    Routed mode is the easier of the two to configure.

  • ACE routed mode

    Two ACE load balancers are set up as active/standby in routed mode.
    serverfarm host s1
      predictor leastconns
      probe PROBE_HTTP
      rserver app1
        inservice
      rserver app2
        inservice
    class-map match-all s1_CLASS
      2 match virtual-address 10.12.7.11 tcp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    policy-map type loadbalance first-match s1_POLICY
      class class-default
        serverfarm s1
    policy-map multi-match POLICY
      class s1_CLASS
        loadbalance vip inservice
        loadbalance policy s1_POLICY
        loadbalance vip icmp-reply active
    We had one connection from a client to the app2 server.
    We performed a code upgrade on LB2 and did a switchover to make LB2 active. The client connection was still on the app2 server.
    When LB1 was upgraded and made primary, the connection was still on app2.
    But after a couple of minutes we were seeing the connection on app1 instead of app2.
    Please help me on this.

    Hi,
    What you saw is totally expected behavior.
    What happens is that the ACE will keep the connections active and they will be served until either the connection is closed by the client (by closing the browser) or it times out due to inactivity. Then, if you switch over to another ACE, all "NEW" connections will be handled by the new master ACE, since there's no reason to send the traffic to the previous master ACE because it is no longer the primary.
    Again, this is expected.
    Hope this helps
    Jorge

  • ACE Routed mode - cannot see serverside network

    Hi all,
    I'm having a problem with the first context I've set up in pure routed mode without NAT. Taking advice from this forum I've defined the interface for the serverside VLAN only in the ACE context. Trouble is this doesn't seem to have propagated into the routing table.
    The ACE can see the servers - they are in the ARP cache and can be PINGed from the context.
    A show IP route on the 6500 doesn't find the serverside subnet in the routing table.
    Am I missing something obvious. I've attached the config if that helps.
    Thank you
    Cathy

    I am not sure what your question is.
    Are you not seeing the VIPs in the 6500 routing table? If it's about the VIP, RHI (route health injection, "loadbalance vip advertise") should take care of it.
    Or do you want to see the server VLAN in the routing table of the 6500?
    If that's the case then that is not going to happen. You will have to add static routes and redistribute them in the network (on the upstream router).
    Syed Iftekhar Ahmed

  • ACE Routing Load-Balance problem

    I'm trying to configure a routing load-balance with Cisco ACE Module based on the following scenario:
    Local users have a router (R1) as their default gateway. This router (R1) has a default route to the VIP that represents the serverfarm with two Linux servers that should be used for data shaping over the WAN. I need to balance the traffic over the two Linux servers and not necessarily over the WAN.
    The problem is that when I set the local network router's default route to the VIP, the routing process simply stops working! If I change the route to the real server IP address, everything starts working again without any problem.
    The configs follow:
    Local network Router - Static route
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    The ACE configs follow:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    access-list 100 line 8 extended permit ip any any
    rserver host rout001
      ip address 10.0.0.32
      inservice
    rserver host rout002
      ip address 10.0.0.31
      inservice
    serverfarm host BLC_ROUTING
      predictor leastconns
      rserver rout001
        inservice
      rserver rout002
        inservice
    class-map match-any VIP
      2 match virtual-address 10.0.0.1 any
    class-map type management match-any mgmt
      2 match protocol icmp any
      3 match protocol telnet any
      4 match protocol ssh any
    policy-map type management first-match access
      class mgmt
        permit
    policy-map type loadbalance first-match INT_router
      class class-default
        serverfarm BLC_ROUTING
    policy-map multi-match VIP
      class VIP
        loadbalance vip inservice
        loadbalance policy INT_router
        loadbalance vip icmp-reply
    interface vlan 6
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface vlan 8
      bridge-group 10
      access-group input 100
      service-policy input access
      service-policy input VIP
      no shutdown
    interface bvi 10
      ip address 10.0.0.5 255.255.255.0
      no shutdown
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    I tried to change some parameters, like "transparent" in the serverfarm config, and to change the "predictor" method to "hash address source", but there were no good results at all.
    Does anyone have any idea why this process is not working?
    Is there any special configuration for this scenario?
    Regards,
    Ricardo

    Ricardo,
    What is this route?
    ip route 0.0.0.0 255.255.255.0 10.0.0.1 (VIP address)
    You can't have 0.0.0.0/24.
    You must be missing something?
    Also, since the VIP is part of a VLAN with subnet 10.0.0.0/24, you don't need to add a static route to reach that VIP.
    It should normally be directly connected to your router.
    With the static route, do you see traffic coming to the ACE module?
    Does it load balance to the server?
    Run 'show service-policy detail' and check the packet counters.
    Gilles.
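
To see what the route quoted in this reply actually covers, the following added example (not part of the thread) parses the posted `ip route` line, lints it, and runs a longest-prefix-match lookup against it. The connected subnet 10.0.0.0/24 is an assumption taken from the reply, the all-zero-mask line is included only for comparison, and the destination addresses are constructed.

```python
import ipaddress

# The first line is the route quoted in the thread (comment text dropped).
POSTED = "ip route 0.0.0.0 255.255.255.0 10.0.0.1"
ALL_ZERO = "ip route 0.0.0.0 0.0.0.0 10.0.0.1"   # all-zero mask, for comparison
# Assumption: the router has an interface in the VIP's subnet.
CONNECTED = [ipaddress.ip_network("10.0.0.0/24")]


def parse_route(line):
    """Return (destination network, next hop) from 'ip route NET MASK HOP'."""
    parts = line.split()
    if len(parts) < 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"not a static route: {line!r}")
    mask = int(ipaddress.ip_address(parts[3]))
    prefixlen = bin(mask).count("1")
    # A valid netmask is a run of ones followed by a run of zeros.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {parts[3]}")
    net = ipaddress.ip_network(f"{parts[2]}/{prefixlen}", strict=False)
    return net, ipaddress.ip_address(parts[4])


def lint_route(line, connected):
    """Return a list of finding codes for one static route line."""
    net, hop = parse_route(line)
    written = ipaddress.ip_address(line.split()[2])
    findings = []
    if int(written) == 0 and net.prefixlen != 0:
        # 0.0.0.0 with a non-zero mask is not a default route.
        findings.append("zero-network-nonzero-mask")
    elif written != net.network_address:
        findings.append("host-bits-set")
    if any(net.subnet_of(c) for c in connected):
        findings.append("destination-already-connected")
    if not any(hop in c for c in connected):
        findings.append("next-hop-not-connected")
    return findings


def lookup(dest, static_lines, connected):
    """Longest-prefix match: next hop, 'connected', or None when no route matches."""
    dest = ipaddress.ip_address(dest)
    table = [(c, "connected") for c in connected]
    table += [parse_route(line) for line in static_lines]
    matches = [(net.prefixlen, hop) for net, hop in table if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0])[1]


if __name__ == "__main__":
    print(lint_route(POSTED, CONNECTED))
    for dest in ("172.16.5.9", "0.0.0.200", "10.0.0.31"):
        print(dest, "posted:", lookup(dest, [POSTED], CONNECTED),
              "all-zero:", lookup(dest, [ALL_ZERO], CONNECTED))
```
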

  • 4 ACE's to get 64Gbps loadbalancing

    Hi,
    How are 4 ACE's aggregated together to combine to give a total of 64Gbps throughput?
    I have a need to loadbalance around 40G.
    Loadbalancing will be done based on Client source IP with 4 server each of 10G capability.
    This also implies that another set of ACE's are used for the FWLB feature, in order to make sure that the return traffic hits the same server.
    TIA
    Alan

    Because it's built-in to the iP4S only.  Only Apple knows why but perhaps the iP4 does not have enough processing power to run it as well as Apple requires.

  • Status-Tracking on ACE

    Hello
    On the CSM there was a feature called status tracking. Its description:
    Router(config-module-csm)# vserver
    dependent_virtserver_name
    Identifies the dependent virtual server and enters the virtual server configuration mode.
    Router(config-slb-vserver)#
    virtual ip-address [ip-mask]
    protocol port-number [service {ftp
    | rtsp | termination}]
    Sets the IP address for the dependent virtual server optional port number or name and the connection coupling and type2. The protocol value is tcp, udp, any (no port number is required), or a number value (no port number is required).
    Router(config-slb-vserver)#
    status-tracking
    tracked_virtserver_name
    Identifies the tracked virtual server. When this virtual server is taken out of service or fails, the dependent virtual server identified in Step 1 is automatically taken out of service.
    From http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csm/4.2.x/configuration/guide/mapolcy.html
    I am wondering if anyone knows of a similar feature in ACE?
    The additional complexity is that now the dependent vserver and tracked vserver are in different ACE contexts. Does anybody know if there is a way to track vservers in a different context?
    Got to admit I'm relatively new to ACE but hope this makes sense.
    Thanks for any replies in advance
    Martin

    Hi Ulrich
    Thanks for the reply. I'm not sure I was clear on my question. The PROBE would allow me to check the first service is up. What I want to do is make the internal server unavailable if the external is not PROBING correctly, or vice versa. I recognise now this is not identical to status-tracking, which operates at a VIP level.
    In an example I have two FTP servers which are dual homed with internal and external interfaces in a DMZ, both of which are load balanced using the ACE. If the external interface goes down I would want the internal real server to be marked out of service so that FTP traffic is no longer sent there, and vice versa: if the internal went down I would want to mark the external as down. The configuration in this case is that there are different contexts for the internal and external. Not saying that's ideal from a security perspective, but you can only play with the cards you're dealt!
    Thanks
    Martin

  • Basic ACE Design Question

    Hi All,
    In the network layout below, does the ACE need to be set up in routed mode to work? Can it also be set up in bridged mode in this scenario?
    Network Cloud <--> Firewall <--> ACE <--> Router <--> Server Farm.
    Any references would also be greatly appreciated.
    Thanks in advance.
    HH

    You only need the server adjacent if you do transparent load balancing, which means you do not NAT the virtual IP to the server IP.
    Instead, the servers are configured with a loopback IP address the same as the VIP on the load balancer.
    You can always bridge between 2 VLANs, and this is possible in your case.
    However, I don't see the need to insert a router between the ACE module and the servers.
    Can't you have the ACE module inserted between the router and the servers?
    Or get rid of the router and have the servers directly connected to the ACE VLAN, using the firewall as gateway?
    Gilles.

  • ACE 4710 Deployment Guidance

    Hi,
    Appreciate there may not be a right or wrong answer here, as this varies from topology to topology, but I’m looking for some notes from the field guidance here from those that have much more deployment experience.
    I have a GSS and an ACE, and its the ACE that's primarily giving me something to think about, in terms of placement and what mode to adopt.
    The traffic flow will look loosely like this:-
    Client---Internet---Firewall---GSS---ACE---Servers
    Physically, it's like this. The RED line denotes a boundary, and pretty much anything North of that is not accessible to us, we simply have a L3 trunk between our switches and "their" switches (S3/S4) and talk using EIGRP.
    There are other servers in the top tier, some that also require load balancing, some that don’t. Typically, I want to load balance https requests from the internet, to one of the 3 servers in the top half.
    I’m not sure what mode to select: routed, one arm? What about placement of the ACE? At the moment, I’ve just configured 1/1 on it and made it part of the MGMT VLAN. Its SVI exists on the S1/S2 switches, so I’m open to change as it's still all in the lab.
    What suggestions for easy deployment can you give me?

    Hi
    As you correctly mentioned, there is no right or wrong answer.
    Regarding your particular situation, I guess you should check these 2 modes:
    1) Routed
    2) One Arm
    Bridge mode doesn't make a lot of sense in your case, as you have servers somewhere behind an L3 point anyway.
    Regarding GSS: it shouldn't be considered as something between the FW and the ACE, as GSS is just a DNS server, so we can remove it from the picture completely (you don't do load balancing between GSSes on the ACE, I presume).
    So, back to our 2 modes.
    In Routed mode, the ACE can be considered a simple L3 router which can do load balancing. You can put it as an L3 hop between the FW and your routers which are doing EIGRP. So, the good thing here: with the right placement you don't need to worry about return traffic getting to the ACE (usually it's important). The bad thing: the ACE will need to process all traffic between your 2 sides, even traffic which is not supposed to be load balanced.
    One Arm mode is a bit more flexible, as in this case you redirect to the ACE only traffic which is supposed to be load balanced (by applying correct routing in your network). However, you need to make sure that return traffic from the real servers comes back to the ACE. The only way to do it is basically doing Source NAT on the ACE, so that the real servers receive packets from the ACE, not from the Internet, and send replies back to the ACE.
    A problem you may hit here: sometimes applications need to know from what IP a request came. Here it won't work. For HTTP traffic you can insert the IP into an HTTP header and then check it on the client side. For other protocols, unfortunately, the client IP will be hidden.
    Of course you can implement one mode for one set of networks/VLANs and another for another set of networks/VLANs. For comfortable management you may use different contexts on the ACE.
