CSS - must real servers be in separate Vlan?
I am to install 2xCSS11503, one at each datacentre. The objective is to give datacentre resilience for Web clients.
However, the Web server (real server) is NOT in its own Vlan and it shares it with approx 30 other hosts. Some of these other hosts feed data into the Web server, but other hosts are nothing at all to do with this application.
Apparently to move the Web server (and associated database server) into their own separate Vlan is going to be a problem (or indeed moving the other hosts off this Vlan) - because of changing IP addresses etc.
The question is, can the Web server and database server remain in the same Vlan as these other hosts when deploying CSSs?
Thanks in anticipation to any responses.
regards Mark
Mark,
it is better to have the CSS in a setup such that you have an outside (Internet) interface/vlan and an inside/private vlan.
This is because the CSS MUST see both flows of a connection - client -> server and server -> client.
With a setup as mentioned, it is always the case since to get out, the servers must go through the CSS.
This is the reason why the servers need to be in their own vlan. But it does not mean they have to be alone in the vlan. It also does not mean they must be in a vlan directly attached to the CSS. It could be several next-hops away. As long as the only exit is through the CSS.
This is what I explained in my previous post. If you share the vlan with other devices, and those devices need to use multicast [I'm not talking about the servers], then you will need a separate router to handle this traffic.
Gilles.
Similar Messages
-
I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVERs. But I cannot contact a server that is on the same VLAN as the serverfarm but doesn't belong to this serverfarm.
I thought that the traffic directed to this "spare" server shouldn't be balanced, but the bridge should permit the traffic to pass (transparent mode). Is that correct?
What does the ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
With respect to the following configuration, 10.10.10.168 isn't reachable.
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
inservice
rserver RS_WEB2
inservice
rserver RS_WEB3
inservice
rserver RS_WEB4
inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
loadbalance vip inservice
loadbalance policy HTTP
loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
loadbalance vip inservice
loadbalance policy HTTPS
loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco
Hi Francesco,
Just to add a bit more: a bridge group is very similar to routed mode, except that the ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
But also, whether in bridge or routed mode, the ACE does create flows and applies other security parameters, if configured, to the traffic. This is for security. Also, the ACE should know the MAC of the device to forward the traffic to. Can you check if the ACE has the MAC of the destination? You can also put a route in for testing purposes and see if that resolves the issue. That should probably be the quickest way to check if the ACE is creating any issue here.
Regards,
Kanwal -
CSS 11501 7.40 Monitoring the services on real servers?
Hi,
Just want to ask some basic questions. How can I monitor the services (i.e. 80 and 443) of the real servers, so that when the CSS11501 detects that one of the services of one of the real servers is down, it will not forward traffic to that server? Or is the CSS configured to monitor the services by default?
Because we are planning to upgrade one of the webservers (web01) while web02 is running: if we shut down services 80 and 443, does it affect the end-user, and will the CSS automatically redirect it to web02?
Regards,
Marlon
Here is my sample configuration
!************************** SERVICE **************************
service WEB01-79-HTTP
ip address 172.20.13.4
keepalive type tcp
keepalive port 80
active
service WEB01-79-HTTPS
ip address 172.20.13.4
keepalive type tcp
keepalive port 443
active
service WEB01-80-HTTP
ip address 172.20.13.5
keepalive type tcp
keepalive port 80
active
service WEB01-80-HTTPS
ip address 172.20.13.5
keepalive type tcp
keepalive port 443
active
service WEB01-82-HTTP
ip address 172.20.13.6
keepalive type tcp
keepalive port 80
active
service WEB01-82-HTTPS
ip address 172.20.13.6
keepalive type tcp
keepalive port 443
active
service WEB01-83-HTTP
ip address 172.20.13.7
keepalive type tcp
keepalive port 80
active
service WEB01-83-HTTPS
ip address 172.20.13.7
keepalive type tcp
keepalive port 443
active
service WEB01-79
ip address 172.20.13.4
active
service WEB01-80
ip address 172.20.13.5
active
service WEB02-82
ip address 172.20.13.6
active
service WEB02-83
ip address 172.20.13.7
active
!*************************** OWNER ***************************
owner VRL
content VIP
redundancy-l4-stateless
content WEB-HTTP1
vip address 172.20.10.85
protocol tcp
port 80
advanced-balance sticky-srcip
add service WEB01-79-HTTP
add service WEB01-82-HTTP
redundancy-l4-stateless
active
content WEB-HTTP2
vip address 172.20.10.86
port 80
protocol tcp
advanced-balance sticky-srcip
add service WEB01-80-HTTP
add service WEB01-83-HTTP
redundancy-l4-stateless
active
content WEB-HTTPS1
advanced-balance sticky-srcip
vip address 172.20.10.85
protocol tcp
port 443
add service WEB01-79-HTTPS
add service WEB01-82-HTTPS
redundancy-l4-stateless
application ssl
sticky-inact-timeout 20
active
content WEB-HTTPS2
advanced-balance sticky-srcip
vip address 172.20.10.86
protocol tcp
port 443
add service WEB01-80-HTTPS
add service WEB01-83-HTTPS
redundancy-l4-stateless
application ssl
sticky-inact-timeout 20
active
content WEB01-79
add service WEB01-79
vip address 172.20.10.79
redundancy-l4-stateless
active
content WEB01-80
add service WEB01-80
vip address 172.20.10.80
redundancy-l4-stateless
active
content WEB02-82
add service WEB02-82
vip address 172.20.10.82
redundancy-l4-stateless
active
content WEB02-83
add service WEB02-83
vip address 172.20.10.83
redundancy-l4-stateless
active
!*************************** GROUP ***************************
group WEB01-79
add service WEB01-79
vip address 172.20.10.79
redundancy-l4-stateless
active
group WEB01-80
add service WEB01-80
vip address 172.20.10.80
redundancy-l4-stateless
active
group WEB02-82
add service WEB02-82
vip address 172.20.10.82
redundancy-l4-stateless
active
group WEB02-83
add service WEB02-83
vip address 172.20.10.83
redundancy-l4-stateless
active -
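Marlon's question (how the CSS knows a service port is down, and what happens to WEB01 when ports 80 and 443 are stopped for the upgrade) is answered by the `keepalive type tcp` / `keepalive port` lines in his own configuration above: each service is checked by a TCP handshake to that port, and a service that fails the check receives no new connections. The Python below is an added illustration, not CSS code: it performs the same handshake check against local listening sockets constructed for the example, then closes one of them to show the pool shrinking to the surviving service. The service names and the `start_service`/`stopped_service` helpers are constructed for the example.

```python
import socket
from contextlib import closing
from typing import Dict, List, Tuple


def tcp_keepalive(ip: str, port: int, timeout: float = 1.0) -> bool:
    """A TCP keepalive: the service counts as up if a full TCP handshake completes."""
    try:
        with closing(socket.create_connection((ip, port), timeout=timeout)):
            return True
    except OSError:  # connection refused, timed out, host unreachable
        return False


def alive_services(services: Dict[str, Tuple[str, int]], timeout: float = 1.0) -> List[str]:
    """Probe every service and return the names that may still receive new connections."""
    return sorted(name for name, (ip, port) in services.items()
                  if tcp_keepalive(ip, port, timeout))


def start_service() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a running web service: a listening socket on a free
    local port. The kernel completes handshakes into the backlog, so no accept()
    loop is needed for the probe to succeed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def stopped_service() -> Tuple[socket.socket, int]:
    """Constructed stand-in for a service that is already down: the port is reserved
    (bound) but nobody listens on it, so a handshake to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def maintenance_demo() -> Tuple[List[str], List[str]]:
    """Stop WEB01's HTTP service while WEB02 stays up; return the pool before and after."""
    web01_http, p1 = start_service()
    web02_http, p2 = start_service()
    web01_https, p3 = stopped_service()
    services = {
        "WEB01-HTTP": ("127.0.0.1", p1),
        "WEB02-HTTP": ("127.0.0.1", p2),
        "WEB01-HTTPS": ("127.0.0.1", p3),   # already down before the upgrade
    }
    before = alive_services(services)
    web01_http.close()                      # service 80 on WEB01 stopped for the upgrade
    after = alive_services(services)
    web02_http.close()
    web01_https.close()
    return before, after
```

A TCP keepalive only proves that the port answers a handshake; a web server that accepts connections but returns errors still passes it, which is why the CSS also offers HTTP keepalives that check a page. Existing connections to the stopped service are not moved by the keepalive either; only new ones go to the survivors.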
[ACE] Real servers and VIP in the same VLAN
Hello.
I'm facing an issue because the real servers and the VIP address are in the same VLAN: when a request comes from an external client to the VIP (crossing an ASA firewall), the ACK gets back using the IP of one of the real servers instead of the VIP, so this traffic is blocked by our WAN firewall, probably due to the inspection rules.
My question is whether there is some way to make the VIP the address that ACKs those requests. Creating a new VLAN would be complicated because there are other services already running on those real servers.
Thanks a lot,
Miquel
Hi Miquel,
Please do source nat on ACE so that return traffic gets sent to ACE and not FW. Pasting an example for you.
==========================================================================
One-Armed Load Balancing with VIP, Servers, & NAT Pool on the Same Subnet
==========================================================================
login timeout 0
access-list ANYONE line 10 extended permit ip any any
rserver host SERVER_01
ip address 192.168.1.11
inservice
rserver host SERVER_02
ip address 192.168.1.12
inservice
rserver host SERVER_03
ip address 192.168.1.13
inservice
serverfarm host REAL_SERVERS
rserver SERVER_01
inservice
rserver SERVER_02
inservice
rserver SERVER_03
inservice
class-map match-all VIP-30
2 match virtual-address 192.168.1.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
description remote-access-traffic-match
2 match protocol telnet any
3 match protocol ssh any
4 match protocol icmp any
policy-map type management first-match REMOTE_MGT
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match SLB_LOGIC
class class-default
serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
class VIP-30
loadbalance vip inservice
loadbalance policy SLB_LOGIC
loadbalance vip icmp-reply active
nat dynamic 1 vlan 451
interface vlan 451
description Servers vlan
ip address 192.168.1.2 255.255.255.0
access-group input ANYONE
service-policy input CLIENT_VIPS
nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Let me know if you have any question.
Regards,
Kanwal -
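Gilles' point in the opening thread (the CSS must see both directions of a flow, so the real servers' only exit must be through it) and Kanwal's one-armed SNAT configuration above are two sides of the same problem. The following Python model is an added illustration, not part of any post and not Cisco software: it walks one client connection through a simplified stateful load balancer three ways: real servers whose default gateway is the balancer, real servers on a shared VLAN that answer the client directly, and the same shared VLAN with source NAT/PAT from a pool address as in Kanwal's example. The `Packet` and `LoadBalancer` classes, the client address and the port numbers are constructed; the VIP, real-server and pool addresses are taken from the configuration above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flag: str  # "SYN" for the client request, "SYN-ACK" for the server reply


@dataclass
class LoadBalancer:
    """Simplified stateful balancer: one VIP, a real-server list, optional SNAT pool."""
    vip: str
    reals: List[str]
    snat_ip: Optional[str] = None  # None = forward the client's own source address
    flows: Dict[Tuple[str, int, str, int], Tuple[str, int]] = field(default_factory=dict)
    rr: int = 0
    next_pat_port: int = 1024

    def client_to_vip(self, pkt: Packet) -> Packet:
        """Pick a real server round-robin, record the flow and rewrite the destination
        (and, with SNAT, the source address and port, as a PAT pool would)."""
        real = self.reals[self.rr % len(self.reals)]
        self.rr += 1
        if self.snat_ip:
            fwd_src, fwd_sport = self.snat_ip, self.next_pat_port
            self.next_pat_port += 1
        else:
            fwd_src, fwd_sport = pkt.src, pkt.sport
        # Key is what the server's reply will carry; value is the original client.
        self.flows[(real, pkt.dport, fwd_src, fwd_sport)] = (pkt.src, pkt.sport)
        return Packet(fwd_src, real, fwd_sport, pkt.dport, "SYN")

    def server_to_client(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; a reply for a flow the balancer never saw is dropped."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.flows:
            return None
        client, client_sport = self.flows[key]
        return Packet(self.vip, client, pkt.sport, client_sport, "SYN-ACK")


def server_reply(pkt: Packet) -> Packet:
    """The real server answers whatever source it saw, swapping addresses and ports."""
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport, "SYN-ACK")


def client_connect(lb: LoadBalancer, client: str, lb_is_server_gateway: bool) -> Tuple[bool, str]:
    """Run one client -> VIP connection attempt and return (accepted, reply_source).

    The reply reaches the balancer if the server's only exit is the balancer, or if the
    reply is addressed to the balancer's SNAT pool address; otherwise, on a shared VLAN,
    it goes straight to the client. A stateful firewall in front of the client (the WAN
    firewall in Miquel's thread) only accepts a reply whose source is the VIP."""
    syn = Packet(client, lb.vip, 40000, 80, "SYN")
    reply = server_reply(lb.client_to_vip(syn))
    if lb_is_server_gateway or reply.dst == lb.snat_ip:
        reply = lb.server_to_client(reply)
    if reply is None:
        return False, "dropped"
    return reply.src == lb.vip, reply.src
```

The model makes the trade-off visible: without SNAT the balancer needs the topology to guarantee symmetric return (Gilles' "only exit"); with SNAT the servers see the pool address instead of the real client, so the original client IP has to be carried some other way (for HTTP, typically an inserted header) if the servers log or filter on it.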
Real Servers not connected to ACE VLAN and Real Servers are clients accessing the VIP
Hi,
I have a very strange set up and need some help to get my config working
I have a ASA firewall with three VLANs
VLAN 1 = Internet
VLAN 2 = DMZ
VLAN 3 = Goes to ACE
On the ACE I have four VLANs
VLAN 3 = Goes to ASA
VLAN 4 = Web Server Tier
VLAN 5 = DB Tier
VLAN 6 = VIPs
Our Application team have asked us to create a new VIP on the ACE with real servers in DMZ (Server A and Server B)
And they have told us that the clients accessing the VIP will be Server A and Server B
I have always created VIPs with real servers directly connected to the ACE, not connected elsewhere.
I believe I have a big challenge of opening ports on the firewall etc. to get this setup working. Also, should I use some sort of NAT / SNAT?
Could anyone guide me on this setup please?
Raj
Hi Raj,
First of all, it is possible to add servers in the ACE which are a hop away from the ACE interfaces. Here the servers are a hop away but their VIP is part of an ACE interface subnet. The only need is that the servers' return traffic towards the client should pass through the ACE (so that the ACE can maintain states and change the source IP of the reply packet from the server IP to the VIP on which the client has requested the connection).
When the servers are a hop away and the ACE does not come in the path between server and client, then we have to do SNAT for the initial client request. This configuration will force the return traffic from the server to the ACE (as the server will see the NAT IP as the client IP).
In your case the DMZ VIP, which is created for the two real servers A and B, will be accessed by these servers only. So it is a situation of servers accessing their own VIP. For this scenario to work we have to have SNAT (no matter whether the servers are directly connected or a hop away). So the best solution here is VIP in VLAN 3, rservers for this VIP in DMZ, and SNAT the client request using a free IP in VLAN 3.
Also you have to open ports on the firewall for both the "real server probes" and the actual application ports; moreover, policy modifications on the firewall for allowing traffic from DMZ to ACE VIP, DMZ to NAT IP, and the vice versa traffic. -
How to reach real servers directly behind CSS?
Hi,
I have a webserver in the DMZ behind an application firewall and CSS. Now I need to reach the real server behind the CSS directly. Basically this is required for developers and also for the real server to communicate with the APP and DB servers within our network.
Kindly suggest.
Regards
KP
KP,
This all depends on how you have this set up. As long as the real servers have routable addresses you should be able to directly access the reals. The most common reason for this failing is simply due to routing (i.e. using private IP addresses).
If the reals are using private addresses then you could also create content rules
with public virtual ip addresses and perform a one-to-one load balancing setup
to be able to directly access the servers.
-Chip
If this answers your question please mark this as Answered. -
How to 'fail-over' CSS11503-AC when ALL 5 Reals Servers (Services) die
Hi all,
Could anyone out there possibly provide an idea/config of how it is possible to 'fail-over' a CSS11503 set-up in Active/Standby mode with "ASR" enabled when:-
- ALL your real servers (services) for a particular VIP 'die' OR the NIC is faulty.
- So NOT just 1 of the real servers, but when ALL 5 are not reachable, I need to 'failover'.
My initial thoughts are to use the "critical reporter" or "critical service" to report back to the 'active' CSS.
Anyone who has done this scenario before, please advise..
thanks
Thanks very much Syed for this. I was thinking that no-one could answer this query.
After a little testing, I set the following config in the lab and it works, but it is different to yours. I cannot seem to configure the service as "type local". When I input 'type ?' I get options such as nci-direct-return, nci-info-only, proxy-cache, redirect etc...etc.. NO 'local'...!!
Please advise.. Thanks in advance
************************* INTERFACE *************************
interface 1/1
bridge vlan 800
phy 1Gbits-FD-no-pause
interface 1/2
phy 1Gbits-FD-no-pause
bridge vlan 20
interface Ethernet-Mgmt
description "Management Interface"
interface 2/1
description "1st ASR Link"
isc-port-one
interface 2/3
description "2nd ASR Link"
isc-port-two
************************** CIRCUIT **************************
circuit VLAN800
description "FE_CORE"
ip address 192.168.83.249 255.255.255.0
ip virtual-router 1 priority 110
ip redundant-vip 1 192.168.83.148
ip redundant-vip 1 192.168.83.158
ip critical-service 1 DTSFE01
ip critical-service 1 DTSFE02
ip critical-service 1 DTSFE03
ip critical-service 1 DTSFE04
ip critical-service 1 DTSFE05
ip critical-reporter 1 Physical_if_DWN
ip critical-reporter 1 r1
circuit VLAN20
description "LBAL"
ip address 192.168.20.1 255.255.255.0
ip virtual-router 2 priority 110
ip redundant-interface 2 192.168.20.3
ip critical-service 2 DTSFE01
ip critical-service 2 DTSFE02
ip critical-service 2 DTSFE03
ip critical-service 2 DTSFE04
ip critical-service 2 DTSFE05
ip critical-reporter 2 Physical_if_DWN
ip critical-reporter 2 r1
************************** REPORTER **************************
reporter Physical_if_DWN
type critical-phy-all-up
phy 1/1
phy 1/2
active
reporter r1
type vrid-peering
vrid 192.168.83.249 1
vrid 192.168.20.1 2
active
************************** SERVICE **************************
service FE01
ip address 192.168.20.183
keepalive frequency 2
keepalive retryperiod 2
keepalive maxfailure 2
redundant-index 4
service FE02
ip address 192.168.20.184
keepalive frequency 2
keepalive retryperiod 2
keepalive maxfailure 2
redundant-index 5
service FE03
ip address 192.168.20.185
keepalive frequency 2
keepalive retryperiod 2
keepalive maxfailure 2
redundant-index 6
service FE04
ip address 192.168.20.186
keepalive frequency 2
keepalive retryperiod 2
keepalive maxfailure 2
redundant-index 7
service NWFE02
ip address 192.168.20.204
keepalive frequency 2
keepalive retryperiod 2
keepalive maxfailure 2
redundant-index 10
active
!*************************** OWNER ***************************
owner SERVICES
content DTS_192.168.83.148_443
add service DTSFE01
add service DTSFE02
add service DTSFE03
add service DTSFE04
add service DTSFE05
vip address 192.168.83.148
port 443
protocol tcp
advanced-balance sticky-srcip
redundant-index 1
sticky-inact-timeout 5
owner NW_SERVICES
content NWCS_192.168.83.158_443
add service NWCSFE01
add service NWCSFE02
vip address 192.168.83.158
protocol tcp
port 443
sticky-inact-timeout 5
redundant-index 2
advanced-balance sticky-srcip
active -
ACE module client and real servers on same subnet
I am working on an ACE load balancing implementation which has the following requirements. Can someone let me know if this can be implemented, and how?
Configuration
test context
real server vlan 233
real server subnet - 167.6.233.x
VIP vlan - 539
VIP subnet - 167.6.238.128/25
production context
real server vlan 232
real server subnet - 167.6.232.x
VIP vlan - 538
VIP subnet - 167.6.238.0/25
Load balancing is configured in routed mode with the ACE as gateway for the test and prod real server subnets (233 and 232).
Test and production servers are mixed in these subnets. So we need to configure source NAT to access the test servers in the production subnet (232) and vice versa.
Here are the scenarios and questions:
1. Clients need to access the real servers in the prod subnet (232) through a VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 539 and is working.
2. Real servers in the test subnet (233) need to access real servers in the same subnet (233) through a VIP configured in the test context (vlan 539) - this is done by SNAT at vlan 233 and is working.
3. Real servers in the prod subnet (232) need to access the real servers in the test subnet (233) through a VIP configured in the test context (vlan 539) - this appears to be working fine without any additional configuration.
4. Real servers in the test subnet (233) need to access other real servers in the prod subnet (232) through a VIP configured in the test context (539) - this is not working.
5. Real servers in the test subnet (233) need to access another real server which is not on one of the subnets behind the ACE (167.6.56.x) - this is not working.
Can we implement scenarios 4 and 5?
Hi Suresh,
I see it's a bit complex and we do not have the config at hand.
However, for scenario 4, if you apply the policy already applied on vlan 539 to interface vlan 233, then the ACE should catch the packets and apply the policy (i.e. forward the packets to the serverfarm you want).
Alessandro
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
Allowing Multicast to work between real servers behind the CSM??
Hi,
Just want to know if it is possible to use IP Multicast between real servers on a server subnet that is configured on the CSM. If so how could this be setup?
I've attached a copy of our CSM config. In particular, the server subnet in question is "vlan 386 server". The real servers belong to "serverfarm FARM-VISTA-TEST".
I suspect that maybe an interface vlan 386 needs to be created on the router, with pim sparse-mode enabled?
Any ideas?
thanks
Sheldon
The CSM does not know IP multicast, so your multicast needs to find another way to reach the servers.
You will also need a static route on the servers to point 224.x.x.x to the MSFC and keep the rest of the traffic going to the CSM.
Another solution is to use bridge mode.
Create a duplicate vlan 386 on the CSM and the MSFC.
ie:
MSFC---vlan387-----CSM-----Vlan386
On the CSM, you configure vlan387 with the same ip as vlan 386 - this will tell the CSM to bridge the 2 vlans.
Configure an ip from the same subnet on the msfc int vlan 387.
configure multicast on vlan 387.
The CSM should normally bridge all unknown traffic including multicast.
All you have to do on the servers is change the default gateway to be the MSFC instead of the CSM.
Gilles. -
Maximum number of Real Servers and Server Farms in ACE30 Module
Hi All,
Need help for below queries.
What are the maximum numbers of real servers, server farms and virtual servers I can configure on the ACE30 module?
Is there any documentation available on the Cisco site where I can check this?
Does it depend on the hardware or does it depend on the software version?
Quick response would be really appreciated.
Regards,
Rachit.
Hello Rachit,
On the ACE30 module you can have a maximum of 16,383 rservers and 16,384 serverfarms.
This is not the exact same version which you have, but here you have some additional details:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/slb/guide/rsfarms.html#wp1014522
The ACE supports a system-wide maximum of 8192 class maps, here you have the reference about it:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/classmap.html
Jorge -
ACE 4710 same real servers, different ports.
Hi! I have the following question based on a new site requirement. The following sites use the same back end servers. Names changed to protect the innocent and my finger fumbling with pretty names for my actual config.
I have two real servers being load balanced: 10.0.0.1 and 10.0.0.2
They have:
Site A URL= www.testsite.com:80
Site B URL= www.newstuff.com:81
I want Site B answering on port 81 for anything referencing the URL match for either port :80, and :81, then redirect to :81 anything that is on :80.
I want Site A answering on port 80 for anything not referencing the Site B URL.
How do I split the traffic coming in while also redirecting if only needed for the one site?
Also, one further question: how do I handle monitoring that the ports are up for each, as validation for the VIP? If either port goes down, is that going to take both of them offline?
Hi,
Since they are two different URLs, they would be resolving to two different VIPs. You can create two serverfarms with the same servers but listening on ports 81 and 80, and create a class-map for different IPs, or even the same IP, listening on ports 81 and 80. Any client coming with port 80 as destination would be load balanced to serverfarm_80, and any client coming with port 81 as destination would be load balanced to serverfarm_81.
class-map match-all Test_80
2 match virtual-address 10.1.1.1 tcp eq www
class-map match-all Test_81
3 match virtual-address 10.1.1.2 tcp eq 81
rserver r1
ip address 10.0.0.1
inservice
rserver r2
ip address 10.0.0.2
inservice
serverfarm host serverfarm_80
rserver r1 80
inservice
rserver r2 80
inservice
serverfarm host serverfarm_81
rserver r1 81
inservice
rserver r2 81
inservice
policy-map type loadbalance http first-match http
class class-default
serverfarm serverfarm_80
policy-map type loadbalance http first-match http_81
class class-default
serverfarm serverfarm_81
policy-map multi-match Test
class Test_80
loadbalance vip inservice
loadbalance policy http
loadbalance vip icmp-reply active
class Test_81
loadbalance vip inservice
loadbalance policy http_81
loadbalance vip icmp-reply active
Let me know if you have any questions.
Regards,
Kanwal
Note: Please mark answers if they are helpful. -
Localdir 416 real servers not failing..
We have a LocalDirector sitting in front of two real servers (IIS).
Load balancing works fine with both backend servers connected, and show real produces:
# show real
Real Machines:
No Answer TCP Reset DataIn
Machine Connect State Thresh Reassigns Reassigns Conns
server2:0:0:tcp 2 IS 8 0 0 0
server1:0:0:tcp 0 IS 8 0 0 0
But if one backend server is disconnected, show real does not change (No OOS, or TESTING under STATE), and nothing is displayed in syslog?
ping server1
real_server_ip_1 NO response received -- 1000ms
real_server_ip_1 NO response received -- 1000ms
real_server_ip_1 NO response received -- 1000ms
show real
Real Machines:
No Answer TCP Reset DataIn
Machine Connect State Thresh Reassigns Reassigns Conns
server2:0:0:tcp 2 IS 8 0 0 0
server1:0:0:tcp 1 IS 8 0 0 0
Is this normal?
Minimal config, just for testing:
virtual virt_ip:0:0:tcp is
real real_server_ip_1:0:0:tcp is
real real_server_ip_2:0:0:tcp is
name real_server_ip_1 server1
name real_server_ip_2 server2
name virt_ip domain
bind virt_ip:0:0:tcp real_server_ip_1:0:0:tcp
bind virt_ip:0:0:tcp real_server_ip_2:0:0:tcp
Regards,
MB
Depending on your version, here is a good document on how servers are failed and brought back on the LD.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/localdir/ld33rns/ld334con/ld3_ch01.htm#xtocid275378
"The reassign command controls how many times a connection synchronization (TCP SYN) packet from a requesting client is sent to a nonresponsive server before it is reassigned to another server. The default is three TCP SYN packets. After the third packet receives no response or a TCP RST from the server, the fourth packet is sent to another server.
Each reassign process increments the reassign tally by one. When the tally reaches the threshold value, the server is considered failed. With a default threshold value of 8, the reassign process will happen eight times before the server is considered failed."
In other words, the LD doesn't ping and check the server to see if it's up or down; it takes the client (end-user). Depending on your site, if you have a very slow active site, it could take that much more time for the LD to fail the down server.
-jan -
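To make the passive mechanism jan quotes concrete, here is a Python simulation added as an illustration (not LocalDirector software). It models only what the quoted text describes: a client SYN to a silent server is re-sent `reassign` times (default 3), the connection is then reassigned to the next server and the silent server's tally goes up by one, and at `threshold` reassigns (default 8) the server is marked out of service. The `Real` and `Director` classes, the server names and the round-robin selection are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Real:
    name: str
    answers: bool        # does the server complete the TCP handshake?
    state: str = "IS"    # "IS" = in service, "OOS" = out of service
    reassigns: int = 0   # the "No Answer Reassigns" tally shown by 'show real'


@dataclass
class Director:
    """Client-driven failure detection: no probes, only observed client SYNs."""
    reals: List[Real]
    reassign: int = 3    # SYNs sent to a silent server before reassigning (default 3)
    threshold: int = 8   # reassigns before the server is considered failed (default 8)
    rr: int = 0
    syns_sent: int = 0

    def in_service(self) -> List[Real]:
        return [r for r in self.reals if r.state == "IS"]

    def client_connect(self) -> Optional[str]:
        """One client connection. Returns the name of the server that answered, or None."""
        live = self.in_service()
        start, self.rr = self.rr, self.rr + 1
        for i in range(len(live)):
            real = live[(start + i) % len(live)]
            for _ in range(self.reassign):
                self.syns_sent += 1
                if real.answers:
                    return real.name
            # `reassign` SYNs unanswered: hand this client to the next server and
            # count one reassign against the silent one.
            real.reassigns += 1
            if real.reassigns >= self.threshold:
                real.state = "OOS"
        return None


def connections_until_failed(director: Director, name: str, limit: int = 10_000) -> int:
    """How many client connections it takes before `name` is marked OOS."""
    target = next(r for r in director.reals if r.name == name)
    count = 0
    while target.state == "IS" and count < limit:
        director.client_connect()
        count += 1
    return count
```

With two servers in round robin and server1 dead, every second client connection pays three unanswered SYNs before being reassigned, so the eighth reassign (and the OOS state) only arrives on the fifteenth client connection; with no client traffic at all the tally never moves, which is exactly why MB's `show real` still reports both machines as IS after unplugging one.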
ACE keep probing real servers using "https get 302"
Hi all,
I got one problem with Cisco ACE in my company. Currently, two ACE appliances are working as HA redundancy. Previously I enabled some HTTPS and HTTP probing using GET 302 for some servers and services. But then I was told to remove all HTTPS or HTTP probing, and instead use TCP ports 443 and 80. After that, one of the serverfarms (server groups) is still receiving HTTPS GET 302, and I already checked in the monitoring to see whether there's any HTTPS probing regarding the respective real servers, but I could not find any. Even if I disable all probing to that serverfarm, all the server members still receive HTTPS GET 302. Is this behavior a bug?
The ACE version is A3(2.1). And the HA status is on standby cold. Can standby cold cause this kind of trouble?
Hi Daniel,
I just corrected the cert problem and made the state peer into standby hot. But still it still keep probing the get 302. And then I tried to restart both ACEs. The first step is to restart the second ACE (standby) and then switched over all context to the second one. The problem is that when I made the second one to be active, some services were not working, especially the ones with ssl terminated in ACE. I'm pretty sure that both ACEs were in sync.
Any idea what is the problem? -
WRT54G on 2900 switch, separate VLAN, out same firewall
Our current network (subnet 10.24.167.0) uses a Sonic Wall firewall (10.24.167.254) as the gateway and PAT device to our router.
The owner wants guests to be able to use our internet wirelessly but have no chance of getting on our network.
I want to put the wireless Linksys router (WRT54G) on a separate VLAN and give it (and the DHCP pool) a different subnet (192.168.1.0). Is that wireless "router" going to be good enough to get the data from the guest subnet out our firewall (which is on the company subnet) and out the router?
Can you please explain the best way to get this to work?
I was also considering a bridge off the router with 1 port going to the firewall and our company subnet, and another port going to the WRT54G, but I think there is a better way.
Hi,
Just in addition to the earlier post, see if your firewall supports trunking and use the trunking feature instead of a separate interface, which can be used later for some more specific purpose.
Rest is the same as above.
regards,
-amit singh