Fresh ACE config...
Hi All,
I'm going for ACE config in a few days' time, have been reading the documents for the last 2 weeks, and would appreciate some heads-up on my queries:
1. On the ACE module we have these hidden ports NP1, NP2, etc. Do we need to configure them, or are they used for special cases?
2. In terms of HTTP load balancing to caching servers, which predictor complies with the best-practice format: VIP, L4 (src or dst port numbers), L7?
3. I have also been trying to get some sample configs and some online hands-on if possible; any pointers are most welcome.
Thanx in advance .... Gentlemen :-)
Thanx
Shukla.
1. NP1/NP2 are the CPUs. The ports on the module are consoles for debugging. These ports should remain covered. I believe they are disabled.
2. You will want to use predictor hash source mask x.x.x.x. This will ensure that each client always balances to the same cache engine. This will better utilize your disk cache and increase your chances of cache hits.
In terms of L4 or L7, I would always try to keep the load balancing rules at layer 4 if possible. This will maximize the performance of any load balancer since the LB decision can be made on the TCP SYN packet.
3. Take a look at example A of this FWLB config. It is pretty much the same thing you would use for a cache:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/fwldbal.html#wp1088204
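The affinity property behind the "predictor hash address source" recommendation can be checked offline. The following is an added example, not code from the thread or from Cisco: it models a source-hash predictor with a mask so that the same (masked) client always lands on the same cache, and it measures what happens to that mapping when a cache drops out of the farm. The hash function, the farm names and the client addresses are assumptions; the ACE's real hash is not documented here.

```python
# Added example, not code from the thread or from Cisco. It models the ACE
# "predictor hash address source <mask>" behaviour the reply describes, so the
# affinity property can be checked offline. The hash function and the server
# names are assumptions; the ACE's real hash is not documented here.
import hashlib
import ipaddress
from typing import Dict, Iterable, List, Optional


def masked_source(client_ip: str, mask: str) -> int:
    """Apply the predictor mask to the client source address."""
    return int(ipaddress.IPv4Address(client_ip)) & int(ipaddress.IPv4Address(mask))


def pick_server(client_ip: str, mask: str, servers: List[str]) -> Optional[str]:
    """Choose one cache for a client: hash of the masked source, modulo farm size.
    Returns None when no cache is in service."""
    if not servers:
        return None
    key = masked_source(client_ip, mask).to_bytes(4, "big")
    digest = hashlib.sha256(key).digest()  # assumption: any stable hash will do
    return servers[int.from_bytes(digest[:4], "big") % len(servers)]


def affinity_map(clients: Iterable[str], mask: str, servers: List[str]) -> Dict[str, Optional[str]]:
    """Client -> cache assignment for a whole client set."""
    return {c: pick_server(c, mask, servers) for c in clients}


def remap_fraction(clients: List[str], mask: str, before: List[str], after: List[str]) -> float:
    """Share of clients whose cache changes when the farm changes from `before`
    to `after`. This is the cost of a cache going out of service: those clients
    lose their warm cache and start generating misses again."""
    old = affinity_map(clients, mask, before)
    new = affinity_map(clients, mask, after)
    changed = sum(1 for c in clients if old[c] != new[c])
    return changed / len(clients) if clients else 0.0


if __name__ == "__main__":
    caches = ["cache1", "cache2", "cache3"]
    # constructed sample client population: 10.1.0.1 .. 10.1.2.0
    clients = [f"10.1.{i // 256}.{i % 256}" for i in range(1, 513)]
    print(pick_server("10.1.1.5", "255.255.255.255", caches))
    print(remap_fraction(clients, "255.255.255.255", caches, caches[:2]))
```

Two things the numbers show that the reply only implies: a mask shorter than /32 (for example 255.255.255.0) sends a whole client subnet to one cache, which is what you want behind a NAT or proxy population, and a modulo hash re-maps a large share of clients whenever the farm size changes, so a flapping probe on one cache costs hit ratio on all of them.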
Similar Messages
-
Request - Perl script that can parse an ACE config from a VIP
Has anyone ever written a Perl script that can take the VIP from an ACE config and parse it out into the component parts of the config: ACLs, NATs, class-map, policy-map, etc.?
This seems like something someone must have written already.
Thanks in advance!
Any reason you don't want to use XML instead of doing just Perl? It's a lot easier to do with XML scripts, as ACE has an XML interface to query whatever is needed. So that said, you can use Perl to interface with ACE via XML. Here's a simple Perl script that uses libcurl:
#!/usr/bin/perl
# Send one CLI command to the ACE XML agent and print the HTTP status and the response body.
use strict;
use warnings;
use WWW::Curl::Easy;

# Usage: shusers.pl ip_address username password command
my $numArgs = $#ARGV + 1;
if ($numArgs < 4) {
    die("Usage: shusers.pl ip_address username password command\n");
}
my ($ip, $uname, $pwd, $cmd) = @ARGV;   # scalars, not @ARGV[n] slices

my $curl = WWW::Curl::Easy->new;
# NOTE: plain http sends the basic-auth credentials in the clear; use https where the ACE allows it.
my $posturl = "http://$ip/bin/xml_agent/";
my $xml_cmd = "xml_cmd=<$cmd/>";        # the agent expects the command wrapped as an XML element

# Capture the response body into a scalar instead of letting libcurl print it to stdout.
my $response_body = '';
open(my $fh, '>', \$response_body) or die("cannot open in-memory buffer: $!\n");

$curl->setopt(CURLOPT_HEADER, 0);
$curl->setopt(CURLOPT_FRESH_CONNECT, 1);
$curl->setopt(CURLOPT_URL, $posturl);
$curl->setopt(CURLOPT_WRITEDATA, $fh);   # CURLOPT_RETURNTRANSFER is a PHP option, not a libcurl one
$curl->setopt(CURLOPT_USERPWD, "$uname:$pwd");
$curl->setopt(CURLOPT_POST, 1);
$curl->setopt(CURLOPT_POSTFIELDS, $xml_cmd);

my $retcode = $curl->perform;
if ($retcode != 0) {
    die("curl error $retcode: " . $curl->errbuf . "\n");
}
my $info = $curl->getinfo(CURLINFO_RESPONSE_CODE);
print "$info\n";
print $response_body;
Hope this helps.
Cheers
V.K -
INTERESTING - ACE config and URL manipulation
Hi
My customer has an interesting requirement for his web/java based application (SAP).
There are multiple services (each has its own domain) running on the same server all services sharing the same TCP port. All of them require a correct path in the HTTP(S) header to display a desired web page. However if somebody is accessing (via HTTP or HTTPS) the service without any path in the URL (for a login page) the ACE should redirect a correct URL and path for the login page to the client. In other words...
1) http://sap.mydomain.com ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
2) https://sap.mydomain.com ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
3) http://sap.mydomain.com/abc/init.do?language=de ---redirect to---> https://sap.mydomain.com/abc/init.do?language=de
4) https://sap.mydomain.com/abc/AnythingElse ---NOT to be redirected but sent unchanged---> https://sap.mydomain.com/abc/AnythingElse
Do you have any ideas how can I achieve this?
I tried something but it still doesn't work. Relevant config is attached.
Thanks in advance for your replies and happy to reward you 5* when we get it up and running
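Before turning the four cases into ACE redirect configuration it helps to have them written down as one rule set that can be tested. The block below is an added example and not part of the original post or an ACE feature: it encodes the requirement as a function returning the Location for a 301 or None for pass-through, and it generalises case 3 by upgrading any plain-http request for this host to https. The host and the login URL come from the question; the function names are assumptions.

```python
# Added example, not part of the original post or an ACE feature. It expresses
# the four redirect cases from the question as one function so the rule set
# can be checked before it becomes webhost-redirection config.
# APP_HOST and LOGIN_URL come from the question; everything else is assumed.
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

APP_HOST = "sap.mydomain.com"
LOGIN_PATH = "/abc/init.do"
LOGIN_QUERY = "language=de"
LOGIN_URL = f"https://{APP_HOST}{LOGIN_PATH}?{LOGIN_QUERY}"


def redirect_target(request_url: str) -> Optional[str]:
    """Return the Location for a 301, or None when the request passes through unchanged.

    Rules from the question:
      1/2: no path (http or https)  -> LOGIN_URL
      3:   http + login path        -> same URL over https
      4:   https + any other path   -> unchanged
    Generalisation: any other plain-http path is upgraded to https as well.
    """
    parts = urlsplit(request_url)
    if parts.hostname is None or parts.hostname.lower() != APP_HOST:
        return None  # not this service; never build a redirect from a foreign host
    if parts.path in ("", "/"):
        return LOGIN_URL
    if parts.scheme == "http":
        # Rebuild with the fixed host rather than the client-supplied netloc, so
        # the Location header can only ever point at this service.
        return urlunsplit(("https", APP_HOST, parts.path, parts.query, ""))
    return None


def check_cases(cases: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Evaluate (request, expected) pairs; returns (request, expected, actual) for each mismatch."""
    mismatches = []
    for request, expected in cases:
        actual = redirect_target(request)
        if actual != expected:
            mismatches.append((request, expected, actual))
    return mismatches


CASES = [  # the four cases from the question
    ("http://sap.mydomain.com", LOGIN_URL),
    ("https://sap.mydomain.com", LOGIN_URL),
    ("http://sap.mydomain.com/abc/init.do?language=de", LOGIN_URL),
    ("https://sap.mydomain.com/abc/AnythingElse", None),
]

if __name__ == "__main__":
    print(check_cases(CASES) or "all redirect cases behave as specified")
```

The design point worth carrying into the ACE config is the fixed host in the rebuilt URL: the redirector should emit the service's own hostname and path, never echo whatever Host header or URL the client sent, otherwise the login redirect becomes an open redirect.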
drslDsliz,
One of them may look like this:
policy-map multi-match SAP-HTTP-REDIRECT-POLICY-MAP
class SAP-REDIRECT-CM
loadbalance vip inservice
loadbalance policy SAP-REDIRECT-POLICY
loadbalance vip icmp-reply
class-map match-any SAP-REDIRECT-CM
3 match virtual-address 10.148.185.249 tcp eq www
policy-map type loadbalance first-match SAP-REDIRECT-POLICY
class class-default
serverfarm SAP-HTTP-REDIRECT
serverfarm redirect SAP-HTTP-REDIRECT
rserver SAP-HTTP-REDIRECTOR
inservice
rserver redirect SAP-HTTP-REDIRECTOR
conn-limit max 4000000 min 4000000
webhost-redirection https://sap.mydomain.com/abc/init.do?language=de 301
inservice
You did not include the rest of the configuration for example for this:
class L7CM-B2C-DEMOSHOP
Additionally, you may need to see about matching secondary cookies as shown here, since it is required to match after "?" sometimes.
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/command/reference/policy.html#wp2336441
Jorge -
Hi,
I am an ACE newbie - I have a two-tier ACE setup and I am basically trying to get the front-end ACE to divert to a sorry page if the back-end servers hanging off the back-end ACE do not reply to their probes.
I have the following setup...
Internet
|
DMZ ACE (doing SSL termination)
|
Reverse Proxy Server farm
|
Corporate LAN ACE
|
Application Server farm
DMZ ACE is probing Rev Proxy farm on TCP 2000 - and using sticky cookie insertion.
Corporate LAN ACE is probing App Server farm on TCP 2000 - and using sticky cookie insertion.
If the Application server farm becomes unavailable, I would like the DMZ ACE to detect this and then redirect the clients to a 'service unavailable' page hosted on the Reverse Proxy Servers.
My thought so far is the following...
DMZ ACE
rserver host Rev_proxy1
rserver host Rev_proxy2
probe icmp probe_icmp
ip address <App_Server_VIP>
probe tcp probe_tcp_2000
port 2000
serverfarm host Rev_proxy_farm
probe probe_icmp
probe probe_tcp_2000
rserver Rev_proxy1
rserver Rev_proxy2
So the above Rev_proxy_farm availability is tied to the appearance of the App Server VIP due to the directed ICMP probe to the Corporate LAN ACE VIP - the VIP will disappear if the App Server farm does not respond to its TCP probe.
I am then not sure how to redirect the HTTP request to the Reverse Proxy Server seeing as though these have already been flagged unavailable.
Should I then follow 'Configuring a Sorry Server Farm' as per http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1049254 to divert the connections from the Reverse_proxy:2000 to Reverse_proxy:3000 (which serves Service unavailable page)?
Any advice on whether this is the best way to go would be much appreciated.
Cheers,
Al
you need to create a redirect host and serverfarm and use this serverfarm as a backup serverfarm for your main serverfarm.
I'm not sure that the icmp ping will work.
Because the ping will be sent to the dest IP address of the VIP, but the dest MAC address will be the rev-proxy where you configured the probe.
Give it a try.
Gilles. -
SG500 ACL / ACE config with many VLANs
Good day!
My hardware:
Four SG500 52 and SG500 52P switches are in one stack with many vlans configured.
WLC which routes the internet ports. Static route on the sg500 stack.
DHCP Server
APs on trunk ports
Now I would like to put up some intervlan routing rules.
I would put the following ACEs into one ACL:
Copy machine 100: 192.168.0.0 - 0.0.255.255 permit 192.168.0.9 - 0.0.0.1
DHCP server 101: 192.168.0.0 - 0.0.255.255 permit 192.168.0.10 - 0.0.0.1
for 1 to vlan count: 192.168.vlanid.0 - 0.0.0.255 permit 192.168.vlanid.0 - 0.0.0.255
Internet access: 192.168.0.0 - 0.0.255.255 permit any
Kindly point me to the right direction.
Essentially each VLAN should access a centralized copy machine/ vlan internal traffic shall be allowed / vlan internet traffic shall be allowed.
VLAN X to VLAN Y traffic should be blocked.
Thanks a lot. A link to manuals / tutorials is highly appreciated.
Hi,
I follow the rule "the simpler the better" and would create only 2 ACLs: one to block the traffic on VLAN X when the DST subnet is VLAN Y, and the second rule for the opposite direction.
You could even work with one of those ACLs since most of the protocols would require return traffic anyway.
But with 2 ACLs you limit unwanted traffic closer to the source, and also it is much clearer and more understandable if you look at these settings a year later.
Regards,
Aleksandra -
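The ACL sketched in the question has an ordering problem that is easy to miss on paper: its final "permit any" entry for internet access also permits VLAN X to VLAN Y, so the inter-VLAN block never happens unless an explicit deny sits in front of it. The following is an added example, not code from the thread and not SG500 syntax: a small first-match evaluator that takes the question's address/wildcard notation, builds the ACL with and without that deny, and shows which entry each flow hits. The sequence numbers, the helper names and the implicit deny at the end are assumptions modelled on how such ACLs behave.

```python
# Added example, not from the thread and not SG500 syntax. It models first-match
# ACL evaluation so the rule order from the question can be tested offline.
# Addresses follow the question; sequence numbers and names are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wc(address: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn the question's 'address - wildcard' notation into a network.
    Only contiguous wildcards are supported. Note that a wildcard of 0.0.0.1
    covers two addresses (e.g. .8 and .9); a single host needs 0.0.0.0."""
    w = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(w ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((address, str(netmask)), strict=False)


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str) -> Tuple[str, int]:
    """First matching ACE wins; no match falls to the implicit deny (seq -1)."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in sorted(acl, key=lambda a: a.seq):
        if s in ace.src and d in ace.dst:
            return ace.action, ace.seq
    return "deny", -1


def build_policy(vlan_ids: List[int], block_inter_vlan: bool) -> List[Ace]:
    """The ACL sketched in the question. block_inter_vlan inserts the deny that
    the sketch is missing, in front of its final internet 'permit any' entry."""
    site = wc("192.168.0.0", "0.0.255.255")
    acl = [
        Ace(100, "permit", site, wc("192.168.0.9", "0.0.0.1")),   # copy machine
        Ace(101, "permit", site, wc("192.168.0.10", "0.0.0.1")),  # DHCP server
    ]
    seq = 110
    for vid in vlan_ids:  # intra-VLAN traffic stays permitted
        net = wc(f"192.168.{vid}.0", "0.0.0.255")
        acl.append(Ace(seq, "permit", net, net))
        seq += 1
    if block_inter_vlan:
        acl.append(Ace(seq, "deny", site, site))  # VLAN X -> VLAN Y blocked here
        seq += 1
    acl.append(Ace(seq, "permit", site, ipaddress.IPv4Network("0.0.0.0/0")))  # internet
    return acl


if __name__ == "__main__":
    for block in (False, True):
        policy = build_policy([10, 20], block_inter_vlan=block)
        print(f"inter-VLAN deny present: {block}")
        for flow in [("192.168.10.5", "192.168.20.5"), ("192.168.10.5", "192.168.10.7"),
                     ("192.168.20.5", "192.168.0.9"), ("192.168.10.5", "8.8.8.8")]:
            print("  ", flow, "->", evaluate(policy, *flow))
```

Two caveats the evaluator surfaces: the copier and DHCP entries as written (wildcard 0.0.0.1) also match 192.168.0.8 and 192.168.0.11, so use a 0.0.0.0 wildcard for a single host; and the deny for the 192.168.0.0/16 site must be sequenced before the internet entry, not after it, because the first match decides.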
ACE 4710: Possible to allow a user to clear counters but nothing else?
Hello all,
Using an ACE 4710 we have a user setup with the Network-Monitor role which allows the user to view config, interface status, etc. We would also like to allow this user to clear the interface error counters as well, but nothing else. Is this possible?
Thanks!
Hello Brandon-
Network-Monitor only lets you browse outputs, it is a not a role that allows a user to make any changes including clearing stats. You can create custom roles and domains to get closer to what you want, but you cannot zero in on a single command like that.
i.e.
ACE# conf t
ACE(config)# role MyRole
ACE(config-role)# rule 1 permit modify feature ?
AAA AAA related commands
access-list ACL related commands
connection TCP/UDP related commands
fault-tolerant Fault tolerance related commands
inspect Appln inspection related commands
interface Interface related commands
loadbalance Loadbalancing policy and class commands
pki PKI related commands
probe Health probe related commands
rserver Real server related commands
serverfarm Serverfarm related commands
ssl SSL related commands
sticky Sticky related commands
vip Virtual server related commands
You can create a permit or deny rule, and within that, create/debug/modify/monitor each feature separately.
Domains allow you to create containers for objects. You can place specific rservers, serverfarms, etc. into it - then apply it to a role so that the user assigned to it can only touch those objects.
Regards,
Chris Higgins -
Design help related to ACE to Switch connectivity using Port-Channel
Hi,
I have a Cisco ACE 4710 configured in One-Arm mode. This ACE is getting connected with 2 3750 switches. These 2 3750 switches connected in trunk mode.
ACE is connected to these 3750 switches using Port-channel.
ACE Config:
================================
interface gigabitEthernet 1/1
description One-arm mode port to DMZ Switch 1 port 20
channel-group 1
no shutdown
interface gigabitEthernet 1/2
description One-arm mode port to DMZ Switch 2 port 20
channel-group 1
no shutdown
interface port-channel 1
switchport access vlan 51
port-channel load-balance src-dst-ip
no shutdown
interface vlan 51
ip address 10.40.56.131 255.255.255.128
access-group input everyone
access-group output everyone
nat-pool 1 10.40.56.215 10.40.56.215 netmask 255.255.255.255 pat
service-policy input LB
service-policy input remote-access
no shutdown
===========================================================
The problem is that 3750 switches are not stacked.
Application is working fine. But I am getting a lot of MAC flapping messages..
kindly suggest whether this design is OK or something needs to be done to rectify it...
Attached a small diagram..
Hello acharyr123,
I don't think this design is OK, and it would cause MAC flapping since the two independent 3750 switches will learn the ACE MAC addresses off of two different interfaces. The 3750s would have to be stacked so that they would act as one switch; then this should work correctly.
Thanks
Joel Lamousnery
TAC CSE -
My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations? Not just how-to scenarios.
And the primary question that brings me here:
I've got an ACE module in a 6500 chassis that's configured for routed mode. For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers. vIP VLAN is 12 and rserver VLAN is 101. I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.
When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver. The same if user devices are sending traffic to the App servers vIP.
When a Web server tries to send over to the App servers vIP, I get no response. In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101). How do I get the Web server to send traffic loadbalanced across the App servers?
Here's an example ACE config:
access-list ALL line 8 extended permit ip any any
probe tcp 5555
port 5555
interval 5
passdetect interval 30
probe http HTTP
interval 5
passdetect interval 30
expect status 200 200
rserver host APP01
description App Server 1
ip address 10.10.101.15
probe 5555
inservice
rserver host APP02
description App Server 2
ip address 10.10.101.16
probe 5555
inservice
rserver host WEB01
description Web Server 1
ip address 10.10.101.17
probe HTTP
inservice
rserver host WEB02
description Web Server 2
ip address 10.10.101.18
probe HTTP
inservice
serverfarm host APP-SERVERS
predictor leastconns
rserver APP01
inservice
rserver APP02
inservice
serverfarm host WEB-SERVERS
predictor leastconns
rserver WEB01
inservice
rserver WEB02
inservice
sticky ip-netmask 255.255.255.255 address both WEB-STICKY
replicate sticky
serverfarm WEB-SERVERS
sticky ip-netmask 255.255.255.255 address both APP-STICKY
replicate sticky
serverfarm APP-SERVERS
class-map match-any APP-VIP
description App Servers VIP
2 match virtual-address 10.10.12.21 tcp eq 5555
class-map match-any WEB-VIP
description Web Servers VIP
2 match virtual-address 10.10.12.20 tcp eq https
3 match virtual-address 10.10.12.20 tcp eq www
policy-map type loadbalance first-match L7-APP-SERVERS
class class-default
sticky-serverfarm APP-STICKY
policy-map type loadbalance first-match L7-WEB-SERVERS
class class-default
sticky-serverfarm WEB-STICKY
policy-map multi-match L4-CONTEXT-A-VLAN
class WEB-VIP
loadbalance vip inservice
loadbalance policy L7-WEB-SERVERS
loadbalance vip icmp-reply
class APP-VIP
loadbalance vip inservice
loadbalance policy L7-APP-SERVERS
loadbalance vip icmp-reply
interface vlan 12
description ACE-CONTEXT-A-vIPs
ip address 10.10.12.5 255.255.252.0
alias 10.10.12.4 255.255.252.0
peer ip address 10.10.12.6 255.255.252.0
access-group input ALL
service-policy input MGMT-ACCESS
service-policy input L4-CONTEXT-A-VLAN
no shutdown
interface vlan 101
description ACE-CONTEXT-A-SERVERS
ip address 10.10.101.2 255.255.255.0
alias 10.10.101.1 255.255.255.0
peer ip address 10.10.101.3 255.255.255.0
access-group input ALL
no shutdown
Hi Adam,
You can check Gilles' DC t-shooting guides, which should give you a very good overview of packet processing on the ACE; also you can check the Cisco wiki site where you find the scenarios plus a detailed explanation for traffic management.
Now going back to your issue, your problem can be split into two parts.
1. Web server not able to ping the VLAN 101 ACE SVI.
ACE is a closed device, meaning that access to each interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new one just for ICMP, that's up to you.
2. Web servers not able to communicate with APP servers through the VIP (and vice versa).
The problem here is that the servers are trying to communicate through SVI 101 but no VIPs are applied to it, so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface; the servers have the ARP and everything to reach those VIPs, but the ACE has not been instructed to do load balancing for clients reaching it through VLAN 101.
In order to do load balancing between APP & Web servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.
Also, since your servers are all sitting in the same VLAN, you're going to need client NAT to prevent asymmetric routing on server-to-server communications.
I've attached a sample with NAT based on your config.
HTH
Pablo -
Ace module in bridged mode with client nat
Could someone confirm whether NAT is supported for the ACE-20 module, please?
Let me explain the technical details.
I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure if the configuration below is correct. The ACE module should be configured in bridge mode with two VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding "policy-map type loadbalance".
Could you check the two parts of the configs and advise me if the ACE config is properly converted from CSM and will be working in the same way (especially for NAT).
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdown
Hello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
Traceroute not happening to ACE from Oracle Server
Hi,
Our ACE is configured in one-arm mode. I have an Oracle serverfarm being load balanced by the ACE, from which traceroute to the ACE is not happening.
Oracle Server in VLAN 10 with Gateway configured at Core Switch: 10.10.10.21
VLAN 60: 10.10.60.21 in Core switch & ACE ip: 10.10.60.1
If from the ACE I do a traceroute to one of the Oracle DB servers (10.10.10.5 & 10.10.10.6) it goes nicely. But sitting at the Oracle DB servers, if I do a trace to the ACE IP 10.10.60.1 it gets dropped at the core switch 10.10.10.21.
This problem is not happening from any other Windows machines....
Can someone highlight....
Attached the ACE config...
Some machines use ICMP to do traceroute and others use UDP.
Your Oracle machine might be using UDP and your core switch has a security ACL that blocks this UDP traffic.
G. -
HI:
It works normally when the ACE config is finished, but the ACE has shown some error messages recently: (May 5 2011 11:05:44 : %ACE-4-400000: IDS:1000 IP Option Bad Option List from 192.168.2.198 to 224.0.0.22 on interface vlan51 May 5 2011), so the clients cannot get responses from the servers' VIP IP address 192.168.2.72;
I have shut down the IDS machine and this message still shows;
How can I resolve this problem and let clients get responses from the server VIP normally?
---------------------------The following is my config on the ACE!------------------------------
logging enable
logging timestamp
logging history 5
logging buffered 5
peer hostname TJHQCB01DLB02
hostname TJHQCB01DLB01
boot system image:c6ace-t1k9-mz.A2_2_3.bin
resource-class all
limit-resource all minimum 5.00 maximum unlimited
limit-resource sticky minimum 5.00 maximum unlimited
clock timezone BJT 8 0
context Admin
member all
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
rserver host 115-116-s1
ip address 192.168.2.115
inservice
rserver host 115-116-s2
ip address 192.168.2.116
inservice
rserver host 204-205-s1
ip address 192.168.2.204
inservice
rserver host 204-205-s2
ip address 192.168.2.205
inservice
rserver host 68-69-s1
ip address 192.168.2.68
inservice
rserver host 68-69-s2
ip address 192.168.2.69
inservice
serverfarm host 115-116_pool
rserver 115-116-s1
inservice
rserver 115-116-s2
inservice
serverfarm host 204-205_pool
rserver 204-205-s1
inservice
rserver 204-205-s2
inservice
serverfarm host 68-69_pool
rserver 68-69-s1
inservice
rserver 68-69-s2
inservice
class-map match-any 115-116-vip
2 match virtual-address 192.168.2.117 any
class-map match-any 204-205-vip
2 match virtual-address 192.168.2.207 any
class-map match-any 68-69-vip
2 match virtual-address 192.168.2.72 any
class-map type management match-any admin
2 match protocol https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol snmp any
6 match protocol ssh any
7 match protocol http any
policy-map type management first-match admin
class admin
permit
policy-map type loadbalance first-match 115-116-policy
class class-default
serverfarm 115-116_pool
policy-map type loadbalance first-match 204-205-policy
class class-default
serverfarm 204-205_pool
policy-map type loadbalance first-match 68-69-policy
class class-default
serverfarm 68-69_pool
policy-map multi-match tiens-vip
class 68-69-vip
loadbalance vip inservice
loadbalance policy 68-69-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
class 204-205-vip
loadbalance vip inservice
loadbalance policy 204-205-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
class 115-116-vip
loadbalance vip inservice
loadbalance policy 115-116-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
service-policy input admin
service-policy input tiens-vip
interface vlan 51
ip address 192.168.2.250 255.255.255.0
alias 192.168.2.253 255.255.255.0
peer ip address 192.168.2.251 255.255.255.0
access-group input anyone
access-group output anyone
nat-pool 1 192.168.2.252 192.168.2.252 netmask 255.255.255.255 pat
no shutdown
ft interface vlan 999
ip address 10.1.69.125 255.255.255.252
peer ip address 10.1.69.126 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 2
peer 1
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 192.168.2.254
hi:
everyone, the config above has changed. I have updated the ACE config, and the IDS:1000 still shows on it;
the following is my ACE config:
logging enable
logging standby
logging timestamp
logging history 5
logging buffered 5
peer hostname TJHQCB01DLB02
hostname TJHQCB01DLB01
boot system image:c6ace-t1k9-mz.A2_2_3.bin
resource-class all
limit-resource all minimum 5.00 maximum unlimited
limit-resource sticky minimum 5.00 maximum unlimited
clock timezone BJT 8 0
context Admin
member all
access-list anyone line 8 extended permit ip any any
access-list anyone line 16 extended permit icmp any any
probe tcp 68-69_pool-tcp-http
interval 2
faildetect 2
passdetect interval 5
passdetect count 2
rserver host 115-116-s1
ip address 192.168.2.115
inservice
rserver host 115-116-s2
ip address 192.168.2.116
inservice
rserver host 204-205-s1
ip address 192.168.2.204
inservice
rserver host 204-205-s2
ip address 192.168.2.205
inservice
rserver host 68-69-s1
ip address 192.168.2.68
inservice
rserver host 68-69-s2
ip address 192.168.2.69
inservice
serverfarm host 115-116_pool
rserver 115-116-s1
inservice
rserver 115-116-s2
inservice
serverfarm host 204-205_pool
rserver 204-205-s1
inservice
rserver 204-205-s2
inservice
serverfarm host 68-69_pool
probe 68-69_pool-tcp-http
rserver 68-69-s1
inservice
rserver 68-69-s2
inservice
sticky ip-netmask 255.255.255.255 address source 68-69_pool
timeout 720
timeout activeconns
replicate sticky
serverfarm 68-69_pool
class-map match-any 115-116-vip
2 match virtual-address 192.168.2.117 any
class-map match-any 204-205-vip
2 match virtual-address 192.168.2.207 any
class-map match-any 68-69-vip
2 match virtual-address 192.168.2.72 any
class-map type management match-any admin
2 match protocol https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol snmp any
6 match protocol ssh any
7 match protocol http any
policy-map type management first-match admin
class admin
permit
policy-map type loadbalance first-match 115-116-policy
class class-default
serverfarm 115-116_pool
policy-map type loadbalance first-match 204-205-policy
class class-default
serverfarm 204-205_pool
policy-map type loadbalance first-match 68-69-policy
class class-default
sticky-serverfarm 68-69_pool
policy-map multi-match tiens-vip
class 68-69-vip
loadbalance vip inservice
loadbalance policy 68-69-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
class 204-205-vip
loadbalance vip inservice
loadbalance policy 204-205-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
class 115-116-vip
loadbalance vip inservice
loadbalance policy 115-116-policy
loadbalance vip icmp-reply active
loadbalance vip advertise active
nat dynamic 1 vlan 51
service-policy input admin
service-policy input tiens-vip
interface vlan 51
ip address 192.168.2.250 255.255.255.0
alias 192.168.2.253 255.255.255.0
peer ip address 192.168.2.251 255.255.255.0
access-group input anyone
access-group output anyone
nat-pool 1 192.168.2.252 192.168.2.252 netmask 255.255.255.255 pat
no shutdown
ft interface vlan 999
ip address 10.1.69.125 255.255.255.252
peer ip address 10.1.69.126 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 2
peer 1
priority 110
associate-context Admin
inservice
ip route 0.0.0.0 0.0.0.0 192.168.2.254
username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/ role Admin domain default-domain
username www password 5 * role Admin domain default-domain -
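The %ACE-4-400000 IDS:1000 message quoted above is the kind of line that gets repeated thousands of times and then ignored, so it pays to summarise it by source, destination and interface before deciding whether it is noise. The block below is an added example, not part of the thread: a parser for that syslog format run over constructed sample lines, with a coarse triage label per destination. The label treats 224.0.0.22 (the IGMPv3 membership-report group, whose packets carry the IP Router Alert option per RFC 3376) as control-plane multicast worth confirming with a packet capture, and anything aimed at a unicast address such as a VIP as something to investigate; the regex, function names and sample lines are assumptions.

```python
# Added example, not part of the thread. It parses ACE syslog lines of the
# form quoted in the post (%ACE-4-400000 IDS:1000) and summarises them so the
# volume can be triaged. SAMPLE_LOG is constructed for this example.
import ipaddress
import re
from collections import Counter
from typing import Dict, Optional, Tuple

SAMPLE_LOG = """\
May 5 2011 11:05:44 : %ACE-4-400000: IDS:1000 IP Option Bad Option List from 192.168.2.198 to 224.0.0.22 on interface vlan51
May 5 2011 11:05:46 : %ACE-4-400000: IDS:1000 IP Option Bad Option List from 192.168.2.198 to 224.0.0.22 on interface vlan51
May 5 2011 11:05:50 : %ACE-4-400000: IDS:1000 IP Option Bad Option List from 192.168.2.31 to 192.168.2.72 on interface vlan51
May 5 2011 11:06:01 : %ACE-6-999999: constructed non-IDS line, ignored by the parser
"""

IDS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) : %ACE-(?P<sev>\d)-(?P<msgid>\d+): "
    r"IDS:(?P<sig>\d+) (?P<desc>.+?) from (?P<src>[\d.]+) to (?P<dst>[\d.]+) "
    r"on interface (?P<ifc>\S+)$"
)

IGMP_V3_REPORT_GROUP = ipaddress.IPv4Address("224.0.0.22")


def parse_ids_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of an IDS syslog line, or None if it is not one."""
    m = IDS_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(dst: str) -> str:
    """Coarse label for the destination of an IDS:1000 event.
    IGMP membership reports go to 224.0.0.22 and carry the IP Router Alert
    option (RFC 3376), a benign source of IP-option related IDS hits; an event
    aimed at a unicast address such as a VIP deserves a closer look."""
    addr = ipaddress.IPv4Address(dst)
    if addr == IGMP_V3_REPORT_GROUP:
        return "igmp-report"
    if addr.is_multicast:
        return "multicast-control"
    return "investigate"


def summarize(log_text: str) -> Tuple[Counter, int]:
    """Count (src, dst, triage) tuples for IDS:1000 lines and return how many
    lines the parser did not recognise, so silent drops are visible."""
    counts: Counter = Counter()
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_ids_line(line)
        if ev is None or ev["sig"] != "1000":
            skipped += 1
            continue
        counts[(ev["src"], ev["dst"], triage(ev["dst"]))] += 1
    return counts, skipped


if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE_LOG)
    for (src, dst, label), n in counts.most_common():
        print(f"{n:4d}  {src:>15} -> {dst:<15} {label}")
    print(f"unparsed lines: {skipped}")
```

Fed with a real buffer (show logging, or the syslog collector's export), the summary separates a handful of hosts sending IGMP reports from anything that is actually hitting a VIP with malformed options, which is the distinction the original question needed before deciding whether the IDS message and the lost VIP responses were related at all.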
Hi,
The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
We have to restrict one VIP's traffic to 6 nodes only from the public side.
How can I restrict the traffic with an ACL in the L3 class map?
Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
Unfortunately, only one entry is permitted in the L3 class map!
However, this one entry is the virtual-address row.
What is the smart solution in this case (VIP & ACL together)?
Regards,
Hi,
I think the easiest way you can do this is using an HTTP class-map (regardless of the load balanced protocol, weird eh?)
Instead of an ACL you would use the match source-address command to specify the sources allowed to make it to the servers.
Here is how it looks:
class-map type http loadbalance match-any Hosts
10 match source-address 192.168.10.20 255.255.255.255
11 match source-address 192.168.10.21 255.255.255.255
12 match source-address 192.168.10.22 255.255.255.255
class-map match-any Internet
2 match virtual-address 192.168.20.15 tcp eq www
policy-map type loadbalance first-match Internet-FMP
class Hosts
serverfarm Backend
policy-map multi-match CLIENT-VIPS
class Internet
loadbalance vip inservice
loadbalance policy Internet-FMP
loadbalance vip icmp-reply active
Hope this helps!
Pablo -
Hi all,
I am looking for an RTSP solution, and currently I can't find an answer.
The problem we got:
We are using a ace to loadbalance streaming traffic, which uses rtsp/rtcp.
rtsp is not a problem, simple vip on port 554 and forwarding to the servers.
but when it gets to rtcp it gets complicated
i configured a vip for udp high-ports, which works fine for messages from the client to the streamer.
but streaming data, which are sent from the server to the client , need to use the same source-ip as the vip
for that i created a nat-pool with the same ip as the vip.
so the ace takes all packets from the servers and creates a pat.
the thing is, that the clients get a problem with that.
within the rtsp-setup there is a negotiation of ports to use.
if the source/ports, which are changed through the pat, are different from the negotiation, some clients won't work.
so the question is:
is there a way to do a pat with "fixed" ports, like: a port-range for server a, next range for server b and so on.
or is there a better solution for rtcp on the ace?
thanks a lot.
ACE supports RTSP over TCP load balancing only.
You can use RTSP headers
RTSP stickiness is based on information in the RTSP session header. With RTSP header stickiness, you can specify a header offset to provide stickiness based on a unique portion of the RTSP header.
*Real Time Streaming Protocol (RTSP) is a network control protocol designed for use in entertainment and communications systems to control streaming media servers. The protocol is used to establish and control media sessions between end points.
(config) sticky rtsp-header
To create an RTSP header sticky group to enable the ACE to stick client connections to the same real server based on the RTSP Session header field, use the sticky rtsp-header command. The prompt changes to the sticky header configuration mode prompt (config-sticky-header). Use the no form of this command to remove the sticky group from the configuration.
sticky rtsp-header name1 name2
no sticky rtsp-header name1 name2
Syntax Description
name1
RTSP header field. The ACE supports only the RTSP Session header field for stickiness. Enter Session.
name2
Unique identifier of the sticky group. Enter an unquoted text string with no spaces and a maximum of 64 alphanumeric characters.
Command Modes
Configuration mode
Admin and user contexts
Command History
Release A3(1.0): This command was introduced.
Usage Guidelines
This command requires the sticky feature in your user role. For details about role-based access control (RBAC) and user roles, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
To use the stickiness feature, you must allocate a minimum percentage of system resources to stickiness. Otherwise, the feature will not work. For more information about allocating resources, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
The ACE supports only the RTSP Session header field for stickiness.
For information about the commands in RTSP sticky header configuration mode, see the "Sticky RTSP Header Configuration Mode Commands" section.
Examples
To create a group for RTSP header stickiness, enter:
host1/Admin(config)# sticky rtsp-header Session RTSP_GROUP
host1/Admin(config-sticky-header)#
To remove the sticky group from the configuration, enter:
host1/Admin(config)# no sticky rtsp-header Session RTSP_GROUP
Example of an RTSP Load-Balancing Configuration
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_Server_Load-Balancing_Configuration_Examples#Example_of_an_RTSP_Load-Balancing_Configuration
As per Cisco:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1165238
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1114235
http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1114691
Similarly, for RTSP inspection it is clearly stated at
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/appinsp.html#wp1318637
For RTSP inspection
The ACE supports TCP only in conformity with RFC 2326.
More on ACE configs:
http://docwiki.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
http://www.cisco.com/en/US/products/hw/modules/ps2706/prod_configuration_examples_list.html
http://docwiki.cisco.com/wiki/Category:Configuration_Examples
Please rate.
HTH
Sachin Garg
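To make concrete what the sticky rtsp-header command quoted above keys on, here is an added Python simulation of the mechanism the Cisco text describes. It is not Cisco code and not something posted in this thread: it extracts the RTSP Session header from the real server's SETUP reply, records which server issued that session, and routes later client requests carrying the same Session value to that server. The messages, server names and the offset/length option are constructed assumptions for the demo.

```python
"""What 'sticky rtsp-header Session <group>' keys on, simulated in Python.

Added example; not Cisco code and not from this thread. The balancer learns the
Session value a real server hands out in its SETUP reply and pins later client
requests carrying that Session header to the same server. offset/length model
the option of sticking on a slice of the header value. All messages and server
names below are constructed.
"""
import re
from itertools import cycle
from typing import Optional

# RFC 2326: Session = "Session" ":" session-id [ ";" "timeout" "=" delta-seconds ]
_SESSION = re.compile(r"^Session:[ \t]*([^;\r\n]+)", re.IGNORECASE | re.MULTILINE)


def rtsp_session_id(message: str) -> Optional[str]:
    """Extract the RTSP session-id from a request or response, or None."""
    m = _SESSION.search(message)
    return m.group(1).strip() if m else None


class RtspStickyGroup:
    """Round-robin server farm with a sticky table keyed on the Session header."""

    def __init__(self, rservers, offset: int = 0, length: Optional[int] = None):
        self._rr = cycle(rservers)
        self._table = {}                  # sticky key -> rserver name
        self._offset, self._length = offset, length

    def _key(self, session_id: str) -> str:
        end = None if self._length is None else self._offset + self._length
        return session_id[self._offset:end]

    def select(self, request: str) -> str:
        """Pick the rserver for a client request: sticky hit, else load balance."""
        sid = rtsp_session_id(request)
        if sid is not None and self._key(sid) in self._table:
            return self._table[self._key(sid)]
        return next(self._rr)             # no Session yet, or entry expired

    def learn(self, response: str, rserver: str) -> None:
        """Record the Session the chosen server issued in its reply."""
        sid = rtsp_session_id(response)
        if sid is not None:
            self._table[self._key(sid)] = rserver


# Constructed RTSP exchange: two clients, two streaming servers.
SETUP_REQ = ("SETUP rtsp://stream.example.invalid/clip/track1 RTSP/1.0\r\nCSeq: 2\r\n"
             "Transport: RTP/AVP;unicast;client_port=8000-8001\r\n\r\n")
SETUP_RESP_A = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 47112344;timeout=60\r\n"
                "Transport: RTP/AVP;unicast;client_port=8000-8001;server_port=9000-9001\r\n\r\n")
SETUP_RESP_B = "RTSP/1.0 200 OK\r\nCSeq: 2\r\nSession: 98765001;timeout=60\r\n\r\n"
PLAY_A = ("PLAY rtsp://stream.example.invalid/clip RTSP/1.0\r\nCSeq: 3\r\n"
          "Session: 47112344\r\nRange: npt=0-\r\n\r\n")
PLAY_B = "PLAY rtsp://stream.example.invalid/clip RTSP/1.0\r\nCSeq: 3\r\nSession: 98765001\r\n\r\n"


def demo():
    """Two clients land on different streamers and stay there for later requests."""
    group = RtspStickyGroup(["streamer1", "streamer2"])
    first_a = group.select(SETUP_REQ)     # no Session header yet: round robin
    group.learn(SETUP_RESP_A, first_a)
    first_b = group.select(SETUP_REQ)
    group.learn(SETUP_RESP_B, first_b)
    return {"setup_a": first_a, "setup_b": first_b,
            "play_a": group.select(PLAY_A), "play_b": group.select(PLAY_B),
            "play_a_again": group.select(PLAY_A)}


if __name__ == "__main__":
    for step, rserver in demo().items():
        print(f"{step}: {rserver}")
```

The point the simulation makes for the original question is the one in the answer: the sticky decision lives in the RTSP control channel (TCP 554), so it can only help with RTSP itself, not with the separately negotiated UDP media and RTCP ports.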
Hi,
I need to do URL redirection. I've worked on CSS a lot so far but I'm a newbie to ACE.
For example, my CSS config for URL redirection is as follows:

service server1:443
  ip address 192.168.1.1
  protocol tcp
  port 443
  keepalive type ssl
  active
service server2:443
  ip address 192.168.1.2
  protocol tcp
  port 443
  keepalive type ssl
  active
service server1:80
  type redirect
  redirect-string "https://mail.google.com/exchange"
  ip address 192.168.1.1
  no prepend-http
  active
service server2:80
  type redirect
  redirect-string "https://mail.google.com/exchange"
  ip address 192.168.1.2
  no prepend-http
  active
owner mail
  content mail.google.com:443
    vip address 10.10.10.1
    port 443
    protocol tcp
    application ssl
    add service server1:443
    add service server2:443
    advanced-balance sticky-srcip
    active
  content mail.google.com:80
    vip address 10.10.10.1
    protocol tcp
    port 80
    url "/*"
    add service server1:80
    add service server2:80
    active
What would be the equivalent ACE config? Please advise....

probe tcp generic-tcp
  interval 5
  passdetect interval 20
  passdetect count 2
  connection term forced
  exit
rserver server1
  ip add 192.168.1.1
  inservice
  exit
rserver server2
  ip add 192.168.1.2
  inservice
  exit
rserver redirect https-target
  webhost-redirection https://mail.google.com/exchange
  inservice
  exit
serverfarm redirect secure-redirect
  rserver https-target
    inservice
    exit
serverfarm host SF443
  failaction purge
  predictor leastconns
  probe generic-tcp
  rserver server1 443
    inservice
  rserver server2 443
    inservice
    exit
  exit
sticky ip-netmask 255.255.255.255 address source SF443-SG
  timeout 3600
  replicate sticky //only required if HA is in use
  serverfarm SF443
  exit
class-map match-any www-CM
  2 match virtual-address 10.10.10.1 255.255.255.255 tcp eq www
  exit
class-map match-any https-CM
  2 match virtual-address 10.10.10.1 255.255.255.255 tcp eq 443
  exit
policy-map type loadbalance first-match http-PM
  class class-default
    serverfarm secure-redirect
    exit
  exit
policy-map type loadbalance first-match https-PM
  class class-default
    sticky-serverfarm SF443-SG
    exit
  exit
policy-map multi-match LBR-LB
  class www-CM
    loadbalance vip inservice
    loadbalance policy http-PM
    loadbalance vip icmp-reply
  class https-CM
    loadbalance vip inservice
    loadbalance policy https-PM
    loadbalance vip icmp-reply
    exit
  exit
interface vlan xxx
  ip address xxx
  alias xxx
  peer ip address xxx
  access-group input xxx
  service-policy input LBR-LB
  no shutdown
  exit
ACE Problem after restarting Application
Hi,
we have an ACE20 and have set it up to balance 4 containers on an Oracle Application Server. Every time we stop all containers at the same time for longer than an hour, it takes forever (hours) until the load balancer starts balancing the containers again. I can see in the Apache log files on the application server that the ACE module is checking the containers and gets a 200, but we still can't access the application for a few hours. If I connect directly to the container it also works fine... just the ACE does not work. Like it has a timeout and is waiting.
Any idea how to give it a kick?
While accessing the Application I can see that it connects, but nothing happens...
sh conn detail
total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
68155      2  in  TCP   191  10.200.101.73:35777   10.200.101.64:80      ESTAB
           [ idle time   : 00:00:18, byte count  : 888 ]
           [ elapsed time: 00:00:18, packet count: 3 ]
68156      2  out TCP   195  10.200.105.33:80      10.200.101.73:35777   INIT
           [ conn in reuse pool : FALSE]
           [ idle time   : 00:00:18, byte count  : 0 ]
           [ elapsed time: 00:00:18, packet count: 0 ]
Thanks for any help!
Jason

Hi,
I'm still having problems with the ACE load balancer. At the moment it doesn't seem to recover after having restarted the application the last time.
Can someone look at the config and tell me if they see a mistake in it?
I have three instances, accesst, accesst2 and accesst3. Each instance has 4 Oracle Application Server containers deployed on 2 different application servers. The site is split between 2 DMZs which are separated by a firewall. The Cisco ACE has one leg in each VLAN (191 and 195). We always had a problem after taking the application servers down for updates that it takes forever until the ACE starts balancing again. For the last 4 days it hasn't started rebalancing yet. As far as I know nothing has changed in the configuration of the servers or of the ACE. The firewall admin said he tried to find a problem, but didn't change anything.
Do I maybe have a mistake in the ACE Config? Am I missing something here?
MS4_ACE_PU/MY-APP# sh running-config
Generating configuration....
logging buffered 7
access-list anyone line 8 extended permit ip any any
probe http HEAD_1
  port 7791
  interval 10
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_2
  port 7792
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_3
  port 7793
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_4
  port 7794
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_5
  port 7795
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_6
  port 7796
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_7
  port 7797
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
probe http HEAD_8
  port 7798
  interval 5
  faildetect 15
  passdetect interval 15
  receive 2
  request method head url /APPLICATION/images/probe.gif
  expect status 200 200
  open 2
parameter-map type http PERSIST-REBALANCE
  persistence-rebalance
action-list type modify http LOCATION-RW-VIP-2
  header rewrite response location header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
  header rewrite response content-lokation header-value "http://accesst3.my-site.de:.....(.*)" replace "https://accesst3.my-site.de/%1"
action-list type modify http LOCATION-RW-VIP-1
  header rewrite response content-lokation header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
  header rewrite response location header-value "http://accesst2.my-site.de:.....(.*)" replace "https://accesst2.my-site.de/%1"
action-list type modify http LOCATION-RW-VIP
  header rewrite response location header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
  header rewrite response content-lokation header-value "http://accesst.my-site.de:.....(.*)" replace "https://accesst.my-site.de/%1"
rserver host server103
  description KS ApplicationServer
  ip address 10.200.105.33
  inservice
rserver host server104
  description KS ApplicationServer
  ip address 10.200.105.34
  inservice
serverfarm host HTTP-APPL
  rserver server103 7791
    probe HEAD_1
    inservice
  rserver server103 7792
    probe HEAD_2
    inservice
  rserver server104 7791
    probe HEAD_1
    inservice
  rserver server104 7792
    probe HEAD_2
    inservice
serverfarm host HTTP-APPL-1
  rserver server103 7795
    probe HEAD_5
    inservice
  rserver server103 7796
    probe HEAD_6
    inservice
  rserver server104 7795
    probe HEAD_5
    inservice
  rserver server104 7796
    probe HEAD_6
    inservice
serverfarm host HTTP-APPL-2
  rserver server103 7797
    probe HEAD_7
    inservice
  rserver server103 7798
    probe HEAD_8
    inservice
  rserver server104 7797
    probe HEAD_7
    inservice
  rserver server104 7798
    probe HEAD_8
    inservice
sticky http-header TranSON_Cert_Subject group1
  replicate sticky
  serverfarm HTTP-APPL
sticky http-header TranSON_Cert_Subject group2
  replicate sticky
  serverfarm HTTP-APPL-1
sticky http-header TranSON_Cert_Subject group3
  replicate sticky
  serverfarm HTTP-APPL-2
class-map type http inspect match-any HTTP-INS-VIP
  2 match header Host header-value "accesst.my-site.de"
class-map type http inspect match-any HTTP-INS-VIP-1
  2 match header Host header-value "accesst2.my-site.de"
class-map type http inspect match-any HTTP-INS-VIP-2
  2 match header Host header-value "accesst3.my-site.de"
class-map match-all HTTP-VIP
  2 match virtual-address 10.200.101.64 tcp eq www
class-map match-all HTTP-VIP-1
  2 match virtual-address 10.200.101.68 tcp eq www
class-map match-all HTTP-VIP-2
  2 match virtual-address 10.200.101.69 tcp eq www
policy-map type loadbalance first-match HTTP-SF
  class class-default
    sticky-serverfarm group1
    action LOCATION-RW-VIP
policy-map type loadbalance first-match HTTP-SF-1
  class class-default
    sticky-serverfarm group2
    action LOCATION-RW-VIP-1
policy-map type loadbalance first-match HTTP-SF-2
  class class-default
    sticky-serverfarm group3
    action LOCATION-RW-VIP-2
policy-map type inspect http all-match INS-PM-VIP
  class HTTP-INS-VIP
    permit
policy-map type inspect http all-match INS-PM-VIP-1
  class HTTP-INS-VIP-1
    permit
policy-map type inspect http all-match INS-PM-VIP-2
  class HTTP-INS-VIP-2
    permit
policy-map multi-match SLB-logic
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy HTTP-SF
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE
  class HTTP-VIP-1
    loadbalance vip inservice
    loadbalance policy HTTP-SF-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE
  class HTTP-VIP-2
    loadbalance vip inservice
    loadbalance policy HTTP-SF-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter http advanced-options PERSIST-REBALANCE
interface vlan 191
  ip address 10.200.101.65 255.255.255.0
  alias 10.200.101.67 255.255.255.0
  peer ip address 10.200.101.66 255.255.255.0
  access-group input anyone
  service-policy input SLB-logic
  no shutdown
interface vlan 195
  ip address 10.200.105.65 255.255.255.0
  alias 10.200.105.63 255.255.255.0
  peer ip address 10.200.105.66 255.255.255.0
  access-group input anyone
  no shutdown

Destination        Gateway    Interface  Flags
10.200.101.0/24    0.0.0.0    vlan191    IA [0x30]
10.200.105.0/24    0.0.0.0    vlan195    IA [0x30]
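Both ACE configurations on this page (the CSS-to-ACE translation in the redirect thread and the running-config in this thread) hang together through name references: a serverfarm's members must be defined rservers and its probe a defined probe, a sticky group must point at a defined serverfarm, a loadbalance policy must name a defined serverfarm or sticky group, a multi-match policy must name defined class-maps and loadbalance policies, and the multi-match policy must be applied to an interface with service-policy. The script below is an added example in Python, not Cisco tooling and not code posted in these threads; it parses that chain and reports dangling names, farms with no in-service member and multi-match policies that are never applied. SAMPLE_CONFIG is constructed for the demo and carries two planted mistakes (an undefined rserver and a misspelled policy name); it is not the configuration posted above and nothing here is a finding about it.

```python
"""Cross-reference checker for an ACE server load-balancing configuration.

Added example (Python); not Cisco tooling and not code posted in these threads.
It follows the chain probe -> rserver -> serverfarm -> sticky group -> class-map
-> loadbalance policy-map -> multi-match policy-map -> interface service-policy
and reports dangling names, farms with no in-service member and multi-match
policies never applied. SAMPLE_CONFIG is constructed, with two planted errors.
"""
from collections import defaultdict

# Keywords that open a top-level configuration object.
TOP_LEVEL = {"probe", "rserver", "serverfarm", "sticky", "class-map",
             "policy-map", "interface", "parameter-map", "action-list"}
# Inside these objects the listed keywords are references, not new objects.
CHILD_WORDS = {"serverfarm": {"rserver", "probe"}, "sticky": {"serverfarm"},
               "policy-map": {"serverfarm"}}
# (enclosing object kind, first word of a body line) -> kind of object referenced
REFS = {("serverfarm", "rserver"): "rserver", ("serverfarm", "probe"): "probe",
        ("sticky", "serverfarm"): "serverfarm", ("policy-map", "class"): "class-map",
        ("policy-map", "serverfarm"): "serverfarm", ("policy-map", "sticky-serverfarm"): "sticky",
        ("policy-map", "loadbalance"): "policy-map", ("interface", "service-policy"): "policy-map"}


def _is_definition(words):
    """'rserver host X', 'serverfarm redirect X', 'probe <type> X' define; two-word forms refer."""
    if words[0] in ("rserver", "serverfarm"):
        return len(words) > 1 and words[1] in ("host", "redirect")
    return words[0] != "probe" or len(words) >= 3


def parse_ace(text):
    """Return {kind: {name: {"header": words, "body": [words, ...]}}}.
    Accepts the flat 'keyword ... exit' forum layout and indented running-config."""
    objs = defaultdict(dict)
    kind = name = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if line == "exit":                       # leave the current object
            kind = None
            continue
        words = line.split()
        if words[0] in TOP_LEVEL and (
                words[0] not in CHILD_WORDS.get(kind, ()) or _is_definition(words)):
            kind = words[0]
            name = " ".join(words[1:]) if kind == "interface" else words[-1]
            objs[kind][name] = {"header": words, "body": []}
        elif kind is not None:
            objs[kind][name]["body"].append(words)
    return objs


def check_ace(objs):
    """Return a list of findings; an empty list means every reference resolves."""
    findings, applied = [], set()
    for kind, table in objs.items():
        for name, o in table.items():
            in_service, member = False, None
            for w in o["body"]:
                if kind == "serverfarm" and w == ["inservice"]:
                    in_service |= member is not None     # 'inservice' under a member
                    continue
                target = REFS.get((kind, w[0]))
                if target is None or (w[0] == "loadbalance" and w[1] != "policy"):
                    continue                             # e.g. 'loadbalance vip inservice'
                ref = w[-1]                              # referenced name is the last word
                if w[0] == "rserver":
                    member = ref = w[1]                  # 'rserver <name> [port]'
                if ref == "class-default":
                    continue
                if ref not in objs.get(target, {}):
                    findings.append(f"{kind} {name}: {target} '{ref}' is not defined")
                if kind == "interface":
                    applied.add(ref)
            if kind == "serverfarm" and not in_service:
                findings.append(f"serverfarm {name}: no rserver is inservice")
    for name, o in objs.get("policy-map", {}).items():
        if "multi-match" in o["header"] and name not in applied:
            findings.append(f"policy-map {name}: multi-match policy not applied to any interface")
    return findings


SAMPLE_CONFIG = """\
probe tcp generic-tcp
  interval 5
rserver host server1
  inservice
serverfarm host SF443
  probe generic-tcp
  rserver server1 443
    inservice
  rserver server3 443
    inservice
sticky ip-netmask 255.255.255.255 address source SF443-SG
  serverfarm SF443
class-map match-any https-CM
  2 match virtual-address 203.0.113.10 255.255.255.255 tcp eq 443
policy-map type loadbalance first-match https-PM
  class class-default
    sticky-serverfarm SF443-SG
policy-map multi-match LBR-LB
  class https-CM
    loadbalance vip inservice
    loadbalance policy https-PM-typo
interface vlan 100
  service-policy input LBR-LB
"""
```

Run as `python3 checker.py` after adding `print(check_ace(parse_ace(SAMPLE_CONFIG)))`, or paste a saved `show running-config` into a file and call `check_ace(parse_ace(open(path).read()))`. The checker only verifies that names resolve and that the policy is wired to an interface; it says nothing about probe timing, which is where the symptom in this thread (servers answering 200 to the probe while the VIP stays unresponsive) would be investigated with `show probe detail` and `show serverfarm`.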