Load balancing based on source IP address

Hi,
I configured a CSS to balance the load depending on source IP address to support an application feature in the server.
We have two firewalls and behind them we have different users. We also have two servers behind the CSS.
Firewalls perform NAT with a unique outside IP address. So, for example, in these conditions the CSS balances requests coming from FW 1 to server 1 and requests coming from FW 2 to server 2. Is this scenario correct?
Is it possible that requests coming from FW 1 could be forwarded to Server 2 and vice versa?
Could anyone answer me?
Thanks in advance.
Best regards.
Giuseppe.

Giuseppe,
It all depends on how you configured your CSS.
Did you use an ACL to force traffic from SRC1 to server1 and traffic from SRC2 to server2?
Or did you simply configure sticky based on source IP or source IP hash load balancing?
Except for the ACL, none of the other methods guarantees that the traffic will be split in 2.
Gilles.

Similar Messages

  • ACE load balance based on Source IP Address

    Hi Cisco Support,
    I have a question related to Cisco ACE behavior in terms of taking a decision based on source address.
    I currently have two servers sitting behind ACE as part of one server farm; these servers are load balanced via one VIP on the ACE module and everything looks fine.
    Now service owners want to replace these old servers with new hardware, hence before the migration we need to make sure these new servers are working to the required standard, hence we need to create a testing scenario for the new servers along with the old servers. The problem is that a number of third-party partners are accessing the existing servers by hitting the VIP on ACE and we can't engage all our partners to participate in this test, therefore we decided to engage only one partner to carry out this test with us.
    For that reason can we somehow configure the ACE so when a packet arrives on ACE from the one test partner mentioned above, ACE sends only that partner's traffic, based on its source address (defined via class/policy map on ACE if possible), towards the new servers in the existing server farm and not to the old servers in the same server farm.
    Thanks for your support

    Hi,
    Just to put some config sample that might help you to get this done.
    First create the new rservers and include them under a new serverfarm (New-APP).
    serverfarm host Webfarm
      rserver SVR1
        inservice
      rserver SVR2
        inservice
    serverfarm host New-APP
      rserver New-1
        inservice
      rserver New-2
        inservice
    - Same VIP already working.
    class-map match-all VIP-HTTP
      2 match virtual-address 10.10.10.10 tcp eq www
    - Create a new class that will include your partner's IP(s).
    class-map type http loadbalance match-any 3rd-Party
      2 match source-address 200.200.200.1 255.255.255.255
      3 match source-address 200.200.200.10 255.255.255.255
    Modify your current first-match policy to put the new class on top so that all the traffic matched by the statement above (IP) will be redirected to the new farm with the new APP; any other traffic that does not match the "rule" will be sent to the old serverfarm with the old app.
    policy-map type loadbalance first-match L7-SLB
      class 3rd-Party
        serverfarm New-APP
      class class-default
        serverfarm Webfarm
    Since you already have LB working then this is it, nothing needs to be added under the multi-match policy nor interface.
    HTH
    Pablo

  • HOWTO: load balance based on source subnet

    Hi Guys,
    We are currently working out if there is a way to load balance specific subnets to a specific rserver within a server farm behind the one VIP.
    For example (all Rservers within one serverfarm Serv_farm001):
    Subnet 10.10.10.0/24  load balance to Rserver A ( with Rserver B as backup )
    Subnet 20.20.20.0/24  load balance to Rserver B ( with Rserver A as backup )
    I can see from the configuration guide that you could maybe use sticky src IP to do this, but I haven't seen anything to confirm this.
    Any takers on this? I'm sure it would be a familiar, common thing that others are doing out there.
    Looking fwd to the responses!
    Cheers
    R

    Hi Rob,
    You can either do this on the incoming-interface ACL or for easier management you can do the following:
    class-map type http loadbalance match-any Subnet-A
      2 match source-address 10.10.10.0 255.255.255.0
    class-map type http loadbalance match-any Subnet-B
      2 match source-address 20.20.20.0 255.255.255.0
    policy-map type loadbalance first-match SLB
      class Subnet-A
        serverfarm A
      class Subnet-B
        serverfarm B
    HTH
    Pablo

  • ACE30 Load balancing based on IP and using x-forward-for header

    Hi Guys,
    We currently have a load balancing policy set up to direct traffic to, say, FARM-A based on a particular range of source (client) IP addresses, and the default FARM-B for all the other traffic.
    We are now looking to introduce a web application firewall (WAF) before the ACE. The WAF will be inserting the client IP address into the X-Forwarded-For HTTP header. Now I was wondering how best we can achieve the load balancing based on source IP given that we'll have to parse the HTTP header for this X-Forwarded-For field? Are there any examples that anyone can point me to?
    Let me know if you have any questions.
    thanks
    Sheldon

    Hi Sheldon,
    You might try creating a class map that matches on the XFF header. Then use that as the L7 load balance criteria (based on the hash value of the XFF header), using the predictor hash header.
    -Alex
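Pablo's two first-match policies above decide on the L3 source address; once a WAF fronts the VIP, as in Sheldon's question, the same decision has to be made on the X-Forwarded-For value, and only for requests that actually came from the WAF. The following Python simulation is an added example, not Cisco ACE code: the class-map entries mirror the threads above, while the WAF address 192.0.2.10, the farm names and the CRC32 stand-in for "predictor hash header" are assumptions.

```python
"""Added example (not Cisco ACE code): simulate ACE-style first-match
load-balance policies on the client IP, and show how the decision changes
once a WAF in front of the VIP supplies the client IP via X-Forwarded-For."""
import ipaddress
import zlib

# Ordered like a "policy-map type loadbalance first-match": the first class
# whose "match source-address <ip> <mask>" entry matches wins; class-default
# catches everything else. Entries mirror the class-maps in the threads above.
POLICY = [
    ("3rd-Party", ["200.200.200.1/255.255.255.255",
                   "200.200.200.10/255.255.255.255"], "New-APP"),
    ("Subnet-A", ["10.10.10.0/255.255.255.0"], "A"),
    ("Subnet-B", ["20.20.20.0/255.255.255.0"], "B"),
]
DEFAULT_FARM = "Webfarm"

# Assumption: the WAF sits at this (documentation-range) address and appends
# the address it saw the request come from to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def in_class(client, networks):
    """True if client falls in any of the class's source-address entries."""
    return any(client in ipaddress.ip_network(n) for n in networks)


def effective_client_ip(src_ip, headers):
    """Pick the IP to make the L7 decision on.

    Only when the L3 source is the trusted WAF do we read X-Forwarded-For, and
    then only the LAST entry, which is the one the WAF itself appended. Any
    earlier entries, and the whole header on a direct connection, are
    client-controlled and ignored."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_PROXIES):
        return src
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return src
    try:
        return ipaddress.ip_address(hops[-1])
    except ValueError:
        # Malformed header from the WAF: fall back to the L3 source.
        return src


def select_farm(src_ip, headers=None, policy=POLICY):
    """Return (class name, serverfarm) for a request, in first-match order."""
    client = effective_client_ip(src_ip, headers or {})
    for name, networks, farm in policy:
        if in_class(client, networks):
            return name, farm
    return "class-default", DEFAULT_FARM


def hash_header_rserver(header_value, rservers):
    """Illustrates "predictor hash header": a deterministic pick so the same
    client value always lands on the same rserver. CRC32 is a stand-in here;
    it is not the hash the ACE uses."""
    return rservers[zlib.crc32(header_value.encode()) % len(rservers)]


if __name__ == "__main__":
    print(select_farm("200.200.200.10"))
    print(select_farm("192.0.2.10", {"X-Forwarded-For": "203.0.113.5, 10.10.10.55"}))
    print(select_farm("203.0.113.5", {"X-Forwarded-For": "10.10.10.55"}))
```

The policy-order check matters on the ACE too: a broader class listed before a narrower one shadows it, which is why Pablo puts the partner class on top.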

  • Route call based on source IP address

    Hello Guys,
    Is there a way to route calls based on source IP address?
    I want to redirect calls to specific queues based on the IP of the phone that's starting it.
    Any ideas?
    Thanks in advance.
    Filipe Leite                  

    Hi Filipe
    I'm assuming here that you are using CallManager rather than CME?
    One option might be to use the 'device mobility' feature to assign a specific CSS to devices based on their IP subnet. That CSS could have the appropriate partitions to route to a separate trigger that directs calls to a separate CSQ.
    Of course, whether you can do this depends on whether it would be appropriate to override the device CSS in this way.
    Aaron

  • ACE Load balancing with different source IP

    Dear All,
    I am very much new to ACE. We are deploying it on our enterprise infrastructure (10.x.x.x/8). I have a setup like this: we have 5 proxy servers supporting our enterprise internet needs. Load balancing to these 5 Blue Coat proxy servers is done via the ACE module.
    My customer has a special requirement based on a specific source subnet: ACE needs to redirect that specific source subnet to a particular proxy server. Is this possible in ACE?? Or do we need to have a separate virtual server group for that specific source subnet range? Kindly correct me if I am wrong in my understanding.
    Thanks
    Santhoshkumar Saravanan

    Hi Saravanan,
    Please refer to the following link:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA4_2_0/configuration/slb/guide/sticky.pdf
    Look at section :
    IP Address Stickiness Configuration Quick Start
    For example :
    8. (Optional) Configure static IP address sticky entries up to a maximum of
    65535 static entries per context.
    host1/Admin(config-sticky-ip)# static client source 192.168.12.15
    destination 172.16.27.3 rserver SERVER1 2000
    The above may fulfill your requirement.
    regards,
    Ajay Kumar

  • Load balance based on OS

    Is it possible to load balance incoming requests based on client's operating system on ACE?
    For example, we have different web pages specifically for Blackberry or iPhones.
    Instead of having multiple URLs & VIPs, we'd like to have a single VIP, but load balance traffic to different serverfarms based on the client's OS.

    You can load balance based on the User-Agent header; first you need to quantify what iPhone and BlackBerry use for user-agent. For instance, from a regular browser you might see:
    User-Agent=Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)
    from an iPhone you will typically see:
    User-Agent=Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko) Version/3.0 Mobile/1C25 Safari/419.3
    you can go to http://www.user-agents.org to find out what strings are used
    That being the case you can make classes on the header to match for load balancing decisions:
    class-map type http loadbalance match-any mobile
      2 match http header User-Agent header-value .*iphone
      4 match http header User-Agent header-value .*blackberry
    then in the LB policy say we want to go to farmA for mobile and farmB for PCs
    policy-map type loadbalance first-match L7POLICY
      class mobile
        serverfarm farmA
      class class-default
        serverfarm farmB
    see:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1021388

  • ACE load balancing based on URL

    I am trying to send traffic to one server or another based on the URL. I want traffic to foo.com/selfserv to direct to server A and traffic to foo.com/webui to direct to server B. I found URL inspection etc but I am not sure how to apply it the scenario as I do not want the ACE to inspect all inbound HTTP requests.

    The ACE performs regular expression matching against the received packet data from a particular connection based on the HTTP URL string. To configure a class map to make Layer 7 SLB decisions based on the URL name and, optionally, the HTTP method, use the match http url command in class-map HTTP load balance configuration mode.
    The ACE performs regular expression matching against the received packet data from a particular connection based on the RTSP URL string. You can configure a class map to make Layer 7 SLB decisions based on the URL name and optionally, the RTSP method, by using the match rtsp url command in class-map RTSP load balance configuration mode.
    Configuring Traffic Policies for Server Load Balancing:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html

  • Redirect based on source IP address????

    I have a site that I don't want our competitors to view! By tracking code, I have managed to obtain their source IP addresses.
    After looking around, there is a .php solution to my problem but my host is not well suited to .php files (although it does some processing).
    My pages are in .shtml (to process css drop-down menus correctly) and I understand that this attached code, if put at the top of the page before anything else, will work.
    I have managed to get one working
    http://www.donbur.co.uk/gb/newindex.php
    but am having difficulty getting this code to work elsewhere.
    The problem is, when I try to put this code into either a template or as an include, it won't process correctly or the page won't render at all.
    Do I have to use .php files or can I insert php script into an .shtml document.
    Getting really confused now.... HELP

    Thanks for the constructive advice...
    quote:
    >After looking around, there is a .php solution to my problem but my host is not well suited to .php files (although it does some processing).
    What does this mean? Does your hosting plan include php support or not?
    You can't just put a php script into any page. It needs to be a .php page or you need to reconfigure the server to parse other pages for php. But if your hosting plan doesn't support php then it won't work in any case.

    My host is BT Internet and they claim not to process .php files which is why our main .php site is hosted elsewhere; however, it seems that, although it has difficulty (to clarify: doesn't render) with main full scripts, it does seem to process simple <?php echo commands for example.
    It has been suggested on another forum that the .shtml files are set to be recognised by .php in the cpanel but our host will not do this...
    Our competitors are not particularly smart or up-to-date and this would have been reasonably effective; however, I bow to better judgement and close this topic.

  • Re-direct based on source ip address

    Dear all,
    I wish to redirect URL traffic to another server based on their IP address. We currently have a SharePoint server and were hoping to utilise its facilities to redirect to another server: https://www.abc.com to
    http://www.abc.com/def
    We have IIS7 running in the background if that helps. Would IIS be a better choice?
    Thanks in advance..
    N DHANRAJ

    Hi Dhanraj,
    I understand that you want to redirect the url from
    https://www.abc.com to http://www.abc.com/def, you can try URL Rewrite rules to achieve this goal.
    Here are some posts about this topic, you can take a look.
    http://stackoverflow.com/questions/22182087/iis-rewrite-rule-to-redirect-specific-domain-url-to-different-url-on-same-domain
    http://social.technet.microsoft.com/wiki/contents/articles/23074.sharepoint-2013-url-rewrite.aspx
    Supportability of Rewrite and Redirects with SharePoint 2007/2010/2013
    More about the IIS redirect, I would recommend you post in IIS forum below, there will be more experts assisting on this issue.
    http://forums.iis.net/t/1153050.aspx?URL+Rewrite+for+SSL+redirection
    Thanks
    Daniel Yang
    TechNet Community Support

  • Load Balancing based on website not on Interface

    LocalDirector 416
    LocalDirector is load balancing 2 IIS web servers, ServerA and ServerB. The servers are running in round robin. If a client requests a web page and is sent to ServerA and the site is not servicing requests but the interface is still up, I want LocalDirector to fail over to ServerB. Is this possible?
    Thanks

    You need an HTTP probe.
    Check the following URL:
    http://www.cisco.com/en/US/products/hw/contnetw/ps1894/products_configuration_example09186a0080093df4.shtml
    Gilles.

  • Sticky load balancing not working  because of Address Translation

    This came up before - see below. I don't understand what the solution is/was.
    WL Server puts its IP address in the WebLogicSession cookie which is an internal address 192.168.201.41
    WL proxy knows WL Server only by an external address like 139.141.38.21. Since it does not know of any WLS with an IP address of 192.168.201.41, it round-robins the request instead of sending it to the primary WLS.
    Any help is much appreciated.
    Mike Reiche
    Robert Patrick <[email protected]> wrote:
    >Hi,
    >
    >A very typical configuration is to put the web server in the DMZ (i.e., between an outer and inner firewall) and proxy the requests from the web server to the WebLogic server (which sits behind the inner firewall). Since all of these proxied requests use HTTP and a single port, the only port that needs to be opened in the inner firewall is an HTTP port (the outer firewall will only need an HTTP and/or HTTPS port opened).
    >
    >Hope this helps,
    >Robert
    >
    >Eytan Ben-Meir wrote:
    >
    >> Thanks Patrick,
    >>
    >> Maybe you can suggest options for securing a WLS behind a firewall?
    >>
    >> Thanks again,
    >>
    >> Eytan
    >>
    >> Robert Patrick wrote:
    >>
    >> > Hi,
    >> >
    >> > The problem is that we encode location information (e.g., IP address(es)) in the session id. If the plugin sees a session id, it decodes the session id to find out where to route the request (i.e., which server in the cluster contains the HttpSession object for that session). Since the plugin cannot find the machine whose IP address is encoded in the session id (because of the network address translation), this will not work. In general, distributed application software needs to be modified to be capable of handling network address translation -- to my knowledge, WebLogic Server has not been modified to support this feature (though the Enterprise version of the product has had this support for years).
    >> >
    >> > Hope this helps,
    >> > Robert
    >> >
    >> > Eytan Ben-Meir wrote:
    >> >
    >> > > Hi,
    >> > >
    >> > > Configuration:
    >> > > WLS 4.5.1 on Solaris 2.7 inside a firewall.
    >> > > SonicWall firewall with NAT (Network Address Translation).
    >> > > Netscape Enterprise Server 4.0 outside the firewall with Weblogic NSAPI-BRIDGE (sp 5)
    >> > >
    >> > > The problem:
    >> > > When a browser request is sent to the NE web server (directed to the firewall who then redirects to a Weblogic servlet).
    >> > > IF the servlet creates a httpsession (with or without cookies) the request fails (the firewall blocks a request directed directly at the non-routable ip address of the Weblogic machine inside the firewall.
    >> > > IF on the other hand the servlet does not create a http session, all works fine.??????????
    >> > > Does anybody know something about this????
    >> > >
    >> > > Thanks,
    >> > >
    >> > > Eytan
    >

    This isn't my problem.

  • RX load balancing on SG200-18

    Hi guys,
    I put this question on Spiceworks and someone chimed in and said it wasn't possible due to the nature of how EtherChannel balances, but I wanted to double check. Here is my question:
    I have a Cisco SG200-18 managed switch configured with a LAG with LACP and a new Supermicro X9SCM-F motherboard that uses two Intel NICs (82579LM & 82574L). The server is running Server 2012 R2 Standard and I'm teaming the NICs via Intel's driver. The team type is set to IEEE 802.3ad Dynamic Link Aggregation. From my understanding that means that inbound and outbound packets should be able to utilize the increased bandwidth (thus the dynamic part). So far in my testing, copying files to and from the server from multiple PCs at the same time, only files being copied from the server utilize the increased bandwidth. I can see in Task Manager on the server that the Ethernet is using over 1 Gbps. However, files going TO the server from multiple computers at the same time max out at 1 Gbps.
    Any insight on why this would be?
    Edit: Also want to note that the switch is running the most recent version of the firmware.
    Attached you'll find some screenshots of the different windows on the server & the switch. Thanks!

    Hello,
    This is a common question with LACP and LAGs in general.
    It all comes down to this.  Any single connection will only ever be able to use a single member of the LAG.  Meaning that whatever the maximum speed (1Gbps) of one physical link is, that is the limit of the transfer.
    It is because of how the load balancing algorithm works.  When a packet comes in, the switch hashes either the IP or MAC address of the source and destination, and comes up with a number.  If your LAG has 4 links, it is a number from 1-4.  That determines which link in the LAG gets used in that connection.  That connection will only ever use that LAG member, and cannot spill over, even if the link it is using gets full.
    The load balancing algorithm can be changed to better utilize the links, however the test of a single computer transferring to another computer will always give the results you saw.
    There are several enterprise level Cisco switches which can load balance based on source and destination port number, which could enable two computers to utilize multiple links, if they were transferring data on different TCP ports.  However the small business switches are only able to load balance by MAC/IP.  You can experiment with the load balancing setting to see which setting optimizes your link usage. You may also be able to tweak this setting on the server side, but that one is up to you.
    Hope that helps a bit, you've done some nice testing already, so I'm really just confirming what you've already seen.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center
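Christopher's point that one conversation is pinned to a single LAG member, and that hashing on ports is what lets two connections between the same pair of hosts spread, follows directly from how the hash is built. The Python below is an added illustration, not the SG200 firmware's algorithm: the byte-XOR fold, the 2-member LAG and the 192.168.1.x addresses are constructed for the demo.

```python
"""Added illustration (not the SG200 firmware's algorithm): how a src/dst hash
pins every packet of one conversation to a single LAG member, and why
including TCP ports lets two connections between the same hosts spread."""
import ipaddress
from collections import Counter


def fold8(value):
    """XOR an integer down to 8 bits, byte by byte (a toy hash fold)."""
    out = 0
    while value:
        out ^= value & 0xFF
        value >>= 8
    return out


def lag_member(src_ip, dst_ip, n_links, src_port=None, dst_port=None):
    """Return the member index (0..n_links-1) a packet is sent on.

    Without ports this models the MAC/IP-only balancing described for the
    small-business switches; with ports it models src-dst-port balancing.
    The same inputs always give the same member, so a flow never spills over."""
    key = int(ipaddress.ip_address(src_ip)) ^ int(ipaddress.ip_address(dst_ip))
    if src_port is not None and dst_port is not None:
        key ^= src_port ^ dst_port
    return fold8(key) % n_links


def distribute(flows, n_links, use_ports=False):
    """Count flows per member. flows: (src_ip, dst_ip, src_port, dst_port)."""
    counts = Counter()
    for src, dst, sport, dport in flows:
        member = (lag_member(src, dst, n_links, sport, dport) if use_ports
                  else lag_member(src, dst, n_links))
        counts[member] += 1
    return dict(counts)


# Constructed sample: four SMB connections from one PC to the server, and
# three PCs each copying to the server, over a 2-member LAG.
SERVER = "192.168.1.100"
ONE_PC_FOUR_CONNS = [("192.168.1.11", SERVER, 50000 + i, 445) for i in range(4)]
THREE_PCS = [(f"192.168.1.{h}", SERVER, 50000, 445) for h in (11, 12, 13)]

if __name__ == "__main__":
    print("one PC, IP hash:   ", distribute(ONE_PC_FOUR_CONNS, 2))
    print("one PC, port hash: ", distribute(ONE_PC_FOUR_CONNS, 2, use_ports=True))
    print("three PCs, IP hash:", distribute(THREE_PCS, 2))
```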

  • Windows Network Load Balancing - Virtual MAC Address

    Hi All,
    I have an environment running 2 Exchange 2010 servers with CAS/HT, joined to Windows Network Load Balancing as nodes.
    My question is,
    If the NLB service is restarted, will the virtual MAC address for NLB change to a new virtual MAC address?
    Thanks for response,
    Best Regards,
    Henry Stefanus

    Hi Henry Stefanus,
    The NLB working mechanism does not change based on which higher-level application is used, and I am not very familiar with the Exchange NLB architecture, but the following KB and article may help you.
    When you use the unicast method, all cluster hosts share an identical unicast MAC address. Network Load Balancing overwrites the original MAC address of the cluster adapter with the unicast MAC address that is assigned to all the cluster hosts.
    When you use the multicast method, each cluster host retains the original MAC address of the adapter. In addition to the original MAC address of the adapter, the adapter is assigned a multicast MAC address, which is shared by all cluster hosts. The incoming client requests are sent to all cluster hosts by using the multicast MAC address.
    Selecting the Unicast or Multicast Method of Distributing Incoming Requests
    http://technet.microsoft.com/en-us/library/cc782694(v=ws.10).aspx
    The related third party article:
    Building NLB Exchange 2010 RTM CAS / HT Servers (Hyper-V) – Part 1
    http://blog.morecoffeeany1.com/2010/03/19/building-nlb-exchange-2010-rtm-cas-ht-servers-hyper-v-%E2%80%93-part-1/
    I’m glad to be of help to you!

  • Load balancing UDP application in ACE

    Hi all,
    What's the proper way to load balance a UDP application (NTP protocol) using ACE? We used to do it in our CSS using a content to load-balance and a source group to source-NAT the UDP replies from the servers to the VIP. I guess this should be implemented using NAT in the ACE, but I can't find any example.
    According to the manual, src-natting to VIPs is supported only in A1(8) and it is supposed to be used "when there is a limited number of real-world IP addresses on the client-side network".
    This is not our case, we just need to ensure that the client receives the UDP replies as coming from the VIP, not from real IP address of the server. This is not a problem in TCP-based applications, because the NAT from the rserver IP to the VIP is automatic. What is the proper way to obtain this behaviour for UDP applications? Thanks a lot!
    Regards,
    Pedro

    Pedro,
    Reverse NATing is not required in the ACE world.
    This is done automatically.
    So, the server response will be automatically NATed to the VIP address when going back to the client.
    If you have an appliance and are just deploying now, I would recommend version A3(2.1).
    If you have a module go for A2(1.3).
    Gilles
