05-16-2007 05:59 AM
I am trying to do transparent caching with IP spoofing. Assume the following topology:
Internet
VLAN 50 (192.168.20.1)
|
|
6509---------------VLAN 30 (192.168.30.1)
| Caches (192.168.30.10, 192.168.30.11, etc)
|
VLAN 20 (192.168.10.1)
|
|
ACE
|
|
VLAN 10
Clients (192.168.10.2, 192.168.10.3, etc)
Here is a config I have hacked up and I think it could work. Please let me know if this looks like a valid configuration.
The idea is to do tcp port 80 redirection of all traffic from clients to the cache, and then when traffic comes back from the
internet, also send it to the cache if it's tcp port 80. It is important since we are doing IP Spoofing that traffic
symmetrically comes back to the ACE, and not directly to the client.
assume:
VLAN 10 is client
VLAN 20 is on 6509
VLAN 30 is configured off the 6500 and has the cache servers in it
access-list anyone line 10 extended permit ip any any
access-list BPDU ethertype permit bpdu

probe icmp ICMP
  interval 10
  faildetect 2
  passdetect interval 60
  passdetect count 2

rserver host Cache_01
  ip address 192.168.30.10
  inservice

serverfarm host Web-Farm
  transparent
  probe ICMP
  rserver Cache_01
    inservice

class-map match-any L4-WWW-Traffic
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

class-map type management match-any mgmt_class
  2 match protocol https any
  3 match protocol ssh any
  4 match protocol snmp any
  5 match protocol telnet any
  6 match protocol icmp any

policy-map type management first-match mgmt
  class mgmt_class
    permit

policy-map type loadbalance first-match L7-WWW-Traffic
  class class-default
    serverfarm Web-Farm

policy-map multi-match WWW-SLB
  class L4-WWW-Traffic
    loadbalance vip inservice
    loadbalance policy L7-WWW-Traffic
    loadbalance vip icmp-reply

service-policy input mgmt
access-group input anyone

interface vlan 10
  description "Client Side"
  no ip address
  bridge-group 1
  access-group input BPDU
  access-group input anyone
  no normalization
  mac-sticky enable
  no icmp-guard
  service-policy input WWW-SLB
  no shutdown

interface vlan 20
  description "Internet Side Interface"
  no ip address
  bridge-group 1
  access-group input BPDU
  access-group input anyone
  service-policy input WWW-SLB
  no shutdown

interface bvi 1
  ip address 192.168.10.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.20.1
One question I have is, do I have to exempt the caches from being cached, or is the ACE smart enough to handle that?
For example, a client makes a web request, this gets intercepted and sent to a cache. The cache goes to the internet
using the client's IP, and grabs the page. The page comes back to the cache. Now the cache would like to give the page
to the client. When it does this, it's going to cross vlan 20, and trigger the service-policy that says "send all port 80
tcp to the cache", so this is possible recursion. Do I have to put like a "deny" of some sort in that class map so that
the cache itself doesn't try to get cached?
Right now it's 1 cache. I think they could add a second rserver and, using the mac-sticky feature which I showed configured,
my thought is that the ACE would keep track of which cache made the request to the internet, and ensure that traffic went
back to that same cache. Is this a correct assumption?
05-18-2007 01:55 AM
Is vlan 30 attached to the ACE module or to the MSFC?
If the ACE module, and if you did not configure "service-policy input WWW-SLB" on the vlan 30 interface, then the traffic from the cache would not be loadbalanced back to the cache.
Instead it should be routed.
And you are correct that with mac-sticky enable the ACE module will keep connections to the appropriate cache.
Gilles.
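Added example, not from either post or from Cisco: a small static check of an ACE-style config for the loop condition Gilles describes. It parses rserver, serverfarm, policy-map and interface blocks and flags any interface that both applies a redirect service-policy and sits on the subnet where that policy's caches live, since that is the only case in which a cache's own outbound port-80 traffic would be classified by the same policy again. The embedded config is the poster's, trimmed and re-indented; the "interface vlan 30" in the second variant is a constructed, hypothetical block showing what the loop case would look like. The check models the configuration only, not ACE packet processing, connection tracking or mac-sticky.

```python
"""Static check for the redirect-loop condition discussed in the thread (added
example, not from the post or from Cisco): flag any interface that applies a
redirect service-policy while sitting on the subnet of that policy's caches."""
import ipaddress

# Constructed input: the poster's config trimmed to the blocks that decide where
# port-80 traffic is steered, re-indented the way ACE nests them.
POSTED = """\
rserver host Cache_01
  ip address 192.168.30.10
serverfarm host Web-Farm
  transparent
  rserver Cache_01
policy-map type loadbalance first-match L7-WWW-Traffic
  class class-default
    serverfarm Web-Farm
policy-map multi-match WWW-SLB
  class L4-WWW-Traffic
    loadbalance policy L7-WWW-Traffic
interface vlan 10
  bridge-group 1
  service-policy input WWW-SLB
interface vlan 20
  bridge-group 1
  service-policy input WWW-SLB
interface bvi 1
  ip address 192.168.10.100 255.255.255.0
"""

# Constructed variant: a hypothetical vlan 30 on the ACE with the caches attached
# and the same redirect policy applied; this is the loop case Gilles describes.
LOOPING = POSTED + """\
interface vlan 30
  ip address 192.168.30.2 255.255.255.0
  service-policy input WWW-SLB
"""


def blocks(text):
    """Yield (header, body_lines) per top-level block; ACE nests by indentation."""
    header, body = None, []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        else:
            body.append(raw.strip())
    if header is not None:
        yield header, body


def parse(text):
    """Return rserver IPs, farm members, L7 policy farms, multi-match policies, interfaces."""
    rserver_ip, farm_rservers, lb_farms, mm_policies, ifaces = {}, {}, {}, {}, {}
    for header, body in blocks(text):
        w = header.split()
        if w[0] == "rserver":
            rserver_ip.update({w[-1]: l.split()[2] for l in body if l.startswith("ip address ")})
        elif w[0] == "serverfarm":
            farm_rservers[w[-1]] = [l.split()[1] for l in body if l.startswith("rserver ")]
        elif w[:3] == ["policy-map", "type", "loadbalance"]:
            lb_farms[w[-1]] = [l.split()[1] for l in body if l.startswith("serverfarm ")]
        elif w[:2] == ["policy-map", "multi-match"]:
            mm_policies[w[-1]] = [l.split()[2] for l in body if l.startswith("loadbalance policy ")]
        elif w[0] == "interface":
            iface = {"ip": None, "bridge": None, "policies": []}
            for f in (line.split() for line in body):
                if f[:2] == ["ip", "address"]:
                    iface["ip"] = ipaddress.ip_interface(f"{f[2]}/{f[3]}")  # dotted mask is accepted
                elif f[0] == "bridge-group":
                    iface["bridge"] = f[1]
                elif f[:2] == ["service-policy", "input"]:
                    iface["policies"].append(f[2])
            ifaces[" ".join(w[1:])] = iface
    return rserver_ip, farm_rservers, lb_farms, mm_policies, ifaces


def subnet_of(ifaces, name):
    """A bridge-group member has no address of its own; it shares the BVI's subnet."""
    iface = ifaces[name]
    if iface["ip"] is None and iface["bridge"] is not None:
        iface = ifaces.get(f"bvi {iface['bridge']}", iface)
    return iface["ip"].network if iface["ip"] is not None else None


def cache_subnet_interfaces(text):
    """Interfaces whose subnet holds a cache; empty means the caches are a routed hop away."""
    rserver_ip, _, _, _, ifaces = parse(text)
    caches = [ipaddress.ip_address(ip) for ip in rserver_ip.values()]
    hits = []
    for name in ifaces:
        net = subnet_of(ifaces, name)
        if net is not None and any(ip in net for ip in caches):
            hits.append(name)
    return hits


def redirect_loop_risks(text):
    """(interface, policy, cache ip) triples where a cache's own outbound traffic would
    enter through an interface applying the very policy that redirects to that cache."""
    rserver_ip, farm_rservers, lb_farms, mm_policies, ifaces = parse(text)
    risks = []
    for name, iface in ifaces.items():
        net = subnet_of(ifaces, name)
        for pol in iface["policies"]:
            for lb in mm_policies.get(pol, []):
                for farm in lb_farms.get(lb, []):
                    for rs in farm_rservers.get(farm, []):
                        if rs in rserver_ip and net is not None \
                                and ipaddress.ip_address(rserver_ip[rs]) in net:
                            risks.append((name, pol, rserver_ip[rs]))
    return risks
```

On the posted config, cache_subnet_interfaces(POSTED) is empty (the caches in 192.168.30.0/24 are reached through the default route to 192.168.20.1, so their traffic never enters an ACE interface carrying WWW-SLB) and redirect_loop_risks(POSTED) reports nothing. With the hypothetical vlan 30 added, both functions flag it, which is the configuration to avoid: keep the redirect policy off the cache-facing interface, or exclude the cache addresses from the class that feeds it.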