ACE Transparent Redirection to Web Cache with IP Spoofing

bfeeny
Level 1

I am trying to do transparent caching with IP spoofing. Assume the following topology:

Internet
VLAN 50 (192.168.20.1)
  |
  |
6509---------------VLAN 30 (192.168.30.1)
  |                Caches (192.168.30.10, 192.168.30.11, etc)
  |
VLAN 20 (192.168.10.1)
  |
  |
ACE
  |
  |
VLAN 10
Clients (192.168.10.2, 192.168.10.3, etc)

Here is a config I have hacked up and I think it could work. Please let me know if this looks like a valid configuration.

The idea is to do tcp port 80 redirection of all traffic from clients to the cache, and then, when traffic comes back from the internet, also send it to the cache if it's tcp port 80. It is important, since we are doing IP Spoofing, that traffic symmetrically comes back to the ACE, and not directly to the client.

Assume:
VLAN 10 is client
VLAN 20 is on 6509
VLAN 30 is configured off the 6500 and has the cache servers in it

access-list anyone line 10 extended permit ip any any
access-list BPDU ethertype permit bpdu

probe icmp ICMP
  interval 10
  faildetect 2
  passdetect interval 60
  passdetect count 2

rserver host Cache_01
  ip address 192.168.30.10
  inservice

serverfarm host Web-Farm
  transparent
  probe ICMP
  rserver Cache_01
    inservice

class-map match-any L4-WWW-Traffic
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

class-map type management match-any mgmt_class
  2 match protocol https any
  3 match protocol ssh any
  4 match protocol snmp any
  5 match protocol telnet any
  6 match protocol icmp any

policy-map type management first-match mgmt
  class mgmt_class
    permit

policy-map type loadbalance first-match L7-WWW-Traffic
  class class-default
    serverfarm Web-Farm

policy-map multi-match WWW-SLB
  class L4-WWW-Traffic
    loadbalance vip inservice
    loadbalance policy L7-WWW-Traffic
    loadbalance vip icmp-reply

service-policy input mgmt
access-group input anyone

interface vlan 10
  description "Client Side"
  no ip address
  bridge-group 1
  access-group input BPDU
  access-group input anyone
  no normalization
  mac-sticky enable
  no icmp-guard
  service-policy input WWW-SLB
  no shutdown

interface vlan 20
  description "Internet Side Interface"
  no ip address
  bridge-group 1
  access-group input BPDU
  access-group input anyone
  service-policy input WWW-SLB
  no shutdown

interface bvi 1
  ip address 192.168.10.100 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.20.1

One question I have is: do I have to exempt the caches from being cached, or is the ACE smart enough to handle that?

For example, a client makes a web request; this gets intercepted and sent to a cache. The cache goes to the internet using the client's IP, and grabs the page. The page comes back to the cache. Now the cache would like to give the page to the client. When it does this, it's going to cross VLAN 20 and trigger the service-policy that says "send all port 80 tcp to the cache", so this is possible recursion. Do I have to put like a "deny" of some sort in that class map so that the cache itself doesn't try to get cached?

Right now it's 1 cache. I think they could add a second rserver and, using the mac sticky feature which I showed configured, my thought is that the ACE would keep track of which cache made the request to the internet, and ensure that traffic went back to that same cache. Is this a correct assumption?

1 Reply

Gilles Dufour
Cisco Employee

Is vlan 30 attached to the ACE module or to the MSFC?

If the ACE module, and if you did not configure "service-policy input WWW-SLB" on the vlan 30 interface, then the traffic from the cache would not be loadbalanced back to the cache.

Instead it should be routed.

And you are correct that with mac-sticky enable the ACE module will keep connections to the appropriate cache.

Gilles.
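To make the two points in this thread concrete, here is an added toy model (written for this post, not ACE code) of the forwarding decisions the posted config would produce: tcp/80 is intercepted only on VLANs that carry the WWW-SLB policy, and mac-sticky returns the origin's reply to whichever MAC opened the spoofed flow. It assumes VLAN 30 is an ACE interface (the case Gilles asks about); the MACs and the origin IP 203.0.113.5 are constructed.

```python
from dataclasses import dataclass, field

# Toy model of the ACE decisions discussed in the thread (not ACE code):
# which VLANs intercept tcp/80 into the cache farm, and how mac-sticky returns
# the spoofed reply to the cache that sent the request. MACs are constructed.

@dataclass(frozen=True)
class Packet:
    in_vlan: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_mac: str

@dataclass
class AceModel:
    slb_vlans: frozenset                        # VLANs carrying "service-policy input WWW-SLB"
    caches: dict                                # cache IP -> cache MAC
    sticky: dict = field(default_factory=dict)  # flow key -> source MAC that opened it

    def forward(self, pkt):
        """Return (decision, next hop) the ACE would make for one packet."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.sticky:              # reply to a known flow: mac-sticky wins
            return ("sticky", self.sticky[reverse])
        self.sticky.setdefault(key, pkt.src_mac)
        # L4-WWW-Traffic: any virtual address, tcp eq www, only where the policy is applied
        if pkt.in_vlan in self.slb_vlans and pkt.dst_port == 80:
            return ("redirect", self.caches["192.168.30.10"])  # single rserver Cache_01
        return ("route", "192.168.20.1")        # "ip route 0.0.0.0 0.0.0.0 192.168.20.1"

CACHE_MAC, CLIENT_MAC, ORIGIN_MAC = "cc:00:00:00:00:10", "aa:00:00:00:00:02", "ee:00:00:00:00:01"

def trace_flow(slb_vlans):
    """Walk one cached page fetch end to end and return the ACE decision per hop."""
    ace = AceModel(frozenset(slb_vlans), {"192.168.30.10": CACHE_MAC})
    hops = [
        # client request on VLAN 10: should be redirected into the cache farm
        Packet(10, "192.168.10.2", 40000, "203.0.113.5", 80, CLIENT_MAC),
        # cache fetches the page on VLAN 30 with the client's IP spoofed as source
        Packet(30, "192.168.10.2", 50000, "203.0.113.5", 80, CACHE_MAC),
        # origin reply enters on VLAN 20: must reach the cache, not the client
        Packet(20, "203.0.113.5", 80, "192.168.10.2", 50000, ORIGIN_MAC),
        # cache hands the page to the client: back to the client's own MAC
        Packet(30, "203.0.113.5", 80, "192.168.10.2", 40000, CACHE_MAC),
    ]
    return [ace.forward(p) for p in hops]
```

Calling `trace_flow({10, 20})` reproduces the posted config (the cache's own fetch is routed), while `trace_flow({10, 20, 30})` shows the recursion the question worries about: the cache's fetch is redirected straight back into the cache farm.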