ACE - Can not get it to work

p.buitelaar
Level 1

All,

I am trying to configure simple load balancing to 4 servers on an ACE (ver 3.0.0A13B), but I can't get it to work.

See config below. I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.

Can anyone spot the issue?

Thanks, Pieter-Jon

probe tcp TCP
  description TCP PROBE
  interval 2
  faildetect 2
  passdetect interval 2
  connection term forced
  open 2

parameter-map type connection IDLE
  set timeout inactivity 600

rserver host INFO-Realserver-1
  ip address 38.22.175.1
  probe TCP
  inservice
rserver host INFO-Realserver-2
  ip address 38.22.175.2
  probe TCP
  inservice
rserver host INFO-Realserver-3
  ip address 38.22.175.3
  probe TCP
  inservice
rserver host INFO-Realserver-4
  ip address 38.22.175.4
  probe TCP
  inservice

serverfarm host INFO2008
  predictor leastconns slowstart 15
  probe TCP
  rserver INFO-Realserver-1
    inservice
  rserver INFO-Realserver-2
    inservice
  rserver INFO-Realserver-3
    inservice
  rserver INFO-Realserver-4
    inservice

class-map match-all L4_VIP_ADDRESS_CLASS
  2 match virtual-address 38.29.250.250 tcp any
class-map type management match-any MGMT-Class
  2 match protocol icmp any
  3 match protocol ssh any
  4 match protocol telnet any
class-map type management match-all SNMP_ALLOW_CLASS
  2 match protocol snmp any
class-map type management match-all TELNET_ALLOW_ALL
  2 match protocol telnet any

policy-map type management first-match MGMT-Policy
  class MGMT-Class
    permit
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class TELNET_ALLOW_ALL
    permit
policy-map type management first-match SNMP_ALLOW_POLICY
  class SNMP_ALLOW_CLASS
    permit

policy-map type loadbalance first-match L7_VIP_LB_ORDER_POLICY
  class class-default
    serverfarm INFO2008

policy-map multi-match L4_LB_VIP_POLICY
  class L4_VIP_ADDRESS_CLASS
    loadbalance vip inservice
    loadbalance policy L7_VIP_LB_ORDER_POLICY
    loadbalance vip icmp-reply
    loadbalance vip advertise

interface vlan 22
  description Info Servers vlan
  ip address 38.22.1.250 255.255.0.0
  no shutdown
interface vlan 29
  description Info Front End vlan
  ip address 38.29.1.250 255.255.0.0
  service-policy input L4_LB_VIP_POLICY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 121
  ip address 38.121.6.1 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input SNMP_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 38.121.1.1

5 Replies

Roble Mumin
Level 3

> I have L3 vlan interfaces on my Cat6513 for vlan 22, 29 and 121.

That is your problem first of all.

If I get it right from your config:

VLAN 121 is your transfer network / or client side vlan

VLAN 22 and VLAN 29 are Server VLANS?

What you should keep in mind is that you define the server side vlans only on the ACE contexts with L3. You don't define them on the supervisor.

If you use the ACE in routed mode you have to assign networks exclusive to the ACE, like routing networks to a layer 3 device in your network. If you use those vlans (22,29) on other parts of your net you should subnet them or take another network.

Your setup should look like this.

6513

L3 ~ VLAN 121

L2 ~ VLAN 22,29,121

ACE Module

L3 ~ VLAN 22,29,121

You assign the 3 vlans or any other to a vlan group and assign this group to the ACE module.

Create a new context -> assign the vlan 22,29 and 121 to this context.

6513(L3) <-- vlan 121 --> ACE (L3) /Admin Context

6513(L3) <-- vlan 121 --> ACE(L3) / Server Context --> VLAN 22,29

----------

ACE Admin Context (VLAN121)

----------

ACE Server Context (VLAN 121,22,29)

---

After you have a working L2/L3 setup, start troubleshooting the ACE config itself. :)

Hope it helps

Roble

Create an access-list for all traffic

access-list anyone line 10 extended permit ip any any

and apply it to client and server vlans using

access-group input anyone

ACE by default blocks all traffic. You need to assign an ACL to the vlans to guarantee traffic passing through the ACE.

Syed

Syed is right, if your L2/L3 setup is okay then the ACL needs to be there.

But I am not sure if that is the only problem. If yes, ignore my first post. :)

Roble

Got it working now.

Thanks for your very useful replies!

Gilles Dufour
Cisco Employee

Check the probe status.

Check the arp table.

Do you have connectivity with the servers ?

If not, make sure your svclc vlan-groups are correctly set up on the switch.

Then, verify your topology.

Your default route points to vlan 121.

So, I assume your client will be coming on that vlan.

But you did not configure the policy L4_LB_VIP_POLICY on that vlan.

I think you should get rid of vlan 29 or vlan 121. Use only one of them and set the default route correctly.

Let the default gateway do the routing between the vlans.

Gilles.
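
Added example, not part of the thread or any poster's code: a Python check for the two findings raised in the replies above, run over a constructed excerpt of the posted config. It flags VLAN interfaces with no `access-group input` (Syed's reply) and the VLAN holding the default route's next hop when no multi-match load-balance policy is applied there (Gilles' reply). The function names `parse` and `audit` are hypothetical, and the config is assumed to be indented the way `show running-config` prints it.

```python
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question.
SAMPLE = """\
policy-map multi-match L4_LB_VIP_POLICY
interface vlan 22
  ip address 38.22.1.250 255.255.0.0
interface vlan 29
  ip address 38.29.1.250 255.255.0.0
  service-policy input L4_LB_VIP_POLICY
interface vlan 121
  ip address 38.121.6.1 255.255.0.0
  service-policy input REMOTE_MGMT_ALLOW_POLICY
ip route 0.0.0.0 0.0.0.0 38.121.1.1
"""

def parse(config):
    """Return ({vlan: settings}, multi-match policy names, default-route next hop)."""
    vlans, lb_policies, next_hop, cur = {}, set(), None, None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():  # unindented line opens a new top-level block
            m = re.match(r"interface vlan (\d+)$", line)
            cur = vlans.setdefault(int(m.group(1)), {"net": None, "acl": False, "policies": set()}) if m else None
            if line.startswith("policy-map multi-match "):
                lb_policies.add(line.split()[-1])
            elif line.startswith("ip route 0.0.0.0 0.0.0.0 "):
                next_hop = ipaddress.ip_address(line.split()[-1])
        elif cur is not None:  # indented line inside an interface block
            if line.startswith("ip address "):
                cur["net"] = ipaddress.ip_network("/".join(line.split()[2:4]), strict=False)
            elif line.startswith("access-group input "):
                cur["acl"] = True
            elif line.startswith("service-policy input "):
                cur["policies"].add(line.split()[-1])
    return vlans, lb_policies, next_hop

def audit(config):
    """Return (vlan, finding) tuples for the two issues named in the replies."""
    vlans, lb_policies, next_hop = parse(config)
    findings = []
    for vlan, s in sorted(vlans.items()):
        if not s["acl"]:  # no ACL applied on this interface
            findings.append((vlan, "no access-group input"))
        if next_hop and s["net"] and next_hop in s["net"] and not (s["policies"] & lb_policies):
            findings.append((vlan, "default route exits here, no load-balance policy applied"))
    return findings
```

The check only tests that an access-group is present on each interface; it does not evaluate what the referenced ACL permits.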