
loadbalancing using waas with ace

eng.usama
Level 1

I tried this configuration to load balance all TCP traffic to WAAS in the datacenter and it worked:

ACE(config)# class-map match-any ALL-TCP

ACE(config-cmap)# 10 match virtual-address 0.0.0.0 0.0.0.0 tcp any

ACE(config-cmap)# exit

ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE

ACE(config-pmap-lb)# class class-default

ACE(config-pmap-lb-c)# serverfarm WAAS

ACE(config-pmap-lb-c)# exit

ACE(config)# policy-map multi-match WAAS-INTERCEPT

ACE(config-pmap)# class ALL-TCP

ACE(config-pmap-c)# loadbalance vip inservice

ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE

ACE(config-pmap-c)# exit

The question now: I do not want to redirect all TCP traffic of the datacenter; I want to deny some traffic from being intercepted. So I think the solution is to make class-map ALL-TCP match an access-list (not a virtual-address). Do you think it will work, or does it have any limitation?

The new configuration that I want to apply:

ACE(config-pmap-c)ip access-list extn all-tcp

ACE(config-pmap-c)permit tcp any any

ACE(config-pmap-c)exit

ACE(config)# class-map match-any ALL-TCP

ACE(config-cmap)# 10 match access-group all-tcp

ACE(config-cmap)# exit

ACE(config)# policy-map type loadbalance first-match TCP-POLICY-TYPE

ACE(config-pmap-lb)# class class-default

ACE(config-pmap-lb-c)# serverfarm WAAS

ACE(config-pmap-lb-c)# exit

ACE(config)# policy-map multi-match WAAS-INTERCEPT

ACE(config-pmap)# class ALL-TCP

ACE(config-pmap-c)# loadbalance vip inservice

ACE(config-pmap-c)# loadbalance policy TCP-POLICY-TYPE

ACE(config-pmap-c)# exit


jsivulka
Level 5

You have to confirm that you are running WAAS version 4.0.13, correct? If that is incorrect, please install it. Please make sure that the EPM Adaptor is disabled through the CLI on each WAE. In the WAAS-ACE design guide the traffic flow is from client to rserver with a redirect to a WAE farm in the middle. For traffic leaving the WAAS interface that does not match a service policy to be load-balanced, ACE would just route it. Then would the mac-sticky which is associated with that outbound connection cause the return traffic to come back to the same WAE, even though it is not a defined rserver endpoint?

Zach Seils
Level 7

Usama,

You can create another wildcard VIP that matches the ports you want to bypass, then set an action of 'forward' in the loadbalance policy map for that traffic.

Zach

Kristopher Martinez
Cisco Employee

You will need to create an HTTP loadbalance class-map to match the source address of this traffic. The configuration would look something like this:

class-map match-all TCP_ANY

2 match virtual-address 0.0.0.0 tcp any

class-map type http loadbalance match-any ROUTE

2 match source-address 1.1.1.0 255.255.255.0

policy-map type loadbalance first-match TCP-POLICY-TYPE

class ROUTE

forward

class class-default

serverfarm WAAS

policy-map multi-match WAS-INTERCEPT

class TCP_ANY

loadbalance policy TCP-POLICY-TYPE

loadbalance vip inservice

Due to the nature of the WAAS traffic, you will also need to turn on mac-sticky on the and disable TCP normalization on the interface.