Basic ACE-4710 questions.

Answered Question
Jul 6th, 2008

Hello,

I have been asked to configure an ACE-4710, but I have not had any previous experience with these types of devices. I want to implement a fairly simple configuration, but the documentation seems a little confusing - I am hoping someone can please help me.

What I want to achieve is for the 4710 to load balance web connections to 2 real servers in a server farm. I want to use the least connections predictor/algorithm, with a 70/30 weight. The 4710 has only the one physical and one vlan connection to the network - I guess that eliminates any idea of different client and server side connections. Given this setup here are my questions;

- given that all web requests are to be treated the same, do I need to configure any class/policy maps to enable load-balancing, or will simply specifying the above parameters (predictor, weight, real and server farm details) suffice?

- VIP address, what is it/what's it used for - is it the “alias” ip address of the 4710's in failover/redundant configuration, or is it an address on the web server side of things?

I am sure that I will have some other questions, but if anyone can help out with the above I would be most grateful. Please let me know if you need any further details to help explain my setup.

Thanks in advance,

Jeremy

Correct Answer
diro Mon, 07/07/2008 - 04:54

The vip address is the virtual address; that address is given to the clients that want to connect to the sfarm. So yes, you must create policies because that's the way we create a vip.

So clients send traffic to the vip address that is connected to a serverfarm (policies). A server is selected according to the predictor, and at that time the destination address from the client (vip) is then translated to that of the server.

Now the problem is that you are working with a one arm config or ace on a stick; that's probably going to give problems for the return traffic. Therefore you need to enable dynamic source nat.

Correct Answer
Gilles Dufour Mon, 07/07/2008 - 05:07

Jeremy,

The vip address is the virtual address.

That's your website address for the rest of the world and your dns name should resolve to it.

This ip address will then be NATed to one of the server ip addresses when the connection comes to the loadbalancer.

You will need a class-map to CATCH the traffic matching the virtual address.

You also need a policy-map to assign your serverfarm to the virtual-address.

This is done in 2 steps.

First create a type loadbalancing policy-map and under the class-default configure your serverfarm.

Then you create a multimatch policy and under the match-vip class-map you assign the first policy-map.

Finally, you need to put your multimatch policy on the vlan interface where the traffic will be coming in.

The design looks easy but you will soon discover it requires special config and attention.

It is actually easier to have a client vlan and a server vlan.

This is because the server response MUST go through the ACE and in one-armed mode the server response will by default go directly to the client bypassing the loadbalancer.

You then need to configure client nat or policy based routing on your gateway.

Gilles
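The steps above, together with the dynamic source NAT mentioned in the previous reply, written out as an added configuration sketch for the one-armed case (not part of the original thread and not taken from any poster's device). All object names, VLAN 100 and the 192.0.2.0/24 addresses are assumptions chosen for illustration; lines starting with `!` are annotations to strip before pasting.

```text
! Permit only the traffic the VIP should receive (assumed VIP 192.0.2.100)
access-list WEB-IN line 10 extended permit tcp any host 192.0.2.100 eq www

! Real servers (assumed addresses)
rserver host WEB1
  ip address 192.0.2.11
  inservice
rserver host WEB2
  ip address 192.0.2.12
  inservice

! Server farm: least-connections predictor with a 70/30 weight
serverfarm host WEBFARM
  predictor leastconns
  rserver WEB1 80
    weight 70
    inservice
  rserver WEB2 80
    weight 30
    inservice

! Class-map that catches traffic addressed to the virtual address
class-map match-all VIP-WEB
  2 match virtual-address 192.0.2.100 tcp eq www

! Step 1: load-balancing policy-map, serverfarm under class-default
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm WEBFARM

! Step 2: multi-match policy ties the VIP class to the first policy-map.
! "nat dynamic" rewrites the client source address so that the server
! reply returns to the ACE instead of going straight to the client.
policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    nat dynamic 1 vlan 100

! Single VLAN interface: ACL, NAT pool and the multi-match policy
interface vlan 100
  ip address 192.0.2.2 255.255.255.0
  access-group input WEB-IN
  nat-pool 1 192.0.2.200 192.0.2.200 netmask 255.255.255.0 pat
  service-policy input CLIENT-VIPS
  no shutdown
```

With source NAT the real servers log the pool address rather than the client address, so per-client attribution has to come from the ACE side or from a header the servers are configured to record.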

jeremy-keen Tue, 07/08/2008 - 04:28

Gilles,

Firstly thanks for your reply. I can now understand the VIP address, and the need to identify/catch/class the “interesting” traffic destined for the web-servers and apply a policy to send it to the real servers in a serverfarm.

I still have some questions regarding the “one-armed” design;

- my assumption was that the 4710 proxied requests for the client, however given the requirement for nat, I presume it is spoofing the client's request/connection? If that is the case, is it correct that all traffic leaving the real web-servers must go to the 4710, so it can then forward it on to the client?

- I am considering changing the design to have different client and server vlans, however I am concerned that all traffic (such as back-ups, website admin/content uploads) will be forced to traverse through the 4710 (to act as a router). Can this be avoided with the servers having multiple ip addresses on different subnets that the non-web traffic can use? Are there other solutions to stop non-web traffic to the real servers traveling through the 4710?

I can find the various configuration guides, but are there any design documents describing the requirements, and the pros and cons of a “one-armed” versus a “different client and server vlan” design?

Thanks again,

Jeremy

Correct Answer
Gilles Dufour Tue, 07/08/2008 - 08:24

Jeremy,

The server response will indeed be sent to the client. It will however use the real server ip address as the source and the client expects a connection from the virtual ip. So it will reject the response if it does not go through the Ace4710 first to be reverse-NATed to the virtual ip.

The ACE appliance/blade will work as a router by default as long as you permit the traffic in an access-list.

It should therefore be no problem for your servers to be in a vlan behind the 4710.

The only concern would be if you add traffic consuming all your available BW.

In this case one-armed would be the solution, but as I said it requires some particular attention.

Gilles.
