ACE in one-arm model. VIP on Client Side, servers in other vlan

Unanswered Question
Aug 25th, 2008

Hello All


I have a LAN with many servers, but only 2 need to be balanced. So I am thinking of the one-arm model, because of the high traffic that should not pass through the ACE.


I have a VLAN 900 where the client side is, and the VIP also (10.0.9.64/26).

The servers are in VLAN 503 (10.12.3.0/24).


It is my first design with one-arm, but I think something is missing, because it doesn't work.


The configuration is the following:


MSFC:

svclc module 1 vlan-group 1,2,
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511

interface Vlan503
 description OSS_&_Otros
 ip address 10.12.3.253 255.255.255.0
 standby 10 ip 10.12.3.254
 standby 10 priority 150
 standby 10 preempt delay minimum 305

interface Vlan900
 description MSF_<->_ACE
 ip address 10.0.9.126 255.255.255.192
end

access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any

route-map From_Server_OSS_to_ACE permit 10
 match ip address 101
 set ip next-hop 10.0.9.125
!


ACE_1/admin#
ip route 0.0.0.0 0.0.0.0 10.0.9.126

context OSS
  allocate-interface vlan 511
  allocate-interface vlan 900
  allocate-interface vlan 902
  member Max20


ACE_1/OSS# sh run
Generating configuration....

access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any

rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice

serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
    inservice
  rserver OSS_FES_2
    inservice

class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any

policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
    serverfarm SERVER_farm_OSS

policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply

interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.9.126



Maybe I need to allocate VLAN 503 in the OSS context; any advice?

Thanks in advance,

Gianni From Chile

gianni2006 Mon, 08/25/2008 - 13:00

Sorry, it's my first post here, and when I read the whole post that I wrote, I figured out that the following command was missing on Vlan503:

ip policy route-map From_Server_OSS_to_ACE


I didn't know how to erase my post.

I hope the problem is going to be solved by adding this command.


Anyway, any advice on the configuration or model to be used is welcome.

Thanks, Gianni



chris.pomeroy Sun, 09/07/2008 - 16:46

Since your servers are not behind the ACE in either bridged or routed mode, add the following to your config and use NAT to get the traffic back to the ACE.


This is how one-armed mode works.


ACE_1/OSS# sh run
Generating configuration....

access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any

rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice

serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
    inservice
  rserver OSS_FES_2
    inservice

class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any

policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
    serverfarm SERVER_farm_OSS

policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 900

interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  nat-pool 10 10.0.9.126 10.0.9.126 netmask 255.255.255.192 pat
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown

Syed Iftekhar Ahmed Mon, 08/25/2008 - 13:02

The route-map is missing on the VLAN 900 SVI on the MSFC.



Also, ACL 101 doesn't feel right.

access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63


This ACL will forward all server response traffic to the ACE, which is against the reason for using one-arm mode. You should have a specific ACL entry which only takes the traffic from servers listening on specific ports to the ACE, and all the remaining traffic should be allowed to bypass the ACE.


For example, if the servers 10.12.3.150 & .140 are listening on port 80, then the ACL should only say:


access-list 100 permit tcp host 10.12.3.150 eq www any

access-list 100 permit tcp host 10.12.3.140 eq www any




Syed Iftekhar Ahmed
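As an added illustration of the three points raised in this thread (Gianni's question about why the reply path breaks when the reals are not behind the ACE, Chris's source-NAT alternative, and Syed's port-specific PBR ACL), here is a small Python model of the posted topology. It is example code written for this page, not configuration or tooling from the thread or from Cisco. It uses the addresses posted above; the client address 10.0.9.70, the client source port, the hypothetical nat-pool address 10.0.9.124 (the pool must be a free address on the client-side subnet that is not an ACE or MSFC interface address), and the assumed contiguous IOS wildcard masks are assumptions, and the ACE is reduced to one rule: a load-balanced reply is rewritten from the real's address to the VIP only if it actually reaches the ACE.

```python
"""Path tracer for the one-arm ACE design in this thread (added example, not thread code).
Clients and the VIP sit on vlan 900 (10.0.9.64/26), the reals on vlan 503 (10.12.3.0/24);
the ACE has only a vlan 900 interface, so a server reply reaches it only via PBR on the
MSFC's Vlan503 SVI or via source NAT."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

# Addresses from the thread; NAT_ADDR is an assumed free vlan 900 address (hypothetical)
VIP = ip_address("10.0.9.66")
NAT_ADDR = ip_address("10.0.9.124")
REALS = (ip_address("10.12.3.140"), ip_address("10.12.3.150"))
ANY = ip_network("0.0.0.0/0")


def wildcard(addr: str, wc: str) -> IPv4Network:
    """IOS 'address wildcard' pair -> network (ipaddress accepts a contiguous hostmask)."""
    return ip_network(f"{addr}/{wc}")


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an IOS extended ACL; None = no port qualifier."""
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, src, dst, sport: int, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.sport in (None, sport)
                and self.dport in (None, dport))


@dataclass(frozen=True)
class Design:
    pbr_on_vlan503: bool            # 'ip policy route-map' applied on Vlan503?
    pbr_acl: Tuple[AclEntry, ...]   # ACL the route-map matches (next-hop = ACE)
    snat: bool                      # 'nat dynamic ... vlan 900' under the VIP class?


def trace(d: Design, client: str, dst: str, dport: int, sport: int = 40000) -> dict:
    """Follow one client connection to dst:dport and the server's reply to it."""
    client, dst = ip_address(client), ip_address(dst)
    load_balanced = dst == VIP
    if load_balanced:
        # ACE owns the VIP, picks a real and routes the request via the MSFC (SNAT optional)
        server = REALS[0]
        request_src = NAT_ADDR if d.snat else client
    else:
        # Ordinary routed traffic straight to a real; the ACE never sees the request
        server, request_src = dst, client
    reply = (server, request_src, dport, sport)          # src, dst, sport, dport
    # MSFC inbound on Vlan503: PBR wins if it matches; a reply to the nat-pool address is
    # delivered to the ACE by plain routing because the ACE owns that address on vlan 900
    pbr_hit = d.pbr_on_vlan503 and any(e.matches(*reply) for e in d.pbr_acl)
    via_ace = pbr_hit or request_src == NAT_ADDR
    # Only a reply that reaches the ACE gets its source rewritten real -> VIP
    seen_src = VIP if (via_ace and load_balanced) else server
    return {
        "via_ace": via_ace,
        "client_sees_src": str(seen_src),
        # A load-balanced reply must come from the VIP, or the client resets the session
        "works": seen_src == VIP if load_balanced else True,
        # Non-balanced traffic dragged through the ACE defeats the point of one-arm mode
        "hairpin": via_ace and not load_balanced,
    }


# ACL 101 as posted (subnet to subnet) and Syed's ACL 100 (port 80 replies from the reals)
ACL_101 = (AclEntry(wildcard("10.12.3.0", "0.0.0.255"), wildcard("10.0.9.64", "0.0.0.63")),)
ACL_100 = (AclEntry(ip_network("10.12.3.150/32"), ANY, sport=80),
           AclEntry(ip_network("10.12.3.140/32"), ANY, sport=80))

DESIGNS = {
    "as posted, no ip policy on Vlan503": Design(False, ACL_101, False),
    "PBR on Vlan503 with ACL 101": Design(True, ACL_101, False),
    "PBR on Vlan503 with ACL 100": Design(True, ACL_100, False),
    "source NAT on the VIP, no PBR": Design(False, (), True),
}


def run_all(client: str = "10.0.9.70") -> dict:
    """Trace an HTTP hit on the VIP and a direct SSH session to a real, for each design."""
    return {name: {"vip:80": trace(d, client, str(VIP), 80),
                   "real:22": trace(d, client, "10.12.3.140", 22)}
            for name, d in DESIGNS.items()}


if __name__ == "__main__":
    for name, res in run_all().items():
        print(name, *(f"\n  {flow}: {r}" for flow, r in res.items()))
```

Running it prints one result per flow and design. The posted configuration, with no ip policy on Vlan503, delivers the HTTP reply to the client from 10.12.3.140 instead of the VIP, so the client has no matching connection and resets it. PBR with ACL 101 fixes that, but also hairpins the unrelated SSH reply through the ACE. ACL 100 (matching only source port 80 from the two reals) and the source-NAT design both send only load-balanced replies through the ACE and let everything else bypass it, which is the property one-arm mode is chosen for.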
