ACE traffic filter

Unanswered Question
Oct 21st, 2008

Hello

I have to migrate a service from an Alteon to the ACE.

The traffic from different known sources is going over a transparent proxy into the internet. Based on the source address, the traffic should be load-balanced to different serverfarms.

My config:

Application Context:

class-map match-all CLASS_A

2 match virtual-address 0.0.0.0 0.0.0.0 any

class-map match-all CLASS_B

2 match virtual-address 0.0.0.0 0.0.0.0 any

class-map type generic match-any CLASS_A

10 match source-address 1.2.3.4 255.255.255.0

class-map type generic match-any CLASS_B

10 match source-address 5.6.7.8 255.255.255.0

policy-map type loadbalance generic first-match POL_A

class CLASS_PEPLB_APN_WEB-52

serverfarm LIVE

policy-map type loadbalance generic first-match POL_B

class CLASS_PEPLB_APN_WEB-99

serverfarm TEST

policy-map multi-match POL_SLB_IF

class CLASS_A

loadbalance vip inservice

loadbalance policy POL_A

class CLASS_B

loadbalance vip inservice

loadbalance policy POL_B

-------------------------------

Internet Context:

class-map match-any CLASS_A

2 match virtual-address 1.2.3.4 255.255.255.0 any

class-map match-any CLASS_B

2 match virtual-address 5.6.7.8 255.255.255.0 any

policy-map type loadbalance first-match POL_A

class class-default

serverfarm LIVE

policy-map type loadbalance first-match POL_B

class class-default

serverfarm TEST

policy-map multi-match POL_SLB_IF

class CLASS_A

loadbalance vip inservice

loadbalance policy POL_A

class CLASS_B

loadbalance vip inservice

loadbalance policy POL_B

The problem is that in the Application Context only the last statement in the multi policy is matching. So only the last entry is working at all.

Right now I'm using one context for the LIVE serverfarm traffic and one context for the TEST serverfarm traffic. This is working, but I can't spend two contexts for each serverfarm I have. I have to do it with one context.

Syed Iftekhar Ahmed Tue, 10/21/2008 - 14:11

Where are the following classes defined?

CLASS_PEPLB_APN_WEB-52

CLASS_PEPLB_APN_WEB-99

How do the two contexts interact? What is the traffic flow with respect to these two contexts?

Syed Iftekhar Ahmed

eberhard-schulz Wed, 10/22/2008 - 05:20

There was a copy/paste failure.

class-map match-all L3_CLASS_A

2 match virtual-address 0.0.0.0 0.0.0.0 any

class-map match-all L3_CLASS_B

2 match virtual-address 0.0.0.0 0.0.0.0 any

class-map type generic match-any L7_CLASS_A

10 match source-address 1.2.3.4 255.255.255.0

class-map type generic match-any L7_CLASS_B

10 match source-address 5.6.7.8 255.255.255.0

policy-map type loadbalance generic first-match POL_A

class L7_CLASS_A

serverfarm LIVE

policy-map type loadbalance generic first-match POL_B

class L7_CLASS_B

serverfarm TEST

policy-map multi-match POL_SLB_IF

class CLASS_A

loadbalance vip inservice

loadbalance policy POL_A

class CLASS_B

loadbalance vip inservice

loadbalance policy POL_B

The two contexts do not interact.

Traffic flow is as follows:

<<<< >>>> Terminated connection

1.2.3.4 (Context IN)

<<<< >>>>

Transparent Proxy A

<<<< >>>>

Internet (Context OUT)

Internet (Context OUT)

<<<< >>>>

Transparent Proxy A

<<<< >>>>

1.2.3.4 (Context IN)

5.6.7.8 (Context IN)

<<<< >>>>

Transparent Proxy B

<<<< >>>>

Internet (Context OUT)

Internet (Context IN)

<<<< >>>>

Transparent Proxy B

<<<< >>>>

5.6.7.8 (Context OUT)

The way there and back has to be the same, but this is not the problem because it already works.

This should be realized in just 2 contexts; right now I have to use 4.

The problem occurred in the Context IN:

policy-map multi-match POL_SLB_IF

class CLASS_A

loadbalance vip inservice

loadbalance policy POL_A

class CLASS_B

loadbalance vip inservice

loadbalance policy POL_B

Here only CLASS_B is taking the traffic; traffic to CLASS_A does not make a connection entry, but in the sniff you can see incoming/outgoing packets.

Only the last entry is getting all the traffic.

This is something I could not understand: if only the first statement were getting all the traffic, OK, but why the last one?

If you put in C, only C is working.

The Alteon config is very easy:

Proxy A:

IN Side:

/c/slb/filt 321

name "A"

ena

action redir

sip 1.2.3.4

smask 255.255.255.0

proto tcp

dport http

group 240 //Serverfarm A

vlan 363

/c/slb/filt 321/adv

thash sip //source ip hash

Out Side:

/c/slb/filt 1321

name "A"

ena

action redir

dip 1.2.3.4

dmask 255.255.255.0

proto tcp

sport http

group 240 //Serverfarm A

vlan 362

/c/slb/filt 1321/adv

thash dip //destination ip hash

-----------------------------------------------

Proxy B:

IN side

/c/slb/filt 421

name "A"

ena

action redir

sip 5.6.7.8

smask 255.255.255.0

proto tcp

dport http

group 241 //Serverfarm B

vlan 363

/c/slb/filt 421/adv

thash sip //source ip hash

Out Side:

/c/slb/filt 1421

name "A"

ena

action redir

dip 5.6.7.8

dmask 255.255.255.0

proto tcp

sport http

group 241 //Serverfarm B

vlan 362

/c/slb/filt 1421/adv

thash dip //destination ip hash
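
Added example, not part of the thread and not Cisco code: a small Python check over the class-map and policy-map lines of the corrected post, copied into a constructed sample string. It reports L3 class-maps whose match criteria are identical, which cannot be told apart by destination, and resolves the serverfarm each source address is meant to reach; the function names are hypothetical and the code models the intended result, not the ACE's internal matching.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: class-map / policy-map lines copied from the corrected post.
CONFIG = """\
class-map match-all L3_CLASS_A
  2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map match-all L3_CLASS_B
  2 match virtual-address 0.0.0.0 0.0.0.0 any
class-map type generic match-any L7_CLASS_A
  10 match source-address 1.2.3.4 255.255.255.0
class-map type generic match-any L7_CLASS_B
  10 match source-address 5.6.7.8 255.255.255.0
policy-map type loadbalance generic first-match POL_A
  class L7_CLASS_A
    serverfarm LIVE
policy-map type loadbalance generic first-match POL_B
  class L7_CLASS_B
    serverfarm TEST
"""

def parse(config):
    # Returns VIP matches per L3 class, source nets per L7 class, serverfarm per L7 class.
    l3, l7, farms, name, cls = defaultdict(list), defaultdict(list), {}, None, None
    for line in config.splitlines():
        tok = line.split() or [""]
        if tok[0] == "class-map":
            name = tok[-1]                      # class-map name is the last token
        elif tok[0] == "class":
            cls = tok[1]                        # class referenced inside a policy-map
        elif tok[0] == "serverfarm":
            farms[cls] = tok[1]
        elif "virtual-address" in tok:
            l3[name].append(tuple(tok[3:]))     # (address, mask, protocol)
        elif "source-address" in tok:
            l7[name].append(ipaddress.ip_network(f"{tok[3]}/{tok[4]}", strict=False))
    return l3, l7, farms

def ambiguous_l3(l3):
    # Groups of L3 class-maps that match exactly the same virtual addresses.
    by_match = defaultdict(list)
    for name, matches in l3.items():
        by_match[tuple(sorted(matches))].append(name)
    return [names for names in by_match.values() if len(names) > 1]

def farm_for(src, l7, farms):
    # Intended behaviour: the first source-address class containing src picks the farm.
    addr = ipaddress.ip_address(src)
    hits = [farms.get(n) for n, nets in l7.items() if any(addr in x for x in nets)]
    return hits[0] if hits else None
```

Run against the posted lines, `ambiguous_l3` groups L3_CLASS_A and L3_CLASS_B together, because both match 0.0.0.0 0.0.0.0 any; only the source-address classes separate the 1.2.3.x and 5.6.7.x traffic.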
