ACE source IP based predictor

Unanswered Question
Dec 3rd, 2008

Hi

I know that if we use source IP based predictors, the ACE would use a hash of the source IP to load balance the traffic. Is there a capability to make this process deterministic? In other words, I have three client subnets accessing the web servers on the same VIP. I want the traffic from subnet 1 to go to server 1 and traffic from subnets 2 and 3 to be load balanced to the rest of the servers.

Any idea on how to get this done?

sachinga.hcl Thu, 12/04/2008 - 00:00

Hi Dinuka,

Session persistence (stickiness) based on client source IP address or HTTP cookies is recommended to be configured on the Cisco ACE for this flow.

IP Address Stickiness

You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.

Here is a sample configuration:

    resource-class websrv
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 20.00 maximum equal-to-min

    rserver host webserver1
      ip address 10.10.10.1
      inservice

    rserver host webserver2
      ip address 10.10.10.2
      inservice

    rserver host webserver3
      ip address 10.10.10.3
      inservice

    serverfarm host werbsrv1only
      probe websrv
      rserver webserver1 1000
        inservice

    serverfarm host werbsrv123
      probe websrv
      rserver webserver1 1000
        inservice
      rserver webserver2 1000
        inservice
      rserver webserver3 1000
        inservice

ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.

The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:

    probe http websrv
      port 1000
      interval 2
      faildetect 2
      passdetect interval 2
      request method get url /index.html
      expect status 200 200

Session persistence can be established by tying the session to an IP address that uniquely identifies the client.

Create a sticky-group:

    sticky ip-netmask 255.255.255.255 address source Client_subnet_1
      timeout 10
      serverfarm werbsrv1only

Change the server farm to the sticky-group:

    policy-map type loadbalance first-match basic-slb
      class class-default
        sticky-serverfarm werbsrv1only

    sticky ip-netmask 255.255.255.255 address source Client_subnet_2
      timeout 10
      serverfarm werbsrv123

    sticky ip-netmask 255.255.255.255 address source Client_subnet_3
      timeout 10
      serverfarm werbsrv123

You can find the details at the URL below:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411

I have also attached a jpeg for your reference.

Hope you will get the idea of how to use sticky based on IP address.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411

Here you can find sample config of similar type:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html

Thanks and regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

http://www.hclcomnet.co.in

A-10, Sector 3, Noida- 201301

INDIA

Mob: +91-9911757733

Email: [email protected]

thedinuka Thu, 12/04/2008 - 00:54

Hi Sachin

Thanks for the detailed response. Still, a small detail is not clear to me. Hope you wouldn't mind me asking another question.

I see that the server farms are defined with sticky configurations based on source IP and the netmask. But with this, do I have specific control over which serverfarm a specific client's request would go to?

For example, I need client subnet 192.168.1.0/24 to go to rserver1 and client subnet 192.168.2.0 to be load balanced to rserver2 and rserver3. Clients in both subnets are sending packets to the same destination VIP.

Hope this is clear.

Gilles Dufour Thu, 12/04/2008 - 01:07

You will need to create 2 serverfarms.

1 with rservers to be used by clients from subnet 192.168.1.0/24 and the other serverfarm with rserver2 and rserver3 to be used by other clients.

You then need to create a class-map to match on src IP, i.e.:

    class-map type http loadbalance match-all ClientX
      2 match source-address 192.168.1.0 255.255.255.0

Finally, in your policy-map, you assign the src class-map with the appropriate serverfarm,

i.e.:

    policy-map type loadbalance first-match MyPolicy
      class ClientX
        serverfarm serverfarm1
      class class-default
        serverfarm serverfarm2

If you need stickiness, you can replace the serverfarm with a sticky-serverfarm.

You can also configure serverfarm2 as a backup-serverfarm for serverfarm1.

Gilles.
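Added example (not part of the thread and not Cisco code): a Python model of the selection order described in the post above, where a first-match class on the source subnet picks the serverfarm and a source-IP hash only chooses among that farm's rservers. The function names and the CRC32 hash are assumptions for illustration; the ACE's actual hash function is not given on this page.

```python
import ipaddress
import zlib

# Constructed policy mirroring the thread: ordered (class, source subnet, serverfarm).
POLICY = [
    ("ClientX", ipaddress.IPv4Network("192.168.1.0/24"), "serverfarm1"),
]
DEFAULT_FARM = "serverfarm2"  # plays the role of "class class-default"

# Farm membership as described in the thread.
SERVERFARMS = {
    "serverfarm1": ["rserver1"],
    "serverfarm2": ["rserver2", "rserver3"],
}


def select_serverfarm(src_ip):
    """First-match: return the farm of the first class whose subnet holds src_ip."""
    addr = ipaddress.IPv4Address(src_ip)
    for _class_name, subnet, farm in POLICY:
        if addr in subnet:
            return farm
    return DEFAULT_FARM


def hash_pick(src_ip, rservers, netmask="255.255.255.255"):
    """Stand-in for a source-IP hash predictor: mask, hash, take the modulo.

    CRC32 is an assumption; any fixed hash gives the same property, namely that
    one client always lands on the same rserver while the farm is unchanged.
    """
    masked = int(ipaddress.IPv4Address(src_ip)) & int(ipaddress.IPv4Address(netmask))
    digest = zlib.crc32(masked.to_bytes(4, "big"))
    return rservers[digest % len(rservers)]


def route(src_ip):
    """Return (serverfarm, rserver) for a client source address."""
    farm = select_serverfarm(src_ip)
    return farm, hash_pick(src_ip, SERVERFARMS[farm])


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.2.10", "192.168.3.77"):
        print(ip, "->", route(ip))
```

The hash alone is repeatable per client but gives no say over which rserver a subnet reaches; the class match is what pins 192.168.1.0/24 to rserver1 and keeps every other source on rserver2 and rserver3.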

sachinga.hcl Thu, 12/04/2008 - 01:37

Hi, here is the syntax for:

Sticky IP configuration mode commands allow you to create a sticky group for IP address stickiness. To create a sticky group and access sticky IP configuration mode, use the sticky ip-netmask command. The prompt changes to (config-sticky-ip). Use the no form of this command to remove the sticky group from the configuration.

    sticky ip-netmask netmask address {source | destination | both} name

    no sticky ip-netmask netmask address {source | destination | both} name
