ACE load balancing servers on different subnets...

javiercastro
Level 1

Hello,

I have the following issue: I need to load-balance traffic between two servers that are already working in two different subnets (VLANs), and at this point it is highly desirable to avoid changing IP addresses. Is it possible to accomplish this goal using ACE, in routed or bridged mode? Is it strictly necessary to have all servers belonging to a serverfarm in the same subnet?

Thanks in advance for your support.

6 Replies

ciscocsoc
Level 4

Hi,

You can do this, but you have to use client-NAT (Source-NAT) to force the return traffic to pass back through the ACE. You also then need static routes in the ACE context to point at each server. PBR is an alternative approach but I have not implemented that in a live network. The important thing is that the ACE sees both sides of the conversation.

The following extract from a configuration shows the basic principle:

rserver host master
  ip address 10.199.95.2
  inservice
rserver host slave
  ip address 10.199.38.68
  inservice

serverfarm host FARM-web2-Master
  description Serverfarm Master
  probe PROBE-web2
  rserver master
    inservice
serverfarm host FARM-web2-Slave
  description Serverfarm Slave
  probe PROBE-web2
  rserver slave
    inservice

class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.80.12 tcp eq www
  3 match virtual-address 10.199.80.12 tcp eq https

policy-map type management first-match REMOTE-MGMT-ALLOW-POLICY
  class REMOTE-ACCESS
    permit

policy-map type loadbalance first-match LB-POLICY
  class class-default
    serverfarm FARM-web2-Master backup FARM-web2-Slave

policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise
    nat dynamic 1 vlan 384

service-policy input L4POLICY

interface vlan 383
  description ACE-web2-Clientside
  ip address 10.199.80.13 255.255.255.248
  alias 10.199.80.12 255.255.255.248
  peer ip address 10.199.80.14 255.255.255.248
  access-group input ACL-IN
  access-group output PERMIT-ALL
  no shutdown
interface vlan 384
  description ACE-web2-Serverside
  ip address 10.199.80.18 255.255.255.240
  alias 10.199.80.17 255.255.255.240
  peer ip address 10.199.80.19 255.255.255.240
  access-group input PERMIT-ALL
  access-group output PERMIT-ALL
  nat-pool 1 10.199.80.20 10.199.80.20 netmask 255.255.255.240 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21

HTH

Cathy
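An added audit script, not from Cathy's post or from any Cisco tool, that reads an ACE config extract like the one above and flags every rserver that sits off the ACE's connected subnets without a static route or without source NAT, which is the "ACE must see both sides of the conversation" condition made mechanical. It assumes the config uses the stanza layout shown (rserver, interface vlan, ip route, and nat dynamic under a VIP class) and treats any nat dynamic under a class as source NAT covering all off-subnet servers; the embedded config is a constructed, compacted copy of the extract.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines of the extract posted above, compacted.
ACE_CONFIG = """\
rserver host master
  ip address 10.199.95.2
rserver host slave
  ip address 10.199.38.68
policy-map multi-match L4POLICY
  class L4VIPCLASS
    nat dynamic 1 vlan 384
interface vlan 384
  ip address 10.199.80.18 255.255.255.240
ip route 0.0.0.0 0.0.0.0 10.199.80.9
ip route 10.199.95.2 255.255.255.255 10.199.80.21
ip route 10.199.38.68 255.255.255.255 10.199.80.21
"""

def parse_ace(cfg):
    """Extract rserver IPs, connected subnets, static routes and whether SNAT is applied."""
    rservers = {n: ipaddress.ip_address(ip) for n, ip in
                re.findall(r"^rserver host (\S+)\n\s+ip address (\S+)", cfg, re.M)}
    connected = [ipaddress.ip_network(f"{ip}/{m}", strict=False) for ip, m in
                 re.findall(r"^interface vlan \S+\n\s+ip address (\S+) (\S+)", cfg, re.M)]
    routes = [ipaddress.ip_network(f"{d}/{m}", strict=False) for d, m in
              re.findall(r"^ip route (\S+) (\S+) \S+", cfg, re.M)]
    snat = re.search(r"^\s+nat dynamic \d+ vlan \d+", cfg, re.M) is not None
    return rservers, connected, routes, snat

def audit_return_path(cfg):
    """Return one finding per gap; an empty list means every off-subnet rserver is covered."""
    rservers, connected, routes, snat = parse_ace(cfg)
    findings = []
    for name, ip in rservers.items():
        if any(ip in net for net in connected):
            continue  # directly connected: replies naturally come back through the ACE
        # A non-default route is what tells the ACE context how to reach the server.
        if not any(ip in net and net.prefixlen > 0 for net in routes):
            findings.append(f"{name}: no static route to off-subnet server {ip}")
        # Without source NAT the server replies straight to the client, bypassing the ACE.
        if not snat:
            findings.append(f"{name}: off-subnet server without source NAT (asymmetric return)")
    return findings

if __name__ == "__main__":
    print(audit_return_path(ACE_CONFIG) or ["no gaps found"])
```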

Then, I suppose that interface vlan 384 (server side) is also configured in the 6500 since you are forwarding traffic destined to the realservers to IP address 10.199.80.21. Is that correct?

Hi,

That is correct.

Kind Regards

Cathy

ropethic
Level 4

You can use either bridged or routed mode as long as the VLANs are trunked across the ACE interfaces by creating a port channel to carry the trunked VLANs.

Thanks for the comment.

Actually, I have already configured it in routed mode using source NAT. It works pretty well.

I just have one doubt. When using the "show conn" command I see all the new connections being load-balanced to the servers, but after probably only 30 seconds (or less) the connections are no longer listed in that command, even though the clients are still connected to the servers. Is this the right behaviour? What command should be used to see the current connections? I thought that the default timeout for any TCP connection was 3600 seconds (1 hour); should it be explicitly configured using a parameter-map?

Also, if I needed to configure several more serverfarms in order to load-balance other services (TCP, most of them HTTP), is it possible to add more VIPs to my current L4VIPCLASS in order to achieve this goal?

I have the following configuration:

class-map match-all L4VIPCLASS
  2 match virtual-address X.X.X.X tcp eq www

policy-map type loadbalance http first-match WEB_POLICY
  class class-default
    sticky-serverfarm app-ipstky
    insert-http x-forward header-value "%is"

policy-map multi-match VIPs
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy WEB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 71

interface vlan 70
  ip address A.A.A.A 255.255.255.0
  alias B.B.B.B 255.255.255.0
  peer ip address C.C.C.C 255.255.255.0
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown

Regards,

Hi,

You need to create more class-maps to match whatever services you load-balance. These can then be added to the existing policy-map. For example:

class-map match-any L4VIPCLASS
  2 match virtual-address 10.199.253.188 tcp eq 636
class-map match-any L4VIPCLASS-389
  2 match virtual-address 10.199.253.188 tcp eq 389
class-map match-any L4VIPCLASS-636
  2 match virtual-address 10.199.253.187 tcp eq 636
class-map match-any L4VIPCLASS-Auth
  2 match virtual-address 10.199.253.185 tcp eq 636
class-map match-any L4VIPCLASS-Auth-389
  2 match virtual-address 10.199.253.185 tcp eq 389
class-map match-any L4VIPCLASS-Auth-636
  2 match virtual-address 10.199.253.186 tcp eq 636

policy-map multi-match L4POLICY
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-389
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
  class L4VIPCLASS-636
    loadbalance vip inservice
    loadbalance policy LB-POLICY-636
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-Auth
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-389
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
    ssl-proxy server PSERVICE_SERVER
  class L4VIPCLASS-Auth-389
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-389
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
  class L4VIPCLASS-Auth-636
    loadbalance vip inservice
    loadbalance policy LB-POLICY-Auth-636
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 395
    ssl-proxy server PSERVICE_SERVER

HTH

Cathy
