load balancing FTP/HTTP on same VIP

Answered Question
Jan 29th, 2010

Hi,

Please could someone confirm if it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?

class-map match-any WCVS
  2 match virtual-address 20.0.0.1 tcp eq www
  4 match virtual-address 20.0.0.1 tcp eq ftp

policy-map multi-match int3
  class WCVS
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
    nat dynamic 5 vlan 20

int vl20
  service-policy input int3

Sean Merrow Mon, 02/01/2010 - 06:01

Hello Muhammad,

Two points on your config:

  1. It is recommended to perform protocol inspection (i.e. inspect ftp) only on the required protocol, so it is better to separate them out.
  2. Your config requirement is a bit more complex than normal due to the client NAT and the one-armed design.

I would recommend trying this with the following config.  This way, both the FTP and HTTP will be source-NAT'd as desired, then the passive FTP data channel will also be NAT'd.  This config will likely be required if you are using passive FTP.

class-map match-any WCVS-WWW
  2 match virtual-address 20.0.0.1 tcp eq www
class-map match-any WCVS-FTP
  2 match virtual-address 20.0.0.1 tcp eq ftp
class-map match-all NAT-VIP
  2 match destination-address 20.0.0.1 255.255.255.255

policy-map type loadbalance first-match VS-l7slb
  class class-default
    serverfarm SERVERS

policy-map multi-match int3
  class WCVS-WWW
    loadbalance vip inservice
    loadbalance policy VS-l7slb
  class WCVS-FTP
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 20

int vl20
  service-policy input int3

Don't forget that your VLAN interface will also need an ACL applied that will permit the traffic to this VIP.

Hope this helps,

Sean
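The data-channel NAT Sean describes above is what `inspect ftp` has to do on the wire: FTP carries IP addresses and ports inside the control channel (the server's `227` reply to PASV, the client's `PORT` command in active mode), so a load balancer that NATs the control connection must rewrite those fields and open a pinhole for the resulting data connection. The Python below is an added example, not ACE code and not from the thread: it performs the two rewrites on constructed sample messages, and `live_check` logs in through a VIP, issues PASV and verifies that the advertised data endpoint is the VIP and actually accepts a connection. The sample messages, the VIP 10.10.10.100 used as an example, and the anonymous credentials in `live_check` are all assumptions.

```python
"""Added example: the control-channel rewrites an FTP fixup such as the ACE's
'inspect ftp' performs, plus a client-side check that a VIP is doing them.
Not ACE code; all sample messages below are constructed."""
import socket
from ftplib import FTP

# Constructed sample messages: a PASV reply as the real server sends it, the
# same reply after the fixup substituted the VIP, and an active-mode PORT
# command carrying the client's pre-NAT address.
SAMPLE_PASV_RAW = "227 Entering Passive Mode (10,10,10,10,195,80)."
SAMPLE_PASV_FIXED = "227 Entering Passive Mode (10,10,10,100,195,80)."
SAMPLE_PORT_RAW = "PORT 192,168,1,50,4,1"


def _decode(hp):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), validating each field."""
    parts = [int(x) for x in hp.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad host-port field: {hp!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def _encode(ip, port):
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def parse_pasv(reply):
    """Extract (ip, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    if not reply.startswith("227") or "(" not in reply or ")" not in reply:
        raise ValueError(f"not a PASV reply: {reply!r}")
    return _decode(reply[reply.index("(") + 1:reply.index(")")])


def parse_port(cmd):
    """Extract (ip, port) from an active-mode 'PORT h1,h2,h3,h4,p1,p2' command."""
    verb, _, field = cmd.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {cmd!r}")
    return _decode(field)


def rewrite_pasv(reply, vip):
    """Server->client fixup: advertise the VIP instead of the real server IP.
    The port is left alone; the inspector opens a pinhole for it."""
    ip, port = parse_pasv(reply)
    return reply.replace(_encode(ip, port), _encode(vip, port), 1)


def rewrite_port(cmd, nat_ip, nat_port):
    """Client->server fixup under source NAT/PAT: the client's private address
    and its chosen port are both replaced by the translated pair."""
    parse_port(cmd)                      # validate before rewriting
    return f"PORT {_encode(nat_ip, nat_port)}"


def classify_pasv(reply, vip):
    """('ok'|'leak', ip, port): 'leak' means the reply still carries an address
    other than the VIP, i.e. the fixup was not applied on this path."""
    ip, port = parse_pasv(reply)
    return ("ok" if ip == vip else "leak"), ip, port


def live_check(vip, user="anonymous", password="probe@example.invalid", timeout=5.0):
    """Log in through the VIP, ask for PASV, and verify both the advertised
    address and that the data port accepts a connection (pinhole open).
    Hypothetical credentials; point it only at a VIP you are allowed to test."""
    with FTP() as ftp:
        ftp.connect(vip, 21, timeout=timeout)
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")
        status, ip, port = classify_pasv(reply, vip)
        reachable = False
        if status == "ok":
            try:
                with socket.create_connection((ip, port), timeout=timeout):
                    reachable = True
            except OSError:
                pass
    return {"reply": reply, "status": status, "data": (ip, port), "data_reachable": reachable}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))          # e.g. python ftp_vip_check.py 10.10.10.100
    else:
        print(classify_pasv(SAMPLE_PASV_RAW, "10.10.10.100"), rewrite_pasv(SAMPLE_PASV_RAW, "10.10.10.100"))
```

A `leak` result means the real server address (10.10.10.10 in the sample) reached the client unchanged, which both breaks passive transfers and discloses internal addressing; an `ok` with `data_reachable` false points at the pinhole (or at the optional `tcp range` class line discussed below) rather than at the address rewrite.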

Muhammad Khan Mon, 02/01/2010 - 09:55

Hi Sean,

Thank you for your reply.

I have tested the config. The HTTP part seems to be working well but FTP is failing. When I try to establish an FTP connection I get a "Connected" message but nothing beyond:

C:\>ftp www.xxx.com
Connected to www.xxx.com.

I have attached device config if you get a chance to review.

Correct Answer
Sean Merrow Mon, 02/01/2010 - 10:53

Hello,

I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used.  The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP.  Below is your config with some modifications.  I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map.  There is one line that I would like you to remove and see if it works.  If it does not, then add this line and see if it works.

Let me know how it goes...

logging enable
logging buffered 6

access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any

probe http Probe_HTTP
  interval 5
  passdetect interval 60
  expect status 200 200
  open 2
  receive 2

probe tcp Probe_FTP
  port 21
  interval 5
  passdetect interval 60
  open 2
  receive 2

rserver host Server1
  ip address 10.10.10.10
  conn-limit max 4000000 min 4000000
  inservice
rserver host Server2
  ip address 10.10.10.11
  conn-limit max 4000000 min 4000000
  inservice

serverfarm host FARM-HTTP
  probe Probe_HTTP
  rserver Server1 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2 80
    conn-limit max 4000000 min 4000000
    inservice

serverfarm host FARM-FTP
  probe Probe_FTP
  rserver Server1
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2
    conn-limit max 4000000 min 4000000
    inservice

sticky http-cookie XXX_tempCookie XXX_tempCookie
  cookie insert
  serverfarm FARM-HTTP


class-map type management match-any Management
  201 match protocol http any
  202 match protocol https any
  203 match protocol icmp any
  204 match protocol kalap-udp any
  205 match protocol ssh any
  206 match protocol telnet any
  207 match protocol xml-https any

class-map match-any XXX-WCVS-WWW
  2 match virtual-address 10.10.10.100 tcp eq www

class-map match-any XXX-WCVS-FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp
  3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this

class-map match-any NAT-VIP
  2 match destination-address 10.10.10.100 255.255.255.255

policy-map type management first-match Management
  class Management
    permit

policy-map type loadbalance first-match XXX_VS-l7slb-WWW
  class class-default
    sticky-serverfarm XXX_tempCookie

policy-map type loadbalance first-match XXX_VS-l7slb-FTP
  class class-default
    serverfarm FARM-FTP

policy-map multi-match int3
  class XXX-WCVS-WWW
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-WWW
  class XXX-WCVS-FTP
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-FTP
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 12

interface vlan 12
  ip address 10.10.10.1 255.255.255.0
  alias 10.10.10.3 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  access-group input ALL
  nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
  service-policy input Management
  service-policy input int3
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.254

Muhammad Khan Tue, 02/02/2010 - 07:28

Hi Sean,

Thank you for your reply it works perfect.

It works without range so inspect takes care of Active FTP connection.

  3 match virtual-address 10.10.10.100 tcp range 1023 65535 [Not required]

For the FTP probe I would assume it only checks the successful handshake, as opposed to establishing a TCP connection to the server and then issuing a quit command as it would do in an FTP-type probe?

"A TCP probe makes a connection, and if the connection through a 3-way handshake (SYN, SYN-ACK, and ACK) is successful, the server is marked as passed" [Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]

An FTP probe establishes a TCP connection to the server and then issues a quit command.[Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]

Thank you for your help.

Muhammad.

Sean Merrow Tue, 02/02/2010 - 07:34

Hi Muhammad,

Thanks for the follow-up, and glad to hear it is working.  You are correct about the TCP probe.  I only wanted to get across the idea of using a unique probe for each application.  You would be better off using the FTP probe for the FTP servers, rather than using a TCP probe.

- Sean
