
Setting up IP Based Sticky Sessions on ACE 4710

justin.shields
Level 1

Hello,

I am trying to set up a new VIP with two servers and IP Based Sticky Sessions. In following the config guides, I came to a point where it indicated I needed to have a resource class configured with a certain chunk of resources assigned to stickiness. Since all of my previous SLB configs have been done in the Admin context, and I got a message saying that I can't assign the Admin context to an RC, I deduced that I would need to create a new context for this to work. I followed the virtualization config guide, but I am having trouble getting this to work. Currently, the VIP I have defined in the new context is not reachable on port 80 from the firewall which sits in front of the ACE. The same config was working when applied to the Admin context, so I believe this is a problem with the new context. I suspect that I need to configure some sort of policy map to point traffic to this new context, but I haven't been able to find anything in the docs to indicate how to do this. Any help appreciated.

SC5-ACE/Admin# wr t
Generating configuration....


logging enable
logging trap 5
logging buffered 7

resource-class RC1
  limit-resource all minimum 20.00 maximum equal-to-min

boot system image:c4710ace-mz.A3_2_3.bin

hostname SC5-ACE
interface gigabitEthernet 1/1
  description Management
  switchport access vlan 106
  no shutdown
interface gigabitEthernet 1/2
  description Client-side
  speed 1000M
  duplex FULL
  switchport access vlan 406
  no shutdown
interface gigabitEthernet 1/3
  description Server-side
  speed 1000M
  duplex FULL
  switchport access vlan 107
  no shutdown
interface gigabitEthernet 1/4
  shutdown


crypto csr-params CSR_PARAMS_1
  country US
  state CALIFORNIA
  locality SAN MATEO
  organization-name ******
  organization-unit SSL ACCELERATOR
  common-name ********
  serial-number 1001
  email *********

access-list ALL line 8 extended permit ip any any

probe tcp http
  description check http port
  port 80
  interval 5
  passdetect interval 10
  open 1
probe tcp tomcat
  description check tomcat port
  port 8080
  interval 5
  passdetect interval 10
  open 1

rserver host msuper
  ip address 10.107.0.75
  inservice
rserver host sc-ss-1
  ip address 10.107.0.120
  inservice
rserver host sl9
  ip address 10.107.0.52
  inservice
rserver host superko
  ip address 10.107.0.71
  inservice
rserver host vm-beatit-1
  ip address 10.107.0.48
  inservice
rserver host vm-beatit-2
  ip address 10.107.0.49
  inservice
rserver host vm-ghero-01
  ip address 10.107.0.50
  inservice
rserver host vm-ghero-02
  ip address 10.107.0.51
  inservice
rserver host vm-ghero-03
  ip address 10.107.0.55
  inservice
rserver host vm-mrc
  ip address 10.107.0.65
  inservice
rserver host vm-mrc-2
  ip address 10.107.0.66
  inservice
rserver host vm-mx-test
  ip address 10.107.0.41
  inservice
rserver host vm-web-01
  ip address 10.107.0.33
  inservice
rserver host vm-web-05
  ip address 10.107.0.72
  inservice
rserver host vm-web-06
  ip address 10.107.0.76
  inservice
rserver host vm-web-07
  ip address 10.107.0.77
  inservice
rserver host vm-wsop3i-1
  ip address 10.107.0.62
  inservice
rserver host vm-wsop3i-2
  ip address 10.107.0.63
  inservice
rserver host vm-wsop3i-3
  ip address 10.107.0.64
  inservice
rserver host vm-wsop3i-4
  ip address 10.107.0.67
  inservice
rserver host wsop3-stage
  ip address 10.107.0.60
  inservice


serverfarm host beatit
  probe tomcat
  rserver vm-beatit-1 8080
    inservice
  rserver vm-beatit-2 8080
    inservice
serverfarm host ghero
  probe tomcat
  rserver vm-ghero-01 8080
    inservice
  rserver vm-ghero-02 8080
    inservice
  rserver vm-ghero-03 8080
    inservice
serverfarm host gam.com
  probe http
  rserver vm-web-01 80
    inservice
  rserver vm-web-05 80
    inservice
serverfarm host m
  rserver msuper 80
    inservice
serverfarm host mrc
  probe tomcat
  rserver vm-mrc 8080
    inservice
  rserver vm-mrc-2 8080
    inservice
serverfarm host mx
  rserver vm-mx-test 25
    inservice
serverfarm host sl9
  rserver sl9
    inservice
serverfarm host sl9-udp
  rserver sl9
    inservice
serverfarm host spunt.gam.com
  probe http
  rserver vm-web-06 80
    inservice
  rserver vm-web-07 80
    inservice
serverfarm host superko2
  rserver superko 80
    inservice
serverfarm host swervenet
  probe http
  rserver sc-ss-1 80
    inservice
serverfarm host wsop3-stage
  rserver wsop3-stage 8080
    inservice
serverfarm host wsop3i-gm1
  probe tomcat
  rserver vm-wsop3i-3 8080
    inservice
serverfarm host wsop3i-gm2
  probe tomcat
  rserver vm-wsop3i-4 8080
    inservice
serverfarm host wsop3i-statroom
  probe tomcat
  rserver vm-wsop3i-1 8080
    inservice
  rserver vm-wsop3i-2 8080
    inservice

ssl-proxy service SSL_PSERVICE_SERVER
  key MYRSAKEY.PEM
  cert MYCERT.PEM

class-map match-any VIP_msuper
  2 match virtual-address 10.106.0.8 any
class-map match-any VIP_superko
  2 match virtual-address 10.106.0.7 any
class-map match-any beatit
  2 match virtual-address 10.106.0.16 tcp eq 8080
class-map match-any ghero
  2 match virtual-address 10.106.0.6 tcp eq 8080
class-map match-any glu.com
  2 match virtual-address 10.106.0.10 tcp eq www
class-map match-any mrc
  2 match virtual-address 10.106.0.11 tcp eq 8080
class-map match-any mrc-ssl
  3 match virtual-address 10.106.0.22 tcp eq https
class-map match-any mx
  2 match virtual-address 10.106.0.12 tcp eq smtp
class-map type management match-any remote_access
  2 match protocol xml-https any
  4 match protocol icmp any
  5 match protocol telnet any
  6 match protocol ssh any
  7 match protocol http any
  8 match protocol https any
  9 match protocol snmp any
class-map match-any sl9
  2 match virtual-address 10.106.0.18 tcp eq 8888
class-map match-any sl9-udp
  2 match virtual-address 10.106.0.19 udp eq 9876
class-map match-any sprint.glu.com
  3 match virtual-address 10.106.0.20 tcp eq www
class-map match-any swervenet
  2 match virtual-address 10.106.0.21 tcp eq www
class-map match-any wsop3-stage
  2 match virtual-address 10.106.0.15 tcp eq 8080
class-map match-any wsop3i-gm1
  2 match virtual-address 10.106.0.13 tcp eq 8080
class-map match-any wsop3i-gm2
  2 match virtual-address 10.106.0.17 tcp eq 8080
class-map match-any wsop3i-statroom
  2 match virtual-address 10.106.0.14 tcp eq 8080

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit

policy-map type loadbalance first-match VIP_msuper-17slb
  class class-default
    serverfarm m
policy-map type loadbalance first-match VIP_superko-17slb
  class class-default
    serverfarm superko2
policy-map type loadbalance first-match beatit-17slb
  class class-default
    serverfarm beatit
policy-map type loadbalance first-match ghero-l7slb
  class class-default
    serverfarm ghero
policy-map type loadbalance first-match gam.com-l7slb
  class class-default
    serverfarm glu.com
policy-map type loadbalance first-match mrc-17slb
  class class-default
    serverfarm mrc
policy-map type loadbalance first-match mx-17slb
  class class-default
    serverfarm mx
policy-map type loadbalance first-match sl9-l7slb
  class class-default
    serverfarm sl9
policy-map type loadbalance first-match sl9-udp-l7slb
  class class-default
    serverfarm sl9-udp
policy-map type loadbalance first-match spunt.gam.com-l7slb
  class class-default
    serverfarm sprint.glu.com
policy-map type loadbalance first-match swervenet-17slb
  class class-default
    serverfarm swervenet
policy-map type loadbalance first-match wsop3-stage-17slb
  class class-default
    serverfarm wsop3-stage
policy-map type loadbalance first-match wsop3i-gm1-17slb
  class class-default
    serverfarm wsop3i-gm1
policy-map type loadbalance first-match wsop3i-gm2-17slb
  class class-default
    serverfarm wsop3i-gm2
policy-map type loadbalance first-match wsop3i-statroom-17slb
  class class-default
    serverfarm wsop3i-statroom

policy-map multi-match int406
  class ghero
    loadbalance vip inservice
    loadbalance policy ghero-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class VIP_superko
    loadbalance vip inservice
    loadbalance policy VIP_superko-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class VIP_msuper
    loadbalance vip inservice
    loadbalance policy VIP_msuper-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class glu.com
    loadbalance vip inservice
    loadbalance policy gam.com-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class mrc
    loadbalance vip inservice
    loadbalance policy mrc-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class mx
    loadbalance vip inservice
    loadbalance policy mx-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class wsop3i-gm1
    loadbalance vip inservice
    loadbalance policy wsop3i-gm1-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class wsop3i-statroom
    loadbalance vip inservice
    loadbalance policy wsop3i-statroom-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class wsop3-stage
    loadbalance vip inservice
    loadbalance policy wsop3-stage-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class beatit
    loadbalance vip inservice
    loadbalance policy beatit-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class wsop3i-gm2
    loadbalance vip inservice
    loadbalance policy wsop3i-gm2-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class sl9
    loadbalance vip inservice
    loadbalance policy sl9-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class sl9-udp
    loadbalance vip inservice
    loadbalance policy sl9-udp-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class sprint.glu.com
    loadbalance vip inservice
    loadbalance policy spunt.gam.com-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class swervenet
    loadbalance vip inservice
    loadbalance policy swervenet-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
  class mrc-ssl
    loadbalance vip inservice
    loadbalance policy mrc-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107
    ssl-proxy server SSL_PSERVICE_SERVER

interface vlan 106
  ip address 10.106.0.131 255.255.255.128
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 107
  ip address 10.107.0.2 255.255.255.0
  access-group input ALL
  nat-pool 1 10.107.0.254 10.107.0.254 netmask 255.255.255.255 pat
  no shutdown
interface vlan 406
  ip address 10.106.0.2 255.255.255.128
  mac-sticky enable
  access-group input ALL
  service-policy input int406
  no shutdown

ip route 10.105.0.0 255.255.255.0 10.106.0.130
ip route 192.168.0.0 255.255.0.0 10.107.0.1
ip route 10.0.0.0 255.0.0.0 10.107.0.1
ip route 0.0.0.0 0.0.0.0 10.106.0.130

context appdev
  description app dev
  member RC1

SC5-ACE/appdev# wr t
Generating configuration....

access-list ALL line 8 extended permit ip any any

probe tcp http
  description check http port
  port 80
  interval 5
  passdetect interval 10
  open 1

rserver host vm-fbdev-1
  ip address 10.107.0.82
  inservice
rserver host vm-fbdev-2
  ip address 10.107.0.83
  inservice


serverfarm host rockmania-stage
  probe http
  rserver vm-fbdev-1 80
    inservice
  rserver vm-fbdev-2 80
    inservice

sticky ip-netmask 255.255.255.0 address source GROUP1
  timeout 720
  timeout activeconns
  serverfarm rockmania-stage

class-map match-any rockmania-stage
  2 match virtual-address 10.106.0.23 tcp eq www

policy-map type loadbalance first-match rockmania-stage-17slb
  class class-default
    sticky-serverfarm GROUP1

policy-map multi-match int406
  class rockmania-stage
    loadbalance vip inservice
    loadbalance policy rockmania-stage-17slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 107

interface vlan 107

2 Accepted Solutions

vlan sharing means you can configure the same vlan on multiple contexts.

But you still need to explicitly configure the vlan and add a different ip to each context.

You should see a context as a separate device with absolutely no information about the other devices/contexts.

Gilles.


The allocate-interface command tells the admin content to allocate that vlan to another content. The other content logically now sees that vlan. You then need to configure that content to add an interface on that vlan, etc...

Eric Rose


13 Replies

Eric Rose
Cisco Employee

Hi,

It sounds like you are looking to allocate vlan to a content.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/virtualization/guide/config.html#wp1054866

Configuring a VLAN for a Context

The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces (VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. You allocate one or more existing VLANs on which a user context can receive packets by using the allocate-interface command in context configuration mode in the Admin context.

I've done that already, but I removed the allocate statements for troubleshooting and forgot to put them back in. It makes no difference. Any other ideas?

On Feb 16, 2010 6:44 PM, "erirose"

I don't see any information under the interface vlan for the new context. Was it just left off of the paste into the message?

Eric Rose

Consulting Systems Engineering

Data Center Commercial East

-- Mobile Mail -- sorry for any typos. Thanks

No, that interface line in the appdev context was added automatically when I added the policy map config, presumably from the nat command.

On Feb 16, 2010 7:43 PM, "erirose"

Since each context is unique, you still need an interface vlan 107 for that context with an ip address, service policy, no shut, etc...

I read that it's possible to share a vlan between contexts which is what I'm trying to do.

On Feb 16, 2010 8:01 PM, "erirose"

vlan sharing means you can configure the same vlan on multiple contexts.

But you still need to explicitly configure the vlan and add a different ip to each context.

You should see a context as a separate device with absolutely no information about the other devices/contexts.

Gilles.

Interesting. The virtualization config guide doesn't mention anything about that. Do I still need the allocate-interface statements in the admin context? And do I need to configure a physical interface also, or just the vlan?

The allocate-interface command tells the admin content to allocate that vlan to another content. The other content logically now sees that vlan. You then need to configure that content to add an interface on that vlan, etc...

Eric Rose

I assume you mean context not content?  And do I need to configure a new physical interface?  This is a live system so I don't want to play around too much.

Thanks for the help.

Sorry - yes I mean context.

How you get the vlans into the ACE (admin context) doesn’t make a difference for another context perspective. The admin context just needs to allocate any vlan over to any other context. Then that context can now see the vlan and can use the vlans.

Eric Rose

justin.shields
Level 1

Got it working, just needed to define the vlans on different IPs in the new context. I guess the docs assume you would know this already. Thanks for the help.

Glad to hear that it is working.

Eric Rose
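
The resolution reached in this thread, written out as configuration. This is an added example, not taken from any poster's device: the Admin context allocates both VLANs to `appdev`, and `appdev` then defines its own interfaces on those VLANs with addresses that differ from the Admin context's. The addresses 10.107.0.3, 10.106.0.3 and 10.107.0.253 are placeholders picked from the subnets shown in the Admin config, and lines beginning with `!` are annotations rather than commands.

```cisco
! ---- Admin context ----
! Allocate the shared VLANs to the user context. Without this the
! appdev context cannot see VLAN 107 or VLAN 406 at all.
context appdev
  description app dev
  allocate-interface vlan 107
  allocate-interface vlan 406
  member RC1

! ---- appdev context ----
! Server-side VLAN: its own IP (placeholder, must differ from the
! Admin context's 10.107.0.2) and its own NAT pool, because
! "nat dynamic 1 vlan 107" in policy-map int406 refers to pool 1
! on this interface. The pool address is also a placeholder.
interface vlan 107
  ip address 10.107.0.3 255.255.255.0
  access-group input ALL
  nat-pool 1 10.107.0.253 10.107.0.253 netmask 255.255.255.255 pat
  no shutdown

! Client-side VLAN: its own IP (placeholder, must differ from the
! Admin context's 10.106.0.2). The multi-match policy that holds the
! VIP only takes effect once it is attached with service-policy.
interface vlan 406
  ip address 10.106.0.3 255.255.255.128
  access-group input ALL
  service-policy input int406
  no shutdown
```

Routing for the `appdev` context is not shown because the thread does not say what routes it ended up with; a context does not inherit the Admin context's `ip route` entries.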
