02-16-2010 06:35 PM
Hello,
I am trying to set up a new VIP with two servers and IP Based Sticky Sessions. In following the config guides, I came to a point where it indicated I needed to have a resource class configured with a certain chunk of resources assigned to stickiness. Since all of my previous SLB configs have been done in the Admin context, and I got a message saying that I can't assign the Admin context to an RC, I deduced that I would need to create a new context for this to work. I followed the virtualization config guide, but I am having trouble getting this to work. Currently, the VIP I have defined in the new context is not reachable on port 80 from the firewall which sits in front of the ACE. The same config was working when applied to the Admin context, so I believe this is a problem with the new context. I suspect that I need to configure some sort of policy map to point traffic to this new context, but I haven't been able to find anything in the docs to indicate how to do this. Any help appreciated.
SC5-ACE/Admin# wr t
Generating configuration....
logging enable
logging trap 5
logging buffered 7
resource-class RC1
limit-resource all minimum 20.00 maximum equal-to-min
boot system image:c4710ace-mz.A3_2_3.bin
hostname SC5-ACE
interface gigabitEthernet 1/1
description Management
switchport access vlan 106
no shutdown
interface gigabitEthernet 1/2
description Client-side
speed 1000M
duplex FULL
switchport access vlan 406
no shutdown
interface gigabitEthernet 1/3
description Server-side
speed 1000M
duplex FULL
switchport access vlan 107
no shutdown
interface gigabitEthernet 1/4
shutdown
crypto csr-params CSR_PARAMS_1
country US
state CALIFORNIA
locality SAN MATEO
organization-name ******
organization-unit SSL ACCELERATOR
common-name ********
serial-number 1001
email *********
access-list ALL line 8 extended permit ip any any
probe tcp http
description check http port
port 80
interval 5
passdetect interval 10
open 1
probe tcp tomcat
description check tomcat port
port 8080
interval 5
passdetect interval 10
open 1
rserver host msuper
ip address 10.107.0.75
inservice
rserver host sc-ss-1
ip address 10.107.0.120
inservice
rserver host sl9
ip address 10.107.0.52
inservice
rserver host superko
ip address 10.107.0.71
inservice
rserver host vm-beatit-1
ip address 10.107.0.48
inservice
rserver host vm-beatit-2
ip address 10.107.0.49
inservice
rserver host vm-ghero-01
ip address 10.107.0.50
inservice
rserver host vm-ghero-02
ip address 10.107.0.51
inservice
rserver host vm-ghero-03
ip address 10.107.0.55
inservice
rserver host vm-mrc
ip address 10.107.0.65
inservice
rserver host vm-mrc-2
ip address 10.107.0.66
inservice
rserver host vm-mx-test
ip address 10.107.0.41
inservice
rserver host vm-web-01
ip address 10.107.0.33
inservice
rserver host vm-web-05
ip address 10.107.0.72
inservice
rserver host vm-web-06
ip address 10.107.0.76
inservice
rserver host vm-web-07
ip address 10.107.0.77
inservice
rserver host vm-wsop3i-1
ip address 10.107.0.62
inservice
rserver host vm-wsop3i-2
ip address 10.107.0.63
inservice
rserver host vm-wsop3i-3
ip address 10.107.0.64
inservice
rserver host vm-wsop3i-4
ip address 10.107.0.67
inservice
rserver host wsop3-stage
ip address 10.107.0.60
inservice
serverfarm host beatit
probe tomcat
rserver vm-beatit-1 8080
inservice
rserver vm-beatit-2 8080
inservice
serverfarm host ghero
probe tomcat
rserver vm-ghero-01 8080
inservice
rserver vm-ghero-02 8080
inservice
rserver vm-ghero-03 8080
inservice
serverfarm host gam.com
probe http
rserver vm-web-01 80
inservice
rserver vm-web-05 80
inservice
serverfarm host m
rserver msuper 80
inservice
serverfarm host mrc
probe tomcat
rserver vm-mrc 8080
inservice
rserver vm-mrc-2 8080
inservice
serverfarm host mx
rserver vm-mx-test 25
inservice
serverfarm host sl9
rserver sl9
inservice
serverfarm host sl9-udp
rserver sl9
inservice
serverfarm host spunt.gam.com
probe http
rserver vm-web-06 80
inservice
rserver vm-web-07 80
inservice
serverfarm host superko2
rserver superko 80
inservice
serverfarm host swervenet
probe http
rserver sc-ss-1 80
inservice
serverfarm host wsop3-stage
rserver wsop3-stage 8080
inservice
serverfarm host wsop3i-gm1
probe tomcat
rserver vm-wsop3i-3 8080
inservice
serverfarm host wsop3i-gm2
probe tomcat
rserver vm-wsop3i-4 8080
inservice
serverfarm host wsop3i-statroom
probe tomcat
rserver vm-wsop3i-1 8080
inservice
rserver vm-wsop3i-2 8080
inservice
ssl-proxy service SSL_PSERVICE_SERVER
key MYRSAKEY.PEM
cert MYCERT.PEM
class-map match-any VIP_msuper
2 match virtual-address 10.106.0.8 any
class-map match-any VIP_superko
2 match virtual-address 10.106.0.7 any
class-map match-any beatit
2 match virtual-address 10.106.0.16 tcp eq 8080
class-map match-any ghero
2 match virtual-address 10.106.0.6 tcp eq 8080
class-map match-any glu.com
2 match virtual-address 10.106.0.10 tcp eq www
class-map match-any mrc
2 match virtual-address 10.106.0.11 tcp eq 8080
class-map match-any mrc-ssl
3 match virtual-address 10.106.0.22 tcp eq https
class-map match-any mx
2 match virtual-address 10.106.0.12 tcp eq smtp
class-map type management match-any remote_access
2 match protocol xml-https any
4 match protocol icmp any
5 match protocol telnet any
6 match protocol ssh any
7 match protocol http any
8 match protocol https any
9 match protocol snmp any
class-map match-any sl9
2 match virtual-address 10.106.0.18 tcp eq 8888
class-map match-any sl9-udp
2 match virtual-address 10.106.0.19 udp eq 9876
class-map match-any sprint.glu.com
3 match virtual-address 10.106.0.20 tcp eq www
class-map match-any swervenet
2 match virtual-address 10.106.0.21 tcp eq www
class-map match-any wsop3-stage
2 match virtual-address 10.106.0.15 tcp eq 8080
class-map match-any wsop3i-gm1
2 match virtual-address 10.106.0.13 tcp eq 8080
class-map match-any wsop3i-gm2
2 match virtual-address 10.106.0.17 tcp eq 8080
class-map match-any wsop3i-statroom
2 match virtual-address 10.106.0.14 tcp eq 8080
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VIP_msuper-17slb
class class-default
serverfarm m
policy-map type loadbalance first-match VIP_superko-17slb
class class-default
serverfarm superko2
policy-map type loadbalance first-match beatit-17slb
class class-default
serverfarm beatit
policy-map type loadbalance first-match ghero-l7slb
class class-default
serverfarm ghero
policy-map type loadbalance first-match gam.com-l7slb
class class-default
serverfarm glu.com
policy-map type loadbalance first-match mrc-17slb
class class-default
serverfarm mrc
policy-map type loadbalance first-match mx-17slb
class class-default
serverfarm mx
policy-map type loadbalance first-match sl9-l7slb
class class-default
serverfarm sl9
policy-map type loadbalance first-match sl9-udp-l7slb
class class-default
serverfarm sl9-udp
policy-map type loadbalance first-match spunt.gam.com-l7slb
class class-default
serverfarm sprint.glu.com
policy-map type loadbalance first-match swervenet-17slb
class class-default
serverfarm swervenet
policy-map type loadbalance first-match wsop3-stage-17slb
class class-default
serverfarm wsop3-stage
policy-map type loadbalance first-match wsop3i-gm1-17slb
class class-default
serverfarm wsop3i-gm1
policy-map type loadbalance first-match wsop3i-gm2-17slb
class class-default
serverfarm wsop3i-gm2
policy-map type loadbalance first-match wsop3i-statroom-17slb
class class-default
serverfarm wsop3i-statroom
policy-map multi-match int406
class ghero
loadbalance vip inservice
loadbalance policy ghero-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class VIP_superko
loadbalance vip inservice
loadbalance policy VIP_superko-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class VIP_msuper
loadbalance vip inservice
loadbalance policy VIP_msuper-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class glu.com
loadbalance vip inservice
loadbalance policy gam.com-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class mrc
loadbalance vip inservice
loadbalance policy mrc-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class mx
loadbalance vip inservice
loadbalance policy mx-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class wsop3i-gm1
loadbalance vip inservice
loadbalance policy wsop3i-gm1-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class wsop3i-statroom
loadbalance vip inservice
loadbalance policy wsop3i-statroom-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class wsop3-stage
loadbalance vip inservice
loadbalance policy wsop3-stage-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class beatit
loadbalance vip inservice
loadbalance policy beatit-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class wsop3i-gm2
loadbalance vip inservice
loadbalance policy wsop3i-gm2-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class sl9
loadbalance vip inservice
loadbalance policy sl9-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class sl9-udp
loadbalance vip inservice
loadbalance policy sl9-udp-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class sprint.glu.com
loadbalance vip inservice
loadbalance policy spunt.gam.com-l7slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class swervenet
loadbalance vip inservice
loadbalance policy swervenet-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
class mrc-ssl
loadbalance vip inservice
loadbalance policy mrc-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
ssl-proxy server SSL_PSERVICE_SERVER
interface vlan 106
ip address 10.106.0.131 255.255.255.128
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 107
ip address 10.107.0.2 255.255.255.0
access-group input ALL
nat-pool 1 10.107.0.254 10.107.0.254 netmask 255.255.255.255 pat
no shutdown
interface vlan 406
ip address 10.106.0.2 255.255.255.128
mac-sticky enable
access-group input ALL
service-policy input int406
no shutdown
ip route 10.105.0.0 255.255.255.0 10.106.0.130
ip route 192.168.0.0 255.255.0.0 10.107.0.1
ip route 10.0.0.0 255.0.0.0 10.107.0.1
ip route 0.0.0.0 0.0.0.0 10.106.0.130
context appdev
description app dev
member RC1
SC5-ACE/appdev# wr t
Generating configuration....
access-list ALL line 8 extended permit ip any any
probe tcp http
description check http port
port 80
interval 5
passdetect interval 10
open 1
rserver host vm-fbdev-1
ip address 10.107.0.82
inservice
rserver host vm-fbdev-2
ip address 10.107.0.83
inservice
serverfarm host rockmania-stage
probe http
rserver vm-fbdev-1 80
inservice
rserver vm-fbdev-2 80
inservice
sticky ip-netmask 255.255.255.0 address source GROUP1
timeout 720
timeout activeconns
serverfarm rockmania-stage
class-map match-any rockmania-stage
2 match virtual-address 10.106.0.23 tcp eq www
policy-map type loadbalance first-match rockmania-stage-17slb
class class-default
sticky-serverfarm GROUP1
policy-map multi-match int406
class rockmania-stage
loadbalance vip inservice
loadbalance policy rockmania-stage-17slb
loadbalance vip icmp-reply active
nat dynamic 1 vlan 107
interface vlan 107
02-16-2010 06:44 PM
Hi,
It sounds like you are looking to allocate a VLAN to a content.
The ACE uses class maps and policy maps to classify (filter) traffic and direct it to different interfaces (VLANs) using a service policy. A context uses VLANs to receive packets classified for that VLAN. You allocate one or more existing VLANs on which a user context can receive packets by using the allocate-interface command in context configuration mode in the Admin context.
02-16-2010 07:36 PM
I've done that already, but I removed the allocate statements for
troubleshooting and forgot to put them back in. It makes no difference. Any
other ideas?
02-16-2010 07:43 PM
I don't see any information under the interface vlan for the new context. Was it just left off of the paste into the message?
Eric Rose
Consulting Systems Engineering
Data Center Commercial East
-- Mobile Mail -- sorry for any typos. Thanks
02-16-2010 07:52 PM
No, that interface line in the appdev context was added automatically when I
added the policy map config, presumably from the nat command.
02-16-2010 08:01 PM
Since each context is unique, you still need an interface vlan 107 for that context with an IP address, service policy, no shut, etc...
02-16-2010 08:39 PM
I read that it's possible to share a vlan between contexts which is what I'm
trying to do.
02-17-2010 12:24 AM
vlan sharing means you can configure the same vlan on multiple contexts.
But you still need to explicitly configure the vlan and add a different ip to each context.
You should see a context as a separate device with absolutely no information about the other devices/contexts.
Gilles.
02-17-2010 11:17 AM
Interesting. The virtualization config guide doesn't mention anything about that. Do I still need the allocate-interface statements in the admin context? And do I need to configure a physical interface also, or just the vlan?
02-17-2010 11:29 AM
The allocate-interface command tells the admin content to allocate that vlan to another content. The other content logically now sees that vlan. You then need to configure that content to add an interface on that vlan, etc...
Eric Rose
02-17-2010 11:34 AM
I assume you mean context not content? And do I need to configure a new physical interface? This is a live system so I don't want to play around too much.
Thanks for the help.
02-17-2010 11:41 AM
Sorry - yes I mean context.
How you get the vlans into the ACE (admin context) doesn't make a difference from another context's perspective. The admin context just needs to allocate any vlan over to any other context. Then that context can now see the vlan and can use the vlans.
Eric Rose
02-17-2010 12:22 PM
Got it working, just needed to define the VLANs on different IPs in the new context. I guess the docs assume you would know this already. Thanks for the help.
02-17-2010 12:42 PM
Glad to hear that it is working.
Eric Rose
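
The fix the thread arrives at, written out as an added example (it is not part of any poster's message and not the original poster's final configuration): the Admin context allocates both shared VLANs to appdev, and appdev defines its own interfaces on them. The addresses 10.106.0.3, 10.107.0.3 and 10.107.0.253 are constructed placeholders that must be unused on the real network, and the default route is an assumption copied from the Admin configuration above. Lines beginning with `!` are annotations for the reader, not ACE commands.

```text
! ---- In the Admin context -------------------------------------------
! Make VLANs 107 and 406 visible to the appdev context.
context appdev
  description app dev
  allocate-interface vlan 107
  allocate-interface vlan 406
  member RC1

! ---- In the appdev context ------------------------------------------
! Client-side VLAN, shared with Admin. The context needs its own IP
! (placeholder 10.106.0.3; Admin already uses 10.106.0.2) and its own
! service-policy, otherwise the VIP 10.106.0.23 is never classified.
interface vlan 406
  ip address 10.106.0.3 255.255.255.128
  access-group input ALL
  service-policy input int406
  no shutdown

! Server-side VLAN, shared with Admin. "nat dynamic 1 vlan 107" in the
! int406 policy map refers to nat-pool 1 on this interface, so the pool
! must be defined here too. Placeholder pool address 10.107.0.253 is
! chosen to differ from the Admin pool (10.107.0.254).
interface vlan 107
  ip address 10.107.0.3 255.255.255.0
  access-group input ALL
  nat-pool 1 10.107.0.253 10.107.0.253 netmask 255.255.255.255 pat
  no shutdown

! Assumption: routes are per context, so the default route toward the
! firewall is repeated here rather than inherited from Admin.
ip route 0.0.0.0 0.0.0.0 10.106.0.130
```

Because a context shares no state with Admin, the ACL, NAT pool and route all have to exist inside appdev itself. The ALL access list from the thread permits any IP traffic, so a narrower list covering only the VIP port can be applied on VLAN 406 instead.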