09-20-2010 01:11 PM
Hello everyone,
I need to balance L3 (routing) traffic using a Cisco ACE 4710 appliance with a "A3(2.5)" system version.
My rservers are some BlueCoat Proxy-SG in "proxy-transparent" mode.
My question is: is the Cisco ACE able to balance basic L3 traffic?
I followed this tutorial found on docwiki.cisco.com, but I cannot solve my problem.
Can someone help me?
Thank you in advance
Giorgio
09-21-2010 03:25 AM
Can you attach your config so we can see what you have done and if there is something wrong?
10-03-2010 09:34 AM
Hi,
So, here is the configuration I've applied on the ACE:

access-list VLAN-2 line 8 extended permit ip any any
access-list VLAN-3 line 8 extended permit ip any any

rserver host Server-A
  ip address 192.168.6.132
  probe testa-tcp-Server-A
  inservice
rserver host Server-B
  ip address 192.168.6.133
  probe testa-tcp-Server-B
  inservice
rserver host Server-C
  ip address 192.168.6.134
  probe testa-tcp-Server-C
  inservice

serverfarm host serverefarm-TRANSPARENT-PROXY
  rserver Server-A
    inservice
  rserver Server-B
    inservice
  rserver Server-C
    inservice

class-map match-all vip-prova-transpa
  2 match virtual-address 192.168.6.78 any

policy-map type loadbalance first-match policy-transparent
  class class-default
    serverfarm serverefarm-TRANSPARENT-PROXY

policy-map multi-match bilancia-transparent
  class vip-prova-transpa
    loadbalance vip inservice
    loadbalance policy policy-transparent

interface vlan 2
  ip address 192.168.6.70 255.255.255.224
  alias 192.168.6.72 255.255.255.224
  peer ip address 192.168.6.71 255.255.255.224
  access-group input VLAN-532
  service-policy input bilancia-transparent
  no shutdown
interface vlan 3
  ip address 192.168.6.130 255.255.255.240
  alias 192.168.6.129 255.255.255.240
  peer ip address 192.168.6.131 255.255.255.240
  access-group input VLAN-3
  no shutdown

The router has got as next-hop the VIP created with the class-map named "vip-prova-transpa".
The service policy is active and the Vserver IP (192.168.6.78) is issued but it doesn't seem to receive the L3 traffic from the router.
Thank you for every answer!
Giorgio Romano
10-03-2010 03:48 PM
Hi Giorgio,
Seems to me you are trying to do transparent load-balancing in a wrong way. With this config the ACE is expecting traffic destined to VIP 192.168.6.78. However, the concept of transparent LB is based on the fact that you have to load-balance connections to any destination. Therefore, what you actually need is a "catch-all" VIP:

class-map match-all vip-prova-transpa
  2 match virtual-address 0.0.0.0 0.0.0.0

Also, the serverfarm needs to be transparent (ACE should not change the destination IP to the rserver IP):

serverfarm host serverefarm-TRANSPARENT-PROXY
  transparent

You should also point your router to the ACE alias address 192.168.6.72 on vlan2. You might also need to enable mac-sticky on your interfaces and some other features depending on your L2 topology and design requirements.
Ivan
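An offline check for the two corrections in the reply above, added here as an example (not part of any poster's message and not Cisco tooling): it flags a serverfarm without `transparent` and a VIP class-map that is not `0.0.0.0 0.0.0.0`. The function names and the keyword-based block splitting are assumptions; the sample config is constructed from lines quoted in the thread.

```python
import re

# Constructed sample: class-map and serverfarm from the first post, unindented.
ORIGINAL = """\
serverfarm host serverefarm-TRANSPARENT-PROXY
rserver Server-A
inservice
class-map match-all vip-prova-transpa
2 match virtual-address 192.168.6.78 any
policy-map type loadbalance first-match policy-transparent
class class-default
serverfarm serverefarm-TRANSPARENT-PROXY
"""
# The same sample with the two corrections from the reply applied.
CORRECTED = ORIGINAL.replace(
    "TRANSPARENT-PROXY\nrserver", "TRANSPARENT-PROXY\ntransparent\nrserver", 1
).replace("192.168.6.78 any", "0.0.0.0 0.0.0.0")

# Statements that open a top-level block; indentation is not relied on.
BLOCK_START = re.compile(
    r"^(serverfarm host|class-map|policy-map|rserver host|interface|access-list)\b")

def split_blocks(config):
    """Group config lines under the top-level statement that opens them."""
    blocks = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if BLOCK_START.match(line) or not blocks:
            blocks.append([line])
        else:
            blocks[-1].append(line)
    return blocks

def lint_transparent_lb(config):
    """Return findings for the two mistakes discussed in the thread."""
    findings = []
    for head, *body in split_blocks(config):
        if head.startswith("serverfarm host ") and "transparent" not in body:
            findings.append(f"{head.split()[2]}: serverfarm is not 'transparent'")
        if head.startswith("class-map "):
            for line in body:
                m = re.search(r"match virtual-address (\S+)(?: (\S+))?", line)
                if m and m.groups() != ("0.0.0.0", "0.0.0.0"):
                    findings.append(f"{head.split()[-1]}: VIP {m.group(1)} is not catch-all")
    return findings
```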
10-04-2010 04:37 AM
Hi Ivan,
thank you for your answer.
As soon as possible I'm gonna apply your configuration to the ACE.
I'll keep you posted.
Thank you
Giorgio
10-05-2010 06:01 AM
I understand the ACE config. If two transparent proxies are used behind the ACE bridging two vlans, how do you prevent spanning-tree from blocking one port and have traffic flowing through both proxies?
10-05-2010 06:08 AM
The ACE is not bridging the two vlans
10-07-2010 01:48 AM
Hi Ivan,
It works, but in the class-map named "vip-prova-transpa" I had to enter the string "0.0.0.0" in the virtual ip-address mask field.
Without this string it doesn't work.
Thank you very much, Ivan!
Giorgio Romano
10-07-2010 02:17 AM
Ah, my mistake... "match virtual-address 0.0.0.0 0.0.0.0" is correct config.
I am glad it is working now. Please mark the thread as "Answered".
10-07-2010 05:21 AM
I am confused about the subnet masks he used on the two vlans. We are trying to do this with a /24 network. The client will be 192.168.200.10 and have to pass through the ACE -> Proxy -> 192.168.200.1 (gateway). Did he just pick 2 subnet masks that are inside of the /24 subnet?
10-07-2010 12:36 PM
In this case the ACE is in routed mode, and we could use any IP addresses on its interfaces (like 1.1.1.1 and 10.10.10.10).
In your case, if all the devices need to be L2 between the client and the DG, then ACE needs to be in bridged mode. The config stays as it is shown above (with my corrections), except the interface part:

interface vlan 2
  bridge-group 1
  access-group input VLAN-532
  service-policy input bilancia-transparent
  no shutdown
interface vlan 3
  bridge-group 1
  access-group input VLAN-3
  no shutdown
interface bvi 1
  ip address 192.168.200.x 255.255.255.0
  no shutdown

Of course, real server IPs also need to be from 192.168.200.0/24 subnet.
Now for all this to work, we need to do a trick: for the clients, the DG needs to be the ACE BVI address 192.168.200.x. This is because the clients need to send the packet with the destination MAC address of the ACE. After that ACE creates a connection and load-balances the packet to one of the proxy-servers and sends the packet with the destination MAC address of the proxy-server where the connection is load-balanced. After this the transparent proxy-server should do its thing and forward the packet with the destination MAC address of the real DG 192.168.200.1. During this whole process the packet's source and destination IPs are unchanged.
10-08-2010 12:24 AM
done!!
thank you very much again
Giorgio Romano