Cisco ACE: Basic L3 load balancing

Giorgio Romano
Level 1

Hello everyone,

I need to balance L3 (routing) traffic using a Cisco ACE 4710 appliance with an "A3(2.5)" system version.

My rservers are some BlueCoat Proxy-SG in "proxy-transparent" mode.

My question is: is Cisco ACE able to balance basic L3 traffic?

I followed this tutorial found on docwiki.cisco.com, but I cannot solve my problem.

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

Can someone help me?

Thank you in advance

Giorgio

david.stout
Level 1

Can you attach your config so we can see what you have done and if there is something wrong?

Hi,

So, here is the configuration I've applied on the ACE:

access-list VLAN-2 line 8 extended permit ip any any
access-list VLAN-3 line 8 extended permit ip any any

rserver host Server-A
  ip address 192.168.6.132
  probe testa-tcp-Server-A
  inservice
rserver host Server-B
  ip address 192.168.6.133
  probe testa-tcp-Server-B
  inservice
rserver host Server-C
  ip address 192.168.6.134
  probe testa-tcp-Server-C
  inservice

serverfarm host serverefarm-TRANSPARENT-PROXY
  rserver Server-A
    inservice
  rserver Server-B
    inservice
  rserver Server-C
    inservice

class-map match-all vip-prova-transpa
  2 match virtual-address 192.168.6.78 any

policy-map type loadbalance first-match policy-transparent
  class class-default
    serverfarm serverefarm-TRANSPARENT-PROXY

policy-map multi-match bilancia-transparent
  class vip-prova-transpa
    loadbalance vip inservice
    loadbalance policy policy-transparent

interface vlan 2
  ip address 192.168.6.70 255.255.255.224
  alias 192.168.6.72 255.255.255.224
  peer ip address 192.168.6.71 255.255.255.224
  access-group input VLAN-532
  service-policy input bilancia-transparent
  no shutdown

interface vlan 3
  ip address 192.168.6.130 255.255.255.240
  alias 192.168.6.129 255.255.255.240
  peer ip address 192.168.6.131 255.255.255.240
  access-group input VLAN-3
  no shutdown

The router has as next-hop the VIP created with the class-map named "vip-prova-transpa".

The service policy is active and the Vserver IP (192.168.6.78) is issued, but it doesn't seem to receive the L3 traffic from the router.

Thank you for every answer!

Giorgio Romano

Hi Giorgio,

Seems to me you are trying to do transparent load-balancing in a wrong way. With this config the ACE is expecting traffic destined to VIP 192.168.6.78. However, the concept of transparent LB is based on the fact that you have to load-balance connections to any destination. Therefore, what you actually need is a "catch-all" VIP:

class-map match-all vip-prova-transpa
  2 match virtual-address 0.0.0.0 0.0.0.0

Also, the serverfarm needs to be transparent (ACE should not change the destination IP to the rserver IP):

serverfarm host serverefarm-TRANSPARENT-PROXY
  transparent

You should also point your router to the ACE alias address 192.168.6.72 on vlan2. You might also need to enable mac-sticky on your interfaces and some other features depending on your L2 topology and design requirements.

Ivan
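
A small offline check for the two corrections in the reply above (catch-all VIP, transparent serverfarm), added here as an example and not part of the original thread. The function names are hypothetical, the sample is a constructed, trimmed copy of the posted config, and it assumes every VIP class-map and host serverfarm in the input belongs to the transparent-proxy service.

```python
import re

# Constructed sample: the relevant stanzas of the configuration posted in the thread.
ORIGINAL = """\
serverfarm host serverefarm-TRANSPARENT-PROXY
  rserver Server-A
    inservice
class-map match-all vip-prova-transpa
  2 match virtual-address 192.168.6.78 any
policy-map type loadbalance first-match policy-transparent
  class class-default
    serverfarm serverefarm-TRANSPARENT-PROXY
policy-map multi-match bilancia-transparent
  class vip-prova-transpa
    loadbalance vip inservice
    loadbalance policy policy-transparent
"""
# The same stanzas with the two corrections from the reply applied.
CORRECTED = (ORIGINAL
    .replace("192.168.6.78 any", "0.0.0.0 0.0.0.0")
    .replace("PROXY\n  rserver", "PROXY\n  transparent\n  rserver"))

def stanzas(config):
    """Group the config into {top-level line: [stripped indented lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                out[current].append(line.strip())
        else:
            current = line.strip()
            out[current] = []
    return out

def check_transparent_lb(config):
    """Return findings for a VIP that is not catch-all or a non-transparent farm."""
    findings = []
    for head, body in stanzas(config).items():
        name = head.split()[-1]
        if head.startswith("class-map"):
            for child in body:
                m = re.match(r"(?:\d+\s+)?match virtual-address (\S+)(?: (\S+))?", child)
                if m and (m.group(1), m.group(2)) != ("0.0.0.0", "0.0.0.0"):
                    findings.append(f"{name}: VIP {m.group(1)} is not the catch-all 0.0.0.0 0.0.0.0")
        elif head.startswith("serverfarm host") and "transparent" not in body:
            findings.append(f"{name}: serverfarm is missing 'transparent'")
    return findings
```
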

Giorgio Romano
Level 1

Hi Ivan,

thank you for your answer.

As soon as possible I'm gonna apply your configuration to the ACE.

I'll keep you posted.

Thank you

Giorgio

I understand the ACE config.  If two transparent proxies are used behind the ACE bridging two vlans, how do you prevent spanning-tree from blocking one port and have traffic flowing through both proxies?

The ACE is not bridging the two vlans

Hi Ivan,

It works, but in the class-map named "vip-prova-transpa" I had to enter the string "0.0.0.0" in the virtual IP address mask field.

Without this string it doesn't work.

Thank you very much, Ivan!

Giorgio Romano

Ah, my mistake... "match virtual-address 0.0.0.0 0.0.0.0" is correct config.

I am glad it is working now. Please mark the thread as "Answered".

I am confused about the subnet masks he used on the two vlans. We are trying to do this with a /24 network. The client will be 192.168.200.10 and have to pass through the ACE -> Proxy -> 192.168.200.1 (gateway). Did he just pick 2 subnet masks that are inside of the /24 subnet?

In this case the ACE is in routed mode, and we could use any IP addresses on its interfaces (like 1.1.1.1 and 10.10.10.10).

In your case, if all the devices need to be L2 between the client and the DG, then ACE needs to be in bridged mode. The config stays as it is shown above (with my corrections), except the interface part:

interface vlan 2
  bridge-group 1
  access-group input VLAN-532
  service-policy input bilancia-transparent
  no shutdown

interface vlan 3
  bridge-group 1
  access-group input VLAN-3
  no shutdown

interface bvi 1
  ip address 192.168.200.x 255.255.255.0
  no shutdown

Of course, real server IPs also need to be from 192.168.200.0/24 subnet.

Now for all this to work, we need to do a trick: for the clients, the DG needs to be the ACE BVI address 192.168.200.x. This is because the clients need to send the packet with the destination MAC address of the ACE. After that ACE creates a connection and load-balances the packet to one of the proxy-servers and sends the packet with the destination MAC address of the proxy-server where the connection is load-balanced. After this the transparent proxy-server should do its thing and forward the packet with the destination MAC address of the real DG 192.168.200.1. During this whole process the packet's source and destination IPs are unchanged.

Done!!

Thank you very much again

Giorgio Romano
