08-26-2015 03:43 AM
Hi,
Greetings. I can see Mr Siva is helping a lot in the discussions. Thank you so much for your contributions.
We have configured a Cisco ACE 4710 LB in our environment. One leg of the LB goes to the firewall for the client side, and the other leg is connected to the servers for server-side connectivity:
    internet
       |
       |
    firewall ------- LB
       |              |
       |              |
       ----------------
              |
         Server farm
We have the following queries which need your expert advice:
1> The HTTP connection to the server is working as expected, but not HTTPS.
2> We also need the best practices that should be followed to protect the ACE 4710 from the external world.
3> Please find the configuration below. Also, is it mandatory to configure a context on the ACE 4710? Is it necessary in our environment?
4> When we enable a probe, the server farm becomes inactive and goes out of service. What is a probe used for, and how can we use probes effectively?
interface gigabitEthernet 1/1
  description ***** Connected to ASA5505 FW Ethernet 2 ****
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  description ***** Connected to Server FARM LAN ****
  switchport access vlan 300
  no shutdown

rserver host RS_1
  ip address 192.168.10.10
  inservice
rserver host RS_2
  ip address 192.168.10.11
  inservice

serverfarm host SF_T
  description **** Server Farm ****
  rserver RS_1
    inservice
  rserver RS_2
    inservice

class-map type management match-any REMOTE_ACCESS
  description Remote Access Traffic Match
  201 match protocol ssh any
  202 match protocol https any
  203 match protocol icmp any
  204 match protocol http any

class-map match-all VIP
  2 match virtual-address 10.10.10.10 any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_T

policy-map multi-match PM_multi_match
  class VIP
    loadbalance vip inservice
    loadbalance policy PM_LB
    loadbalance vip icmp-reply active

interface vlan 200
  description Client & Management connectivity on VLAN 200
  ip address 10.10.10.2 255.255.255.0
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown
interface vlan 300
  description Server Server connectivity on VLAN 300
  ip address 192.168.10.2 255.255.255.0
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1
08-28-2015 06:31 PM
Hello, can you confirm which mode you are in? Are you in bridged mode?
09-01-2015 02:33 PM
Hi Kamal,
1) Are your servers listening for HTTPS? If yes, then it should work fine. You are matching on ANY, and traffic arriving on any port will be forwarded to the real server without changing the destination port.
2) From the external world, for security you already have a firewall in place and you can restrict traffic there for the load balancer. Also, refer to the LB security guide for more information, e.g. TCP normalization.
3) It is not necessary to configure "contexts"; you can use the Admin context. More contexts may be needed in the future depending on the requirements.
4) What is the probe configuration that you are using? Does it fail even when you use ICMP? More can be said once we know what kind of probe configuration is being used.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
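The following is an added example for questions 2 and 4 above; it is not the poster's configuration nor a Cisco-supplied one. It shows an ACE health probe attached to the existing SF_T farm, with the settings that most often make a newly enabled probe fail against every real server, and a management class-map that replaces the `any` source matches with a single admin subnet. The admin subnet 192.168.100.0/24, the probe URL /healthz and the probe names are assumptions; the `access-list ALL` line is assumed because the original post applies `access-group input ALL` without showing its definition.

```cisco
! Added example, not the original poster's configuration.
! Assumed values: admin subnet 192.168.100.0/24, health URL /healthz,
! probe names HTTPS_PROBE and TCP443_PROBE.

! --- 1. Health probe for the HTTPS service ---------------------------------
! The probe issues a real GET and requires a 200 reply. If the servers answer
! "/healthz" with a redirect (302) or an auth challenge (401), every rserver
! fails the probe, and once all rservers have failed the serverfarm is taken
! out of service, which matches the symptom in question 4. Match the
! "expect status" range to what the servers actually return.
probe https HTTPS_PROBE
  interval 10
  faildetect 3
  passdetect interval 30
  passdetect count 2
  receive 5
  ssl version all
  request method get url /healthz
  expect status 200 200

! A bare TCP handshake on 443 has far fewer ways to fail; enable it first to
! confirm the servers are reachable from the VLAN 300 interface (192.168.10.2).
probe tcp TCP443_PROBE
  port 443
  interval 10
  faildetect 3
  passdetect interval 30

! Attach one probe at a time to the existing farm.
serverfarm host SF_T
  description **** Server Farm ****
  probe HTTPS_PROBE
  rserver RS_1
    inservice
  rserver RS_2
    inservice

! --- 2. Management access to the ACE itself --------------------------------
! The posted class-map accepts ssh/https/http/icmp from "any" and is applied
! on the client-facing VLAN 200, so whatever the firewall forwards toward
! 10.10.10.2 can reach the ACE management plane. Limit it to an admin subnet
! and drop cleartext HTTP; ICMP is kept only from the same subnet.
class-map type management match-any REMOTE_ACCESS
  description Admin subnet only, encrypted management protocols only
  201 match protocol ssh source-address 192.168.100.0 255.255.255.0
  202 match protocol https source-address 192.168.100.0 255.255.255.0
  203 match protocol icmp source-address 192.168.100.0 255.255.255.0

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

! An ACE interface without an access-group drops all traffic; "ALL" is used
! in the post but not shown, so an explicit definition is included here.
access-list ALL line 10 extended permit ip any any
```

After attaching a probe, `show probe HTTPS_PROBE detail` reports the last failure reason per real server and `show serverfarm SF_T detail` shows each rserver's state; if both rservers fail for a status mismatch, correct `expect status` (or the URL) rather than removing the probe, since a farm with no probe keeps forwarding to a dead server.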