Cisco ACE 4710 configuration help

kamalbabu
Level 1

Hi,

Greetings. I can see Mr Siva is helping a lot on the discussions. Thank you so much for your contributions.

We have configured a Cisco ACE 4710 LB in our environment. One leg of the LB goes to the firewall for the client side and the other leg is connected to the servers for server-side connectivity.

internet
   |
   |
firewall ------- LB
  |                    |
  |                    |
________________
             |
Server farm

We have the following queries which need your expert advice:

1> The HTTP connection to the server is working as expected, but not HTTPS.

2> Also, we need the best practices which need to be followed to protect the ACE 4710 from the external world.

3> Please find the configuration below. Also, is it mandatory to configure a context on the ACE 4710? Is it necessary in our environment?

4> When we enable a probe, the server farm becomes inactive and goes out of service. What is a probe used for and how can we use them effectively?

interface gigabitEthernet 1/1
  description ***** Connected to ASA5505 FW Ethernet 2 ****
  switchport access vlan 200
  no shutdown
interface gigabitEthernet 1/2
  description ***** Connected to Server FARM LAN ****
  switchport access vlan 300
  no shutdown

rserver host RS_1
  ip address 192.168.10.10
  inservice
rserver host RS_2
  ip address 192.168.10.11
  inservice


serverfarm host SF_T
  description **** Server Farm ****
  rserver RS_1
    inservice
  rserver RS_2
    inservice

class-map type management match-any REMOTE_ACCESS
  description Remote Access Traffic Match
  201 match protocol ssh any
  202 match protocol https any
  203 match protocol icmp any
  204 match protocol http any
class-map match-all VIP
  2 match virtual-address 10.10.10.10 any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match PM_LB
  class class-default
    serverfarm SF_T

policy-map multi-match PM_multi_match
  class VIP
    loadbalance vip inservice
    loadbalance policy PM_LB
    loadbalance vip icmp-reply active

interface vlan 200
  description Client & Management connectivity on VLAN 200
  ip address 10.10.10.2 255.255.255.0
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input PM_multi_match
  no shutdown
interface vlan 300
  description Server Server connectivity on VLAN 300
  ip address 192.168.10.2 255.255.255.0
  access-group input ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.10.1

2 Replies

TIM JUDGE
Level 1

Hello, can you confirm which mode you are in? Are you in bridged mode?

Kanwaljeet Singh
Cisco Employee

Hi Kamal,

1) Are your servers listening for HTTPS? If yes, then it should work fine. You are matching on ANY, and traffic coming in on any port will be forwarded to the real server without changing the destination port.

2) From the external world, for security you already have a firewall in place and you can restrict traffic there for the load balancer. Also, refer to the LB security guide for more information, e.g. on TCP normalization.

3) It is not necessary to configure "contexts"; you can use the Admin context. More contexts may be needed in future depending upon the requirements.

4) What is the probe configuration that you are using? Does it fail even when you use ICMP? More can be said by knowing what kind of probe configuration is being used.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
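As an added example, not part of Kamal's post or Kanwal's reply, the fragment below shows how the posted configuration looks with per-port VIPs, per-service health probes and source-restricted management access, which covers points 1, 2 and 4 above. It assumes the servers listen on TCP 80 and 443, that 192.168.10.0/24 is the admin subnet, and that it replaces the existing `class VIP` (any) entry in PM_multi_match and the REMOTE_MGMT_ALLOW_POLICY applied on the VLAN interfaces.

```cisco
! Added example, not from the original post; "!" lines are commentary.
! SF_T, RS_1/RS_2, PM_LB and 10.10.10.10 come from the post; the probe,
! VIP_* and *_ADMIN names and the 192.168.10.0/24 admin subnet are assumed.
!
! One probe per published service. A probe on a port the server does not
! listen on, or expecting a status it never returns, fails and takes the
! rserver out of service (the symptom described in question 4).
probe tcp PROBE_TCP_443
  port 443
  interval 15
  faildetect 3
  passdetect interval 30
probe http PROBE_HTTP
  port 80
  interval 15
  faildetect 3
  passdetect interval 30
  request method get url /
  expect status 200 299
!
! An rserver stays in service only while every probe on the farm passes.
serverfarm host SF_T
  probe PROBE_HTTP
  probe PROBE_TCP_443
  rserver RS_1
    inservice
  rserver RS_2
    inservice
!
! Match only the ports you intend to publish instead of "any": the ACE
! forwards the client's destination port to the real server unchanged.
class-map match-all VIP_HTTP
  2 match virtual-address 10.10.10.10 tcp eq 80
class-map match-all VIP_HTTPS
  2 match virtual-address 10.10.10.10 tcp eq 443
policy-map multi-match PM_multi_match
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy PM_LB
  class VIP_HTTPS
    loadbalance vip inservice
    loadbalance policy PM_LB
!
! Management: accept SSH/HTTPS from the admin subnet only. Apply this policy
! on the VLAN interfaces in place of REMOTE_MGMT_ALLOW_POLICY (match ... any).
class-map type management match-any REMOTE_ACCESS_ADMIN
  201 match protocol ssh source-address 192.168.10.0 255.255.255.0
  202 match protocol https source-address 192.168.10.0 255.255.255.0
policy-map type management first-match REMOTE_MGMT_ADMIN_POLICY
  class REMOTE_ACCESS_ADMIN
    permit
```

After applying it, `show probe detail` and `show serverfarm SF_T detail` show the per-rserver probe state and the reason an rserver was marked failed, which is the first thing to check when a farm drops to out-of-service after a probe is enabled.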
