ACE configuration - VLAN

pbolduc77
Level 1

Hi,

We want to use 2 ACEs for load balancing traffic between 2 services (port 8008) on 2 servers (1 service per server).

We have 3 paths:

Admin = VLAN64

Server side = VLAN64

Client side = VLAN65

We don't want to change the real servers' IP addresses.

Our setup doesn't work right now. We are able to ping the VIP, but the traffic doesn't seem to pass through the ACE (not able to reach the real servers).

Someone told us that we need to have 3 different VLANs... because our setup causes a loop...

Could you help please?

Here is the show run for VC1:

Generating configuration....

logging enable
logging standby
logging timestamp
logging trap 7
logging history 7
logging buffered 3
logging persistent 7
logging device-id context-name
no logging message 251006
no logging message 251010

crypto chaingroup GESTION-CHAIN
crypto csr-params GESTION_2012

access-list PERMIT-ALL remark PERMIT-ALL
access-list PERMIT-ALL line 1 extended permit ip any any
access-list PERMIT-ALL line 2 extended permit icmp any any

probe http APPKIN
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /itg/dashboard/app/portal/PageView.jsp
  expect status 200 200
probe http APPS_LOCAL_LOGIN
  interval 5
  passdetect interval 10
  passdetect count 2
  expect status 200 200

rserver redirect DESOLE-GESTION
  webhost-redirection https://gestion.home.qc/desole/page_redirection_sc.html
  inservice
rserver host SESEGX13
  ip address 172.29.64.135
  inservice
rserver host SESEGX14
  ip address 172.29.64.137
  inservice

serverfarm redirect DESOLE-GESTION
  rserver DESOLE-GESTION
    inservice
serverfarm host GESTION-GKIN05-4420-8008
  description GESTION Environnement GKIN05
  probe APPS_LOCAL_LOGIN
  rserver SESEGX13 8008
    inservice
  rserver SESEGX14 8008
    inservice

parameter-map type http GESTION-PARAM-MAP
  no persistence-rebalance
  length-exceed continue

sticky http-cookie GKIN05-STICK STICKY-GESTION-GKIN05-4420-8008
  cookie insert browser-expire
  replicate sticky
  serverfarm GESTION-GKIN05-4420-8008 backup DESOLE-GESTION
  8 static cookie-value "SESEGX13-8008" rserver SESEGX13 8008
  16 static cookie-value "SESEGX14-8008" rserver SESEGX14 8008

ssl-proxy service GESTION.home.QC
  key GESTION2048-KEY.PEM
  cert GESTION_2012_2048.pem
  chaingroup GESTION-CHAIN

class-map match-all CM-VIP-GESTION-GKIN05-4420-8008
  2 match virtual-address 172.29.240.110 tcp eq 4420
class-map type management match-any remote_access
  2 match protocol icmp any

policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance http first-match PM-LB-GESTION-GKIN05-4420-8008
  class class-default
    sticky-serverfarm STICKY-GESTION-GKIN05-4420-8008
policy-map multi-match VIPS-HTTPS
  class CM-VIP-GESTION-GKIN05-4420-8008
    loadbalance vip inservice
    loadbalance policy PM-LB-GESTION-GKIN05-4420-8008
    loadbalance vip icmp-reply
    appl-parameter http advanced-options GESTION-PARAM-MAP
    ssl-proxy server GESTION.home.QC

interface vlan 64
  description SERVER-SIDE
  ip address 172.29.68.44 255.255.240.0
  alias 172.29.68.46 255.255.240.0
  peer ip address 172.29.68.45 255.255.240.0
  no normalization
  access-group input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 65
  description IC-FIREWALL
  ip address 172.29.240.101 255.255.255.0
  alias 172.29.240.105 255.255.255.0
  peer ip address 172.29.240.103 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input VIPS-HTTPS
  no shutdown

ft track interface TRACK_VLAN64
  track-interface vlan 64
  priority 150
ft track interface TRACK_VLAN65
  peer track-interface vlan 65
  peer priority 150

ip route 0.0.0.0 0.0.0.0 172.29.240.104
ip route 172.27.48.0 255.255.252.0 10.74.24.1
ip route 172.27.252.0 255.255.255.0 10.74.24.1
ip route 172.27.97.160 255.255.255.255 10.74.24.1
ip route 172.27.96.166 255.255.255.255 10.74.24.1
ip route 172.27.96.167 255.255.255.255 10.74.24.1
ip route 172.28.123.192 255.255.255.224 10.74.24.1

Thanks,

1 Accepted Solution

Accepted Solutions

Hi, the way round this is to use NAT; then only one interface is required.

For each VIP I have a VLAN (don't know how easy it is for you to generate dedicated VLANs).

The client's IP address gets NATed to the same VLAN.

For example:

class-map match-any testing
  2 match virtual-address 172.17.1.7 tcp eq www

Then on the policy map:

policy-map multi-match multi-vips
  class testing
    loadbalance vip inservice
    loadbalance policy JDEURL
    loadbalance vip icmp-reply
    nat dynamic 7 vlan 171 <----- note nat statement

Then on the interface:

interface vlan 171
  description client server vlan
  ip address 172.17.1.4 255.255.255.0
  peer ip address 172.17.1.1 255.255.255.0
  access-group input ALL
  nat-pool 7 172.17.1.18 172.17.1.30 netmask 255.255.255.0 pat
  service-policy input MAN 
  service-policy input multi-vips
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.17.1.254 < gateway on router.

So a real client goes from, say, 172.16.1.1 to the VIP 172.17.1.7 on the LB; the LB then does a NAT on the client IP address when going to the real server, so it is 172.17.1.xx to the real server IP.

HTH
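The flow the accepted answer describes, as an added example that is not part of the thread and is a Python model rather than ACE configuration: a client on another subnet sends to the VIP, the ACE forwards to a real server on the same VLAN, and the server's reply either returns through the ACE (source NAT from the nat-pool, as in the answer) or bypasses it (no source NAT, so the server sends the reply to the client's real address via its default gateway and the client sees a reply from the wrong source). The VIP, ACE address, nat-pool range, router and client address are the ones in the answer; the real server address 172.17.1.40, the client port, single-address PAT from the first pool address, and the real server using the router (not the ACE) as its default gateway are constructed assumptions.

```python
"""Added example: why a one-armed ACE deployment needs source NAT.

Models the answer's topology in Python (not ACE CLI). Addresses from the
answer: client 172.16.1.1, VIP 172.17.1.7, ACE 172.17.1.4 on vlan 171,
nat-pool 172.17.1.18-172.17.1.30, router 172.17.1.254. Constructed
assumptions: real server 172.17.1.40 whose default gateway is the router.
"""
import ipaddress
from dataclasses import dataclass

CLIENT = "172.16.1.1"           # from the answer
VIP = "172.17.1.7"              # class-map "testing" virtual address
ACE_IP = "172.17.1.4"           # ACE interface address on vlan 171
ROUTER = "172.17.1.254"         # default gateway in the answer
NAT_POOL_FIRST = "172.17.1.18"  # nat-pool 7 range start
NAT_POOL_LAST = "172.17.1.30"   # nat-pool 7 range end
REAL_SERVER = "172.17.1.40"     # constructed: a real server on vlan 171
SERVER_VLAN = ipaddress.ip_network("172.17.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def pool_addresses():
    """Expand the nat-pool range into individual addresses."""
    first = int(ipaddress.ip_address(NAT_POOL_FIRST))
    last = int(ipaddress.ip_address(NAT_POOL_LAST))
    return [str(ipaddress.ip_address(i)) for i in range(first, last + 1)]


class Ace:
    """Minimal model of the ACE data path for one VIP."""

    def __init__(self, snat: bool):
        self.snat = snat
        self.pool = pool_addresses()
        self.next_pat_port = 1024
        # (nat_ip, nat_port) -> (client_ip, client_port); models the xlate table
        self.xlate = {}

    def client_to_server(self, pkt: Packet) -> Packet:
        """Destination NAT VIP -> real server; source NAT only if snat is on."""
        assert pkt.dst == VIP
        src, sport = pkt.src, pkt.sport
        if self.snat:
            # "pat" keyword: many clients share one pool address, distinguished by port
            nat_ip, nat_port = self.pool[0], self.next_pat_port
            self.next_pat_port += 1
            self.xlate[(nat_ip, nat_port)] = (src, sport)
            src, sport = nat_ip, nat_port
        return Packet(src, sport, REAL_SERVER, 80)

    def owns(self, ip: str) -> bool:
        """Addresses for which the ACE answers ARP on vlan 171."""
        return ip in (ACE_IP, VIP) or ip in self.pool

    def server_to_client(self, pkt: Packet) -> Packet:
        """Undo the translation: reply appears to come from the VIP."""
        client_ip, client_port = self.xlate[(pkt.dst, pkt.dport)]
        return Packet(VIP, 80, client_ip, client_port)


def server_reply(pkt: Packet) -> Packet:
    """The real server answers whatever source address it saw."""
    return Packet(REAL_SERVER, pkt.dport, pkt.src, pkt.sport)


def server_next_hop(pkt: Packet) -> str:
    """Real server routing: on-link hosts directly, everything else via the router."""
    if ipaddress.ip_address(pkt.dst) in SERVER_VLAN:
        return pkt.dst
    return ROUTER


def simulate(snat: bool) -> dict:
    """Run one request/reply through the topology and report where the reply went."""
    ace = Ace(snat)
    to_server = ace.client_to_server(Packet(CLIENT, 40000, VIP, 80))
    reply = server_reply(to_server)
    hop = server_next_hop(reply)
    through_ace = ace.owns(hop)
    # Without source NAT the router delivers the reply as-is, straight from the real server
    final = ace.server_to_client(reply) if through_ace else reply
    return {
        "server_sees_client_as": to_server.src,
        "reply_next_hop": hop,
        "reply_through_ace": through_ace,
        "client_sees_reply_from": final.src,
        "client_accepts": final.src == VIP and final.dst == CLIENT,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("source NAT" if mode else "no source NAT", simulate(mode))
```

Without source NAT the reply's next hop is the router and the client receives a packet from 172.17.1.40 for a connection it opened to 172.17.1.7, which is the "can ping the VIP but nothing gets through" symptom. With source NAT the server replies to a pool address the ACE owns, so the return path is forced back through the load balancer. The trade-off is that the real servers then log the pool address instead of the client's address, so any server-side audit or rate-limiting that keys on client IP needs the original address carried another way (for HTTP, a header inserted by the ACE).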

Hi,

It works!

Thanks!!
