Cisco Support Community
New Member

ACE in one-arm model. VIP on Client Side, servers in other vlan

Hello All

I have a LAN with many servers, but only 2 need to be balanced. So I am thinking of the one-arm model, because of the high traffic that does not need to pass through the ACE.

I have VLAN 900, where the client side is and also the VIP (10.0.9.64/26).

The servers are in VLAN 503 (10.12.3.0/24).

It is my first design with one-arm, but I think something is missing, because it doesn't work.

The configuration is the following:

MSFC:

svclc module 1 vlan-group 1,2
svclc vlan-group 1 503,900-902
svclc vlan-group 2 511
!
interface Vlan503
 description OSS_&_Otros
 ip address 10.12.3.253 255.255.255.0
 standby 10 ip 10.12.3.254
 standby 10 priority 150
 standby 10 preempt delay minimum 305
!
interface Vlan900
 description MSF_<->_ACE
 ip address 10.0.9.126 255.255.255.192
end
!
access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63
access-list 101 deny ip any any
!
route-map From_Server_OSS_to_ACE permit 10
 match ip address 101
 set ip next-hop 10.0.9.125
!

ACE_1/admin#

ip route 0.0.0.0 0.0.0.0 10.0.9.126

context OSS
  allocate-interface vlan 511
  allocate-interface vlan 900
  allocate-interface vlan 902
  member Max20

ACE_1/OSS# sh run
Generating configuration....

access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any

rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice

serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
    inservice
  rserver OSS_FES_2
    inservice

class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any

policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
    serverfarm SERVER_farm_OSS

policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply

interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.0.9.126

Maybe I need to allocate VLAN 503 in the OSS context; any advice?

Thanks in advance,

Gianni from Chile

3 REPLIES
New Member

Re: ACE in one-arm model. VIP on Client Side, servers in other vlan

Sorry, it's my first post here, and when I read the whole post that I wrote, I figured out that the following command was missing on Vlan503:

ip policy route-map From_Server_OSS_to_ACE

I didn't know how to delete my post.

I hope the problem is going to be solved by adding this command.

Anyway, any advice on the configuration or model to be used is welcome.

Thanks, Gianni

New Member

Re: ACE in one-arm model. VIP on Client Side, servers in other v

Since your servers are not behind the ACE in either bridged or routed mode, add the following to your config and use NAT to get the traffic back to the ACE.

This is how one-armed mode works.

ACE_1/OSS# sh run
Generating configuration....

access-list EVERYONE line 10 extended permit ip any any
access-list EVERYONE line 20 extended permit icmp any any

rserver host OSS_FES_1
  description OSS_Front_End_Server_1
  ip address 10.12.3.140
  inservice
rserver host OSS_FES_2
  description OSS_Front_End_Server_2
  ip address 10.12.3.150
  inservice

serverfarm host SERVER_farm_OSS
  rserver OSS_FES_1
    inservice
  rserver OSS_FES_2
    inservice

class-map match-all VIP-OSS
  2 match virtual-address 10.0.9.66 any

policy-map type loadbalance first-match OSS-LB-POLICY
  class class-default
    serverfarm SERVER_farm_OSS

policy-map multi-match OSS-POLICY-MAP
  class VIP-OSS
    loadbalance vip inservice
    loadbalance policy OSS-LB-POLICY
    loadbalance vip icmp-reply
    nat dynamic 10 vlan 900

interface vlan 900
  description Clients-side
  ip address 10.0.9.125 255.255.255.192
  nat-pool 10 10.0.9.126 10.0.9.126 netmask 255.255.255.192 pat
  access-group input EVERYONE
  access-group output EVERYONE
  service-policy input OSS-POLICY-MAP
  no shutdown

Re: ACE in one-arm model. VIP on Client Side, servers in other vlan

Route-map missing on the VLAN 900 SVI on the MSFC.

Also, ACL 101 doesn't feel right.

access-list 101 permit ip 10.12.3.0 0.0.0.255 10.0.9.64 0.0.0.63

This ACL will forward all server response traffic to the ACE, which is against the reason for using one-arm mode. You should have a specific ACL entry which only takes the traffic from servers listening on specific ports to the ACE, and all the remaining traffic should be allowed to bypass the ACE.

For example, if the servers 10.12.3.150 and 10.12.3.140 are listening on port 80, then the ACL should only say:

access-list 100 permit tcp host 10.12.3.150 eq www any
access-list 100 permit tcp host 10.12.3.140 eq www any

Syed Iftekhar Ahmed
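The following is an added example, not code from this thread or from Cisco. It is a small Python model of the return-path decision the whole thread is about: the MSFC's policy-based routing (the route-map matched by ACL 101 in the original post, applied with "ip policy route-map" on the VLAN 503 SVI as the first reply says) compared with the port-specific ACL 100 from the last reply, plus a sanity check for the NAT-pool address used in the second reply's "nat dynamic" alternative. The ACE, MSFC, VIP and server addresses are the ones in the thread; the client addresses and ports are constructed sample data, and 10.0.9.124 is assumed to be a free address in VLAN 900.

```python
# Added example (not code from the thread): a model of how the MSFC's
# policy-based routing (PBR) steers server replies back to the ACE in
# one-arm mode. Addresses of the ACE, MSFC, VIP and servers come from the
# thread; client addresses and ports below are constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ACE_VLAN900_IP = "10.0.9.125"    # ACE interface on VLAN 900, PBR next-hop
MSFC_VLAN900_IP = "10.0.9.126"   # MSFC SVI on VLAN 900 (ACE default gateway)
VIP = "10.0.9.66"                # virtual address matched by class-map VIP-OSS
VLAN900_NET = ipaddress.ip_network("10.0.9.64/26")


@dataclass(frozen=True)
class Flow:
    """One packet as the MSFC sees it arriving on the VLAN 503 SVI."""
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    sport: int
    dport: int


@dataclass(frozen=True)
class AclEntry:
    """One line of an IOS extended ACL, e.g. 'permit tcp host 10.12.3.150 eq www any'."""
    action: str                     # "permit" or "deny"
    proto: str                      # "ip" matches every protocol
    src: str                        # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str
    sport_eq: Optional[int] = None  # source-port 'eq' qualifier, if any


def _addr_matches(spec: str, addr: str) -> bool:
    """Match an address against an ACL address spec using IOS wildcard-mask rules."""
    if spec == "any":
        return True
    parts = spec.split()
    ip = int(ipaddress.ip_address(addr))
    if parts[0] == "host":
        return ip == int(ipaddress.ip_address(parts[1]))
    base = int(ipaddress.ip_address(parts[0]))
    wildcard = int(ipaddress.ip_address(parts[1]))
    care = wildcard ^ 0xFFFFFFFF     # wildcard bit 0 means "this bit must match"
    return (ip & care) == (base & care)


def acl_permits(acl: list, flow: Flow) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for e in acl:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if not _addr_matches(e.src, flow.src) or not _addr_matches(e.dst, flow.dst):
            continue
        if e.sport_eq is not None and e.sport_eq != flow.sport:
            continue
        return e.action == "permit"
    return False


def pbr_next_hop(acl: list, flow: Flow) -> str:
    """'route-map ... permit 10 / match ip address <acl> / set ip next-hop 10.0.9.125',
    applied with 'ip policy route-map' on the VLAN 503 SVI: packets matching the ACL
    go to the ACE, everything else follows the normal routing table."""
    return ACE_VLAN900_IP if acl_permits(acl, flow) else "normal-routing"


# ACL 101 as in the original post: every server -> VLAN 900 packet.
ACL_101 = [
    AclEntry("permit", "ip", "10.12.3.0 0.0.0.255", "10.0.9.64 0.0.0.63"),
    AclEntry("deny", "ip", "any", "any"),
]

# ACL 100 as in the last reply: only replies sourced from the servers' port 80.
ACL_100 = [
    AclEntry("permit", "tcp", "host 10.12.3.150", "any", sport_eq=80),
    AclEntry("permit", "tcp", "host 10.12.3.140", "any", sport_eq=80),
]

# Constructed sample replies leaving the servers (client addresses/ports are made up).
SAMPLE_REPLIES = {
    # reply in a load-balanced HTTP session from a client on VLAN 900
    "http_reply_vlan900_client": Flow("10.12.3.140", "10.0.9.70", "tcp", 80, 51000),
    # reply to a direct SSH session that never went through the ACE
    "ssh_reply_vlan900_client": Flow("10.12.3.140", "10.0.9.70", "tcp", 22, 51001),
    # reply in a load-balanced HTTP session from a client outside VLAN 900
    "http_reply_remote_client": Flow("10.12.3.150", "10.12.5.20", "tcp", 80, 40000),
}


def steering_table(acl: list) -> dict:
    """Where the MSFC sends each sample reply under the given route-map ACL."""
    return {name: pbr_next_hop(acl, flow) for name, flow in SAMPLE_REPLIES.items()}


def snat_pool_ok(pool_ip: str) -> bool:
    """Check for the second reply's alternative: with 'nat dynamic' source NAT the
    servers answer to the pool address, which the ACE owns on VLAN 900, so no PBR is
    needed. The pool address must be a host address inside the VLAN 900 subnet and
    must not be an address already in use there (MSFC SVI, ACE interface, VIP)."""
    ip = ipaddress.ip_address(pool_ip)
    in_use = {ipaddress.ip_address(a) for a in (MSFC_VLAN900_IP, ACE_VLAN900_IP, VIP)}
    is_host = VLAN900_NET.network_address < ip < VLAN900_NET.broadcast_address
    return is_host and ip not in in_use


if __name__ == "__main__":
    for label, acl in (("ACL 101", ACL_101), ("ACL 100", ACL_100)):
        print(label, steering_table(acl))
    print("pool 10.0.9.126 usable:", snat_pool_ok("10.0.9.126"))  # the MSFC SVI address
    print("pool 10.0.9.124 usable:", snat_pool_ok("10.0.9.124"))  # assumed free address
```

Running it shows the two things a practitioner should check in this one-arm design. With ACL 101, every server-to-VLAN-900 packet is redirected to the ACE, including replies for connections the ACE never saw (the SSH sample), while a reply to a load-balanced client outside 10.0.9.64/26 bypasses the ACE entirely, because the original configuration does no source NAT and the servers see the real client address. ACL 100 redirects exactly the replies sourced from the load-balanced port, whatever the client address; note that the route-map in the original post references ACL 101, so the number must match whichever ACL is used. For the NAT alternative, the 10.0.9.126 in the reply's nat-pool line is the MSFC's own VLAN 900 SVI address in the original post, so the pool needs a different, unused address in that subnet; once the ACE owns the pool address on VLAN 900, server replies reach it by normal routing and no route-map is required.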
