ACE - Inter-context traffic flow.

Martin Charles
Cisco Employee

Experts,

Could you please guide me on the traffic flow mentioned below?

Connection flow:

client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}

[Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8]  <= {User Context test2}

There are two contexts, test1 & test2, on the same ACE box residing in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.

context test 1

rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice
rserver host SITMA21
  ip address 10.106.24.133
  probe PING
  inservice
rserver host SITMA22
  ip address 10.106.24.138
  probe PING
  inservice
serverfarm host L17SVWOASIS03_FARM
  description oasis-sso-stg2 server farm
  failaction purge
  probe TCP-80
  rserver SITMA21 80
    inservice
  rserver SITMA22 80
serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
  rserver OASIS-SSO-STG2_OOS_REDIRECT
    inservice
sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
  serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
  timeout 10
  replicate sticky

Need to know when the redirection will take place here.... I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down does the redirect server come into the picture, as per the configs attached..

If that is the case then

rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice

The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In this case, how is this request sent to the VIP, since both are in different VLANs? Should it be done with PBR (policy-based routing) via the CAT6k? Could anyone please share the configs?

Or can this be done with a default route to the VIP on the contexts?

7 Replies

Kanwaljeet Singh
Cisco Employee

Hi Martin,

Your understanding regarding the redirect server is correct. When serverfarm L17SVWOASIS03_FARM is down, any requests coming for the VIP which corresponds to L17SVWOASIS03_FARM will be redirected to a different URL and the client must now come on a different VIP. That shouldn't be a problem because ACE here is not routing the traffic to a different context. It is just telling the client to come on a different URL which resolves to a different VIP in a different context. So the client should come to that VIP, and that is like any other request to that VIP, which I assume is already working.

Regarding your question on inter-context routing: ACE does not allow inter-context communication. This is the behavior.

However, you can still achieve communication by going through an external gateway.

If an rserver S in vlan 10 of context A wants to communicate with vlan 20, VIP-B, you should configure context A with a static host route pointing VIP-B to the default gateway. This default gateway will then forward the traffic to context B, and for ACE it is like the connection comes from outside and not from another context. Same for the response: you need on context B a route for vlan 10 via the gateway.

Logically this should work.

Give it a try and let me know how it goes.

Regards,

Kanwal

Hi Kanwal ...

Great!!! ... Cool, it works!!! Many thanks mate... It's happening even without a route!!! (Not sure)

I now understand how server redirect works; however, I have seen some configuration as below

Client ---> VIP (20)-----Rserver (30)

But the same rserver has been configured as a VIP in the other context; also, both contexts are in the same ACE box..

Please let me know how to make this work. AFAIK the first request which we send will get load-balanced and it hits the rserver, but how does the request go to the VIP (rserver) in the other context? Will it traverse by default, or, as you said above, do we need to add a static route?

If you have a sample config to do the above, can you please share? Many thanks in advance...

Martin

Hi Martin,

Hmm. I am not sure, but what I am not understanding is why you want the request to be load-balanced to an rserver in one context when the same rserver is a VIP in another context on the same ACE. I have seen a VIP of one ACE be an rserver in another, and of course that is a different and simple scenario.

So what you are saying is the client comes to VIP(20) in context A and gets load-balanced to Rserver(30), but Rserver(30) is actually a VIP in another context which load-balances the traffic to another serverfarm. Never done that :)

Why don't you send the request to the Rserver (VIP in another context) directly? Why do you need to go to VIP(20) and get it load-balanced to Rserver(30)? Honestly I am not sure. Maybe someone else has better ideas.

Regards,

Kanwal

Hi Kanwal,

Thanks for your time & reply... Yes, the topology is a bit complex, but I have seen a customer configuration which states exactly the above... Not sure whether I can attach the same in the forum...

Hoping to see other views on this... Thanks again..

Regards

Martin Charles A.

Hi Martin,

I was thinking about it, and it is like load-balancing to a server which is a hop away. How do you do that? By routing. So I guess in this case also you would need a route to the VIP of the other context through another gateway, and vice versa.

Can you try that and let me know how it goes? So the suggestion in my first reply should hold good here.

Regards,

Kanwal

Hi Kanwal ...

First of all, thanks for your time and suggestion on this case.. Yes, I tried with the route, but the customer is in one-arm mode and a default route has already been added, which is pointing to the CAT6k, since the routing decision is done by the CAT6k...

Here we go.. The customer config doesn't stop at the point where the rserver of one context is the VIP in the other context; it continues... Let me explain what I understood so far....

CSS - Context 1   -------> SCA - Context 2  ---> CSS - Context 1

1. A connection coming from a firewall hits the CSS - Context 1 VIP, i.e. 10.99.1.76 (https), which gets load-balanced to rservers (10.99.0.13 & 10.99.0.14) port 475.

2. The above-mentioned two rservers are the VIPs in SCA - Context 2, which get load-balanced to 10.99.1.76 port 8080.

My head started to spin when I found the third...

3. The above-mentioned rserver 10.99.1.76 8080 is again the VIP in CSS - Context 1, which finally gets load-balanced to 10.99.1.217.

I got this config up and running in my lab, and the VIP and rservers are up.... Since it's one-arm mode I have given the static route to the CAT6k, but still I am unable to fetch the page as required...

Will post the configs on the next thread..

Thanks

Martin

Configs
=====

CSS - Context 1
============

probe tcp qaahmapp1-ssl-475_PROBE
  port 475
  interval 5
  passdetect interval 5
  connection term forced
rserver host HS_PROD.sanovia_447-ssl-a
  ip address 10.99.0.13
  inservice
rserver host HS_PROD.sanovia_447-ssl-b
  ip address 10.99.0.14
  inservice
serverfarm host sanovia.qaahm.ssl
  probe qaahmapp1-ssl-475_PROBE
  rserver HS_PROD.sanovia_447-ssl-a 475
    conn-limit max 4000000 min 4000000
    inservice
  rserver HS_PROD.sanovia_447-ssl-b 475
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http cisco_avs_parametermap
  case-insensitive
  persistence-rebalance
  parsing non-strict
action-list type optimization http cisco_avs_bandwidth_and_latency
  delta
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward-object
action-list type optimization http cisco_avs_obj_latency
  flashforward-object
class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
  2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
class-map match-all sanovia.qaahm.ssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq https
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
  class class-default
    serverfarm sanovia.qaahm.ssl
    insert-http x-forward header-value "%is"
policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_bandwidth_and_latency
    action cisco_avs_bandwidth_and_latency
policy-map multi-match POLICY
  class sanovia.qaahm.ssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
    optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1

========================================================================================

SCA - Context 2
============

crypto chaingroup GoDaddy
  cert cisco-sample-cert
probe tcp AHM_QA-PROBE
  port 8080
  interval 5
  passdetect interval 5
  connection term forced
rserver host AHM_QA
  ip address 10.99.1.76
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host AHM_QA
  rserver AHM_QA 8080
    conn-limit max 4000000 min 4000000
    probe AHM_QA-PROBE
    inservice
parameter-map type ssl sanovia-ssl-parms
  description This is where you tweak your SSL parms, cert, etc.
  cipher RSA_WITH_RC4_128_MD5 priority 4
  cipher RSA_WITH_RC4_128_SHA priority 5
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
  cipher RSA_WITH_AES_128_CBC_SHA priority 7
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
ssl-proxy service sanovia-ssl-proxy
  key cisco-sample-key
  cert cisco-sample-cert
  chaingroup GoDaddy
  ssl advanced-options sanovia-ssl-parms
class-map match-any AHM_QA-CLASS
  2 match virtual-address 10.99.0.13 tcp eq 475
  3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
  class class-default
    serverfarm AHM_QA
policy-map multi-match POLICY
  class AHM_QA-CLASS
    loadbalance vip inservice
    loadbalance policy AHM_QA-CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10
    ssl-proxy server sanovia-ssl-proxy
interface vlan 10
  ip address 10.99.0.17 255.255.255.0
  peer ip address 10.99.0.11 255.255.255.0
  nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
  service-policy input POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.0.1

========================================================================================

CSS - Context 1 (another VIP)
=======================

rserver host qaahmapp1-8080
  ip address 10.99.1.217
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host sanovia.qaahm.postssl
  rserver qaahmapp1-8080 8080
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
  cookie insert
  serverfarm sanovia.qaahm.postssl
  timeout 45
  replicate sticky
class-map match-all sanovia.qaahm.postssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
  class class-default
    sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
  class sanovia.qaahm.postssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown

=============================================================================

I have configured two VLANs in the CAT6k, i.e. vlan 10 & vlan 20, with the following IPs as mentioned in the routes of the ACE: 10.99.0.1 & 10.99.1.1

Also configured only the final rserver 10.99.1.217 under vlan 20.... This made all the VIPs and rservers come up, but still couldn't get the required page... There is a small confusion in the first context, as the VIP is shown as https but I don't see any cert and key in the customer config, so I made it http for my test... But the second context VIP is https, where I have added the certs and key as required....

Let me know if I am missing anything here.... Many thanks in advance...

thanks

Martin
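A worked example, added here and not part of the thread or of any Cisco tool: a small Python parser for the ACE statements posted above that links each VIP to its real servers and follows a real server into another context when its address is itself a VIP there. The context labels "CSS-Context-1" and "SCA-Context-2" are chosen for this example, the config text is condensed from the posts above to the statements the parser needs, and the `https` keyword is assumed to mean port 443. Run on the posted configs it reproduces the three-step chain Martin describes (443 on 10.99.1.76, then 475 on 10.99.0.13/14 in the other context, then 8080 on 10.99.1.76 back in the first, ending at 10.99.1.217), and the hops it flags as cross-context are the ones Kanwal's earlier reply says ACE will not forward internally, so each of them needs a route out to the external gateway and back in.

```python
from collections import defaultdict

# Added example: configs condensed from the two contexts posted above (rserver, serverfarm,
# sticky, class-map and policy-map statements only); the context labels are ours.
CONTEXT_CONFIGS = {
    "CSS-Context-1": """\
rserver host HS_PROD.sanovia_447-ssl-a
  ip address 10.99.0.13
rserver host HS_PROD.sanovia_447-ssl-b
  ip address 10.99.0.14
rserver host qaahmapp1-8080
  ip address 10.99.1.217
serverfarm host sanovia.qaahm.ssl
  rserver HS_PROD.sanovia_447-ssl-a 475
  rserver HS_PROD.sanovia_447-ssl-b 475
serverfarm host sanovia.qaahm.postssl
  rserver qaahmapp1-8080 8080
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
  serverfarm sanovia.qaahm.postssl
class-map match-all sanovia.qaahm.ssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq https
class-map match-all sanovia.qaahm.postssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
  class class-default
    serverfarm sanovia.qaahm.ssl
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
  class class-default
    sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
  class sanovia.qaahm.ssl_CLASS
    loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
  class sanovia.qaahm.postssl_CLASS
    loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
""",
    "SCA-Context-2": """\
rserver host AHM_QA
  ip address 10.99.1.76
serverfarm host AHM_QA
  rserver AHM_QA 8080
class-map match-any AHM_QA-CLASS
  2 match virtual-address 10.99.0.13 tcp eq 475
  3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
  class class-default
    serverfarm AHM_QA
policy-map multi-match POLICY
  class AHM_QA-CLASS
    loadbalance policy AHM_QA-CLASS-l7slb
""",
}
PORT_NAMES = {"http": 80, "https": 443}  # assumed mapping for named ports

def parse_context(text):
    """Map each VIP (ip, port) of one context to its real servers [(ip, port), ...]."""
    rservers, farms, sticky, lbpol = {}, defaultdict(list), {}, {}
    classes, vip_policy, block, cur_class = defaultdict(list), {}, None, None
    for raw in filter(str.strip, text.splitlines()):
        w = raw.split()
        if not raw.startswith(" "):  # an unindented line opens a new block
            block = (w[0], w[-1])  # (statement kind, object name)
            continue
        kind, name = block
        if kind == "rserver" and w[0] == "ip":
            rservers[name] = w[2]
        elif kind == "serverfarm" and w[0] == "rserver":
            farms[name].append((w[1], int(w[2])))
        elif kind == "sticky" and w[0] == "serverfarm":
            sticky[name] = w[1]  # sticky group -> serverfarm
        elif kind == "class-map" and w[1:3] == ["match", "virtual-address"]:
            classes[name].append((w[3], PORT_NAMES.get(w[-1]) or int(w[-1])))
        elif kind == "policy-map" and w[0] == "class":
            cur_class = w[1]
        elif kind == "policy-map" and w[0] in ("serverfarm", "sticky-serverfarm"):
            lbpol[name] = (w[0], w[1])  # loadbalance policy -> farm or sticky group
        elif kind == "policy-map" and w[:2] == ["loadbalance", "policy"]:
            for vip in classes[cur_class]:  # multi-match policy: VIP class -> lb policy
                vip_policy[vip] = w[2]
    farm_of = {p: t if k == "serverfarm" else sticky[t] for p, (k, t) in lbpol.items()}
    return {vip: [(rservers[r], port) for r, port in farms[farm_of[p]]]
            for vip, p in vip_policy.items()}

def trace(vip_tables, ctx, vip):
    """BFS from one VIP; each hop is (ctx, vip, rserver, next_ctx), next_ctx being the context where the rserver address is itself a VIP, or None for a plain real server."""
    index = {v: c for c, table in vip_tables.items() for v in table}
    hops, queue, seen = [], [(ctx, vip)], {(ctx, vip)}
    while queue:
        c, v = queue.pop(0)
        for rs in vip_tables[c][v]:
            nxt = index.get(rs)
            hops.append((c, v, rs, nxt))
            if nxt and (nxt, rs) not in seen:
                seen.add((nxt, rs))
                queue.append((nxt, rs))
    return hops

def cross_context_hops(hops):
    """Hops landing on a VIP of another context: ACE does not forward these internally, so each needs a route out to the external gateway and back in."""
    return [h for h in hops if h[3] and h[3] != h[0]]
```

Build the tables with `{c: parse_context(t) for c, t in CONTEXT_CONFIGS.items()}` and call `trace(tables, "CSS-Context-1", ("10.99.1.76", 443))`: the walk yields five hops, four of which change context, and the only address that is not a VIP anywhere is 10.99.1.217:8080, where the chain ends. The parser keys only on indentation and the first keyword of each line, which is enough for the statement kinds shown in the posts but not a general ACE config parser.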
