ACE multiple loadbalancing policies help

laurent55
Level 1

Hi

I've configured my ACE to load-balance all hits on a 2-server farm. It's working fine.

Now I want to load-balance hits with a specific URL on another farm, and it's not working (hits with the specific URL are not logged in the new policy).

Here is what I've added:

1. A class-map to get my URL:

class-map type http loadbalance match-all CLASSMAP_L7

match http header Host header-value my.domain.com

2. A policy-map:

policy-map type loadbalance first-match POLICYMAP_L7

  class CLASSMAP_L7

    serverfarm FARM_2

3. A policy-map to reference the L7 policy map:

policy-map multi-match POLICYMAP_L3L4

  class L4-WEB-IP

    loadbalance vip inservice

    loadbalance policy POLICYMAP_L7

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

4. Added the service policy on my interface:

interface vlan 265

  service-policy input ALREADY_EXISTING_POLICIES

  service-policy input POLICYMAP_L3L4

I should point out that my class-map L4-WEB-IP is defined as

class-map match-all L4-WEB-IP

  2 match virtual-address 17x.xx.xxx.xxx tcp eq www

So basically, when I try a show service-policy POLICYMAP_L3L4 summary, I get 0 hits.

So the other service policy (implementing the same class L4-WEB-IP, of course) is taking all the traffic.

Any thoughts? Thanks for the help.

9 Replies

laurent55
Level 1

Clarification: if I add a class-map identical to L4-WEB-IP, named CLASSMAP-L3L4, and use that class-map in the policy-map instead, it doesn't change anything...

pablo.nxh
Level 3

Hi Laurent

I'm thinking this is just a matter of how your policies and classes are applied on that SVI. Would it be possible for you to attach a sanitized copy of your configuration so we can try to figure out what's wrong?

Tnx

-- --

Pablo

Thanks Pablo!

This is my full configuration below:

access-list ANY line 24 extended permit icmp any any

access-list ANY line 32 extended permit ip any any

probe tcp PROBE_TCP

  interval 30

  passdetect interval 60

rserver host 55LABS

  ip address 172.16.0.1

  inservice

rserver host MICHELINE

  ip address 172.16.0.2

  inservice

serverfarm host FARM_55LABS

  predictor leastconns

  probe PROBE_TCP

  rserver 55LABS

    inservice

  rserver MICHELINE

    inservice

serverfarm host FARM_PHP

  predictor leastconns

  probe PROBE_TCP

  rserver MICHELINE

    inservice

parameter-map type http HTTP_PARAMETER_MAP

  persistence-rebalance

class-map match-all CLASSMAP_L3L4

  2 match virtual-address 178.xxx.xxx.xxx tcp eq www

class-map type http loadbalance match-all CLASSMAP_L7

  2 match http header Host header-value "subdomain.domain.com"

class-map match-all L4-HTTPS-IP

  2 match virtual-address xxx.xxx.xxx.161 tcp eq https

class-map match-all L4-WEB-IP

  2 match virtual-address xxx.xxx.xxx.161 tcp eq www

class-map type management match-all REMOTE_ACCESS

  2 match protocol ssh any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

  class REMOTE_ACCESS

    permit

policy-map type loadbalance http first-match HTTPS_POLICY

  class class-default

    serverfarm FARM_55LABS

    insert-http x-forward header-value "%is"

policy-map type loadbalance first-match POLICYMAP_L7

  class CLASSMAP_L7

    serverfarm FARM_PHP

policy-map type loadbalance http first-match WEB_L7_POLICY

  class class-default

    serverfarm FARM_55LABS

    insert-http x-forward header-value "%is"

policy-map multi-match POLICYMAP_L3L4

  class CLASSMAP_L3L4

    loadbalance policy POLICYMAP_L7

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

policy-map multi-match WEB-to-vIPs

  class L4-WEB-IP

    loadbalance vip inservice

    loadbalance policy WEB_L7_POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

  class L4-HTTPS-IP

    loadbalance vip inservice

    loadbalance policy HTTPS_POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 265

  ip address xxx.xxx.xxx.170 255.255.255.240

  peer ip address xxx.xxx.xxx.171 255.255.255.240

  access-group input ANY

  service-policy input REMOTE_MGMT_ALLOW_POLICY

  service-policy input WEB-to-vIPs

  service-policy input POLICYMAP_L3L4

  no shutdown

interface vlan 2369

  ip address 172.31.255.250 255.240.0.0

  alias 172.31.255.249 255.240.0.0

  peer ip address 172.31.255.251 255.240.0.0

  access-group input ANY

  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat

  no shutdown

ft track interface  VLAN265

  track-interface vlan 265

  peer track-interface vlan 265

  priority 50

  peer priority 5

Hi Laurent,

Thanks for the info. From the configuration I noticed a couple of things missing:

1. The new class under the multi-match policy has not yet been activated with the command "loadbalance vip inservice"; even though the policy is already applied under the interface, the ACE is not ARPing for that new VIP.

2. I see that you're using the same rserver/SF for this new VIP, so I'm assuming NAT is also required for this new implementation.

Not sure if you're doing all the config through the GUI; if using the CLI you can copy and paste the commands below and let us know if you get positive results.

policy-map multi-match POLICYMAP_L3L4

  class CLASSMAP_L3L4

    loadbalance vip inservice

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

HTH

__ __

Pablo

Hi Pablo

Thanks for the answer.

You're right, I'd deleted it since I was testing. I have put it back now, and... same result.

(loading subdomain.domain.com)

show service-policy POLICYMAP_L3L4 summary => Hit Count doesn't change

show service-policy WEB-to-vIPs summary    => Hit Count increases

To be safe, here is the full configuration again, with the corrections.

probe tcp PROBE_TCP

  interval 30

  passdetect interval 60

rserver host 55LABS

  ip address 172.16.0.1

  inservice

rserver host MICHELINE

  ip address 172.16.0.2

  inservice

serverfarm host FARM_55LABS

  predictor leastconns

  probe PROBE_TCP

  rserver 55LABS

    inservice

  rserver MICHELINE

    inservice

serverfarm host FARM_PHP

  predictor leastconns

  probe PROBE_TCP

  rserver MICHELINE

    inservice

parameter-map type http HTTP_PARAMETER_MAP

  persistence-rebalance

class-map match-all CLASSMAP_L3L4

  2 match virtual-address xxx.xxx.xxx.161 tcp eq www

class-map type http loadbalance match-all CLASSMAP_L7

  2 match http header Host header-value "subdomain.domain.com"

class-map match-all L4-HTTPS-IP

  2 match virtual-address xxx.xxx.xxx.161 tcp eq https

class-map match-all L4-WEB-IP

  2 match virtual-address xxx.xxx.xxx.161 tcp eq www

class-map type management match-all REMOTE_ACCESS

  2 match protocol ssh any

class-map type management match-all TEST

  2 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

  class REMOTE_ACCESS

    permit

policy-map type management first-match TEST_ALLOW

  class TEST

    permit

policy-map type loadbalance http first-match HTTPS_POLICY

  class class-default

    serverfarm FARM_55LABS

    insert-http x-forward header-value "%is"

policy-map type loadbalance first-match POLICYMAP_L7

  class CLASSMAP_L7

    serverfarm FARM_PHP

policy-map type loadbalance http first-match WEB_L7_POLICY

  class class-default

    serverfarm FARM_55LABS

    insert-http x-forward header-value "%is"

policy-map multi-match POLICYMAP_L3L4

  class CLASSMAP_L3L4

    loadbalance vip inservice

    loadbalance policy POLICYMAP_L7

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

policy-map multi-match WEB-to-vIPs

  class L4-WEB-IP

    loadbalance vip inservice

    loadbalance policy WEB_L7_POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

  class L4-HTTPS-IP

    loadbalance vip inservice

    loadbalance policy HTTPS_POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2369

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 265

  ip address xxx.xxx.xxx.170 255.255.255.240

  peer ip address xxx.xxx.xxx.171 255.255.255.240

  access-group input ANY

  service-policy input REMOTE_MGMT_ALLOW_POLICY

  service-policy input WEB-to-vIPs

  service-policy input POLICYMAP_L3L4

  no shutdown

interface vlan 2369

  ip address 172.31.255.250 255.240.0.0

  alias 172.31.255.249 255.240.0.0

  peer ip address 172.31.255.251 255.240.0.0

  access-group input ANY

  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat

  service-policy input TEST_ALLOW

  no shutdown

ft track interface  VLAN265

  track-interface vlan 265

  peer track-interface vlan 265

  priority 50

  peer priority 5

Thanks again.

Laurent

Hi Laurent,

Thanks for trying that out. Something that just caught my attention is this:

class-map match-all CLASSMAP_L3L4

  2 match virtual-address xxx.xxx.xxx.161 tcp eq www

class-map match-all L4-WEB-IP

  2 match virtual-address xxx.xxx.xxx.161 tcp eq www

Are these two class-maps using the same VIP by any chance? Everything points to them being the same, but I want to make sure.

Tnx.

__ __

Pablo

Hey Pablo,

Yes they are.

Unfortunately, I presume :/

Hey Laurent,

In this case I'd say fortunately, this will make things way easier =)

Long story short, you don't need the new policies to get this working. Since both policies are using the same VIP, the ACE will inspect both policies under the interface but will match the first one that was applied; that's why you're not seeing any hits for the new L7 policy.

The easy way to get this working is under the "first-match" policy: you just need to put the most specific match at the top of the policy so all the specific matches are layer 5 inspected. If a request comes with the host header subdomain.domain.com then it will be sent to farm PHP; otherwise the hit will be caught by the class-default and sent to the 55LABS farm.

The configuration should look like this:

policy-map type loadbalance http first-match WEB_L7_POLICY

  class CLASSMAP_L7

    serverfarm FARM_PHP

  class class-default

    serverfarm FARM_55LABS

    insert-http x-forward header-value "%is"

I'd recommend you remove the new policy from the interface, then apply these changes (test that it works) and finally remove the unnecessary lines so you can keep the config as simple/clean as possible.

HTH

__ __

Pablo
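A small checker for the situation Pablo describes, added here as an example and not code from the thread: it parses a constructed ACE config fragment modelled on Laurent's (the VIP is replaced by the documentation address 203.0.113.161) and reports any L3/L4 class whose VIP and port are already claimed by a service policy applied earlier on the same interface, which is exactly why POLICYMAP_L3L4 never counted a hit.

```python
from collections import defaultdict

# Constructed ACE config modelled on the thread, VIP swapped for a documentation address.
SAMPLE_CONFIG = """\
class-map match-all CLASSMAP_L3L4
  2 match virtual-address 203.0.113.161 tcp eq www
class-map match-all L4-WEB-IP
  2 match virtual-address 203.0.113.161 tcp eq www
policy-map multi-match POLICYMAP_L3L4
  class CLASSMAP_L3L4
policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
interface vlan 265
  service-policy input WEB-to-vIPs
  service-policy input POLICYMAP_L3L4
"""

def parse(config):
    """VIP tuple per class-map, class order per policy-map, service-policy order per interface."""
    vips, classes, svc, name = {}, defaultdict(list), defaultdict(list), None
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):          # block header: last word is the block's name
            name = w[-1]
        elif "virtual-address" in w:          # "... virtual-address <ip> <proto> eq <port>"
            i = w.index("virtual-address")
            vips[name] = (w[i + 1], w[i + 2], w[i + 4])
        elif w[0] == "class":
            classes[name].append(w[1])
        elif w[0] == "service-policy":
            svc[name].append(w[-1])
    return vips, classes, svc

def shadowed_vips(config):
    """Classes whose VIP/port was already claimed by a service policy applied earlier on
    the same interface; the ACE gives the flow to that first match, so the later policy
    never records a hit (the symptom in the thread)."""
    vips, classes, svc = parse(config)
    findings = []
    for iface, policies in svc.items():
        seen = {}                             # VIP tuple -> "policy/class" that owns it
        for pol in policies:
            for cls in classes[pol]:
                key = vips.get(cls)
                if key in seen:
                    findings.append(f"interface {iface}: {pol}/{cls} shadowed by {seen[key]}")
                elif key:
                    seen[key] = f"{pol}/{cls}"
    return findings
```

Running shadowed_vips over a real "show running-config" after merging the L7 classes into one first-match policy, as Pablo suggests, should return an empty list.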

Thanks Pablo, this helps a lot!

This is now working like a charm; I was far from imagining it was this simple.

Thanks again, and Merry Christmas!

Laurent