I am presented with a design requirement and would like some advice.
There will be, say, two servers in a serverfarm (message brokers). All traffic will be directed to this serverfarm. The challenge is that there are potentially dozens and dozens of applications/services that will be fronted by these message brokers. How do we manage and monitor resources on the ACE (the Data Power servers do this themselves, but we need to do this on the ACE as well, surely)? Troubleshooting could end up being a bit of a nightmare.
- Could we create a context per application/service with the same real servers in each (being the data power message brokers), so VIP per service?
- We would need to have the servers in each context on the same network, so a shared VLAN. Is this an issue?
- Could we have a unique subnet per application/service for the client side and the shared VLAN for the server side per context?
- Or a shared VLAN on the client and server side? Which is preferred or best practice?
- Are there any issues with this type of implementation besides the shared-vlan-hostid?
- I am sure there would be issues around the different serverfarms not being aware of each other if something like least-connections is used, but what if round-robin is used? Also, how would functionality like stickiness etc. be affected? I don't think it would, as this is context specific in my understanding.
As always, thank you for your response and suggestions.
The DataPower message brokers will mostly be listening for HTTP (so say 7080) and HTTPS (so say 7443). There may be instances where a particular application/service has its own port. With an application/service using its own port, we can implement as you suggested. The Data Powers are essentially XML security gateways. The brokers provide integration with transaction processing systems such as CICS and IMS, advanced messaging and various other functions. These form part of an ESB.
My concern is how we can manage and monitor the resource allocation and usage for a given application/service that the Data Power and message brokers are front-ending. If, say, 20 applications/services are all connecting on HTTP port 7080 and 10 of these applications potentially require more cps, tps, bandwidth, etc. than the remaining 10, how would we manage this? Also, if a problem arises for a particular application/service, and resource usage stats indicate a problem (say denies), how would we be able to identify the application/service in question (which would then be impacting other applications/services)?
Just posing the potential issues, as I would not like to run into these later and have to present to the client that a re-design may be required.
I wonder if you could shed some light on a development here.
We have a service that is currently being load balanced. Very basic -
2. port 9081
3. two servers
4. one serverfarm
5. stickiness required (originally and currently on source IP)
Issue now is that the client connects via the Data Power servers mentioned previously, which first of all proxies the connections, making source IP stickiness pointless (we are not getting any load balancing), and the client connection via HTTP gets modified by Data Power into SOAP/HTTP xmlns.
My question is: could we use Layer 4 payload stickiness? I have attached the data portion of the first frame after the TCP setup (all traffic is seen as TCP; I have also added port 9081 to Wireshark and only see two HTTP frames once the whole data transaction has completed), no cookies.
What could we use from this, if anything, for the stickiness on layer 4 payload? I was thinking of the FE_GEN_USER_ID if it is unique for each user, so config something like:
sticky layer4-payload PAS-STICKY
policy-map type loadbalance generic first-match LB-POLICY
Am a bit stuck on this one. Many of the other existing services that are currently being load balanced will eventually migrate to be front-ended by the Data Power devices, so I am sure we will run into this again.
Any assistance would be greatly appreciated as always.
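One way the layer 4 payload sticky described in the post above could be written out in ACE syntax, as an added example that is not from the original post. It assumes the DataPower-rewritten request carries the user id as an XML element <FE_GEN_USER_ID>...</FE_GEN_USER_ID> within the first 2000 bytes of the payload (the attached frame is not on the page, so the pattern must be checked against it), and the serverfarm, class-map and parameter-map names are placeholders.

```text
! Assumed: parse up to 2000 bytes of the first data segment looking for the sticky field
parameter-map type generic PAS-PAYLOAD-PARAMS
  set max-parse-length 2000

! Sticky group keyed on the text between the begin and end patterns (assumed XML element)
sticky layer4-payload PAS-STICKY
  serverfarm PAS-FARM
  timeout 30
  response sticky
  layer4-payload offset 0 length 2000 begin-pattern "<FE_GEN_USER_ID>" end-pattern "</FE_GEN_USER_ID>"

! Generic (non-HTTP) load-balance policy so the ACE treats port 9081 as opaque TCP payload
policy-map type loadbalance generic first-match LB-POLICY
  class class-default
    sticky-serverfarm PAS-STICKY

! Placeholder VIP class and multi-match policy tying the pieces together
class-map match-all PAS-VIP
  2 match virtual-address 10.0.0.10 tcp eq 9081

policy-map multi-match PAS-VIP-POLICY
  class PAS-VIP
    loadbalance vip inservice
    loadbalance policy LB-POLICY
    appl-parameter generic advanced-options PAS-PAYLOAD-PARAMS
```

Payload stickiness only works on plaintext the ACE can parse, so for the HTTPS (7443) flows the ACE would have to terminate SSL in front of the serverfarm, and `show sticky database` is the quickest way to confirm that distinct user ids are actually producing distinct entries rather than one shared one.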