08-30-2013 01:45 PM
Hi experts,
I need your help. I have a two-arm Loadbalancer concept for LDAP and LDAPS. The LDAP clients talk to the VIP of the Loadbalancer on port 389 or 636 in the frontend VLAN of the Loadbalancer. The Loadbalancer distributes the TCP connections (L4) round-robin to the LDAP server farm in the Loadbalancer backend VLAN. For this it is required that the Loadbalancer performs SRC-NAT and DST-PAT. DST-PAT means the LDAP clients talk to port 389 or 636 of the VIP, but the Loadbalancer sends the TCP connection to port 3389 or 6636 on the LDAP server. This depends on the port used by the LDAP clients.
My problem is that I do not know how to configure the DST-PAT on the ACE for 389->3389 and 636->6636.
Could you please show me an example?
BR,
Sebastian
08-30-2013 03:04 PM
Hi Sebastian,
If I understand this correctly, you need to send the traffic from the ACE to the servers on ports 3389 and 6636.
If this is correct, you just need to configure a couple of serverfarms and specify the port number, like this:
serverfarm host sample
  rserver server1 3389
    inservice
---------------------
Cesar R
ANS Team
08-31-2013 12:37 AM
Hi Cesar Roque
Thanks for your reply.
LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy (3389)
LDAP Client 2 ---> Loadbalancer VIP (636) ----> LDAP Proxy (6639)
If I understand you correctly, the config should look like this?
class-map match-all LDAP
  2 match virtual-address 10.70.136.161 tcp eq 389
class-map match-all LDAPS
  2 match virtual-address 10.70.136.161 tcp eq 636
policy-map multi-match LDAP-Service
  description traffic LDAP VIP
  class LDAP
    loadbalance vip inservice
    loadbalance policy LDAP
    loadbalance vip icmp-reply
    loadbalance vip advertise
  class LDAPS
    loadbalance vip inservice
    loadbalance policy LDAPS
    loadbalance vip icmp-reply
    loadbalance vip advertise
rserver host LDAPPROXYBAM#1
  ip address 192.168.2.129
  inservice
rserver host LDAPPROXYBAM#2
  ip address 192.168.2.130
  inservice
rserver host LDAPPROXYFFM#1
  ip address 192.170.2.193
  inservice
rserver host LDAPPROXYFFM#2
  ip address 192.170.2.194
  inservice
serverfarm host LDAPPROXY
  probe LDAP-3389
  rserver LDAPPROXYBAM#1 3389
    inservice
  rserver LDAPPROXYBAM#2 3389
    inservice
  rserver LDAPPROXYFFM#1 3389
    inservice
  rserver LDAPPROXYFFM#2 3389
    inservice
serverfarm host LDAPPROXYS
  probe LDAPS-6636
  rserver LDAPPROXYBAM#1 6636
    inservice
  rserver LDAPPROXYBAM#2 6636
    inservice
  rserver LDAPPROXYFFM#1 6636
    inservice
  rserver LDAPPROXYFFM#2 6636
    inservice
policy-map type loadbalance first-match LDAP
  class class-default
    serverfarm LDAPPROXY
policy-map type loadbalance first-match LDAPS
  class class-default
    serverfarm LDAPPROXYS
But now I think the load is not distributed correctly any longer.
Example:
Not correct:
LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy 1 (3389)
LDAP Client 2 ---> Loadbalancer VIP (389) ----> LDAP Proxy 2 (3389)
LDAP Client 3 ---> Loadbalancer VIP (636) ----> LDAP Proxy 1 (6636)
LDAP Client 4 ---> Loadbalancer VIP (636) ----> LDAP Proxy 2 (6639)
Correct:
LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy 1 (3389)
LDAP Client 2 ---> Loadbalancer VIP (389) ----> LDAP Proxy 2 (3389)
LDAP Client 3 ---> Loadbalancer VIP (636) ----> LDAP Proxy 3 (6636)
LDAP Client 4 ---> Loadbalancer VIP (636) ----> LDAP Proxy 4 (6639)
Are my thoughts right? How can I solve this?
09-01-2013 08:32 AM
Hi Sebastian
Please clear the serverfarm counters and then gather a couple of outputs of show serverfarm {name} detail while you send traffic to the VIPs.
---------------------
Cesar R
ANS Team