CISCO ACE: LAYER 7 POLICY QUESTION

lmaia-nextel
Level 1

Hi Folks, 

I have a layer 7 policy on a Cisco ACE 4710 working in this scenario:

1 - One VIP address used for 5 websites, all resolving in DNS to the same VIP address;

2 - 5 class-maps of type http, each matching the Host header of one website;

3 - One policy-map of type http configured, matching the 5 class-maps to 5 serverfarms, one for each website.

 

This layer 7 policy is working fine for 4 websites, but one in particular is not working. Using Wireshark, I can see that this particular site is requesting not just http://website.com.br, but also some / attributes, like http://website.com.br/images/css/content and something else.

I checked with the web guys and this behavior is expected from the application's point of view, since the web page requests all images and directories to mount all content.

 

Class map example, matching the HTTP Host header:

class-map type http loadbalance match-all L7-SITE-5
  2 match http header Host header-value "site5.domain.com"

Also, I tried to match the class map using the complete URL, but with no success.

Basically, it seems that the ACE needs to understand that site5.domain.com/anyother command needs to hit the class map created and send traffic to the serverfarm.

I am trying, but it's becoming a challenge...

Thanks

Luiz

3 Replies

Kanwaljeet Singh
Cisco Employee

Hi Luiz,

As long as the HTTP header "Host" value is site5.domain.com, it will match the class-map condition and it will be loadbalanced to the serverfarm. What the user requests in the URL doesn't matter. That is for the server to serve. Do you see the Host header and value "site5.domain.com" in Wireshark and still that packet is not loadbalanced to the appropriate serverfarm?

Regards,

Kanwal

Note: Please mark answers if they are helpful.
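
An added example, not part of the thread or of any Cisco tooling: a small Python check for the question asked in the reply above, listing the Host header of every request in an exported TCP stream and flagging those that do not carry the class-map value, whatever the path. The sample requests are constructed, and the comparison (case-insensitive, optional port stripped, no IPv6 literals) is an assumption for illustration, not the ACE's own matching logic.

```python
# Added example: constructed sample data, not taken from the thread's capture.
EXPECTED_HOST = "site5.domain.com"  # header-value from the class-map on this page

# Constructed request heads, as a "Follow TCP Stream" export might show them.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: site5.domain.com\r\nAccept: */*\r\n\r\n"
    b"GET /images/css/content HTTP/1.1\r\nHost: SITE5.domain.com:80\r\n\r\n"
    b"GET /logo.png HTTP/1.1\r\nHost: static.domain.com\r\n\r\n"
    b"GET /old HTTP/1.0\r\nAccept: */*\r\n\r\n"
)


def split_request_heads(stream: bytes):
    """Split a stream of body-less requests into individual header blocks."""
    return [head for head in stream.split(b"\r\n\r\n") if head.strip()]


def host_header(head: bytes):
    """Return the Host header value of one request head, or None if absent."""
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("latin-1")
    return None


def normalise(host: str) -> str:
    """Lower-case and drop an optional :port (assumed simplification)."""
    return host.lower().split(":")[0]


def audit(stream: bytes, expected: str = EXPECTED_HOST):
    """Return (request_line, host, matches_expected) for every request."""
    rows = []
    for head in split_request_heads(stream):
        request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
        host = host_header(head)
        ok = host is not None and normalise(host) == expected.lower()
        rows.append((request_line, host, ok))
    return rows


if __name__ == "__main__":
    for request_line, host, ok in audit(SAMPLE_STREAM):
        print(f"{'match' if ok else 'NO MATCH':8}  {host!s:24} {request_line}")
```

Requests flagged NO MATCH (a different hostname, or no Host header at all) are the ones to compare against the class-map conditions before looking at the path.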

 

 

Hi Kanwal, 

Thanks a lot, but checking the Wireshark capture, it seems that the packet is trying to reach the real servers and the ACE is sending a connection reset to the host.

When we remove the layer 7 policy and change it to a layer 4 policy, the web page works properly.

Is there any situation where the Cisco ACE, using a layer 7 policy, tries to inject something into the HTTP packet?

Hi,

Unless ACE is configured for inserting or modifying anything, it will not touch anything. In L7 loadbalancing, ACE just needs to wait for the HTTP GET and once it sees what it is configured for, it will take the loadbalancing decision and open a new connection at the backend.

Can you send me the pcaps you have taken and mention where they were taken and what the client IP, server IP and VIP in question are?

Regards,

Kanwal
 

Note: Please mark answers if they are helpful.
