We have a need to load-balance requests within the same VLAN, but need to make sure it only happens then. We have multiple web servers all members of the same subnet, these servers are grouped differently in 5 different VIPS whose IPs are also part of the same subnet.
Example: We need server A, which is a member of VIP Z, to talk to VIP Y and be load-balanced. These servers and VIPs are all part of the same subnet. However, when that same server A talks to host C somewhere else we don't want it to be translated.
We'll obviously need to use groups and ACLs, but would we be using 'add service XX' in the group command or the 'add destination service XX' command? Should we NAT these connections as a new IP address, or just fake out the dest VIP so that it thinks the sender's MAC is the CSS?
Anyone have a sample config from doing this before?
Thanks for the info, Steve. I have looked at a couple of online references including that one, but they all seem to be just a percentage of what I'm looking to do. It's probably a combination of them all put together, but because these VIPs are production websites I want to make sure I don't have to try this a second time. To make it make more sense I'll paste in what I'm trying to do below.
First, I have these 2 content VIPs:
vip address 10.28.128.30
add service lt-bw02-80
add service lt-bw04-80
add service lt-bw06-80
add service lt-bw08-80
add service lt-bw10-80
add service lt-bw12-80
add service lt-bw14-80
add service lt-bw16-80
add service lt-bw18-80
add service lt-bw20-80
add service lt-bw22-80
add service lt-bw24-80
add service lt-bw26-80
add service lt-bw28-80
add service lt-bw30-80
add service lt-bw32-80
vip address 10.28.128.38
add service rc-pub08-80
add service rc-pub06-80
add service rc-pub04-80
add service rc-pub02-80
Second, these are the services in each VIP respectively. I'll only paste 1 service from each VIP, all the others are the same just with incrementing IPs:
keepalive type script ap-kal-httptag "10.28.128.171 /keepalive.asp rc.lendingtree.com"
keepalive frequency 15
Goal to achieve:
I need the lt-bwXX-80 services that are members of the first VIP to be able to talk to the second (RC) VIP and be load-balanced. The caveat is that when these lt-bwXX-80 services talk to other hosts through the CSS I do not want them being NATted at all, for reporting reasons their IPs need to stay the same. To touch on your earlier comment, all of these VIPs are also load-balanced to the Internet for web browsing. Basically, I need some form of address translation, whether it be IP or MAC, but only on specific to/from relationships.
Does that help make it more clear? Thanks in advance for any assistance.
I've been going through the information provided and playing with this a little in a lab. How does the below scenario look?
We want any host in our 10.28.128.0/24 subnet that connects to a local (IP address) VIP of 'LendingTree_Web/rc-LT-80' to be load-balanced. In doing this we must perform some form of NAT since the clients and VIP are all in the same network.
1. Create a new group for the client machines. In all documentation I see that the source group has the same IP as the content rule, but is this necessary? I don't want to place any services in this group because I don't want them being source NATted when they communicate outbound, just when they talk to local VIPs. Should this new group be a completely new IP address to the environment since we're not NATting the service outbound connections?
vip address 10.28.128.29
2. We currently have ACLs enabled on our CSS(s) with ANY ANY rules at clause 50. If we add the below clause to our ACL, would we be saying that when any source in the 128 subnet connects to this specific content rule, the connection is source-NATted as 10.28.128.29? This should cause all traffic to now go through the CSS and create proper flows, right?
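An added example (not from the thread, and not copied from Cisco's CSS documentation) of how the two steps above could be put together: a source group that holds only its own VIP address and no member services, plus an ACL clause that applies that group only to traffic from the 10.28.128.0/24 subnet destined to the one content rule. The group name, ACL number, clause numbers and circuit name are assumed values; the content rule name and the 10.28.128.29 address are taken from the post above. Lines beginning with "!" are reader comments. Verify the clause syntax against the command reference for the CSS release in use before applying it to production VIPs.

```text
! Source group with its own NAT address and no member services, so that
! outbound connections from the lt-bwXX servers are never translated.
! (group name, ACL number, clause numbers and circuit are assumed values)
group lt-to-rc-hairpin
  vip address 10.28.128.29
  active

acl 1
  ! Clauses are evaluated in numerical order. Only 10.28.128.0/24 sources
  ! talking to this one content rule are source-NATted to 10.28.128.29.
  clause 10 permit any 10.28.128.0 255.255.255.0 destination content LendingTree_Web/rc-LT-80 sourcegroup lt-to-rc-hairpin
  ! Everything else, including the servers' outbound traffic and their
  ! Internet-facing load-balanced flows, passes with its original addresses.
  clause 50 permit any any destination any
  apply circuit-(VLAN1)

acl enable
```

Because the servers and the VIP share a subnet, the return traffic from the RC servers only comes back through the CSS if the forward flow was translated to the group's address; that is why the source group is needed at all, and why its address must belong to the CSS and not to any real host. After applying the ACL, confirm the behaviour with "show flows" (the hairpin flows should show 10.28.128.29 as the source) and check that connections from an lt-bwXX server to an outside host still show the server's own IP.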