FWLB question

I am a new user with the Cisco 4710 appliance and am trying to load balance Microsoft ISA servers with our 4710s. They are currently deployed in routed mode with one acting as a hot standby.

My issue is that the traffic doesn't seem to be getting to the ISA servers, although I have attempted to follow the documentation in the FWLB guidelines.

access-list EVERYONE line 10 extended permit ip any any

rserver host ISA_INSIDE_1
  ip address 192.168.254.254
  inservice
rserver host ISA_INSIDE_2
  ip address 192.168.254.253
  inservice

serverfarm host ISA_INSIDE
  transparent
  predictor hash address destination 255.255.255.255
  rserver ISA_INSIDE_1
    inservice
  rserver ISA_INSIDE_2

class-map match-any INTERNAL_GATEWAY
  2 match virtual-address 192.168.252.1 255.255.255.0 any
class-map match-any INTERNAL_TRAFFIC
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match LB_ISA_INSIDE
  class class-default
    serverfarm ISA_INSIDE

policy-map multi-match OUTBOUND_TRAFFIC
  class INTERNAL_TRAFFIC
    loadbalance vip inservice
    loadbalance policy LB_ISA_INSIDE
  class INTERNAL_GATEWAY
    loadbalance vip inservice
    loadbalance policy LB_ISA_INSIDE

interface vlan 253
  ip address 192.168.252.200 255.255.255.0
  access-group input EVERYONE
  service-policy input OUTBOUND_TRAFFIC
  no shutdown
interface vlan 254
  ip address 192.168.254.251 255.255.255.0
  mac-sticky enable
  access-group input EVERYONE
  service-policy input OUTBOUND_TRAFFIC
  no shutdown

If I route traffic via the 192.168.252.1 address, I am not seeing it hit the firewall. I assume that I am missing something basic, but I cannot see it. Any help or pointers are appreciated.


Re: FWLB question

Hi,

Try using a /32 VIP address mask:

class-map match-any INTERNAL_GATEWAY
  2 match virtual-address 192.168.252.1 255.255.255.255 any

The VIP address mask should not overlap with the ACE interface VLAN (vlan 253).

Regards,

Jasmina
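The overlap the reply points out can be checked mechanically before a config is pushed: the mask on `match virtual-address` is a network mask, so `192.168.252.1 255.255.255.0` claims the whole 192.168.252.0/24, which contains the ACE's own vlan 253 address 192.168.252.200. The script below is an added example, not from the original thread or from Cisco; it parses the abbreviated ACE syntax used in the post (a constructed sample, with the questioner's VIPs and interfaces) and reports every non-host VIP match that contains an ACE interface address, treating the 0.0.0.0/0 catch-all as the intentional any-destination match.

```python
import ipaddress
import re

# Constructed sample in the abbreviated ACE syntax used in the post:
# the two VIP class-maps and the two ACE interface VLANs.
SAMPLE_CONFIG = """
class-map match-any INTERNAL_GATEWAY
  2 match virtual-address 192.168.252.1 255.255.255.0 any
class-map match-any INTERNAL_TRAFFIC
  2 match virtual-address 0.0.0.0 0.0.0.0 any
interface vlan 253
  ip address 192.168.252.200 255.255.255.0
interface vlan 254
  ip address 192.168.254.251 255.255.255.0
"""

VIP_RE = re.compile(r"^\s*\d+\s+match virtual-address (\S+) (\S+)")
IF_RE = re.compile(r"^\s*interface vlan (\d+)")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)")


def parse(config):
    """Return ([(vip_network, class_map_name)], [(vlan_id, interface_address)])."""
    vips, ifaces, current_class, current_vlan = [], [], None, None
    for line in config.splitlines():
        if line.strip().startswith("class-map"):
            current_class, current_vlan = line.split()[-1], None
        elif (m := IF_RE.match(line)):
            current_vlan, current_class = m.group(1), None
        elif (m := VIP_RE.match(line)) and current_class:
            # The mask is a network mask: 255.255.255.0 matches the whole
            # subnet, not just the VIP host address.
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            vips.append((net, current_class))
        elif (m := IP_RE.match(line)) and current_vlan:
            ifaces.append((current_vlan, ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")))
    return vips, ifaces


def overlapping_vips(config):
    """(class_map, vlan) pairs whose VIP match range contains an ACE interface address.

    /32 host VIPs never trigger; the 0.0.0.0/0 catch-all is skipped as the
    intentional any-destination match (INTERNAL_TRAFFIC in the post)."""
    vips, ifaces = parse(config)
    return [(cls, vlan) for net, cls in vips for vlan, iface in ifaces
            if net.prefixlen not in (0, 32) and iface.ip in net]


if __name__ == "__main__":
    for cls, vlan in overlapping_vips(SAMPLE_CONFIG):
        print(f"class-map {cls}: VIP mask covers ACE interface on vlan {vlan}; use a /32 mask")
```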
