Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1102
Views
0
Helpful
5
Replies

"access-group input ANY" problem

iamluheng
Level 1
Level 1

‎12-16-2011 03:57 PM

We are using OVH configure help guide, http://help.ovh.ie/VrackLoadBalancingACESimple

We have following setup:

vlan 1515 is where the load balancer is, and the vlan 2911 is where all the servers are. There is a 199.239.227.0/24 public IP assgin to the ACE.  The ACE use active/passive FT.

The purpose of the config is equally distribute http traffic to 5 real servers based on amount of connection it has.

And according to OVH guide, we should have "access-group input ANY" in both vlan to make it work. However, when we put an "access-group input ANY" with vlan 1515(the one where ACE and all the public IP is), all the IP stop responding including the one used to connect to the ACE. once we remove the "access-group input ANY" line, the ACE is connectable as well as ALL the vIPs are all pingable. however we still not able to connect the ACE with the http port, and telnet shows the port 80 is not open.

Here is the config output of our server.(with "access-group input ANY" enable in vlan 1515, and all the vIPs is not responding to Ping as well as ACE is not connectable.)

access-list ANY line 8 extended permit icmp any any

access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP

  interval 30

  passdetect interval 60

rserver host abc

  ip address 172.16.0.1

  inservice

rserver host abcd

  ip address 172.16.0.2

  inservice

rserver host abcde

  ip address 172.16.0.3

  inservice

rserver host abcdef

  ip address 172.16.0.4

  inservice

rserver host abcdefg

  ip address 172.16.0.5

  inservice

serverfarm host FARM_WEB

  predictor leastconns

  probe PROBE_TCP

  rserver abc

    inservice

  rserver abcd

    inservice

  rserver abcde

    inservice

  rserver abcdef

    inservice

  rserver abcdefg

    inservice

parameter-map type http HTTP_PARAMETER_MAP

  persistence-rebalance

class-map match-any L4-WEB-IP

  2 match virtual-address 199.239.227.1 tcp eq www

  3 match virtual-address 199.239.227.2 tcp eq www

......

  248 atch virtual-address 199.239.227.249 tcp eq www

class-map type management match-all REMOTE_ACCESS

  2 match protocol ssh any

class-map type management match-all TEST

  2 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

  class REMOTE_ACCESS

    permit

policy-map type management first-match TEST_ALLOW

  class TEST

    permit

policy-map type loadbalance http first-match WEB_L7_POLICY

  class class-default

    serverfarm FARM_WEB

    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs

  class L4-WEB-IP

    loadbalance vip inservice

    loadbalance policy WEB_L7_POLICY

    loadbalance vip icmp-reply active

    nat dynamic 1 vlan 2911

    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 1515

  ip address 199.239.227.250 255.255.255.0

  alias 199.239.227.249 255.255.255.0

  peer ip address 199.239.227.251 255.255.255.0

  access-group input ANY

  service-policy input REMOTE_MGMT_ALLOW_POLICY

  service-policy input WEB-to-vIPs

  no shutdown

interface vlan 2911

  ip address 172.31.255.250 255.240.0.0

  alias 172.31.255.249 255.240.0.0

  peer ip address 172.31.255.251 255.240.0.0

  access-group input ANY

  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat

  service-policy input TEST_ALLOW

  no shutdown

ft track interface  VLAN1515

  track-interface vlan 1515

  peer track-interface vlan 1515

  priority 50

  peer priority 5

ip route 0.0.0.0 0.0.0.0 199.239.227.254

username XXX password 5 XXX  role Admin domain default-domain

Here is the config in the OVH website:

rbx-99-6k-ace-1/vrack1234# show running-config

Generating configuration....


access-list ANY line 8 extended permit icmp any any

access-list ANY line 16 extended permit ip any any


probe tcp PROBE_TCP

interval 30


passdetect interval 60



parameter-map type http HTTP_PARAMETER_MAP

persistence-rebalance



rserver host testvrack1.ovh.net

ip address 172.16.0.1


conn-limit max 50000 min 40000


inservice


rserver host tesvrack2.ovh.net

ip address 172.16.0.2


conn-limit max 50000 min 40000


inservice



serverfarm host FARM_WEB

predictor leastconns


probe PROBE_TCP


rserver testvrack1.ovh.net


inservice



class-map match-all L4-WEB-IP

2 match virtual-address 178.33.8.65 tcp eq www


class-map type management match-all REMOTE_ACCESS

2 match protocol ssh any


class-map type management match-all TEST

2 match protocol icmp any



policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY

class REMOTE_ACCESS


permit


policy-map type management first-match TEST_ALLOW

class TEST


permit



policy-map type loadbalance http first-match WEB_L7_POLICY

class class-default


serverfarm FARM_WEB


insert-http x-forward header-value "%is"



policy-map multi-match WEB-to-vIPs

class L4-WEB-IP


loadbalance vip inservice


loadbalance policy WEB_L7_POLICY


loadbalance vip icmp-reply active


nat dynamic 1 vlan 1234


appl-parameter http advanced-options HTTP_PARAMETER_MAP



interface vlan 123

ip address 178.33.8.77 255.255.255.240


access-group input ANY


service-policy input REMOTE_MGMT_ALLOW_POLICY


service-policy input WEB-to-vIPs


no shutdown


interface vlan 1234

ip address 172.31.255.251 255.240.0.0


access-group input ANY


nat-pool 1 172.31.255.250 172.31.255.250 netmask 255.240.0.0 pat


service-policy input TEST_ALLOW


no shutdown

Labels:
0 Helpful
5 Replies 5

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee

‎12-19-2011 02:48 AM

Good morning,

Adding the ACL to allow traffic is a must. The ACE includes a implicit deny all on the interfaces, so, the ACL is required to override this.

With this said, I suspect that your issue may be due to a faulty FT configuration leading to an active/active situation when the ACL is configured. I would check this first.

Daniel

0 Helpful

iamluheng
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎12-20-2011 10:58 AM

Hi

Thanks very much for reply.

I found the problem.

Any time put more than 214 IPs in the interface, it will

get disconnected.

class-map match-any L4-WEB-IP

    2 match virtual-address 1**.2**.227.1 tcp eq www

    3 match virtual-address 1**.2**.227.2 tcp eq www

  ......

    214 atch virtual-address 1**.2**.227.213 tcp eq www

If we put line "215 match virtual-address 1**.2**.227.214

tcp eq www", the interface will disconnected. to put it

back, two ways: 1. remove the 215 line. 2. remove ACL from

interface 1515.

Please let us know if it is a bug.

0 Helpful

Surya ARBY
Level 4
Level 4
In response to iamluheng

‎12-20-2011 11:41 AM

Which version is running on the ACE module ? You should alert OVH and ask them to open a case.

0 Helpful

Daniel Arrondo Ostiz
Cisco Employee
Cisco Employee
In response to Surya ARBY

‎12-21-2011 12:10 AM

Good morning,

Yes, that looks like a possible bug. As Surya suggested, the best approach would be to open a TAC service request to have it investigated further.

I have two questions for you:

  • Why do you need to define more than 200 IP addresses on a single class? You are sending all the connections to the same serverfarm, so why not using a single VIP address?
  • The ACE provides the option to define a VIP as a range of addresses (by configuring a netmask after the address). Any specific reason why you are not using this instead of defnining the whole range? Doing this would probably solve your issue.

Regards

Daniel

0 Helpful

iamluheng
Level 1
Level 1
In response to Daniel Arrondo Ostiz

‎12-21-2011 05:00 AM

Good morning:

Thanks for replying Surya and Daniel.

Daniel, to answer your two questoin.

  • Why do you need to define more than 200 IP addresses on a single class? You are sending all the connections to the same serverfarm, so why not using a single VIP address?

We have about 700+ website on the serverfarm, and we are trying to give dedicated IP for each of the site.

  • The ACE provides the option to define a VIP as a range of addresses (by configuring a netmask after the address). Any specific reason why you are not using this instead of defnining the whole range? Doing this would probably solve your issue.

We are worrying two point.

1. if we define the whole range, it will conficts with interface 1515's IP(as the interface use public IP inside the /24 as well).

2.  "2 match virtual-address 1**.2**.227.0/255.255.255.0 tcp eq www", to be speicific, are you suggesting put this line in the class map and clear the rest?

0 Helpful
Customers Also Viewed These Support Documents