12-16-2011 03:57 PM
We are using the OVH configuration help guide, http://help.ovh.ie/VrackLoadBalancingACESimple
We have the following setup:
vlan 1515 is where the load balancer is, and vlan 2911 is where all the servers are. There is a 199.239.227.0/24 public IP block assigned to the ACE. The ACE uses active/passive FT.
The purpose of the config is to distribute http traffic equally across 5 real servers based on the number of connections each has.
According to the OVH guide, we should have "access-group input ANY" on both vlans to make it work. However, when we put "access-group input ANY" on vlan 1515 (the one where the ACE and all the public IPs are), all the IPs stop responding, including the one used to connect to the ACE. Once we remove the "access-group input ANY" line, the ACE is connectable and all the vIPs are pingable; however, we are still not able to connect to the ACE on the http port, and telnet shows port 80 is not open.
access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
  interval 30
  passdetect interval 60

rserver host abc
  ip address 172.16.0.1
  inservice
rserver host abcd
  ip address 172.16.0.2
  inservice
rserver host abcde
  ip address 172.16.0.3
  inservice
rserver host abcdef
  ip address 172.16.0.4
  inservice
rserver host abcdefg
  ip address 172.16.0.5
  inservice

serverfarm host FARM_WEB
  predictor leastconns
  probe PROBE_TCP
  rserver abc
    inservice
  rserver abcd
    inservice
  rserver abcde
    inservice
  rserver abcdef
    inservice
  rserver abcdefg
    inservice

parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance

class-map match-any L4-WEB-IP
  2 match virtual-address 199.239.227.1 tcp eq www
  3 match virtual-address 199.239.227.2 tcp eq www
  ......
  248 match virtual-address 199.239.227.249 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-all TEST
  2 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match TEST_ALLOW
  class TEST
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 2911
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 1515
  ip address 199.239.227.250 255.255.255.0
  alias 199.239.227.249 255.255.255.0
  peer ip address 199.239.227.251 255.255.255.0
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  no shutdown
interface vlan 2911
  ip address 172.31.255.250 255.240.0.0
  alias 172.31.255.249 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat
  service-policy input TEST_ALLOW
  no shutdown

ft track interface VLAN1515
  track-interface vlan 1515
  peer track-interface vlan 1515
  priority 50
  peer priority 5

ip route 0.0.0.0 0.0.0.0 199.239.227.254

username XXX password 5 XXX role Admin domain default-domain
rbx-99-6k-ace-1/vrack1234# show running-config
Generating configuration....

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
  interval 30
  passdetect interval 60

parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance

rserver host testvrack1.ovh.net
  ip address 172.16.0.1
  conn-limit max 50000 min 40000
  inservice
rserver host tesvrack2.ovh.net
  ip address 172.16.0.2
  conn-limit max 50000 min 40000
  inservice

serverfarm host FARM_WEB
  predictor leastconns
  probe PROBE_TCP
  rserver testvrack1.ovh.net
    inservice

class-map match-all L4-WEB-IP
  2 match virtual-address 178.33.8.65 tcp eq www
class-map type management match-all REMOTE_ACCESS
  2 match protocol ssh any
class-map type management match-all TEST
  2 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
policy-map type management first-match TEST_ALLOW
  class TEST
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm FARM_WEB
    insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
  class L4-WEB-IP
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 1234
    appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 123
  ip address 178.33.8.77 255.255.255.240
  access-group input ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input WEB-to-vIPs
  no shutdown
interface vlan 1234
  ip address 172.31.255.251 255.240.0.0
  access-group input ANY
  nat-pool 1 172.31.255.250 172.31.255.250 netmask 255.240.0.0 pat
  service-policy input TEST_ALLOW
  no shutdown
12-19-2011 02:48 AM
Good morning,
Adding the ACL to allow traffic is a must. The ACE includes an implicit deny all on the interfaces, so the ACL is required to override this.
With this said, I suspect that your issue may be due to a faulty FT configuration leading to an active/active situation when the ACL is configured. I would check this first.
Daniel
12-20-2011 10:58 AM
Hi
Thanks very much for reply.
I found the problem.
Any time we put more than 214 IPs on the interface, it gets disconnected.

class-map match-any L4-WEB-IP
  2 match virtual-address 1**.2**.227.1 tcp eq www
  3 match virtual-address 1**.2**.227.2 tcp eq www
  ......
  214 match virtual-address 1**.2**.227.213 tcp eq www

If we put the line "215 match virtual-address 1**.2**.227.214 tcp eq www", the interface will be disconnected. To put it back, there are two ways: 1. remove the 215 line; 2. remove the ACL from interface 1515.
Please let us know if it is a bug.
12-20-2011 11:41 AM
Which version is running on the ACE module? You should alert OVH and ask them to open a case.
12-21-2011 12:10 AM
Good morning,
Yes, that looks like a possible bug. As Surya suggested, the best approach would be to open a TAC service request to have it investigated further.
I have two questions for you:
Regards
Daniel
12-21-2011 05:00 AM
Good morning:
Thanks for replying Surya and Daniel.
Daniel, to answer your two questions.
We have about 700+ websites on the serverfarm, and we are trying to give a dedicated IP to each site.
We are worried about two points.
1. If we define the whole range, it will conflict with interface 1515's IP (as the interface uses a public IP inside the /24 as well).
2. "2 match virtual-address 1**.2**.227.0/255.255.255.0 tcp eq www": to be specific, are you suggesting putting this line in the class map and clearing the rest?
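As an added example (not from this thread, OVH or Cisco), a small Python lint over an ACE running-config excerpt that flags the two points raised above: an interface with no access-group bound, which as Daniel notes leaves the implicit deny in force, and a virtual-address that overlaps the interface's own ip/alias/peer address, the conflict the original poster worries about when matching the whole /24. The sample config is constructed from the addresses posted in the thread, the 214 threshold is the poster's observation, and the parser only understands the keywords shown here.

```python
import ipaddress
import re

# Constructed excerpt modelled on the configs posted in this thread, not a device dump.
SAMPLE_CONFIG = """\
class-map match-any L4-WEB-IP
  2 match virtual-address 199.239.227.1 tcp eq www
  3 match virtual-address 199.239.227.2 tcp eq www
  248 match virtual-address 199.239.227.249 tcp eq www
interface vlan 1515
  ip address 199.239.227.250 255.255.255.0
  alias 199.239.227.249 255.255.255.0
  peer ip address 199.239.227.251 255.255.255.0
  access-group input ANY
  no shutdown
interface vlan 2911
  ip address 172.31.255.250 255.240.0.0
  peer ip address 172.31.255.251 255.240.0.0
  no shutdown
"""
# Match-line count at which the original poster saw the interface drop (this thread's observation).
OBSERVED_MATCH_LIMIT = 214

def parse_ace_config(text):
    interfaces, vips, cur = {}, [], None   # interfaces: vlan -> {"addrs": set, "acl": bool}
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():  # unindented line: a new top-level block starts
            m = re.match(r"interface vlan (\d+)$", line)
            cur = interfaces.setdefault(m.group(1), {"addrs": set(), "acl": False}) if m else None
        elif m := re.match(r"\d+ match virtual-address (\S+)", line):
            # host VIPs become /32; the "a.b.c.0/255.255.255.0" form stays a whole network
            vips.append(ipaddress.ip_network(m.group(1), strict=False))
        elif cur is not None:
            if m := re.match(r"(?:peer ip address|ip address|alias) (\S+) ", line):
                cur["addrs"].add(ipaddress.ip_address(m.group(1)))
            elif line.startswith("access-group input "):
                cur["acl"] = True
    return interfaces, vips

def lint(text):
    interfaces, vips = parse_ace_config(text)
    findings = []
    for vlan, iface in sorted(interfaces.items()):
        if not iface["acl"]:  # ACE applies an implicit deny unless an access-group is bound
            findings.append(f"vlan {vlan}: no 'access-group input', inbound traffic is dropped")
        for addr in sorted(iface["addrs"]):
            findings += [f"vlan {vlan}: VIP {vip} overlaps interface address {addr}" for vip in vips if addr in vip]
    if len(vips) > OBSERVED_MATCH_LIMIT:
        findings.append(f"L4-WEB-IP has {len(vips)} match lines, above the {OBSERVED_MATCH_LIMIT} reported stable")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see the alias collision on vlan 1515 and the missing ACL on vlan 2911; feeding it a class-map with the /24 network form shows why that single line would also cover the interface's own addresses.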