topic Re: Cisco ACE: Basic L3 load balancing in Application Networking

Cisco ACE: Basic L3 load balancing

Giorgio Romano — Mon, 20 Sep 2010 20:11:23 GMT

Hello everyone,

I need to balance L3 (routing) traffic using a cisco ace 4710 appliance with a "A3(2.5)" system version.

My rserver are some BlueCoat Proxy-SG in "proxy-transparent" mode.

My question is: is cisco ACE able to balance basic L3 traffic?

I followed this tutorial found on docwiki.cisco.com, but i cannot solve my problem.

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

can someone help me?

thank you in advance

Giorgio

Re: Cisco ACE: Basic L3 load balancing

david.stout — Tue, 21 Sep 2010 10:25:38 GMT

Can you attach your config so we can see what you have done and if there is something wrong ?

Re: Cisco ACE: Basic L3 load balancing

Giorgio Romano — Sun, 03 Oct 2010 16:34:42 GMT

Hi,

so, follow there is the configuration i've applied on the ACE:

access-list VLAN-2 line 8 extended permit ip any any
access-list VLAN-3 line 8 extended permit ip any any

rserver host Server-A
ip address 192.168.6.132
probe testa-tcp-Server-A
inservice
rserver host Server-B
ip address 192.168.6.133
probe testa-tcp-Server-B
inservice
rserver host Server-C
ip address 192.168.6.134
probe testa-tcp-Server-C
inservice

serverfarm host serverefarm-TRANSPARENT-PROXY
rserver Server-A
    inservice
rserver Server-B
    inservice
rserver Server-C
    inservice

class-map match-all vip-prova-transpa
2 match virtual-address 192.168.6.78 any

policy-map type loadbalance first-match policy-transparent
class class-default
serverfarm serverefarm-TRANSPARENT-PROXY

policy-map multi-match bilancia-transparent
class vip-prova-transpa
loadbalance vip inservice
loadbalance policy policy-transparent

interface vlan 2
ip address 192.168.6.70 255.255.255.224
alias 192.168.6.72 255.255.255.224
peer ip address 192.168.6.71 255.255.255.224
access-group input VLAN-532
service-policy input bilancia-transparent
no shutdown

interface vlan 3
ip address 192.168.6.130 255.255.255.240
alias 192.168.6.129 255.255.255.240
peer ip address 192.168.6.131 255.255.255.240
access-group input VLAN-3
no shutdown

the router has got as nex-hop the vip created with the class-map named "vip-prova-transpa"

the service policy is active and the Vserver IP (192.168.6.78) is issued but it doesn't seem to receive the L3 traffic from router.

Thank-You for every answer!

Giorgio Romano

Re: Cisco ACE: Basic L3 load balancing

Ivan Kovacevic — Sun, 03 Oct 2010 22:48:03 GMT

Hi Giorgio,

Seems to me you are trying to do transparent load-balancing in a wrong way. With this config the ACE is expecting traffic destined to VIP 192.168.6.78. However, the concept of transparent LB is based on the fact the you have to load-balance connection to any destination. Therefore, what you actually need is a "catch-all" VIP:

class-map match-all vip-prova-transpa
2 match virtual-address 0.0.0.0 0.0.0.0

Also, the serverfarm needs to be trasparent (ACE should not change the destination IP to the rserver IP):

serverfarm host serverefarm-TRANSPARENT-PROXY

transparent

You should also point your router to the ACE alias address 192.168.6.72 on vlan2. You might also need to enable mac-sticky on your interfaces and some other features depending on your L2 topology and design requirements.

Ivan

Re: Cisco ACE: Basic L3 load balancing

Giorgio Romano — Mon, 04 Oct 2010 11:37:11 GMT

Hi Ivan,

thank you for your answer.

As soon as possible I'm gonna apply your configuration to the ACE.

I'll keep you posted.

Thank you

Giorgio

Re: Cisco ACE: Basic L3 load balancing

wshuffman — Tue, 05 Oct 2010 13:01:00 GMT

I understand the ACE config. If two transparent proxies are used behind the ACE bridging two vlans, how do you prevent spanning-tree from blocking one port and have traffic flowing through both proxies?

Re: Cisco ACE: Basic L3 load balancing

Ivan Kovacevic — Tue, 05 Oct 2010 13:08:57 GMT

The ACE is not bridging the two vlans

Re: Cisco ACE: Basic L3 load balancing

Giorgio Romano — Thu, 07 Oct 2010 08:48:36 GMT

Hi Ivan,

it works, but in the class-map named "vip-prova-transpa" I had to enter the string "0.0.0.0" in virtual ip-address mask field.

without this string it doesn't work.

thank-you very much ivan!

Giorgio Romano

Re: Cisco ACE: Basic L3 load balancing

Ivan Kovacevic — Thu, 07 Oct 2010 09:17:48 GMT

Ah, my mistake... "match virtual-address 0.0.0.0 0.0.0.0" is correct config.

I am glad it is working now. Please mark the thread as "Answered".

Re: Cisco ACE: Basic L3 load balancing

wshuffman — Thu, 07 Oct 2010 12:21:18 GMT

I am confused about the subnet masks he used on the two vlans. We are trying to do this with a /24 network. The client will be 192.168.200.10 and have to pass throught the ACE -> Proxy -> 192.168.200.1 (gateway). Did he just pick 2 subnet masks that are inside of the /24 subnet?

Re: Cisco ACE: Basic L3 load balancing

Ivan Kovacevic — Thu, 07 Oct 2010 19:36:01 GMT

In this case the ACE is in routed mode, and we could use any IP addresses on it's interfaces (like 1.1.1.1 and 10.10.10.10).

In your case, if all the devices need to be L2 between the client and the DG, then ACE needs be in bridged mode. The config stays as it is shown above (with my corrections), except the interface part:

interface vlan 2 bridge-group 1 access-group input VLAN-532 service-policy input bilancia-transparent no shutdown interface vlan 3 bridge-group 1 access-group input VLAN-3 no shutdown interface bvi 1 ip address 192.168.200.x 255.255.255.0 no shutdown

Of course, real server IPs also need to be from 192.168.200.0/24 subnet.

Now for all this to work, we need to do a trick: for the clients, the DG needs to be the ACE BVI address 192.168.200.x. This is because the clients need to send the packet with the destination MAC address of the ACE. After that ACE creates a connection and load-balances the packet to one of the proxy-servers and send the packet with destination MAC address of the proxy-server where the connection is load-balanced. After this the transparent proxy-server should do it's thing and forward the packet with the destination MAC address of the real DG 192.168.200.1. During whole this process packet's source and destination IPs are unchanged.

Re: Cisco ACE: Basic L3 load balancing

Giorgio Romano — Fri, 08 Oct 2010 07:24:41 GMT

done!!

thank you very much again

Giorgio Romano