topic ACE Complex Design in Application Networking

ACE Complex Design

helsayed78 — Sun, 24 Jun 2012 12:02:24 GMT

Guys,
I am facing some problems with my ACE design and would like or thoughts and feedback on this:

I have an ACE with a client side and a Server Farm interface.
The client side layer 3 interfaces resides on the core backbone and the Server Farm layer 3 interface is behind a Firewall.
We have a two other servers load balanced located in the server farm and loadbalaced using Cisco ACE ( using a VIP Client Side IP).

Here is what we are facing:

The load balancing is working correctly when traffic is coming from any other subnet other than the server farm.

In other words Loadbalancing is not working with VIP IP for servers that reside in the server farm since there is a serverfarm interface on the ACE.

Does anyone have a clue.

Regards,

Hesham

ACE Complex Design

ajayku2 — Sun, 24 Jun 2012 12:20:27 GMT

Hi Hesham,

The solution is quite easy apply multimatch policy for the VIP in the serverfarm VLAN interface.

This will fix the issue.

When traffic hit the interface it match the class map and use the policy applied on that interface for loadbalancing.

Since you have not applied any policy on the server vlan interface it is not going to do any load balancing.

Hope it helps.

regards,

Ajay Kumar

ACE Complex Design

helsayed78 — Sun, 24 Jun 2012 12:43:04 GMT

You mean under the Server Farm VLAN ?? and what is the exact syntax that should be used?

Regards,

Hesham

ACE Complex Design

helsayed78 — Sun, 24 Jun 2012 12:51:32 GMT

Here is the configuration:

class-map match-all Test-C1
2 match virtual-address 172.X.X.X any
class-map type management match-any REMOTE-MGMT
description ---------Enable remote access---------
10 match protocol ssh any
20 match protocol icmp any
30 match protocol https any

policy-map type management first-match REMOTE-ACCESS
class REMOTE-MGMT
permit

policy-map type loadbalance first-match Test-POLICY
class class-default
sticky-serverfarm Test-Stickiness

policy-map multi-match SF-POLICY
class Test

    loadbalance vip inservice
    loadbalance policy Test-POLICY
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 800

interface vlan 100

description ---------SERVER SIDE INTERFACE--------
ip address 172.X,X,X, 255.255.255.0
alias 172.X,X,X, 255.255.252.0
peer ip address 172.X,X,X, 255.255.252.0
no normalization
mac-sticky enable
no icmp-guard
access-group input ACL-IN
nat-pool 1 172.X,X,X,X, 172.X,X,X,X netmask 255.255.252.0 pat
service-policy input REMOTE-ACCESS
no shutdown

interface vlan 200 description ---------CLIENT SIDE INTERFACE---------
ip address 172.Y.Y Y. Y.255.255.255.0
alias 172.Y.Y.Y.y 255.255.255.0
peer ip address Y.Y.yYU 255.255.255.0
no normalization
no icmp-guard
access-group input ACL-IN
service-policy input Test-POLICY
service-policy input REMOTE-ACCESS
no shutdown

ACE Complex Design

ajayku2 — Sun, 24 Jun 2012 12:54:44 GMT

Hi,

It is same as you have used in client VLAN interface.

Something like this

Admin(config-if)# service-policy input vippolicy

In case if you still have confusion attach the running config and let me know the VIP IP.

regards,

Ajay Kumar

ACE Complex Design

ajayku2 — Sun, 24 Jun 2012 13:02:50 GMT

I am not sure why you have applied only

service-policy input Test-POLICY <<< You should have applied mutimatch policy SF-POLICY >>

Something like this:

service-policy input SF-POLICY

So the solution is to apply:

interface vlan 100

service-policy input SF-POLICY

Check and let me know if it helps.

regards,

Ajay Kumar

ACE Complex Design

helsayed78 — Sun, 24 Jun 2012 15:39:33 GMT

could you send me your private email so I can send you the config file

ACE Complex Design

ajayku2 — Sun, 24 Jun 2012 16:28:41 GMT

I have seen your config in the above. I am trying to say that you should apply this line in following interface.

interface vlan 100

service-policy input SF-POLICY <<<<<< Type this line by going to interface 100 >>>>>>>

no shutdown

Do the testing and let me know if it works for you.

ACE Complex Design

helsayed78 — Mon, 25 Jun 2012 05:32:08 GMT

I did so and didn't work.

Regards,

ACE Complex Design

ajayku2 — Mon, 25 Jun 2012 06:55:15 GMT

Two things to check:

1) Default gateway should point to ACE for this to work.

2) The return traffic from real server may be going to the server directly. Adding a NAT should fix this issue.

You can check the symptoms as shown below:

show conn | in ip address of server ( Acting as client)

See if connection is going to ACE or not.

See if the connection is getting load balanced or not.

If it is load balancing then the issue is real server is responding directly to server ( Client) and hence the connection is getting dropped. So add a NAT to fix the issue.

ACE Complex Design

Cesar Roque — Mon, 25 Jun 2012 19:45:08 GMT

Hi Hesham,

You probably need a nat-pool to make it work, please send me the running config or showtech of the Context where you have this setup