01-23-2013 06:33 AM
Hello all,
I am configuring a load balancer from Cisco, an ACE 4710.
Load balancing is completely new to me, and I am inexperienced in this field. It has to be configured for a customer that wants to load balance HTTP and RTSP traffic over 4 application servers (back-end).
I searched a lot on Google for possible solutions, and got RTSP to work in some way, but HTTP won't work, says my customer.
Is there someone that can help me with this issue, because I am running really low on options here? Underneath is the config that I have so far.
If you need a topology of the layout, please let me know and I will try to upload one.
Generating configuration....
logging enable
logging buffered 5
logging host 172.18.251.182 udp/514
logging host 172.18.146.241 udp/514
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 30
peer hostname ACE4710-Zabrze-2
hostname ACE4710-Zabrze-1
interface gigabitEthernet 1/1
switchport access vlan 2000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 14,21
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
ft-port vlan 22
no shutdown
clock timezone mst 1 0
radius-server host 172.18.252.2 key 7 "01000F175004" authentication
radius-server host 172.18.250.2 key 7 "01000F175004" authentication
aaa group server radius prv_rad
server 172.18.252.2
server 172.18.250.2
switch-mode
ntp server 172.18.250.160
ntp server 172.18.251.160
aaa authentication login default group prv_rad local
access-list ALL remark Access for all, permit all
access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list PRV remark Access for Management
access-list PRV line 10 extended permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list STB remark Access For STB's to Serverfarm
access-list STB line 7 extended permit ip 10.0.0.0 0.255.255.255 172.25.248.0 0.0.0.255
access-list STB line 15 extended deny ip any any
probe tcp Traxis_HTTP
port 80
probe rtsp Traxis_RTSP
port 554
rserver host Traxis_FE1
description FE1
ip address 172.25.248.2
conn-limit max 4000000 min 4000000
probe Traxis_RTSP
probe Traxis_HTTP
fail-on-all
inservice
rserver host Traxis_FE2
description FE2
ip address 172.25.248.3
conn-limit max 4000000 min 4000000
inservice
rserver host Traxis_FE3
description FE3
ip address 172.25.248.4
conn-limit max 4000000 min 4000000
inservice
rserver host Traxis_FE4
description FE4
ip address 172.25.248.5
conn-limit max 4000000 min 4000000
inservice
serverfarm host Traxis
probe Traxis_HTTP
rserver Traxis_FE1
inservice
rserver Traxis_FE2
inservice
rserver Traxis_FE3
inservice
rserver Traxis_FE4
inservice
sticky ip-netmask 255.255.255.255 address source Sticky_Traxis
replicate sticky
serverfarm Traxis
class-map match-all L4STICKY-IP_6:ANY_CLASS
5 match virtual-address 172.25.255.6 tcp range 80 555
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
class class-default
sticky-serverfarm Sticky_Traxis
policy-map multi-match CLIENT_VIPS_PROD
class L4STICKY-IP_6:ANY_CLASS
loadbalance vip inservice
loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
loadbalance vip icmp-reply active
interface vlan 14
description Server_side
ip address 172.25.248.250 255.255.255.0
alias 172.25.248.1 255.255.255.0
peer ip address 172.25.248.251 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 21
description Firewall_Side
ip address 172.25.255.2 255.255.255.248
alias 172.25.255.4 255.255.255.248
peer ip address 172.25.255.3 255.255.255.248
access-group input ALL
service-policy input CLIENT_VIPS_PROD
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 2000
description management VLAN and Query interface VLAN
ip address 172.18.146.150 255.255.255.0
peer ip address 172.18.146.151 255.255.255.0
access-group input PRV
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 22
ip address 192.168.255.1 255.255.255.252
peer ip address 192.168.255.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 22
query-interface vlan 2000
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 172.18.0.0 255.255.0.0 172.18.146.1
ip route 0.0.0.0 0.0.0.0 172.25.255.1
snmp-server location "lb_env_traffic"
snmp-server community vnet_device_7Gxp2BdhXJ9Ke group Network-Monitor
snmp-server host 172.18.250.185 traps version 1 vnet_device_7Gxp2BdhXJ9Ke
snmp-server trap-source vlan 2000
snmp-server trap link ietf
I really hope someone in here can help me out!!!
Best Regards
Peter
01-25-2013 02:18 AM
Hello Peter,
You will have to give us more details, and I need to say up front that if much troubleshooting is needed we will ask you to open a TAC SR.
How exactly is it not working? Does the browser connect? Does it get an HTTP error?
I see that you are using the same VIP with multiple ports, so I guess that it's covering both the RTSP and HTTP LB. As you are using exactly the same setup for both services, from an LB perspective they should either both work or both fail, unless there is a difference on the servers: is the web server up and running, and is it listening on the same port that the client is connecting to on the VIP (so most likely 80)?
Two general considerations:
Cheers,
Francesco
01-25-2013 03:58 AM
Hi,
Thanks for replying Francesco.
Above you can see the layout of their setup.
At the moment HTTP traffic is working, but RTSP doesn't work.
To follow up on your remarks a bit.
The reason for one VIP, I guess, is that HTTP and RTSP should be hitting the same rserver. For that reason I created a stickiness, and the predictor (under serverfarm) was at first the default one, Round Robin; now I changed this to "HASH ADDRESS SOURCE".
The reason for this is, as the customer explains it:
When a user gets the catalog on the STB and selects a VOD movie to watch, he does a purchase.
When the purchase is completed, he tries to start watching the movie.
Say the purchase and the watch both end up on a different server. Then the server that receives the watch command doesn't know the user purchased the VOD movie and returns an unauthorized message, which results in the user not being able to watch his just-bought movie.
So both HTTP and RTSP requests should be received at the same rserver.
About the Admin context: I thought about this, but the customer didn't want it in another.
Below you find the new updated config:
ACE4710-Zabrze-1/Admin# sh run
Generating configuration....
logging enable
logging buffered 5
logging host 172.18.251.182 udp/514
logging host 172.18.146.241 udp/514
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
login timeout 30
peer hostname ACE4710-Zabrze-2
hostname ACE4710-Zabrze-1
interface gigabitEthernet 1/1
switchport access vlan 2000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 14,21
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
ft-port vlan 22
no shutdown
clock timezone mst 1 0
radius-server host 172.18.252.2 key 7 "01000F175004" authentication
radius-server host 172.18.250.2 key 7 "01000F175004" authentication
aaa group server radius prv_rad
server 172.18.252.2
server 172.18.250.2
switch-mode
ntp server 172.18.250.160
ntp server 172.18.251.160
aaa authentication login default group prv_rad local
access-list ALL remark Access for all, permit all
access-list ALL line 8 extended permit ip any any
access-list ALL line 10 extended permit icmp any any
access-list ALL line 15 extended permit tcp any any
access-list PRV remark Access for Management
access-list PRV line 10 extended permit ip 172.18.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list STB remark Access For STB's to Serverfarm
access-list STB line 7 extended permit ip 172.25.248.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list STB line 15 extended deny ip any any
probe tcp Traxis_HTTP
port 80
probe tcp Traxis_RTSP
port 554
rserver host Traxis_FE1
description FE1
ip address 172.25.248.2
conn-limit max 4000000 min 4000000
probe Traxis_HTTP
probe Traxis_RTSP
inservice
rserver host Traxis_FE2
description FE2
ip address 172.25.248.3
conn-limit max 4000000 min 4000000
probe Traxis_HTTP
probe Traxis_RTSP
inservice
rserver host Traxis_FE3
description FE3
ip address 172.25.248.4
conn-limit max 4000000 min 4000000
probe Traxis_HTTP
probe Traxis_RTSP
inservice
rserver host Traxis_FE4
description FE4
ip address 172.25.248.5
conn-limit max 4000000 min 4000000
probe Traxis_HTTP
probe Traxis_RTSP
inservice
serverfarm host Traxis
predictor hash address source
rserver Traxis_FE1
inservice
rserver Traxis_FE2
inservice
rserver Traxis_FE3
inservice
rserver Traxis_FE4
inservice
sticky ip-netmask 255.255.255.0 address source Sticky_Traxis
replicate sticky
serverfarm Traxis
class-map match-all L4STICKY-IP_6:ANY_CLASS
5 match virtual-address 172.25.255.6 any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match L7PLBSF_STICKY-NETMASK_POLICY
class class-default
sticky-serverfarm Sticky_Traxis
policy-map multi-match CLIENT_VIPS_PROD
class L4STICKY-IP_6:ANY_CLASS
loadbalance vip inservice
loadbalance policy L7PLBSF_STICKY-NETMASK_POLICY
loadbalance vip icmp-reply active
interface vlan 14
description Server_side
ip address 172.25.248.250 255.255.255.0
alias 172.25.248.1 255.255.255.0
peer ip address 172.25.248.251 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 21
description Firewall_Side
ip address 172.25.255.2 255.255.255.248
alias 172.25.255.4 255.255.255.248
peer ip address 172.25.255.3 255.255.255.248
access-group input ALL
service-policy input CLIENT_VIPS_PROD
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 2000
description management VLAN and Query interface VLAN
ip address 172.18.146.150 255.255.255.0
peer ip address 172.18.146.151 255.255.255.0
access-group input PRV
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 22
ip address 192.168.255.1 255.255.255.252
peer ip address 192.168.255.2 255.255.255.252
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 20
ft-interface vlan 22
query-interface vlan 2000
ft group 1
peer 1
priority 200
peer priority 150
associate-context Admin
inservice
ip route 172.18.0.0 255.255.0.0 172.18.146.1
ip route 10.0.0.0 255.0.0.0 172.25.255.1
snmp-server location "lb_env_traffic"
snmp-server community vnet_device_7Gxp2BdhXJ9Ke group Network-Monitor
snmp-server host 172.18.250.185 traps version 1 vnet_device_7Gxp2BdhXJ9Ke
snmp-server trap-source vlan 2000
snmp-server trap link ietf
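The purchase-then-watch requirement described in the post above, as a small Python model (an added example, not part of the thread and not the ACE's own algorithm). It assumes a plain round-robin predictor and a sticky table keyed on the masked source address; the set-top-box addresses are constructed, and the rserver names and netmasks are taken from the two posted configs.

```python
import ipaddress
from itertools import cycle

RSERVERS = ["Traxis_FE1", "Traxis_FE2", "Traxis_FE3", "Traxis_FE4"]  # names from the posted config

class RoundRobinFarm:
    """Predictor only: every new connection takes the next rserver."""
    def __init__(self, rservers):
        self._next = cycle(rservers)

    def pick(self, src_ip, dst_port):
        # The destination port plays no part: one VIP class covers 80 and 554.
        return next(self._next)

class StickyFarm:
    """Source-IP sticky group in front of a round-robin predictor (simplified model)."""
    def __init__(self, rservers, netmask):
        self._mask = int(ipaddress.IPv4Address(netmask))
        self._next = cycle(rservers)
        self.table = {}  # masked source address -> rserver

    def pick(self, src_ip, dst_port):
        key = int(ipaddress.IPv4Address(src_ip)) & self._mask
        if key not in self.table:          # first connection creates the entry
            self.table[key] = next(self._next)
        return self.table[key]             # later connections reuse it

def purchase_then_watch(farm, src_ip):
    """Return (rserver for the HTTP purchase on 80, rserver for the RTSP play on 554)."""
    return farm.pick(src_ip, 80), farm.pick(src_ip, 554)

def spread(farm, clients):
    """Number of distinct rservers that a set of clients ends up on."""
    return len({farm.pick(ip, 80) for ip in clients})

# Constructed set-top-box addresses inside the 10.0.0.0/8 range named by the STB ACL.
STBS = [f"10.1.1.{n}" for n in range(1, 9)]

if __name__ == "__main__":
    print("round robin     :", purchase_then_watch(RoundRobinFarm(RSERVERS), STBS[0]))
    print("sticky /32      :", purchase_then_watch(StickyFarm(RSERVERS, "255.255.255.255"), STBS[0]))
    print("rservers used /32:", spread(StickyFarm(RSERVERS, "255.255.255.255"), STBS))
    print("rservers used /24:", spread(StickyFarm(RSERVERS, "255.255.255.0"), STBS))
```

In this model the 255.255.255.255 mask from the first config keeps each box on its own rserver, while the 255.255.255.0 mask from the updated config pins every box in the same /24 to a single rserver.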
01-25-2013 04:49 AM
Hello Peter,
If it's RTSP that is not working, it might be that for your kind of traffic you would need to have inspection enabled; please see the example here:
If further analysis should be needed, then we would probably need a packet capture and to investigate this further inside a TAC case.
Cheers,
Francesco