ACE 4710 Load Balancer

b-cunningham · ‎12-03-2010

Hello,

I have a requirement to load balance between real servers on different subnets, but I need to preserve the original source IP address through the ACE. I know the ACE can do Asymmetric server normalization but that appears to require the servers to be on the same subnet. The traffic is just generic TCP and I don't want the ACE to take any action on the traffic other than to do basic balancing and allow me to direct all traffic to one server or the other for maintenance. Is there any way to accomplish routed load balancing that preserves the original source IP?

sachinga.hcl · ‎12-03-2010

Hi B-Cunningham,

Very simple !!

When you need the same user to be always sent to the same server, you need some sort of stickyness.

There are many different ways to achieve this.

Some predictor algorithms will by definition always select the same server for a given client. This is the case with the source ip hashing predictor.

But very often you will need to configure a sticky method in combination with your predictor algorithm.

What is the source ip hash predictor a sticky method ?

Actually, this is not a sticky method. But since the hash algorithm always give the same result for a given source ip address, it guarantees that a client using the same ip address will always be sent to the same server.

The advantage is that it does not require to configure a specific sticky method. It also works without the need for a sticky table. So it does preserve resources.

But the hash function will have different results when you add or remove a server. Therefore, when your rserver list is modified your clients might be sent to different servers breaking stickyness.

Is sticky source ip a good solution ?

Because of the changing hash results mentioned above, most people will prefer to use a standard predictor (roundrobin , leastconn, ...) and add a sticky source ip option.

The idea is to also use the source ip address to identify the client and select the corresponding server.

Unlike the hash method, the stick source ip solution will need sticky resources to save the information necessary for ACE to remember which client uses which server.

The advantage of the sticky option is that the sticky table is not affected when the rserver list is modified.

Why not use sticky source ip ?

Very often this solution is enough to guarantee stickyness.

But because a lot of clients do not have a static ip address, this method does not work.

There is also the problem of proxy servers hiding many clients behind a single ip address resulting in rserver overload when using sticky source ip.

For HTTP the solution is to use information contained in the client HTTP request and server HTTP response.

An HTTP Cookie is an object used by a server to identify HTTP clients. A loadbalancer can therefore also use this information to map a client to a server.

One drawback of hash predictor is that the hash predictor methods do not recognize the weight value you configure for real servers. The ACE uses the weight that you assign to real servers only in the round-robin and least-connections predictor methods.

Here is the hash algorithm

((_key) + (_key >> 8) + (_key >> 16) + (_key >> 24))The _key in this case is the source ip address has an unsigned 32 bits number.You then do rserver_index = hash % number_of_rserver.

Session persistence (stickiness) based on client source IP address or HTTP cookies are recommended to be configured on the Cisco ACE for this flow.

IP Address Stickiness

You can use the source IP address, the destination IP address, or both to uniquely identify individual clients and their requests for stickiness purposes based on their IP netmask. However, if an enterprise or a service provider uses a megaproxy to establish client connections to the Internet, the source IP address no longer is a reliable indicator of the true source of the request. In this case, you can use cookies or one of the other sticky methods to ensure session persistence.

Here can be the sample configuration:

resource-class websrv

limit-resource all minimum 0.00 maximum unlimited

limit-resource sticky minimum 20.00 maximum equal-to-min

rserver host webserver1

ip address 10.10.10.1

inservice

rserver host webserver2

ip address 10.10.10.2

inservice

rserver host webserver3

ip address 10.10.10.3

inservice

serverfarm host werbsrv1only

probe websrv

rserver webserver1 1000

inservice

serverfarm host werbsrv123

probe websrv

rserver webserver1 1000

inservice

rserver webserver2 1000

inservice

rserver webserver3 1000

inservice

ACE receives requests to the VIP on port 80 and translates them to port 1000 using the server farm configuration shown above.

The link to the websrv home page is http://websrv:1000/index.html. A probe to this link is configured on ACE as follows:

probe http websrv

port 1000

interval 2

faildetect 2

passdetect interval 2

request method get url /index.html

expect status 200 200

Session persistence can be established by tying the session to an IP address, that uniquely identifies the client.

Create a sticky-group

sticky ip-netmask 255.255.255.255 address source Client_subnet_1

timeout 10

serverfarm werbsrv1only

Change the server farm to the sticky-group:

policy-map type loadbalance first-match basic-slb

class class-default

sticky-serverfarm werbsrv1only

sticky ip-netmask 255.255.255.255 address source Client_subnet_2

timeout 10

serverfarm werbsrv123

sticky ip-netmask 255.255.255.255 address source Client_subnet_3

timeout 10

serverfarm werbsrv123

Here you can find the details in the below url :

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411

I have also attached a jpeg for your reference.

Hope you will get the idea how to use the sticky based on IP address.

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/sticky.html#wp1004411

Here you can find sample config of similar type:

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6906/prod_white_paper0900aecd804edab0.html

HTH .

Please rate if you find it useful.

Thanks and regards,

Sachin Garg

Senior Specialist Security

HCL Comnet Ltd.

http://www.hclcomnet.co.in

A-10, Sector 3, Noida- 201301

INDIA

b-cunningham · ‎12-03-2010

Thank you very much for your reply Sachin, however my question wasn’t so much about session stickyness as how to make sure the rserver sees the original source IP address (no nat), when the load balancer is not on the same subnet as the rserver.

The load balancer will be on the same subnet as one of the rservers but the other two are on different subnets. All need to see the original source IP address of the tcp connection.

pablo.nxh · ‎12-03-2010

Hi buddy,

In your case since these two servers you mentioned do not share a VLAN with the ACE

the only way to get LB working w/o S-NAT is with policy based routing on server's default gateway so that

you can force the response to go through the ACE. PBR can be hard to t-shoot though.

If you're dealing with HTTP or HTTPS traffic (offloaded on the ACE) then you can still use S-NAT with the header insertion feature,

With header insertion the ACE will inject a new HTTP header containing the source IP of the original client, commonly known as

X-Forwarded-For.

Here is a config example:

policy-map type loadbalance http first-match WEB_L7_POLICY
  class class-default
    serverfarm SF-1
    insert-http X-Forwarded-For header-value "%is"

HTH
__ __ 
Pablo

b-cunningham · ‎12-03-2010

Thank you Pablo.

I was afraid of that. Is there a way to do static 1 to 1 NAT on the ACE?

Brad

sachinga.hcl · ‎12-03-2010

Hi Friend,

This could be helful for static NAT

rserver host SERVER-10.1
ip address 10.0.10.1
inservice

rserver host SERVER-10.2
ip address 10.0.10.2
inservice

serverfarm host FARM_20.1:80
failaction purge
rserver SERVER-10.1 21
inservice
rserver SERVER-10.2 21
inservice

class-map match-any L4-MAP-NAT
2 match source address 10.0.10.1 255.255.255.255
3 match source address 10.0.10.2 255.255.255.255

class-map match-all L4-MAP-FARM_20.1:21
2 match virtual-address 10.0.20.1 tcp eq www

policy-map type loadbalance first-match L7-FARM_20.1:80
class class-default
serverfarm FARM_20.1:80

policy-map multi-match L4-POLICYMAPMULTI-LOADBALANCE
class L4-MAP-FARM_20.1:21
loadbalance vip inservice
loadbalance policy L7-FARM_20.1:80
loadbalance vip icmp-reply active

policy-map multi-match L4-POLICYMAPMULTI-NAT
class L4-MAP-NAT
nat static 10.0.21.1 netmask 255.255.255.255 vlan 151

service-policy input L4-POLICYMAPMULTI-LOADBALANCE

interface vlan 101
description SERVERSIDE
ip address 10.0.10.199 255.255.255.0
service-policy input L4-POLICYMAPMULTI-NAT
no shutdown

interface vlan 151
description FIREWALLSIDE
ip address 10.0.0.2 255.255.255.240
no shutdown

Find the attached diagram in this respect.

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide,_Release_A2(x)_--_Troubleshooting_Network_Address_Translation

Kindly rate if you find it informative.

HTH

Sachin Garg

sachinga.hcl · ‎12-17-2010

Hi Friend,

Kindly update the status.

Kind Regards,

Sachin Garg

b-cunningham · ‎12-17-2010

Hello Sachin

We ended up using the ACE in transparent mode, putting all servers on the same subnet behind the ACE and using the ACE as their gateway.

We configured the second NIC on the servers for administrative access on a different subnet.

Thank you to everyone who responded.

Brad