ACE 4710 - Rserver with multiple ports ?

dclee

Currently migrating from a CSS to a new ACE for all our inbound ssl connections.

On the CSS, I could define multiple backend services, different tcp ports and 1 IP.

ex.

service TEST_HTTP22
  protocol tcp
  ip address 172.31.10.10
  port 22450

and

service TEST_HTTP25
  protocol tcp
  ip address 172.31.10.10
  port 22490

But now I have to define each backend web server as an RSERVER and it doesn't allow me to configure 2 rservers with the same IP.

Any help would be appreciated.

Cheers


Dave

Accepted Solution

cpomeroy

You would just create a single rserver, and add them to the serverfarm with the port numbers you want to use.  Here is an example:

rserver host IXIA_SRV1
  ip address 192.168.2.211
  inservice

serverfarm host IXIA
  rserver IXIA_SRV1 8001
    inservice
  rserver IXIA_SRV1 8002
    inservice


Thanks

Please take into account that traffic will be load balanced between both rservers with different ports.

Jorge

To migrate this config; configure two VIPs (two class-maps); two serverfarm (each being associated to one "service" aka port)

I totally agree with what Surya said.

Mixing ports might trigger expected behaviors

Connections can go to the correct port sometimes however also they can go to the other port configured as well.

Jorge

Just so I am clear, on the old CSS, the above config only used 1 VIP and worked fine. But I can't do this correctly on the ACE without burning 2 VIPs? I would be better off having each backend web server on their own server that is sharing ports.

Cheers

Dave

It's one IP address, but you'll have to define two class maps; one listening on port 22 and the other on port 25.

The vocabulary isn't clear sometimes.

A vip is an ip address; but sometimes people say "VIP" for virtual servers (IP / port).

Technically you have to define two virtual servers on one VIP.

Hi Dave,

Basically, you may need to have either 1 vip (virtual address) to hear on any port like this:

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb

class-map match-all slb-vip
  2 match virtual-address 172.16.1.100 any

policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web

serverfarm host web
  rserver server1
    inservice
  rserver server2
    inservice

Based on the configuration above, the ACE will receive the traffic on any port, then the servers will be responsible to hear on any port which you require (in your case 8001/8002); if not, the ACE might eventually load balance the traffic to a server which does not hear on the "correct" port and the connection will fail. As you may know, the ACE will keep the port which the connection started with until it reaches the servers. For example: if you hit 172.16.1.100 on port 8002, the ACE will keep port 8002 until the servers when it will load balance between the serverfarm which it has configured, so if both servers hear on both ports then any of them can handle the request.

Second option:

You can have the same VIP but listening on different ports like this:

policy-map multi-match client-vips
  class slb-vip-8081
    loadbalance vip inservice
    loadbalance policy slb-8081
  class slb-vip-8082
    loadbalance vip inservice
    loadbalance policy slb-8082

class-map match-all slb-vip-8081
  2 match virtual-address 172.16.1.100 tcp eq 8081

policy-map type loadbalance http first-match slb-8081
  class class-default
    serverfarm web-8081

serverfarm host web-8081
  rserver server1
    inservice

class-map match-all slb-vip-8082
  2 match virtual-address 172.16.1.100 tcp eq 8082

policy-map type loadbalance http first-match slb-8082
  class class-default
    serverfarm web-8082

serverfarm host web-8082
  rserver server2
    inservice

Hope this helps!!!

------------------------------

Jorge
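An added example, not part of any post in this thread: a small Python check over an ACE-style configuration that flags the two situations described in the post above, a VIP class-map that matches `any` port and a load-balance policy that names a serverfarm which is never defined (an easy slip when per-port serverfarms have similar names). The sample configuration is constructed, and the function names `parse_stanzas` and `audit` are hypothetical.

```python
# Constructed sample in ACE CLI style (not taken from a real device).
SAMPLE_CONFIG = """\
serverfarm host web-8082
  rserver server2
    inservice
class-map match-all slb-vip
  2 match virtual-address 172.16.1.100 any
class-map match-all slb-vip-8082
  2 match virtual-address 172.16.1.100 tcp eq 8082
policy-map type loadbalance http first-match slb-8081
  class class-default
    serverfarm web
policy-map type loadbalance http first-match slb-8082
  class class-default
    serverfarm web-8082
"""

def parse_stanzas(text):
    """Group indented lines under their top-level command line."""
    stanzas, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current = (line.split(), [])
            stanzas.append(current)
        elif current is not None:
            current[1].append(line.split())
    return stanzas

def audit(text):
    """Return sorted (kind, stanza_name, detail) findings."""
    stanzas = parse_stanzas(text)
    farms = {head[-1] for head, _ in stanzas if head[0] == "serverfarm"}
    findings = []
    for head, body in stanzas:
        name = head[-1]
        is_lb_policy = head[:3] == ["policy-map", "type", "loadbalance"]
        for words in body:
            # VIP matches every port, so the ACE forwards whatever port the client chose.
            if head[0] == "class-map" and "virtual-address" in words and words[-1] == "any":
                vip = words[words.index("virtual-address") + 1]
                findings.append(("vip-any-port", name, vip))
            # Load-balance policy pointing at a serverfarm that is never defined.
            if is_lb_policy and words[0] == "serverfarm" and len(words) > 1:
                if words[1] not in farms:
                    findings.append(("undefined-serverfarm", name, words[1]))
    return sorted(findings)
```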

Hi Jorge,

I've been a CLI engineer for years, but when it comes to configuration on ACE4710s, (I've done around 10 this year) I've found the GUI to be terrific.

You can literally configure real servers, VIPs, and serverfarms within minutes.

Looking at the configs after the GUI has finished, it uses the same technique as your second option in your last post,

i.e.  - multiple VIP class-maps, using the same IP address but on different ports

Long complex load balancing is almost too tricky using the CLI, the GUI makes life much easier, especially once multiple context are used as well !

Regards Tony

I followed jobejara's setup, but I found the following error when applying the policy at the interface:

"Error: vip address duplicates an existing interface with ip address"


Hi Max,

From the error it looks like you are defining an IP as a VIP which is already assigned to an interface. This will cause problems in the network with duplicate IP addresses.

I haven't gone through the complete conversation here, but you can share your configuration here and I can have a look at it.

I would suggest to open a new thread for it as well for tracking different errors and issues.

Let me know if you have any questions.

Regards,

Kanwal

Hidayat Khan

You can define one class map and one VIP address with different ports. Example:

class-map match-all slb-vip-808X
  10 match virtual-address 172.16.1.100 tcp eq 8081
  20 match virtual-address 172.16.1.100 tcp eq 808
  30 match virtual-address 172.16.1.100 tcp eq www
  40 match virtual-address 172.16.1.100 tcp eq 443

I have configured the same way and it works perfect for me.

Regards

Hi Tony,

Yes, that's correct. It may be easier perhaps with the GUI, but basically the idea is the same, no matter whether you use the CLI or GUI. Keeping your configuration separated is better and more recommended.

Jorge
