
ACE 4710 transparent LB with two Caches and two routers.

gaboughanem
Level 1

Hello,

I have an ACE 4710 that load-balances two CacheFlows (Blue Coat). I am doing PBR on the routers to send the traffic destined to port 80 to the ACE, then to the cache farm. After that, the CacheFlow will get the page from the Internet via the two routers. The return traffic will match another PBR on the routers, with source port 80, that will send it to the ACE, then to the CacheFlow again, then to the users.

I am not using IP spoofing on the CacheFlow for now. In the attached figure, I created a VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the routers, but the question is: do I have to create another VIP 0.0.0.0 0.0.0.0 port 80 on the ACE interface facing the CacheFlow, or just forward the traffic on the default route? What might the default route be, since I have to use two routers and I cannot use HSRP?

Kindly, I need some assistance.

Thank you and regards,

George

access-list PERMIT_ALL line 8 extended permit ip any any
access-list CFLOW line 8 extended permit ip any any

ip name-server 8.8.8.8
ip name-server 4.2.2.2

################################## Config for Cache Servers ###################

probe http CISCO_WWW_PROBE
  ip address 72.163.4.161
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 5
  request method head url /index.html
  expect status 200 200
  exit
probe http YAHOO_WWW_PROBE
  ip address 87.248.112.181
  interval 2
  faildetect 2
  passdetect interval 2
  passdetect count 5
  request method head url /index.html
  expect status 200 200
  exit

serverfarm host TRANSPARENT_PROXY_SF
  description Transparent Proxy Farm
  transparent
  predictor hash url
  probe CISCO_WWW_PROBE
  probe YAHOO_WWW_PROBE
  rserver CFLOW01
    inservice
  rserver CFLOW02
    inservice
  exit
  exit


############################################# Router Cache Farm ############################

probe icmp ICMP_PROBE
  description *** Probe for icmp health monitoring ***
  interval 5
  faildetect 2
  passdetect interval 60
  passdetect count 2
  exit

rserver host Router01
  description Connection to Sodetel Router
  ip address 192.168.14.4
  probe ICMP_PROBE
  inservice
rserver host Router02
  description Connection to IDM Router
  ip address 192.168.14.5
  probe ICMP_PROBE
  inservice


serverfarm host Routers
  description Transparent Proxy Farm
  transparent
  predictor hash url
  probe ICMP_PROBE
  rserver Router01
    inservice
  rserver Router02
    inservice
  exit
  exit


################################# Management################################

class-map type management match-any REMOTE_MGMT
  description Allow Remote management for below protocols
  8 match protocol icmp any
  9 match protocol ssh source-address 172.31.13.31 255.255.255.255
  10 match protocol ssh source-address 172.31.31.21 255.255.255.255


policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_MGMT
    permit


###############################################################################


class-map match-all CFLO2Internet
  2 match virtual-address 0.0.0.0 0.0.0.0 any


class-map match-all TRANSPARENT_VIP_CM
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

policy-map type loadbalance first-match TRANSPARENT_LB_PM
  class class-default
    serverfarm TRANSPARENT_PROXY_SF backup Routers


policy-map type loadbalance first-match CFLO2Internet_LB
  class class-default
    serverfarm Routers

policy-map multi-match CFLO2Internet_PM
  class CFLO2Internet
    loadbalance vip inservice
    loadbalance policy CFLO2Internet_LB
    loadbalance vip icmp-reply active
    connection advanced-options TCP

policy-map multi-match L3L4_PM
  class TRANSPARENT_VIP_CM
    loadbalance vip inservice
    loadbalance policy TRANSPARENT_LB_PM
    loadbalance vip icmp-reply active
    connection advanced-options TCP


====Interfaces======
interface vlan 11
  description Interface between Routers and ACE
  ip address 192.168.14.2 255.255.255.224
  alias 192.168.14.1 255.255.255.224
  peer ip address 192.168.14.3 255.255.255.224
  no icmp-guard
  access-group input PERMIT_ALL
  service-policy input REMOTE_MGMT_ALLOW_POLICY

  service-policy input L3L4_PM
  no shutdown


interface vlan 21
  description Connection to CFlow ServerFarm
  ip address 192.168.12.2 255.255.255.224
  alias 192.168.12.1 255.255.255.224
  peer ip address 192.168.12.3 255.255.255.224
  no icmp-guard
  access-group input CFLOW
  service-policy input CFLO2Internet_PM ------>>>> Is this necessary???
  no shutdown

2 Replies

gaboughanem
Level 1

anyone?

Thanks

Hi George,

In the topology you described, only the service-policy in the interface towards the routers is necessary. For the traffic from the caches, the ACE will just forward to the default gateway.

The only problem is, as you mentioned, that you cannot use HSRP. In that case, you can still configure two default gateways, but there is no way to predict which one the ACE will use at a given time (the way it selects the one it will use is by sending an ARP request to both gateways and using the one that replies first until the ARP entry expires).

If you need to load-balance the traffic between both routers, then yes, you would need to configure a new VIP on the cache side and load-balance it to a transparent serverfarm composed of both routers.

Regards

Daniel
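
The first option from the reply above (plain forwarding to a default gateway, no cache-side VIP), written out as an added example that is not part of either post. It assumes the interface, policy and router addresses from George's configuration; lines starting with `!` are annotations for the reader, not ACE commands.

```cisco
! Added example, not from the original thread.
! Assumes VLAN 21, CFLO2Internet_PM and the router addresses
! 192.168.14.4 / 192.168.14.5 exactly as posted in the question.

! Cache-to-Internet traffic is routed rather than load-balanced,
! so the cache-side VIP policy is detached from the interface.
interface vlan 21
  no service-policy input CFLO2Internet_PM

! Two default gateways, one per router on the VLAN 11 subnet.
! Per the reply, which one is used at a given time is not predictable.
ip route 0.0.0.0 0.0.0.0 192.168.14.4
ip route 0.0.0.0 0.0.0.0 192.168.14.5

! Check that both static defaults are present.
show ip route
```

The second option, a cache-side VIP load-balanced to a transparent serverfarm of both routers, is what the `CFLO2Internet_PM` policy in the question already configures.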
