Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2536
Views
0
Helpful
4
Replies

ACE - backup sfarm in a different network than primary

Go to solution
Krzysztof Obara
Level 1
Level 1

‎07-19-2013 04:40 AM

Hello,

I'd like to ask if it's possible to configure a backup server farm with a real server in a different network than real servers in a primary server farm in bridge mode on Cisco ACE? If not, how to configure it based on the following config example:

rserver host REAL_1

  ip address 10.0.0.1

  inservice

rserver host REAL_2

  ip address 10.0.0.2

  inservice

rserver host REAL_BACKUP

  ip address 192.168.0.1

  inservice

serverfarm host SFARM_PRIMARY

  probe ICMP (default icmp probe)

  rserver REAL_1

    inservice

  rserver REAL_2

    inservice

serverfarm host SFARM_BACKUP

  probe ICMP (default icmp probe)

  rserver REAL_BACKUP

    inservice

policy-map type loadbalance first-match PM_L7_PRIMARY

  class class-default

    serverfarm SFARM_PRIMARY backup SFARM_BACKUP

class-map match-all CM_L3L4_PRIMARY

  2 match virtual-address 10.0.0.10 tcp eq http

policy-map multi-match PM_L3L4_PRIMARY

  class CM_L3L4_PRIMARY

    loadbalance vip inservice

    loadbalance policy PM_L7_PRIMARY

    loadbalance vip icmp-reply active

interface vlan 100

  description Client site VLAN for PRIMARY SERVERS

  bridge-group 100

  mac-sticky enable

  access-group input ACL_BPDUAllow (for allowing bpdu)

  access-group input ACL_ALLIP (for allowing all ip traffic in)

  access-group output ACL_ALLIP (for allowing all ip traffic out)

  service-policy input PM_L3L4_PRIMARY

  no shutdown

interface vlan 200

  description Server site VLAN for PRIMARY SERVERS

  bridge-group 100

  access-group input ACL_BPDUAllow (for allowing bpdu)

  access-group input ACL_ALLIP (for allowing all ip traffic in)

  access-group output ACL_ALLIP (for allowing all ip traffic out)

  no shutdown

interface bvi 100

  ip address 10.0.0.252 255.255.255.0

  alias 10.0.0.254 255.255.255.0

  peer ip address 10.0.0.253 255.255.255.0

  no shutdown

interface vlan 300

  description Client site VLAN for BACKUP SERVER

  bridge-group 300

  mac-sticky enable

  access-group input ACL_BPDUAllow (for allowing bpdu)

  access-group input ACL_ALLIP (for allowing all ip traffic in)

  access-group output ACL_ALLIP (for allowing all ip traffic out)

  no shutdown

interface vlan 400

  description Server site VLAN for BACKUP SERVER

  bridge-group 300

  access-group input ACL_BPDUAllow (for allowing bpdu)

  access-group input ACL_ALLIP (for allowing all ip traffic in)

  access-group output ACL_ALLIP (for allowing all ip traffic out)

  no shutdown

interface bvi 300

  ip address 192.168.0.252 255.255.255.0

  alias 192.168.0.254 255.255.255.0

  peer ip address 192.168.0.253 255.255.255.0

  no shutdown

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
gaursin2
Level 1
Level 1

‎07-21-2013 11:29 PM

Hi

Configuration looks good. I do not see any problem with this setup.

View solution in original post

0 Helpful

Go to solution
ajayku2
Cisco Employee
Cisco Employee
In response to Krzysztof Obara

‎07-22-2013 06:17 AM

Hi,

Yes it is possible. The only thing which you need to make sure is either you use NAT or make sure that the backup server farm is pointing their default gateway to VLAN 400 ip address. So that the return traffic can reach the ACE.

hope  that helps,

Ajay Kumar

View solution in original post

0 Helpful
4 Replies 4

Go to solution
gaursin2
Level 1
Level 1

‎07-21-2013 11:29 PM

Hi

Configuration looks good. I do not see any problem with this setup.

0 Helpful

Go to solution
Krzysztof Obara
Level 1
Level 1
In response to gaursin2

‎07-22-2013 03:22 AM

Hi Guarav,

Thank you for your answer.

So the ACE will pass the traffic from VLAN 100 (client site to PRIMARY SERVERS) to VLAN 400 (server site for BACKUP SERVER) - even though the VLANs are not bridged?

0 Helpful

Go to solution
ajayku2
Cisco Employee
Cisco Employee
In response to Krzysztof Obara

‎07-22-2013 06:17 AM

Hi,

Yes it is possible. The only thing which you need to make sure is either you use NAT or make sure that the backup server farm is pointing their default gateway to VLAN 400 ip address. So that the return traffic can reach the ACE.

hope  that helps,

Ajay Kumar

0 Helpful

Go to solution
Krzysztof Obara
Level 1
Level 1
In response to ajayku2

‎07-22-2013 09:31 AM

Thank you Ajay,

I think that I got it. It looks like configuring dynamic NAT on one-arm mode when normally servers are pointing to a default gateway outside the ACE.

I have a new question (just regarding to backup serverfarms). What do you think about using "failaction reassign" in primary and backup sfarms?

Please take a look at this specific example:

primary sfarm

failaction reassign

real servers have conn-limit set (so when the limit is reached for all servers the traffic should go to the sorry sfarm)

vip is listenning for 443 from clients (ssl)

with

sticky ip-netmask for address-source

backup sfarm (sorry sfarm)

failaction reassign

predictor leastconns slowstart 30

vip is listenning for port 80

but there is a sticky http-cookie configured for backup sfarm (timeout 60 mins)

After making some tests it seems that users who want to connect to a failed primary page, then they will see the sorry page. However, after the primary sfarm is up, the users still see sorry page. I guess - due to http-cookie on backup sfarm and failaction reassign feature.

Regards,

Krzysztof

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card