02-17-2012 10:05 PM
Good day,
We have a requirement to provide load balancing of a return flow for SSO functionality. The flow requirement is as follows:
1. Client--->ACE client VLAN VIP----->WEB servers (separate VLAN - routed mode)
2. Web servers--------->WAS servers on separate VLAN (not load balanced by ACE - using IBM WebSphere)
3. WAS servers----->ACE client VLAN VIP (same as 1. above)------>WEB servers (same as 1. above, separate VLAN - routed mode)
So three VLANs: Client VLAN, Web server VLAN and WAS server VLAN, in the same context. Point three is the return flow from WAS servers to Web servers for SSO.
The configuration applied is below. The question is: would this configuration achieve what is required? Also, to confirm, which interface should the policy-map WASSSO-VIP be applied to, the WEB or the WAS server VLAN?
access-list any line 1 extended permit icmp any any
access-list any line 2 extended permit ip any any

rserver host SZAWAS1
  ip address 10.250.203.139
  inservice
rserver host SZAWAS2
  ip address 10.250.203.140
  inservice
rserver host SZAWEB1
  ip address 10.250.202.171
  inservice
rserver host SZAWEB2
  ip address 10.250.202.172
  inservice

serverfarm host SZAFIN_WASFARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWAS_TCP10001
  probe SZAWAS_TCP10002
  probe SZAWAS_TCP10003
  fail-on-all
  rserver SZAWAS1
    inservice
  rserver SZAWAS2
    inservice
serverfarm host SZAFIN_WAS_SSO_FARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWAS_SSO_TCP
  rserver SZAWAS1
    inservice
  rserver SZAWAS2
    inservice
serverfarm host SZAFIN_WEBFARM
  failaction purge
  predictor leastconns slowstart 60
  probe SZAWEB_TCP
  rserver SZAWEB1
    inservice
  rserver SZAWEB2
    inservice

parameter-map type generic SSLID_PARAMMAP
  set max-parse-length 76
parameter-map type connection TCP_PARAM_MAP
  set timeout inactivity 1800
  set tcp timeout embryonic 900
  set tcp timeout half-closed 900

sticky layer4-payload SSL_WEB_GROUP
  timeout 15
  serverfarm SZAFIN_WEBFARM
  response sticky
  layer4-payload offset 43 length 32 begin-pattern "(\x20|\x00\xST)"

class-map match-any L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
class-map match-any L4VIPCLASS_CB_FIN_WAS_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq 10001
  3 match virtual-address 10.250.202.75 tcp eq 10002
  4 match virtual-address 10.250.202.75 tcp eq 10003
class-map match-all L4VIPCLASS_CB_FIN_WEB_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
  7 match protocol https any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match CB_FIN_WASSSO_SA_SIT
  class class-default
    serverfarm SZAFIN_WAS_SSO_FARM
policy-map type loadbalance first-match CB_FIN_WAS_SA_SIT
  class class-default
    serverfarm SZAFIN_WASFARM
policy-map type loadbalance generic first-match SSLID_32_WEB_POLICY
  class class-default
    sticky-serverfarm SSL_WEB_GROUP

policy-map multi-match CLIENT-VIPs
  class L4VIPCLASS_CB_FIN_WEB_SA_SIT
    loadbalance vip inservice
    loadbalance policy SSLID_32_WEB_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    appl-parameter generic advanced-options SSLID_PARAMMAP
    connection advanced-options TCP_PARAM_MAP
  class L4VIPCLASS_CB_FIN_WAS_SA_SIT
    loadbalance vip inservice
    loadbalance policy CB_FIN_WAS_SA_SIT
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
policy-map multi-match WASSSO-VIP
  class L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
    loadbalance vip inservice
    loadbalance policy CB_FIN_WASSSO_SA_SIT
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

interface vlan 303
  description WAS Server Vlan
  ip address 10.250.203.133 255.255.255.224
  alias 10.250.203.132 255.255.255.224
  peer ip address 10.250.203.134 255.255.255.224
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  no shutdown
interface vlan 306
  description Client Access Vlan
  ip address 10.250.202.69 255.255.255.192
  alias 10.250.202.68 255.255.255.192
  peer ip address 10.250.202.70 255.255.255.192
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  service-policy input CLIENT-VIPs
  no shutdown
interface vlan 308
  description WEB Server Vlan
  ip address 10.250.202.165 255.255.255.224
  alias 10.250.202.164 255.255.255.224
  peer ip address 10.250.202.166 255.255.255.224
  no normalization
  no icmp-guard
  access-group input any
  access-group output any
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.250.202.65
Any advice would be greatly appreciated.
Thank you.
Paul
02-19-2012 10:32 PM
Good day,
Any feedback on this? I think the policy-map WASSSO-VIP should be on the WAS Server Vlan (303). Also with this implementation, Source NAT would not be required for the flow from the WAS servers back to the Web servers, correct?
Thank you.
Paul.
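The open questions in the thread (which interface a multi-match policy has to sit on, and whether the posted config is internally consistent) are the kind of thing worth checking mechanically before the change goes in. The script below is an added example, not part of the thread and not Cisco's tooling: it parses an abridged copy of the posted ACE configuration and reports three things that can be read straight off the text. In ACE, a service-policy attached to an interface acts on traffic entering that interface, so the first check lists multi-match policy-maps that no interface references at all (WASSSO-VIP in the posted config). The second lists VIP/port combinations claimed by more than one class-map, since within one interface only one policy can own them. The third lists interfaces whose input access-group is an ACL that permits ip any any. The choice of checks, the CONFIG abridgement and the wording of the findings are this example's own assumptions.

```python
import ipaddress
import re

# Abridged copy of the ACE configuration posted above (only the statements the checks read).
CONFIG = """\
access-list any line 1 extended permit icmp any any
access-list any line 2 extended permit ip any any
class-map match-any L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
class-map match-any L4VIPCLASS_CB_FIN_WAS_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq 10001
  3 match virtual-address 10.250.202.75 tcp eq 10002
  4 match virtual-address 10.250.202.75 tcp eq 10003
class-map match-all L4VIPCLASS_CB_FIN_WEB_SA_SIT
  2 match virtual-address 10.250.202.75 tcp eq https
policy-map multi-match CLIENT-VIPs
  class L4VIPCLASS_CB_FIN_WEB_SA_SIT
  class L4VIPCLASS_CB_FIN_WAS_SA_SIT
policy-map multi-match WASSSO-VIP
  class L4VIPCLASS_CB_FIN_WASSSO_SA_SIT
interface vlan 303
  ip address 10.250.203.133 255.255.255.224
  access-group input any
interface vlan 306
  ip address 10.250.202.69 255.255.255.192
  access-group input any
  service-policy input CLIENT-VIPs
interface vlan 308
  ip address 10.250.202.165 255.255.255.224
  access-group input any
"""


def parse_ace(text):
    """Return (open_acls, class_maps, policy_maps, interfaces) from ACE config text.

    Top-level statements start in column 0; their children are indented, as in
    ACE's own running-config output.  Only the statements the audit needs are kept.
    """
    open_acls, class_maps, policy_maps, interfaces = set(), {}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # new top-level statement
            w = line.split()
            section = None
            if w[0] == "access-list" and w[-4:] == ["permit", "ip", "any", "any"]:
                open_acls.add(w[1])  # ACL that admits every IP packet
            elif w[0] == "class-map" and w[1] != "type":  # skip management class-maps
                class_maps[w[-1]] = []
                section = ("class", w[-1])
            elif w[:2] == ["policy-map", "multi-match"]:
                policy_maps[w[-1]] = []
                section = ("policy", w[-1])
            elif w[0] == "interface":
                name = " ".join(w[1:])
                interfaces[name] = {"policy": None, "acl": None, "net": None}
                section = ("intf", name)
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "class":
            m = re.match(r"\d+ match virtual-address (\S+) (\S+) eq (\S+)", line)
            if m:
                class_maps[name].append(m.groups())  # (vip, proto, port)
        elif kind == "policy" and line.startswith("class "):
            policy_maps[name].append(line.split()[1])
        elif kind == "intf":
            w = line.split()
            if w[:2] == ["ip", "address"]:
                interfaces[name]["net"] = ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False)
            elif w[:2] == ["access-group", "input"]:
                interfaces[name]["acl"] = w[2]
            elif w[:2] == ["service-policy", "input"]:
                interfaces[name]["policy"] = w[2]
    return open_acls, class_maps, policy_maps, interfaces


def audit(open_acls, class_maps, policy_maps, interfaces):
    """Return a list of human-readable findings for the parsed configuration."""
    findings = []
    applied = {d["policy"] for d in interfaces.values() if d["policy"]}
    for pm in policy_maps:
        if pm not in applied:
            findings.append(f"policy-map {pm} is not applied on any interface; its VIP never answers")
    owners = {}  # (vip, proto, port) -> class-maps (and policy-maps) that claim it
    for pm, classes in policy_maps.items():
        for cls in classes:
            for vip, proto, port in class_maps.get(cls, []):
                owners.setdefault((vip, proto, port), []).append(f"{cls} ({pm})")
    for (vip, proto, port), who in sorted(owners.items()):
        if len(who) > 1:
            findings.append(f"VIP {vip} {proto}/{port} matched by {', '.join(who)}; "
                            "only valid if those policy-maps sit on different interfaces")
    for intf, d in interfaces.items():
        if d["acl"] in open_acls:
            findings.append(f"{intf} admits all IP traffic (access-group {d['acl']} permits ip any any)")
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_ace(CONFIG)):
        print("-", finding)
```

Run against the abridged config it reports WASSSO-VIP as unattached, the shared https VIP between the WEB and WASSSO class-maps, and the permit-any ACL on all three VLAN interfaces; attaching WASSSO-VIP to an interface in the CONFIG text clears the first finding, which is a quick way to confirm the intended placement before touching the device.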