06-28-2012 06:56 AM
Hi,
We want to use 2 ACE for load balancing traffic between 2 services (port 8008) on 2 servers (1 service per server).
We have 3 paths:
Admin = VLAN64
Server side = VLAN64
Client side = VLAN65
We don't want to change the real servers' IP addresses.
Our setup doesn't work right now. We are able to ping the VIP, but the traffic doesn't seem to pass the ACE (not able to reach the real servers).
Someone told us that we need to have 3 different VLANs... because our setup causes a loop...
Could you help please?
Here is the show run for the VC1:
Generating configuration....
logging enable
logging standby
logging timestamp
logging trap 7
logging history 7
logging buffered 3
logging persistent 7
logging device-id context-name
no logging message 251006
no logging message 251010
crypto chaingroup GESTION-CHAIN
crypto csr-params GESTION_2012
access-list PERMIT-ALL remark PERMIT-ALL
access-list PERMIT-ALL line 1 extended permit ip any any
access-list PERMIT-ALL line 2 extended permit icmp any any
probe http APPKIN
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /itg/dashboard/app/portal/PageView.jsp
  expect status 200 200
probe http APPS_LOCAL_LOGIN
  interval 5
  passdetect interval 10
  passdetect count 2
  expect status 200 200
rserver redirect DESOLE-GESTION
  webhost-redirection https://gestion.home.qc/desole/page_redirection_sc.html
  inservice
rserver host SESEGX13
  ip address 172.29.64.135
  inservice
rserver host SESEGX14
  ip address 172.29.64.137
  inservice
serverfarm redirect DESOLE-GESTION
  rserver DESOLE-GESTION
    inservice
serverfarm host GESTION-GKIN05-4420-8008
  description GESTION Environnement GKIN05
  probe APPS_LOCAL_LOGIN
  rserver SESEGX13 8008
    inservice
  rserver SESEGX14 8008
    inservice
parameter-map type http GESTION-PARAM-MAP
  no persistence-rebalance
  length-exceed continue
sticky http-cookie GKIN05-STICK STICKY-GESTION-GKIN05-4420-8008
  cookie insert browser-expire
  replicate sticky
  serverfarm GESTION-GKIN05-4420-8008 backup DESOLE-GESTION
  8 static cookie-value "SESEGX13-8008" rserver SESEGX13 8008
  16 static cookie-value "SESEGX14-8008" rserver SESEGX14 8008
ssl-proxy service GESTION.home.QC
  key GESTION2048-KEY.PEM
  cert GESTION_2012_2048.pem
  chaingroup GESTION-CHAIN
class-map match-all CM-VIP-GESTION-GKIN05-4420-8008
  2 match virtual-address 172.29.240.110 tcp eq 4420
class-map type management match-any remote_access
  2 match protocol icmp any
policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
    permit
policy-map type loadbalance http first-match PM-LB-GESTION-GKIN05-4420-8008
  class class-default
    sticky-serverfarm STICKY-GESTION-GKIN05-4420-8008
policy-map multi-match VIPS-HTTPS
  class CM-VIP-GESTION-GKIN05-4420-8008
    loadbalance vip inservice
    loadbalance policy PM-LB-GESTION-GKIN05-4420-8008
    loadbalance vip icmp-reply
    appl-parameter http advanced-options GESTION-PARAM-MAP
    ssl-proxy server GESTION.home.QC
interface vlan 64
  description SERVER-SIDE
  ip address 172.29.68.44 255.255.240.0
  alias 172.29.68.46 255.255.240.0
  peer ip address 172.29.68.45 255.255.240.0
  no normalization
  access-group input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
interface vlan 65
  description IC-FIREWALL
  ip address 172.29.240.101 255.255.255.0
  alias 172.29.240.105 255.255.255.0
  peer ip address 172.29.240.103 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PERMIT-ALL
  service-policy input remote_mgmt_allow_policy
  service-policy input VIPS-HTTPS
  no shutdown
ft track interface TRACK_VLAN64
  track-interface vlan 64
  priority 150
ft track interface TRACK_VLAN65
  peer track-interface vlan 65
  peer priority 150
ip route 0.0.0.0 0.0.0.0 172.29.240.104
ip route 172.27.48.0 255.255.252.0 10.74.24.1
ip route 172.27.252.0 255.255.255.0 10.74.24.1
ip route 172.27.97.160 255.255.255.255 10.74.24.1
ip route 172.27.96.166 255.255.255.255 10.74.24.1
ip route 172.27.96.167 255.255.255.255 10.74.24.1
ip route 172.28.123.192 255.255.255.224 10.74.24.1
Thanks,
06-28-2012 08:23 PM
Hi, the way round this is to use NAT; then only one interface is required.
For each VIP I have a VLAN (don't know how easy it is for you to generate dedicated VLANs).
The client's IP address gets NATted to the same VLAN.
For example:
class-map match-any testing
  2 match virtual-address 172.17.1.7 tcp eq www
Then on the policy map:
policy-map multi-match multi-vips
  class testing
    loadbalance vip inservice
    loadbalance policy JDEURL
    loadbalance vip icmp-reply
    nat dynamic 7 vlan 171 <----- note nat statement
Then on the interface:
interface vlan 171
  description client server vlan
  ip address 172.17.1.4 255.255.255.0
  peer ip address 172.17.1.1 255.255.255.0
  access-group input ALL
  nat-pool 7 172.17.1.18 172.17.1.30 netmask 255.255.255.0 pat
  service-policy input MAN
  service-policy input multi-vips
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.17.1.254 < gateway on router.
So a real client goes from, say, 172.16.1.1 to the VIP 172.17.1.7 in the LB; the LB then does a NAT on the client IP address when going to the real server, so it is 172.17.1.xx to the real server IP.
HTH
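Added example, not part of the original reply or Cisco's tooling: a small Python check for the wiring the answer relies on, namely that every VIP class in a `policy-map multi-match` carries `nat dynamic <id> vlan <n>` and that `interface vlan <n>` declares `nat-pool <id>`. The helper name `check_source_nat` and the sample text (built from the snippet above) are assumptions made for illustration.

```python
import re

# Constructed sample: the one-arm snippet from the reply above, comments removed.
SAMPLE = """\
policy-map multi-match multi-vips
  class testing
    loadbalance vip inservice
    loadbalance policy JDEURL
    nat dynamic 7 vlan 171
interface vlan 171
  ip address 172.17.1.4 255.255.255.0
  nat-pool 7 172.17.1.18 172.17.1.30 netmask 255.255.255.0 pat
  service-policy input multi-vips
"""

def check_source_nat(config):
    """Hypothetical helper: list source-NAT wiring problems in an ACE config."""
    pools = set()    # (vlan, pool_id) pairs declared with nat-pool
    classes = []     # [policy, class, (vlan, pool_id) or None]
    policy = vlan = None
    for raw in config.splitlines():
        line = raw.strip()   # indentation is often lost in pasted configs
        if line.startswith("policy-map "):
            # Only multi-match (VIP) policies are checked; other types reset scope.
            m = re.match(r"policy-map multi-match (\S+)", line)
            policy, vlan = (m.group(1) if m else None), None
        elif m := re.match(r"interface vlan (\d+)", line):
            policy, vlan = None, int(m.group(1))
        elif policy and (m := re.match(r"class (\S+)", line)):
            classes.append([policy, m.group(1), None])
        elif policy and (m := re.match(r"nat dynamic (\d+) vlan (\d+)", line)):
            if classes and classes[-1][0] == policy:
                classes[-1][2] = (int(m.group(2)), int(m.group(1)))
        elif vlan is not None and (m := re.match(r"nat-pool (\d+) ", line)):
            pools.add((vlan, int(m.group(1))))
    problems = []
    for pol, cls, nat in classes:
        if nat is None:
            problems.append(f"{pol}/{cls}: no 'nat dynamic' on this VIP class")
        elif nat not in pools:
            problems.append(f"{pol}/{cls}: nat-pool {nat[1]} not defined on vlan {nat[0]}")
    return problems

if __name__ == "__main__":
    print(check_source_nat(SAMPLE) or "source NAT wiring is consistent")
```

Run against the configuration in the question, it reports `VIPS-HTTPS/CM-VIP-GESTION-GKIN05-4420-8008` as having no `nat dynamic`. With source NAT in place the real servers see a pool address rather than the client address, as the reply describes.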
07-05-2012 12:57 PM
Hi,
It works!
Thanks!!