ACE in routed mode

adam.zinser
Level 1

My first question, can anyone recommend some very heavy reading discussing the ACE modules and associated traffic flows and order of operations?  Not just how-to scenarios.

And the primary question that brings me here:

I've got an ACE module in a 6500 chassis that's configured for routed mode.  For the purpose of this question we'll say that on the ACE I have a single VLAN for vIPs and a single VLAN for rservers.  vIP VLAN is 12 and rserver VLAN is 101.  I have a pair of App servers being load balanced, and a pair of Web servers being load balanced.

When user devices send traffic to the Web servers vIP, traffic hits the SVI for VLAN 12 and the service-policy is applied manipulating that traffic and sending it to the VLAN 101 SVI and on down to an rserver.  The same if user devices are sending traffic to the App servers vIP.

When a Web server tries to send over to the App servers vIP, I get no response.  In fact, from the Web server I can't even ping my gateway (SVI for VLAN 101).  How do I get the Web server to send traffic load balanced across the App servers?

Here's an example ACE config:

!
access-list ALL line 8 extended permit ip any any
!
probe tcp 5555
  port 5555
  interval 5
  passdetect interval 30
!
probe http HTTP
  interval 5
  passdetect interval 30
  expect status 200 200
!
rserver host APP01
  description App Server 1
  ip address 10.10.101.15
  probe 5555
  inservice
rserver host APP02
  description App Server 2
  ip address 10.10.101.16
  probe 5555
  inservice
rserver host WEB01
  description Web Server 1
  ip address 10.10.101.17
  probe HTTP
  inservice
rserver host WEB02
  description Web Server 2
  ip address 10.10.101.18
  probe HTTP
  inservice
!
serverfarm host APP-SERVERS
  predictor leastconns
  rserver APP01
    inservice
  rserver APP02
    inservice
serverfarm host WEB-SERVERS
  predictor leastconns
  rserver WEB01
    inservice
  rserver WEB02
    inservice
!
sticky ip-netmask 255.255.255.255 address both WEB-STICKY
  replicate sticky
  serverfarm WEB-SERVERS
sticky ip-netmask 255.255.255.255 address both APP-STICKY
  replicate sticky
  serverfarm APP-SERVERS
!
class-map match-any APP-VIP
  description App Servers VIP
  2 match virtual-address 10.10.12.21 tcp eq 5555
class-map match-any WEB-VIP
  description Web Servers VIP
  2 match virtual-address 10.10.12.20 tcp eq https
  3 match virtual-address 10.10.12.20 tcp eq www
!
policy-map type loadbalance first-match L7-APP-SERVERS
  class class-default
    sticky-serverfarm APP-STICKY
policy-map type loadbalance first-match L7-WEB-SERVERS
  class class-default
    sticky-serverfarm WEB-STICKY
!
policy-map multi-match L4-CONTEXT-A-VLAN
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy L7-WEB-SERVERS
    loadbalance vip icmp-reply
  class APP-VIP
    loadbalance vip inservice
    loadbalance policy L7-APP-SERVERS
    loadbalance vip icmp-reply
!
interface vlan 12
  description ACE-CONTEXT-A-vIPs
  ip address 10.10.12.5 255.255.252.0
  alias 10.10.12.4 255.255.252.0
  peer ip address 10.10.12.6 255.255.252.0
  access-group input ALL
  service-policy input MGMT-ACCESS
  service-policy input L4-CONTEXT-A-VLAN
  no shutdown
!
interface vlan 101
  description ACE-CONTEXT-A-SERVERS
  ip address 10.10.101.2 255.255.255.0
  alias 10.10.101.1 255.255.255.0
  peer ip address 10.10.101.3 255.255.255.0
  access-group input ALL
  no shutdown

Accepted Solution

pablo.nxh
Level 3

Hi Adam,

You can check Gilles' DC t-shooting guides, which should give you a very good overview of packet processing on the ACE; you can also check the Cisco wiki site, where you find the scenarios plus a detailed explanation of traffic management.

Now going back to your issue, your problem can be split in two parts.

1. Web server not able to ping VLAN 101 ACE's SVI.

ACE is a closed device, meaning that access to each interface/VLAN needs to be explicitly configured; you need to apply the management policy to the 101 SVI to allow ICMP or any other management protocol. You can apply the same (service-policy input MGMT-ACCESS) or create a new one just for ICMP; that's up to you.

2. Web servers not able to communicate with APP servers through the VIP (and vice versa).

The problem here is that the servers are trying to communicate through SVI 101, but no VIPs are applied to it, so the ACE will simply discard the packets for 10.10.12.20/10.10.12.21 on that interface; the servers have the ARP and everything to reach those VIPs, but the ACE has not been instructed to do load balancing for clients reaching it through VLAN 101.

In order to do load balancing between APP & Web servers you need to configure L4-CONTEXT-A-VLAN on SVI 101 as well.

Also, since your servers are all sitting in the same VLAN, you're going to need client NAT to prevent asymmetric routing on server-to-server communications.

I've attached a sample with NAT based on your config.

HTH

Pablo

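The attachment Pablo mentions is not part of the page, so the following is an added example (not Pablo's sample and not from Cisco documentation) of what the two fixes look like on Adam's config. VLAN numbers, VIPs, rserver addresses, the ALL access list and the L7 policy names come from the question; the class-map/policy-map names ICMP-ONLY, MGMT-ICMP and L4-CONTEXT-A-SERVERS and the NAT pool address 10.10.101.100 are assumptions. It goes one step beyond the reply: instead of re-applying L4-CONTEXT-A-VLAN on VLAN 101 as-is, it uses a second multi-match policy for VLAN 101 that reuses the same classes and adds client NAT there only, so traffic that enters from VLAN 12 keeps its real source address and the web servers' access logs still show the actual client.

```cisco
! 1. Management policy for VLAN 101. ACE is a closed device: traffic
!    addressed to one of its own interfaces is dropped unless a
!    management policy applied on that interface permits it. This one
!    allows only ICMP from the server subnet (assumed names/addresses).
class-map type management match-any ICMP-ONLY
  2 match protocol icmp source-address 10.10.101.0 255.255.255.0
policy-map type management first-match MGMT-ICMP
  class ICMP-ONLY
    permit
!
! 2. Load balancing for connections that arrive on VLAN 101.
!    The classes WEB-VIP / APP-VIP and the L7 policies are the ones from
!    the question, so the VIPs and stickiness behave the same from both
!    VLANs. Client (source) NAT is added here because the calling server
!    and the chosen rserver share the 10.10.101.0/24 subnet: without it
!    the rserver would answer the caller directly, bypassing the ACE, and
!    the connection would never complete (asymmetric return path).
policy-map multi-match L4-CONTEXT-A-SERVERS
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy L7-WEB-SERVERS
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 101
  class APP-VIP
    loadbalance vip inservice
    loadbalance policy L7-APP-SERVERS
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 101
!
! 3. Server-side interface: NAT pool 1 (one assumed address with PAT so a
!    single IP covers both VIPs), the ICMP management policy and the new
!    L4 policy. Access list ALL is unchanged from the question.
interface vlan 101
  description ACE-CONTEXT-A-SERVERS
  ip address 10.10.101.2 255.255.255.0
  alias 10.10.101.1 255.255.255.0
  peer ip address 10.10.101.3 255.255.255.0
  nat-pool 1 10.10.101.100 10.10.101.100 netmask 255.255.255.255 pat
  access-group input ALL
  service-policy input MGMT-ICMP
  service-policy input L4-CONTEXT-A-SERVERS
  no shutdown
```

After applying it, a connection from WEB01 to 10.10.12.21:5555 should show up in `show conn` with the NAT pool address as its source on the server side, and `show service-policy L4-CONTEXT-A-SERVERS detail` should count hits on APP-VIP. Note that on the app servers the client address of those connections is now 10.10.101.100 rather than the web server's address, so anything that logs or filters by source IP on the app tier needs to expect the pool address; the ALL access list (permit ip any any) on both SVIs is left as in the question and is a separate item to tighten if only the VIP ports should be reachable.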

3 Replies

Pablo,

Makes sense to me.  I appreciate your help!  Oh, but where do I find "Gilles' DC t-shooting guides"?

Adam,

Don't mention it

You can find the guides on the application networking forum blog:

https://supportforums.cisco.com/community/netpro/data-center/application-network?view=blog.

Cya


Pablo