11-20-2013 03:55 AM
Experts,
Could you please guide me on the traffic flow mentioned below?
Connection flow:
client IP 192.168.240.220 == VLAN721=[VIP 10.106.108.137] ===VLAN 537[Server 10.106.24.133]<=={User context test1}
[Server 10.106.24.133]=== VLAN 739==[VIP 10.106.112.59] =====VLAN343 [Server 10.106.3.8] <= {User Context test2}
There are two contexts, test1 & test2, on the same ACE box residing in a CAT6k. Just curious to know how to redirect the server (10.106.24.133) in context test1 to the VIP (10.106.112.59) in context test2, which are not in a shared VLAN.
context test1
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice
rserver host SITMA21
  ip address 10.106.24.133
  probe PING
  inservice
rserver host SITMA22
  ip address 10.106.24.138
  probe PING
  inservice
serverfarm host L17SVWOASIS03_FARM
  description oasis-sso-stg2 server farm
  failaction purge
  probe TCP-80
  rserver SITMA21 80
    inservice
  rserver SITMA22 80
serverfarm redirect OASIS-SSO-STG2_OOS_REDIRECT_FARM
  rserver OASIS-SSO-STG2_OOS_REDIRECT
    inservice
sticky ip-netmask 255.255.255.255 address both L17SVWOASIS03_STICKY
  serverfarm L17SVWOASIS03_FARM backup OASIS-SSO-STG2_OOS_REDIRECT_FARM
  timeout 10
  replicate sticky
Need to know when the redirection will take place here.... I feel that only if the serverfarm (L17SVWOASIS03_FARM) goes down does the redirect server come into the picture, as per the configs attached..
If that is the case, then
rserver redirect OASIS-SSO-STG2_OOS_REDIRECT
  webhost-redirection https://eportal-stg.publix.com/content/Associate/OutagePag
  inservice
The highlighted URL should be the VIP of context test2, i.e. 10.106.112.59, is that right? In that case, how do we send this request to the VIP, since both are in different VLANs? Should it be done with PBR (policy-based routing) via the CAT6k? Could anyone please share the configs?
Or can this be done with a default route to the VIP on the contexts?
11-20-2013 08:00 AM
Hi Martin,
Your understanding regarding the redirect server is correct. When serverfarm L17SVWOASIS03_FARM goes down, any requests coming for the VIP which corresponded to L17SVWOASIS03_FARM will be redirected to a different URL, and the client must now come in on a different VIP. That shouldn't be a problem, because the ACE here is not routing the traffic to a different context. It is just telling the client to come to a different URL which resolves to a different VIP in a different context. So the client should come to that VIP, and that is like any other request to that VIP, which I assume is already working.
Regarding your question on inter-context routing: ACE does not allow inter-context communication. This is the behavior.
However, you can still achieve communication by going through an external gateway.
If an rserver S in vlan 10 of context A wants to communicate with VIP-B in vlan 20, you should configure context A with a static host route pointing VIP-B to the default gateway. This default gateway will then forward the traffic to context B, and for the ACE it is as if the connection comes from outside and not from another context. The same holds for the response: you need on context B a route for vlan 10 via the gateway.
Logically this should work.
Give it a try and let me know how it goes.
Regards,
Kanwal
11-20-2013 11:18 PM
Hi Kanwal ...
Great!!! ... Cool, it works!!! Many thanks, mate... It's happening even without a route!!! (Not sure)
I now understand how server redirect works; however, I have seen some configuration as below:
Client ---> VIP (20)-----Rserver (30)
But the same Rserver has been configured as a VIP in the other context, and both contexts are in the same ACE box..
Please let me know how to make this work. AFAIK the first request which we send will get load-balanced and hit the rserver, but how does the request go to the VIP (rserver) in the other context? Will it traverse by default, or, as you said above, do we need to add a static route?
If you have a sample config to do the above, can you please share? Many thanks in advance...
Martin
11-21-2013 05:07 AM
Hi Martin,
Hmm. I am not sure, but what I am not understanding is why you want the request to be load-balanced to an Rserver in one context when the same Rserver is a VIP in another context on the same ACE. I have seen that a VIP of one ACE is an Rserver in another, and of course that is a different and simple scenario.
So what you are saying is: the client comes to VIP(20) in context A and gets load-balanced to Rserver(30), but Rserver(30) is actually a VIP in another context which load-balances the traffic to another serverfarm. Never done that :)
Why don't you send the request to the Rserver (VIP in another context) directly? Why do you need to go to VIP(20) and get it load-balanced to Rserver(30)? Honestly I am not sure. Maybe someone else has better ideas.
Regards,
Kanwal
11-21-2013 06:03 PM
Hi Kanwal,
Thanks for your time & reply... Yes, the topology is a bit complex, but I have seen a customer configuration which states exactly the above... Not sure whether I can attach the same in the forum...
Hoping to see other views on this... Thanks again..
Regards
Martin Charles A.
11-22-2013 08:55 AM
Hi Martin,
I was thinking about it, and it is like load-balancing to a server which is a hop away. So how do you do that? By routing, so I guess in this case also you would need a route to the VIP of the other context through another gateway, and vice versa.
Can you try that and let me know how it goes? So my first reply's suggestion should hold good here.
Regards,
Kanwal
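The static-host-route scheme Kanwal describes in the 08:00 AM reply and again just above, written out as an added configuration example for this thread (not config taken from the original posts or from Cisco documentation). It uses the first scenario's addresses: server 10.106.24.133 in context test1 on VLAN 537 needs to reach VIP 10.106.112.59 in context test2 on VLAN 739, with the CAT6k acting as the external gateway. The same two routes serve the second scenario (an rserver in context A's serverfarm that is a VIP in context B), because the destination being routed is the other context's VIP either way. The CAT6k SVI addresses (10.106.24.1, 10.106.112.1), the ACE interface addresses (10.106.24.2, 10.106.112.2), the /24 masks and the ACL name ANY are assumptions chosen for illustration.

```cisco
! ---- CAT6k (external gateway between the two ACE contexts) ----
! Assumed SVI addresses. The ACE contexts never forward to each other
! directly; every inter-context packet has to come back in through here.
interface Vlan537
 description context test1 server-side VLAN
 ip address 10.106.24.1 255.255.255.0
!
interface Vlan739
 description context test2 VIP-side VLAN
 ip address 10.106.112.1 255.255.255.0
!
! VIP 10.106.112.59 is owned by context test2 on VLAN 739, so the CAT6k
! treats it as a directly connected host on Vlan739; no static route is
! needed on the switch for it.

! ---- ACE context test1 ----
! ACE drops traffic that no access-group permits, so the interface that
! will carry the server-originated traffic needs an ACL (assumed name ANY).
access-list ANY line 10 extended permit ip any any
interface vlan 537
  ip address 10.106.24.2 255.255.255.0
  access-group input ANY
  no shutdown
! Host route for the other context's VIP via the VLAN 537 gateway, so the
! ACE hands the packet to the CAT6k instead of looking for the VIP locally.
ip route 10.106.112.59 255.255.255.255 10.106.24.1

! ---- ACE context test2 ----
access-list ANY line 10 extended permit ip any any
interface vlan 739
  ip address 10.106.112.2 255.255.255.0
  access-group input ANY
  no shutdown
! Return route for the VLAN 537 subnet via the VLAN 739 gateway, so replies
! from the VIP take the same external hop back. From test2's point of view
! the connection arrived from outside, exactly like any other client.
ip route 10.106.24.0 255.255.255.0 10.106.112.1
```

In a one-arm deployment with source NAT on the sending context (as in the `nat dynamic ... vlan 20` / `nat-pool` lines posted later in this thread), the source address the receiving context sees is the NAT pool address, not the server's, so the return route on the receiving context has to cover the NAT pool address rather than the server subnet.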
11-25-2013 04:53 AM
Hi Kanwal ...
First of all, thanks for your time and suggestion on this case.. Yes, I tried with the route, but the customer is in one-arm mode and a default route has already been added, which is pointing to the CAT6k, since the routing decision is done by the CAT6k...
Here we go.. The customer config doesn't stop at the point where the rserver of one context is the VIP in the other context; it continues... Let me explain with what I understood so far....
CSS - Context 1 -------> SCA - Context 2 ---> CSS - Context 1
1. A connection hitting from a firewall to the CSS - Context 1 VIP, i.e. 10.99.1.76 (https), which will get load-balanced to rservers (10.99.0.13 & 10.99.0.14) port 475
2. The above-mentioned two rservers are the VIP in SCA - Context 2, which will get load-balanced to 10.99.1.76 port 8080
My head started to spin when I found the third...
3. The above-mentioned rserver 10.99.1.76 port 8080 is the VIP again in CSS - Context 1, which finally gets load-balanced to 10.99.1.217
I made this config up and running in my lab, and the VIP and rservers are up.... Since it's one-arm mode I have given the static route to the CAT6k, but still I am unable to fetch the page as required...
Will post the configs in the next thread..
Thanks
Martin
11-25-2013 05:01 AM
Configs
=====
CSS - Context 1
============
probe tcp qaahmapp1-ssl-475_PROBE
  port 475
  interval 5
  passdetect interval 5
  connection term forced
rserver host HS_PROD.sanovia_447-ssl-a
  ip address 10.99.0.13
  inservice
rserver host HS_PROD.sanovia_447-ssl-b
  ip address 10.99.0.14
  inservice
serverfarm host sanovia.qaahm.ssl
  probe qaahmapp1-ssl-475_PROBE
  rserver HS_PROD.sanovia_447-ssl-a 475
    conn-limit max 4000000 min 4000000
    inservice
  rserver HS_PROD.sanovia_447-ssl-b 475
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http cisco_avs_parametermap
  case-insensitive
  persistence-rebalance
  parsing non-strict
action-list type optimization http cisco_avs_bandwidth_and_latency
  delta
  flashforward
action-list type optimization http cisco_avs_img_latency
  flashforward-object
action-list type optimization http cisco_avs_obj_latency
  flashforward-object
class-map type http loadbalance match-all cisco_avs_bandwidth_and_latency
  2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
  2 match http url .*jpg
  3 match http url .*jpeg
  4 match http url .*jpe
  5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
  2 match http url .*gif
  3 match http url .*css
  4 match http url .*js
  5 match http url .*class
  6 match http url .*jar
  7 match http url .*cab
  8 match http url .*txt
  9 match http url .*ps
  10 match http url .*vbs
  11 match http url .*xsl
  12 match http url .*xml
  13 match http url .*pdf
  14 match http url .*swf
class-map match-all sanovia.qaahm.ssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq https
policy-map type loadbalance first-match sanovia.qaahm.ssl_CLASS-l7slb
  class class-default
    serverfarm sanovia.qaahm.ssl
    insert-http x-forward header-value "%is"
policy-map type optimization http first-match sanovia.qaahm.ssl_CLASS-l7opt
  class cisco_avs_obj_latency
    action cisco_avs_obj_latency
  class cisco_avs_img_latency
    action cisco_avs_img_latency
  class cisco_avs_bandwidth_and_latency
    action cisco_avs_bandwidth_and_latency
policy-map multi-match POLICY
  class sanovia.qaahm.ssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.ssl_CLASS-l7slb
    optimize http policy sanovia.qaahm.ssl_CLASS-l7opt
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.1.1
========================================================================================
SCA - Context 2
============
crypto chaingroup GoDaddy
  cert cisco-sample-cert
probe tcp AHM_QA-PROBE
  port 8080
  interval 5
  passdetect interval 5
  connection term forced
rserver host AHM_QA
  ip address 10.99.1.76
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host AHM_QA
  rserver AHM_QA 8080
    conn-limit max 4000000 min 4000000
    probe AHM_QA-PROBE
    inservice
parameter-map type ssl sanovia-ssl-parms
  description This is where you tweak your SSL parms, cert, etc.
  cipher RSA_WITH_RC4_128_MD5 priority 4
  cipher RSA_WITH_RC4_128_SHA priority 5
  cipher RSA_WITH_DES_CBC_SHA priority 3
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 6
  cipher RSA_WITH_AES_128_CBC_SHA priority 7
  cipher RSA_WITH_AES_256_CBC_SHA priority 8
ssl-proxy service sanovia-ssl-proxy
  key cisco-sample-key
  cert cisco-sample-cert
  chaingroup GoDaddy
  ssl advanced-options sanovia-ssl-parms
class-map match-any AHM_QA-CLASS
  2 match virtual-address 10.99.0.13 tcp eq 475
  3 match virtual-address 10.99.0.14 tcp eq 475
policy-map type loadbalance first-match AHM_QA-CLASS-l7slb
  class class-default
    serverfarm AHM_QA
policy-map multi-match POLICY
  class AHM_QA-CLASS
    loadbalance vip inservice
    loadbalance policy AHM_QA-CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 10
    ssl-proxy server sanovia-ssl-proxy
interface vlan 10
  ip address 10.99.0.17 255.255.255.0
  peer ip address 10.99.0.11 255.255.255.0
  nat-pool 1 10.99.0.13 10.99.0.13 netmask 255.255.255.255 pat
  service-policy input POLICY
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.99.0.1
========================================================================================
CSS - Context 1 ( another VIP)
=======================
rserver host qaahmapp1-8080
  ip address 10.99.1.217
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host sanovia.qaahm.postssl
  rserver qaahmapp1-8080 8080
    conn-limit max 4000000 min 4000000
    inservice
parameter-map type http HTTP_PARAMETER_MAP
  persistence-rebalance
sticky http-cookie ACE_Cookie qanovia.qaahm.postssl-STICKY
  cookie insert
  serverfarm sanovia.qaahm.postssl
  timeout 45
  replicate sticky
class-map match-all sanovia.qaahm.postssl_CLASS
  2 match virtual-address 10.99.1.76 tcp eq 8080
policy-map type loadbalance first-match sanovia.qaahm.postssl_CLASS-l7slb
  class class-default
    sticky-serverfarm qanovia.qaahm.postssl-STICKY
policy-map multi-match POLICY
  class sanovia.qaahm.postssl_CLASS
    loadbalance vip inservice
    loadbalance policy sanovia.qaahm.postssl_CLASS-l7slb
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 20
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
interface vlan 20
  ip address 10.99.1.240 255.255.255.0
  alias 10.99.1.241 255.255.255.0
  nat-pool 1 10.99.1.221 10.99.1.221 netmask 255.255.255.255 pat
  nat-pool 2 10.99.1.220 10.99.1.220 netmask 255.255.255.255 pat
  no shutdown
=============================================================================
I have configured two VLANs in the CAT6k, i.e. VLAN 10 & VLAN 20, with the following IPs as mentioned in the routes on the ACE:
10.99.0.1 & 10.99.1.1
Also configured only the final rserver 10.99.1.217 under VLAN 20.... This made all the VIPs and rservers come up.. but still I couldn't get the required page... There is a small confusion in the first context, as the VIP is shown as https, but I don't see any cert and key in the customer config, so I made it http for my test... But the second context VIP is https, where I have added the certs and key as required....
Let me know if I am missing anything here.... Many thanks in advance...
thanks
Martin