ACE: Inter Server Farm Ping

andrenaude1
Level 1

Hi All, first some background: I inherited an ACE at a network I started supporting. On this ACE there are 2 serverfarms configured; both serverfarms are in their own VLANs, with their own different IP ranges and their own VIPs. So it's basically two separate serverfarms working totally separately from each other. The serverfarms' load balancing is working perfectly and there are no problems.

But now a requirement has come down the line where the servers in Vlan/Farm A need to see the VIP for Vlan/Farm B, but they can't.

Any server in Vlan/Farm A can ping/connect directly to any server in Vlan/Farm B, but it can't ping/connect to the VIP for Vlan/Farm B.

Anyone any ideas?

Marko Leopold
Level 1

First, I guess you have the ACL to permit everything working on every interface there.

Second, put the service-policy input command for your vip on the interfaces of your servers.

Err, I guess.

Here is a selectively edited config of the ACE. Maybe that can shed some more light on the problem.
It's the servers in Vlan 21, that can't see the vip for Vlan 20.

ADMIN

peer hostname ACE_2
hostname ACE_1

interface gigabitEthernet 1/1
  description uplink_CAT6500
  channel-group 5
  no shutdown
interface gigabitEthernet 1/2
  description uplink_CAT6500
  channel-group 5
  no shutdown
interface gigabitEthernet 1/3
  description uplink_CAT6500
  channel-group 5
  no shutdown
interface gigabitEthernet 1/4
  description uplink_CAT6500
  channel-group 5
  no shutdown
interface port-channel 5
  ft-port vlan 45
  switchport trunk native vlan 1
  switchport trunk allowed vlan 20-21,44
  no shutdown


access-list PERMIT_ALL line 10 extended permit ip any any

class-map type management match-any MGMT_CLASS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol https any
  7 match protocol snmp any
  8 match protocol xml-https any

policy-map type management first-match MGMT_POLICY
  class MGMT_CLASS
    permit

interface vlan 44
  description Outside_Vlan_4_Admin_contex_managment
  ip address 172.17.44.4 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input MGMT_POLICY
  no shutdown

ft interface vlan 45
  ip address 172.17.45.4 255.255.255.0
  peer ip address 172.17.45.5 255.255.255.0
  no shutdown

ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 45
  query-interface vlan 44

ip route 0.0.0.0 0.0.0.0 172.17.44.3

context C1
  description Contex1
  allocate-interface vlan 20-21
  allocate-interface vlan 44

ft group 1
  peer 1
  priority 200
  associate-context C1
  inservice

_________________________________________________________________
CONTEXT


access-list PERMIT_ALL line 10 extended permit ip any any
access-list PERMIT_ALL line 20 extended permit icmp any any

probe http HTTP
  interval 2
  passdetect interval 30
  open 5
probe icmp ICMP
  interval 2
  passdetect interval 30

rserver host FLXTEBAPROD01
  ip address 172.17.21.98
  inservice
rserver host FLXTEBAPROD02
  ip address 172.17.21.99
  inservice
rserver host IBM_P595_Ha
  ip address 172.17.20.46
  inservice
rserver host IBM_P595_Prod
  ip address 172.17.20.43
  inservice


serverfarm host 2ND_FARM
  probe ICMP
  rserver FLXTEBAPROD01
    inservice
  rserver FLXTEBAPROD02
    inservice
serverfarm host FARM
  probe ICMP
  rserver IBM_P595_Ha
    inservice
  rserver IBM_P595_Prod
    inservice

class-map match-any 2ND_FARM_VIP
  2 match virtual-address 172.17.21.200 any

class-map match-any FARM_VIP
  2 match virtual-address 172.17.20.70 any

class-map type management match-any MGMT_CLASS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any
  5 match protocol http any
  6 match protocol https any
  7 match protocol snmp any
  8 match protocol xml-https any

policy-map type management first-match MGMT_POLICY
  class MGMT_CLASS
    permit

policy-map type loadbalance first-match 2ND_FARM_VIP-SLB
  class class-default
    serverfarm 2ND_FARM

policy-map type loadbalance first-match FARM_VIP-SLB
  class class-default
    serverfarm FARM

policy-map multi-match farm-vips
  class FARM_VIP
    loadbalance vip inservice
    loadbalance policy FARM_VIP-SLB
    loadbalance vip icmp-reply active
 
  class 2ND_FARM_VIP
    loadbalance vip inservice
    loadbalance policy 2ND_FARM_VIP-SLB
    loadbalance vip icmp-reply active

interface vlan 20
  description Serverfarm Vlan
  ip address 172.17.20.1 255.255.255.0
  alias 172.17.20.3 255.255.255.0
  peer ip address 172.17.20.2 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input MGMT_POLICY
  no shutdown

interface vlan 21
  description 2nd Serverfarm Vlan
  ip address 172.17.21.1 255.255.255.0
  alias 172.17.21.3 255.255.255.0
  peer ip address 172.17.21.2 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input MGMT_POLICY
  no shutdown

interface vlan 44
  description Outside_Vlan
  ip address 172.17.44.6 255.255.255.0
  alias 172.17.44.8 255.255.255.0
  peer ip address 172.17.44.7 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input farm-vips
  service-policy input MGMT_POLICY
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.17.44.3


Anyone any idea?

Hello!

Please try this!

interface vlan 20
  description Serverfarm Vlan
  ip address 172.17.20.1 255.255.255.0
  alias 172.17.20.3 255.255.255.0
  peer ip address 172.17.20.2 255.255.255.0
  access-group input PERMIT_ALL

  service-policy input farm-vips
  service-policy input MGMT_POLICY
  no shutdown

interface vlan 21
  description 2nd Serverfarm Vlan
  ip address 172.17.21.1 255.255.255.0
  alias 172.17.21.3 255.255.255.0
  peer ip address 172.17.21.2 255.255.255.0
  access-group input PERMIT_ALL

  service-policy input farm-vips
  service-policy input MGMT_POLICY
  no shutdown

interface vlan 44
  description Outside_Vlan
  ip address 172.17.44.6 255.255.255.0
  alias 172.17.44.8 255.255.255.0
  peer ip address 172.17.44.7 255.255.255.0
  access-group input PERMIT_ALL
  service-policy input farm-vips
  service-policy input MGMT_POLICY
  no shutdown
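
A way to check this kind of coverage before changing a live context, as an added example that is not part of the original thread: the script maps each VLAN interface to the VIPs its input service-policies actually match. The config strings are abbreviated from the context config posted above; `vips_per_vlan` is a hypothetical helper that reads only per-interface `service-policy input` lines and the stanza types shown in this thread.

```python
import re

# Abbreviated from the context config posted in this thread (before the fix).
BEFORE = """\
class-map match-any 2ND_FARM_VIP
  2 match virtual-address 172.17.21.200 any
class-map match-any FARM_VIP
  2 match virtual-address 172.17.20.70 any
policy-map multi-match farm-vips
  class FARM_VIP
    loadbalance vip inservice
  class 2ND_FARM_VIP
    loadbalance vip inservice
interface vlan 20
  service-policy input MGMT_POLICY
interface vlan 21
  service-policy input MGMT_POLICY
interface vlan 44
  service-policy input farm-vips
  service-policy input MGMT_POLICY
"""

# Only these stanza types matter here; management/loadbalance maps are skipped.
STANZA = re.compile(r"(class-map match-\w+|policy-map multi-match|interface vlan) (\S+)")

def vips_per_vlan(config):
    """Map each interface VLAN to the VIPs its input service-policies match."""
    class_vips, policy_classes, vlan_policies = {}, {}, {}
    section = None  # (kind, name) of the top-level stanza being read
    for line in config.splitlines():
        if line and not line[0].isspace():  # a new top-level stanza starts
            m = STANZA.match(line)
            section = (m.group(1).split()[0], m.group(2)) if m else None
        elif line.strip() and section:
            kind, name = section
            words = line.split()
            if kind == "class-map" and "virtual-address" in words:
                class_vips.setdefault(name, []).append(words[words.index("virtual-address") + 1])
            elif kind == "policy-map" and words[0] == "class":
                policy_classes.setdefault(name, []).append(words[1])
            elif kind == "interface" and words[:2] == ["service-policy", "input"]:
                vlan_policies.setdefault(int(name), []).append(words[2])
    return {vlan: sorted(vip for p in pols for c in policy_classes.get(p, [])
                         for vip in class_vips.get(c, []))
            for vlan, pols in vlan_policies.items()}

# The fix from the reply above: attach farm-vips to the server VLANs as well.
AFTER = re.sub(r"(interface vlan 2[01]\n)", r"\1  service-policy input farm-vips\n", BEFORE)

if __name__ == "__main__":
    print(vips_per_vlan(BEFORE), vips_per_vlan(AFTER), sep="\n")
```

With the original config only VLAN 44 matches either VIP; after the change VLANs 20 and 21 match both, so review the permit-any ACL on those interfaces if the farms were meant to stay isolated.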

That's a WIN.

Thanks Man !

rjohnsoniv21
Level 1

I'm having a similar issue. I can get ping to work between two server farms on the same context, but not SMTP. Any ideas on how I could get SMTP to work between two farms?

Thanks in advance.

Let me ask my magic glass ball...it says..."Configure the right things!!!!" You know, your question is very open. What answers do you expect?
