Solved: ACE redirect from port 80 to port 8080

jcarvalh · ‎02-16-2012

Hello.

In ACE module I am trying to redirect traffic (80 to 8080). The thing is that my VIP receives traffic in port 80, 8080 and 443 and I want to redirect only http traffic.

I have tried the following config:

access-list http extended permit tcp any any eq www

serverfarm host A

rserver 10.0.0.1

inservice

rserver 10.0.0.2

inservice

serverfarm host A-80to8080

rserver 10.0.0.1 8080

inservice

rserver 10.0.0.2 8080

inservice

class-map match-any VIP

100 match virtual-address 1.1.1.1 any

class HTTP

10 match access-list http

policy-map type loadbalance first-match A

class HTTP

serverfam A-80to8080

class class-default

serverfarm A

The thing is that the class HTTP is not acepted. Does anyone know if it is possible to loadbalance traffic based on an ACL? I have also tried port numbers on class HTTP and it didn´t worked also.

Best regards,

Joao Carvalho

Daniel Arrondo Ostiz · ‎02-16-2012

Hi Joao,

You should configure two separate VIPs. One for port 80 doing the redirection and one for port 8080 load-balancing the traffic.

Regards

Daniel

View solution in original post

mgalazka · ‎02-16-2012

Hi Joao,

You could try to accomplish this by doing something like the below config? Basically create two different LB policies - one for straight through, one for PAT.

Alternatively, if you are OK with a non-transparent redirect, you could create a rserver type redirect to handle the port 80 to 8080 redirect. This would throw a 302 redirect at the user's browser, thus immediately transferring them to port 8080 on the VIP.

Anyway, here is a quick example of the first option.

class-map match-any VIP1
 2 match virtual-address 1.1.1.1 tcp eq 8080
 3 match virtual-address 1.1.1.1 tcp eq 443
 class-map match-any VIP2
 2 match virtual-address 1.1.1.1 tcp eq 80
 policy-map type loadbalance first-match VIP1-POLICY
  class class-default
   serverfarm A
policy-map type loadbalance first-match VIP2-POLICY
 class class-default
  serverfarm A-80to8080
policy-map multi-match INTERFACE-LB-POLICY
 class VIP1
  loadbalance vip inservice
  loadbalance policy VIP1-POLICY
 class VIP2
  loadbalance vip inservice
  loadbalance policy VIP2-POLICY

Hope this helps!

Matt

View solution in original post

Daniel Arrondo Ostiz · ‎02-16-2012

Hi Joao,

You should configure two separate VIPs. One for port 80 doing the redirection and one for port 8080 load-balancing the traffic.

Regards

Daniel

mgalazka · ‎02-16-2012

Hi Joao,

You could try to accomplish this by doing something like the below config? Basically create two different LB policies - one for straight through, one for PAT.

Alternatively, if you are OK with a non-transparent redirect, you could create a rserver type redirect to handle the port 80 to 8080 redirect. This would throw a 302 redirect at the user's browser, thus immediately transferring them to port 8080 on the VIP.

Anyway, here is a quick example of the first option.

class-map match-any VIP1
 2 match virtual-address 1.1.1.1 tcp eq 8080
 3 match virtual-address 1.1.1.1 tcp eq 443
 class-map match-any VIP2
 2 match virtual-address 1.1.1.1 tcp eq 80
 policy-map type loadbalance first-match VIP1-POLICY
  class class-default
   serverfarm A
policy-map type loadbalance first-match VIP2-POLICY
 class class-default
  serverfarm A-80to8080
policy-map multi-match INTERFACE-LB-POLICY
 class VIP1
  loadbalance vip inservice
  loadbalance policy VIP1-POLICY
 class VIP2
  loadbalance vip inservice
  loadbalance policy VIP2-POLICY

Hope this helps!

Matt

jcarvalh · ‎02-16-2012

Hello.

Thanks for your replies but I tried something diferent and it works.

I have made the following config:

class-map type http loadbalance match-any HTTP
match http header Host header-value .*

policy-map type loadbalance first-match A-SF
class HTTP
serverfarm A-80to8080
class class-default
serverfarm A

In this way all http traffic is redirected to 8080; since ACE is making an inspection to the packet it will redirect all HTTP traffic regardless of the destination port (in my case the firewall is only allowing http, https and 8080 so no one will notice this)

Once again thanks for your replies.

Joao