09-07-2012 01:38 PM
I'm having a (from google-fu) seemingly unique issue with load balancing.
So for background, I am running the ACE 4710 device in "on a stick" mode, so I am using NAT and all that good stuff. I am also utilizing class maps and host header matching so I can save on IP space.
(so www.mainsite.com and mainsite.com go to one serverfarm, services.mainsite.com go to another, mobile.mainsite.com go to another, etc)
The multi-match policy looks like this:
policy blah blah multi-match on the interface
  class VIP_MAINSITE_WILDCARD
    loadbalance vip inservice
    loadbalance policy L7_POLICY_MAINSITE_WILDCARD
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 205
    appl-parameter http advanced-options HTTP_PARAMETER_MAP
The policy map looks like this:
policy-map type loadbalance first-match L7_POLICY_MAINSITE_WILDCARD
  class L7_CLASS_MAINSITE_COM_NOCOMPRESS
    sticky-serverfarm STICKY_IP_MAINSITE_COM
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_MAINSITE_COM
    compress default-method gzip
    sticky-serverfarm STICKY_IP_MAINSITE_COM
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_BETA_MAINSITE_COM_NOCOMPRESS
    sticky-serverfarm STICKY_IP_beta.mainsite.com
    insert-http X-Forwarded-For header-value "%is"
  class L7_CLASS_BETA_MAINSITE_COM
    compress default-method gzip
    sticky-serverfarm STICKY_IP_beta.mainsite.com
    insert-http X-Forwarded-For header-value "%is"
Class maps are:
class-map type http loadbalance match-all L7_CLASS_MAINSITE_COM
  2 match class-map L7_CLASS_MAINSITE_COM_VHOSTS   <-- this is just a match-any class map with www.mainsite.com and mainsite.com as hosts
class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  2 match class-map L7_CLASS_beta.mainsite.com-vhosts   <-- just matches beta.mainsite.com and betatest.mainsite.com
and the no-compress ones also include the default MIME types class map.
The class-map for the VIP looks like this:
class-map match-any VIP_MAINSITE_WILDCARD
  2 match virtual-address 10.0.205.23 tcp eq www
So... finally, to the crux: what I am trying to do is be able to limit the IP addresses that can access the beta site.
So I thought I would add
class-map type http loadbalance match-any ACL_CLASS_beta.mainsite.com
  match source-address 10.0.0.0 255.0.0.0   <-- our internal IP range (we are on a site-to-site VPN with the datacenter so it's all internal traffic)
  match source-address x.x.x.x   <-- vendor A, and so on
And then apply that class map like so
class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  4 match class-map L7_CLASS_beta.mainsite.com-vhosts
  5 match class-map ACL_CLASS_beta.mainsite.com
Basically, as soon as I add that ACL_CLASS_beta.mainsite.com class map, all I get back from the ACE is RST packets, and it comes back with an L7 LB Policy Miss.
It SEEMS like it should work, but it doesn't seem to like matching on those source addresses at all.
Maybe I'm going about this the wrong way? Any insight would be pretty awesome. Thanks.
09-10-2012 07:49 PM
Hey Luke,
It looks like you are mixing many things here, and probably that's why it is not working.
class-map type http loadbalance match-all L7_CLASS_BETA_MAINSITE_COM
  4 match class-map L7_CLASS_beta.mainsite.com-vhosts
  5 match class-map ACL_CLASS_beta.mainsite.com
Since you are matching with a "match-all" statement (which works as "AND"), you need to match both things at the same time to continue and work properly.
Can you upload the config of class-map L7_CLASS_beta.mainsite.com-vhosts and class-map ACL_CLASS_beta.mainsite.com?
In case you just need to match any of those policies, you may try with a "match-any" instead of a "match-all".
Can you upload # show stats http and # show service-policy?
Jorge
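As an added illustration (not part of the thread and not the ACE's own classifier), here is a small Python model of how the nested match-all (AND) and match-any (OR) class maps from this thread combine against a request's Host header and client source IP, and what a first-match policy returns when nothing matches. The vendor range 203.0.113.0/24 and the test source addresses are constructed placeholders.

```python
# Added example: a model of ACE-style nested class maps combining under
# match-all (AND) and match-any (OR), evaluated against the HTTP Host
# header and the client source IP. Not the ACE's real implementation.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ClassMap:
    name: str
    mode: str                                       # "match-all" or "match-any"
    hosts: list = field(default_factory=list)       # match http header Host
    sources: list = field(default_factory=list)     # match source-address (CIDR)
    subclasses: list = field(default_factory=list)  # match class-map ...

    def matches(self, host, src_ip):
        ip = ipaddress.ip_address(src_ip)
        results = [host == h for h in self.hosts]
        results += [ip in ipaddress.ip_network(n) for n in self.sources]
        results += [c.matches(host, src_ip) for c in self.subclasses]
        if not results:          # a class map with no match lines never matches
            return False
        return all(results) if self.mode == "match-all" else any(results)


def first_match(policy, host, src_ip):
    """Serverfarm of the first matching class, or None for an L7 policy miss
    (the case the thread reports as a RST from the ACE)."""
    for cm, serverfarm in policy:
        if cm.matches(host, src_ip):
            return serverfarm
    return None


# Class maps named as in the thread; 203.0.113.0/24 is a constructed "vendor A" range.
MAIN_VHOSTS = ClassMap("L7_CLASS_MAINSITE_COM_VHOSTS", "match-any",
                       hosts=["www.mainsite.com", "mainsite.com"])
BETA_VHOSTS = ClassMap("L7_CLASS_beta.mainsite.com-vhosts", "match-any",
                       hosts=["beta.mainsite.com", "betatest.mainsite.com"])
BETA_ACL = ClassMap("ACL_CLASS_beta.mainsite.com", "match-any",
                    sources=["10.0.0.0/8", "203.0.113.0/24"])
MAIN = ClassMap("L7_CLASS_MAINSITE_COM", "match-all", subclasses=[MAIN_VHOSTS])
BETA = ClassMap("L7_CLASS_BETA_MAINSITE_COM", "match-all",
                subclasses=[BETA_VHOSTS, BETA_ACL])
# first-match policy, in the order the classes appear in the thread
POLICY = [(MAIN, "STICKY_IP_MAINSITE_COM"), (BETA, "STICKY_IP_beta.mainsite.com")]

if __name__ == "__main__":
    for host, src in [("beta.mainsite.com", "10.1.2.3"), ("beta.mainsite.com", "198.51.100.7")]:
        print(host, src, "->", first_match(POLICY, host, src))
```

A beta request from inside 10.0.0.0/8 reaches the beta serverfarm, while the same Host from an address outside both ranges falls through every class and is a policy miss.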