08-22-2012 03:13 AM
Hi
I'd appreciate any input to a few things I'm trying to understand for ACE loadbalancing.
Persistence loadbalancing. My understanding from
is that with persistence loadbalancing disabled, GETs in the same TCP connection go to the same server, but if there is any header insertion such as source IP then this is only done on the 1st GET and subsequent ones, although sent to the same server, will have no header insertion.
Enabled and strict modes seem to be much the same in that header insertion is done on all GETs. Good, that's what I want. I want to see the source address all the time.
But in the same document there is a caveat about NTLM and that with NTLM you should disable persistence loadbalancing. This seems to imply to me that enabled and strict modes would not send the traffic to the same server, hence resulting in an NTLM reauthentication requirement. And it also seems to imply that if you use NTLM you cannot insert the source address in all GETs.
Is that correct?
This seems to explain it a bit better, but if the caveat about NTLM in the Cisco doc is correct then we don't seem to be able to use NTLM with a method that inserts the source IP.
http://datacenteroverlords.com/2012/05/17/cisco-ace-insert-client-ip-address/
Is there any difference in using an action list to do the header insertion and just using an insert-http command in the load balance policy as in the 2nd URL above? I've seen both methods used. Is there any difference or is it just different ways to do the same thing?
With HTTP deep inspection, what is achieved, if anything, with a policy that matches all but doesn't seem to do much else? I've seen deep inspection policies on ASAs where they look at certain HTTP parameters, but what does something like the following achieve?
policy-map type inspect http match-all INSPECT_HTTP
class class-default
permit
Does this just look at all HTTP traffic for malformed traffic or does it, as it first appears, not really do much? Would this look at any HTTP traffic such as non-standard ports or just port 80 traffic?
Many thanks. St.
08-22-2012 03:54 AM
Hi,
Please find answers below.
Persistence loadbalancing. My understanding from
is that with persistence loadbalancing disabled, GETs in the same TCP connection go to the same server, but if there is any header insertion such as source IP then this is only done on the 1st GET and subsequent ones, although sent to the same server, will have no header insertion.
Enabled and strict modes seem to be much the same in that header insertion is done on all GETs. Good, that's what I want. I want to see the source address all the time.
But in the same document there is a caveat about NTLM and that with NTLM you should disable persistence loadbalancing. This seems to imply to me that enabled and strict modes would not send the traffic to the same server, hence resulting in an NTLM reauthentication requirement. And it also seems to imply that if you use NTLM you cannot insert the source address in all GETs.
Is that correct?
Persistence rebalance only does a rebalance when needed.
'persistence-rebalance strict' forces a rebalance for all requests.
To insert a header for each request, you should configure the below command, and it doesn't work with persistence-rebalance.
(config-parammap-http)# header modify ?
per-request This is applicable for every request/response
(config-parammap-http)# header modify per-request ?
Is there any difference in using an action list to do the header insertion and just using an insert-http command in the load balance policy as in the 2nd URL above? I've seen both methods used. Is there any difference or is it just different ways to do the same thing?
The difference is that an action-list is more comprehensive: you can insert in both request and response, but for the insert-http command under a class, I believe you can only insert it in the request.
Does this just look at all HTTP traffic for malformed traffic or does it, as it first appears, not really do much? Would this look at any HTTP traffic such as non-standard ports or just port 80 traffic?
It inspects all HTTP traffic on port 80.
The security features covered by HTTP application inspection are as follows:
•RFC compliance monitoring and RFC method filtering
•Content, URL, and HTTP header length checks
•Transfer-encoding methods
•Content type verification and filtering
•Port 80 misuse
Regards,
Siva
08-22-2012 05:37 AM
Thanks Siva
Perhaps part of my question should have been: what exactly is persistence loadbalance, and under what circumstances do we use it and its two modes, enabled and strict?
Thanks, St.
08-22-2012 07:46 AM
With Persistence Rebalance
When the first HTTP request comes in, the ACE will match the request to a layer-7 class-map and load balance it to one of the servers within the serverfarm associated with that class-map.
The ACE will then also match all subsequent requests on the same TCP connection to a layer 7 class-map. If the subsequent request matches the same layer 7 class-map as the previous request, then it will be sent to the same server as the previous request. If it matches a different layer 7 class-map, then it will be load balanced to one of the servers within the serverfarm of the newly matched layer-7 class-map according to the serverfarm's predictor.
With the Persistence Rebalance Strict
When the first HTTP request comes in, the ACE will match the request to a layer-7 class-map and load balance it to one of the servers within the serverfarm associated with that class-map.
The ACE will then also match all subsequent requests on the same TCP connection to a layer 7 class-map. Even if the subsequent request matches the same layer 7 class-map as the previous request, it will still be load balanced across the servers within the same serverfarm according to the predictor, so it may go to a different server in the farm. If it matches a different layer 7 class-map, then it will be load balanced to one of the servers within the serverfarm of the newly matched layer-7 class-map. With the Strict feature, EVERY request will be load balanced, whether it is using the same serverfarm as the previous request or not.
08-22-2012 09:18 AM
Excuse my ignorance here. ACEs are pretty new to me.
Based on the fact that the L7 class map only has a class class-default, there is no L7 granularity in the class map, and all traffic matches class-default, then there would seem to be no difference between persistence rebalance off or on. The only difference would be in strict mode where every request is load balanced.
So with only class class-default, all traffic on the same connection with rebalance disabled or enabled would go to the same server?
If we have a granular L7 class-map then
rebalance disabled sends traffic to the same server.
rebalance enabled MAY, depending on the class-map, send the traffic to a different server.
Is that correct?
Thanks, St.
08-22-2012 11:56 AM
That's correct.
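As an added example, not configuration from this thread or the linked article, here is an ACE configuration that ties together the points discussed above: action-list versus insert-http insertion of the client source IP, the per-request parameter-map setting Siva mentions, and two L7 class-maps so that non-strict persistence-rebalance has something to rebalance. The VIP address, serverfarm, rserver, class-map and policy names are assumed.

```text
! Added example, not configuration from this thread or the linked article.
! Assumed names: VIP 10.0.0.10, serverfarms APP1_FARM/APP2_FARM, rservers WEB1/WEB2.
! Lines starting with "!" are annotations; drop them when pasting into the ACE.
serverfarm host APP1_FARM
  rserver WEB1 80
    inservice
serverfarm host APP2_FARM
  rserver WEB2 80
    inservice
! Two L7 class-maps: a later request on the same TCP connection that matches the
! other class-map is the only case where non-strict persistence-rebalance moves
! it to another serverfarm; with only class-default, off and on behave alike.
class-map type http loadbalance match-all L7_APP1
  2 match http url /app1/.*
class-map type http loadbalance match-all L7_APP2
  2 match http url /app2/.*
! Action-list insertion: works for request, response or both; "%is" expands
! to the client source IP, which is what the server-side logs need.
action-list type modify http ADD_XFF
  header insert request X-Forwarded-For header-value "%is"
parameter-map type http HTTP_PARAMMAP
  ! Per Siva's answer: insert on every request, not combined with persistence-rebalance.
  header modify per-request
  ! Alternative, instead of the line above: persistence-rebalance strict
policy-map type loadbalance first-match LB_POLICY
  class L7_APP1
    serverfarm APP1_FARM
    action ADD_XFF
  class L7_APP2
    serverfarm APP2_FARM
    ! Request-only form from the linked article, equivalent here to the action-list
    insert-http X-Forwarded-For header-value "%is"
class-map match-all VIP_HTTP
  2 match virtual-address 10.0.0.10 tcp eq www
policy-map multi-match VIP_POLICY
  class VIP_HTTP
    loadbalance vip inservice
    loadbalance policy LB_POLICY
    appl-parameter http advanced-options HTTP_PARAMMAP
```

Verify the result on a backend by checking that every request on a kept-alive connection, not just the first, arrives with X-Forwarded-For set to the client address.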
08-22-2012 01:08 PM
Thanks again Siva.
Currently following your Ask the Expert event, so I expect I'll pick up some more good stuff.
St.