ACE20 persistence rebalance and deep inspection

eagles-nest
Level 1

Hi

I'd appreciate any input to a few things I'm trying to understand for ACE loadbalancing.

Persistence loadbalancing.  My understanding from

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1062907

is that with persistence loadbalancing disabled GETs in the same TCP connection go to the same server but if there is any header insertion such as source IP then this is only done on the 1st GET and subsequent ones, although sent to the same server, will have no header insertion.

Enabled and strict mode seem to be much the same in that header insertion is done on all GETs.  Good, that's what I want.  I want to see the source address all the time.

But in the same document there is a caveat about NTLM and that with NTLM you should disable persistence loadbalancing.  This seems to imply to me that enabled and strict modes would not send the traffic to the same server, hence resulting in an NTLM reauthentication requirement.  And it also seems to imply that if you use NTLM you cannot insert the source address in all GETs.

Is that correct ?

This seems to explain a bit better but if the caveat about NTLM in the cisco doc is correct then we don't seem to be able to use NTLM with a method that inserts the source IP.

http://datacenteroverlords.com/2012/05/17/cisco-ace-insert-client-ip-address/

Is there any difference in using an action list to do the header insertion and just using an insert-http command in the load balance policy as in the 2nd URL above ?  I've seen both methods used.  Is there any difference or is it just different ways to do the same thing ?

With http deep inspection what is achieved, if anything, with a policy that matches all but doesn't seem to do much else ?  I've seen deep inspection policies on ASAs where they look at certain HTTP parameters but what does something like the following achieve ?

policy-map type inspect http match-all INSPECT_HTTP
  class class-default
    permit

Does this just look at all http traffic for malformed traffic or does it, as it first appears, not really do much ?  Would this look at any http traffic such as non standard ports or just port 80 traffic ?

Many thanks.  St.


sivaksiv
Cisco Employee

Hi,

Please find answers below.

Persistence loadbalancing.  My understanding from

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1062907

is that with persistence loadbalancing disabled GETs in the same TCP connection go to the same server but if there is any header insertion such as source IP then this is only done on the 1st GET and subsequent ones, although sent to the same server, will have no header insertion.

Enabled and strict mode seem to be much the same in that header insertion is done on all GETs.  Good, that's what I want.  I want to see the source address all the time.

But in the same document there is a caveat about NTLM and that with NTLM you should disable persistence loadbalancing.  This seems to imply to me that enabled and strict modes would not send the traffic to the same server, hence resulting in an NTLM reauthentication requirement.  And it also seems to imply that if you use NTLM you cannot insert the source address in all GETs.

Is that correct ?

Persistent rebalance only does a rebalance when needed.

'persistent rebalance  strict' forces to rebalance for all requests.

To insert the header for each request, you should configure the below command, and it doesn't work with persistence-rebalance.

(config-parammap-http)# header modify ?
  per-request  This is applicable for every request/response

(config-parammap-http)# header modify per-request ?

Is there any difference in using an action list to do the header insertion and just using an insert-http command in the load balance policy as in the 2nd URL above ?  I've seen both methods used.  Is there any difference or is it just different ways to do the same thing ?

The difference is that action-list is more comprehensive, you can insert in both request and response, but for insert-http cmd under class, I believe you can only insert it in request.

Does this just look at all http traffic for malformed traffic or does it, as it first appears, not really do much ?  Would this look at any http traffic such as non standard ports or just port 80 traffic ?

It inspects all http traffic on port 80.

The security features covered by HTTP application inspection are as follows:

RFC compliance monitoring and RFC method filtering

Content, URL, and HTTP header length checks

Transfer-encoding methods

Content type verification and filtering

Port 80 misuse

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/security/guide/appinsp.html#wp1324742

Regards,
Siva
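The five inspection categories Siva lists above, modelled as a small request checker so the effect of an inspect policy with only "class class-default / permit" is concrete. This is an added example, not ACE code and not part of the thread; the allow-lists, length limits and sample requests are constructed for illustration, and the checks are a simplified model of RFC compliance monitoring, method filtering, URL/header/content length checks, transfer-encoding checks, content-type filtering and port-80 misuse (non-HTTP bytes arriving on the HTTP port).

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed policy values for this example; ACE's real defaults are not stated in the thread.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
ALLOWED_TRANSFER_ENCODINGS = {"chunked", "identity"}
ALLOWED_CONTENT_TYPES = {"text/html", "application/json",
                         "application/x-www-form-urlencoded"}
MAX_URL_LEN = 256            # URL length check
MAX_HEADER_LEN = 512         # per-header length check
MAX_CONTENT_LEN = 1_000_000  # declared body length check


@dataclass
class Verdict:
    permitted: bool
    violations: List[str]


def inspect_request(raw: bytes) -> Verdict:
    """Return a Verdict for one raw HTTP request (head plus optional body)."""
    violations: List[str] = []
    head, _, body = raw.partition(b"\r\n\r\n")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        # Port 80 misuse: binary that is not HTTP at all
        return Verdict(False, ["non-ASCII bytes in request head (not HTTP)"])
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    # RFC compliance: request line must be exactly "METHOD SP target SP version"
    if len(parts) != 3 or parts[2] not in ALLOWED_VERSIONS:
        return Verdict(False, [f"malformed or non-HTTP request line: {lines[0]!r}"])
    method, url, version = parts
    # RFC method filtering
    if method not in ALLOWED_METHODS:
        violations.append(f"method {method} not permitted")
    # URL length check
    if len(url) > MAX_URL_LEN:
        violations.append(f"URL length {len(url)} exceeds {MAX_URL_LEN}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        # Header length check
        if len(line) > MAX_HEADER_LEN:
            violations.append(f"header longer than {MAX_HEADER_LEN} bytes: {line[:20]!r}...")
        if ":" not in line:
            violations.append(f"malformed header line: {line!r}")
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    # RFC compliance: HTTP/1.1 requires a Host header
    if version == "HTTP/1.1" and "host" not in headers:
        violations.append("HTTP/1.1 request without Host header")
    # Transfer-encoding method check
    te = headers.get("transfer-encoding")
    if te is not None and te.lower() not in ALLOWED_TRANSFER_ENCODINGS:
        violations.append(f"transfer-encoding {te!r} not permitted")
    # Content length check
    cl = headers.get("content-length")
    if cl is not None:
        if not cl.isdigit():
            violations.append(f"non-numeric Content-Length {cl!r}")
        elif int(cl) > MAX_CONTENT_LEN:
            violations.append(f"Content-Length {cl} exceeds {MAX_CONTENT_LEN}")
    if te is not None and cl is not None:
        violations.append("both Transfer-Encoding and Content-Length present (ambiguous body length)")
    # Content type verification and filtering (only meaningful when a body is present)
    if body:
        ct = headers.get("content-type", "").split(";")[0].strip().lower()
        if ct not in ALLOWED_CONTENT_TYPES:
            violations.append(f"content-type {ct!r} not permitted for a request with a body")
    return Verdict(not violations, violations)


# Constructed sample traffic
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nAccept: text/html\r\n\r\n"
BAD_REQUEST = (b"TRACE /x HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: gzip\r\n"
               b"Content-Length: 5\r\nContent-Type: text/plain\r\n\r\nhello")
NOT_HTTP = b"SSH-2.0-OpenSSH_8.9\r\n"   # something tunnelled over the HTTP port

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST), ("not-http", NOT_HTTP)):
        print(name, inspect_request(req))
```

The point the checker makes is that a permit-everything inspect policy still has work to do: every request is parsed, and anything that fails the structural checks is caught before it reaches the serverfarm, which is what the "permit" action under class-default is applied to.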

Thanks Siva

Perhaps part of my question should have been what exactly is persistent loadbalance and under what circumstances do we use it and its two modes, just enabled and strict ?

Thanks, St.


With Persistence Rebalance

When the first HTTP request comes in, the ACE will match the request to a layer-7 class-map and load balance it to one of the servers within the serverfarm associated with that class-map.

The ACE will then also match all subsequent requests on the same TCP connection to a layer 7 class-map.  If the subsequent request matches the same layer 7 class-map as the previous request, then it will be sent to the same server as the previous request.  If it matches a different layer 7 class-map, then it will be load balanced to one of the servers within the serverfarm of the newly matched layer-7 class-map according to the serverfarm's predictor.

With the Persistence Rebalance Strict

When the first HTTP request comes in, the ACE will match the request to a layer-7 class-map and load balance it to one of the servers within the serverfarm associated with that class-map.

The ACE will then also match all subsequent requests on the same TCP connection to a layer 7 class-map.  Even if the subsequent request matches the same layer 7 class-map as the previous request, it will still be load balanced across the servers within the same serverfarm according to the predictor, so it may go to a different server in the farm.  If it matches a different layer 7 class-map, then it will be load balanced to one of the servers within the serverfarm of the newly matched layer-7 class-map.  With the Strict feature, EVERY request will be load balanced, whether it is using the same serverfarm as the previous request or not.

Excuse my ignorance here.  ACEs are pretty new to me.

Based on the fact that the L7 class map only has a class class-default, there is no L7 granularity in the class map, and all traffic matches class-default, then there would seem to be no difference between persistence rebalance off or on.  The only difference would be in strict mode where every request is load balanced.

So with only class class-default all traffic on the same connection with rebalance disabled or enabled would go to the same server ?

If we have a granular L7 class-map then

rebalance disabled sends traffic to the same server.

rebalance enabled MAY, depending on the class-map, send the traffic to a different server.

Is that correct ?

Thanks, St.

That's correct.
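The three behaviours described in the "With Persistence Rebalance" / "Strict" explanation above, and confirmed in the summary just before this reply, as a small simulation of one TCP connection carrying four GETs. This is an added example, not ACE code and not from anyone in the thread; the class-map names, serverfarm names, URL matches and the round-robin predictor are all constructed assumptions (the thread only says "according to the predictor"). It covers the general case with a granular L7 class-map alongside class-default, so the "enabled" mode actually has something to rebalance on.

```python
from itertools import cycle
from typing import Callable, List, Optional, Tuple


class ServerFarm:
    """A serverfarm whose predictor hands out servers round-robin (assumed predictor)."""

    def __init__(self, name: str, servers: List[str]):
        self.name = name
        self._predictor = cycle(servers)

    def pick(self) -> str:
        return next(self._predictor)


class ClassMap:
    """A layer-7 class-map: a URL match plus the serverfarm its policy sends traffic to."""

    def __init__(self, name: str, farm: ServerFarm, match: Callable[[str], bool]):
        self.name, self.farm, self.match = name, farm, match


def l7_classify(class_maps: List[ClassMap], url: str) -> ClassMap:
    """First class-map whose match fires; the last entry is expected to be class-default."""
    for cm in class_maps:
        if cm.match(url):
            return cm
    raise LookupError(f"no class-map matched {url!r}")


def route_connection(class_maps: List[ClassMap], urls: List[str],
                     mode: str) -> List[Tuple[str, str]]:
    """Decide (class-map, server) for each request on ONE TCP connection.

    mode: 'disabled' -> only the first request is balanced; the rest follow it
          'enabled'  -> re-classify every request; rebalance only if the class-map changes
          'strict'   -> re-classify and rebalance every request
    """
    if mode not in ("disabled", "enabled", "strict"):
        raise ValueError(f"unknown mode {mode!r}")
    decisions: List[Tuple[str, str]] = []
    prev_cm: Optional[ClassMap] = None
    prev_server: Optional[str] = None
    for url in urls:
        if mode == "disabled" and prev_server is not None:
            cm, server = prev_cm, prev_server        # stick with the first decision
        else:
            cm = l7_classify(class_maps, url)
            if mode == "enabled" and cm is prev_cm:
                server = prev_server                  # same class-map: same server
            else:
                server = cm.farm.pick()               # rebalance via the predictor
        decisions.append((cm.name, server))
        prev_cm, prev_server = cm, server
    return decisions


def demo(mode: str) -> List[Tuple[str, str]]:
    """Constructed topology; fresh farms per call so round-robin state does not leak."""
    images = ServerFarm("IMG-FARM", ["img1", "img2"])
    web = ServerFarm("WEB-FARM", ["web1", "web2"])
    class_maps = [
        ClassMap("L7-IMAGES", images, lambda u: u.startswith("/images/")),
        ClassMap("class-default", web, lambda u: True),
    ]
    # Four GETs on the same TCP connection (constructed sample).
    urls = ["/index.html", "/app/login", "/images/logo.png", "/app/home"]
    return route_connection(class_maps, urls, mode)


if __name__ == "__main__":
    for mode in ("disabled", "enabled", "strict"):
        print(f"{mode:9s}", demo(mode))
```

Running it shows the three cases side by side: with rebalance disabled all four requests stay on web1 regardless of URL; with rebalance enabled the image request moves to the image farm and the request after it is balanced afresh because the class-map changed back; with strict every request is handed to the predictor, so even consecutive class-default requests alternate between web1 and web2. Drop the L7-IMAGES entry and the disabled and enabled outputs become identical, which is the "only class class-default" case asked about above.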

Thanks again Siva.

Currently following your Ask the Expert event so I expect I'll pick up some more good stuff.

St.