
Applying ACE connection parameter map?

pattyj
Beginner

How do I apply the connection parameter map in a configuration like this to the service policy int827?  Do I need to define the traffic?  Can I specify only one source destination flow to apply the set tcp half-closed TCP normalization against?

Any help would be appreciated.

Thank you all,

Jon

policy-map type loadbalance first-match wss-1100-l7slb
  class class-default
    sticky-serverfarm sticky-srcip-1100

policy-map type loadbalance first-match wss-1101-l7slb
  class class-default
    sticky-serverfarm sticky-srcip-1101

parameter-map type connection TCPIP_PARAM_MAP
  set tcp timeout half-closed 180

policy-map multi-match int827
  class wss-1100
    loadbalance vip inservice
    loadbalance policy wss-1100-l7slb
  class wss-1101
    loadbalance vip inservice
    loadbalance policy wss-1101-l7slb

interface vlan 827
  bridge-group 1
  no normalization
  access-group input etherany
  access-group input ip-any-any
  access-group output ip-any-any
  service-policy input mgmt
  service-policy input int827
  no shutdown

interface vlan 828
  bridge-group 1
  no normalization
  access-group input etherany
  access-group input ip-any-any
  access-group output ip-any-any
  no shutdown


interface bvi 1
  mac-address autogenerate
  ip address x.x.x.6 255.255.255.0
  peer ip address x.x.x.7 255.255.255.0
  no shutdown

ip route 0.0.0.0 0.0.0.0 x.x.x.1


Andrew Nam
Beginner

Yes, you always need to define interesting traffic to apply the connection parameter-map. If you apply "tcp timeout half-closed" to any traffic, then you need to define a class-map with 0.0.0.0. If you want to apply the "tcp timeout half-closed" to the current class-map, then you can associate it with a multi-match policy map as below:

The service policy always applies to the incoming interface.

......

parameter-map type connection TCPIP_PARAM_MAP
  set tcp timeout half-closed 180

policy-map multi-match int827
  class wss-1100
    loadbalance vip inservice
    loadbalance policy wss-1100-l7slb
    connection advanced-options TCPIP_PARAM_MAP
  class wss-1101
    loadbalance vip inservice
    loadbalance policy wss-1101-l7slb
    connection advanced-options TCPIP_PARAM_MAP

......

Just one more side note for the timeout parameter. The timeout value (default or otherwise) remains the same irrespective of normalization or no norm.

If you have a parameter map configured for timeout then it should still take effect when you have normalization disabled.

The only difference is that with normalization enabled, ACE will send a reset back after the timeout expires and will silently drop it when no norm is configured.

regards

Andrew
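
An added example, not part of either post above: a small Python check that reads an ACE configuration and reports, for each class in a multi-match policy map, which connection parameter map it references. The sample configuration is constructed from the listings in this thread, the function name `audit` is hypothetical, and the parser assumes nested lines are indented as in those listings.

```python
import re

# Constructed sample, adapted from the configuration in this thread;
# class wss-1101 deliberately has no "connection advanced-options" line.
SAMPLE = """\
parameter-map type connection TCPIP_PARAM_MAP
  set tcp timeout half-closed 180
policy-map type loadbalance first-match wss-1100-l7slb
  class class-default
    sticky-serverfarm sticky-srcip-1100
policy-map multi-match int827
  class wss-1100
    loadbalance vip inservice
    loadbalance policy wss-1100-l7slb
    connection advanced-options TCPIP_PARAM_MAP
  class wss-1101
    loadbalance vip inservice
    loadbalance policy wss-1101-l7slb
interface vlan 827
  service-policy input int827
"""

NO_MAP, NO_NAME = "no parameter-map", "missing name"

def audit(config):
    """Return {(policy, class): status} for each class of a multi-match policy."""
    param_maps, results = set(), {}
    policy = cls = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line starts a new block
            policy = cls = None
            if m := re.match(r"parameter-map type connection (\S+)$", line):
                param_maps.add(m.group(1))
            elif m := re.match(r"policy-map multi-match (\S+)$", line):
                policy = m.group(1)
        elif policy:  # only classes inside a multi-match policy are audited
            if m := re.match(r"class (\S+)", line):
                cls = m.group(1)
                results[(policy, cls)] = NO_MAP
            elif cls and (m := re.match(r"connection advanced-options(?: (\S+))?$", line)):
                results[(policy, cls)] = m.group(1) or NO_NAME
    # A referenced name must match a defined connection parameter map.
    for key, ref in results.items():
        if ref not in (NO_MAP, NO_NAME) and ref not in param_maps:
            results[key] = "undefined: " + ref
    return results
```
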
