08-03-2012 12:27 PM
With Sivakumar Sukumar
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Sivakumar Sukumar. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:
Sivakumar Sukumar is an experienced support engineer with the High Touch Technical Support content team, covering all Cisco content delivery network technologies including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), Cisco Content Switching Module, Cisco Content Services Switches, and other content products. He has been with Cisco for more than 2 years, working with major customers to help resolve their issues related to content products. He holds CCNP and DCASI certification.
Remember to use the rating system to let Sivakumar know if you have received an adequate response.
Sivakumar might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through August 24, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
08-22-2012 01:30 PM
Hi Akhtar,
I built a config that meets your requirement and tested working in my LAB.
Traffic that comes to CM_BYPASS_VIP with SRC IP 192.168.80.89 would be load balanced by PM_LB_SF_BCPROXY, and traffic coming from SRC IP 192.168.80.89 to any would be load balanced by PM_L7_BYPASS_SRC_IP.
==================== configuration ==============
rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice
serverfarm host SF_PLATTS
  transparent
  rserver PLATTS_APP
    inservice
serverfarm host SF_BCPR
  transparent
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
class-map match-any CM_BYPASS_VIP
  2 match virtual-address 10.10.10.10 any
  3 match virtual-address 20.20.20.20 any
  4 match virtual-address 30.30.30.30 any
  5 match virtual-address 40.40.40.40 any
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www
policy-map type loadbalance first-match PM_LB_SF_BCPROXY
  match test source-address 192.168.80.89 255.255.255.255
    sticky-serverfarm STICKY-SOURCE
policy-map type loadbalance first-match PM_L7_BYPASS_SRC_IP
  match test source-address 192.168.80.89 255.255.255.255
    serverfarm SF_PLATTS
policy-map multi-match NEW-POLICY
  class CM_BYPASS_VIP
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_SRC_IP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
int vlan 300
  service-policy input NEW-POLICY
Let me know if you have any questions.
Regards,
Siva
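A configuration of this shape has several layers of cross-references (rserver into serverfarm, serverfarm into sticky group, sticky group into loadbalance policy, policy into multi-match class, and the multi-match policy into the interface), and a typo in any one of them is rejected by the ACE CLI or silently leaves a VIP without a backend. The following script is an added example, not code from the thread or from Cisco: it parses an indented ACE-style running config into top-level blocks and reports every reference to an object that is not defined, with a hint when the name exists as a different object type. The embedded sample config is constructed for the example; it mirrors the thread's config but deliberately points `sticky-serverfarm` at a plain serverfarm and references a class-map that does not exist.

```python
"""Referential-integrity check for a Cisco ACE style running config.

Added example (not from the original thread). The sample config below is
constructed: it follows the thread's config but contains two deliberate
mistakes, `sticky-serverfarm SF_PLATTS` (SF_PLATTS is a serverfarm, not a
sticky group) and `class CM_MISSING` (never defined).
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice
rserver host PLATTS_APP
  ip address 192.168.0.105
  inservice
serverfarm host SF_PLATTS
  transparent
  rserver PLATTS_APP
    inservice
serverfarm host SF_BCPR
  transparent
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice
sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR
class-map match-any CM_BYPASS_VIP
  2 match virtual-address 10.10.10.10 any
policy-map type loadbalance first-match PM_LB_SF_BCPROXY
  match test source-address 192.168.80.89 255.255.255.255
    sticky-serverfarm STICKY-SOURCE
policy-map type loadbalance first-match PM_L7_BYPASS_SRC_IP
  match test source-address 192.168.80.89 255.255.255.255
    sticky-serverfarm SF_PLATTS
policy-map multi-match NEW-POLICY
  class CM_BYPASS_VIP
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
  class CM_MISSING
    loadbalance policy PM_LB_SF_BCPROXY
interface vlan 300
  service-policy input NEW-POLICY
"""

# Top-level block headers: (pattern capturing the object name, object kind).
TOP_LEVEL = [
    (re.compile(r"^rserver host (\S+)"), "rserver"),
    (re.compile(r"^serverfarm host (\S+)"), "serverfarm"),
    (re.compile(r"^sticky .* (\S+)$"), "sticky"),
    (re.compile(r"^class-map .* (\S+)$"), "class-map"),
    (re.compile(r"^policy-map type loadbalance .* (\S+)$"), "lb-policy"),
    (re.compile(r"^policy-map multi-match (\S+)$"), "policy"),
    (re.compile(r"^interface vlan (\S+)$"), "interface"),
]

# Child lines that reference another object, keyed by the enclosing block kind.
REFERENCES = {
    "serverfarm": [(re.compile(r"^rserver (\S+)"), "rserver")],
    "sticky": [(re.compile(r"^serverfarm (\S+)"), "serverfarm")],
    "lb-policy": [
        (re.compile(r"^serverfarm (\S+)"), "serverfarm"),
        (re.compile(r"^sticky-serverfarm (\S+)"), "sticky"),
        (re.compile(r"^class (\S+)"), "class-map"),
    ],
    "policy": [
        (re.compile(r"^class (\S+)"), "class-map"),
        (re.compile(r"^loadbalance policy (\S+)"), "lb-policy"),
    ],
    "interface": [(re.compile(r"^service-policy input (\S+)"), "policy")],
}


def parse_blocks(text):
    """Group lines into (kind, name, child_lines); any indented line belongs to
    the most recent top-level block, nesting depth is flattened on purpose."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][2].append(raw.strip())
            continue
        for pattern, kind in TOP_LEVEL:
            match = pattern.match(raw)
            if match:
                blocks.append((kind, match.group(1), []))
                break
        else:
            blocks.append(("other", raw, []))
    return blocks


def check_references(text):
    """Return one finding string per reference to an undefined object."""
    blocks = parse_blocks(text)
    defined = defaultdict(set)
    for kind, name, _ in blocks:
        defined[kind].add(name)
    findings = []
    for kind, name, children in blocks:
        for child in children:
            for pattern, ref_kind in REFERENCES.get(kind, []):
                match = pattern.match(child)
                if match and match.group(1) not in defined[ref_kind]:
                    # Most common cause: right name, wrong object type.
                    other = [k for k, names in defined.items() if match.group(1) in names]
                    hint = f" (defined as {other[0]})" if other else ""
                    findings.append(
                        f"{kind} {name}: '{child}' references undefined "
                        f"{ref_kind} {match.group(1)}{hint}"
                    )
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` saved to a file (the parser only relies on the two-space indentation the ACE uses when it prints its config); an empty result means every cross-reference resolves, which is worth confirming before putting a new VIP in service.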
08-23-2012 04:00 AM
Thanks for your reply. Regarding client authentication, I want to know if this is the complete configuration required?
We will be carrying out the tests once again to see if the front end or the back end connection is having the problem.
May I know what would be the best way to find out if the front end client authentication is successful or not?
Since this Expert Session is ending tomorrow, would it be possible for you to send me your email id through PM so that I can contact you in case this client authentication issue does not get fixed?
Regards,
Akhtar
08-23-2012 06:56 AM
Hi Akhtar,
No, the configuration I have given is without client authentication and SSL. Add the config below to enable client authentication.
crypto authgroup POS
  cert cert_client.pem
ssl-proxy service ssl-proxy
  key POS
  cert cert_server.pem
  authgroup POS
  ssl advanced-options POS
I sent you my contact information via PM.
Regards,
Siva
08-22-2012 12:44 PM
Hi Siva,
Could you please give a scenario/example of when to use SNAT? And another scenario/example using DNAT on the ACE?
thanks!!
Fernando
08-23-2012 12:17 AM
Hi Fernando,
Good question!
Source NAT: I can think of 2 different scenarios where it is primarily required.
1. One-arm mode:
One Arm Mode is used when not every server needs to be load balanced, or if you couldn't move the gateway of all of the servers to the ACE when not all of them will be load balanced. One Arm Mode works very simply: the user hits the virtual IP address of the serverfarm on the ACE, and then the ACE directs the traffic to the appropriate real server depending on which load balancing algorithm has been selected. The trick is getting return traffic from the real server to go back through the ACE; this is achieved with source NAT. With SRC NAT, the user hits the ACE and the src address is translated to one in the pool. The real server sees the source address as one in the pool, knows that that subnet resides on the ACE, and replies back to the ACE. The ACE then NATs the address to the user's real address and forwards the response.
Now on to setting up the source NAT pool, we have a good article on setting this up (complete with configs).
2. Routed-mode:
When you deploy ACE in Routed Mode, the real server gateway resides on an interface of the ACE. You would run into an issue where real servers hit the VIP for another serverfarm on the ACE and have the connection reset. The problem is that the load-balanced real server talks directly to the originating server, since they are in the same VLAN/subnet. So we need the load-balanced real server to respond to the ACE, and then from the ACE to the requesting server. For this to happen, you would set up Source NAT: when the connection from a real server enters the ACE, it gets NAT'd to an address in the VIP subnet; when the real server responds, it responds to the ACE and then back to the requesting real server.
Sample config:
Servers connecting to the VIP on VLAN YYY are load balanced AND source NAT'd to the VIP subnet.
class-map match-all REAL_SERVERS
  2 match source-address x.x.x.0 255.255.255.0
class-map match-all VIP-X
  2 match virtual-address y.y.y.5 tcp eq www
policy-map multi-match CLIENT_VIPS
  class VIP-X
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan YYY
interface vlan XXX
  description Client vlan
  ip address x.x.x.1 255.255.255.0
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan YYY
  description Servers vlan
  ip address y.y.y.1 255.255.255.0
  service-policy input CLIENT_VIPS
  nat-pool 1 y.y.y.2 y.y.y.2 netmask 255.255.255.0 pat
  no shutdown
------------------------------------------------------------------------------------------------
Destination NAT is ON by default on the ACE, as the VIP address will be "translated" to the real server address.
If you want to just do a dst NAT for a given IP in a scenario like the one below:
(Source,Destination)
Before NAT(x.x.x.x,y.y.y.y)====>After NAT(x.x.x.x,z.z.z.z)
Configure 1 rserver per serverfarm, where the real server will have your destination IP.
y.y.y.y will be your VIP address
z.z.z.z will be your rserver address
-------------------------------------------------------------------------------------------------
Let me know if you have any questions.
Regards,
Siva
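The routed-mode reasoning above (a real server hitting a VIP on the ACE gets reset unless the connection is source NAT'd) and the point that destination NAT from VIP to rserver is always on can both be traced step by step in a small packet-flow model. The script below is an added example, not code from the thread or from Cisco; the addresses are constructed (server VLAN 10.0.2.0/24, ACE interface 10.0.2.1, VIP 10.0.2.5, nat-pool address 10.0.2.2, real servers 10.0.2.10 and 10.0.2.11), and the reply-path rule encodes the behaviour the answer describes: a server replies directly over the VLAN to any peer in its own subnet unless that address belongs to the ACE, in which case the ACE sees the reply and can undo its translations.

```python
"""Routed-mode ACE: why a real server that calls a VIP needs source NAT.

Added example (not from the original thread); all addresses are constructed.
`simulate(snat=False)` follows the reset case from the answer, `simulate(snat=True)`
the working case with `nat dynamic` applied to the REAL_SERVERS class.
"""
from dataclasses import dataclass
import ipaddress

SERVER_NET = ipaddress.ip_network("10.0.2.0/24")   # the "y.y.y.0/24" server VLAN
ACE_INTERFACE = "10.0.2.1"                          # server-VLAN gateway lives on the ACE
VIP = "10.0.2.5"
NAT_POOL = "10.0.2.2"                               # single-address nat-pool with pat
REALS = ["10.0.2.10", "10.0.2.11"]
ACE_OWNED = {ACE_INTERFACE, VIP, NAT_POOL}          # addresses the ACE answers ARP for


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def ace_forward(pkt, snat):
    """Load-balance a VIP hit. Destination NAT (VIP -> rserver) is always on;
    source NAT to the pool happens only when `nat dynamic` is configured."""
    assert pkt.dst == VIP, "only VIP traffic is load balanced"
    # Pick a real server other than the requester: the case the answer describes.
    real = next(r for r in REALS if r != pkt.src)
    src = NAT_POOL if snat else pkt.src
    return Packet(src, real), {"client": pkt.src, "real": real}


def server_reply_path(pkt):
    """A host on the server VLAN replies straight over L2 to a peer in its own
    subnet; only off-subnet or ACE-owned destinations go through the ACE."""
    reply = Packet(pkt.dst, pkt.src)
    direct = (ipaddress.ip_address(reply.dst) in SERVER_NET
              and reply.dst not in ACE_OWNED)
    return reply, ("direct" if direct else "via-ace")


def ace_reverse(state):
    """Undo both translations on the return path: the requester must see the
    reply come from the VIP it connected to."""
    return Packet(VIP, state["client"])


def simulate(snat):
    request = Packet(REALS[0], VIP)
    to_real, state = ace_forward(request, snat)
    reply, path = server_reply_path(to_real)
    if path == "via-ace":
        reply = ace_reverse(state)
    # The requester has a connection to the VIP only; a reply from any other
    # address matches no connection and is answered with a reset.
    ok = reply.src == VIP and reply.dst == request.src
    return {"to_real": to_real, "reply_path": path, "reply": reply,
            "outcome": "established" if ok else "reset"}


if __name__ == "__main__":
    for flag in (False, True):
        r = simulate(flag)
        print(f"snat={flag}: ACE sends {r['to_real']}; reply goes {r['reply_path']} "
              f"as {r['reply']} -> {r['outcome']}")
```

The `snat=False` run shows the reply leaving 10.0.2.11 directly for 10.0.2.10, which never connected to 10.0.2.11 and so resets it; with `snat=True` the forwarded packet carries the pool address, the reply is addressed to the ACE, and the requester receives it from the VIP as expected. The same `ace_forward` step is also the destination NAT the answer mentions: the VIP is rewritten to the chosen rserver on every flow, configured or not.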
08-23-2012 06:07 AM
Just what I was looking for!
Thanks so much!!!!
08-24-2012 10:50 AM
Siva,
This forum has been providing us with lots of useful information. Thanks for the same.
On another note, I wanted to find out if ACE supports some kind of "MLD" related things? If there are any pages where I could get information about ACE's MLD/multicast related topics, please let me know the same.
Thanks !