Ask the Expert: Understanding and Troubleshooting ACE Loadbalancer

ciscomoderator
Community Manager

With Sivakumar Sukumar


Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about configuring and troubleshooting the Cisco Application Control Engine (ACE) load balancer with Sivakumar Sukumar. The Cisco ACE Application Control Engine Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers is a next-generation load-balancing and application-delivery solution. A member of the Cisco family of Data Center 3.0 solutions, the module:

  • Helps ensure business continuity by increasing application availability
  • Improves business productivity by accelerating application and server performance
  • Reduces data center power, space, and cooling needs through a virtualized architecture
  • Helps lower operational costs associated with application provisioning and scaling

Sivakumar Sukumar is an experienced support engineer with the High Touch Technical Support content team, covering all Cisco content delivery network technologies, including Cisco Application Control Engine (ACE), Cisco Wide Area Application Services (WAAS), Cisco Content Switching Module, Cisco Content Services Switches, and other content products. He has been with Cisco for more than 2 years, working with major customers to help resolve their issues related to content products. He holds CCNP and DCASI certifications.

Remember to use the rating system to let Sivakumar know if you have received an adequate response.

Sivakumar might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Data Center sub-community discussion forum shortly after the event. This event lasts through August 24, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

51 Replies

Hi Akhtar,

I built a config that meets your requirement and tested working in my LAB.

Traffic that comes to CM_BYPASS_VIP with source IP 192.168.80.89 would be load balanced by PM_LB_SF_BCPROXY, and traffic coming from source IP 192.168.80.89 to any VIP would be load balanced by PM_L7_BYPASS_SRC_IP.

==================== configuration ==============

rserver host RS_BCPR01
  ip address 192.168.0.103
  inservice
rserver host RS_BCPR02
  ip address 192.168.0.104
  inservice

serverfarm host SF_PLATTS
  transparent
  rserver PLATTS_APP
    inservice
serverfarm host SF_BCPR
  transparent
  probe PROBE_TCP
  rserver RS_BCPR01
    inservice
  rserver RS_BCPR02
    inservice

sticky ip-netmask 255.255.255.255 address source STICKY-SOURCE
  replicate sticky
  serverfarm SF_BCPR

class-map match-any CM_BYPASS_VIP
  2 match virtual-address 10.10.10.10 any
  3 match virtual-address 20.20.20.20 any
  4 match virtual-address 30.30.30.30 any
  5 match virtual-address 40.40.40.40 any
class-map match-all CM_SF_BCPR
  255 match virtual-address 0.0.0.0 0.0.0.0 tcp eq www

policy-map type loadbalance first-match PM_LB_SF_BCPROXY
  match test source-address 192.168.80.89 255.255.255.255
    sticky-serverfarm STICKY-SOURCE
policy-map type loadbalance first-match PM_L7_BYPASS_SRC_IP
  match test source-address 192.168.80.89 255.255.255.255
    serverfarm SF_PLATTS

policy-map multi-match NEW-POLICY
  class CM_BYPASS_VIP
    loadbalance vip inservice
    loadbalance policy PM_LB_SF_BCPROXY
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE
  class CM_SF_BCPR
    loadbalance vip inservice
    loadbalance policy PM_L7_BYPASS_SRC_IP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options PARAMAP_CASE

interface vlan 300
  service-policy input NEW-POLICY

Let me know if you have any questions.

Regards,
Siva

Thanks for your reply. Regarding client authentication, I want to know if this is the complete configuration required.

We will be carrying out the tests once again to see whether the front-end or the back-end connection is having the problem.

May I know what would be the best way to find out whether the front-end client authentication is successful or not?

Since this Expert Session is ending tomorrow, would it be possible for you to send me your email ID through PM so that I can contact you in case this client authentication issue does not get fixed?

Regards,

Akhtar

Hi Akhtar,

No, the configuration I have given is without client authentication and SSL. Add the config below to enable client authentication.

crypto authgroup POS
  cert cert_client.pem

ssl-proxy service ssl-proxy
  key POS
  cert cert_server.pem
  authgroup POS
  ssl advanced-options POS

I sent you my contact information via PM.

Regards,

Siva
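To answer the earlier question of how to tell whether front-end client authentication is succeeding, here is an added probe written for this thread; it is not Cisco code and not part of Siva's configuration. It makes one TLS connection to the VIP without a client certificate and one with it, and translates the alert OpenSSL reports into what that usually means for the ACE's authgroup. The host name, port and file names are placeholders; the reason strings are the ones Python's ssl module surfaces from OpenSSL, and the mapping of each to a likely cause is this example's assumption, not ACE documentation.

```python
"""Probe a TLS virtual server for client-certificate (mutual TLS) authentication.

Hypothetical helper added for this thread; not Cisco ACE code.  It opens a TLS
connection with and without a client certificate and maps the OpenSSL alert that
comes back to a plain-language verdict, so a front-end client-auth failure can be
told apart from a local trust problem or a back-end issue.  Host, port and file
names below are placeholders.
"""
import socket
import ssl
from typing import Dict, Optional, Tuple

# ssl.SSLError.reason values (OpenSSL reason codes) and what each usually means
# for a VIP that requires client certificates.  The interpretations are this
# example's assumptions, not ACE documentation.  Unknown reasons pass through.
REASONS = {
    "TLSV13_ALERT_CERTIFICATE_REQUIRED":
        "server required a client certificate and none was presented",
    "SSLV3_ALERT_HANDSHAKE_FAILURE":
        "server aborted the handshake: typically no/unacceptable client cert or no common cipher",
    "TLSV1_ALERT_UNKNOWN_CA":
        "server does not trust the CA that issued the client cert (check the authgroup's CA cert)",
    "SSLV3_ALERT_BAD_CERTIFICATE":
        "server rejected the client certificate itself (expired, wrong key usage, revoked)",
    "SSLV3_ALERT_CERTIFICATE_UNKNOWN":
        "server rejected the client certificate for an unspecified reason",
    "CERTIFICATE_VERIFY_FAILED":
        "this client does not trust the SERVER certificate: a local cafile/CN problem, not client auth",
}

def classify(reason: Optional[str]) -> Tuple[bool, str]:
    """Map an ssl.SSLError reason (None = no error) to (handshake_ok, explanation)."""
    if reason is None:
        return True, "TLS handshake completed; the server accepted the client (or asked for no cert)"
    return False, REASONS.get(reason, f"handshake failed: {reason}")

def probe(host: str, port: int, cafile: str,
          certfile: Optional[str] = None, keyfile: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[bool, str]:
    """Attempt one TLS handshake; present a client certificate only if certfile is given."""
    ctx = ssl.create_default_context(cafile=cafile)
    # A 2012-era load balancer may offer only TLS 1.0; permit it for the probe alone.
    # (Very new OpenSSL builds may additionally need a lower security level.)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # wrap_socket() completed the handshake.  A server that demanded a
                # certificate and did not get an acceptable one would have sent an
                # alert instead, which surfaces below as ssl.SSLError.
                tls.getpeercert()
        return classify(None)
    except ssl.SSLError as exc:
        return classify(exc.reason)

def compare(host: str, port: int, cafile: str, certfile: str,
            keyfile: str) -> Dict[str, Tuple[bool, str]]:
    """Probe without and then with the client cert; the pair isolates client auth."""
    return {
        "without_client_cert": probe(host, port, cafile),
        "with_client_cert": probe(host, port, cafile, certfile, keyfile),
    }

if __name__ == "__main__":
    # Placeholders: the VIP, the CA that signed the VIP's server cert, and the
    # client cert/key that the authgroup on the ACE is supposed to accept.
    for name, (ok, why) in compare("vip.example.internal", 443,
                                   "ca.pem", "client.pem", "client.key").items():
        print(f"{name}: ok={ok} :: {why}")
```

Reading the pair: if client authentication is enforced, the run without a certificate should fail with a certificate-required or handshake-failure alert and the run with the certificate should complete. A failure with the certificate that reports an unknown CA points at the CA certificate in the authgroup; both runs failing with CERTIFICATE_VERIFY_FAILED means the probe's own cafile or the VIP's server certificate name is wrong, not client authentication. Once the front end completes cleanly but the application still errors, the problem is on the back-end connection.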

Fernando Bello
Level 1

Hi Siva,

Could you please give a scenario/example of when to use SNAT? And another scenario/example using DNAT on the ACE?

thanks!!

Fernando

Hi Fernando,

Good question!

Source NAT: I can think of two different scenarios where it is primarily required:

1. One-arm mode:

One-arm mode is used when not every server needs to be load balanced, or when you can't move the default gateway of all the servers to the ACE because not all of them will be load balanced. One-arm mode works very simply: the user hits the virtual IP address of the serverfarm on the ACE, and the ACE directs the traffic to the appropriate real server depending on which load-balancing algorithm has been selected. The trick is getting return traffic from the real server to go back through the ACE; this is achieved with source NAT. With source NAT, the user hits the ACE and the source address is translated to one in the pool. The real server sees the source address as one in the pool, knows that subnet resides on the ACE, and replies back to the ACE. The ACE then NATs the address back to the user's real address and forwards the response.

Now on to setting up the source NAT pool: we have a good article on this (complete with configs).

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

2. Routed mode:

When you deploy the ACE in routed mode, the real servers' gateway resides on an interface of the ACE. You can run into an issue where real servers hit the VIP of another serverfarm on the ACE and have the connection reset. The problem is that the load-balanced real server talks directly to the originating server, since they are in the same VLAN/subnet. So we need the load-balanced real server to respond to the ACE, and then the ACE responds to the requesting server. For this to happen, you set up source NAT: when the connection from a real server enters the ACE, it gets NAT'd to an address in the VIP subnet; when the load-balanced real server responds, it responds to the ACE, which then responds to the requesting real server.

Sample config:

Servers connecting to the VIP on VLAN YYY are load balanced AND source NAT'd to the VIP subnet.

class-map match-all REAL_SERVERS
  2 match source-address y.y.y.0 255.255.255.0
class-map match-all VIP-X
  2 match virtual-address y.y.y.5 tcp eq www

policy-map multi-match CLIENT_VIPS
  class VIP-X
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan YYY

interface vlan XXX
  description Client vlan
  ip address x.x.x.1 255.255.255.0
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan YYY
  description Servers vlan
  ip address y.y.y.1 255.255.255.0
  service-policy input CLIENT_VIPS
  nat-pool 1 y.y.y.2 y.y.y.2 netmask 255.255.255.0 pat
  no shutdown

------------------------------------------------------------------------------------------------

Destination NAT is on by default on the ACE, as the VIP address is "translated" to the real server address.

If you want to do just a destination NAT for a given IP, in a scenario like the one below:

(Source, Destination)

Before NAT (x.x.x.x, y.y.y.y) ====> After NAT (x.x.x.x, z.z.z.z)

configure one rserver per serverfarm, where the real server has your destination IP:

y.y.y.y will be your VIP address

z.z.z.z will be your rserver address

-------------------------------------------------------------------------------------------------

Let me know if you have any questions.

Regards,

Siva
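The two source-NAT scenarios above (one-arm mode, and a real server calling another farm's VIP in routed mode) come down to one forwarding question: does the real server's reply have to pass through the ACE? The following Python model is an added illustration for this thread, not Cisco code and not part of the post. It uses made-up addresses and a deliberately simplified ACE (destination NAT always on, source NAT only when a pool exists, no PAT modelled) to show, for each scenario, where the reply goes and whether the client ever sees a SYN/ACK from the VIP it connected to.

```python
"""Why one-arm mode (and server-to-VIP traffic in routed mode) needs source NAT.

Added illustration for this thread, not Cisco code: a toy model of the
forwarding decisions involved.  Each host forwards directly when the
destination is on-link and via its default gateway otherwise; the ACE owns its
interface addresses, the VIP and any NAT pool address.  Destination NAT
(VIP -> rserver) is always on, as the post says; source NAT happens only when
a pool is configured.  All addresses are made up.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    prefix: str      # on-link network, e.g. "10.1.1.0/24"
    gateway: str     # default gateway used for off-link destinations

    def next_hop(self, dst: str) -> str:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix):
            return dst                # same subnet: ARP and deliver directly
        return self.gateway

@dataclass
class Ace:
    interfaces: List[str]            # ACE interface IPs (one per VLAN)
    vip: str
    nat_pool: List[str] = field(default_factory=list)   # empty = no source NAT

    def owned(self) -> Set[str]:
        return set(self.interfaces) | {self.vip, *self.nat_pool}

    def translate_request(self, client_ip: str, real_ip: str) -> Tuple[str, str]:
        """(src, dst) of the request as the rserver sees it."""
        src = self.nat_pool[0] if self.nat_pool else client_ip   # SNAT optional
        return src, real_ip                                       # DNAT implicit

def simulate(client: Host, ace: Ace, real: Host) -> Dict[str, object]:
    src_on_wire, dst_on_wire = ace.translate_request(client.ip, real.ip)
    # The rserver answers whatever source it saw.  Does that path cross the ACE?
    reply_hop = real.next_hop(src_on_wire)
    via_ace = reply_hop in ace.owned()
    if via_ace:
        reply_src_seen = ace.vip      # ACE reverses both translations
    else:
        reply_src_seen = real.ip      # reply bypasses the ACE entirely
    return {
        "request_on_wire": (src_on_wire, dst_on_wire),
        "reply_next_hop": reply_hop,
        "reply_via_ace": via_ace,
        "client_sees_reply_from": reply_src_seen,
        # the client only accepts a SYN/ACK from the address it sent the SYN to
        "connection_ok": reply_src_seen == ace.vip,
    }

# Scenario 1, one-arm: everyone on 10.1.1.0/24, servers' gateway is the router, not the ACE
ONE_ARM_CLIENT = Host("client", "10.1.1.50", "10.1.1.0/24", "10.1.1.1")
ONE_ARM_REAL = Host("web1", "10.1.1.11", "10.1.1.0/24", "10.1.1.1")
ONE_ARM_NO_SNAT = Ace(["10.1.1.2"], vip="10.1.1.100")
ONE_ARM_SNAT = Ace(["10.1.1.2"], vip="10.1.1.100", nat_pool=["10.1.1.200"])

# Scenario 2, routed: servers' gateway is the ACE; a real server calls another farm's VIP
ROUTED_CLIENT = Host("client", "192.168.10.50", "192.168.10.0/24", "192.168.10.1")
ROUTED_REAL_A = Host("app1", "192.168.20.10", "192.168.20.0/24", "192.168.20.1")
ROUTED_REAL_B = Host("db1", "192.168.20.11", "192.168.20.0/24", "192.168.20.1")
ROUTED_NO_SNAT = Ace(["192.168.10.1", "192.168.20.1"], vip="192.168.20.5")
ROUTED_SNAT = Ace(["192.168.10.1", "192.168.20.1"], vip="192.168.20.5",
                  nat_pool=["192.168.20.2"])

if __name__ == "__main__":
    for label, c, a, r in [
        ("one-arm, no SNAT", ONE_ARM_CLIENT, ONE_ARM_NO_SNAT, ONE_ARM_REAL),
        ("one-arm, SNAT", ONE_ARM_CLIENT, ONE_ARM_SNAT, ONE_ARM_REAL),
        ("routed, external client, no SNAT", ROUTED_CLIENT, ROUTED_NO_SNAT, ROUTED_REAL_B),
        ("routed, server->VIP, no SNAT", ROUTED_REAL_A, ROUTED_NO_SNAT, ROUTED_REAL_B),
        ("routed, server->VIP, SNAT", ROUTED_REAL_A, ROUTED_SNAT, ROUTED_REAL_B),
    ]:
        print(f"{label}: {simulate(c, a, r)}")
```

The model reproduces the post's two points: in one-arm mode the server's reply is on-link to the client and never touches the ACE unless the source was rewritten to a pool address the ACE owns, and in routed mode an external client is fine without source NAT (the reply goes via the servers' gateway, which is the ACE) while a server calling a VIP in its own subnet gets a reply straight from the other server and resets the connection until source NAT sends it back through the ACE.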

Just what I was looking for!

THanks so much!!!!

Siva,

This forum has been providing us with lots of useful information. Thanks for that.

On another note, I wanted to find out whether the ACE supports anything MLD-related. If there are any pages where I could get information about the ACE's MLD/multicast-related topics, please let me know.

Thanks !
