05-24-2012 05:15 AM
Hi networker,
Actually, I'm beaten by configuring the ACE 4700!
I've read the Cisco configuration guide but it is difficult to put all the configuration together! I can't find the right example....
I'm trying to configure "Basic Load Balancing Using Bridged Mode on the Cisco Application Control Engine" BUT with two contexts, "Admin" and "Context1".
You'll find a part of my configuration below; rserver and all that stuff is actually not important!
Here are my questions:
- Each context has one VLAN; both are defined in a BVI interface! How do I assign this BVI interface to a port-channel group of two interfaces, gigabitEthernet 1/2 and 1/3? How do I assign a BVI interface to a physical interface?
- Each context has one VLAN; how do I enable traffic between these VLANs across the contexts?
Admin context
interface gigabitEthernet 1/1
[...]
interface gigabitEthernet 1/2
channel-group 1
no shutdown
interface gigabitEthernet 1/3
channel-group 1
no shutdown
interface gigabitEthernet 1/4
[...]
interface port-channel 1
switchport access vlan 10
no shutdown
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
interface vlan 10
description "Client Side"
bridge-group 1
access-group input PERMIT_ALL
service-policy input L4_MGMT_MATCH
no shutdown
interface bvi 1
ip address 192.168.10.244 255.255.255.0
peer ip address 192.168.10.245 255.255.255.0
no shutdown
context Context1
allocate-interface vlan 10
allocate-interface vlan 20
Context1 context
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
interface vlan 20
description "Server Side"
bridge-group 1
nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
service-policy input L4_MGMT_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Thanks in advance for your help and fresh ideas
05-27-2012 04:52 AM
This is a basic one-armed mode config. If this fits your load balancing requirements it is a good option. Only traffic that needs to be load balanced will pass through the ACE. All direct-to-server or server-initiated traffic will bypass the ACE. What is the reason you turned off normalization? If your servers are not pointing to the ACE as the default gateway you can probably leave this security feature enabled. When load balancing with this config, NAT will force the server reply back to the ACE, so the servers' gateway can point to the same device as the ACE is using.
Regarding the Admin context: if you are only going to have one context you can do both the administration and load balancing in this context for simplicity, but with multiple contexts it is a good idea to leave the Admin context for administration only.
If you decide to add more contexts in the future you would just need to configure the Gig interfaces on the ACE as well as the connecting switch as trunk links.
Regards
Jim
05-24-2012 05:51 AM
What you are trying to do is not possible. The ACE cannot talk directly from one context to another without first leaving the device, either at L2 or L3, and then being sent into the second context via the switch or router.
BVIs are only relevant to one context. You create the two VLANs and a BVI, and then tie the BVI to the two VLANs.
What is the reason for having traffic in the Admin context bridge to the second context? Why not just have VLAN 10 and 20 in one context and bridge them together?
Regards
Jim
05-24-2012 06:13 AM
Thanks jsirstin for your answer!
Two contexts: because we want to separate two different departments. Yes, with one context it would be simpler...
But something is not clear to me!
To simplify my question: is it possible to have one VLAN on each context, VLAN1 -> Admin, VLAN2 -> context1, with the same subnet? How do I configure routing or bridging between contexts?
Best regards,
jm
05-24-2012 07:46 AM
Blankguy7,
Routing/bridging between contexts is not possible if both are in the same subnet and both contexts are active on the same ACE.
If you can provide some additional info on your requirements I could help with a sample config. I need to understand your requirements for both load balancing and routing/bridging.
Regards
Jim
05-24-2012 11:22 PM
Ok, thanks for your proposition to help me!
We have two departments, one "prod" and one "test". In these departments there are clients and servers, where the clients want to connect to the servers and applications, and where an application is redundant on two or more servers with load balancing.
Example: when the client connects to an application it calls a virtual IP address, then the ACE checks a probe (LDAP_PROBE). When the test is OK the ACE will NAT the client's IP address and connect to the server. With the help of the NAT IP address, all traffic between the server and client will be routed through the ACE.
2x ACE with ports: E1 (mgmt) E2 (IN from clients) E3 (OUT to servers) E4 (FT heartbeat)
So, here is my first try; what do you think?
ACE1/Admin# sh run
Generating configuration....
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
hostname ACE1
interface gigabitEthernet 1/1
shutdown
interface gigabitEthernet 1/2
switchport access vlan 10
no shutdown
interface gigabitEthernet 1/3
switchport access vlan 20
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
interface vlan 10
description "Client Side"
ip address 192.168.10.244 255.255.255.0
access-group input PERMIT_ALL
service-policy input L4_MGMT_MATCH
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
context PROD
allocate-interface vlan 20
ssh key dsa 1024 force
ACE1/PROD# sh run
Generating configuration....
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
script file name LDAP_PROBE
probe scripted prvd30_PROBE
port 3930
interval 5
passdetect interval 5
script LDAP_PROBE
rserver host M3000_TEST
ip address 192.168.10.223
inservice
serverfarm host ldapprod
predictor response syn-to-close
probe prvd30_PROBE
rserver M3000_TEST
inservice
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
class-map match-all ldapprod_CLASS
2 match virtual-address 192.168.10.248 tcp eq 3930
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
policy-map type loadbalance first-match ldapprod_POLICY
class class-default
serverfarm ldapprod
policy-map multi-match PROD-POLICY
class ldapprod_CLASS
loadbalance vip inservice
loadbalance policy ldapprod_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
interface vlan 20
description "Server Side"
ip address 192.168.10.245 255.255.255.0
no normalization
no icmp-guard
access-group input PERMIT_ALL
access-group output PERMIT_ALL
nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
service-policy input L4_MGMT_MATCH
service-policy input PROD-POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
Thank you very much and best regards,
Jérôme
05-25-2012 05:42 AM
This will not work. Are you planning on adding any other contexts to the ACE in the future? If not, you could do this all in the Admin context using bridge mode. If you are adding more contexts in the future you could do this in a different context and keep the Admin context only for management of the ACE, but you would need to configure your gig interfaces as trunks to include more than 4 VLANs.
In the sample below there are two VLANs, 10 and 20. VLAN 10 would have all non-load-balanced servers as well as the default gateway of the ACE. This default gateway will be the same for all servers in these two VLANs as well.
VLAN 20 is a layer 2 VLAN on the switch and this is where the servers that need to be load balanced are located.
With this topology you do not need to use NAT, since the server reply from the load-balanced servers has to bridge through the ACE to get back to the client.
Just make sure you issue show arp once configured to confirm that the ACE learns the load-balanced servers on VLAN 20 and the gateway on VLAN 10.
I put in a sample FT config as well but did not know what VLAN you were using for the FT link.
ACE1/Admin# sh run
Generating configuration....
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
hostname ACE1
interface gigabitEthernet 1/1
shutdown
interface gigabitEthernet 1/2
switchport access vlan 10
no shutdown
interface gigabitEthernet 1/3
switchport access vlan 20
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
script file name LDAP_PROBE
probe scripted prvd30_PROBE
port 3930
interval 5
passdetect interval 5
script LDAP_PROBE
rserver host M3000_TEST
ip address 192.168.10.223
inservice
serverfarm host ldapprod
predictor response syn-to-close
probe prvd30_PROBE
rserver M3000_TEST
inservice
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
class-map match-all ldapprod_CLASS
2 match virtual-address 192.168.10.248 tcp eq 3930
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
policy-map type loadbalance first-match ldapprod_POLICY
class class-default
serverfarm ldapprod
policy-map multi-match PROD-POLICY
class ldapprod_CLASS
loadbalance vip inservice
loadbalance policy ldapprod_POLICY
loadbalance vip icmp-reply active
appl-parameter http advanced-options CASE_PARAM
interface vlan 10
description "Client Side"
bridge-group 1
access-group input PERMIT_ALL
service-policy input L4_MGMT_MATCH
service-policy input PROD-POLICY
no shutdown
interface vlan 20
description "Server Side"
bridge-group 1
access-group input PERMIT_ALL
access-group output PERMIT_ALL
service-policy input L4_MGMT_MATCH
no shutdown
interface bvi 1
ip address 192.168.10.245 255.255.255.0
peer ip address 192.168.10.244 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.10.1
ft interface vlan 601
ip address 1.1.1.2 255.255.
peer ip address 1.1.1.1 255
no shutdown
ft peer 1
heartbeat interval 100
heartbeat count 10
ft-interface vlan 601
query-interface vlan 10
ft group 1
peer 1
no preempt
priority 121
peer priority 120
associate-context Admin
inservice
05-25-2012 06:27 AM
Thanks for your help...
I don't really know if in the future there'll be more contexts... but I will check that! The context was a wish from the chief too, but I'll speak to him again...
So, before testing without a context, I've tested with one! As you told me, I've defined the Admin context for management (I must add an IP address) and the context for the traffic. I wrote the config below... it's a working config; feel free to tell me what you think about it.
About FT, I must define the VLAN and put it at the end of the Admin config.
We've defined a context to divide the departments for security reasons, but no one will access it for management. Only the admins' group will have access to it! In this case, is it really important to have a context or not???
ACE1/Admin# sh run
Generating configuration....
boot system image:c4710ace-t1k9-mz.A5_1_2.bin
hostname ACE1
interface gigabitEthernet 1/1
shutdown
interface gigabitEthernet 1/2
no shutdown
interface gigabitEthernet 1/3
switchport access vlan 20
no shutdown
interface gigabitEthernet 1/4
switchport access vlan 10
no shutdown
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
interface vlan 10
description "mgmt"
access-group input PERMIT_ALL
service-policy input L4_MGMT_MATCH
context PROD
allocate-interface vlan 20
ACE1/PROD# sh run
Generating configuration....
logging enable
access-list PERMIT_ALL line 8 extended permit ip any any
access-list PERMIT_ALL line 16 extended permit icmp any any
access-list PERMIT_ALL line 24 extended permit tcp any any
access-list PERMIT_ALL line 32 extended permit udp any any
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
script file name LDAP_PROBE
probe scripted prvd30_PROBE
port 3930
interval 5
passdetect interval 5
script LDAP_PROBE
rserver host M3000_TEST
ip address 192.168.10.223
inservice
serverfarm host ldapprod
predictor response syn-to-close
probe prvd30_PROBE
rserver M3000_TEST 3930
inservice
parameter-map type http CASE_PARAM
case-insensitive
persistence-rebalance
class-map type management match-any L4_MGMT_CLASS
2 match protocol icmp any
3 match protocol ssh any
4 match protocol https any
5 match protocol xml-https any
class-map match-all ldapprod_CLASS
2 match virtual-address 192.168.10.248 tcp eq 23930
policy-map type management first-match L4_MGMT_MATCH
class L4_MGMT_CLASS
permit
policy-map type loadbalance first-match ldapprod_POLICY
class class-default
serverfarm ldapprod
policy-map multi-match PROD-POLICY
class ldapprod_CLASS
loadbalance vip inservice
loadbalance policy ldapprod_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 20
appl-parameter http advanced-options CASE_PARAM
interface vlan 20
description "server side"
ip address 192.168.10.245 255.255.255.0
no normalization
no icmp-guard
access-group input PERMIT_ALL
access-group output PERMIT_ALL
nat-pool 1 192.168.10.249 192.168.10.249 netmask 255.255.255.0 pat
service-policy input L4_MGMT_MATCH
service-policy input PROD-POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
06-01-2012 04:47 AM
Thank you very much for your gracious help!
Now, it's running well...
Last but not least question: how do I configure a track interface or query-interface in an ft peer or group with a VLAN that doesn't belong to the Admin context? It is important for us to stop the FT when VLAN 20 is down and not only the FT VLAN 10.
IN ADMIN CONTEXT
command
ACE3/Admin(config-ft-peer)# query-interface vlan 20
Error: query vlan '20' does not exist or is FT vlan!
config
ft interface vlan 1000
ip address 10.1.1.1 255.255.255.0
peer ip address 10.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 1000
query-interface vlan 10
ft group 1
peer 1
priority 150
associate-context Admin
ip route 0.0.0.0 0.0.0.0 192.168.10.1
context PROD
allocate-interface vlan 20
allocate-interface vlan 30
ft group 2
peer 1
priority 150
associate-context PROD
inservice
Thanks in advance
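As an added example (not from this thread and not Cisco tooling), the script below performs a static audit of a flattened ACE "show run" for the points raised above: the normalization and ICMP-guard features the accepted answer suggests leaving enabled, `permit ip any any` ACLs bound to interfaces, a `bridge-group` on a VLAN interface whose BVI lives in another context (the reason bridging across contexts does not work), and a `query-interface vlan` that is not a VLAN interface of the Admin context or is the FT VLAN (the condition behind the "query vlan '20' does not exist or is FT vlan!" error). The list of top-level keywords, the finding codes and the two sample configs are assumptions constructed for this example; the addresses echo the thread's 192.168.10.0/24.

```python
# Added example, not from the thread: static audit of a flattened ACE running
# config. Sample configs are constructed; they are not the poster's output.
import re

# Assumption: a line starting with one of these begins a new top-level block;
# every other line is a sub-command of the block before it. This lets the
# parser work on pasted configs that lost their indentation.
TOP_LEVEL = (
    "interface ", "access-list ", "class-map ", "policy-map ", "context ",
    "ft interface ", "ft peer ", "ft group ", "probe ", "rserver ",
    "serverfarm ", "parameter-map ", "ip route ", "script file ",
    "hostname ", "boot ", "logging ", "ssh ",
)


def parse_blocks(text):
    """Return [(header, [sub-commands])] in order of appearance."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(TOP_LEVEL):
            blocks.append((line, []))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def audit(text):
    """Return findings as (code, vlan, note) tuples for one context's config."""
    blocks = parse_blocks(text)
    vlan_ifaces, bvis, any_acls, ft_vlans = {}, set(), set(), set()
    for header, subs in blocks:
        if m := re.fullmatch(r"interface vlan (\d+)", header):
            vlan_ifaces[int(m.group(1))] = subs
        elif m := re.fullmatch(r"interface bvi (\d+)", header):
            bvis.add(int(m.group(1)))
        elif m := re.fullmatch(r"access-list (\S+) .*permit ip any any", header):
            any_acls.add(m.group(1))  # ACL that permits everything
        elif m := re.fullmatch(r"ft interface vlan (\d+)", header):
            ft_vlans.add(int(m.group(1)))

    findings = []
    for vid, subs in vlan_ifaces.items():
        for s in subs:
            # TCP normalization and ICMP guard are on by default; the accepted
            # answer recommends leaving them on unless there is a reason not to.
            if s in ("no normalization", "no icmp-guard"):
                findings.append((s[3:] + "-disabled", vid, s))
            elif (m := re.fullmatch(r"access-group (input|output) (\S+)", s)) \
                    and m.group(2) in any_acls:
                findings.append(("permit-any-acl-bound", vid, s))
            elif (m := re.fullmatch(r"bridge-group (\d+)", s)) \
                    and int(m.group(1)) not in bvis:
                # A bridge group needs its BVI in the same context.
                findings.append(("bridge-group-without-bvi", vid, s))

    for header, subs in blocks:
        if not header.startswith("ft peer "):
            continue
        for s in subs:
            if m := re.fullmatch(r"query-interface vlan (\d+)", s):
                qv = int(m.group(1))
                # Same condition the ACE CLI rejects with
                # "query vlan 'N' does not exist or is FT vlan!"
                if qv in ft_vlans:
                    findings.append(("query-vlan-invalid", qv, "is the FT vlan"))
                elif qv not in vlan_ifaces:
                    findings.append(("query-vlan-invalid", qv,
                                     "not a vlan interface of this context"))
    return findings


# Constructed Admin-context config in bridged mode, modelled on the thread.
CONSTRUCTED_ADMIN = """
access-list PERMIT_ALL line 8 extended permit ip any any
interface vlan 10
bridge-group 1
access-group input PERMIT_ALL
interface vlan 20
bridge-group 1
no normalization
no icmp-guard
access-group input PERMIT_ALL
access-group output PERMIT_ALL
interface bvi 1
ip address 192.168.10.245 255.255.255.0
ft interface vlan 1000
ip address 10.1.1.1 255.255.255.0
ft peer 1
ft-interface vlan 1000
query-interface vlan 30
"""

# Constructed second context: vlan 20 joins bridge-group 1, but the BVI is
# defined in the Admin context, so this context has no BVI for the group.
CONSTRUCTED_CONTEXT1 = """
interface vlan 20
bridge-group 1
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.1
"""

if __name__ == "__main__":
    for name, cfg in (("Admin", CONSTRUCTED_ADMIN), ("Context1", CONSTRUCTED_CONTEXT1)):
        for code, vlan, note in audit(cfg):
            print(f"{name}: vlan {vlan}: {code} ({note})")
```

Run it against a saved `show run` from each context (one call to `audit` per context, since VLAN interfaces and BVIs are per-context objects) and treat each finding as a question to answer rather than an automatic error: `no normalization` may be deliberate, but it should be a conscious choice.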
05-24-2012 06:08 AM
Hi
Please refer to the links below
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Troubleshooting_Guide
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
Thanks
Sent from my iPhone
05-24-2012 06:23 AM
Thanks tkumaraq for your answer.
In the link about "Example of a Bridged Configuration" it doesn't indicate how to configure the gigabit interface?
Best regards,
jm
05-25-2012 02:41 PM
In any way you want.
You bridge between VLANs; physical interfaces are just there to carry VLANs.