Cisco ACE Design

vinovinom
Level 1

Hi Guys

I need some advice regarding the Cisco ACE design. I am designing a solution for a pair of Cisco ACE devices which needs to load balance between 2 HTTPS website addresses. The first website is supported by 2 servers and the second by a single server. I want to know the best way to implement it as well as ACE failover considerations. I am confused whether I need to use contexts or just 2 server farms and 2 VIPs in a single context. Also I would like to do SSL offload in the ACE as well. I am planning for a One-Arm mode design. Also I need clarification on which load balancing algorithm should be used and which is enabled by default.

Many thanks in advance.

Regards

Vino

18 Replies

chrhiggi
Level 3

Hello Vino-

The idea of a context is to segregate traffic and resources at a finite level, i.e. Context Production and Context Development. Production gets 90% of the resources, development gets 5% and you leave 5% available. If development throws too much traffic at their VIPs, they cap out at 5% of the total module resources, so they don't affect the production traffic. If that is not the kind of scalability you need with your VIPs, then you do not need more than 1 context.

For the configuration aspect of your question, check into our wiki, it has all sorts of examples:

Configuration:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples

2nd Configuration:

http://docwiki-dev.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples

Troubleshooting:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide%2C_Release_A2(x)

Hi Guys

I have made a Cisco ACE design to load balance between 2 URLs in routed mode with SSL offload. From my understanding, you match the URL, then offload SSL, then decrypt the packets and forward them on port 80.

Requirement is :

External Users --------> Cisco ACE modules in on site -------------> Servers in another site.

Internal Users ----------> Cisco ACE 4710 in same region as server ------------> Servers.

There are 2 URLs to load balance with 2 servers for each of them. (for both users the destination is the same set of servers.)

How is the ACE able to handle both the domain and subdomain load balancing and the stickiness portion?

Thanks

Vino

ACE actually decrypts the traffic first, since we cannot look at the L5 HTTP URL/headers until the packet is decrypted.

There are many different types of sticky on ACE; anything that uses the higher protocols would require decryption (i.e. HTTP header sticky, HTTP cookie sticky). You can do source IP sticky or L4 sticky without decrypting (i.e. SSL session ID sticky, port sticky, or just plain vanilla source IP sticky).

In terms of order -

1.) Match the destination IP to a VIP.

2.) Check what the VIP match is going to require (i.e. is it ssl decryption, HTTP inspection, source nat, etc.)

3.) Decrypt SSL

4.) Check the HTTP URL against the class maps under the policy-map type loadbalance

5.) Check if there are existing sticky entries for the sticky serverfarm under the class that the URL matched

- If there is a sticky match, send the connection directly to the server

- If there is no sticky match, send the connection to the serverfarm and balance it to a server based on the loadbalancing predictor under that farm.

Let me know if you need more clarification!

Chris

Chris

Many thanks for your reply. That explains it clearly, but what I needed was to clarify whether I need to use 2 VIPs for 2 URLs and whether to use the same VIP in the Cisco module as well... As external users would use the ACE module to LB/SSL offload and internal users use the ACE 4710 to LB/SSL offload. And how is the routing done for it?

Thanks

Vino

If you have 2 separate devices, you will need 2 different VIP IPs, yes. As a rule of thumb, each domain needs a different IP unless you are using a wildcard SSL certificate. Another gotcha to be aware of: if you are going to have 2 ACEs active in the same VLAN which are not FT together, make sure to configure a shared-host-vlan ID for each that is a different number so your MAC addresses don't collide.

-Chris Higgins

Hi Chris

Many thanks for your reply. I also want to ask how we can set it up using 2 different IPs for 2 URLs in each ACE device for internal users and external users. Can we use the same IP for a URL in each device? How do we set up the routing in the network if so? Otherwise, what other options are there?

Vino

Vino-

You can create 2 VIPs on ACE, and on your DNS server, each domain will point to a different IP.

I attached a configuration example showing what the configuration would look like on ACE.

Chris

Chris

Thanks very much for your help...

Vino

Hi Chris,

I am currently working on the Cisco ACE for SSL offload. Could you please let me know, if I have two different VIPs for two different services, will I have to buy two separate certificates? Both would need to be accessed via HTTPS using different URLs.

Many thanks in advance.

Jim

Hi Jim-

Each domain will need its own certificate unless you are using subdomains and have the resources to buy a multi-domain or wildcard certificate.

i.e.

If you were hosting www.cisco.com and www.ciscorocks.com, you would need 2 certificates.

If you were hosting www.cisco.com and tac.cisco.com, you could purchase a multi-domain certificate. (They use the Subject Alternative Name field to specify multiple domains the certificate is valid for.)

If you were hosting www.cisco.com, tac.cisco.com, and sales.cisco.com, you can purchase a wildcard certificate. The "issued to" field will show *.cisco.com, which matches any subdomain of cisco.com.

The difference in purchasing each type of cert is cost. 2 single certs can be as cheap as $40/cert. A multi-domain cert for 2 names might run $60, and a wildcard cert might run $2000+.
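To check which of the three options above actually covers a planned list of hostnames before buying, here is an added example (not from this thread or from Cisco) that applies the single-label wildcard rule browsers use: a "*" must be the whole leftmost label and matches exactly one label, so *.cisco.com covers tac.cisco.com but not cisco.com itself or a.b.cisco.com. The hostnames are the ones used in the post.

```python
# Added example: which hostnames a certificate's CN/SAN entries cover.
# Matching follows the common single-label wildcard rule (RFC 6125 style),
# not any vendor-specific behaviour.

def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname          # exact, case-insensitive match
    suffix = cert_name[1:]                    # "*.cisco.com" -> ".cisco.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the label the "*" stands for
    # The wildcard must match exactly one non-empty label, so the bare
    # parent domain and deeper subdomains are not covered.
    return leftmost != "" and "." not in leftmost

def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(name_matches(c, h) for c in cert_names)]

# The three purchase options discussed above, applied to the same site list.
SITES = ["www.cisco.com", "tac.cisco.com", "sales.cisco.com"]
OPTIONS = {
    "single cert": ["www.cisco.com"],
    "multi-domain (SAN)": ["www.cisco.com", "tac.cisco.com"],
    "wildcard": ["*.cisco.com"],
}

if __name__ == "__main__":
    for label, names in OPTIONS.items():
        print(f"{label:20s} leaves uncovered: {uncovered(names, SITES)}")
```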

Hi Chris,

Thank you so much for your prompt reply.

The one I am designing matches the third option you provided:

"If you were hosting www.cisco.com, tac.cisco.com, and sales.cisco.com, you can purchase a wildcard certificate. The issued to field will show *.cisco.com which matches any sub domain of cisco.com."

While reading some Cisco ACE documentation, I realised that, as you mention, a wildcard certificate would be appropriate. As I am planning to host approximately 5 services, I think buying one certificate (a wildcard certificate) would be easy to manage in future when it comes to renewing it.

However, when it comes to configuring it, I am getting difficulties on how to do it with different VIPs.

I have five VIPs, each pointing to different serverfarms. I am doing SSL termination on the Cisco ACE: my clients access the VIPs via HTTPS, the ACE terminates the SSL and then forwards clear HTTP traffic to the servers.

Could you please give me some advice.

Many Thanks,

Jim

Jim-

It depends a bit on how you want to divide up the domains to the servers. Do you have different servers for each domain, or do all of your servers host all of the domains?

Chris

Hi Chris,

I have different servers for each domain.

For example, ServerA and ServerB will host "tac.cisco.com".

ServerC and ServerD will host "sales.cisco.com".

Regards,

Jim

Jim-

You can do this one of two ways: a single VIP that divides the traffic by matching the domain, or 2 VIPs. Which one you choose is based on how many IPs you want to use on your DNS server.

If you had 1 IP - this would be an example configuration:

rserver host sjhp-1
  ip address 172.16.35.1
  inservice
rserver host sjhp-2
  ip address 172.16.35.2
  inservice
rserver host sjhp-3
  ip address 172.16.35.3
  inservice
rserver host sjhp-4
  ip address 172.16.35.4
  inservice

serverfarm host Domain1Servers
  rserver sjhp-1 80
    inservice
  rserver sjhp-2 80
    inservice

serverfarm host Domain2Servers
  rserver sjhp-3 80
    inservice
  rserver sjhp-4 80
    inservice

ssl-proxy service DecryptCisco.com
  key key.pem
  cert cert.pem

class-map match-any VIP
  2 match virtual-address 172.16.35.7 tcp eq https

class-map type http loadbalance match-any Domain1
  3 match http header Host header-value "www\.cisco\.com"

class-map type http loadbalance match-any Domain2
  2 match http header Host header-value "mail\.cisco\.com"

policy-map type loadbalance http first-match LBPM
  class Domain1
   serverfarm Domain1Servers
  class Domain2
   serverfarm Domain2Servers


policy-map multi-match PMM
  class VIP
    loadbalance policy LBPM
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice

If you had 2 IP addresses, this is what your configuration would be:

rserver host sjhp-1
  ip address 172.16.35.1
  inservice
rserver host sjhp-2
  ip address 172.16.35.2
  inservice
rserver host sjhp-3
  ip address 172.16.35.3
  inservice
rserver host sjhp-4
  ip address 172.16.35.4
  inservice

serverfarm host Domain1Servers
  rserver sjhp-1 80
    inservice
  rserver sjhp-2 80
    inservice

serverfarm host Domain2Servers
  rserver sjhp-3 80
    inservice
  rserver sjhp-4 80
    inservice

ssl-proxy service DecryptCisco.com
  key key.pem
  cert cert.pem

class-map match-any VIPDomain1
  2 match virtual-address 172.16.35.7 tcp eq https

class-map match-any VIPDomain2
  2 match virtual-address 172.16.35.8 tcp eq https


policy-map type loadbalance http first-match LBDomain1
  class class-default
   serverfarm Domain1Servers

policy-map type loadbalance http first-match LBDomain2
  class class-default
   serverfarm Domain2Servers


policy-map multi-match PMM
  class VIPDomain1
    loadbalance policy LBDomain1
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice
  class VIPDomain2
    loadbalance policy LBDomain2
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice

Let me know if you have any questions!

Regards,

Chris
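The single-VIP configuration above, walked through in the order Chris gave earlier in the thread (VIP match, SSL decryption, Host class-map under the first-match loadbalance policy, sticky lookup, then the predictor), as an added example that is not part of this thread or of any Cisco software. Farm names, addresses and Host regexes are copied from the posted config; the source-IP sticky table and the round-robin predictor (ACE's default) are modelling assumptions.

```python
# Added example: a model of the posted single-VIP design and the processing order
# described in the thread. Not ACE code; the sticky table keyed on source IP and
# the round-robin predictor are assumptions of this model.
import re
from itertools import cycle

SERVERFARMS = {                       # serverfarm host ... / rserver ... 80
    "Domain1Servers": ["172.16.35.1:80", "172.16.35.2:80"],
    "Domain2Servers": ["172.16.35.3:80", "172.16.35.4:80"],
}
# policy-map type loadbalance http first-match LBPM: classes tried top to bottom.
# The posted patterns are unanchored regexes; anchor them (^...$) if the Host
# header must match exactly rather than as a substring.
LBPM = [
    (re.compile(r"www\.cisco\.com"), "Domain1Servers"),    # class Domain1
    (re.compile(r"mail\.cisco\.com"), "Domain2Servers"),   # class Domain2
]
VIP = ("172.16.35.7", 443)            # class-map VIP: 172.16.35.7 tcp eq https

class Ace:
    def __init__(self):
        self._rr = {farm: cycle(hosts) for farm, hosts in SERVERFARMS.items()}
        self.sticky = {}              # (source IP, farm) -> chosen server

    def classify(self, host_header):
        """Step 4: first class-map whose Host regex matches wins."""
        for regex, farm in LBPM:
            if regex.search(host_header):
                return farm
        return None                   # LBPM has no class-default, so no farm

    def handle(self, src_ip, dst, host_header):
        """Return the real server a new connection is sent to, or None."""
        if dst != VIP:                # step 1: destination must match the VIP
            return None
        # step 3: ssl-proxy server DecryptCisco.com decrypts before the Host
        # header is visible; this model receives it already decrypted.
        farm = self.classify(host_header)
        if farm is None:
            return None
        key = (src_ip, farm)
        if key not in self.sticky:    # step 5: no sticky entry -> use predictor
            self.sticky[key] = next(self._rr[farm])
        return self.sticky[key]       # step 5: sticky hit -> same server
```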
