10-28-2010 06:15 AM
Hi Guys
I need some advice regarding the Cisco ACE design. I am designing a solution for a pair of Cisco ACE devices which needs to load balance between 2 https website addresses. The first website is supported by 2 servers and the second by a single server. I want to know the best way to implement it as well as ACE failover considerations. I am confused whether I need to use contexts or just 2 server farms and 2 VIPs in a single context. Also I would like to do SSL offload in the ACE as well. I am planning for a One-Arm mode design. Also I need clarification on which load balancing algorithm should be used and which is enabled by default.
Many thanks in advance.
Regards
Vino
10-28-2010 11:07 AM
Hello Vino-
The idea of a context is to segregate traffic and resources at a finite level, i.e. Context Production and Context Development. Production gets 90% of the resources, development gets 5% and you leave 5% available. If development throws too much traffic at their VIPs, they cap out at 5% of the total module resources, so they don't affect the production traffic. If that is not the kind of scalability you need with your VIPs, then you do not need more than 1 context.
For the configuration aspect of your question, check into our wiki, it has all sorts of examples:
Configuration:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples
2nd Configuration:
http://docwiki-dev.cisco.com/wiki/Category:Data_Center_Application_Services_Configuration_Examples
Troubleshooting:
11-12-2010 02:59 AM
Hi Guys
I have made a Cisco ACE design to load balance between 2 URLs in routed mode with SSL offload. From my understanding, you match the URL, then offload SSL and decrypt the packets, and forward them on port 80.
Requirement is :
External Users --------> Cisco ACE modules in on site -------------> Servers in another site.
Internal Users ----------> Cisco ACE 4710 in same region as server ------------> Servers.
There are 2 URLs to load balance with 2 servers for each of them (for both users the destination is the same set of servers).
How is the ACE able to handle both the domain and subdomain load balancing and the stickiness portion?
Thanks
Vino
11-12-2010 11:11 AM
ACE actually decrypts the traffic first since we cannot look at the L5 HTTP URL/headers until the packet is decrypted.
There are many different types of sticky on ACE; anything that uses the higher protocols would require decryption (i.e. HTTP header sticky, HTTP cookie sticky). You can do source IP sticky, or L4 sticky without decrypting (i.e. SSL session ID sticky, port sticky, or just plain vanilla source IP sticky).
In terms of order -
1.) Match the destination IP to a VIP.
2.) Check what the VIP match is going to require (i.e. is it ssl decryption, HTTP inspection, source nat, etc.)
3.) Decrypt SSL
4.) Check the HTTP URL against the class maps under the policymap type loadbalance
5.) Check if there is an existing sticky entries for the sticky serverfarm under the class that the url matched
- If there is a sticky match, send the connection directly to the server
- If there is no sticky match, send the connection to the serverfarm and balance it to a server based on the loadbalancing predictor under that farm.
Let me know if you need more clarification!
Chris
11-12-2010 12:52 PM
Chris
Many thanks for your reply. That explains it clearly, but what I needed was to clarify whether I need to use 2 VIPs for 2 URLs and whether to use the same VIP in the Cisco module as well... As external users would use the ACE module to LB/SSL offload and internal users use the ACE 4710 to LB/SSL offload. And how is the routing done for it?
Thanks
Vino
11-12-2010 01:13 PM
If you have 2 separate devices, you will need 2 different VIP IPs, yes. As a rule of thumb, each domain needs a different IP unless you are using a wildcard SSL certificate. Another gotcha to be aware of: if you are going to have 2 ACEs active in the same VLAN which are not FT together, make sure to configure a shared-host-vlan ID for each that is a different number so your MAC addresses don't collide.
-Chris Higgins
11-15-2010 01:55 AM
Hi Chris
Many thanks for your reply. I also want to ask how we can set it up using 2 different IPs for 2 URLs in each ACE device for internal users and external users. Can we use the same IP for a URL in each device? If so, how do we set up the routing in the network? Otherwise what other options are there?
Vino
11-19-2010 10:44 AM
11-22-2010 03:45 AM
Chris
Thanks very much for your help...
Vino
09-15-2011 03:54 PM
Hi Chris,
I am currently working on the Cisco ACE for SSL offload. Could you please let me know, if I have two different VIPs for two different services, whether I will have to buy two separate certificates. Both would need to be accessed via HTTPS using different URLs.
Many thanks in advance.
Jim
09-16-2011 12:00 PM
Hi Jim-
Each domain will need its own certificate unless you are using subdomains and have the resources to buy a multi-domain or wildcard certificate.
i.e.
If you were hosting www.cisco.com and www.ciscorocks.com, you would need 2 certificates.
If you were hosting www.cisco.com and tac.cisco.com, you could purchase a multi-domain certificate. (They use the Subject Alternative Name field to specify multiple domains the certificate is valid for.)
If you were hosting www.cisco.com, tac.cisco.com, and sales.cisco.com, you can purchase a wildcard certificate. The Issued To field will show *.cisco.com, which matches any subdomain of cisco.com.
The difference in purchasing each type of cert is cost. 2 single certs can be as cheap as $40/cert. A multi-domain cert for 2 domains might run $60, and a wildcard cert might run $2000+.
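As an added example that is not part of this thread, the following Python check applies the hostname-matching rules TLS clients use (RFC 6125 section 6.4.3: a wildcard is only accepted as the entire left-most label and matches exactly one label) to the three certificate shapes Chris describes. It shows the caveat a practitioner wants before buying: *.cisco.com covers tac.cisco.com and sales.cisco.com but not cisco.com itself, not a.tac.cisco.com, and not www.ciscorocks.com. The certificate name lists and the edge-case hostnames are constructed for illustration, and grouping by "last two labels" is a simplification that ignores public-suffix cases such as co.uk.

```python
"""Which hostnames does a certificate cover? Added example, not from the thread.

Rules applied (RFC 6125 section 6.4.3, as mainstream TLS stacks implement them):
  - comparison is case-insensitive and ignores a trailing dot
  - '*' is only accepted as the entire left-most label
  - '*' matches exactly one label: '*.cisco.com' covers tac.cisco.com
    but neither cisco.com nor a.tac.cisco.com
  - a wildcard directly under a TLD ('*.com') is refused
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (CN or SAN dNSName) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    if c_labels[0] != "*" or "*" in cert_name[1:]:
        return False            # 'w*.cisco.com' or '*.*.com' style names are rejected
    if len(c_labels) < 3:
        return False            # '*.com' would cover every .com site
    if len(c_labels) != len(h_labels) or not h_labels[0]:
        return False            # the wildcard spans one label, never zero or two
    return c_labels[1:] == h_labels[1:]


def uncovered_hosts(cert_names, hostnames):
    """Hostnames that no name on the certificate covers (what a browser would reject)."""
    return [h for h in hostnames if not any(name_matches(n, h) for n in cert_names)]


def certificates_for(hostnames):
    """Group hostnames by parent domain (last two labels) to show Chris's three options:
    hosts under one parent can share a multi-domain (SAN) or wildcard cert, hosts under
    different parents need separate certs or one SAN cert listing all of them.
    'Last two labels' as the registrable domain is a simplification (co.uk needs a PSL)."""
    groups = {}
    for h in hostnames:
        parent = ".".join(h.lower().split(".")[-2:])
        groups.setdefault(parent, []).append(h)
    return groups


# Constructed inputs: the VIP hostnames from the thread plus a few edge cases.
VIP_HOSTS = ["www.cisco.com", "tac.cisco.com", "sales.cisco.com"]
EDGE_CASES = ["cisco.com", "a.tac.cisco.com", "www.ciscorocks.com"]

SINGLE_CERT = ["www.cisco.com"]                   # one single-domain cert
SAN_CERT = ["www.cisco.com", "tac.cisco.com"]     # multi-domain cert, names in SAN
WILDCARD_CERT = ["*.cisco.com"]                   # wildcard cert

if __name__ == "__main__":
    for label, names in [("single", SINGLE_CERT), ("SAN", SAN_CERT), ("wildcard", WILDCARD_CERT)]:
        print(f"{label:9s} cert leaves uncovered: {uncovered_hosts(names, VIP_HOSTS + EDGE_CASES)}")
    print("parent domains:", certificates_for(VIP_HOSTS + EDGE_CASES))
```

Run it before ordering: if the bare domain (cisco.com) or a deeper name is on the VIP list, the wildcard alone will not do and the bare name has to go into the SAN list as well.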
09-18-2011 02:11 PM
Hi Chris,
Thank you so much for your prompt reply.
The one I am designing matches the third option you provided:
"If you were hosting www.cisco.com, tac.cisco.com, and sales.cisco.com, you can purchase a wildcard certificate. The issued to field will show *.cisco.com which matches any sub domain of cisco.com."
While reading some Cisco ACE documentation, I realised that, as you mentioned, a wildcard certificate would be appropriate. As I am planning to host approximately 5 services, I think buying one certificate (a wildcard certificate) would be easy to manage in future when it comes to renewing it.
However, when it comes to configuring it, I am having difficulties with how to do it with different VIPs.
I have five VIPs, each pointing to different serverfarms. I am doing SSL termination on the Cisco ACE; my clients would access the VIPs via HTTPS, the ACE terminates the SSL and then forwards clear HTTP traffic to the servers.
Could you please give me some advice.
Many Thanks,
Jim
09-19-2011 09:11 AM
Jim-
It depends a bit on how you want to divide up the domains to the servers. Do you have different servers for each domain, or do all of your servers host all of the domains?
Chris
09-19-2011 10:06 AM
Hi Chris,
I have different servers for each domain.
For example, ServerA and ServerB will host "tac.cisco.com".
ServerC and ServerD will host "sales.cisco.com"
Regards,
Jim
09-20-2011 10:27 AM
Jim-
You can do this one of two ways: a single VIP that divides the traffic by matching the domain, or 2 VIPs. Which one you choose is based on how many IPs you want to use on your DNS server.
If you had 1 IP, this would be an example configuration:
rserver host sjhp-1
  ip address 172.16.35.1
  inservice
rserver host sjhp-2
  ip address 172.16.35.2
  inservice
rserver host sjhp-3
  ip address 172.16.35.3
  inservice
rserver host sjhp-4
  ip address 172.16.35.4
  inservice
serverfarm host Domain1Servers
  rserver sjhp-1 80
    inservice
  rserver sjhp-2 80
    inservice
serverfarm host Domain2Servers
  rserver sjhp-3 80
    inservice
  rserver sjhp-4 80
    inservice
ssl-proxy service DecryptCisco.com
  key key.pem
  cert cert.pem
class-map match-any VIP
  2 match virtual-address 172.16.35.7 tcp eq https
class-map type http loadbalance match-any Domain1
  3 match http header Host header-value "www\.cisco\.com"
class-map type http loadbalance match-any Domain2
  2 match http header Host header-value "mail\.cisco\.com"
policy-map type loadbalance http first-match LBPM
  class Domain1
    serverfarm Domain1Servers
  class Domain2
    serverfarm Domain2Servers
policy-map multi-match PMM
  class VIP
    loadbalance policy LBPM
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice
If you had 2 IP addresses, this is what your configuration would be:
rserver host sjhp-1
  ip address 172.16.35.1
  inservice
rserver host sjhp-2
  ip address 172.16.35.2
  inservice
rserver host sjhp-3
  ip address 172.16.35.3
  inservice
rserver host sjhp-4
  ip address 172.16.35.4
  inservice
serverfarm host Domain1Servers
  rserver sjhp-1 80
    inservice
  rserver sjhp-2 80
    inservice
serverfarm host Domain2Servers
  rserver sjhp-3 80
    inservice
  rserver sjhp-4 80
    inservice
ssl-proxy service DecryptCisco.com
  key key.pem
  cert cert.pem
class-map match-any VIPDomain1
  2 match virtual-address 172.16.35.7 tcp eq https
class-map match-any VIPDomain2
  2 match virtual-address 172.16.35.8 tcp eq https
policy-map type loadbalance http first-match LBDomain1
  class class-default
    serverfarm Domain1Servers
policy-map type loadbalance http first-match LBDomain2
  class class-default
    serverfarm Domain2Servers
policy-map multi-match PMM
  class VIPDomain1
    loadbalance policy LBDomain1
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice
  class VIPDomain2
    loadbalance policy LBDomain2
    loadbalance vip icmp-reply active
    ssl-proxy server DecryptCisco.com
    loadbalance vip inservice
Let me know if you have any questions!
Regards,
Chris
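To tie the single-VIP configuration above to the order of operations Chris gave in his 11-12-2010 reply (decrypt, check the Host header against the loadbalance class-maps in first-match order, consult the sticky table, otherwise hand the connection to the serverfarm's predictor), here is an added Python model. It is not part of the thread and not ACE code. It takes the serverfarm members and the Host regexes verbatim from the config above; the source-IP sticky group, the round-robin predictor (ACE's default) and full-string regex matching are assumptions of the model, and a request that matches neither class (there is no class-default in LBPM) is simply reported as unmatched rather than asserting what ACE does with it.

```python
"""Model of ACE L7 dispatch for the single-VIP config. Added example, not ACE code.

Steps modelled from the order of operations in the thread:
  3. SSL is already terminated, so the Host header is readable
  4. Host header is checked against the loadbalance class-maps, first match wins
  5. sticky table is consulted; on a miss the farm's predictor picks a server
"""
import re
from collections import namedtuple
from itertools import cycle

# Serverfarm members from the config above (rserver ip:port).
SERVERFARMS = {
    "Domain1Servers": ["172.16.35.1:80", "172.16.35.2:80"],
    "Domain2Servers": ["172.16.35.3:80", "172.16.35.4:80"],
}

# policy-map type loadbalance http first-match LBPM as (class, Host regex, serverfarm),
# in the order the classes appear. The regex text is copied from the config.
LBPM = [
    ("Domain1", r"www\.cisco\.com", "Domain1Servers"),
    ("Domain2", r"mail\.cisco\.com", "Domain2Servers"),
]

Decision = namedtuple("Decision", "class_name serverfarm server sticky_hit")


class AceL7Model:
    def __init__(self, serverfarms, policy):
        # fullmatch is an assumption about how ACE anchors header regexes. With
        # search() semantics a Host of 'www.cisco.com.attacker.example' would also
        # select Domain1Servers, which is why anchoring the pattern matters.
        self.policy = [(c, re.compile(rx), farm) for c, rx, farm in policy]
        # predictor round-robin (ACE default) keeps its own position per serverfarm
        self.predictor = {farm: cycle(servers) for farm, servers in serverfarms.items()}
        # assumed 'sticky ip-netmask 255.255.255.255 address source' group per farm:
        # key = (serverfarm, client ip) -> server
        self.sticky = {}

    def dispatch(self, client_ip, host_header):
        """Decision for one decrypted request, or None if no class in LBPM matches."""
        for class_name, pattern, farm in self.policy:
            if pattern.fullmatch(host_header) is None:
                continue
            key = (farm, client_ip)
            if key in self.sticky:                       # existing sticky entry: straight to server
                return Decision(class_name, farm, self.sticky[key], True)
            server = next(self.predictor[farm])          # sticky miss: predictor chooses
            self.sticky[key] = server
            return Decision(class_name, farm, server, False)
        return None


def demo():
    """Constructed request sequence; returns the decisions so they can be checked."""
    ace = AceL7Model(SERVERFARMS, LBPM)
    requests = [
        ("10.0.0.1", "www.cisco.com"),                   # first client: predictor -> .1
        ("10.0.0.2", "www.cisco.com"),                   # second client: predictor -> .2
        ("10.0.0.1", "www.cisco.com"),                   # first client again: sticky hit -> .1
        ("10.0.0.1", "mail.cisco.com"),                  # other domain: its own farm -> .3
        ("10.0.0.9", "www.cisco.com.attacker.example"),  # matches no class under fullmatch
    ]
    return [ace.dispatch(ip, host) for ip, host in requests]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point to take from the model is the ordering: the sticky lookup happens per serverfarm after the Host class has been chosen, so a client stuck to Domain1Servers is balanced fresh when it sends a request for the other domain, and the predictor only runs on a sticky miss.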