Cisco ACE Design

vinovinom
Level 1

Hi Guys

I need some advice regarding the Cisco ACE design. I am designing a solution for a pair of Cisco ACE devices which needs to load balance between 2 https website addresses. The first website is supported by 2 servers and the second by a single server. I want to know the best way to implement as well as ACE failover considerations. I am confused whether I need to use contexts or just 2 server farms and 2 VIPs in a single context. Also I would like to do an SSL offload in the ACE as well. I am planning for One-Arm mode design. Also I need clarification of which load balancing algorithm should be used and by default which is enabled.

Many thanks in advance.

Regards

Vino

18 Replies

Hi Chris,

Thank you so much for this. I am going to test both concept and will let you know how it went.

Kind Regards,

Jim

Hi Chris,

Thank you so much for your help. It's working fine.

However, I had another issue: the servers that would be hosting the services have some kind of URL that the client would access along with the VIP.

Currently, I requested them to change it to the same domain as the same parameter I would have when I buy the wildcard certificate. But I was just wondering, is it possible for the ACE to redirect the clients to their specific URL once they hit the VIP?

Kind Regards,

Jim

Jim-

That is actually very easy to do on ACE. You just need to know what the initial URL is and the URL that you would like to redirect to.

First, you need to add 2 classes which match the URL that your client initially requests + the domain:

class-map type http loadbalance match-any Domain1
  3 match http header Host header-value "www\.cisco\.com"

class-map type http loadbalance match-all Domain1-URL
  3 match http header Host header-value "www\.cisco\.com"
  4 match http url "/login.html"

class-map type http loadbalance match-any Domain2
  2 match http header Host header-value "mail\.cisco\.com"

class-map type http loadbalance match-all Domain2-URL
  2 match http header Host header-value "mail\.cisco\.com"
  3 match http url "/login.html"

Then you need to create the redirect rserver and serverfarm:

rserver redirect Domain1Redirect
  webhost-redirection /newloginpage/index.html
  inservice

rserver redirect Domain2Redirect
  webhost-redirection /newloginpage/index.html
  inservice

serverfarm redirect Domain1RedirectFarm
  rserver Domain1Redirect
    inservice

serverfarm redirect Domain2RedirectFarm
  rserver Domain2Redirect
    inservice

Then you need to update the loadbalance policy map to include the 2 new classes. Be sure to add them in the order below:

policy-map type loadbalance http first-match LBPM
  class Domain1-URL
   serverfarm Domain1RedirectFarm
  class Domain1
   serverfarm Domain1Servers
  class Domain2-URL
   serverfarm Domain2RedirectFarm
  class Domain2
   serverfarm Domain2Servers

With this configuration, whenever a user accesses mail.cisco.com/login.html, they will be redirected to mail.cisco.com/newloginpage/index.html.

There are actually some really cool things you can do with redirects in general. Say your client accesses mail.cisco.com/stuff/index.html or mail.cisco.com/login/pictures.html. You need to match any pages the client accesses in the /stuff/ folder and redirect the client to mail.cisco.com/newlogin/stuff/X, where X is the same page/object the client initially accessed. Your class map would match http url "/stuff/.*"

And instead of:

rserver redirect Domain1Redirect
  webhost-redirection /newloginpage/stuff/index.html
  inservice

Use this:

rserver redirect Domain1Redirect
  webhost-redirection /newloginpage/%p
  inservice

%p copies the entire url and pastes it in after the expression you enter.  %h copies the host header that the client sent as well.  %h is useful where you need to send the client to a new protocol.  I.e. you match http, but want to send the client to https.

i.e.:

rserver redirect Domain1Redirect
  webhost-redirection https://%h/newloginpage/%p
  inservice

Regards,

Chris
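
The class ordering and matching rules from the post above, modelled in Python as an added example (not part of the original post and not ACE code): it evaluates the four classes in first-match order and shows what changes when the -URL classes come after the domain classes, or when they need only one of their two conditions to hold. Full-string regex matching, the escaped dot in the URL pattern and the sample requests are assumptions of this model.

```python
import re

HOST1, HOST2 = r"www\.cisco\.com", r"mail\.cisco\.com"   # Host patterns from the post
LOGIN = r"/login\.html"                                   # URL from the post, dot escaped

def build_policy(url_mode="all", url_first=True):
    """Return the class list in evaluation order.

    url_mode:  "all" = Host AND URL must match, "any" = either one is enough.
    url_first: True puts each -URL class ahead of its domain class.
    """
    policy = []
    for n, host in (("1", HOST1), ("2", HOST2)):
        url_cls = (f"Domain{n}-URL", url_mode, host, LOGIN, f"Domain{n}RedirectFarm")
        dom_cls = (f"Domain{n}", "all", host, None, f"Domain{n}Servers")
        policy += [url_cls, dom_cls] if url_first else [dom_cls, url_cls]
    return policy

def classify(policy, host, path):
    """First-match evaluation: return the serverfarm of the first matching class."""
    for _name, mode, host_re, url_re, farm in policy:
        checks = [re.fullmatch(host_re, host) is not None]
        if url_re is not None:
            checks.append(re.fullmatch(url_re, path) is not None)
        if (all if mode == "all" else any)(checks):
            return farm
    return None  # no class matched; this model has no default class

# Constructed sample requests (Host header, URL path).
REQUESTS = [("mail.cisco.com", "/login.html"), ("mail.cisco.com", "/inbox"),
            ("www.cisco.com", "/login.html"), ("other.example", "/login.html")]

if __name__ == "__main__":
    variants = {"as intended": build_policy(),
                "domain class first": build_policy(url_first=False),
                "-URL classes match-any": build_policy(url_mode="any")}
    for label, policy in variants.items():
        print(label)
        for host, path in REQUESTS:
            print(f"  {host}{path} -> {classify(policy, host, path)}")
```
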

Hi Chris,

Sorry for not getting back earlier.

Just have been really busy with the design architecture.

However, the information you provided sounds brilliant.

I am going to test the concept and will let you know how it went.

Thanks a lot again for your valuable advice.

Kind Regards,

Jim
