07-10-2007 12:31 PM
I have been given the task of configuring a Cisco ACE20 initially for SLB. I have configured IOS SLB successfully but the ACE appears far more complex. Does anyone have any configuration guides with diagrams? The Cisco documentation only gives command guides which I am finding difficult to follow. I have set up a test scenario as follows:
Client side vlan 10 - 172.22.152.0 / 21
Server side vlan 17 - 172.22.244.0 /24
Vlan 10 is set up on Sup720 as L2/3
Vlan 17 is set up on Sup720 as L2 only
PC with IIS running with IP address 172.22.244.101
VIP address 172.22.152.6
Rserver address 172.22.244.101
Route on ACE 0.0.0.0 0.0.0.0 172.22.152.2
I can ping the rserver from ACE OK as I have captured the ICMP traffic with an analyser. When I attempt to HTTP to the vserver address I see the traffic hit the ACE, but it sends TCP resets.
I can provide the full config of the ACE etc if needed.
With IOS SLB (without NAT) I used loopback addresses on the real servers. From the ACE documentation it appears the VIP address has to be completely unique; does this mean there is no need for loopback interfaces? Also, does the VIP address have to be in a different subnet than the clients? Mine is not, but it is in the same subnet as my client side vlan, as was stated in the ACE getting started guide.
I am very new to content switching, especially classifying traffic etc. Can anyone please help?
07-10-2007 10:30 PM
Could you please share your config and a 'show service-policy'?
Will start helping you from there.
The vip can be any ip you want.
You can use it as a loopback on the servers, but we usually do this when the load balancer forwards without NATing.
This is not mandatory.
Gilles.
07-11-2007 12:04 AM
07-11-2007 02:58 AM
curr conns : 0 , hit count : 2
dropped conns : 2
client pkt count : 3 , client byte count: 240
server pkt count : 0 , server byte count: 0
Are you sure your servers are responding ?
Can you sniff on the server to see if they receive a SYN and if they respond with a SYN/ACK in the right direction [ACE]?
The config looks good.
Gilles.
07-11-2007 04:57 AM
Gilles,
Capture attached (Ethereal).
I am the client on 172.21.17.20, the VIP address 172.22.152.6 replies with a RST/ACK. I can see the connection attempt on the ACE:
switch/Admin# sh conn
total current connections : 6
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
4 1 in TCP 10 172.21.17.20:1291 172.22.152.6:80 SYNSEEN
1 1 out TCP 17 172.22.152.6:80 172.21.17.20:1291 INIT
3 1 in TCP 10 172.21.17.20:1285 172.22.152.5:23 ESTAB
5 1 out TCP 10 172.22.152.5:23 172.21.17.20:1285 ESTAB
4 2 in UDP 17 172.22.244.101:1042 172.28.7.25:161 --
2 2 out UDP 10 172.28.7.25:161 172.22.244.101:1042 --
switch/Admin#
Do I need a loopback address on the real server? Also I only have one real server set up at the moment - I didn't think this would matter.
Hope this helps....
Paul
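An added example, not part of the original thread: a small parser for the `show conn` output pasted above that pairs the "in" and "out" legs and reports TCP flows stuck at SYNSEEN/INIT. The function names are hypothetical, and pairing assumes no source NAT, so the client ip:port is unchanged on both legs.

```python
import re
from collections import namedtuple

# Rows copied from the post above: conn-id, np, dir, proto, vlan, source, destination, state.
SHOW_CONN = """\
4 1 in TCP 10 172.21.17.20:1291 172.22.152.6:80 SYNSEEN
1 1 out TCP 17 172.22.152.6:80 172.21.17.20:1291 INIT
3 1 in TCP 10 172.21.17.20:1285 172.22.152.5:23 ESTAB
5 1 out TCP 10 172.22.152.5:23 172.21.17.20:1285 ESTAB
4 2 in UDP 17 172.22.244.101:1042 172.28.7.25:161 --
2 2 out UDP 10 172.28.7.25:161 172.22.244.101:1042 --
"""

Leg = namedtuple("Leg", "conn_id np direction proto vlan src dst state")
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(in|out)\s+(\S+)\s+(\d+)\s+(\S+:\d+)\s+(\S+:\d+)\s+(\S+)\s*$")

def parse_show_conn(text):
    """Return one Leg per data row; headers, rulers and prompts are skipped."""
    return [Leg(*m.groups()) for m in map(ROW.match, text.splitlines()) if m]

def pair_legs(legs):
    """Pair each 'in' leg with the 'out' leg whose destination is the same client endpoint.

    Assumption: no source NAT, so the client ip:port appears unchanged on both legs.
    """
    outs = {(l.proto, l.dst): l for l in legs if l.direction == "out"}
    return [(l, outs.get((l.proto, l.src))) for l in legs if l.direction == "in"]

def stalled_handshakes(text):
    """TCP flows where the client SYN was seen but the server leg is missing or still INIT."""
    findings = []
    for inn, out in pair_legs(parse_show_conn(text)):
        if inn.proto == "TCP" and inn.state == "SYNSEEN" and (out is None or out.state == "INIT"):
            findings.append({
                "client": inn.src,
                "vip": inn.dst,
                "server_vlan": out.vlan if out else None,
                # True when the server-side leg is still addressed to the VIP,
                # i.e. the destination was not translated to a real server IP.
                "dst_untranslated": bool(out) and out.src == inn.dst,
            })
    return findings

if __name__ == "__main__":
    for finding in stalled_handshakes(SHOW_CONN):
        print(finding)
```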
07-11-2007 01:31 PM
Remove "transparent" from the server farm:
serverfarm host WEB-FARM
  description WEB SERVERFARM
  rserver WEB1
    inservice
  rserver WEB2
    inservice
Syed Iftekhar Ahmed
07-12-2007 03:03 AM
Thank you very much - That has worked. I read in one of the manuals that this command had to be included.
One other question - If server administrators require remote access to the rservers' real IP address (like ours do), as the rservers are not part of a L3 network on our intermediate routers, I configured a static route via the ACE client side interface as follows:-
ip route 172.22.244.101 255.255.255.255 172.22.152.5
Is this best practice or should I be using a different method?
07-12-2007 09:41 AM
You just need to make sure that intermediate routing devices can route traffic to the real and your ACE should allow traffic to the real.
Static routes can definitely help.
Syed Iftekhar Ahmed