07-01-2011 08:54 AM
Hi Guys,
At the moment we have a situation where we have one serverfarm, with rserverA and rserverB, behind one VIP address.
We would like to do the following:
1) Send a select list of client IPs to rserver A.
2) The rest of the traffic to rserver B.
Is this possible?
Any code segments would be helpful as well.
Also we are doing stickiness based on source IP address.
Let me know if you need any more info.
Cheers,
Rob
07-01-2011 09:22 AM
Hi Rob,
You can do this using either ACLs, which can become difficult to troubleshoot, or the easy/scalable way with L7 policy load balancing.
You need to create new serverfarms where you will include only serverfarm A and B separately.
serverfarm host A
  rserver A
    inservice
serverfarm host B
  rserver B
    inservice
- Here you would match the different hosts/subnets
class-map type http loadbalance match-any Host-A
  2 match source-address 10.10.10.0 255.255.255.248
  3 match source-address 67.21.6.1 255.255.255.255
class-map type http loadbalance match-any Host-B
  2 match source-address 192.168.10.0 255.255.255.0
- Then you do your first-match policy. This is a logical "OR". Supposing there are clients that do not fall within the subnets/hosts described above, class-default will take care of that traffic, and it will end up being load balanced to the "Mixed" serverfarm.
policy-map type loadbalance first-match LB
  class Host-A
    serverfarm A
  class Host-B
    serverfarm B
  class class-default
    sticky-serverfarm Mixed
HTH
Pablo
07-19-2011 10:47 AM
Sorry for the delayed response,
We are trying to work out whether the code above will only match on 'http' traffic. We need to match on both http and https traffic.
At the moment I have coded this:
--------------------------------------------------------
class-map type http loadbalance MY_TEST_FARM
2 match source-address 10.10.10.0 255.255.255.248
-------------------------------------------------------
So if I have left out the 'match-all' or 'match-any', what is the default action?
Thank you in advance,
Rob
07-19-2011 11:46 AM
Hi Rob,
The class-maps of type http will work to match both HTTP and HTTPS, because in this case the ACE won't need to check beyond layer 3 to make a decision. You can also do it with a generic class-map, but it is pretty much the same thing.
class-map type generic match-any LB
  10 match source-address 192.168.11.2 255.255.255.0
The default action, if not specified, is "match-all".
HTH
Pablo
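The first-match evaluation discussed in this thread (source-address class-maps checked in order, class-default last, match-all assumed when the keyword is omitted), modeled in Python as an added example that is not part of the original posts and not Cisco code. The serverfarm name TEST and the second match line under MY_TEST_FARM are constructed to show the AND semantics; the model does not check whether the device accepts that line.

```python
import ipaddress
# Constructed sample modeled on the thread; MY_TEST_FARM's line 3 is constructed.
CONFIG = """\
class-map type http loadbalance match-any Host-A
  2 match source-address 10.10.10.0 255.255.255.248
  3 match source-address 67.21.6.1 255.255.255.255
class-map type http loadbalance match-any Host-B
  2 match source-address 192.168.10.0 255.255.255.0
class-map type http loadbalance MY_TEST_FARM
  2 match source-address 10.10.10.0 255.255.255.248
  3 match source-address 172.16.0.0 255.255.0.0
policy-map type loadbalance first-match LB
  class MY_TEST_FARM
    serverfarm TEST
  class Host-A
    serverfarm A
  class Host-B
    serverfarm B
  class class-default
    sticky-serverfarm Mixed
"""

def parse(config):
    classes = {"class-default": ("match-any", [ipaddress.ip_network("0.0.0.0/0")])}
    policy, current = [], None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["class-map"]:
            # No keyword means match-all, as stated in the thread.
            mode = "match-any" if "match-any" in tok else "match-all"
            current = classes.setdefault(tok[-1], (mode, []))[1]
        elif "source-address" in tok:
            # strict=False accepts host bits, e.g. 192.168.11.2 255.255.255.0
            current.append(ipaddress.ip_network(f"{tok[-2]}/{tok[-1]}", strict=False))
        elif tok[:1] == ["class"]:
            policy.append([tok[1], None])
        elif tok[:1] in (["serverfarm"], ["sticky-serverfarm"]):
            policy[-1][1] = tok[1]
    return classes, policy

def route(client, config=CONFIG):
    """First-match: the first class whose criteria hold picks the target."""
    classes, policy = parse(config)
    ip = ipaddress.ip_address(client)
    for name, target in policy:
        mode, nets = classes[name]
        if nets and (any if mode == "match-any" else all)(ip in n for n in nets):
            return name, target
    return None, None
```

In this model `route("10.10.10.3")` skips MY_TEST_FARM, because no client can be in both of its subnets under match-all, and lands on Host-A instead.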
07-20-2011 03:43 AM
Hi Pablo,
We got this working with the http policy.
Just wondering though when we have the following command:
"policy-map type loadbalance first-match LB"
I couldn't seem to issue a generic class map after this, just the http class maps. Is the above line default to only reference certain class-maps?
Cheers,
Rob
07-20-2011 11:34 AM
Hi Rob,
Glad to hear you got it working!!!
The problem with generic class-maps is that they can only be attached under "type" generic first-match policies,
i.e. "policy-map type loadbalance generic LB"
Personally I've never seen generic policies being used; as the documentation states, "use this keyword to provide support for protocols that the ACE does not explicitly support". You rarely see a "not supported" protocol because most of them work at layer 4, which represents no problem to the ACE.
"Is the above line default to only reference certain class-maps?"
Well... kinda, it allows you to match layer 3-4 class-maps and HTTP (L5). HTTP class-maps are designed for L5 matching but they can also inspect from L3 to L7. HTTPS is readable up to layer 4 to the ACE or any device (if SSL termination is not configured), so that's why you can do a "source-match" for SSL traffic under an HTTP class-map/policy-match; in this case L5 inspection is not required at all.
HTH
Pablo
07-21-2011 04:28 AM
Ok, so if we need to load balance some FTP traffic as well on the same VIP, with deterministic source IPs.
How would we modify our config to suit this new requirement or would it already do this?
Also if our HTTP traffic comes over a customised port say tcp port 8080, do we need to do anything on the ACE, or it is smart enough to know about HTTP on a different port?
Thanks for your help so far, it's been very helpful!
Cheers,
Rob
07-21-2011 11:53 AM
Hi Rob,
Yup, if you wanted to balance any other L3/L4 protocol you're in good shape now, for example for FTP you can use the same class-map that includes the "source-match" then configure a new first-match policy and the new VIP or same VIP with "eq ftp". (FTP configuration is a little bit tricky though).
"Also if our HTTP traffic comes over a customised port say tcp port 8080, do we need to do anything on the ACE, or it is smart enough to know about HTTP on a different port?"
Same thing here, as long as you have a VIP that matches incoming traffic with dst port 8080 you shouldn't have any problem because it is still a L4 matching from the ACE perspective.
For example if you want to match standard and secondary HTTP ports under the same class-map assuming both ports are balanced to the same real servers then you would do it like this:
class-map match-any WEB
  2 match virtual-address 10.10.10.10 tcp eq www
  3 match virtual-address 10.10.10.10 tcp eq 8080
So that you can apply the same filtering to both ports under the first-match policy; saving config lines and resources at the same time.
HTH
Pablo
09-28-2011 06:43 AM
Actually, I'm trying this implementation again, but we are getting this error, it seems that our policy-map only supports the 'class class-default' keywords for some reason???
DCSACE01/PDMZ-VRF(config)# policy-map type loadbalance first-match WEBPROXY02_CLUSTER_v3
class WEBPROXY_TESTFARM_B
sticky-serverfarm webproxy02_TESTFARM-sticky
DCSACE01/PDMZ-VRF(config-pmap-lb)# class WEBPROXY_TESTFARM_B
class class-default
sticky-serverfarm webproxy02-sticky
Error: Specified class-map is not consistent with the policy-map type
DCSACE01/PDMZ-VRF(config-pmap-lb)# sticky-serverfarm webproxy02_TESTFARM-sticky
^
% invalid command detected at '^' marker.
DCSACE01/PDMZ-VRF(config-pmap-lb)#
DCSACE01/PDMZ-VRF(config)# policy-map type loadbalance first-match WEBPROXY02_CLUSTER_v3
DCSACE01/PDMZ-VRF(config-pmap-lb)# class ?
class-default Specify actions for default class-map
DCSACE01/PDMZ-VRF(config-pmap-lb)# class
The version we are running is
Version A2(1.2)
(Yes, it's a bit old)
Cheers,
Rob