cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1548
Views
0
Helpful
9
Replies

http REUSE

nir.fisher
Level 1
Level 1

question ,

Does the feature of http reuse work without configuring nat ? or is nat necessary ?

thanks.

9 Replies 9

Sean Merrow
Level 4
Level 4

Hello,

You should configure NAT and PAT for TCP reuse.  Other requirements are as follows:

Ensure that the ACE maximum segment size (MSS) is the same as the server MSS.

Configure port address translation (PAT) on the interface that is connected to the real server. PAT prevents collisions when a client stops using a server connection, and then that connection is reused by another client. Without PAT, if the original client tries to reuse the original server connection, it is no longer available. For details about configuring PAT, see the Cisco Application Control Engine Module Security Configuration Guide.

Configure the ACE with the same TCP options that exist on the TCP server.

Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).

Thanks,

Sean

Thanks for all the good information

can you attach a sample config for reference ?

Sure.  The parts in red are the tcp server-conn reuse.  The part in blue is in case you need to adjust the ACE's MSS to be the same as the server's MSS.  In this example, the server's MSS is 1380, so the ACE must match.  Default MSS of ACE is 1460.


access-list ANYONE line 10 extended permit tcp any any

parameter-map type http TCP_REUSE_PARAM_MAP
  server-conn reuse

parameter-map type connection MSS_PARAM_MAP
  set tcp mss min 1380 max 1380

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all ABC-VIP-CM
  2 match virtual-address 172.16.51.30 tcp eq www

policy-map type loadbalance first-match ABC-VIP-PM
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match WEB-VIPS
  class ABC-VIP-CM
    loadbalance vip inservice
    loadbalance policy ABC-VIP-PM
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 20
    appl-parameter http advanced-options TCP_REUSE_PARAM_MAP

    connection advanced-options MSS_PARAM_MAP

interface vlan 10
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 20
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1


Hope this helps,

Sean

Thank you very much , you are a great resource for knowledge , thanks for all the support .

If I understood correctly than all clients will pass the ACE to the server farm as source 192.168.1.100 (?)

If we are talking about a great number of clients is it recommended to use a pool of like 20 addresses  (with PAT) or is 1 address enough?

by the way I think there is a little mistake in the config :

instead of  :

service-policy input CLIENT_VIPS

it should be :

service-policy input WEB_VIPS

correct me if I am wrong

have a good day

Hello,

If I understood correctly than all clients will pass the ACE to the server farm as source 192.168.1.100 (?)

This is correct.

If we are talking about a great number of clients is it recommended to use a pool of like 20 addresses  (with PAT) or is 1 address enough?

You should use as many addresses as you need, up to 32.  In a NAT pool that uses PAT, there is a limit of 32 addresses in the pool.  Each address gives you a lot of entries when using PAT, so often times you can get away with only  a single addresss in the pool.  You can add more if you need them.

by the way I think there is a little mistake in the config :

Yes, you caught me  ;- )  what you pointed out was a mistake.  Sorry for the confusion.

Sean

Thanks a lot ,

your a big help .

hi sean

do you still answer questions at this forum?

Hello,

I no longer actively monitor this forum.  I have moved to a different support group.  My former team members have been much more active in this forum and will gladly help out.  I am in the process of ramping up on Network-Centric Video Surveillance, Access Control, IP Interorperability and Collaboration (IPICS), and EnergyWise Orchestrator.  Maybe I'll see you in that forum someday?

If you have a new question, I would recommend starting a new thread, and I'm sure you won't have to wait long for a quality answer.  Did you have a question stemming from this thread?

- Sean

I guess there is nothing left for me to do but wish you all the best

thanks for all your help

Review Cisco Networking for a $25 gift card