06-16-2010 04:48 AM
Question:
Does the feature of HTTP reuse work without configuring NAT, or is NAT necessary?
Thanks.
06-17-2010 05:58 AM
Hello,
You should configure NAT and PAT for TCP reuse. Other requirements are as follows:
Ensure that the ACE maximum segment size (MSS) is the same as the server MSS.
Configure port address translation (PAT) on the interface that is connected to the real server. PAT prevents collisions when a client stops using a server connection, and then that connection is reused by another client. Without PAT, if the original client tries to reuse the original server connection, it is no longer available. For details about configuring PAT, see the Cisco Application Control Engine Module Security Configuration Guide.
Configure the ACE with the same TCP options that exist on the TCP server.
Ensure that each server farm is homogeneous (all real servers within a server farm have identical configurations).
Thanks,
Sean
06-19-2010 11:03 PM
Thanks for all the good information.
Can you attach a sample config for reference?
06-21-2010 05:40 AM
Sure. The parts in red are the TCP server-conn reuse. The part in blue is in case you need to adjust the ACE's MSS to be the same as the server's MSS. In this example, the server's MSS is 1380, so the ACE must match. The default MSS of the ACE is 1460.
access-list ANYONE line 10 extended permit tcp any any

parameter-map type http TCP_REUSE_PARAM_MAP
  server-conn reuse

parameter-map type connection MSS_PARAM_MAP
  set tcp mss min 1380 max 1380

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all ABC-VIP-CM
  2 match virtual-address 172.16.51.30 tcp eq www

policy-map type loadbalance first-match ABC-VIP-PM
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match WEB-VIPS
  class ABC-VIP-CM
    loadbalance vip inservice
    loadbalance policy ABC-VIP-PM
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 20
    appl-parameter http advanced-options TCP_REUSE_PARAM_MAP
    connection advanced-options MSS_PARAM_MAP

interface vlan 10
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 20
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1
Hope this helps,
Sean
06-23-2010 01:30 AM
Thank you very much, you are a great resource for knowledge; thanks for all the support.
If I understood correctly, then all clients will pass the ACE to the server farm as source 192.168.1.100 (?)
If we are talking about a great number of clients, is it recommended to use a pool of, like, 20 addresses (with PAT), or is 1 address enough?
By the way, I think there is a little mistake in the config:
instead of:
service-policy input CLIENT_VIPS
it should be:
service-policy input WEB_VIPS
Correct me if I am wrong.
Have a good day.
06-23-2010 05:08 AM
Hello,
If I understood correctly, then all clients will pass the ACE to the server farm as source 192.168.1.100 (?)
This is correct.
If we are talking about a great number of clients, is it recommended to use a pool of, like, 20 addresses (with PAT), or is 1 address enough?
You should use as many addresses as you need, up to 32. In a NAT pool that uses PAT, there is a limit of 32 addresses in the pool. Each address gives you a lot of entries when using PAT, so oftentimes you can get away with only a single address in the pool. You can add more if you need them.
By the way, I think there is a little mistake in the config:
Yes, you caught me ;-) What you pointed out was a mistake. Sorry for the confusion.
Sean
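A small lint that catches the two things this thread turns on: the dangling service-policy name on the client VLAN, and the NAT/PAT and MSS prerequisites Sean listed for server-conn reuse. This is an added example, not part of the thread and not a Cisco tool; the indentation-based parser and the shortened, indented sample excerpt of the posted config are assumptions of the example.

```python
import re

# Constructed, indented excerpt of the config posted above, keeping only what the
# checks look at. 'CLIENT_VIPS' reproduces the typo caught later in the thread.
SAMPLE = """
parameter-map type http TCP_REUSE_PARAM_MAP
  server-conn reuse
parameter-map type connection MSS_PARAM_MAP
  set tcp mss min 1380 max 1380
policy-map multi-match WEB-VIPS
  class ABC-VIP-CM
    nat dynamic 1 vlan 20
    appl-parameter http advanced-options TCP_REUSE_PARAM_MAP
    connection advanced-options MSS_PARAM_MAP
interface vlan 10
  service-policy input CLIENT_VIPS
interface vlan 20
  nat-pool 1 192.168.1.100 192.168.1.100 netmask 255.255.255.0 pat
"""

def parse_blocks(text):
    """Group indented lines under the unindented command above them (nesting is flattened)."""
    blocks = []
    for line in filter(str.strip, text.splitlines()):
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks

def lint(text):
    """Return problems found; an empty list means the server-conn reuse prerequisites hold."""
    blocks, problems = parse_blocks(text), []
    policies = {h.split()[-1] for h, _ in blocks if h.startswith("policy-map multi-match")}
    pmaps = {h.split()[-1]: (h.split()[2], b) for h, b in blocks if h.startswith("parameter-map")}
    # (vlan, pool id) pairs whose nat-pool carries the 'pat' keyword
    pat_pools = {(h.split()[-1], m.group(1)) for h, b in blocks if h.startswith("interface vlan")
                 for m in map(lambda s: re.match(r"nat-pool (\d+) .* pat$", s), b) if m}
    for head, body in blocks:
        for l in body:
            if head.startswith("interface") and l.startswith("service-policy input") and l.split()[-1] not in policies:
                problems.append(f"{head}: service-policy {l.split()[-1]} is not a defined policy-map")
            m = re.match(r"set tcp mss min (\d+) max (\d+)", l)
            if m and m.group(1) != m.group(2):
                problems.append(f"{head}: MSS min {m.group(1)} != max {m.group(2)}; pin both to the server MSS")
            if head.startswith("policy-map multi-match") and "advanced-options" in l:
                name, kind = l.split()[-1], "http" if l.startswith("appl-parameter") else "connection"
                nat = {(s.split()[4], s.split()[2]) for s in body if s.startswith("nat dynamic")}
                if pmaps.get(name, (None,))[0] != kind:
                    problems.append(f"{head}: {name} is not a 'parameter-map type {kind}'")
                elif kind == "http" and "server-conn reuse" in pmaps[name][1] and not nat & pat_pools:
                    problems.append(f"{head}: server-conn reuse needs 'nat dynamic' on a vlan with a PAT nat-pool")
    return problems
```

Running `lint(SAMPLE)` reports only the CLIENT_VIPS reference; replacing it with WEB-VIPS yields no findings, and dropping the `pat` keyword from the nat-pool flags the reuse prerequisite instead.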
06-24-2010 03:26 AM
Thanks a lot,
you're a big help.
08-22-2010 08:35 AM
Hi Sean,
do you still answer questions at this forum?
08-23-2010 05:15 AM
Hello,
I no longer actively monitor this forum. I have moved to a different support group. My former team members have been much more active in this forum and will gladly help out. I am in the process of ramping up on Network-Centric Video Surveillance, Access Control, IP Interoperability and Collaboration (IPICS), and EnergyWise Orchestrator. Maybe I'll see you in that forum someday?
If you have a new question, I would recommend starting a new thread, and I'm sure you won't have to wait long for a quality answer. Did you have a question stemming from this thread?
- Sean
08-23-2010 10:34 PM
I guess there is nothing left for me to do but wish you all the best.
Thanks for all your help.