07-09-2010 01:32 AM
Hi,
We have an ACE 4710 and we need to configure it for HTTP URL Load Balancing between two server farms.
For example we need url (https://www.test.com) to load balance to Server Farm 1 and another url (https://www.test.com/test1) to load balance to Server Farm 2.
Can you give me an example of the match statements that need to be configured?
class-map type http load balance match-all SF1
  match http url http://www.test.com
class-map type http load balance match-all SF2
  match http url http://www.test.com/test1
Are these statements correct?
Thanks in advance,
Theofilos Sakoulias
07-09-2010 01:55 AM
I would do it this way.
class-map type http loadbalance match-all SF1
  2 match http header Host header-value "www.test.com"
class-map type http loadbalance match-all SF2
  2 match http header Host header-value "www.test.com"
  3 match http url /test1
policy-map type loadbalance first-match Loadbalance-pm
  class SF2
    serverfarm ServerFarm2
  class SF1
    serverfarm ServerFarm1
  class class-default
    serverfarm DefaultServerFarm
Just remember to have the most specific rule first in the policy-map and use match-all statements. If you put the SF1 class first then anything else under it will not be processed.
Regards,
Dave.
07-09-2010 02:57 AM
Hi David,
Is there any difference if I use https instead of http?
I have already configured ssl proxy service under the policy map type load balance.
Furthermore, do we need to use urlrewrite?
Below you can find our current config :
switch/Admin# sh run
Generating configuration....
resource-class Sticky
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 10.00 maximum equal-to-min
boot system image:c4710ace-mz.A3_2_5.bin
interface gigabitEthernet 1/1
description Management
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description Servers
switchport access vlan 990
no shutdown
interface gigabitEthernet 1/3
description Clients
switchport access vlan 991
no shutdown
interface gigabitEthernet 1/4
description FT Port
ft-port vlan 999
no shutdown
crypto chaingroup Chain_Group_2010
cert CERT
cert Intermediate
context Admin
member Sticky
access-list ALL line 8 extended permit ip any any
access-list ALL line 9 extended permit icmp any any
probe http HTTP_Probe
description HTTP_Probe
port 8080
interval 15
passdetect interval 60
request method get url \
expect status 0 999
open 1
probe icmp ICMP_Probe
description ICMP_Probe
interval 15
passdetect interval 60
rserver host Serv3
description Serv3
ip address 172.16.3.113
probe ICMP_Probe
probe HTTP_Probe
inservice
rserver host Serv4
description Serv4
ip address 172.16.3.114
probe ICMP_Probe
probe HTTP_Probe
inservice
rserver host Serv7
description Serv7
ip address 172.16.3.117
probe ICMP_Probe
probe HTTP_Probe
inservice
action-list type modify http urlrewrite
ssl url rewrite location "my\.test\.com.*"
serverfarm host Server_Farm_Pilot
description Server_Farm_Pilot
failaction purge
rserver Serv3 8080
probe ICMP_Probe
probe HTTP_Probe
inservice
rserver Serv4 8080
probe ICMP_Probe
probe HTTP_Probe
inservice
serverfarm host Server_Farm_2
description Server_Farm_2
failaction purge
probe HTTP_Probe
probe ICMP_Probe
rserver Serv7 8080
probe ICMP_Probe
probe HTTP_Probe
inservice
ssl-proxy service Proxy_Service_2010
key KEY
cert CERT
chaingroup Chain_Group_2010
sticky http-cookie COOKIE Sticky_Group
replicate sticky
serverfarm Server_Farm_Pilot
class-map match-all VIP_HTTP
2 match virtual-address 172.16.1.210 tcp eq www
class-map match-all Virtual_Server_Pilot
2 match virtual-address 172.16.1.210 tcp eq https
class-map type management match-any remote_access
201 match protocol xml-https any
202 match protocol icmp any
203 match protocol telnet any
204 match protocol ssh any
205 match protocol http any
206 match protocol https any
207 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match VIP_HTTP-l7slb
class class-default
sticky-serverfarm Sticky_Group
policy-map type loadbalance first-match Virtual_Server_Pilot-l7slb
class class-default
sticky-serverfarm Sticky_Group
action urlrewrite
policy-map multi-match int991
class Virtual_Server_Pilot
loadbalance vip inservice
loadbalance policy Virtual_Server_Pilot-l7slb
loadbalance vip icmp-reply
ssl-proxy server Proxy_Service_2010
class VIP_HTTP
loadbalance vip inservice
loadbalance policy VIP_HTTP-l7slb
interface vlan 990
description Servers
ip address 172.16.3.201 255.255.255.0
alias 172.16.3.203 255.255.255.0
peer ip address 172.16.3.202 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
interface vlan 991
description Clients
ip address 172.16.1.201 255.255.255.0
alias 172.16.1.203 255.255.255.0
peer ip address 172.16.1.202 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
service-policy input int991
no shutdown
interface vlan 1000
description Management
ip address 10.10.10.201 255.255.255.0
alias 10.10.10.203 255.255.255.0
peer ip address 10.10.10.202 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ft interface vlan 999
ip address 1.1.1.1 255.255.255.0
peer ip address 1.1.1.2 255.255.255.0
no shutdown
ft peer 1
heartbeat interval 300
heartbeat count 10
ft-interface vlan 999
ft group 1
peer 1
priority 110
associate-context Admin
inservice
ft track host TRACK_HOST1
track-host 172.16.3.113
probe ICMP_Probe priority 20
ft track interface Track_Clients
track-interface vlan 991
peer track-interface vlan 991
priority 20
ft track interface Track_Servers
track-interface vlan 990
peer track-interface vlan 990
priority 20
ip route 0.0.0.0 0.0.0.0 172.16.1.121
switch/Admin#
The difference is that our url is https://www.my.test.com. So according to your solution the header value should be modified to "www.my.test.com"?
Thanks
07-09-2010 03:14 AM
Yes you have to modify the header for the site you are using.
Also the ACE is terminating the HTTPS session between the client and ACE. When it sends traffic to the servers it will be HTTP and therefore the solution I gave you would be fine as the SSL Termination happens before the Layer 7 class-maps are checked and applied.
Something like....
match layer 4 class-map for HTTPS traffic and IP address
terminate SSL connection
go to policy-map
check layer 7 class-map statement for a first-match
loadbalance to serverfarm when match is found
I would also recommend using SSL-rewrite to handle any HTTP 30x codes that may be generated by the website. Just to be sure.
Dave.
07-15-2010 02:51 AM
Hi David,
I did the following :
class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB
policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain
When I test the above config, I don't get the desired functionality. All the connections (to http://mydomain.com, http://mydomain.com/ClientA and http://mydomain.com/ClientB) are load balanced to serverfarm Sticky_Main_Domain. When I remove the Main_Domain class map all the connections are dropped, which indicates that no connection requests are matched to class maps ClientA and ClientB.
Any help would be appreciated
Thanks
07-16-2010 12:20 AM
I found the solution.
The final config should be like this one :
class-map type http loadbalance match-all ClientA
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientA/.*
class-map type http loadbalance match-all Main_Domain
  2 match http header Host header-value "my.domain.com"
class-map type http loadbalance match-all ClientB
  2 match http header Host header-value "my.domain.com"
  3 match http url /ClientB/.*
policy-map type loadbalance first-match VIP_HTTP-l7slb
  class ClientA
    sticky-serverfarm Sticky_ClientA
  class ClientB
    sticky-serverfarm Sticky_ClientB
  class Main_Domain
    sticky-serverfarm Sticky_Main_Domain
Watch the regular expressions in red !!!!!
Thank you all for your help.
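The following is an added example, not part of any post in this thread and not Cisco code: a small Python model of the first-match policy above that compares the 07-15 class maps with the 07-16 ones over constructed requests. It assumes a "match http url" expression must match the whole request path (modelled with re.fullmatch) and simplifies the Host match to an exact string comparison; the function names and sample requests are made up for illustration.

```python
import re

# Class maps from the thread as (name, host, url_expression or None).
# Assumption: the url expression must match the WHOLE request path
# (re.fullmatch); match-all means the host AND the url must both match.
BEFORE = [("ClientA", "my.domain.com", r"/ClientA"),
          ("ClientB", "my.domain.com", r"/ClientB"),
          ("Main_Domain", "my.domain.com", None)]
AFTER = [("ClientA", "my.domain.com", r"/ClientA/.*"),
         ("ClientB", "my.domain.com", r"/ClientB/.*"),
         ("Main_Domain", "my.domain.com", None)]


def first_match(policy, host, path):
    """Return the first class whose conditions all match.

    Returns None when nothing matches; the policy-map in the thread has
    no class-default, so such a request has no serverfarm to go to.
    """
    for name, want_host, url_expr in policy:
        if host.lower() != want_host:  # simplified Host header match
            continue
        if url_expr is not None and re.fullmatch(url_expr, path) is None:
            continue
        return name
    return None


def route_table(policy, requests):
    """Map each (host, path) request to the class that would handle it."""
    return {(h, p): first_match(policy, h, p) for h, p in requests}


# Constructed sample requests (not captured traffic).
SAMPLES = [("my.domain.com", "/"),
           ("my.domain.com", "/ClientA"),
           ("my.domain.com", "/ClientA/"),
           ("my.domain.com", "/ClientA/login.jsp"),
           ("my.domain.com", "/ClientB/img/logo.png"),
           ("mydomain.com", "/ClientA/login.jsp")]

if __name__ == "__main__":
    before, after = route_table(BEFORE, SAMPLES), route_table(AFTER, SAMPLES)
    for req in SAMPLES:
        print(f"{req[0]}{req[1]:<24} before={before[req]!s:<12} after={after[req]}")
```

Under the same assumption, a request for the bare path /ClientA (no trailing slash) is no longer matched by /ClientA/.* and falls through to Main_Domain, and a Host value that differs from the configured one matches no class at all.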