11-16-2011 11:58 AM
I am trying to configure ACE 4710 to load balance based on the URL. If it matches the specific URL (/456/), the traffic will be sent to server farm 456; otherwise the traffic will be sent to server farm 123.
I attached an image of the topology.
ACE Config:

    rserver host SRV01_123
      ip address 192.168.1.101
      inservice
    rserver host SRV02_123
      ip address 192.168.1.102
      inservice
    rserver host SRV01_456
      ip address 192.168.1.111
      inservice

    serverfarm host farm_123
      rserver SRV01_123
        inservice
      rserver SRV02_123
        inservice
    serverfarm host farm_456
      rserver SRV01_456
        inservice

    class-map match-all VIP_Application
      2 match virtual-address 192.168.1.10 tcp eq https

    class-map type http loadbalance match-all L7_server_456
      2 match http url /456/

    policy-map type loadbalance http first-match LB_Application
      class L7_server_456
        serverfarm farm_456
      class class-default
        serverfarm farm_123

    policy-map multi-match ServerGroup1_PM
      class VIP_Application
        loadbalance vip inservice
        loadbalance policy LB_Application
        loadbalance vip icmp-reply

    interface vlan 70
      bridge-group 1
      no shutdown
    interface vlan 700
      bridge-group 1
      service-policy input ServerGroup1_PM
      no shutdown
Thanks
11-16-2011 01:00 PM
Hi John,
Unfortunately this can't be done unless you configure the ACE to offload your SSL connections. HTTPS information is readable up to layer 4 to the ACE; layer 5 information such as host headers or URL is hidden and can't be matched using L5 policies without decrypting the connection within the load balancer.
HTH
__ __
Pablo
11-16-2011 01:43 PM
Hi Pablo,
Thank you very much for your response.
Can you please show me an example with this kind of configuration?
Thank you a lot.
11-16-2011 02:21 PM
Hi John,
If you want to do the offload in the ACE also called SSL termination, it is a two step process:
1- You need to upload your certificate and key to the ACE using FTP or one of the available methods.
2- Create the SSL proxy service where you add these two files and finally add this service under the policy-multimatch for the VIP in question.
You also need to decide whether you want to keep your server listening on the encrypted port (that would be a two-way encryption process called End-to-End SSL) or you can change the port to 80 and leave all the decryption process to the ACE (this would be transparent to the client; the site will show up as HTTPS all the time).
Here you can take a look at the SSL termination process (using a clear-text port on the backend servers).
Official Configuration Example
Cisco Wiki Example
HTH
__ __
Pablo
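An added configuration example, not Pablo's text and not taken from the linked Cisco pages, showing how the two steps above would fit the config John posted: the FTP host 192.168.1.50, the user ftpuser, the file names example_cert.pem / example_key.pem and the service name SSL_OFFLOAD are placeholders; the crypto import/verify command syntax is written from memory of the ACE CLI and should be checked against the command reference for your software version. It assumes the offload model Pablo describes, so the real servers are moved to clear-text port 80 while the VIP keeps listening on 443.

```cisco
! Step 1: get the certificate and private key onto the ACE (placeholder FTP host,
! user and file names; the key should only ever be copied over a trusted path)
crypto import ftp 192.168.1.50 ftpuser example_cert.pem example_cert.pem
crypto import ftp 192.168.1.50 ftpuser example_key.pem example_key.pem
! confirm the key actually matches the certificate before referencing either
crypto verify example_key.pem example_cert.pem

! Step 2: SSL proxy service that holds the certificate and key
ssl-proxy service SSL_OFFLOAD
  key example_key.pem
  cert example_cert.pem

! Backend servers now listen on clear-text port 80; the VIP class-map
! (tcp eq https) stays as it was, so clients still connect to 443
serverfarm host farm_123
  rserver SRV01_123 80
    inservice
  rserver SRV02_123 80
    inservice
serverfarm host farm_456
  rserver SRV01_456 80
    inservice

! Attach the SSL proxy to the existing VIP class; the L7 URL policy
! LB_Application is unchanged and now sees the decrypted requests
policy-map multi-match ServerGroup1_PM
  class VIP_Application
    loadbalance vip inservice
    loadbalance policy LB_Application
    loadbalance vip icmp-reply
    ssl-proxy server SSL_OFFLOAD
```

After applying this, `show crypto files` should list both files, and a request for /456/ over HTTPS should land on farm_456 while everything else goes to farm_123. Because the ACE is bridging VLAN 70 and VLAN 700, the server-side leg is now plain HTTP on the bridged segment, which is the trade-off of the offload model; if that segment is not trusted, the End-to-End SSL option Pablo mentions (servers kept on 443 with the ACE re-encrypting toward them) is the one to configure instead.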
11-17-2011 10:20 AM
Hi Pablo,
Thank you very much for your responses.
Yours sincerely,
John.