01-29-2010 07:51 AM
Hi,
Please could someone confirm if it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?
class-map match-any WCVS
  2 match virtual-address 20.0.0.1 tcp eq www
  4 match virtual-address 20.0.0.1 tcp eq ftp
policy-map multi-match int3
  class WCVS
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
    nat dynamic 5 vlan 20
int vl20
  service-policy input int3
02-01-2010 06:01 AM
Hello Muhammad,
Two points on your config:
I would recommend trying this with the following config. This way, both the FTP and HTTP will be source-NAT'd as desired, then the passive FTP data channel will also be NAT'd. This config will likely be required if you are using passive FTP.
class-map match-any WCVS-WWW
  2 match virtual-address 20.0.0.1 tcp eq www
class-map match-any WCVS-FTP
  2 match virtual-address 20.0.0.1 tcp eq ftp
class-map match-all NAT-VIP
  2 match destination-address 20.0.0.1 255.255.255.255
policy-map type loadbalance first-match VS-l7slb
  class class-default
    serverfarm SERVERS
policy-map multi-match int3
  class WCVS-WWW
    loadbalance vip inservice
    loadbalance policy VS-l7slb
  class WCVS-FTP
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 20
int vl20
  service-policy input int3
Don't forget that your VLAN interface will also need an ACL applied that will permit the traffic to this VIP.
Hope this helps,
Sean
02-01-2010 09:55 AM
Hi Sean,
Thank you for your reply.
I have tested the config. The HTTP part seems to be working well but FTP is failing. When I try to establish an FTP connection I get the connected message but nothing beyond:
C:\>ftp www.xxx.com
Connected to www.xxx.com.
I have attached device config if you get a chance to review.
02-01-2010 10:53 AM
Hello,
I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line and see if it works.
Let me know how it goes...
logging enable
logging buffered 6
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http Probe_HTTP
  interval 5
  passdetect interval 60
  expect status 200 200
  open 2
  receive 2
probe tcp Probe_FTP
  port 21
  interval 5
  passdetect interval 60
  open 2
  receive 2
rserver host Server1
  ip address 10.10.10.10
  conn-limit max 4000000 min 4000000
  inservice
rserver host Server2
  ip address 10.10.10.11
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host FARM-HTTP
  probe Probe_HTTP
  rserver Server1 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2 80
    conn-limit max 4000000 min 4000000
    inservice
serverfarm host FARM-FTP
  probe Probe_FTP
  rserver Server1
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2
    conn-limit max 4000000 min 4000000
    inservice
sticky http-cookie XXX_tempCookie XXX_tempCookie
  cookie insert
  serverfarm FARM-HTTP
class-map type management match-any Management
  201 match protocol http any
  202 match protocol https any
  203 match protocol icmp any
  204 match protocol kalap-udp any
  205 match protocol ssh any
  206 match protocol telnet any
  207 match protocol xml-https any
class-map match-any XXX-WCVS-WWW
  2 match virtual-address 10.10.10.100 tcp eq www
class-map match-any XXX-WCVS-FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp
  3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
class-map match-any NAT-VIP
  2 match destination-address 10.10.10.100 255.255.255.255
policy-map type management first-match Management
  class Management
    permit
policy-map type loadbalance first-match XXX_VS-l7slb-WWW
  class class-default
    sticky-serverfarm XXX_tempCookie
policy-map type loadbalance first-match XXX_VS-l7slb-FTP
  class class-default
    serverfarm FARM-FTP
policy-map multi-match int3
  class XXX-WCVS-WWW
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-WWW
  class XXX-WCVS-FTP
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-FTP
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 12
interface vlan 12
  ip address 10.10.10.1 255.255.255.0
  alias 10.10.10.3 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  access-group input ALL
  nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
  service-policy input Management
  service-policy input int3
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.254
02-02-2010 07:28 AM
Hi Sean,
Thank you for your reply it works perfect.
It works without the range, so inspect takes care of the active FTP connection.
  3 match virtual-address 10.10.10.100 tcp range 1023 65535 [Not required]
For the FTP probe I would assume it only checks the successful handshake, as opposed to establishing a TCP connection to the server and then issuing a quit command as it would in an FTP-type probe?
"A TCP probe makes a connection, and if the connection through a 3-way handshake (SYN, SYN-ACK, and ACK) is successful, the server is marked as passed" [Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]
An FTP probe establishes a TCP connection to the server and then issues a quit command.[Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]
Thank you for your help.
Muhammad.
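What `inspect ftp` has to do on the data channel, written up as an added example for this page (Python, not ACE code, and not part of any post above): it parses PORT commands and 227 replies on the control connection, checks the embedded address against the session's own endpoints (the FTP bounce check), rewrites it for the source NAT used in the one-armed design, and records the pinhole that lets the data connection through without a static `tcp range 1023 65535` match on the VIP. The VIP/NAT pool 10.10.10.100 and rservers 10.10.10.10/11 mirror the thread; the client address 192.168.1.50 and the port numbers are assumptions.

```python
"""Model of the data-channel fix-ups an FTP inspection engine performs when the
control connection is load-balanced and source-NAT'd, as in the one-armed ACE
design above.  Example code written for this page; the addresses are
constructed to mirror the thread and the client address is an assumption."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Tuple

HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"          # h1,h2,h3,h4,p1,p2 (RFC 959)
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\r\n$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 [^(]*\(" + HOSTPORT + r"\)")


@dataclass(frozen=True)
class ControlSession:
    """Addresses of one load-balanced, source-NAT'd FTP control connection."""
    client_ip: IPv4Address       # real client address
    client_nat_ip: IPv4Address   # what the rserver sees (nat dynamic pool)
    vip: IPv4Address             # address the client connected to
    real_server_ip: IPv4Address  # rserver the load balancer picked


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit plus translation for the expected data connection."""
    src_ip: IPv4Address
    dst_ip: IPv4Address
    dst_port: int
    xlate_ip: IPv4Address   # where dst_ip:dst_port is really delivered
    xlate_port: int


# Constructed session: NAT pool and VIP are both 10.10.10.100 as in the thread;
# the client address is an assumption.
EXAMPLE_SESSION = ControlSession(IPv4Address("192.168.1.50"), IPv4Address("10.10.10.100"),
                                 IPv4Address("10.10.10.100"), IPv4Address("10.10.10.10"))


def decode_hostport(text: str) -> Tuple[IPv4Address, int]:
    parts = [int(p) for p in text.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host-port {text!r}")
    return IPv4Address(".".join(map(str, parts[:4]))), parts[4] * 256 + parts[5]


def encode_hostport(ip: IPv4Address, port: int) -> str:
    return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])


def fixup_port_command(line: str, s: ControlSession) -> Tuple[str, Pinhole]:
    """Active mode: the client tells the server where to connect from port 20."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    ip, port = decode_hostport(m.group(1))
    # Bounce-attack check (RFC 2577): only the client's own address, on an
    # unprivileged port, may be announced on its own control connection.
    if ip != s.client_ip or port < 1024:
        raise ValueError(f"PORT {ip}:{port} does not belong to client {s.client_ip}")
    # The server only knows the NAT'd address, so that is what it must dial;
    # the pinhole translates the server's data connection back to the real client.
    rewritten = f"PORT {encode_hostport(s.client_nat_ip, port)}\r\n"
    return rewritten, Pinhole(s.real_server_ip, s.client_nat_ip, port, s.client_ip, port)


def fixup_pasv_reply(line: str, s: ControlSession) -> Tuple[str, Pinhole]:
    """Passive mode: the server announces the port it listens on for data."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply")
    ip, port = decode_hostport(m.group(1))
    # The rserver may only advertise itself; a third-party address is dropped.
    if ip != s.real_server_ip:
        raise ValueError(f"227 advertises {ip}, not the chosen rserver {s.real_server_ip}")
    # The client sees the VIP; the pinhole sends VIP:port to the same rserver that
    # owns the control channel, so no static 'tcp range 1023 65535' match is needed.
    rewritten = line[:m.start(1)] + encode_hostport(s.vip, port) + line[m.end(1):]
    return rewritten, Pinhole(s.client_ip, s.vip, port, s.real_server_ip, port)


if __name__ == "__main__":
    print(fixup_pasv_reply("227 Entering Passive Mode (10,10,10,10,195,80).\r\n", EXAMPLE_SESSION))
    print(fixup_port_command("PORT 192,168,1,50,4,1\r\n", EXAMPLE_SESSION))
```

The two address checks are what make an inspection engine safe to run on an exposed VIP: without them a client could use PORT to make the server connect to a third host, or a compromised rserver could hand clients an arbitrary address inside a 227.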
02-02-2010 07:34 AM
Hi Muhammad,
Thanks for the follow-up, and glad to hear it is working. You are correct about the TCP probe. I only wanted to get across the idea of using a unique probe for each application. You would be better off using the FTP probe for the FTP servers, rather than using a TCP probe.
- Sean
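Added example (Python, written for this page; not from the thread or from Cisco) showing the difference Sean points at: a TCP probe passes as soon as the three-way handshake completes, while an FTP probe also expects a 220 greeting and a 221 reply to QUIT. Two constructed servers run on 127.0.0.1: one that speaks FTP and one that accepts connections but never sends a banner. Only the FTP probe tells them apart, which is why a port-21 TCP probe can keep a hung FTP daemon in service. The `open 2` / `receive 2` timeouts from the thread's probe config are mirrored as the defaults.

```python
"""TCP probe versus FTP probe, as an added example for this page (Python,
not ACE code).  Two constructed servers on 127.0.0.1 stand in for rservers:
one speaks FTP, the other accepts connections but never sends a banner."""
import socket
import threading
from typing import Callable, Dict


def tcp_probe(host: str, port: int, open_timeout: float = 2.0) -> bool:
    """'probe tcp': pass as soon as the three-way handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=open_timeout):
            return True
    except OSError:
        return False


def _read_reply(sock: socket.socket) -> str:
    """Read one CRLF-terminated reply line (first line of a multi-line reply)."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(512)
        if not chunk:
            raise ConnectionError("server closed before replying")
        data += chunk
    return data.decode("ascii", "replace")


def ftp_probe(host: str, port: int, open_timeout: float = 2.0,
              receive_timeout: float = 2.0) -> bool:
    """'probe ftp': handshake, expect a 220 greeting, send QUIT, expect 221."""
    try:
        with socket.create_connection((host, port), timeout=open_timeout) as s:
            s.settimeout(receive_timeout)
            if not _read_reply(s).startswith("220"):
                return False
            s.sendall(b"QUIT\r\n")
            return _read_reply(s).startswith("221")
    except OSError:          # refused, timed out, reset, or closed early
        return False


def _serve(handler: Callable[[socket.socket], None]) -> int:
    """Constructed test server: accept connections forever on an ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    handler(conn)
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def ftp_speaking(conn: socket.socket) -> None:
    """Minimal FTP greeting/QUIT exchange, enough for the probe to pass."""
    conn.settimeout(2.0)
    conn.sendall(b"220 constructed FTP server ready\r\n")
    if conn.recv(64).upper().startswith(b"QUIT"):
        conn.sendall(b"221 Goodbye.\r\n")


def silent(conn: socket.socket) -> None:
    """Completes the handshake (so 'probe tcp' is happy) but never sends a banner,
    like a host whose FTP daemon is hung behind an open port."""
    conn.settimeout(2.0)
    conn.recv(1)


def run_demo(receive_timeout: float = 1.0) -> Dict[str, bool]:
    ftp_port, silent_port = _serve(ftp_speaking), _serve(silent)
    return {
        "tcp_probe/ftp_server": tcp_probe("127.0.0.1", ftp_port),
        "tcp_probe/silent_server": tcp_probe("127.0.0.1", silent_port),
        "ftp_probe/ftp_server": ftp_probe("127.0.0.1", ftp_port, receive_timeout=receive_timeout),
        "ftp_probe/silent_server": ftp_probe("127.0.0.1", silent_port, receive_timeout=receive_timeout),
    }


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name:26s} {'PASSED' if passed else 'FAILED'}")
```

Both probes report the silent server as reachable at the TCP level; only `ftp_probe` marks it failed, which is the outcome a load balancer needs before it will stop sending FTP clients to that rserver.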