01-29-2010 07:51 AM
Hi,
Please could someone confirm if it is possible to load balance FTP and HTTP on the same VIP? Would something like this work in a one-armed design?
class-map match-any WCVS
  2 match virtual-address 20.0.0.1 tcp eq www
  4 match virtual-address 20.0.0.1 tcp eq ftp
policy-map multi-match int3
  class WCVS
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
    nat dynamic 5 vlan 20
int vl20
  service-policy input int3
02-01-2010 06:01 AM
Hello Muhammad,
Two points on your config:
I would recommend trying this with the following config. This way, both the FTP and HTTP will be source-NAT'd as desired, then the passive FTP data channel will also be NAT'd. This config will likely be required if you are using passive FTP.
class-map match-any WCVS-WWW
  2 match virtual-address 20.0.0.1 tcp eq www
class-map match-any WCVS-FTP
  2 match virtual-address 20.0.0.1 tcp eq ftp
class-map match-all NAT-VIP
  2 match destination-address 20.0.0.1 255.255.255.255
policy-map type loadbalance first-match VS-l7slb
  class class-default
    serverfarm SERVERS
policy-map multi-match int3
  class WCVS-WWW
    loadbalance vip inservice
    loadbalance policy VS-l7slb
  class WCVS-FTP
    loadbalance vip inservice
    loadbalance policy VS-l7slb
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 20
int vl20
  service-policy input int3
Don't forget that your VLAN interface will also need an ACL applied that will permit the traffic to this VIP.
Hope this helps,
Sean
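Why `inspect ftp` has to sit on the FTP class next to the source NAT, shown as an added example (my code, not Cisco's ACE implementation; the VIP, the real-server addresses and the server-to-VIP mapping are constructed to match the thread): FTP carries endpoint addresses inside the control channel, in the client's PORT command (active mode) and the server's 227 reply (passive mode). A NAT that rewrites only IP headers leaves the peer dialling an address it cannot reach. An application-layer gateway parses those payload fields, rewrites them to the public address, and opens a per-connection pinhole for the data channel, which is why a static high-port class-map is not needed for the data connections. The privileged-port check is a sanity rule many gateways apply; it is an assumption here, not a statement about what ACE does.

```python
"""Toy FTP application-layer gateway (ALG), modelled on what an `inspect ftp`
policy does for a load balancer that source-NATs clients toward real servers.
Added example; not Cisco's implementation."""
import re
from ipaddress import IPv4Address

# Constructed topology matching the thread: VIP / NAT pool 10.10.10.100 and
# real servers 10.10.10.10 and 10.10.10.11.  The mapping is an assumption.
VIP = IPv4Address("10.10.10.100")
REAL_SERVERS = {IPv4Address("10.10.10.10"), IPv4Address("10.10.10.11")}

# h1,h2,h3,h4,p1,p2 as carried by both PORT and the 227 reply (RFC 959).
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HP + r"\)")


def _decode(groups):
    """Turn the six comma-separated decimals into (IPv4Address, port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range: %r" % (groups,))
    ip = IPv4Address("%d.%d.%d.%d" % tuple(vals[:4]))
    port = vals[4] * 256 + vals[5]
    # Sanity rule (assumption): a data channel should never land on a
    # privileged port; refusing it stops the control channel from steering
    # the peer at well-known services.
    if port < 1024:
        raise ValueError("refusing data port %d below 1024" % port)
    return ip, port


def _encode(ip, port):
    return "%s,%d,%d" % (str(ip).replace(".", ","), port // 256, port % 256)


def _splice(line, match, ip, port):
    """Replace just the h1..p2 field of the matched line, keeping the rest."""
    return line[:match.start(1)] + _encode(ip, port) + line[match.end(6):]


def rewrite_pasv_reply(line):
    """Server->client 227 reply in passive mode.  The real server announces
    its own address, which the client cannot reach through the VIP; rewrite
    it to the VIP and return the pinhole the NAT must open for the data
    connection: (vip, port) -> (server, port)."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    server_ip, port = _decode(m.groups())
    if server_ip not in REAL_SERVERS:
        raise ValueError("227 reply names an unknown server %s" % server_ip)
    pinhole = {"public": (str(VIP), port), "private": (str(server_ip), port)}
    return _splice(line, m, VIP, port), pinhole


def rewrite_port_command(line, nat_ip, nat_port):
    """Client->server PORT in active mode.  The client names its own address,
    but the server only ever sees source-NAT'd traffic from nat_ip; rewrite
    PORT so the server connects to (nat_ip, nat_port) and return the reverse
    pinhole: (nat_ip, nat_port) -> (client, client_port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    client_ip, client_port = _decode(m.groups())
    pinhole = {"public": (str(nat_ip), nat_port),
               "private": (str(client_ip), client_port)}
    return _splice(line, m, nat_ip, nat_port), pinhole


if __name__ == "__main__":
    print(rewrite_pasv_reply("227 Entering Passive Mode (10,10,10,10,195,80).\r\n"))
    print(rewrite_port_command("PORT 192,168,1,50,4,1\r\n", VIP, 40000))
```

The two rewrite functions return the pinhole alongside the rewritten line because those are the two halves of what the gateway must do: fix the payload and tell the NAT which single (address, port) pair to accept for the upcoming data connection, then tear it down when that connection closes.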
02-01-2010 09:55 AM
Hi Sean,
Thank you for your reply.
I have tested the config. The HTTP part seems to be working well but FTP is failing. When I try to establish an FTP connection I get a connected message but nothing beyond:
C:\>ftp www.xxx.com
Connected to www.xxx.com.
I have attached device config if you get a chance to review.
02-01-2010 10:53 AM
Hello,
I assume you want to ultimately use cookie sticky, since it is in your config, but not yet used. The '80' next to the rservers within the serverfarm will keep FTP from working because that will force the ACE to always use a destination port of 80 to the rservers, which is good for HTTP, but not so good for FTP. Below is your config with some modifications. I've created a new serverfarm for FTP, created a new probe for that farm, included HTTP cookie-sticky, and created a new L7 policy-map. There is one line that I would like you to remove and see if it works. If it does not, then add this line and see if it works.
Let me know how it goes...
logging enable
logging buffered 6
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
probe http Probe_HTTP
  interval 5
  passdetect interval 60
  expect status 200 200
  open 2
  receive 2
probe tcp Probe_FTP
  port 21
  interval 5
  passdetect interval 60
  open 2
  receive 2
rserver host Server1
  ip address 10.10.10.10
  conn-limit max 4000000 min 4000000
  inservice
rserver host Server2
  ip address 10.10.10.11
  conn-limit max 4000000 min 4000000
  inservice
serverfarm host FARM-HTTP
  probe Probe_HTTP
  rserver Server1 80
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2 80
    conn-limit max 4000000 min 4000000
    inservice
serverfarm host FARM-FTP
  probe Probe_FTP
  rserver Server1
    conn-limit max 4000000 min 4000000
    inservice
  rserver Server2
    conn-limit max 4000000 min 4000000
    inservice
sticky http-cookie XXX_tempCookie XXX_tempCookie
  cookie insert
  serverfarm FARM-HTTP
class-map type management match-any Management
  201 match protocol http any
  202 match protocol https any
  203 match protocol icmp any
  204 match protocol kalap-udp any
  205 match protocol ssh any
  206 match protocol telnet any
  207 match protocol xml-https any
class-map match-any XXX-WCVS-WWW
  2 match virtual-address 10.10.10.100 tcp eq www
class-map match-any XXX-WCVS-FTP
  2 match virtual-address 10.10.10.100 tcp eq ftp
  3 match virtual-address 10.10.10.100 tcp range 1023 65535   <-- try first without this, then with this
class-map match-any NAT-VIP
  2 match destination-address 10.10.10.100 255.255.255.255
policy-map type management first-match Management
  class Management
    permit
policy-map type loadbalance first-match XXX_VS-l7slb-WWW
  class class-default
    sticky-serverfarm XXX_tempCookie
policy-map type loadbalance first-match XXX_VS-l7slb-FTP
  class class-default
    serverfarm FARM-FTP
policy-map multi-match int3
  class XXX-WCVS-WWW
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-WWW
  class XXX-WCVS-FTP
    loadbalance vip inservice
    loadbalance policy XXX_VS-l7slb-FTP
    inspect ftp
  class NAT-VIP
    nat dynamic 5 vlan 12
interface vlan 12
  ip address 10.10.10.1 255.255.255.0
  alias 10.10.10.3 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  access-group input ALL
  nat-pool 5 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
  service-policy input Management
  service-policy input int3
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.254
02-02-2010 07:28 AM
Hi Sean,
Thank you for your reply; it works perfectly.
It works without the range, so inspect takes care of the Active FTP connection.
3 match virtual-address 10.10.10.100 tcp range 1023 65535 [Not required]
For the FTP probe, I would assume it only checks the successful handshake, as opposed to establishing a TCP connection to the server and then issuing a quit command as it would do in an FTP-type probe?
"A TCP probe makes a connection, and if the connection through a 3-way handshake (SYN, SYN-ACK, and ACK) is successful, the server is marked as passed" [Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]
"An FTP probe establishes a TCP connection to the server and then issues a quit command." [Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide]
Thank you for your help.
Muhammad.
02-02-2010 07:34 AM
Hi Muhammad,
Thanks for the follow-up, and glad to hear it is working. You are correct about the TCP probe. I only wanted to get across the idea of using a unique probe for each application. You would be better off using the FTP probe for the FTP servers, rather than using a TCP probe.
- Sean
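The distinction Muhammad quotes from the Cisco guide and Sean confirms, carried into runnable form as an added example (my code, not ACE's probe engine; the two loopback listeners are constructed purely so the probes can be exercised offline): a TCP probe reports "passed" as soon as the 3-way handshake completes, while an FTP probe waits for the 220 greeting and expects a 221 reply to QUIT. The wedged listener below accepts connections but never speaks FTP, which is exactly the failure a TCP probe on port 21 cannot see.

```python
"""TCP probe versus FTP probe, in the sense the thread discusses.
Added example; not Cisco ACE code."""
import socket
import threading


def tcp_probe(host, port, timeout=2.0):
    """Passes if the TCP handshake completes; says nothing about the service."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def _read_reply(sock):
    """Read one single-line FTP reply and return its 3-digit code, or None."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(512)
        if not chunk:
            return None
        data += chunk
    line = data.decode("ascii", "replace")
    return line[:3] if line[:3].isdigit() else None


def ftp_probe(host, port, timeout=2.0):
    """Passes only if the listener behaves like an FTP server: a 220
    greeting, then 221 in answer to QUIT.  A hung daemon or a non-FTP
    service on the port fails here even though the handshake succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if _read_reply(s) != "220":
                return False
            s.sendall(b"QUIT\r\n")
            return _read_reply(s) == "221"
    except OSError:          # refused, reset, or timed out waiting for a reply
        return False


# --- constructed loopback listeners for the demonstration -------------------
def _serve(handler):
    """Start a 127.0.0.1 listener that runs handler(conn) per connection;
    return the ephemeral port it was given."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def _healthy_ftpd(conn):
    """Minimal FTP-like control channel: greeting, then answer QUIT."""
    try:
        with conn:
            conn.sendall(b"220 toy FTP service ready\r\n")
            if conn.recv(64).upper().startswith(b"QUIT"):
                conn.sendall(b"221 Goodbye\r\n")
    except OSError:
        pass                 # probe closed early (a TCP probe does that)


def _wedged_daemon(conn):
    """Accepts the handshake, so a TCP probe passes, but never speaks FTP."""
    with conn:
        conn.recv(64)        # sit silent until the prober gives up


def run_demo(timeout=1.0):
    """Probe a healthy and a wedged listener with both probe types."""
    healthy = _serve(_healthy_ftpd)
    wedged = _serve(_wedged_daemon)
    return {
        "tcp_probe_healthy": tcp_probe("127.0.0.1", healthy, timeout),
        "ftp_probe_healthy": ftp_probe("127.0.0.1", healthy, timeout),
        "tcp_probe_wedged": tcp_probe("127.0.0.1", wedged, timeout),
        "ftp_probe_wedged": ftp_probe("127.0.0.1", wedged, timeout),
    }


if __name__ == "__main__":
    for name, passed in run_demo().items():
        print("%-18s %s" % (name, "PASSED" if passed else "FAILED"))
```

Run stand-alone it prints PASSED for three of the four checks and FAILED only for the FTP probe against the wedged listener, which is the case a per-application probe exists to catch: the TCP probe keeps sending traffic to a server that answers SYNs but nothing else.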