10-03-2012 11:20 PM
Hello,
Could anyone kindly help me configure a Cisco ACE 4710? I am new to load balancing, so please guide me in configuring the ACE for my scenario, which was given to me by my boss.
Note: This is just a testing phase. I need to access my one server (192.168.1.11:80) through the VIP 10.13.77.10. I have only one Cisco 2800 router, one L2 Cisco 2960 switch and a Cisco ACE 4710. I have already configured two VLANs on the switch (VLAN 10 and VLAN 100), and on the router I gave those VLANs IP addresses with inter-VLAN routing.
My connectivity is like this: Router Ethernet 0/0 (10.13.77.1/24, VLAN 10) and Router Ethernet 0/1 (192.168.1.1/24, VLAN 100) are connected to the switch. After that I configured the ACE LB and connected the ACE interfaces to the switch like this: ACE interface 2/3 (VLAN 10) to switch VLAN 10 (Ethernet ports 2-12), and
ACE interface 3/3 (VLAN 100) to switch VLAN 100 (Ethernet ports 13-24).
I am testing access to the server from switch VLAN 10 to VLAN 100, where my server is.
Configuration:
ACE> client side VLAN 10 (10.13.77.4/24), VIP: 10.13.77.10, SM: 255.255.255.255
ACE> server side VLAN 100 (192.168.1.5/24), web server: 192.168.1.11, port 80
ACE> Management VLAN 1000 (172.16.6.5/24)
ip route 0.0.0.0 0.0.0.0 10.13.77.1
I have already configured routed mode, but when a client in the VLAN 10 subnet, for example 10.13.77.12 (client or user PC), tries to access server 192.168.1.11 through the VIP http://10.13.77.10, it does not respond. If I access the server with its real IP then it is accessible (because there is inter-VLAN routing). Please guide.
Regards,
Prem
10-04-2012 05:17 AM
Are you able to post your ACE config?
What does "show conn" on the ACE give you when you try to connect?
What does "show serverfarm" give you?
Are you using probes?
We use transparent ACE load balancers, but I'll do my best.
Vlan 10 user
Vlan 100 server
a switchport in vlan 10 connected to the router on 0/0
a switchport in vlan 100 connected to the router on 0/1
a switchport in vlan 10 connected to the Ace port configured on that vlan
a switchport in vlan 100 connected to the Ace port configured on that vlan
So I understand that all IP addresses can ping all other IP addresses?
10-04-2012 08:15 AM
This config looks like it is for an ACE module in a 6500 series switch rather than a standalone device:
"interface port-channel 10
description ##ace-to-msfc##
switchport trunk allowed vlan 1000,10-100
port-channel load-balance src-dst-port"
10-04-2012 05:47 AM
Hello,
Yes, all other IP addresses are pingable except the VIP (10.13.77.10). Yes, I have already configured a probe as well as sticky.
Is any IP route required on the ACE or the router? I have given the route on the ACE (0.0.0.0 0.0.0.0 10.13.77.1) and on the router (0.0.0.0 0.0.0.0 192.168.1.5).
This part I have not configured (if required, please guide): channel-group 10 (for all interfaces) and
interface port-channel 10
description ##ace-to-msfc##
switchport trunk allowed vlan 1000,10-100
port-channel load-balance src-dst-port
Regards,
Prem
10-04-2012 08:13 AM
How many ports are connected to the ACE?
If it is just one for each VLAN, you do not need any port channel commands or load balancing commands, as the switch is not doing the load balancing.
Switch Interface connected to ACE with address 10.13.77.4
switchport mode access
switchport access vlan 10
Switch Interface connected to ACE with address 192.168.1.5
switchport mode access
switchport access vlan 100
On the ACE, are you using subinterfaces for the different VLANs? I see you are trunking between the switch and the ACE; do you need to do this?
For the ACE config, I'll need to see what you have configured already in order to help you. Just post a show run on the ACE. ACE configs require quite a lot of config, and some understanding of the Cisco Modular QoS CLI.
10-04-2012 03:36 PM
Hello Prem,
Can you paste your current configuration?
Basically you have the VIP 10.13.77.10 on VLAN 10 (10.13.77.1/24) and you need to connect to the backend server 192.168.1.11, which is under VLAN 100, correct?
Basically your ACE configuration should be like this:
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
class-map match-all slb-vip
2 match virtual-address 10.13.77.10 tcp eq http
policy-map type loadbalance http first-match slb
class class-default
serverfarm web
serverfarm host web
rserver myserver
inservice
rserver host myserver
ip address 192.168.1.11
inservice
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
interface vlan 10
description "Client Side"
ip address 10.13.77.2 255.255.255.0
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 100
description "Default gateway of real servers"
ip address 192.168.1.1 255.255.255.0
service-policy input remote-access
no shutdown
ip route 0.0.0.0 0.0.0.0 10.13.77.1
Here you have a link about it:
Hope this helps
Jorge
10-04-2012 03:43 PM
Here you have a link which might help you as well to establish the communication to the client side and server side:
Also remember to have a management policy, class, etc.
Jorge
10-04-2012 10:40 PM
Thanks, everyone.
I just want to make clear that I have only one ACE device, so I need to know whether the client should access the server through the VIP or some other IP.
Very soon I'll paste the show run output so that you know the real configuration.
One of my router's interfaces has the same IP address, 192.168.1.1, so is it OK to give the ACE a server-side interface IP?
Prem
10-04-2012 11:26 PM
Hello,
Here is my LB show run output; please check and guide.
LB/VC_web# show run
Generating configuration....
logging enable
logging timestamp
logging trap 5
access-list accesslist line 8 extended permit tcp any eq www any eq www
access-list accesslist line 16 extended permit tcp any any
probe http HTTP_probe
description Basic health check
port 80
interval 15
passdetect interval 60
request method head
expect status 200 200
open 1
rserver host web1
description web server1
ip address 192.168.1.11
inservice
rserver host web2
description web server2
ip address 192.168.1.10
inservice
serverfarm host Webserver_farm
description web server farm
failaction reassign across-interface
probe HTTP_probe
rserver web1 80
probe HTTP_probe
inservice
rserver web2 80
inservice
serverfarm redirect Webserver_farm_Redirect
description redirect traffic to https
serverfarm redirect Webserver_farm_maintanence
description send user to maintanence page
parameter-map type http cisco_avs_parametermap
case-insensitive
persistence-rebalance
sticky http-cookie ACEPSESSIONID web_persistance
cookie insert browser-expire
serverfarm Webserver_farm backup Webserver_farm_maintanence
action-list type optimization http cisco_avs_container_latency
flashforward
action-list type optimization http cisco_avs_img_latency
flashforward-object
action-list type optimization http cisco_avs_obj_latency
flashforward-object
ssl-proxy service web_ssl
key web_ecom.key
cert cisco-sample-cert
class-map match-all WEB_HTTP
2 match virtual-address 10.13.77.10 tcp eq www
class-map type http loadbalance match-all cisco_avs_container_latency
2 match http url .*
class-map type http loadbalance match-any cisco_avs_img_latency
2 match http url .*jpg
3 match http url .*jpeg
4 match http url .*jpe
5 match http url .*png
class-map type http loadbalance match-any cisco_avs_obj_latency
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
class-map type http loadbalance match-any default-compression-exclusion-mime-type
description DM generated classmap for default LB compression exclusion mime types.
2 match http url .*gif
3 match http url .*css
4 match http url .*js
5 match http url .*class
6 match http url .*jar
7 match http url .*cab
8 match http url .*txt
9 match http url .*ps
10 match http url .*vbs
11 match http url .*xsl
12 match http url .*xml
13 match http url .*pdf
14 match http url .*swf
15 match http url .*jpg
16 match http url .*jpeg
17 match http url .*jpe
18 match http url .*png
class-map type http loadbalance match-any https_redirect
2 match http url /cart/.*
class-map type management match-any mgmt-cm
2 match protocol http any
3 match protocol https any
4 match protocol icmp any
5 match protocol kalap-udp any
6 match protocol snmp any
7 match protocol ssh any
8 match protocol telnet any
9 match protocol xml-https any
class-map type http loadbalance match-any static_file_objects
2 match http url /images/.*
3 match http url /css/.*
4 match http url /js/.*
5 match http url /sry.html
policy-map type management first-match mgmt-pm
class mgmt-cm
permit
policy-map type loadbalance first-match WEB_HTTP-l7slb
class static_file_objects
serverfarm Webserver_farm
class https_redirect
serverfarm Webserver_farm_Redirect
class default-compression-exclusion-mime-type
sticky-serverfarm web_persistance
class class-default
serverfarm Webserver_farm backup Webserver_farm_maintanence
compress default-method deflate
policy-map type optimization http first-match WEB_HTTP-l7opt
class cisco_avs_obj_latency
action cisco_avs_obj_latency
class cisco_avs_img_latency
action cisco_avs_img_latency
class cisco_avs_container_latency
action cisco_avs_container_latency
policy-map multi-match int10
class WEB_HTTP
loadbalance vip inservice
loadbalance policy WEB_HTTP-l7slb
optimize http policy WEB_HTTP-l7opt
loadbalance vip icmp-reply active
appl-parameter http advanced-options cisco_avs_parametermap
interface vlan 10
description clientside
ip address 10.13.77.4 255.255.255.0
access-group input accesslist
access-group output accesslist
service-policy input int10
service-policy input mgmt-pm
no shutdown
interface vlan 100
description "server vlan"
ip address 192.168.1.5 255.255.255.0
access-group input accesslist
nat-pool 1 192.168.1.30 192.168.1.40 netmask 255.255.255.0 pat
service-policy input int10
service-policy input mgmt-pm
no shutdown
ip route 0.0.0.0 0.0.0.0 10.13.77.1
username DC password 5 $1$zTWHyTWJ$V4ebZI22AFWo42YDsTghW. role Admin domain default-domain
username cisco password 5 $1$.sDsVovB$/INwHzZS/51MjpSfQQwRI0 role Network-Monitor domain default-domain
username admin password 5 $1$iKZwA9Ca$NwUfJbOmkODdyCUYyr/BS0 role Admin domain default-domain
snmp-server community public group Network-Monitor
Thanks
Prem
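A check a reviewer might run over the running-config posted above (an added example, not part of the original posts and not Cisco tooling): it reports which VLAN interfaces carry a management policy that permits Telnet or HTTP from any source, and whether a well-known SNMP community string is configured. `SAMPLE_CONFIG` is abridged from the post; `audit` and its finding strings are names made up for this example.

```python
import re

# Abridged from the running-config posted in this thread. The page shows it
# without indentation, so the parser keys on keywords rather than nesting.
SAMPLE_CONFIG = """\
class-map type management match-any mgmt-cm
2 match protocol http any
7 match protocol ssh any
8 match protocol telnet any
policy-map type management first-match mgmt-pm
class mgmt-cm
permit
interface vlan 10
service-policy input int10
service-policy input mgmt-pm
interface vlan 100
service-policy input mgmt-pm
snmp-server community public group Network-Monitor
"""

UNENCRYPTED = {"http", "telnet"}             # management protocols sent in clear text
DEFAULT_COMMUNITIES = {"public", "private"}  # widely known SNMP community strings


def audit(config):
    """Return management-plane findings for a flattened ACE running-config."""
    classes = {}   # management class-map -> [(protocol, source), ...]
    permits = {}   # management policy-map -> class-maps it permits
    ifaces = {}    # "vlan N" -> service-policies applied inbound
    findings = []
    state = name = cls = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"class-map type management \S+ (\S+)$", line):
            state, name = "class", m[1]
            classes[name] = []
        elif m := re.match(r"policy-map type management \S+ (\S+)$", line):
            state, name, cls = "policy", m[1], None
            permits[name] = []
        elif m := re.match(r"interface (vlan \d+)$", line):
            state, name = "iface", m[1]
            ifaces[name] = []
        elif line.startswith(("class-map ", "policy-map ", "interface ")):
            state = None  # some other block type; its body is ignored
        elif state == "class" and (m := re.match(r"\d+ match protocol (\S+) (.+)$", line)):
            classes[name].append((m[1], m[2]))
        elif state == "policy" and (m := re.match(r"class (\S+)$", line)):
            cls = m[1]
        elif state == "policy" and line == "permit" and cls:
            permits[name].append(cls)
        elif state == "iface" and (m := re.match(r"service-policy input (\S+)$", line)):
            ifaces[name].append(m[1])
        elif (m := re.match(r"snmp-server community (\S+)", line)) and m[1].lower() in DEFAULT_COMMUNITIES:
            findings.append(f"snmp: default community '{m[1]}'")
    for iface, policies in ifaces.items():
        for pol in policies:
            for c in permits.get(pol, []):
                weak = sorted(p for p, src in classes.get(c, [])
                              if p in UNENCRYPTED and src == "any")
                if weak:
                    findings.append(f"{iface}: {', '.join(weak)} management "
                                    f"permitted from any source via {pol}")
    return findings
```

On the sample, `audit(SAMPLE_CONFIG)` reports the `public` community and the Telnet/HTTP permit on both `vlan 10` (the client side) and `vlan 100`.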
10-05-2012 02:07 PM
Hello Prem,
Can you upload the following outputs?
# show service-policy int10 class-map WEB_HTTP
# show service-policy int10 class-map WEB_HTTP
# show stats http
# show probe HTTP_probe
# show probe HTTP_probe detail
Jorge
10-05-2012 02:13 PM
Hello Prem,
Are you able to ping your default gateway?
Can you ping the servers from the ACE and vice versa?
Can you try to telnet to the servers from the ACE?
Could you modify your configuration to look like this to see if it works?
policy-map multi-match int10
class WEB_HTTP
loadbalance vip inservice
loadbalance policy WEB_HTTP-l7slb
loadbalance vip icmp-reply active
policy-map type loadbalance first-match WEB_HTTP-l7slb
class class-default
serverfarm Webserver_farm
serverfarm host Webserver_farm
description web server farm
rserver web1 80
inservice
rserver web2 80
inservice
Jorge
10-05-2012 11:31 PM
Hi Jorge,
I have already configured everything you advised above. I am able to ping the server IP address from the ACE and vice versa, but I am not able to telnet to the server. However, I am able to access the server (192.168.1.11) from the client (10.13.77.9). As per my requirement, I want to access the server through the VIP (10.13.77.10:80).
My connectivity:
1> Both ACE interfaces (client and server side) connect to the switch.
2> Both router FastEthernet interfaces (0/0 and 0/1) connect to the switch's separate VLANs (VLAN 10 and VLAN 100).
3> The server (192.168.1.11) connects to the switch's VLAN 100,
and the client PC (10.13.77.9) connects to the switch's VLAN 10 side.
Then I tried to access the server from the client side through the VIP.
Router (2800): FEth 0/0: 10.13.77.1 ! FEth 0/1: 192.168.1.1
Switch (2960): VLAN 10 ! VLAN 100
ACE (4710): E2: 10.13.77.4 ! E3: 192.168.1.5, ip route 0.0.0.0 0.0.0.0 10.13.77.1
Server: IP address: 192.168.1.11, SM: 255.255.255.0, Gateway: 192.168.1.1
This is my real scenario.
Thanks
Prem
10-05-2012 11:57 PM
Hello jorge,
Please find the show command output. (Can I use the same IP address for the nat-pool as the VIP, or should I use another IP address?)
LB/VC_web# show service-policy int10 class-map WEB_HTTP
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 10 100
service-policy: int10
class: WEB_HTTP
loadbalance:
L7 loadbalance policy: WEB_HTTP-l7slb
Regex dnld status : SUCCESSFUL
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP state: OUTOFSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
Parameter-map(s):
cisco_avs_parametermap
LB/VC_web# show stats http
+------------------------------------------+
+-------------- HTTP statistics -----------+
+------------------------------------------+
LB parse result msgs sent : 0 , TCP data msgs sent : 0
Inspect parse result msgs : 0 , SSL data msgs sent : 0
sent
TCP fin msgs sent : 0 , TCP rst msgs sent: : 0
Bounced fin msgs sent : 0 , Bounced rst msgs sent: : 0
SSL fin msgs sent : 0 , SSL rst msgs sent: : 0
Drain msgs sent : 0 , Particles read : 0
Reuse msgs sent : 0 , HTTP requests : 0
Reproxied requests : 0 , Headers removed : 0
Headers inserted : 0 , HTTP redirects : 0
HTTP chunks : 0 , Pipelined requests : 0
HTTP unproxy conns : 0 , Pipeline flushes : 0
Whitespace appends : 0 , Second pass parsing : 0
Response entries recycled : 0 , Analysis errors : 0
Header insert errors : 0 , Max parselen errors : 0
Static parse errors : 0 , Resource errors : 0
Invalid path errors : 0 , Bad HTTP version errors : 0
Headers rewritten : 0 , Header rewrite errors : 0
SSL headers inserted : 0 , SSL header insert errors : 0
SSL spoof headers deleted : 0 , Unproxy msgs sent : 0
LB/VC_web#
LB/VC_web#
LB/VC_web#
LB/VC_web# show probe HTTP_probe
probe : HTTP_probe
type : HTTP
state : ACTIVE
----------------------------------------------
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : web1[80]
serverfarm: Webserver_farm
192.168.1.11 80 PROBE 9 9 0 FAILED
serverfarm : Webserver_farm
real : web1[80]
192.168.1.11 80 PROBE 9 9 0 FAILED
real : web2[80]
192.168.1.10 80 PROBE 9 9 0 FAILED
LB/VC_web# show probe HTTP_probe detail
probe : HTTP_probe
type : HTTP
state : ACTIVE
description : Basic health check
----------------------------------------------
port : 80 address : 0.0.0.0 addr type : -
interval : 15 pass intvl : 60 pass count : 3
fail count: 3 recv timeout: 10
http method : HEAD
http url : /
conn termination : GRACEFUL
expect offset : 0 , open timeout : 1
expect regex : -
send data : -
------------------ probe results ------------------
associations ip-address port porttype probes failed passed health
------------ ---------------+-----+--------+--------+--------+--------+------
real : web1[80]
serverfarm: Webserver_farm
192.168.1.11 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last probe time : Fri Oct 5 22:50:45 2012
Last fail time : Fri Oct 5 22:43:30 2012
Last active time : Never
serverfarm : Webserver_farm
real : web1[80]
192.168.1.11 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last probe time : Fri Oct 5 22:50:45 2012
Last fail time : Fri Oct 5 22:43:30 2012
Last active time : Never
real : web2[80]
192.168.1.10 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Passed states : 0 No. Failed states : 1
No. Probes skipped : 0 Last status code : 0
No. Out of Sockets : 0 No. Internal error: 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last probe time : Fri Oct 5 22:50:42 2012
Last fail time : Fri Oct 5 22:43:27 2012
Last active time : Never
Regards,
Prem
10-08-2012 05:46 AM
Hello Prem,
Please notice that your VIP shows "VIP state: OUTOFSERVICE", so this won't work: as shown in the probe details, those servers cannot communicate properly with the ACE (Last disconnect err : Connect error (Network or Host is unreachable)).
Could you remove the probe from the configuration and test it just to make sure? It looks like a connectivity issue on your backend side (server side).
Hope this helps.
Jorge
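The reading of the probe output described in the reply above, written as a small parser (an added example, not part of the original posts): it merges the repeated listings of a real server in `show probe ... detail` output, records whether each failure happened at TCP connect, and says whether the serverfarm has any real left that is not FAILED. `SAMPLE_OUTPUT` is abridged from the output posted in this thread; the function names and the `tcp-connect`/`other` labels are this example's own.

```python
import re

# Constructed sample: abridged from the "show probe HTTP_probe detail" output
# posted earlier in this thread (web1 is listed twice there, as it is here).
SAMPLE_OUTPUT = """\
real : web1[80]
serverfarm: Webserver_farm
192.168.1.11 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Probes skipped : 0 Last status code : 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last active time : Never
serverfarm : Webserver_farm
real : web1[80]
192.168.1.11 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Probes skipped : 0 Last status code : 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last active time : Never
real : web2[80]
192.168.1.10 80 PROBE 10 10 0 FAILED
Socket state : CLOSED
No. Probes skipped : 0 Last status code : 0
Last disconnect err : Connect error (Network or Host is unreachable)
Last active time : Never
"""

ROW = re.compile(r"(\d+(?:\.\d+){3}) (\d+) \S+ (\d+) (\d+) (\d+) (\w+)$")
FIELD = re.compile(r"(Last status code|Last disconnect err|Last active time)\s*:\s*(.+)$")


def parse_probe_detail(text):
    """Return {(real, ip, port): fields}, merging repeated listings of one real."""
    reals, real, cur = {}, None, None
    for line in (" ".join(l.split()) for l in text.splitlines()):
        if m := re.match(r"real : (\S+)\[\d+\]$", line):
            real, cur = m[1], None
        elif real and (m := ROW.match(line)):
            cur = reals.setdefault((real, m[1], int(m[2])), {})
            cur.update(probes=int(m[3]), failed=int(m[4]), passed=int(m[5]), health=m[6])
        elif cur is not None and (m := FIELD.search(line)):
            cur[m[1]] = m[2]
    return reals


def triage(reals):
    """Map each FAILED real to (address, failure stage, never_active)."""
    report = {}
    for (real, ip, port), f in reals.items():
        if f["health"] != "FAILED":
            continue
        if "Connect error" in f.get("Last disconnect err", ""):
            stage = "tcp-connect"  # no TCP session, so no HTTP status was ever received
        else:
            stage = "other"        # any other failure reason; not classified here
        report[real] = (f"{ip}:{port}", stage, f.get("Last active time") == "Never")
    return report


def farm_has_usable_real(reals):
    """True if at least one parsed real is not in FAILED health."""
    return any(f["health"] != "FAILED" for f in reals.values())
```

For the sample, both reals come back as `tcp-connect` failures that have never been active, which points at reachability of port 80 from the ACE rather than at the `expect status 200 200` setting.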
10-11-2012 02:16 AM
Hi Jorge,
I configured routed mode but had no success, so I then tried bridge mode, and the VIP now responds successfully for the servers. But when I configure a probe and put it in the serverfarm, I can no longer access the servers through the VIP, and ping gets no reply either. For checking purposes, when I removed the probe from the serverfarm, the VIP responded and worked fine. So kindly advise how to configure the probe. Please find the show run output.
LB/Admin# sh run
Generating configuration....
no ft auto-sync startup-config
resource-class RC1
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A4_2_0.bin
hostname LB
interface gigabitEthernet 1/1
description Management
speed 1000M
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
description clientside
switchport access vlan 30
no shutdown
interface gigabitEthernet 1/3
description serverside
switchport access vlan 31
no shutdown
interface gigabitEthernet 1/4
no shutdown
context Admin
description Management
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
probe http probe1
description health check
interval 5
passdetect interval 10
request method head
expect status 200 200
open 1
rserver redirect https_redirect
description redirect traffic to https
inservice
rserver redirect maintenance_page
description maintenance page displayed
webhost-redirection /sry.html 301
inservice
rserver host web1
ip address 10.13.77.11
inservice
rserver host web2
ip address 10.13.77.12
inservice
serverfarm host http
probe probe1
rserver web1
inservice
rserver web2
inservice
sticky http-cookie Cookie1 StickyGroup1
serverfarm http
--More--
class-map match-all REMOTE-ACCESS
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
class-map match-all slb-vip
2 match virtual-address 10.13.77.50 tcp eq www
policy-map type management first-match remote_access
class class-default
permit
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm http
policy-map type inspect http all-match slb-vip-http
class class-default
permit
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply active
inspect http policy slb-vip-http
interface vlan 30
description "Client Side"
bridge-group 3
access-group input everyone
service-policy input client-vips
no shutdown
interface vlan 31
description "Server Side"
bridge-group 3
service-policy input remote_access
no shutdown
interface vlan 1000
description managment
ip address 172.29.91.110 255.255.255.0
service-policy input remote_mgmt_allow_policy
no shutdown
interface bvi 3
ip address 10.13.77.5 255.255.255.0
description "client - server bridge group"
no shutdown
ip route 0.0.0.0 0.0.0.0 10.13.77.1
snmp-server contact "PHQ"
snmp-server community phq group Network-Monitor
snmp-server trap-source vlan 1000
username admin password 5 $1$y/CIGMQG$k9VUUNcldd0eVRS5eP9EM0 role Admin domain default-domain
username www password 5 $1$.GuWwQEK$r8Ub4OcE3l190d5GA4kvR. role Admin domain default-domain
username prem password 5 $1$4xFbsJYt$H5xb00uJYVRB9PXR6jY/b. role Admin domain default-domain
ssh key rsa 1024 force