11-01-2010 01:06 PM - edited 08-28-2017 10:22 PM
The purpose of this document is to explain how to configure ACE for TFTP load-balancing. Load-balancing TFTP can be tricky because the TFTP server opens a random UDP port to send data from. Because of this we need a catch-all VIP to source-NAT the new connection in the opposite direction. For more info please refer to RFC 1350. TFTP uses two flows and we don't have a TFTP inspect/fixup available in ACE. See the steps below to understand the issue.
1) The client initiates the session with a UDP flow to port 69 from a random source port, let's say X.
2) The server replies with data, opening a new UDP flow towards the client. The server's source port is random, while the destination port for this response is X.
3) ACE has no knowledge of the relation between the two TFTP flows (no TFTP fixup/inspect), hence the client receives the TFTP response from the real server directly. Since the response is not from the VIP (where the client sent the request), the client will drop the response.
Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP uploads and downloads, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values.
Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it.
Here is a sample config. The part specific to the TFTP scenario is the FROM-TFTP-REAL class-map, the SERVER-VLAN-VIPS policy-map and nat-pool 100 on the client VLAN: this is the config that NATs all UDP connections originated from the servers and sets the VIP address as the source. The rest is classical L4 load-balancing on ACE.
// access-list to catch all traffic
access-list ANYONE line 10 extended permit ip any any
probe icmp PING
// define the tftp servers
rserver host tftp-server1
  ip address 10.10.10.101
  inservice
rserver host tftp-server2
  ip address 10.10.10.102
  inservice
// allocate tftp servers to serverfarm
serverfarm host TFTP-SFARM
  probe PING
  rserver tftp-server1
    inservice
  rserver tftp-server2
    inservice
// create class map to match traffic to tftp server VIP
class-map match-any TO-TFTP-VIP
  description class-map for client to TFTP VIP traffic
  match virtual-address 192.168.0.100 udp eq 69
// create class map to match all return traffic from tftp server
class-map match-any FROM-TFTP-REAL
  description class-map from tftp server to client
  match virtual-address 0.0.0.0 0.0.0.0 udp any
policy-map type loadbalance first-match TFTP-POLICY
  class class-default
    serverfarm TFTP-SFARM
// create policy map to define action for traffic to the tftp server
policy-map multi-match CLIENT-VLAN-VIPS
  class TO-TFTP-VIP
    loadbalance vip inservice
    loadbalance policy TFTP-POLICY
    loadbalance vip icmp-reply active
// create policy map to define action for return traffic from tftp server
policy-map multi-match SERVER-VLAN-VIPS
  class FROM-TFTP-REAL
    nat dynamic 100 vlan 20
// define the client side and server side vlans
interface vlan 20
  description CLIENT-VLAN
  ip address 192.168.0.1 255.255.255.0
  access-group input ANYONE
  access-group output ANYONE
  nat-pool 100 192.168.0.100 192.168.0.100 netmask 255.255.255.255
  service-policy input CLIENT-VLAN-VIPS
  no shutdown
interface vlan 30
  description SERVER-VLAN
  ip address 10.10.10.254 255.255.255.0
  access-group input ANYONE
  access-group output ANYONE
  service-policy input SERVER-VLAN-VIPS
  no shutdown
The SERVER-VLAN-VIPS service-policy will NAT all UDP connections from this VLAN to the VIP. If this needs to be done only for certain source IPs, a more creative FROM-TFTP-REAL class-map needs to be configured.
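As an added illustration (not part of the original document and not ACE code), the following Python model replays the three steps described above through a toy load balancer, first without and then with the server-VLAN source NAT from the sample config, and also shows the caveat just mentioned: with the catch-all FROM-TFTP-REAL class every server-originated UDP flow is rewritten to the VIP, while a class restricted to the TFTP server IPs leaves other flows alone. The client address, the ports and the extra syslog sender are constructed values.

```python
from dataclasses import dataclass

VIP = "192.168.0.100"                     # VIP from the sample config
REALS = ["10.10.10.101", "10.10.10.102"]  # tftp-server1 / tftp-server2

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str

class Ace:
    """Toy L4 UDP balancer, not ACE code: client->VIP:69 goes to a real; server-
    originated UDP is source-NATed to the VIP like 'nat dynamic 100 vlan 20'."""
    def __init__(self, nat_server_flows, nat_only_from=None):
        self.nat_server_flows = nat_server_flows
        self.nat_only_from = nat_only_from  # None models the 0.0.0.0/0 catch-all
        self.rr = 0

    def client_to_server(self, pkt):
        # Step 1: the request matches TO-TFTP-VIP and is round-robined to a real.
        assert (pkt.dst, pkt.dport) == (VIP, 69)
        real = REALS[self.rr % len(REALS)]
        self.rr += 1
        return Packet(pkt.src, pkt.sport, real, 69, pkt.payload)

    def server_to_client(self, pkt):
        # Steps 2-3: a brand-new flow from the server; with no TFTP fixup the
        # only way it leaves with the VIP as source is the server-VLAN NAT.
        nat = self.nat_server_flows and (
            self.nat_only_from is None or pkt.src in self.nat_only_from)
        return Packet(VIP, pkt.sport, pkt.dst, pkt.dport, pkt.payload) if nat else pkt

def tftp_exchange(ace, client="192.168.0.50", cport=40001, server_tid=50123):
    """RRQ to VIP:69 and the first DATA block back (addresses/ports constructed).
    Returns (accepted, reply_src): the client only accepts a reply from the VIP."""
    rrq = Packet(client, cport, VIP, 69, "RRQ boot.cfg octet")
    fwd = ace.client_to_server(rrq)
    data = Packet(fwd.dst, server_tid, fwd.src, fwd.sport, "DATA block 1")
    back = ace.server_to_client(data)
    return (back.src == VIP and back.dport == cport), back.src

def other_udp_flow(ace, src="10.10.10.150"):
    """Caveat from the text: any other server-originated UDP flow (a constructed
    syslog sender here) also hits the catch-all class and leaves with the VIP
    as source unless the class-map is narrowed to the TFTP server IPs."""
    return ace.server_to_client(Packet(src, 514, "192.168.0.200", 514, "syslog")).src
```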
shouldn't "loadbalance policy APP1-POLICY" be "loadbalance policy TFTP-POLICY" ?
Good catch, thanks! The error occurred while I was changing policy names to something meaningful...
It should be correct now.
Hi,
Could you please elaborate how to configure this when there are a lot of real servers/server farms/VIPs and only those mentioned in this example should load-balance TFTP.
Regards
Dennis
Hello,
I am not sure I understand your question. The TFTP VIP on the front end is defined with IP address and with UDP port 69, like any other VIP. This works in the usual way as any other VIP.
The problem with TFTP is when the server opens a new UDP connection. Those connections need to be NATed to the VIP address and this document shows how to do it. If the only application that needs to open UDP connections from inside is TFTP then you can leave it as is. However, if there are some other UDP connections that need to be initiated from the server they will be NATed to the VIP address. If this is a problem then you need to change the FROM-TFTP-REAL class-map so it refers only to the TFTP server IPs.
I hope this clarifies the idea.
Ivan
Hi Ivan,
I append our config to let you review it. We don't seem to be able to get a connection through the ACE. The addition to your config is that we do source-NAT on the incoming connections. Hope you can help.
probe udp TFTP
  port 69
  interval 5
  passdetect interval 5
  receive 5
rserver host RADINLB-SITE1
  ip address 10.102.8.29
  inservice
rserver host RADINLB-SITE2
  ip address 10.102.8.30
  inservice
rserver host RADINLB-SITE3
  ip address 10.102.8.31
  inservice
rserver host RADINLB-SITE4
  ip address 10.102.8.32
  inservice
rserver host RADINLB-SITE5
  ip address 10.102.8.33
  inservice
serverfarm host RADINLB-TFTP
  probe TFTP
  rserver RADINLB-SITE1 69
    inservice
  rserver RADINLB-SITE2 69
    inservice
  rserver RADINLB-SITE3 69
    inservice
  rserver RADINLB-SITE4 69
    inservice
  rserver RADINLB-SITE5 69
    inservice
sticky ip-netmask 255.255.255.255 address source RADINLB-TFTP
  timeout 60
  replicate sticky
class-map match-any CLIENT-TRAFFIC
  description source-NAT client
  4 match destination-address 10.102.0.4 255.255.255.255
  5 match destination-address 10.102.0.5 255.255.255.255
  6 match destination-address 10.102.0.6 255.255.255.255
  7 match destination-address 10.102.0.7 255.255.255.255
  8 match destination-address 10.102.0.8 255.255.255.255
  9 match destination-address 10.102.0.9 255.255.255.255
  10 match destination-address 10.102.0.10 255.255.255.255
  11 match destination-address 10.102.0.11 255.255.255.255
  12 match destination-address 10.102.0.12 255.255.255.255
  13 match destination-address 10.102.0.13 255.255.255.255
  14 match destination-address 10.102.0.14 255.255.255.255
  15 match destination-address 10.102.0.15 255.255.255.255
  16 match destination-address 10.102.0.16 255.255.255.255
  17 match destination-address 10.102.0.17 255.255.255.255
  18 match destination-address 10.102.0.18 255.255.255.255
  19 match destination-address 10.102.0.19 255.255.255.255
  20 match destination-address 10.102.0.20 255.255.255.255
  21 match destination-address 10.102.0.21 255.255.255.255
class-map match-any FROM-TFTP-REAL
  description class-map from tftp server to client
  2 match virtual-address 0.0.0.0 0.0.0.0 udp any
class-map match-all RADINLB-TFTP
  2 match virtual-address 10.102.0.18 udp eq 69
policy-map type loadbalance first-match RADINLB-TFTP
  class class-default
    sticky-serverfarm RADINLB-TFTP
policy-map multi-match CLIENT-VIPS
  class RADINLB-TFTP
    loadbalance vip inservice
    loadbalance policy RADINLB-TFTP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM
policy-map multi-match NAT-CLIENTS
  class CLIENT-TRAFFIC
    nat dynamic 1 vlan 100
policy-map multi-match SERVER-VIPS
  class FROM-TFTP-REAL
    nat dynamic 2 vlan 10
interface vlan 10
  description op_pr_vip_lb
  ip address 10.102.0.1 255.255.255.0
  alias 10.102.0.3 255.255.255.0
  peer ip address 10.102.0.2 255.255.255.0
  access-group input anyone
  nat-pool 2 10.102.0.18 10.102.0.18 netmask 255.255.255.255
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  service-policy input NAT-CLIENTS
  no shutdown
interface vlan 100
  description op_pr_data_lb_srv
  ip address 10.102.8.252 255.255.255.0
  alias 10.102.8.254 255.255.255.0
  peer ip address 10.102.8.253 255.255.255.0
  access-group input anyone
  nat-pool 1 10.102.15.1 10.102.15.1 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS-INSIDE
  service-policy input SERVER-VIPS
  no shutdown
The only thing I see in the connection table is on the server-vlan:
lb-cdc01-stt/PROD1# sh conn | i UDP
127327 1 in UDP 100 10.102.8.252:62922 10.102.8.31:69 --
82451 1 out UDP 100 10.102.8.31:69 10.102.8.252:62922 --
175861 1 in UDP 100 10.102.8.33:51106 10.102.8.252:62921 --
226828 1 out UDP 100 10.102.8.252:62921 10.102.8.33:51106 --
778728 2 in UDP 100 10.102.8.252:62920 10.102.8.29:69 --
906746 2 out UDP 100 10.102.8.29:69 10.102.8.252:62920 --
1200654 3 in UDP 100 10.102.8.252:62921 10.102.8.33:69 --
1240634 3 out UDP 100 10.102.8.33:69 10.102.8.252:62921 --
1232464 3 in UDP 100 10.102.8.30:55491 10.102.8.252:62923 --
1248321 3 out UDP 100 10.102.8.252:62923 10.102.8.30:55491 --
1272611 3 in UDP 100 10.102.8.29:62303 10.102.8.252:62920 --
1232908 3 out UDP 100 10.102.8.252:62920 10.102.8.29:62303 --
1261618 3 in UDP 100 10.102.8.31:58809 10.102.8.252:62922 --
1261190 3 out UDP 100 10.102.8.252:62922 10.102.8.31:58809 --
643974 4 in UDP 100 10.102.8.252:62923 10.102.8.30:69 --
604642 4 out UDP 100 10.102.8.30:69 10.102.8.252:62923 --
lb-cdc01-stt/PROD1# sh service-policy CLIENT-VIPS class-map RADINLB-TFTP det
Status : ACTIVE
Description: -----------------------------------------
Interface: vlan 10
service-policy: CLIENT-VIPS
class: RADINLB-TFTP
VIP Address: Protocol: Port:
10.102.0.18 udp eq 69
loadbalance:
L7 loadbalance policy: RADINLB-TFTP
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
VIP DWS state: DWS_DISABLED
Persistence Rebalance: ENABLED
curr conns : 0 , hit count : 535
dropped conns : 0
conns per second : 0
client pkt count : 535 , client byte count: 39295
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
L7 Loadbalance policy : RADINLB-TFTP
class/match : class-default
LB action: :
sticky group: RADINLB-TFTP
primary serverfarm: RADINLB-TFTP
state:UP
backup serverfarm : -
hit count : 535
dropped conns : 0
compression : off
compression:
bytes_in : 0 bytes_out : 0
Compression ratio : 0.00%
Gzip: 0 Deflate: 0
compression errors:
User-Agent : 0 Accept-Encoding : 0
Content size: 0 Content type : 0
Not HTTP 1.1: 0 HTTP response error: 0
Others : 0
Parameter-map(s):
CASE_PARAM
lb-cdc01-stt/PROD1#
There is one error in your config. You should add the last line below (serverfarm RADINLB-TFTP) to the sticky group:
sticky ip-netmask 255.255.255.255 address source RADINLB-TFTP
  timeout 60
  replicate sticky
  serverfarm RADINLB-TFTP