Ivan Kovacevic
Cisco Employee
Introduction

The purpose of this document is to explain how to configure ACE for TFTP load-balancing. Load-balancing TFTP can be tricky because the TFTP server opens a random UDP port to send its data from. Because of this we need a catch-all VIP to source-NAT the new connection in the opposite direction. For more information please refer to RFC 1350. TFTP uses two flows and there is no TFTP inspect/fixup available in ACE. See the steps below to understand the issue.

 

1) The client initiates the session with a UDP flow to port 69, from a random source port, let's say X.

2) The server replies with data, opening a new UDP flow towards the client. The server's source port is random, while the destination port for this response is X.

3) ACE has no knowledge of the TFTP flows (lack of TFTP fixup/inspect), so the client receives the TFTP response directly from the real server. Since the response is not from the VIP (where the client sent the request), the client drops the response.
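The three steps above, played out in code. This is an added toy model written for this article, not ACE code: it reuses the VIP and real-server addresses of the sample configuration further down, while the client address (172.16.0.10), the ports (40000, 51106) and the file name are made up. Run without the return-path NAT, the DATA packet arrives from the real server's IP and the client drops it (step 3); with the NAT enabled, the client sees the VIP, learns the server's new transfer ID and its ACK to VIP:TID is translated back to the real server.

```python
"""Toy model of the TFTP two-flow problem behind an L4 load balancer.

Constructed example; VIP and real servers mirror the sample configuration,
the client address, ports and file name are made up.
"""
import struct
from dataclasses import dataclass

OP_RRQ, OP_DATA, OP_ACK = 1, 3, 4            # RFC 1350 opcodes
VIP = "192.168.0.100"                        # front-end VIP from the sample config
REAL_SERVERS = ["10.10.10.101", "10.10.10.102"]
CLIENT_IP = "172.16.0.10"                    # constructed client address


@dataclass
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RRQ: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    """DATA: opcode 3, 16-bit block number, up to 512 bytes of data."""
    return struct.pack("!HH", OP_DATA, block) + payload


def opcode(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[:2])[0]


class LoadBalancer:
    """Only the two behaviours this article relies on: DNAT of VIP:69 to a real
    server, and (optionally) source NAT of server-initiated UDP flows to the VIP,
    i.e. what the FROM-TFTP-REAL class-map plus nat dynamic achieve."""

    def __init__(self, nat_server_flows: bool):
        self.nat_server_flows = nat_server_flows
        self.next_server = 0
        self.xlate = {}   # VIP-side port -> (real_ip, real_port) of a NATed server flow

    def client_to_server(self, d: Datagram):
        if d.dst_ip == VIP and d.dst_port == 69:          # like class-map TO-TFTP-VIP
            real = REAL_SERVERS[self.next_server % len(REAL_SERVERS)]
            self.next_server += 1
            return Datagram(d.src_ip, d.src_port, real, 69, d.payload)
        if d.dst_ip == VIP and d.dst_port in self.xlate:  # reverse of the server-flow NAT
            real_ip, real_port = self.xlate[d.dst_port]
            return Datagram(d.src_ip, d.src_port, real_ip, real_port, d.payload)
        return None                                        # no VIP matches: dropped

    def server_to_client(self, d: Datagram) -> Datagram:
        if not self.nat_server_flows:
            return d                 # routed untouched: client sees the real server's IP
        # Simplification: the port is preserved; a real appliance allocates it from the pool.
        self.xlate[d.src_port] = (d.src_ip, d.src_port)
        return Datagram(VIP, d.src_port, d.dst_ip, d.dst_port, d.payload)


class Client:
    def __init__(self):
        self.port = 40000         # the "random port X" of step 1
        self.server_tid = None
        self.blocks = []

    def request(self, filename: str) -> Datagram:
        return Datagram(CLIENT_IP, self.port, VIP, 69, build_rrq(filename))

    def receive(self, d: Datagram) -> bool:
        # Accept data only from the host the request went to, on our port X.
        if d.src_ip != VIP or d.dst_port != self.port or opcode(d.payload) != OP_DATA:
            return False
        self.server_tid = d.src_port   # learn the server's transfer ID (RFC 1350)
        self.blocks.append(d.payload[4:])
        return True


def server_handle(d: Datagram, ephemeral_port: int):
    """Step 2: the server answers from a new socket, i.e. a random source port."""
    if opcode(d.payload) != OP_RRQ:
        return None
    return Datagram(d.dst_ip, ephemeral_port, d.src_ip, d.src_port, build_data(1, b"boot"))


def run_transfer(nat_server_flows: bool) -> dict:
    lb, client = LoadBalancer(nat_server_flows), Client()
    fwd = lb.client_to_server(client.request("boot.cfg"))
    reply = lb.server_to_client(server_handle(fwd, ephemeral_port=51106))
    result = {"real_server": fwd.dst_ip, "reply_src": reply.src_ip,
              "accepted": client.receive(reply), "ack_reaches_server": False}
    if result["accepted"]:
        ack = Datagram(CLIENT_IP, client.port, VIP, client.server_tid,
                       struct.pack("!HH", OP_ACK, 1))
        back = lb.client_to_server(ack)
        result["ack_reaches_server"] = back is not None and back.dst_port == 51106
    return result


if __name__ == "__main__":
    print("without return NAT:", run_transfer(False))
    print("with return NAT:   ", run_transfer(True))
```

The model deliberately ignores everything else ACE does (probes, sticky, ICMP reply); the point is that the return NAT entry created for the server's new flow is also what lets the client's ACKs, addressed to VIP:TID, find their way back to the same real server.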

 

Real Server and Server Farm

Real servers are dedicated physical servers that you typically configure in groups called server farms. These servers provide services to clients, such as HTTP or XML content, streaming media (video or audio), TFTP or FTP uploads and downloads, and so on. You identify real servers with names and characterize them with IP addresses, connection limits, and weight values.
Server farms are groups of networked real servers that contain the same content and that typically reside in the same physical location in a data center. Web sites often comprise groups of servers configured in a server farm. Load-balancing software distributes client requests for content or services among the real servers based on the configured policy and traffic classification, server availability and load, and other factors. If one server goes down, another server can take its place and continue to provide the same content to the clients who requested it.

 

Configuration

Here is a sample config. The part specific to the TFTP scenario (highlighted in the original) is the FROM-TFTP-REAL class-map, the SERVER-VLAN-VIPS policy-map and the nat-pool on the client VLAN: together they NAT all UDP connections originated from the servers and set the VIP address as the source. The rest is classical L4 load-balancing on ACE.

 

// access-list to catch all traffic
access-list ANYONE line 10 extended permit ip any any

probe icmp PING

// define the tftp servers
rserver host tftp-server1
   ip address 10.10.10.101
   inservice

rserver host tftp-server2
   ip address 10.10.10.102
   inservice

// allocate tftp servers to serverfarm
serverfarm host TFTP-SFARM
   probe PING
   rserver tftp-server1
    inservice
   rserver tftp-server2
    inservice

// create class map to match traffic to tftp server VIP
class-map match-any TO-TFTP-VIP
   description class-map for client to TFTP VIP traffic
   match virtual-address 192.168.0.100 udp eq 69

// create class map to match all return traffic from tftp server (any destination, any UDP port)
class-map match-any FROM-TFTP-REAL
   description class-map from tftp server to client
   match virtual-address 0.0.0.0 0.0.0.0 udp any

// create load-balancing policy that sends matched traffic to the serverfarm
policy-map type loadbalance first-match TFTP-POLICY
   class class-default
    serverfarm TFTP-SFARM

// create policy map to define action for traffic to the tftp server
policy-map multi-match CLIENT-VLAN-VIPS
   class TO-TFTP-VIP
    loadbalance vip inservice
    loadbalance policy TFTP-POLICY
    loadbalance vip icmp-reply active

// create policy map to define action for return traffic from tftp server
policy-map multi-match SERVER-VLAN-VIPS
   class FROM-TFTP-REAL
    nat dynamic 100 vlan 20

// define the client side and server side vlans
interface vlan 20
   description CLIENT-VLAN
   ip address 192.168.0.1 255.255.255.0
   access-group input ANYONE
   access-group output ANYONE
   nat-pool 100 192.168.0.100 192.168.0.100 netmask 255.255.255.255
   service-policy input CLIENT-VLAN-VIPS
   no shutdown

interface vlan 30
   description SERVER-VLAN
   ip address 10.10.10.254 255.255.255.0
   access-group input ANYONE
   access-group output ANYONE
   service-policy input SERVER-VLAN-VIPS
   no shutdown

 

 

The SERVER-VLAN-VIPS service-policy will NAT all UDP connections from this VLAN to the VIP. If this needs to be done only for certain source IPs, a more creative FROM-TFTP-REAL class-map needs to be configured.

 

Related Information

ACE Loadbalancing-TFTP server

ACE in HA Mode for FTP Traffic Loadbalancing

Server Load-Balancing Guide vA4(2.0)

Comments
fleischerj
Community Member

shouldn't "loadbalance policy APP1-POLICY" be "loadbalance policy TFTP-POLICY" ?

Ivan Kovacevic
Cisco Employee

Good catch, thanks! The error occurred while I was changing policy names to something meaningful...

It should be correct now.

dsimonse
Level 1

Hi,

Could you please elaborate how to configure this when there are a lot of real servers/serverfarms/VIPs and only the ones mentioned in this example should load-balance TFTP.

Regards

Dennis

Ivan Kovacevic
Cisco Employee

Hello,

I am not sure I understand your question. The TFTP VIP on the front end is defined with an IP address and UDP port 69, like any other VIP. This works in the usual way, as any other VIP.

The problem with TFTP is when the server opens a new UDP connection. Those connections need to be NATed to the VIP address and this document shows how to do it. If the only application that needs to open UDP connections from inside is TFTP then you can leave it as is. However, if there are some other UDP connections that need to be initiated from the server they will be NATed to the VIP address too. If this is a problem then you need to change the FROM-TFTP-REAL class-map so it refers only to the TFTP server IPs.

I hope this clarifies the idea.

Ivan

dsimonse
Level 1

Hi Ivan,

I am appending our config so you can review it. We don't seem to be able to get a connection through the ACE. The addition to your config is that we do source-NAT on the incoming connections. Hope you can help.

probe udp TFTP
  port 69
  interval 5
  passdetect interval 5
  receive 5

rserver host RADINLB-SITE1
  ip address 10.102.8.29
  inservice
rserver host RADINLB-SITE2
  ip address 10.102.8.30
  inservice
rserver host RADINLB-SITE3
  ip address 10.102.8.31
  inservice
rserver host RADINLB-SITE4
  ip address 10.102.8.32
  inservice
rserver host RADINLB-SITE5
  ip address 10.102.8.33
  inservice

serverfarm host RADINLB-TFTP
  probe TFTP
  rserver RADINLB-SITE1 69
    inservice
  rserver RADINLB-SITE2 69
    inservice
  rserver RADINLB-SITE3 69
    inservice
  rserver RADINLB-SITE4 69
    inservice
  rserver RADINLB-SITE5 69
    inservice

sticky ip-netmask 255.255.255.255 address source RADINLB-TFTP
  timeout 60
  replicate sticky

class-map match-any CLIENT-TRAFFIC
  description source-NAT client
  4 match destination-address 10.102.0.4 255.255.255.255
  5 match destination-address 10.102.0.5 255.255.255.255
  6 match destination-address 10.102.0.6 255.255.255.255
  7 match destination-address 10.102.0.7 255.255.255.255
  8 match destination-address 10.102.0.8 255.255.255.255
  9 match destination-address 10.102.0.9 255.255.255.255
  10 match destination-address 10.102.0.10 255.255.255.255
  11 match destination-address 10.102.0.11 255.255.255.255
  12 match destination-address 10.102.0.12 255.255.255.255
  13 match destination-address 10.102.0.13 255.255.255.255
  14 match destination-address 10.102.0.14 255.255.255.255
  15 match destination-address 10.102.0.15 255.255.255.255
  16 match destination-address 10.102.0.16 255.255.255.255
  17 match destination-address 10.102.0.17 255.255.255.255
  18 match destination-address 10.102.0.18 255.255.255.255
  19 match destination-address 10.102.0.19 255.255.255.255
  20 match destination-address 10.102.0.20 255.255.255.255
  21 match destination-address 10.102.0.21 255.255.255.255

class-map match-any FROM-TFTP-REAL
  description class-map from tftp server to client
  2 match virtual-address 0.0.0.0 0.0.0.0 udp any

class-map match-all RADINLB-TFTP
  2 match virtual-address 10.102.0.18 udp eq 69

policy-map type loadbalance first-match RADINLB-TFTP
  class class-default
    sticky-serverfarm RADINLB-TFTP

policy-map multi-match CLIENT-VIPS
  class RADINLB-TFTP
    loadbalance vip inservice
    loadbalance policy RADINLB-TFTP
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options CASE_PARAM

policy-map multi-match NAT-CLIENTS
  class CLIENT-TRAFFIC
    nat dynamic 1 vlan 100

policy-map multi-match SERVER-VIPS
  class FROM-TFTP-REAL
    nat dynamic 2 vlan 10

interface vlan 10
  description op_pr_vip_lb
  ip address 10.102.0.1 255.255.255.0
  alias 10.102.0.3 255.255.255.0
  peer ip address 10.102.0.2 255.255.255.0
  access-group input anyone
  nat-pool 2 10.102.0.18 10.102.0.18 netmask 255.255.255.255
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS
  service-policy input NAT-CLIENTS
  no shutdown

interface vlan 100
  description op_pr_data_lb_srv
  ip address 10.102.8.252 255.255.255.0
  alias 10.102.8.254 255.255.255.0
  peer ip address 10.102.8.253 255.255.255.0
  access-group input anyone
  nat-pool 1 10.102.15.1 10.102.15.1 netmask 255.255.255.0 pat
  service-policy input remote-mgmt
  service-policy input CLIENT-VIPS-INSIDE
  service-policy input SERVER-VIPS
  no shutdown

dsimonse
Level 1

The only thing I see in the connection table is on the server-vlan:

lb-cdc01-stt/PROD1# sh conn | i UDP
127327     1  in  UDP   100  10.102.8.252:62922    10.102.8.31:69        --
82451      1  out UDP   100  10.102.8.31:69        10.102.8.252:62922    --
175861     1  in  UDP   100  10.102.8.33:51106     10.102.8.252:62921    --
226828     1  out UDP   100  10.102.8.252:62921    10.102.8.33:51106     --
778728     2  in  UDP   100  10.102.8.252:62920    10.102.8.29:69        --
906746     2  out UDP   100  10.102.8.29:69        10.102.8.252:62920    --
1200654    3  in  UDP   100  10.102.8.252:62921    10.102.8.33:69        --
1240634    3  out UDP   100  10.102.8.33:69        10.102.8.252:62921    --
1232464    3  in  UDP   100  10.102.8.30:55491     10.102.8.252:62923    --
1248321    3  out UDP   100  10.102.8.252:62923    10.102.8.30:55491     --
1272611    3  in  UDP   100  10.102.8.29:62303     10.102.8.252:62920    --
1232908    3  out UDP   100  10.102.8.252:62920    10.102.8.29:62303     --
1261618    3  in  UDP   100  10.102.8.31:58809     10.102.8.252:62922    --
1261190    3  out UDP   100  10.102.8.252:62922    10.102.8.31:58809     --
643974     4  in  UDP   100  10.102.8.252:62923    10.102.8.30:69        --
604642     4  out UDP   100  10.102.8.30:69        10.102.8.252:62923    --

lb-cdc01-stt/PROD1# sh service-policy CLIENT-VIPS class-map RADINLB-TFTP det
Status     : ACTIVE
Description: -----------------------------------------
Interface: vlan 10
  service-policy: CLIENT-VIPS
    class: RADINLB-TFTP
     VIP Address:    Protocol:  Port:
     10.102.0.18     udp        eq    69
      loadbalance:
        L7 loadbalance policy: RADINLB-TFTP
        VIP Route Metric     : 77
        VIP Route Advertise  : DISABLED
        VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
        VIP State: INSERVICE
        VIP DWS state: DWS_DISABLED
        Persistence Rebalance: ENABLED
        curr conns       : 0         , hit count        : 535
        dropped conns    : 0
        conns per second    : 0
        client pkt count : 535       , client byte count: 39295
        server pkt count : 0         , server byte count: 0
        conn-rate-limit      : 0         , drop-count : 0
        bandwidth-rate-limit : 0         , drop-count : 0
        L7 Loadbalance policy : RADINLB-TFTP
          class/match : class-default
            LB action: :
               sticky group: RADINLB-TFTP
                  primary serverfarm: RADINLB-TFTP
                    state:UP
                  backup serverfarm : -
            hit count        : 535
            dropped conns    : 0
            compression      : off
      compression:
        bytes_in  : 0                          bytes_out : 0
        Compression ratio : 0.00%
                Gzip: 0               Deflate: 0
      compression errors:
        User-Agent  : 0               Accept-Encoding    : 0
        Content size: 0               Content type       : 0
        Not HTTP 1.1: 0               HTTP response error: 0
        Others      : 0
        Parameter-map(s):
          CASE_PARAM
lb-cdc01-stt/PROD1#

Ivan Kovacevic
Cisco Employee

There is one error in your config. You should add the last line below (bolded in the original):

sticky ip-netmask 255.255.255.255 address source RADINLB-TFTP
  timeout 60
  replicate sticky
  serverfarm RADINLB-TFTP
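Both mistakes caught in this thread (a policy-map referencing a loadbalance policy that does not exist, and a sticky group with no serverfarm assigned) are dangling references that a quick cross-reference check finds before the config goes on the box. The following checker is an added example written for this page, not an ACE feature or Cisco tool. It parses the indentation-based CLI text and resolves class-map, loadbalance-policy, serverfarm, sticky-group, rserver and nat-pool references; the embedded config is constructed from the article's sample and deliberately contains both errors.

```python
"""Cross-reference checker for ACE-style load-balancer configuration text.

Added example (not an ACE feature). SAMPLE_CONFIG is constructed from the
article's sample and deliberately contains the two mistakes discussed in the
comments: a loadbalance policy reference to APP1-POLICY, which is not defined,
and a sticky group without a serverfarm.
"""
import re

SAMPLE_CONFIG = """\
access-list ANYONE line 10 extended permit ip any any
probe icmp PING
rserver host tftp-server1
   ip address 10.10.10.101
   inservice
serverfarm host TFTP-SFARM
   probe PING
   rserver tftp-server1
    inservice
sticky ip-netmask 255.255.255.255 address source TFTP-STICKY
   timeout 60
class-map match-any TO-TFTP-VIP
   match virtual-address 192.168.0.100 udp eq 69
class-map match-any FROM-TFTP-REAL
   match virtual-address 0.0.0.0 0.0.0.0 udp any
policy-map type loadbalance first-match TFTP-POLICY
   class class-default
    sticky-serverfarm TFTP-STICKY
policy-map multi-match CLIENT-VLAN-VIPS
   class TO-TFTP-VIP
    loadbalance vip inservice
    loadbalance policy APP1-POLICY
policy-map multi-match SERVER-VLAN-VIPS
   class FROM-TFTP-REAL
    nat dynamic 100 vlan 20
interface vlan 20
   ip address 192.168.0.1 255.255.255.0
   nat-pool 100 192.168.0.100 192.168.0.100 netmask 255.255.255.255
   service-policy input CLIENT-VLAN-VIPS
"""

# label used in findings -> prefix of the top-level command that defines it
KINDS = {"class-map": "class-map", "loadbalance policy": "policy-map type loadbalance",
         "serverfarm": "serverfarm", "sticky group": "sticky", "rserver": "rserver"}


def parse_blocks(text):
    """Split the config into (header, [subcommands]); a line starting in column 0
    opens a block, indented lines belong to the most recent block."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("//"):
            continue
        if line[0] not in " \t":
            blocks.append((line.strip(), []))
        elif blocks:
            blocks[-1][1].append(line.strip())
    return blocks


def lint_ace_config(text):
    blocks = parse_blocks(text)
    defined = {label: set() for label in KINDS}
    nat_pools = set()                          # (pool id, vlan) pairs
    for header, body in blocks:                # pass 1: collect definitions
        for label, prefix in KINDS.items():
            if header.startswith(prefix):
                defined[label].add(header.split()[-1])
        if header.startswith("interface vlan"):
            vlan = header.split()[-1]
            for m in (re.match(r"nat-pool (\d+)", ln) for ln in body):
                if m:
                    nat_pools.add((m.group(1), vlan))

    findings = []

    def check(body, pattern, label, where):
        for ln in body:
            m = re.match(pattern, ln)
            if m and m.group(1) not in defined[label]:
                findings.append(f"{where}: {label} {m.group(1)} not defined")

    for header, body in blocks:                # pass 2: resolve references
        name = header.split()[-1]
        if header.startswith("policy-map multi-match"):
            check([ln for ln in body if ln != "class class-default"],
                  r"class (\S+)", "class-map", name)
            check(body, r"loadbalance policy (\S+)", "loadbalance policy", name)
            for m in (re.match(r"nat dynamic (\d+) vlan (\d+)", ln) for ln in body):
                if m and (m.group(1), m.group(2)) not in nat_pools:
                    findings.append(f"{name}: nat-pool {m.group(1)} not configured "
                                    f"on vlan {m.group(2)}")
        elif header.startswith("policy-map type loadbalance"):
            check(body, r"serverfarm (\S+)", "serverfarm", name)
            check(body, r"sticky-serverfarm (\S+)", "sticky group", name)
        elif header.startswith("sticky"):
            if not any(ln.startswith("serverfarm ") for ln in body):
                findings.append(f"sticky group {name}: no serverfarm assigned")
        elif header.startswith("serverfarm"):
            check(body, r"rserver (\S+)", "rserver", name)
    return findings


if __name__ == "__main__":
    for finding in lint_ace_config(SAMPLE_CONFIG):
        print(finding)
```

The nat-pool check covers the other dependency this article introduces: `nat dynamic <id> vlan <n>` in the server-side policy only works if a `nat-pool <id>` exists on the client-side interface, so a copy-paste that drops the nat-pool line is reported the same way as a missing policy.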
