Thursday, January 10, 2013

CISCO ACE basic LB cfg

This is a very basic ACE SLB configuration. One of my friends was configuring his first Cisco ACE module, to tie into his 6500 network, so I'm sharing my cfg with you.
Define the real servers that you want to load-balance against. You can also assign weights to the servers if you desire.

rserver host WEBAPP01
  ip address
rserver host WEBAPP02
  ip address
rserver host WEBAPP03
  ip address
! these are all the servers that will be load-balanced in that farm

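Build an ACL. Typically you will use "any any", but it can be tightened down if you want, for example to TCP 80 and 443 only. The first entry below already permits everything, so keep either it or the two port-specific entries, not both: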

access-list inbound line 10 extended permit ip any any
access-list inbound line 10 extended permit tcp any any eq 80
access-list inbound line 10 extended permit tcp any any eq 443

!   when building the site that's to be load-balanced, keep it simple, but it's also nice to use the name of the site
!   for the webfarm; some use the site FQDN as the farm naming convention

serverfarm host www_hyperfeed_com
  predictor hash url
  rserver WEBAPP01
  rserver WEBAPP02
  rserver WEBAPP03

!    now build a class-map for the traffic we will load-balance against; this will be the VIP exposed
!    for the clients to hit from the outside

   description "outside address public facing"
   match virtual-address 217.XXX.XXX.1



Now let’s tie the items together

policy-map type loadbalance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
policy-map multi-match client-vips
    loadbalance policy vip1_www_hyperfeed
    loadbalance vip icmp-reply active
    loadbalance vip inservice

And lastly, define the VLAN interfaces for traffic to the web servers and the internet. These interfaces are configured the same way as on a switch; apply the appropriate trunking between your core switch and the ACE module, and make sure your 802.1 trunking, or whatever you're doing, is good and solid.

interface vlan 10
   description "traffic to the internet via switchport 3/1 ASA5550- FW01.core02"
   ip address
   access-group input inbound
   service-policy input client-vips



interface vlan 20
   description "traffic to backend webfarm via switchport 3/3"
   ip address

!  lastly install a default route for the internet traffic
ip route

To troubleshoot, inspect the routes and the service-policy to make sure traffic is being matched.
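A name that is referenced but never defined (a policy-map name spelled one way where it is built and another way on the interface, an rserver missing from the top of the file) is a common reason a service-policy matches nothing. The following is an added example, not part of the original post: a small Python check that cross-references the object names in an ACE-style config and flags a blanket "permit ip any any". The sample config is constructed, its addresses are documentation placeholders, and VIP_WWW is a hypothetical class-map name.

```python
import re

# Constructed sample in the style of the config above. Addresses are
# documentation placeholders and VIP_WWW is a hypothetical class-map name.
SAMPLE = """\
rserver host WEBAPP01
  ip address 192.0.2.11
access-list inbound line 10 extended permit ip any any
serverfarm host www_hyperfeed_com
  rserver WEBAPP01
  rserver WEBAPP03
class-map match-all VIP_WWW
  2 match virtual-address 192.0.2.100 tcp eq 80
policy-map type loadbalance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
policy-map multi-match client-vips
  class VIP_WWW
    loadbalance policy vip1_www_hyperfeed
interface vlan 10
  access-group input inbound
  service-policy input client_vips
"""

# (definition regex, reference regex, object kind)
CHECKS = [
    (r"^rserver host (\S+)", r"^[ \t]+rserver (\S+)", "rserver"),
    (r"^serverfarm host (\S+)", r"^[ \t]+serverfarm (\S+)", "serverfarm"),
    (r"^class-map (?:.* )?(\S+)$", r"^[ \t]+class (\S+)", "class-map"),
    (r"^policy-map (?:.* )?(\S+)$",
     r"^[ \t]+(?:loadbalance policy|service-policy input) (\S+)", "policy-map"),
    (r"^access-list (\S+) ", r"^[ \t]+access-group (?:input|output) (\S+)", "access-list"),
]
BUILTIN = {"class-default"}  # always present, never defined in the config

def lint(config):
    """Return sorted findings: dangling name references and blanket permits."""
    findings = set()
    for define, refer, kind in CHECKS:
        defined = set(re.findall(define, config, re.M)) | BUILTIN
        for name in re.findall(refer, config, re.M):
            if name not in defined:
                findings.add(f"{kind} '{name}' is referenced but not defined")
    for acl in re.findall(r"^access-list (\S+) .*permit ip any any[ \t]*$", config, re.M):
        findings.add(f"access-list '{acl}' permits all IP traffic")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against a saved copy of the running config before a change window; an empty result means every referenced name resolves and no ACL entry permits all IP traffic.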

Cisco ACE has come a long way from the LocalDirector series, but it's not a Brocade ServerIron or F5 LTM. It does support multiple contexts in a similar fashion to a Cisco ASA firewall. It's easy to configure and monitor.

I hope you find this information helpful.
Ken Felix
Freelance Network&Security Professional
kfelix at hyperfeed d_o_t com
