Thursday, January 10, 2013

CISCO ACE basic LB cfg

This is a very basic ACE SLB configuration. One of my friends was configuring his first Cisco ACE module, to tie into his 6500 network, so I'm sharing my cfg with you.
Define the real servers you want to load balance across. You can also assign weights to servers if you wish.

rserver host WEBAPP01
  ip address 10.112.23.1
  inservice
rserver host WEBAPP02
  ip address 10.112.23.2
  inservice
rserver host WEBAPP03
  ip address 10.112.23.3
  inservice
! these are all the servers that will be load balanced in that farm
! note: an rserver has to be placed inservice here as well as inside the serverfarm, or it stays out of service

Build an ACL. Typically you will use "any any", but it can be tightened down if you want:

access-list inbound line 10 extended permit ip any any

or

access-list inbound line 10 extended permit tcp any any eq 80
access-list inbound line 20 extended permit tcp any any eq 443
! each entry in the ACL needs its own line number

!   when building the site that's to be load balanced, keep it simple; it's also nice to use the site's name
!   for the web farm. Some use the site FQDN as the farm naming convention

serverfarm host www_hyperfeed_com
  predictor hash url
  rserver WEBAPP01
    inservice
  rserver WEBAPP02
    inservice
  rserver WEBAPP03
    inservice

!    now build a class-map for the traffic we will load balance; this is the VIP exposed for clients to
!    hit from the outside

class-map SLB_WWW_HYPERFEED
   description "outside address public facing"
   match virtual-address 217.XXX.XXX.1 any
!  match virtual-address needs a protocol keyword; "any" keeps the ACL as the only filter
!
!

Now let's tie the items together:

policy-map type load-balance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
!
!
policy-map multi-match client-vips
  class SLB_WWW_HYPERFEED
    loadbalance policy vip1_www_hyperfeed
    loadbalance vip icmp-reply active
    loadbalance vip inservice

And lastly, you define the VLAN interfaces for traffic to the web servers and to the internet. These interfaces are configured the same way as on the switch; apply the appropriate trunking on your core switch towards the ACE module, so make sure your 802.1Q trunking (or whatever you're doing) is good and solid.

interface vlan 10
   description "traffic to the internet via switchport 3/1 ASA5550-FW01.core02"
   ip address 1.1.1.1 255.255.255.0
   access-group input inbound
   service-policy input client-vips
   no shutdown
!
!
interface vlan 20
   description "traffic to backend webfarm via switchport 3/3"
   ip address 10.112.23.254 255.255.255.0
   no shutdown
!  ACE VLAN interfaces are shut down by default, hence the no shutdown



!
!
!  lastly install a default route for the internet traffic
ip route 0.0.0.0 0.0.0.0 1.1.1.254


To troubleshoot, inspect the routes and the service-policy to ensure traffic is being matched.
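Before you get as far as inspecting the service-policy on the box, most of the mistakes in a hand-typed ACE config of this shape are plain name mismatches: a serverfarm member that was never defined as an rserver, or a service-policy applied with a name that differs from the multi-match policy-map. The checker below is an added example (my own code, not Cisco's and not a tool from this post): it parses the block types used above, reports every reference to an object that was never defined, and warns when an ACL permits ip any any. The config text inside it is constructed for the demo, uses a documentation VIP address, and deliberately contains those two slips; the parser only understands the handful of statements used in this post.

```python
"""Cross-reference checker for a minimal Cisco ACE SLB configuration.

Added example (not Cisco code): parses the block types used in this post and
reports references to objects that were never defined, plus an overly
permissive ACL.  Only the statements shown in the post are understood.
"""
import re

# Constructed sample config for the demo.  It contains two slips that are easy
# to make by hand: serverfarm member WEBAPP03 has no rserver definition, and
# the interface applies "client_vips" while the policy-map is "client-vips".
SAMPLE_CFG = """
rserver host WEBAPP01
  ip address 10.112.23.1
  inservice
rserver host WEBAPP02
  ip address 10.112.23.2
  inservice
access-list inbound line 10 extended permit ip any any
serverfarm host www_hyperfeed_com
  predictor hash url
  rserver WEBAPP01
    inservice
  rserver WEBAPP02
    inservice
  rserver WEBAPP03
    inservice
class-map match-all SLB_WWW_HYPERFEED
  match virtual-address 203.0.113.1 any
policy-map type load-balance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
policy-map multi-match client-vips
  class SLB_WWW_HYPERFEED
    loadbalance policy vip1_www_hyperfeed
    loadbalance vip inservice
interface vlan 10
  ip address 1.1.1.1 255.255.255.0
  access-group input inbound
  service-policy input client_vips
"""

# Top-level block openers: (regex capturing the object name, object kind).
BLOCKS = [
    (re.compile(r"^rserver host (\S+)"), "rserver"),
    (re.compile(r"^serverfarm host (\S+)"), "serverfarm"),
    (re.compile(r"^class-map (?:match-(?:all|any) )?(\S+)"), "class-map"),
    (re.compile(r"^policy-map type load-balance \S+ first-match (\S+)"), "lb-policy"),
    (re.compile(r"^policy-map multi-match (\S+)"), "mm-policy"),
    (re.compile(r"^interface (vlan \d+)"), "interface"),
]
ACL_RE = re.compile(r"^access-list (\S+) line \d+ extended (.+)")


def parse(cfg):
    """Return {kind: {name: [(ref_kind, ref_name), ...]}} plus {"acl": {name: [entries]}}."""
    objs = {kind: {} for _, kind in BLOCKS}
    objs["acl"] = {}
    kind = name = None                      # block the indented lines belong to
    for raw in cfg.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue                        # blank line or comment
        if not line.startswith(" "):        # a new top-level statement
            kind = name = None
            m = ACL_RE.match(line)
            if m:
                objs["acl"].setdefault(m.group(1), []).append(m.group(2))
                continue
            for pat, k in BLOCKS:
                m = pat.match(line)
                if m:
                    kind, name = k, m.group(1)
                    objs[kind][name] = []
                    break
            continue
        if kind is None:
            continue                        # indented line under a block we do not model
        w = line.split()
        ref = None
        if kind == "serverfarm" and w[0] == "rserver":
            ref = ("rserver", w[1])
        elif kind == "lb-policy" and w[0] == "serverfarm":
            ref = ("serverfarm", w[1])
        elif kind == "mm-policy" and w[0] == "class":
            ref = ("class-map", w[1])
        elif kind == "mm-policy" and w[:2] == ["loadbalance", "policy"]:
            ref = ("lb-policy", w[2])
        elif kind == "interface" and w[0] == "access-group" and len(w) == 3:
            ref = ("acl", w[2])             # access-group {input|output} <acl>
        elif kind == "interface" and w[0] == "service-policy" and len(w) == 3:
            ref = ("mm-policy", w[2])       # service-policy input <policy-map>
        if ref:
            objs[kind][name].append(ref)
    return objs


def lint(cfg):
    """Return a list of "ERROR: ..." / "WARN: ..." strings; empty means clean."""
    objs = parse(cfg)
    findings = []
    for kind, table in objs.items():
        if kind == "acl":
            continue
        for name, refs in table.items():
            for ref_kind, target in refs:
                if target not in objs[ref_kind]:
                    findings.append(f"ERROR: {kind} {name} references undefined {ref_kind} {target}")
    for acl, entries in objs["acl"].items():
        if any(e.split()[:4] == ["permit", "ip", "any", "any"] for e in entries):
            findings.append(f"WARN: access-list {acl} permits ip any any; consider limiting it to the VIP ports")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run it against a `show running-config` dump saved to a file and you get the two errors and the ACL warning before anything is pushed to the module; fix the names, tighten the ACL to the VIP ports, and it comes back clean.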

Cisco ACE has come a long way from the LocalDirector series, but it's not a Brocade ServerIron or F5 LTM. It does support multiple contexts, much like a Cisco ASA firewall. It's easy to configure and monitor.

I hope you find this  information helpful
Ken Felix
Freelance Network&Security Professional
kfelix at hyperfeed d_o_t com
