This is a very basic ACE SLB configuration. One of my friends was configuring his first Cisco ACE module to tie into his 6500 network, so I'm sharing my cfg with you.
Define the real servers that you want to load balance against. You can also assign weights to servers if you desire.

rserver host WEBAPP01
  ip address 10.112.23.1
  inservice
rserver host WEBAPP02
  ip address 10.112.23.2
  inservice
rserver host WEBAPP03
  ip address 10.112.23.3
  inservice
! these are all the servers that will be load balanced in that farm
Build an ACL. Typically you will use "any any", but it can be tightened down if you want:

access-list inbound line 10 extended permit ip any any

or

access-list inbound line 10 extended permit tcp any any eq 80
access-list inbound line 20 extended permit tcp any any eq 443
! when building the site that's to be load balanced, keep it simple; it's also nice to use the name of the site
! for the webfarm, some use the site FQDN as the farm-name convention
serverfarm host www_hyperfeed_com
  predictor hash url
  rserver WEBAPP01
    inservice
  rserver WEBAPP02
    inservice
  rserver WEBAPP03
    inservice
! now build a class-map for the traffic we will load balance; this will be the VIP exposed for the clients to
! hit from the outside
class-map match-all SLB_WWW_HYPERFEED
  description "outside address public facing"
  match virtual-address 217.XXX.XXX.1
!
!
Now let's tie the items together:

policy-map type loadbalance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
!
!
policy-map multi-match client-vips
  class SLB_WWW_HYPERFEED
    loadbalance policy vip1_www_hyperfeed
    loadbalance vip icmp-reply active
    loadbalance vip inservice
And lastly, you define the VLAN interfaces for traffic to the web servers and to the internet. These interfaces are configured much as on a switch; apply the appropriate trunking between your core switch and the ACE module, so ensure your 802.1Q trunking, or whatever you are doing, is good and solid.
interface vlan 10
  description "traffic to the internet via switchport 3/1 ASA5550-FW01.core02"
  ip address 1.1.1.1 255.255.255.0
  access-group input inbound
  service-policy input client-vips
  no shutdown
!
!
interface vlan 20
  description "traffic to backend webfarm via switchport 3/3"
  ip address 10.112.23.254 255.255.255.0
  no shutdown
!
!
!
! lastly install a default route for the internet traffic
ip route 0.0.0.0 0.0.0.0 1.1.1.254
To troubleshoot, make sure you inspect the routes and the service-policy to ensure traffic is actually being matched.
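As an added example (not part of the original post), a small Python check for the most common reason such a config matches no traffic: a name referenced in one place that is never defined in another (an rserver not in any farm, a class the policy-map cannot find, a service-policy that does not match its policy-map). It runs over a constructed sample trimmed from the configuration above, in which the service-policy name on the interface is deliberately mistyped.

```python
import re

# Constructed sample, trimmed from the config above, with one deliberate slip:
# the interface applies "client_vips" but the policy-map is named "client-vips".
SAMPLE_CFG = """\
rserver host WEBAPP01
rserver host WEBAPP02
access-list inbound line 10 extended permit tcp any any eq 80
serverfarm host www_hyperfeed_com
  rserver WEBAPP01
    inservice
  rserver WEBAPP02
    inservice
class-map SLB_WWW_HYPERFEED
  match virtual-address 217.XXX.XXX.1
policy-map type loadbalance http first-match vip1_www_hyperfeed
  class class-default
    serverfarm www_hyperfeed_com
policy-map multi-match client-vips
  class SLB_WWW_HYPERFEED
    loadbalance policy vip1_www_hyperfeed
interface vlan 10
  access-group input inbound
  service-policy input client_vips
"""

# kind, regex defining a name (column 0), regex referencing it (indented line)
RULES = [
    ("rserver", r"^rserver host (\S+)", r"^\s+rserver (\S+)"),
    ("serverfarm", r"^serverfarm host (\S+)", r"^\s+serverfarm (\S+)"),
    ("class-map", r"^class-map (?:match-\w+ )?(\S+)", r"^\s+class (?!class-default\b)(\S+)"),
    ("lb-policy", r"^policy-map type loadbalance .*first-match (\S+)", r"^\s+loadbalance policy (\S+)"),
    ("mm-policy", r"^policy-map multi-match (\S+)", r"^\s+service-policy input (\S+)"),
    ("access-list", r"^access-list (\S+)", r"^\s+access-group input (\S+)"),
]

def dangling_references(cfg):
    """Return (kind, name) pairs that are referenced but never defined."""
    lines = cfg.splitlines()
    missing = []
    for kind, def_pat, ref_pat in RULES:
        defined = {m.group(1) for m in map(re.compile(def_pat).match, lines) if m}
        for m in map(re.compile(ref_pat).match, lines):
            if m and m.group(1) not in defined:
                missing.append((kind, m.group(1)))
    return missing

if __name__ == "__main__":
    for kind, name in dangling_references(SAMPLE_CFG):
        print(f"{kind} '{name}' is referenced but never defined")
```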
Cisco ACE has come a long way from the LocalDirector series, but it's not a Brocade ServerIron or F5 LTM. It does support multiple contexts in a similar fashion to a Cisco ASA firewall. It's easy to configure and monitor.
I hope you find this information helpful
Ken Felix
Freelance Network&Security Professional
kfelix at hyperfeed d_o_t com