
Monday, July 12, 2010

Cisco ACE 4710 Load balancer configuration


Posted by Vivek on 11:07 PM

Coming back with a BANG! Let's start with the Cisco ACE load balancer and its configuration.

NOTE: A minimum understanding of how load balancing works is required to follow this topic.

Cisco ACE is an application load balancer (i.e. Layer 7). Cisco ACE load balancing works in two different modes:

Routed Mode
Bridged Mode

A simple way to remember them: Routed mode is a Layer 3 function and Bridged mode is a Layer 2 function. The diagram below gives a clean overview of the two.

The diagram above shows the Routed mode topology. The load balancer has two legs: one connected to a different network (towards the router) and the other towards the serverfarm. For the servers, the default gateway will always be interface VLAN 40, since the gateway and the routing need to sit on the LB in order to pass packets to the next hop (i.e. the router). Now, what if the customer wants the Layer 3 boundary on the router and wants the load balancer to act as just another Layer 2 switch? For this there is something called "Bridged mode".

If you look closely at the diagram you will notice that the servers behind the LB are in the same segment as the router. VLAN 30 and VLAN 31 would be part of the bridge, and a bridged virtual interface (BVI) would be created to bridge these two VLANs. The configuration will give a better overview of the two modes. Let's start with the configuration part now.

ROUTED MODE
------------------

First create the Layer 3 interfaces as per diagram (1):

  interface vlan 20
    description "Outside towards client interface"
    ip address 172.16.1.5 255.255.255.0
    no shutdown

  interface vlan 40
    description "Inside towards serverfarm interface"
    ip address 192.168.1.1 255.255.255.0
    no shutdown

Now add the physical ports into the respective VLANs. Assume Gi1/1 is the interface connecting to the router and Gi1/2 is connected to the serverfarm segment, with a Layer 2 switch in between.

  interface gigabitEthernet 1/1
    description *** Interface connecting to the router ***
    switchport access vlan 20
    no shutdown

  interface gigabitEthernet 1/2
    description *** Interface connecting to the serverfarm ***
    switchport access vlan 40
    no shutdown

Now we get into the load balancing stuff! We need to create the real (physical) servers first and then associate them with a serverfarm. For example, within a serverfarm there could be more than 100 physical servers serving the application / web requests. One good example would be internet banking websites. Do you think there is only one server serving the requests of millions of customers worldwide? No chance. Users from around the world hit an IP address (the Virtual IP, or VIP) that is configured on the LB, and the LB balances the load among the servers configured in the real server list.

  rserver host PROD1
    ip address 192.168.1.10
    inservice

  rserver host PROD2
    ip address 192.168.1.11
    inservice

For this example we will use only two real servers. The command "inservice" states that the servers are not administratively shut down and are in operational state; this command is a must to bring the servers alive. Now we need to create a serverfarm. A serverfarm is nothing other than a farm holding multiple servers within it.

  serverfarm host PROD-web
    rserver PROD1
      inservice
    rserver PROD2
      inservice

The serverfarm has been created and the real servers are associated with it.

By default, ACE doesn't allow any management traffic on an interface, so we need to explicitly allow it with the configuration below:

  class-map type management match-any MGMT
    2 match protocol ssh any
    3 match protocol telnet any
    5 match protocol https any
    6 match protocol http any
    7 match protocol icmp any

Now a policy-map needs to be created to permit the MGMT traffic:

  policy-map type management first-match MGMT
    class MGMT
      permit

We need a class-map to define the VIP that clients send their requests to. Users from inside or outside will be targeting this virtual IP address:

  class-map match-all slb-vip-PROD
    2 match virtual-address 172.16.1.3 any

The next step is to define the action taken when a new client request arrives. This is called a Layer 4 policy:

  policy-map type loadbalance first-match LB_POLICY_PROD
    class class-default
      serverfarm PROD-web

Now that the virtual IP and the load balancing parameters are defined, they need to be tied together so that the ACE knows how to handle traffic when it hits the VIP. To do this there is the multi-match policy, which is applied on the interfaces where the traffic arrives. The icmp-reply feature needs to be enabled for the VIP to be pingable. This policy is called a Layer 7 policy:

  policy-map multi-match CLIENT-VIPS_PROD
    class slb-vip-PROD
      loadbalance vip inservice
      loadbalance policy LB_POLICY_PROD
      loadbalance vip icmp-reply active

Now an ACL needs to be created to allow all users to reach the servers, whether from the outside world or from the corporate network:

  access-list INBOUND line 8 extended permit ip any any
  access-list INBOUND line 16 extended permit icmp any any

Once all of the above is done, it's time to apply the service policies to the respective interface, together with a default route pointing towards the router's interface. Where will the Layer 7 service policy be applied? Any idea? Think, think... Well, it should be applied on the interface facing the serverfarm, as the packets are destined to the servers. Note that the access-group must reference the ACL defined above (INBOUND); an access-group pointing at an ACL name that does not exist will not do what you expect.

  interface vlan 40
    ip address 192.168.1.1 255.255.255.0
    access-group input INBOUND
    service-policy input CLIENT-VIPS_PROD
    service-policy input MGMT
    no shutdown

  ip route 0.0.0.0 0.0.0.0 172.16.1.1

Alrighty mate! We are done with the routed mode configuration. Now we can publish the VIP in DNS under some DNS name.
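A routed-mode configuration like the one above is a chain of references (rserver to serverfarm, serverfarm to loadbalance policy, class-map and policy to the multi-match policy, ACL and policies to the interface), and the usual way it goes wrong is a name that is referenced in one place but never defined in another, or an ACL that is far wider than the VIP needs. The following checker is an added example, not code from the original post and not a Cisco tool: it parses the indented ACE config style used on this page (top-level objects are unindented, their children indented), builds the reference graph, and reports dangling references plus any "permit ip any any" entry. The sample config is constructed for the example and deliberately references an ACL named "everyone" that was never defined.

```python
"""Cross-reference checker for a Cisco ACE routed-mode configuration.

Added example (not part of the original post, not a Cisco utility). It assumes
the config uses the subset of ACE syntax shown on the page and that top-level
objects are unindented while their child lines are indented.
"""
import re

# Constructed sample config: same objects as the post, but the interface
# references an ACL called "everyone" that is never defined.
SAMPLE_CONFIG = """\
rserver host PROD1
  ip address 192.168.1.10
  inservice
rserver host PROD2
  ip address 192.168.1.11
  inservice
serverfarm host PROD-web
  rserver PROD1
    inservice
  rserver PROD2
    inservice
class-map type management match-any MGMT
  2 match protocol ssh any
policy-map type management first-match MGMT
  class MGMT
    permit
class-map match-all slb-vip-PROD
  2 match virtual-address 172.16.1.3 any
policy-map type loadbalance first-match LB_POLICY_PROD
  class class-default
    serverfarm PROD-web
policy-map multi-match CLIENT-VIPS_PROD
  class slb-vip-PROD
    loadbalance vip inservice
    loadbalance policy LB_POLICY_PROD
    loadbalance vip icmp-reply active
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
interface vlan 40
  ip address 192.168.1.1 255.255.255.0
  access-group input everyone
  service-policy input CLIENT-VIPS_PROD
  service-policy input MGMT
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.1.1
"""

BLOCK_START = re.compile(
    r"^(?P<kind>rserver|serverfarm|class-map|policy-map|interface)\s+(?P<rest>.+)$")
ACL_LINE = re.compile(
    r"^access-list (?P<name>\S+) line \d+ extended (?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)")


def parse_ace_config(text):
    """Collect each named object and the names it references."""
    cfg = {"rserver": set(), "serverfarm": {}, "class-map": set(),
           "policy-map": {}, "access-list": {}, "interface": {}}
    current = None  # (kind, name) of the block the indented lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] not in " \t":  # top-level: new object, ACL entry or route
            acl = ACL_LINE.match(line)
            if acl:
                cfg["access-list"].setdefault(acl["name"], []).append(
                    (acl["action"], acl["proto"], acl["src"], acl["dst"]))
                current = None
                continue
            head = BLOCK_START.match(line)
            if not head:
                current = None  # e.g. "ip route": no children we track
                continue
            kind, rest = head["kind"], head["rest"].strip()
            # the object name is the last token, except for "interface vlan N"
            name = rest if kind == "interface" else rest.split()[-1]
            if kind in ("rserver", "class-map"):
                cfg[kind].add(name)
            else:
                cfg[kind].setdefault(name, [])
            current = (kind, name)
            continue
        if current is None:
            continue
        kind, name = current
        tokens = line.split()
        if kind == "serverfarm" and tokens[0] == "rserver":
            cfg[kind][name].append(tokens[1])
        elif kind == "policy-map":
            if tokens[0] in ("class", "serverfarm"):
                cfg[kind][name].append((tokens[0], tokens[1]))
            elif tokens[:2] == ["loadbalance", "policy"]:
                cfg[kind][name].append(("policy", tokens[2]))
        elif kind == "interface" and tokens[0] in ("access-group", "service-policy"):
            cfg[kind][name].append((tokens[0], tokens[2]))
    return cfg


def check_config(text):
    """Return a list of findings: dangling references and over-broad ACL entries."""
    cfg = parse_ace_config(text)
    findings = []
    for farm, refs in cfg["serverfarm"].items():
        for r in refs:
            if r not in cfg["rserver"]:
                findings.append(f"serverfarm {farm}: rserver {r} is not defined")
    for pm, refs in cfg["policy-map"].items():
        for kind, name in refs:
            if kind == "class" and name != "class-default" and name not in cfg["class-map"]:
                findings.append(f"policy-map {pm}: class-map {name} is not defined")
            elif kind == "serverfarm" and name not in cfg["serverfarm"]:
                findings.append(f"policy-map {pm}: serverfarm {name} is not defined")
            elif kind == "policy" and name not in cfg["policy-map"]:
                findings.append(f"policy-map {pm}: loadbalance policy {name} is not defined")
    for ifname, refs in cfg["interface"].items():
        for kind, name in refs:
            if kind == "access-group" and name not in cfg["access-list"]:
                findings.append(f"interface {ifname}: access-group {name} is not defined")
            elif kind == "service-policy" and name not in cfg["policy-map"]:
                findings.append(f"interface {ifname}: service-policy {name} is not defined")
    for acl, entries in cfg["access-list"].items():
        for action, proto, src, dst in entries:
            if (action, proto, src, dst) == ("permit", "ip", "any", "any"):
                findings.append(f"access-list {acl}: 'permit ip any any' admits all traffic; "
                                "restrict it to the VIP and serverfarm")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Running it on the sample reports the undefined access-group on interface vlan 40 and the wide-open ACL entry; once the access-group is corrected to INBOUND only the ACL finding remains, which is the one a reviewer would discuss before the VIP is published in DNS.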
