Simple Loadbalancing Cisco ACE configuration

This guide describes simple two-server load balancing on a Cisco ACE with basic TCP health checking.

Required elements:
- 2 (hg/mg/eg) hosts to load balance between
- the Professional Use option on the servers above (a VLAN is needed between the hosts and the ACE box)
- access to the Cisco ACE box
- an IP RIPE block (only one IP of it is used here)


Testing the private network


Configure the two servers by following the guide http://help.ovh.ie/vrack.
First assign the IP 172.16.0.1 to the first machine and 172.16.0.2 to the second machine.

IMPORTANT !!
You can use any address in 172.16.0.0/12 except those listed below; these must NEVER be configured as an interface address on your machine:
  • 172.16.0.0 => IP Network
  • 172.31.255.248 => Reserved IP used in our example
  • 172.31.255.249 => Reserved IP used in our example
  • 172.31.255.250 => Reserved IP used in our example
  • 172.31.255.251 => Reserved IP used in our example
  • 172.31.255.252 => IP reserved for internal use at OVH
  • 172.31.255.253 => IP reserved for internal use at OVH
  • 172.31.255.254 => Gateway IP of your virtual rack
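As an added example (not part of the OVH guide), the check below validates a candidate private address before it is assigned to a server interface: it must be a host address inside 172.16.0.0/12, must not be one of the reserved addresses listed above, and, as a general networking fact the guide does not spell out, must not be the broadcast address of the /12. The /12 netmask 255.240.0.0 is the one the guide uses on the ACE interfaces.

```python
import ipaddress
from typing import Tuple

# Added example for this guide (not OVH's code): check a candidate private
# address before assigning it to a server interface in the virtual rack.
VRACK_RANGE = ipaddress.ip_network("172.16.0.0/12")
VRACK_NETMASK = "255.240.0.0"  # dotted mask of /12, as used on the ACE interfaces

# Addresses from the guide that must never be configured on a server interface.
RESERVED = {
    "172.16.0.0": "network address",
    "172.31.255.248": "NAT pool address used in the example",
    "172.31.255.249": "ACE alias (floating) address used in the example",
    "172.31.255.250": "ACE router #1 address used in the example",
    "172.31.255.251": "ACE router #2 address used in the example",
    "172.31.255.252": "reserved for OVH internal use",
    "172.31.255.253": "reserved for OVH internal use",
    "172.31.255.254": "gateway of the virtual rack",
}


def check_private_ip(candidate: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok is True only for a usable host address in
    172.16.0.0/12 that is not one of the reserved addresses above."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False, f"{candidate!r} is not a valid IP address"
    if addr.version != 4:
        return False, "the virtual rack example uses IPv4 addresses only"
    if addr not in VRACK_RANGE:
        return False, f"{addr} is outside {VRACK_RANGE}"
    if str(addr) in RESERVED:
        return False, f"{addr} is reserved: {RESERVED[str(addr)]}"
    # The directed broadcast of the /12 is not listed in the guide but is
    # never a usable host address either.
    if addr == VRACK_RANGE.broadcast_address:
        return False, f"{addr} is the broadcast address of {VRACK_RANGE}"
    return True, f"{addr} is usable"


def interface_line(candidate: str) -> str:
    """Build the ACE-style 'ip address <ip> <mask>' line for a validated address."""
    ok, reason = check_private_ip(candidate)
    if not ok:
        raise ValueError(reason)
    return f"ip address {candidate} {VRACK_NETMASK}"


def check_pair(server_a: str, server_b: str) -> Tuple[bool, str]:
    """Validate the two server addresses together: each must pass and they must differ."""
    for ip in (server_a, server_b):
        ok, reason = check_private_ip(ip)
        if not ok:
            return False, reason
    if ipaddress.ip_address(server_a) == ipaddress.ip_address(server_b):
        return False, "both servers have the same address"
    return True, "both addresses are usable and distinct"


if __name__ == "__main__":
    for ip in ("172.16.0.1", "172.16.0.2", "172.31.255.254", "10.0.0.1", "172.16.0.0"):
        print(ip, "->", check_private_ip(ip)[1])
    print(check_pair("172.16.0.1", "172.16.0.2"))
```

Run it before touching the servers; a rejected address tells you which rule it broke, so a reserved ACE or gateway address never ends up on a host interface by accident.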


Then check that your servers can communicate with each other:

serverA:~# ping -c3 172.16.0.2
PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=0.277 ms
64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=0.261 ms
64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=0.275 ms

serverB:~# ping -c3 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.277 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.261 ms
64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=0.275 ms



Cisco ACE configuration


We will now configure the ACE load balancer.

Note that, for safety, the ACE is reachable ONLY from your private network when it is delivered.
You must therefore give one of your dedicated servers a private IP. Once that is done, connect from that server to the private IP of the load balancer in order to configure an ACL.

user@machine ~ ssh admin@172.31.255.249
Password:
Cisco Application Control Software (ACSW)
TAC support: http://www.cisco.com/tac
Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained herein are owned by
other third parties and are used and distributed under license.
Some parts of this software are covered under the GNU Public
License. A copy of the license is available at
http://www.gnu.org/licenses/gpl.html.
rbx-s1-6k/vrack1234#


Enter configuration mode and create a management ACL so that you can reach your ACE from outside.
To find the 'public' VLAN of your ACE, run 'sh run': the interface that carries an IP of your RIPE block is the public VLAN interface.


rbx-s1-ace/vrack2009# conf t
Enter configuration commands, one per line. End with CNTL/Z.
rbx-s1-ace/vrack2009(config)# class-map type management match-all PUBLIC_REMOTE
rbx-s1-ace/vrack2009(config-cmap-mgmt)# match protocol ssh source-address VOTRE.IP.ADSL.ICI 255.255.xxx.xxx
rbx-s1-ace/vrack2009(config-cmap-mgmt)# policy-map type management first-match REMOTE_PUBLIC_MGMT
rbx-s1-ace/vrack2009(config-pmap-mgmt)# class PUBLIC_REMOTE
rbx-s1-ace/vrack2009(config-pmap-mgmt-c)# permit
rbx-s1-ace/vrack2009(config-pmap-mgmt)# interface vlan209
rbx-s1-ace/vrack2009(config-if)# service-policy input REMOTE_PUBLIC_MGMT
rbx-s1-ace/vrack2009(config-if)# end
rbx-s1-ace/vrack2009# wr m
Generating configuration....
running config of context vrack2009 saved

Please wait ... sync to compact flash in progress.
This may take a few minutes to complete
Sync Done


The ACE context is now reachable over SSH on the public IP, which you can also find in the 'sh run' output.

Tip
Whenever a prompt shows "(config)" as above, type "conf t" or "configure" first to enter configuration mode, and exit with CTRL + Z once the configuration has been entered.



Configure the private network


IMPORTANT !!
We use a VLAN tag close to yours for access to the ACE box: for VLAN 2045 we generally use VLAN 245, but it may differ. You can find out with "show running-config". Never remove the interface vlan 245 mentioned above! If you do, you will lose access to the load balancer and you will be charged for our administrators to restore the configuration.


Tip !
You can undo a line entered by mistake. For example, if you entered the wrong address, check your configuration with "show running interface", then remove the wrong line:
rbx-99-6k-ace-1/vrack1234# configure
rbx-99-6k-ace-1/vrack1234(config)# no ip address 72.16.0.10 255.255.255.255
Then enter the correct line:
rbx-99-6k-ace-1/vrack1234# configure
rbx-99-6k-ace-1/vrack1234(config)# ip address 172.16.0.10 255.240.0.0


First, add the "ANY" access-list to allow ICMP (ping) and IP traffic from any source:
rbx-99-6k-ace-1/vrack1234(config)# access-list ANY line 8 extended permit icmp any any
rbx-99-6k-ace-1/vrack1234(config)# access-list ANY line 16 extended permit ip any any

Next, define the interface of the virtual rack for internal use.
OVH recommends using the IP range 172.16.0.0/12.

Your ACE is intended to provide fault tolerance: if the first router fails, the second router must be able to take over.
This is only possible once the interfaces are configured.

In this example the following addresses are used:


  • 172.31.255.248 => This IP will become the NAT POOL
  • 172.31.255.249 => IP ALIAS (floating address that lands on either router #1 or #2)
  • 172.31.255.250 => IP of router #1
  • 172.31.255.251 => IP of router #2



INFO!
The ACE card in standby mode is not configurable, so you cannot log on to it. Configuration is done on the active card, which replicates it to the hot-standby card through the FT (fault tolerance) group.


So let's add the first private network interface:

rbx-99-6k-ace-1/vrack1234#conf t
rbx-99-6k-ace-1/vrack1234(config)# interface vlan 1234
(replace 1234 with the tag of your virtual rack)

Add the private address to this interface:
rbx-99-6k-ace-1/vrack1234(config-if)#ip address 172.31.255.250 255.240.0.0

Add the peer address that will be used on the second router:
rbx-99-6k-ace-1/vrack1234(config-if)#peer ip address 172.31.255.251 255.240.0.0

Set the alias for the above two IPs:
rbx-99-6k-ace-1/vrack1234(config-if)#alias 172.31.255.249 255.240.0.0


The three steps above have set the private VLAN interface IP on ROUTER1 and on ROUTER2, plus the 'floating' IP (alias) shared by the two.
We still need to add the NAT pool. Here we use port address translation (PAT) towards the real servers:

rbx-99-6k-ace-1/vrack1234(config-if)# nat-pool 1 172.31.255.248 172.31.255.248 netmask 255.240.0.0 pat

Then apply the access list (which allows ping) and activate the interface:
rbx-99-6k-ace-1/vrack1234(config-if)# access-group input ANY
rbx-99-6k-ace-1/vrack1234(config-if)# no shutdown



Check the configuration


Check that servers A and B are reachable from the ACE through the virtual rack:
rbx-s1-ace/vrack2199# ping 172.16.0.1
Pinging 172.16.0.1 with timeout = 2, count = 5, size = 100 ....

Response from 172.16.0.1 : seq 1 time 0.295 ms
Response from 172.16.0.1 : seq 2 time 0.161 ms
Response from 172.16.0.1 : seq 3 time 0.080 ms
Response from 172.16.0.1 : seq 4 time 0.160 ms
Response from 172.16.0.1 : seq 5 time 0.176 ms
5 packet sent, 5 responses received, 0% packet loss

rbx-s1-ace/vrack2199# ping 172.16.0.2
Pinging 172.16.0.2 with timeout = 2, count = 5, size = 100 ....

Response from 172.16.0.2 : seq 1 time 0.392 ms
Response from 172.16.0.2 : seq 2 time 0.378 ms
Response from 172.16.0.2 : seq 3 time 0.338 ms
Response from 172.16.0.2 : seq 4 time 0.302 ms
Response from 172.16.0.2 : seq 5 time 0.276 ms
5 packet sent, 5 responses received, 0% packet loss



Create a server farm


First we ask the ACE to check that your machines are working: we define a TCP probe PROBE_TCP with an interval of 30 seconds, and 60 seconds between probes once a server has failed:
rbx-99-6k-ace-1/vrack1234(config)# probe tcp PROBE_TCP
interval 30
passdetect interval 60


Declare the real servers: the machines to load balance, their IPs, and their connection limits.
In this example we set a limit of 50,000 connections to prevent overload:

rbx-99-6k-ace-1/vrack1234(config)# rserver host SERVER1 # replace SERVER1 with the name of your first server
ip address 172.16.0.1
conn-limit max 50000 min 40000
inservice
rbx-99-6k-ace-1/vrack1234(config)# rserver host SERVER2 # replace SERVER2 with the name of your second server
ip address 172.16.0.2
conn-limit max 50000 min 40000
inservice


Create a Server Farm
In this example the farm is named FARM_WEB and uses the "leastconns" predictor, which sends each new connection to the server with the fewest active connections. It uses the PROBE_TCP probe configured earlier:

rbx-99-6k-ace-1/vrack1234(config)# serverfarm host FARM_WEB
predictor leastconns
probe PROBE_TCP
rserver SERVER1 # replace SERVER1 with the name of your first server
inservice
rserver SERVER2 # replace SERVER2 with the name of your second server
inservice



Configure Loadbalancing


Create an HTTP parameter map. This allows the ACE to modify HTTP headers and to send each new request on a connection to a potentially different real server:

rbx-99-6k-ace-1/vrack1234(config)# parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance

Now define a class-map that selects the inbound traffic. Here we use the IP 178.33.8.65 (one of the IPs of the RIPE block) and port 80 (www):
rbx-99-6k-ace-1/vrack1234(config)# class-map match-all L4-WEB-IP
2 match virtual-address 178.33.8.65 tcp eq www

Next, a load-balance policy-map, named WEB_L7_POLICY, which inserts the client source IP into an HTTP header while sending the traffic to the server farm:
rbx-99-6k-ace-1/vrack1234(config)# policy-map type loadbalance http first-match WEB_L7_POLICY
class class-default
serverfarm FARM_WEB
insert-http x-forward header-value "%is"

Combine the class-map L4-WEB-IP, the policy WEB_L7_POLICY and HTTP_PARAMETER_MAP into a multi-match policy:
rbx-99-6k-ace-1/vrack1234(config)# policy-map multi-match WEB-to-vIPs
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1234 # replace 1234 with your virtual rack tag
appl-parameter http advanced-options HTTP_PARAMETER_MAP

Apply the service-policy and the access-list to the incoming VLAN interface:
rbx-99-6k-ace-1/vrack1234(config)# interface vlan 123 # for vrack tag 2045 this is usually 245, but it may differ: check with "show running-config"
service-policy input WEB-to-vIPs
access-group input ANY
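Because of `nat dynamic 1`, the real servers see every balanced connection coming from the NAT pool address, and the only trace of the real client is the header inserted by `insert-http x-forward header-value "%is"`. The following added example (not part of the OVH guide or of the ACE software) shows how a backend should recover the client address safely: it assumes the NAT pool address 172.31.255.248 and the header name "x-forward" from this guide, and trusts the header only when the TCP peer is the ACE, the header appears exactly once, and its value parses as an IP address. Sample requests and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# Added example (not part of the OVH guide or the ACE software): how a backend
# behind this configuration should recover the client address. Assumptions:
# after `nat dynamic 1 vlan 1234` the servers see connections from the NAT
# pool address 172.31.255.248, and the ACE inserts a header named "x-forward"
# (from `insert-http x-forward header-value "%is"`).
ACE_NAT_POOL = {ipaddress.ip_address("172.31.255.248")}
FORWARD_HEADER = "x-forward"


def parse_request_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split an HTTP/1.x request head into (name, value) pairs.
    Names are lower-cased; duplicates are kept in their original order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def client_ip(peer_ip: str, headers: List[Tuple[str, str]]) -> Tuple[str, str]:
    """Return (address, source). The x-forward header is trusted only when the
    TCP peer is the ACE NAT pool, the header is present exactly once and it
    holds a valid IP address; otherwise the peer address is returned."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in ACE_NAT_POOL:
        return str(peer), "peer"          # direct connection: never trust the header
    values = [v for name, v in headers if name == FORWARD_HEADER]
    if len(values) != 1:
        return str(peer), "peer"          # missing or duplicated header: ambiguous
    try:
        forwarded = ipaddress.ip_address(values[0])
    except ValueError:
        return str(peer), "peer"          # not an address: do not log attacker data
    return str(forwarded), FORWARD_HEADER


# Constructed sample requests (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real clients).
VIA_ACE = b"GET / HTTP/1.1\r\nHost: 178.33.8.65\r\nx-forward: 203.0.113.7\r\n\r\n"
DIRECT_SPOOFED = b"GET / HTTP/1.1\r\nHost: 172.16.0.1\r\nX-Forward: 203.0.113.7\r\n\r\n"
VIA_ACE_DUPLICATE = (b"GET / HTTP/1.1\r\nHost: 178.33.8.65\r\n"
                     b"x-forward: 198.51.100.1\r\nx-forward: 203.0.113.7\r\n\r\n")

if __name__ == "__main__":
    print("via ACE:      ", client_ip("172.31.255.248", parse_request_headers(VIA_ACE)))
    print("direct, spoof:", client_ip("198.51.100.9", parse_request_headers(DIRECT_SPOOFED)))
    print("via ACE, dup: ", client_ip("172.31.255.248", parse_request_headers(VIA_ACE_DUPLICATE)))
```

Whether the ACE appends its header after or before a client-supplied one of the same name is not stated in this guide, which is why the example treats a duplicated header as untrusted rather than guessing which copy is the ACE's; if you know the behaviour of your ACE version you can relax that rule.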


Configuration example


Your configuration should look like this (the administration IP 178.33.8.77 is used to access the ACE load balancer):
rbx-99-6k-ace-1/vrack1234# show running-config
Generating configuration....

access-list ANY line 8 extended permit icmp any any
access-list ANY line 16 extended permit ip any any

probe tcp PROBE_TCP
interval 30
passdetect interval 60

parameter-map type http HTTP_PARAMETER_MAP
persistence-rebalance

rserver host testvrack1.ovh.net
ip address 172.16.0.1
conn-limit max 50000 min 40000
inservice
rserver host tesvrack2.ovh.net
ip address 172.16.0.2
conn-limit max 50000 min 40000
inservice

serverfarm host FARM_WEB
predictor leastconns
probe PROBE_TCP
rserver testvrack1.ovh.net
inservice

class-map match-all L4-WEB-IP
2 match virtual-address 178.33.8.65 tcp eq www
class-map type management match-all REMOTE_ACCESS
2 match protocol ssh any
class-map type management match-all TEST
2 match protocol icmp any

policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type management first-match TEST_ALLOW
class TEST
permit

policy-map type loadbalance http first-match WEB_L7_POLICY
class class-default
serverfarm FARM_WEB
insert-http x-forward header-value "%is"

policy-map multi-match WEB-to-vIPs
class L4-WEB-IP
loadbalance vip inservice
loadbalance policy WEB_L7_POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 1234
appl-parameter http advanced-options HTTP_PARAMETER_MAP

interface vlan 123
ip address 178.33.8.77 255.255.255.240
access-group input ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input WEB-to-vIPs
no shutdown
interface vlan 1234
ip address 172.31.255.251 255.240.0.0
access-group input ANY
nat-pool 1 172.31.255.250 172.31.255.250 netmask 255.240.0.0 pat
service-policy input TEST_ALLOW
no shutdown



Testing LoadBalancing


Open several telnet sessions to the VIP; successive connections are answered by different servers:
user@machine ~ telnet 178.33.8.65 80
Trying 178.33.8.65...
Connected to 178.33.8.65.
Escape character is '^]'.
GET /


Apache (Debian) Server at 172.16.0.1 Port 80



user@machine ~ telnet 178.33.8.65 80
Trying 178.33.8.65...
Connected to 178.33.8.65.
Escape character is '^]'.
GET /


Apache (Debian) Server at 172.16.0.2 Port 80
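The telnet check above is easy to automate. The following added example (not part of the OVH guide) opens a fresh connection to the VIP for each request, extracts the backend from the "Server at <ip> Port <n>" line of each response and counts how many answers each real server gave, reporting any backend that never answered. It assumes the VIP 178.33.8.65:80 from this guide and that the backends' default page contains that server line; the sample responses embedded in the block are constructed so the parsing and tally can be exercised offline.

```python
import re
import socket
from collections import Counter
from typing import Dict, List, Optional

# Added example (not part of the OVH guide): automate the telnet check by
# opening several connections to the VIP and counting which real server answers.
# Assumptions: the VIP 178.33.8.65:80 from the guide, and that each backend's
# default page contains a line like "Apache (Debian) Server at 172.16.0.1 Port 80".
VIP_HOST = "178.33.8.65"
VIP_PORT = 80
SERVER_LINE = re.compile(r"Server at (\S+) Port (\d+)")


def backend_from_response(body: str) -> Optional[str]:
    """Extract the backend address from the 'Server at <ip> Port <n>' line."""
    m = SERVER_LINE.search(body)
    return m.group(1) if m else None


def tally(responses: List[str]) -> Dict[str, int]:
    """Count responses per backend; unrecognised responses count under 'unknown'."""
    counts = Counter(backend_from_response(r) or "unknown" for r in responses)
    return dict(counts)


def check_distribution(counts: Dict[str, int], expected: List[str]) -> List[str]:
    """Return a list of problems: backends that never answered, unknown answers."""
    problems = [f"{ip} never answered" for ip in expected if counts.get(ip, 0) == 0]
    if counts.get("unknown"):
        problems.append(f"{counts['unknown']} response(s) without a recognisable Server line")
    return problems


def fetch_once(host: str = VIP_HOST, port: int = VIP_PORT, timeout: float = 5.0) -> str:
    """One HTTP/1.0 GET over a fresh TCP connection, so every request is a new
    connection for the ACE to balance, exactly like a new telnet session."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


# Constructed sample responses, mirroring the telnet output above.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\n\r\n<address>Apache (Debian) Server at 172.16.0.1 Port 80</address>",
    "HTTP/1.1 200 OK\r\n\r\n<address>Apache (Debian) Server at 172.16.0.2 Port 80</address>",
    "HTTP/1.1 200 OK\r\n\r\n<address>Apache (Debian) Server at 172.16.0.1 Port 80</address>",
]

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:   # actually connect to the VIP
        responses = [fetch_once() for _ in range(10)]
    else:
        responses = SAMPLE_RESPONSES
    counts = tally(responses)
    print(counts)
    for p in check_distribution(counts, ["172.16.0.1", "172.16.0.2"]):
        print("PROBLEM:", p)
```

Run with `--live` from a host that can reach the VIP; with the leastconns predictor and idle backends the counts should be roughly even, and a backend that never appears usually means its PROBE_TCP check is failing or it is not inservice.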