For simple 2-server load balancing based on Cisco ACE with basic TCP health checking, follow this guide.

Required elements:

- 2 (hg/mg/eg) hosts to load balance between
- Professional use option on the servers above (a VLAN is needed between the hosts and the ACE box)
- Cisco ACE box access
- IP RIPE block (only one IP is used here)

Configure the two servers by following the guide http://help.ovh.ie/vrack. First, set the IP 172.16.0.1 on the first machine and 172.16.0.2 on the second machine, and so on.
Then check that your servers can communicate with each other:

    serverA:~# ping -c3 172.16.0.2
    PING 172.16.0.2 (172.16.0.2) 56(84) bytes of data.
    64 bytes from 172.16.0.2: icmp_seq=1 ttl=64 time=0.277 ms
    64 bytes from 172.16.0.2: icmp_seq=2 ttl=64 time=0.261 ms
    64 bytes from 172.16.0.2: icmp_seq=3 ttl=64 time=0.275 ms

    serverB:~# ping -c3 172.16.0.1
    PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
    64 bytes from 172.16.0.1: icmp_seq=1 ttl=64 time=0.277 ms
    64 bytes from 172.16.0.1: icmp_seq=2 ttl=64 time=0.261 ms
    64 bytes from 172.16.0.1: icmp_seq=3 ttl=64 time=0.275 ms

We will now configure the ACE load balancing. Connect to it with the access codes that you received by email:

    user@machine ~ ssh admin@ip_of_load_balancer
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 2002-2009, Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    rbx-99-6k-ace-1/vrack1234#

Enter configuration mode and create a management class-map and policy so that the ACE can be reached over SSH from outside. Replace VOTRE.IP.ADSL.AQUI and the 255.255.xxx.xxx mask with the public address (or range) you will administer the ACE from; this is what restricts SSH access to you:

    rbx-s1-ace/vrack2009# conf t
    Enter configuration commands, one per line. End with CNTL/Z.
    rbx-s1-ace/vrack2009(config)# class-map type management match-all PUBLIC_REMOTE
    rbx-s1-ace/vrack2009(config-cmap-mgmt)# match protocol ssh source-address VOTRE.IP.ADSL.AQUI 255.255.xxx.xxx
    rbx-s1-ace/vrack2009(config-cmap-mgmt)# policy-map type management first-match REMOTE_PUBLIC_MGMT
    rbx-s1-ace/vrack2009(config-pmap-mgmt)# class PUBLIC_REMOTE
    rbx-s1-ace/vrack2009(config-pmap-mgmt-c)# permit
    rbx-s1-ace/vrack2009(config-pmap-mgmt)# interface vlan209
    rbx-s1-ace/vrack2009(config-if)# service-policy input REMOTE_PUBLIC_MGMT
    rbx-s1-ace/vrack2009(config-if)# end
    running config of context saved vrack2009
    Please wait ... compact flash to sync in progress. This may take a few minutes to complete
    Sync Done
First, add the "ANY" access-list to allow ICMP (ping) and TCP for everyone:

    rbx-99-6k-ace-1/vrack1234(config)# access-list ANY line 16 extended permit ip any any

Next, define the interface of the virtual rack for internal use. OVH recommend using the IP range 172.0.0.0/12. Your ACE is intended to run in fault-tolerant (FT) mode, so it is important to know that if the first router fails, the second router must be able to take over. This only works when the interfaces are configured on both routers, and that configuration is included in the example too:
So let's add the first private network interface:

    rbx-99-6k-ace-1/vrack1234(config)# interface vlan 1234

(replacing 1234 with the tag of your virtual rack)

Add the private address to this interface:

    rbx-99-6k-ace-1/vrack1234(config-if)# ip address 172.31.255.251 255.240.0.0

Add the IP that will be carried by the second router:

Set the alias for the two IPs above:

The three steps above set the private IP of the interface vlan on ROUTER1 and on ROUTER2, and the 'floating' IP (alias) shared by the two. We still need to add the nat-pool. Here we use port address translation (PAT) towards the real servers:

    rbx-99-6k-ace-1/vrack1234(config-if)# nat-pool 1 172.31.255.250 172.31.255.250 netmask 255.240.0.0 pat

Then activate the interface and allow ping:

    rbx-99-6k-ace-1/vrack1234(config-if)# no shutdown

Make sure your servers A and B can be reached from the ACE through the virtual rack:

    rbx-s1-ace/vrack2199# ping 172.16.0.1
    Pinging 172.16.0.1 with timeout = 2, count = 5, size = 100 ....
    Response from 172.16.0.1 : seq 1 time 0.295 ms
    Response from 172.16.0.1 : seq 2 time 0.161 ms
    Response from 172.16.0.1 : seq 3 time 0.080 ms
    Response from 172.16.0.1 : seq 4 time 0.160 ms
    Response from 172.16.0.1 : seq 5 time 0.176 ms
    5 packet sent, 5 responses received, 0% packet loss
    rbx-s1-ace/vrack2199# ping 172.16.0.2
    Pinging 172.16.0.2 with timeout = 2, count = 5, size = 100 ....
    Response from 172.16.0.2 : seq 1 time 0.392 ms
    Response from 172.16.0.2 : seq 2 time 0.378 ms
    Response from 172.16.0.2 : seq 3 time 0.338 ms
    Response from 172.16.0.2 : seq 4 time 0.302 ms
    Response from 172.16.0.2 : seq 5 time 0.276 ms
    5 packet sent, 5 responses received, 0% packet loss

Above all, we ask the ACE to check that your machines are working. We define PROBE_TCP with an interval of 30 seconds between probes, and 60 seconds between retries once a server has failed (passdetect):

    rbx-99-6k-ace-1/vrack1234(config)# probe tcp PROBE_TCP
      interval 30
      passdetect interval 60

Declare the real servers. We announce the load-balanced machines with their IP and the connection protocol to follow.
In this example, we put a connection limit of 50,000 on each server to prevent overload:

    rbx-99-6k-ace-1/vrack1234(config)# rserver host SERVER1 # replace SERVER1 with the name of your first server
      ip address 172.16.0.1
      conn-limit max 50000 min 40000
      inservice
    rbx-99-6k-ace-1/vrack1234(config)# rserver host SERVER2 # replace SERVER2 with the name of your second server
      ip address 172.16.0.2
      conn-limit max 50000 min 40000
      inservice

Create a server farm. In this example the farm is named FARM_WEB; we use the "leastconns" predictor, which balances on the number of open connections per server, and attach the PROBE_TCP configured earlier:

    serverfarm host FARM_WEB
      predictor leastconns
      probe PROBE_TCP
      rserver SERVER1 # replace SERVER1 with the name of your first server
        inservice
      rserver SERVER2 # replace SERVER2 with the name of your second server
        inservice

Set the HTTP parameter map. This instructs the ACE to perform HTTP header modifications and to send each new request to a potentially different real server:

    parameter-map type http HTTP_PARAMETER_MAP
      persistence-rebalance

Now set a class-map that selects the inbound traffic. Here we use the IP 178.33.8.65 (one of the IPs of the RIPE block) and port 80 (www):

    class-map match-all L4-WEB-IP
      2 match virtual-address 178.33.8.65 tcp eq www

Next, the policy-map that inserts the client source IP into an HTTP header while sending traffic to the server farm. We name it WEB_L7_POLICY:

    policy-map type loadbalance http first-match WEB_L7_POLICY
      class class-default
        serverfarm FARM_WEB
        insert-http x-forward header-value "%is"

Combine the class-map L4-WEB-IP, WEB_L7_POLICY and HTTP_PARAMETER_MAP in a multi-match policy and apply them:

    policy-map multi-match WEB-to-vIPs
      class L4-WEB-IP
        loadbalance vip inservice
        loadbalance policy WEB_L7_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 1234 # replace 1234 with your virtual rack tag
        appl-parameter http advanced-options HTTP_PARAMETER_MAP

Apply the service-policy and the access-list to the incoming (public) interface vlan:

    interface vlan 123
      service-policy input WEB-to-vIPs
      access-group input ANY

Your configuration should now look like this (178.33.8.77 is the administration IP used to access the ACE load balancer):

    Generating configuration....
    access-list ANY line 8 extended permit icmp any any
    access-list ANY line 16 extended permit ip any any

    probe tcp PROBE_TCP
      interval 30
      passdetect interval 60

    parameter-map type http HTTP_PARAMETER_MAP
      persistence-rebalance

    rserver host testvrack1.ovh.net
      ip address 172.16.0.1
      conn-limit max 50000 min 40000
      inservice
    rserver host tesvrack2.ovh.net
      ip address 172.16.0.2
      conn-limit max 50000 min 40000
      inservice

    serverfarm host FARM_WEB
      predictor leastconns
      probe PROBE_TCP
      rserver testvrack1.ovh.net
        inservice

    class-map match-all L4-WEB-IP
      2 match virtual-address 178.33.8.65 tcp eq www
    class-map type management match-all REMOTE_ACCESS
      2 match protocol ssh any
    class-map type management match-all TEST
      2 match protocol icmp any

    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    policy-map type management first-match TEST_ALLOW
      class TEST
        permit

    policy-map type loadbalance http first-match WEB_L7_POLICY
      class class-default
        serverfarm FARM_WEB
        insert-http x-forward header-value "%is"

    policy-map multi-match WEB-to-vIPs
      class L4-WEB-IP
        loadbalance vip inservice
        loadbalance policy WEB_L7_POLICY
        loadbalance vip icmp-reply active
        nat dynamic 1 vlan 1234
        appl-parameter http advanced-options HTTP_PARAMETER_MAP

    interface vlan 123
      ip address 178.33.8.77 255.255.255.240
      access-group input ANY
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input WEB-to-vIPs
      no shutdown
    interface vlan 1234
      ip address 172.31.255.251 255.240.0.0
      access-group input ANY
      nat-pool 1 172.31.255.250 172.31.255.250 netmask 255.240.0.0 pat
      service-policy input TEST_ALLOW
      no shutdown

Note that the REMOTE_ACCESS class in this dump matches SSH from any source; the PUBLIC_REMOTE class created at the start, which restricts SSH to your own source address, is the more restrictive choice for the management policy.

Make several telnet sessions to the VIP; successive connections should be answered by each of the two servers in turn:

    user@machine ~] telnet 178.33.8.65 80
    Trying 178.33.8.65...
    Connected to 178.33.8.65.
    Escape character is '^]'.
    GET /
    Apache (Debian) Server at 172.16.0.1 Port 80

    user@machine ~] telnet 178.33.8.65 80
    Trying 178.33.8.65...
    Connected to 178.33.8.65.
    Escape character is '^]'.
    GET /
    Apache (Debian) Server at 172.16.0.2 Port 80
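The TCP probe, the leastconns predictor and the conn-limit max/min pair configured above interact in a way the configuration listing alone does not show. The following Python model is an added example, not OVH's or Cisco's code: it probes a real TCP listener the way `probe tcp` does (connect, then close), schedules the next probe at `interval 30` while the server passes and at `passdetect interval 60` once it has failed, and picks the real server with the fewest open connections while honouring the hysteresis of `conn-limit max`/`min` (a server that reaches max is left out of rotation until it falls back to min). The loopback listener, the farm and the tiny connection limits in `demo()` are constructed for the example; the interval values and server names are the page's.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

# Values from the page's configuration:
#   probe tcp PROBE_TCP / interval 30 / passdetect interval 60
PROBE_INTERVAL = 30        # seconds between probes while a server passes
PASSDETECT_INTERVAL = 60   # seconds between retries once it has failed


@dataclass
class RServer:
    """One 'rserver host' entry with its conn-limit and probe state."""
    name: str
    ip: str
    port: int = 80
    conn_max: int = 50000      # conn-limit max
    conn_min: int = 40000      # conn-limit min
    active: int = 0            # connections currently open through the VIP
    probe_ok: bool = True      # last PROBE_TCP verdict
    throttled: bool = False    # reached conn_max; excluded until back at conn_min

    def usable(self) -> bool:
        return self.probe_ok and not self.throttled


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """TCP-connect probe: the server passes if the handshake completes."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_probe(server: RServer) -> int:
    """Probe once, record the verdict, return seconds until the next probe."""
    server.probe_ok = tcp_probe(server.ip, server.port)
    return PROBE_INTERVAL if server.probe_ok else PASSDETECT_INTERVAL


def open_conn(server: RServer) -> None:
    """New client connection; reaching conn_max takes the server out of rotation."""
    server.active += 1
    if server.active >= server.conn_max:
        server.throttled = True


def close_conn(server: RServer) -> None:
    """Connection closed; the server is re-admitted once it falls to conn_min."""
    server.active -= 1
    if server.throttled and server.active <= server.conn_min:
        server.throttled = False


def leastconns(farm: List[RServer]) -> Optional[RServer]:
    """predictor leastconns: the usable rserver with the fewest open connections."""
    candidates = [s for s in farm if s.usable()]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s.active)


def start_listener() -> socket.socket:
    """Throwaway loopback TCP listener on a free port, standing in for Apache."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo() -> dict:
    """Walk the configured behaviour end to end and return what was observed."""
    listener = start_listener()
    port = listener.getsockname()[1]
    # Constructed farm: the page's server names, small limits so the hysteresis shows.
    a = RServer("SERVER1", "127.0.0.1", port, conn_max=4, conn_min=2)
    b = RServer("SERVER2", "127.0.0.1", port, conn_max=4, conn_min=2)
    farm = [a, b]
    seen = {}
    seen["delay_while_up"] = run_probe(a)              # listener answers -> 30
    seen["first_pick"] = leastconns(farm).name         # tie on 0 -> SERVER1
    for _ in range(3):
        open_conn(a)
    seen["pick_under_load"] = leastconns(farm).name    # SERVER2 has fewer
    open_conn(a)                                       # SERVER1 hits conn_max
    seen["a_throttled"] = a.throttled
    b.probe_ok = False                                 # pretend SERVER2 failed its probe
    seen["pick_when_none_usable"] = leastconns(farm)   # None: nothing to send to
    close_conn(a)
    close_conn(a)                                      # back down to conn_min
    seen["a_readmitted"] = a.usable()
    listener.close()
    seen["delay_after_failure"] = run_probe(b)         # connection refused -> 60
    return seen


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `pick_when_none_usable` step is the case worth noticing: with one server throttled by its conn-limit and the other failed by the probe, the farm has nothing to hand a new connection to, which is the situation the 50,000/40,000 pair on the page is sized to keep rare.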
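Because `insert-http x-forward header-value "%is"` writes the client source address into a header and `nat dynamic 1` hides the client behind the nat-pool, the real servers only learn who the client is from that header. The following Python code is an added example, not from the page or from OVH, of how a backend should consume it: the header is believed only when the TCP peer is 172.31.255.250 (assumed here to be the address the real servers see after PAT from `nat-pool 1`), and only when its value parses as an address; a request arriving directly over the vRack, or carrying a malformed value, is attributed to the TCP peer instead. The header name is the one the page configures; the header parser and the sample requests are constructed for the example.

```python
import ipaddress
from typing import Dict

# Assumption for this example: the ACE does dynamic NAT/PAT from nat-pool 1,
# so the real servers see 172.31.255.250 as the TCP peer of every balanced
# request. Only that peer is allowed to set the client-address header.
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.255.250/32")]
# Header written by the ACE: insert-http x-forward header-value "%is"
HEADER_NAME = "x-forward"


def parse_headers(raw: bytes) -> Dict[str, str]:
    """Minimal HTTP/1.x header parser: names lower-cased, repeated headers
    joined with ', ' in the order they appeared."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def client_ip(peer_addr: str, headers: Dict[str, str]) -> str:
    """Address a backend should log, rate-limit or ACL on for this request."""
    peer = ipaddress.ip_address(peer_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        # Did not come through the ACE (e.g. straight over the vRack):
        # any header present is client-supplied, so the peer is the client.
        return peer_addr
    value = headers.get(HEADER_NAME)
    if value is None:
        return peer_addr
    # In a comma-separated chain the rightmost entry is the one added by the
    # nearest (trusted) proxy; anything to its left is client-controlled.
    candidate = value.rsplit(",", 1)[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_addr            # malformed value: refuse to trust it


def request_client_ip(peer_addr: str, raw_request: bytes) -> str:
    """Raw request bytes in, attributed client address out."""
    return client_ip(peer_addr, parse_headers(raw_request))


# Constructed sample requests (not captured traffic).
VIA_ACE = (b"GET / HTTP/1.1\r\nHost: 178.33.8.65\r\n"
           b"x-forward: 203.0.113.7\r\n\r\n")
SPOOF_DIRECT = (b"GET / HTTP/1.1\r\nHost: 172.16.0.1\r\n"
                b"X-Forward: 203.0.113.7\r\n\r\n")
MALFORMED = b"GET / HTTP/1.1\r\nX-Forward: not-an-address\r\n\r\n"
CHAINED = (b"GET / HTTP/1.1\r\nX-Forward: 198.51.100.9\r\n"
           b"X-Forward: 203.0.113.7\r\n\r\n")

if __name__ == "__main__":
    print(request_client_ip("172.31.255.250", VIA_ACE))      # 203.0.113.7
    print(request_client_ip("172.16.0.2", SPOOF_DIRECT))      # 172.16.0.2
    print(request_client_ip("172.31.255.250", MALFORMED))     # 172.31.255.250
    print(request_client_ip("172.31.255.250", CHAINED))       # 203.0.113.7
```

The same rule applies to whatever reads the Apache logs on the two servers: the `x-forward` value is meaningful only for connections whose source is the nat-pool address, so log both the peer and the header rather than silently replacing one with the other.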