Configure the ACE in Routed Mode with L7 Policies

19 September 2015 - Machine Translation

Introduction

This document provides a sample configuration for the Application Control Engine (ACE) module configured in routed mode with Layer 7 (L7) policies. The ACE makes a load-balancing decision based on specific content in the URL.

This sample uses two contexts:

  • The Admin context is used for remote management and the fault tolerant (FT) configuration.

  • The C1 context is used for load balancing.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document uses this network setup:

http://www.cisco.com/c/dam/en/us/support/docs/interfaces-modules/ace-application-control-engine-module/107400-ace-l7-policies1-107400.gif

Configurations

This document uses these configurations:

  • Catalyst 6500 — Slot 2 ACE, context C1

  • Catalyst 6500 — Slot 2 ACE, Admin context

  • Catalyst 6500 — MSFC configuration

ACE Context C1
switch/C1#show running-config
Generating configuration....




access-list any line 8 extended permit icmp any any 
access-list any line 16 extended permit ip any any 



!--- Access-list to permit or deny traffic from entering the ACE.
 


probe http WEB_SERVERS
  interval 5
  passdetect interval 10
  passdetect count 2
  request method get url /index.html
  expect status 200 200



!--- http probe used to detect the status of the web servers.



rserver host S1
  ip address 192.168.0.200
  inservice
rserver host S2
  ip address 192.168.0.201
  inservice
rserver host S3
  ip address 192.168.0.202
  inservice
rserver host S4
  ip address 192.168.0.203
  inservice

serverfarm host SF-1
  probe WEB_SERVERS
  rserver S1
    inservice
  rserver S2
    inservice
  rserver S3
    inservice
  rserver S4
    inservice



!--- Serverfarm used for traffic that matches the default class-map.
!--- Client traffic that does not match “/abc*” or “/xyz*” 
!--- uses this serverfarm.



serverfarm host SF-ABC
  probe WEB_SERVERS
  rserver S1
    inservice
  rserver S2
    inservice



!--- Serverfarm used to match traffic for /abc* content.



serverfarm host SF-XYZ
  probe WEB_SERVERS
  rserver S3
    inservice
  rserver S4
    inservice



!--- Serverfarm used to match traffic for /xyz* content.



class-map match-all L4VIPCLASS
  2 match virtual-address 172.16.0.15 tcp eq www



!--- Layer 4 class-map that defines the IP address and port.



class-map type http loadbalance match-all L7CLASS-ABC
  2 match http url /abc/*
class-map type http loadbalance match-all L7CLASS-XYZ
  2 match http url /xyz/*



!--- Layer 7 class-map that defines specific content 
!--- on which to parse.



class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any



!--- Remote management class-map that defines 
!--- what protocols can manage the ACE.



policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit

policy-map type loadbalance http first-match WEB_L7_POLICY
  class L7CLASS-ABC
    serverfarm SF-ABC
  class L7CLASS-XYZ
    serverfarm SF-XYZ
  class class-default
    serverfarm SF-1


!--- Layer 7 policy-map that specifies serverfarms 
!--- for different layer 7 content.
!--- class-default is used if the traffic does 
!--- not match any of the layer 7 class-maps.



policy-map multi-match VIPs
  class L4VIPCLASS
    loadbalance vip inservice
    loadbalance policy WEB_L7_POLICY
    loadbalance vip icmp-reply active
    loadbalance vip advertise active



!--- Multi-match policy ties the class-maps and policy-maps together.



interface vlan 240
  ip address 172.16.0.130 255.255.255.0
  alias 172.16.0.128 255.255.255.0
  peer ip address 172.16.0.131 255.255.255.0
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
  no shutdown


!--- Client side VLAN. This is the VLAN clients enter the ACE. 
!--- Apply access-lists and policies that are needed on this interface.



interface vlan 511
  ip address 192.168.0.130 255.255.255.0
  alias 192.168.0.128 255.255.255.0
  peer ip address 192.168.0.131 255.255.255.0
  no shutdown



!--- Server side VLAN.
!--- Alias is used for the servers default gateway.



ip route 0.0.0.0 0.0.0.0 172.16.0.1



!--- Default gateway points to the MSFC.




switch/C1#

ACE Admin Context
switch/Admin#show running-config
Generating configuration....



boot system image:c6ace-t1k9-mz.A2_1_0a.bin

resource-class RC1
  limit-resource all minimum 50.00 maximum equal-to-min



!--- Resource-class used to limit the amount of resources a specific context
!--- can use.



access-list any line 8 extended permit icmp any any 
access-list any line 16 extended permit ip any any 


rserver host test

class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any


policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit


interface vlan 240
  ip address 172.16.0.4 255.255.255.0
  alias 172.16.0.10 255.255.255.0
  peer ip address 172.16.0.5 255.255.255.0
  access-group input any
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
interface vlan 511
  ip address 192.168.0.4 255.255.255.0
  alias 192.168.0.10 255.255.255.0
  peer ip address 192.168.0.5 255.255.255.0
  access-group input any
  no shutdown

ft interface vlan 550
  ip address 192.168.1.4 255.255.255.0
  peer ip address 192.168.1.5 255.255.255.0
  no shutdown



!--- VLAN used for fault tolerant traffic. 



ft peer 1
  heartbeat interval 300
  heartbeat count 10
  ft-interface vlan 550



!--- FT peer definition that defines heartbeat parameters and to associate
!--- the FT VLAN.



ft group 1
  peer 1
  peer priority 90
  associate-context Admin
  inservice



!--- FT group used for Admin context.



ip route 0.0.0.0 0.0.0.0 172.16.0.1

context C1
  allocate-interface vlan 240
  allocate-interface vlan 511
  member RC1



!--- Allocate VLANs the C1 context uses.


  
ft group 2
  peer 1
  no preempt
  associate-context C1
  inservice



!--- FT group used for the load balancing C1 context.



username admin password 5 $1$faXJEFBj$TJR1Nx7sLPTi5BZ97v08c/  role Admin domain default-domain
username www password 5 $1$UZIiwUk7$QMVYN1JASaycabrHkhGcS/  role Admin domain default-domain

switch/Admin#
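
Both contexts above bind REMOTE_MGMT_ALLOW_POLICY to VLAN 240 with a class-map that matches telnet, snmp and http from any source. The following is an added example, not part of the original Cisco document: a Python audit that traces interface -> management policy-map -> class-map and reports those exposures. The sample config is excerpted from the C1 context, and the set of protocols treated as cleartext is this example's assumption.

```python
import re
# Constructed sample: management-plane lines excerpted from the C1 context above.
SAMPLE_CONFIG = """\
class-map type management match-any REMOTE_ACCESS
  2 match protocol ssh any
  3 match protocol telnet any
  4 match protocol icmp any
  5 match protocol snmp any
  6 match protocol http any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
    permit
interface vlan 240
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input VIPs
"""
CLEARTEXT = {"telnet", "http", "snmp"}  # assumption: what this audit flags as cleartext

def parse_blocks(config):
    """Group indented lines under their unindented header line."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and "!---" annotations
        if not line[0].isspace():
            header = line.strip()
            blocks[header] = []
        elif header:
            blocks[header].append(line.strip())
    return blocks

def audit_management(config):
    """Return sorted (interface, protocol) pairs: cleartext management permitted from any source."""
    blocks = parse_blocks(config)
    classes, policies, findings = {}, {}, set()
    for header, body in blocks.items():
        kind, _, name = header.rpartition(" ")
        if kind.startswith("class-map type management"):
            classes[name] = {l.split()[3] for l in body if re.match(r"\d+ match protocol \S+ any$", l)}
        elif kind.startswith("policy-map type management"):
            # a class is allowed when the line following "class X" is "permit"
            policies[name] = [body[i].split()[1] for i in range(len(body) - 1)
                              if body[i].startswith("class ") and body[i + 1] == "permit"]
    for header, body in blocks.items():
        if header.startswith("interface "):
            for policy in re.findall(r"^service-policy input (\S+)$", "\n".join(body), re.M):
                for cls in policies.get(policy, []):
                    findings |= {(header, p) for p in classes.get(cls, set()) & CLEARTEXT}
    return sorted(findings)
```

Run it over a saved running-config for each context; an empty list means no interface accepts the flagged protocols from `any`.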

Router Configuration

!--- Only portions of the config relevant to the 
!--- ACE are displayed.


sf-cat1-7606#show run
Building configuration...


!--- Output Omitted.


svclc multiple-vlan-interfaces
svclc module 2 vlan-group 2
svclc vlan-group 2  220,240,250,510,511,520,540,550

!




!--- Before the ACE can receive traffic from the supervisor engine 
!--- in the Catalyst 6500 or Cisco 6600 series router, you must create VLAN 
!--- groups on the supervisor engine, and then assign the groups to the ACE. 
!--- Add vlans to the vlan-group that are needed for ALL contexts on the ACE.



interface Vlan240
 description public-vip-172.16.0.x 
 ip address 172.16.0.2 255.255.255.0
 standby ip 172.16.0.1
 standby priority 20
 standby name ACE_slot2

!

!--- SVI (Switch Virtual Interface). The standby address is the default 
!--- gateway for the ACE.

!--- Output Omitted.


sf-cat1-7606#

Verify

Use this section to confirm that your configuration works properly.

The Output Interpreter Tool (registered customers only) (OIT) supports certain show commands. Use the OIT to view an analysis of show command output.

  • show serverfarm — Displays information about the serverfarm and the state of the rservers.

    This example provides sample output:

    switch/C1# show serverfarm SF-1
     serverfarm     : SF-1, type: HOST
     total rservers : 4
    
     ---------------------------------
                                                    ----------connections-----------
           real                  weight state        current    total      failures
       ---+---------------------+------+------------+----------+----------+---------
       rserver: S1
           192.168.0.200:0       8      OPERATIONAL  0          57         0
       rserver: S2
           192.168.0.201:0       8      OPERATIONAL  0          57         0
       rserver: S3
           192.168.0.202:0       8      OPERATIONAL  0          56         0
       rserver: S4
           192.168.0.203:0       8      OPERATIONAL  0          56         0
  • show service-policy name detail — Displays information about the multi-match policy, which includes the state of the VIP, the hit count for Layer 7 class-maps, and dropped connections.

    This example provides sample output:

    switch/C1#show service-policy VIPs detail 
    -----------------------------------------
    Interface: vlan 240 
      service-policy: VIPs
        class: L4VIPCLASS
         VIP Address:    Protocol:  Port:
         172.16.0.15     tcp        eq    80   
          loadbalance:
            L7 loadbalance policy: WEB_L7_POLICY
            VIP Route Metric     : 77
            VIP Route Advertise  : ENABLED-WHEN-ACTIVE
            VIP ICMP Reply       : ENABLED-WHEN-ACTIVE
            VIP State: INSERVICE
    
    
    !--- VIP State: Inservice shows the policy is ready
    !--- to accept traffic.
    !--- There must be at least one rserver inservice for the policy
    !--- to show “Inservice”.
    
    
            curr conns       : 1         , hit count        : 233       
            dropped conns    : 0         
            client pkt count : 1202      , client byte count: 142327              
            server pkt count : 1213      , server byte count: 1206796             
            conn-rate-limit      : 0         , drop-count : 0         
            bandwidth-rate-limit : 0         , drop-count : 0         
            L7 Loadbalance policy : WEB_L7_POLICY
              class/match : L7CLASS-ABC
                LB action : 
                   primary serverfarm: SF-ABC
                        state: UP
                    backup serverfarm : -
                hit count        : 3         
                dropped conns    : 0  
    
    
     !--- Client traffic that matches the layer7 class-map matching /abc*
    
          
              class/match : L7CLASS-XYZ
                LB action : 
                   primary serverfarm: SF-XYZ
                        state: UP
                    backup serverfarm : -
                hit count        : 3         
                dropped conns    : 0  
    
    
     !--- Client traffic that matches the layer7 class-map matching /xyz*
    
          
              class/match : class-default
                LB action : 
                   primary serverfarm: SF-1
                        state: UP
                    backup serverfarm : -
                hit count        : 226       
                dropped conns    : 0  
        
    
    !--- Client traffic that matches the default class-map.
    
    
    switch/C1#
  • show conn — Displays current connections on the ACE.

    This example provides sample output:

    switch/C1#show conn
    
    total current connections : 2
    
    conn-id    np dir proto vlan source                destination           state
    ----------+--+---+-----+----+---------------------+---------------------+------+
    11         2  in  TCP   240  172.16.1.10:2142    172.16.0.15:80        ESTAB
    10         2  out TCP   511  192.168.0.203:80      172.16.1.10:2142    ESTAB
    switch/C1#

Troubleshoot

There is currently no specific troubleshooting information available for this configuration.


Document ID: 107400