Cisco ACE （第四篇）

lqmartin

Cisco ACE 第四讲主要介绍ACE的路由模式下的单臂路由。也可以用这个标题；
Basic Load Balancing using One Arm Mode with Source NAT on ACE；
Goal
Configure basic load balancing (Layer 3) where client traffic enters on one VLAN and is source NAT’d and sent out the same VLAN to the servers.  The servers will respond to the ACE, where the server’s IP is replaced with the VIP and the response message is sent to the client via the MSFC.
Design
Clients will send application requests through the MFSC, which routes them to a virtual IP address (VIP) within ACE.  The VIP used in this example resides in an ACE context which is configured with a single VLAN to handle client and server communication.  Client requests will hit the VIP and ACE will pick the appropriate server to handle the request.  ACE will rewrite the destination IP to that of the rserver, and rewrite the source IP with one from a nat-pool.  Once the client request is fully NAT’d it will be sent to the server over the same VLAN which it was originally received.  The server will respond to the ACE, based on the source IP of the request.  The ACE will receive the response, change the source IP to be the VIP, and send it to the MSFC.  The MSFC will forward the response to the client.

Configuration
The ACE needs to be configured via ACLs to allow traffic into the ACE data plane.  After the ACL checks are made a service-policy, which is applied to the interface, is used to classify traffic destined to the VIP.  The VIP is associated to a load balancing action within the multi-match policy.  The load balancing action tells ACE how to handle traffic which has hit a VIP.  In this example all traffic is sent to a serverfarm, where it is distributed in round robin fashion to one of five real servers.  The ACE configuration is layered, such that it builds from the real IPs to applying the VIP on an interface.  Due to this building structure, it is optimal to create the configuration working backwards from how the flow is processed.  Thus, to enable server load balancing you need to configure the following objects:
   1.1 Enable the ACL allow the traffic

ACE-1/onearm(config)# access-list everyone extended permit ip any any
ACE-1/onearm(config)# access-list everyone extended permit icmp any any

1.2 Denfine the Real Servers

ACE-1/onearm(config)# rserver lnx1
ACE-1/onearm(config-rserver-host)# ip add 192.168.5.11
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx2
ACE-1/onearm(config-rserver-host)# ip add 192.168.5.12
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx3
ACE-1/onearm(config-rserver-host)# ip add 192.168.5.13
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx4
ACE-1/onearm(config-rserver-host)# ip add 192.168.5.14
ACE-1/onearm(config-rserver-host)# inservice
ACE-1/onearm(config-rserver-host)# rserver lnx5
ACE-1/onearm(config-rserver-host)# ip add 192.168.5.15
ACE-1/onearm(config-rserver-host)# inservice

1.3 Denfine the ServerFarm

ACE-1/onearm(config-cmap)# serverfarm web
ACE-1/onearm(config-sfarm-host)# rserver lnx1
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx2
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx3
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx4
ACE-1/onearm(config-sfarm-host-rs)# inservice
ACE-1/onearm(config-sfarm-host-rs)# rserver lnx5
ACE-1/onearm(config-sfarm-host-rs)# inservice

1.4 Define the VIP

ACE-1/onearm(config)# class-map slb-vip
ACE-1/onearm(config-cmap)# match virtual-address 172.16.5.100 any
1.5 denfine the policy-map
ACE-1/onearm(config)# policy-map type loadbalance http first-match slb
ACE-1/onearm(config-pmap-lb)# class class-default
ACE-1/onearm(config-pmap-lb-c)# serverfarm web
ACE-1/onearm(config)# policy-map multi-match client-vips
ACE-1/onearm(config-pmap)# class slb-vip
ACE-1/onearm(config-pmap-c)# loadbalance policy slb
ACE-1/onearm(config-pmap-c)# loadbalance vip inservice
ACE-1/onearm(config-pmap-c)# nat dynamic 5 vlan 50

1.6 denfine the vlan
ACE-1/onearm(config)# interface vlan 50
ACE-1/onearm(config-if)# description “Client-Sever VLAN”
ACE-1/onearm(config-if)# ip address 172.16.5.5 255.255.255.0
ACE-1/onearm(config-if)# no shutdown
ACE-1/onearm(config)# interface vlan 50
ACE-1/onearm(config-if)# access-group input everyone
ACE-1/onearm(config-if)# service-policy input client-vips
ACE-1/onearm(config-if)# nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat

注意：上述配置文档为基本的配置文档，其他需要配置信息再次不在列出，如果需要，可以联系MSN或者mail到
coolkingbutterfly@gmail.com




本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/24661/showart_2112854.html