Copyright 2009 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture.
4Gbps Throughput
multiple-vlan-interfaces
module 1 vlan-group 1,2,
vlan-group 1 10,20
vlan-group 2 30,40
context CIO-CHP-BANG6-LB1A   !## Create VDC
  description CIO LB CONTEXT
  allocate-interface vlan 502   !## Allocate VLAN Interface to VDC
  allocate-interface vlan 802
  member ClassA   !## Assign Resource Class to Context
ft group 2   !## Create FT Group for VDC
  peer 1
  priority 115
  peer priority 105
  associate-context CIO-CHP-BANG6-LB1A
  inservice
Virtual IP address
Real Servers
Server Farms
Load Balancing Algorithm
Class Maps
Policy Maps
Service Policies
Persistence (Optional)
Probes
The configuration model is akin to the Modular QoS Command-line (MQC) in Cisco IOS or the Modular Policy Framework (MPF) on Cisco firewalls.
The functionality is slightly different but the concepts are the same.
The following slide contains a base load balancing policy which demonstrates the configuration of all the above components for a site listening for SSL/TLS requests.
!## set the expected healthy status code from the server
rserver host SVR1
  ip address 10.1.1.1
  inservice   !## Enable Server
rserver host SVR2
  ip address 10.1.1.2
  inservice
sticky ip-netmask 255.255.255.255 address source APP1.accenture.com_STICKY   !## Enable src ip sticky
  timeout 30   !## Set sticky table timeout
  replicate sticky   !## Ensure sticky table is replicated across cluster
  serverfarm SFARM1   !## State which farm to apply stickiness to
Note: The above load balancing policy will not work until the service-policy is applied to the interface.
The service-policy is generally applied to the public-facing VLAN interface (depending on design).
Hardware
  Cisco ACE (slot: 1)
  cpu info:
    number of cpu(s): 2
    cpu type: SiByte
    cpu: 0, model: SiByte SB1 V0.2, speed: 700 MHz
    cpu: 1, model: SiByte SB1 V0.2, speed: 700 MHz
  memory info:
    total: 956180 kB, free: 245800 kB
    shared: 0 kB, buffers: 5048 kB, cached 0 kB
  cf info:
    filesystem: /dev/cf
    total: 1014624 kB, used: 418464 kB, available: 596160 kB
last boot reason: reload command by admin
configuration register: 0x1
CHP-BANG6-LB1A kernel uptime is 55 days 0 hour 36 minute(s) 8 second(s)
CHP-BANG6-LB1A/Admin#
Show license
Count
----
5000
20
4
CHP-BANG6-LB1A/Admin#
CIO-DEV-BANG6-WEB-LB1A
2
in-service
MAINT_MODE_OFF
FSM_FT_STATE_ACTIVE
115
115
Enabled
FSM_FT_STATE_STANDBY_COLD
105
105
Enabled
1
Wed Dec 17 10:40:28 2008
Enabled
Peer in Cold State. Incremental Sync Failure: SSL Certificate does not exist
Enabled
Peer in Cold State. Incremental Sync Failure: SSL Certificate does not exist
ft auto-sync running
ft auto-sync startup
auto-sync running
auto-sync startup
ft group detail
Below is a truncated version of the successful output after the certificates have been imported and both the running and startup configurations re-synced.
Context Name             : CIO-DEV-BANG6-WEB-LB1A
Configured Status        : in-service
My State                 : FSM_FT_STATE_ACTIVE
My Preempt               : Enabled
Peer State               : FSM_FT_STATE_STANDBY_HOT
Peer Preempt             : Enabled
Running cfg sync enabled : Enabled
Running cfg sync status  : Running configuration sync has completed
Startup cfg sync enabled : Enabled
Startup cfg sync status  : Startup configuration sync has completed
Note: During device synchronisation, configuration mode is disabled and the following messages will be displayed.
Configuration mode is currently disabled
NOTE: Configuration mode is enabled on all sessions
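Added example (not part of the original slides): a Python check that parses the "Label : value" lines of the FT group detail output and flags the failure shown above, that is, an active unit whose peer is not in STANDBY_HOT or whose configuration sync reports a failure. The function names and the sample text are constructed for illustration; the labels and values are the ones shown on this page.

```python
import re

# Labels are the ones printed in the FT group output on this page.
HOT = "FSM_FT_STATE_STANDBY_HOT"
SYNC_FIELDS = ("Running cfg sync status", "Startup cfg sync status")

def parse_ft_detail(text):
    """Return one {label: value} dict per 'Context Name' block."""
    contexts = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*\S)?\s*$", line)
        if not m:
            continue
        label, value = m.group(1), m.group(2) or ""
        if label == "Context Name":
            contexts.append({})
        if contexts:
            contexts[-1][label] = value
    return contexts

def ft_findings(text):
    """List (context, issue, evidence) for an active unit whose standby
    could not take over with a complete configuration."""
    findings = []
    for ctx in parse_ft_detail(text):
        name = ctx.get("Context Name", "?")
        if ctx.get("My State") == "FSM_FT_STATE_ACTIVE" and ctx.get("Peer State") != HOT:
            findings.append((name, "peer-not-hot", ctx.get("Peer State", "")))
        for field in SYNC_FIELDS:
            if "Failure" in ctx.get(field, ""):
                findings.append((name, "sync-failure", ctx[field]))
    return findings

# Constructed sample input, built from the field values shown on this page.
TEMPLATE = """\
Context Name             : CIO-DEV-BANG6-WEB-LB1A
Configured Status        : in-service
My State                 : FSM_FT_STATE_ACTIVE
Peer State               : {peer}
Running cfg sync enabled : Enabled
Running cfg sync status  : {run}
Startup cfg sync enabled : Enabled
Startup cfg sync status  : {start}
"""
CERT_ERR = "Peer in Cold State. Incremental Sync Failure: SSL Certificate does not exist"
COLD = TEMPLATE.format(peer="FSM_FT_STATE_STANDBY_COLD", run=CERT_ERR, start=CERT_ERR)
SYNCED = TEMPLATE.format(peer=HOT, run="Running configuration sync has completed",
                         start="Startup configuration sync has completed")

if __name__ == "__main__":
    for finding in ft_findings(COLD):
        print(finding)
```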
Show logging - needs to be enabled with a logging level to function
Show conn - shows the state table for current connections through the device
Capture - captures traffic through the device based on an access-list, interface, etc.
CHP-BANG6-LB1A/Admin# sh logging
Syslog logging:       enabled
Facility:             20
History logging:      disabled
Trap logging:         disabled
Timestamp logging:    enabled
Fastpath logging:     disabled
Console logging:      disabled
Monitor logging:      disabled
Logging to 10.200.86.25 udp/514
Device ID:            disabled
Reject-newconn:
  rate-limit-reached: disabled
  tcp-queue-full:     disabled
  cp-buffer-full:     disabled
Buffered logging:     enabled (level - warnings) maximum size 4096
Buffer info: current size - 4096 global pool - 4194304 used pool - 4194304
             min - 0 max - 4096
             cur ptr = 1536 wrapped - yes
This output is truncated and will be followed by the log buffer contents.
Show conn
Show conn detail
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# sh conn
total current connections : 218
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
393        1  in  UDP   309  10.200.116.7:50218    10.200.87.65:53       -
753        1  out UDP   360  10.200.87.65:53       10.200.116.7:50218    -
913        1  in  TCP   309  10.200.116.43:3083    170.252.165.50:5615   ESTAB
408        1  out TCP   360  170.252.165.50:5615   10.200.116.43:3083    ESTAB
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# sh conn detail
total current connections : 212
conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
393        1  in  UDP   309  10.200.116.7:50218    10.200.87.65:53       -
           [ idle time   : 00:00:44,   byte count  : 76    ]
           [ elapsed time: 00:00:44,   packet count: 1     ]
913        1  in  TCP   309  10.200.116.43:3083    170.252.165.50:5615   ESTAB
           [ idle time   : 00:00:55,   byte count  : 42753 ]
           [ elapsed time: 18:22:44,   packet count: 338   ]
This output is truncated.
Capture
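This example shows how to capture traffic through the device in real time with the capture command, using an access-list to filter the traffic. The access-list in this example permits ip any any, so everything crossing VLAN 360 is captured; a narrower access-list restricts the capture to the traffic of interest.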
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A(config)# access-l stu ext permit ip any any
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# capture STUCAP int vlan 360 access-list stu
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# capture STUCAP start
13:21:11.880025 0:1d:70:58:b6:40 0:b:fc:fe:1b:7 0800 74: 10.10.140.36 > 10.200.116.50: icmp: echo request (ttl 114, id 22207, len 60)
13:21:11.880404 0:b:fc:fe:1b:7 0:50:56:90:24:81 0800 74: 10.10.140.36 > 10.200.116.50: icmp: echo request (ttl 114, id 22207, len 60)
13:21:11.880763 0:50:56:90:24:81 0:b:fc:fe:1b:7 0800 74: 10.200.116.50 > 10.10.140.36: icmp: echo reply (ttl 128, id 6314, len 60)
13:21:11.881136 0:b:fc:fe:1b:7 0:0:c:7:ac:5a 0800 74: 10.200.116.50 > 10.10.140.36: icmp: echo reply (ttl 128, id 6314, len 60)
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# capture STUCAP stop
CHP-BANG6-LB1A/CIO-DEV-BANG6-WEB-LB1A# sh cap STUCAP
0007: msg_type: ACE_HIT    ace_id: 1049633     action_flag: 0x3
0008: msg_type: CON_SETUP  con_id: 1107299107  out_con_id: 16780023
0009: msg_type: PKT_RCV    con_id: 1107299107  other_con_id: 0
0010: msg_type: PKT_XMT    con_id: 16780023    other_con_id: 0
0011: msg_type: PKT_RCV    con_id: 16780023    other_con_id: 0
0012: msg_type: PKT_XMT    con_id: 1107299107  other_con_id: 0
0013: msg_type: ACE_HIT    ace_id: 1049633     action_flag: 0x3
0014: msg_type: CON_CLOSE  con_id: 1090521171  reason: 0
Show probe - displays the status of probes for individual server farms / real servers.
probe       : PING
type        : ICMP
state       : ACTIVE
---------------------------------------------
   port      : 0         address     : 0.0.0.0     addr type  :
   interval  : 30        pass intvl  : 300         pass count : 3
   fail count: 3         recv timeout: 10
   --------------------- probe results -------------------
   probe association   probed-address  probes     failed     passed     health
   ------------------- ---------------+----------+----------+----------+------
   serverfarm  : AbacusLite-DIME-Bang6.accenture.com
     real      : TSTPVH1001-2[0]
                       10.200.102.36   79640      3          79637      SUCCESS
   serverfarm  : AbacusLite-Test-Bang6.accenture.com
     real      : TSTPVH1001-1[0]
                       10.200.102.35   72473      3          72470      SUCCESS
Policy-map : MTPOC_LB_POL
Status     : ACTIVE
Description:
----------------------------------------
Interface: vlan 358
  service-policy: MTPOC_LB_POL
    class: MTPOC_L4_VIP_Class
     ssl-proxy server: MTPOC_SSL_PS
      VIP Address:    Protocol:  Port:
      170.251.150.42  tcp        eq    443
      loadbalance:
        L7 loadbalance policy: MTPOC_L7_POL
        VIP Route Metric     : 77
        VIP Route Advertise  : ENABLED
        VIP ICMP Reply       : ENABLED
        VIP State: INSERVICE
        curr conns       : 0         , hit count        : 393
        dropped conns    : 212
        client pkt count : 1787      , client byte count: 203127
        server pkt count : 660       , server byte count: 395457
        conn-rate-limit      : 0     , drop-count : 0
        bandwidth-rate-limit : 0     , drop-count : 0
        L7 Loadbalance policy : MTPOC_L7_POL
          class/match : MTPOC_APP1_L7_Class
            ssl-proxy client : CLIENT_SSL_INITIATION
            LB action :
               primary serverfarm: MTPOC_APP1_FARM
                    state: UP
               backup serverfarm : GoFish-B6-Prod-RD-SF
                    state: UP
            hit count        : 71
            dropped conns    : 7
          class/match : MTPOC_APP2_L7_Class
            LB action :
               primary serverfarm: MTPOC_APP2_RD_FARM
                    state: UP
               backup serverfarm :
            hit count        : 31
            dropped conns    : 0
      Parameter-map(s):
        HTTP_REBALANCE_MAP
Show license [status] | [usage] - displays license files and status e.g. how many licenses you have / are in use
Show running-config
Show parameter-map
- displays output relating to the back end LB-server encryption including hits and ciphers used etc.
- displays output relating to the front end client-LB encryption including hits and ciphers used etc.
Show conn
Show logg
- displays detailed output for the fault tolerant group i.e. Active / Standby device pair
No ft auto-sync running
No ft auto-sync startup
Ft auto-sync running
Ft auto-sync startup
Show sticky database
Note: Most of the commands can be appended with the detail sub-command to provide more information.