Showing posts from 2012

ACE Load Balancer: Configure the Load-Balancing Service

There are quite a few ways to structure the configuration of the Load Balancing Service on a Cisco ACE device, or Load Balancer (LB). The official Cisco documentation can be a bit overwhelming, as you can see here. Here's the approach that I've always found simplest to understand.

Step 1
Define the Real Servers (rservers, or physical servers) that will participate in the Load-Balancing process. The number of Real Servers (rservers) within the Server Farm can vary: one server is logically the minimum, and the maximum depends on the Balancer model. In this example two Real Servers are configured, named SERVERCISQUEROS03 and SERVERCISQUEROS04, with their respective IP Addresses and

Define the ratio between the Real Servers in the farm using the "weight X" command. In this case the value X will be 1, so the load will be equally balanced between the two servers.

From the Global Configuration mode:

 rserver host SERVERCISQUEROS03
 ip address

ACE Load Balancer: Redirection - HTTP to HTTP/HTTPS

In this document I'll explain how to filter the HTTP protocol on a Cisco ACE Load Balancer, and how to redirect the filtered HTTP traffic to another URL. This concept is widely used for HTTP-to-HTTPS redirection.

Step 1 Create the redirection rserver

rserver redirect REDIRECT-HTTP-APP
  webhost-redirection url_redirect HTTP_CODE

The url_redirect is the URL to which the traffic will be redirected, and HTTP_CODE is the redirection code (normally 301 or 302).
If we wish the URL to stay the same, as is normally the case when redirecting to HTTPS, we use %h%p instead of a literal URL.

%h stands for Hostname. If you use only %h, it will redirect you to

%p stands for Path

301 redirects are permanent. They mean that the page has moved, and they ask any search engine or user agent reaching the page to update the URL in its database. This is the most common type of redirect that people s…

DAI - Dynamic ARP Inspection

(config)#ip arp inspection vlan 2 <--- Inspect ARP within the VLAN 2

You can create an ARP access list that maps IP addresses to MAC addresses, and apply it to DAI:
 (config)#arp access-list ARP_ACL_20
 (config-arp-nacl)#permit ip host mac host 0000.1111.1111
 (config-arp-nacl)#permit ip host mac host 0000.3333.3333
And now APPLY:
 (config)#ip arp inspection filter ARP_ACL_20 vlan 2

 #show ip arp inspection

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
    2     Enabled          Active      ARP_ACL_20         No

 Vlan     ACL Logging      DHCP Logging      Probe Logging
 ----     -----------      ------------      -------------
    2     Deny             Deny              Off

 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      …

ACE Load Balancer SSL Certificate Part I, Generate the CSR

You have more than one Real Server, and it's much more practical to install an SSL certificate once, on the ACE Load Balancer, than to install it on each and every Server within the Balanced Service.

The CSR (Certificate Signing Request) is needed to generate or order a new certificate. New certificates are generated by Certificate Authorities (CAs) using the CSR as the seed for the certificate generation.
In order to terminate SSL on the Load Balancer, a few steps must be performed.

Step 1 Define and Configure the Parameters
The first thing we need to do is generate the CSR based on the RSA key and a set of parameters that we define and configure on the ACE Load Balancer in Global Configuration mode:
  (config)# crypto csr-params CSR_CISQUEROS
  (config-csr-params)# country SP
  (config-csr-params)# state MA
  (config-csr-params)# locality MADRID
  (config-csr-params)# organization-name CISQUEROS TECHNOLOGY
  (con…

ACE Load Balancer SSL Certificate Part II: Install the SSL Certificate

Once you've obtained an actual certificate from one of the Certificate Authorities, such as VeriSign or Thawte, you may proceed to the certificate implementation.
As you can see in the picture below, the SSL certificate in this architecture terminates on the ACE Load Balancer, therefore saving you the time and money needed to implement the certificate on each of the balanced Servers within the Server Farm behind the ACE Load Balancer.

The next step is performed on the Load Balancer, and it consists of identifying the KEY created and described in the first part of this guide. Once the right KEY is identified we need to EXPORT it and save it temporarily (I tend to simply paste it into the advanced, hard-to-use Windows feature called "The Notepad").

LB_Active# crypto export CSRPPPREVOLRSAKEY.PEM

Within the same notepad file we should then paste the CERTIFICATE, so that it looks something like this:


VTP - Should we use it?

VLAN Trunking Protocol: most commands can be configured in PRIVILEGED, CONFIGURE or DATABASE mode

- Keep in mind that there is no way to unconfigure the VTP DOMAIN NAME (by default it's NULL). You have to delete flash:vlan.dat, erase the Startup config and reload the router.

VTP messages source IP (the IP from which the VTP messages are sourced):
(config)#vtp interface Loopback 1 [only]<- It will not be propagated

Restrict FLOOD TRAFFIC to the TRUNK Interfaces - use VTP PRUNING
There are 4 types of VTP Advertisements exchanged between the switches:
1. Summary Advertisements - every time the VTP database changes (every 300 ms)
2. Subset Advertisements - sent right after the SUMMARY, includes what exactly changed
3. Advertisements requested from clients - a client requests info to update its VTP database, the server responds
4. VTP Membership announcements - when PRUNING is enabled, they tell the neighbor WHAT VLANs they want (if the VLAN is not announced with this message, it is not on the trun…

Spanning Tree: Root Election and Path Tuning

The concept is rather simple: the Switches send probes called BPDUs (Bridge Protocol Data Units) to discover loops in the network. If a BPDU "returns", there is a loop in the network!

BPDU = 4-bit-PRIORITY + MAC Address
Spanning tree is no game, so be extremely careful when tuning the Priorities, Costs and Port-Priorities in order to manually make the Switch set your desired path as preferred. Any problem or misconfiguration can easily cause a major critical situation, as most Layer 2 loop problems cause your Switches' CPU usage to increase drastically and immediately. For your own stress-free dreams, be sure to test everything you need to change in your production network regarding Spanning Tree in the Pre-Production environment first. I'm not going to get into explaining the Spanning Tree basics here, as I guess most CCIE candidates should be familiar with them. The focus of this post will be the pure control of the Root Bridge in your network, and the prefe…