Wednesday, August 13, 2008

Cisco ACE and Private VLANs in Switch Mode

This one comes from the need to build a hosting zone with a shared load balancer. The idea is to keep things as simple as possible while still providing isolation and all the advanced load balancing features.
So there is a single VLAN for the one-armed servers, and isolation is provided by Private VLANs. However, since the ACE is shared across the PVLANs, I had to add access lists to control traffic from one PVLAN towards another PVLAN's VIPs.
Another element of simplicity in this design is the ACE module in switch mode, which provides a single default gateway for all the servers, load balanced or not.

The network diagram:

The ACE configuration:

switch-mode

rserver host SERVER-10.1
  ip address 10.0.10.1
  inservice
rserver host SERVER-10.2
  ip address 10.0.10.2
  inservice
rserver host SERVER-10.3
  ip address 10.0.10.3
  inservice
rserver host SERVER-10.4
  ip address 10.0.10.4
  inservice

serverfarm host LAB-A_20.1:80
  rserver SERVER-10.1 80
    inservice
  rserver SERVER-10.2 80
    inservice

serverfarm host LAB-B_21.1:80
  rserver SERVER-10.3 80
    inservice
  rserver SERVER-10.4 80
    inservice

class-map match-any L4-SNAT
  2 match source-address 1.0.10.0 255.255.255.0

class-map match-all L4-LAB-A_20.1:80
  2 match virtual-address 10.0.20.1 tcp eq www

class-map match-all L4-LAB-B_21.1:80
  2 match virtual-address 10.0.21.1 tcp eq www

policy-map type loadbalance first-match L7-LAB-A_20.1:80
  class class-default
    serverfarm LAB-A_20.1:80

policy-map type loadbalance first-match L7-LAB-B_21.1:80
  class class-default
    serverfarm LAB-B_21.1:80

policy-map multi-match L4-POLICYMAPMULTI
  class L4-SNAT
    nat dynamic 10 vlan 100
  class L4-LAB-A_20.1:80
    loadbalance vip inservice
    loadbalance policy L7-LAB-A_20.1:80
    loadbalance vip icmp-reply active
  class L4-LAB-B_21.1:80
    loadbalance vip inservice
    loadbalance policy L7-LAB-B_21.1:80
    loadbalance vip icmp-reply active

service-policy input L4-POLICYMAPMULTI

interface vlan 100
  description SERVERSIDE
  ip address 1.1.1.200 255.255.255.0
  no normalization
  no icmp-guard
  nat-pool 10 10.0.100.1 10.0.100.15 netmask 255.255.255.224 pat
  no shutdown
interface vlan 150
  description FIREWALLSIDE
  ip address 1.0.0.2 255.255.255.0
  no normalization
  no icmp-guard
  no shutdown

ip route 0.0.0.0 0.0.0.0 1.0.0.1

The router's configuration:

svclc module 11 vlan-group 100
svclc vlan-group 100 10,20,100,150

vlan 10
 private-vlan community

vlan 20
 private-vlan community

vlan 100
 name SERVERSIDE
 private-vlan primary
 private-vlan association 10,20

vlan 150
 name P2P-C65-ACE

interface Vlan100
 ip vrf forwarding LAB
 private-vlan mapping 10,20

interface Vlan150
 ip vrf forwarding LAB
 ip address 10.0.0.1 255.255.255.240

As usual, on the ACE there is a NAT pool to permit server-to-server load balancing; further information here and here.
"Horizontal" connections across the VLAN's broadcast domain are prevented by the private VLAN mechanism. However, a server belonging to PVLAN A can still connect to a VIP that logically belongs to PVLAN B, because VIPs on the ACE are not PVLAN aware.
Since the ACE is the default gateway, the default behaviour must be permit ip any any. Using access lists and object groups I created a matrix of denies between the real servers of each PVLAN and all the VIPs of the other PVLANs:

object-group network GROUPA
  host 10.0.10.1
  host 10.0.10.2
object-group network GROUPB
  host 10.0.10.3
  host 10.0.10.4
object-group network VIPSGROUPA
  host 10.0.20.1
object-group network VIPSGROUPB
  host 10.0.21.1

access-list ACL01 line 7 extended deny ip object-group GROUPA object-group VIPSGROUPB
access-list ACL01 line 11 extended deny ip object-group GROUPB object-group VIPSGROUPA
access-list ACL01 line 15 extended permit ip any any

interface vlan 100
  access-group input ACL01
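The deny matrix above is written by hand for two PVLANs, and it is easy to paste the wrong line when there are more. The following Python script is an added example, not part of the original post: it generates the ACE object-groups and the first-match access-list for any number of community PVLANs, and then checks the combined effect of the PVLAN rules and the ACL against a few constructed flows (server to same-community server, server to cross-community server, server to its own VIP, server to another PVLAN's VIP, external client to a VIP). The topology dictionary, the ACL line step and the external client address 192.0.2.10 are assumptions made for the example; the PVLAN and ACL semantics modelled are the ones described in the post (community ports isolated from other communities, ACE as promiscuous gateway, ACE ACL evaluated first-match with a final permit ip any any).

```python
# Added example: generate the ACE "matrix of denies" for N community PVLANs
# and check the resulting reachability. Not the original post's configuration.

# Constructed topology mirroring the post: each community PVLAN has its real
# servers and the VIP(s) that logically belong to it.
PVLANS = {
    "A": {"servers": ["10.0.10.1", "10.0.10.2"], "vips": ["10.0.20.1"]},
    "B": {"servers": ["10.0.10.3", "10.0.10.4"], "vips": ["10.0.21.1"]},
}


def render_ace_acl(pvlans, acl_name="ACL01", step=4):
    """Emit object-groups plus the deny matrix: the servers of every PVLAN are
    denied to the VIPs of every *other* PVLAN, followed by permit ip any any
    (the ACE is the default gateway, so everything else has to pass)."""
    lines = []
    for name, p in pvlans.items():
        lines.append(f"object-group network GROUP{name}")
        lines += [f"  host {h}" for h in p["servers"]]
        lines.append(f"object-group network VIPSGROUP{name}")
        lines += [f"  host {h}" for h in p["vips"]]
    seq = step  # assumed line-number step; ACE line numbers just need to be increasing
    for src in pvlans:
        for dst in pvlans:
            if src != dst:
                lines.append(f"access-list {acl_name} line {seq} extended deny ip "
                             f"object-group GROUP{src} object-group VIPSGROUP{dst}")
                seq += step
    lines.append(f"access-list {acl_name} line {seq} extended permit ip any any")
    return lines


def acl_entries(pvlans):
    """The same matrix as (action, src_hosts, dst_hosts) tuples, in ACL order."""
    entries = []
    for src in pvlans:
        for dst in pvlans:
            if src != dst:
                entries.append(("deny", set(pvlans[src]["servers"]),
                                set(pvlans[dst]["vips"])))
    entries.append(("permit", None, None))  # permit ip any any
    return entries


def acl_decision(entries, src, dst):
    """First-match evaluation; an ACE ACL ends with an implicit deny."""
    for action, s, d in entries:
        if s is None or (src in s and dst in d):
            return action
    return "deny"


def pvlan_of(pvlans, host):
    """Community PVLAN of a real server, or None for VIPs / external hosts."""
    for name, p in pvlans.items():
        if host in p["servers"]:
            return name
    return None


def reachable(pvlans, src, dst):
    """Combine both controls. Traffic between servers of different communities
    is dropped at layer 2 by the PVLAN and never reaches the ACE; anything
    that does reach the ACE (the promiscuous gateway) is subject to the ACL.
    Returns (allowed, which_control_decided)."""
    s, d = pvlan_of(pvlans, src), pvlan_of(pvlans, dst)
    if s is not None and d is not None:
        return (s == d), "pvlan"  # same community talks directly, others are isolated
    return acl_decision(acl_entries(pvlans), src, dst) == "permit", "acl"


if __name__ == "__main__":
    print("\n".join(render_ace_acl(PVLANS)))
    for src, dst in [("10.0.10.1", "10.0.20.1"), ("10.0.10.1", "10.0.21.1"),
                     ("10.0.10.1", "10.0.10.3"), ("192.0.2.10", "10.0.21.1")]:
        print(src, "->", dst, reachable(PVLANS, src, dst))
```

Running the script prints the generated configuration followed by the decision for each sample flow, so the generator output can be diffed against what is actually on the ACE and the flow table doubles as a checklist for testing from the servers once the ACL is applied.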


Again, many thanks to Daniele and Marco for support on the lab.
