Cisco ACE: can an rserver use its own VIP address?

Oct 18th, 2007

we've configured a serverfarm with a real server and a VIP.

The serverfarm can be reached and is functioning well.

Now we want the rserver to be able to reach its own VIP address.

This is needed because the rserver has multiple websites which need each other

and we want to have load balancing.

Is this a supported configuration?

sebastianvandijk Fri, 10/19/2007 - 00:36

Hi Syed,

We don't use NAT at our contexts.

There are just routed subnets.

We have two VLANs, 10 and 20.

vlan 10 has subnet

vlan 20 has subnet

the vip address is and is applied to vlan 20.

I tried to apply the VIP address to the VLAN 10 interface, but that seemed to go wrong.

Gilles Dufour Fri, 10/19/2007 - 04:01

You don't use NAT, but you HAVE to use NAT for accessing a VIP from a real server.

This is true for any load balancer.

The reason is the return traffic from the server to the client [in this case another server].

Since the client and server are on the same subnet, the response from the server goes directly to the client, bypassing the ACE, which therefore can't reverse-NAT the server IP into the VIP.

The client will reset the connection after receiving the illegal packet directly from the server.

So, you need to configure client NAT for traffic originating from the real servers.

Put the policy with your VIP inside VLAN 20 and create another policy for doing client NAT that you will also put on VLAN 20.

Use a class-map matching only the rserver IP address to avoid NATing everything.


wowsersusa Mon, 11/26/2007 - 12:41

Were you able to get the configuration working for you? I am running into the same problem where servers on the same VLAN need to use the VIP on the same VLAN but without a NAT.

Roble Mumin Tue, 11/27/2007 - 00:34

Very interesting thread. I am actually having the same issue and queued this problem until next year.

Could you provide a simple sample config for this scenario? And can this source NAT feature be "simply" added to an existing context, or do I need to reconfigure my whole design for it?

Additionally, I also have issues accessing the VIP from a different context. Can this also be solved the same way?


Context A:

VIP-A <--- RSERVER A1 (Source NAT needed)

Context A to B:

VIP-A <--- Context B <--- RSERVER B1 (Does not work - also due to missing source NAT?)


Gilles Dufour Tue, 11/27/2007 - 04:17

You can simply add a new policy to match the servers' IP addresses and then configure NAT.


class-map match-all servers
  2 match source-address

policy-map multi-match client-nat
  class servers
    nat dynamic 1 vlan 30

interface vlan 20
  ip address
  peer ip address
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input client-nat
  service-policy input SLB1
  no shutdown

interface vlan 30
  bridge-group 30
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  nat-pool 1 netmask

In this case I NAT the to an address in subnet and I have a static route on the servers pointing this subnet to the ACE.

You could also use a free IP from the same server subnet, and no static route would be required.

Also if ACE is already the default gateway for the servers, no specific static route is required.

Also, in this example, I'm not really NATing a server, but the idea is the same. The only difference is that in your case the outgoing interface will be the same as the incoming interface. I have everything in VLAN 20 and VLAN 30; you will have everything in VLAN X and only VLAN X.
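A complete single-VLAN version of the approach Gilles describes, written as an added example (it is not a config from this thread or from Cisco). Every address is a placeholder: the server subnet 10.1.20.0/24, the rserver 10.1.20.11, the VIP 10.1.20.100 and the PAT address 10.1.20.250 are all assumed; the names WEB1, SF-WEB, RSERVERS-SRC, VIP-WEB, LB-WEB and CLIENT-NAT are chosen here. It uses a single PAT address (the m:1 variant), so only the one class-map and nat-pool need to be added to an existing context.

```cisco
! Added example: source NAT so a real server on VLAN 20 can reach a VIP
! on the same VLAN 20. All addresses are placeholders (10.1.20.0/24).
! 10.1.20.250 is a free address in the server subnet used for PAT, so
! the servers need no extra static route.
access-list PERMIT-ANY line 10 extended permit ip any any

rserver host WEB1
  ip address 10.1.20.11
  inservice

serverfarm host SF-WEB
  rserver WEB1
    inservice

! Match only the real server(s) as source, so not everything is NATed
class-map match-all RSERVERS-SRC
  2 match source-address 10.1.20.11 255.255.255.255

class-map match-all VIP-WEB
  2 match virtual-address 10.1.20.100 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB

policy-map multi-match SLB1
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB

! m:1 PAT: one address, many ports, for server-originated connections
policy-map multi-match CLIENT-NAT
  class RSERVERS-SRC
    nat dynamic 1 vlan 20

interface vlan 20
  ip address 10.1.20.1 255.255.255.0
  access-group input PERMIT-ANY
  nat-pool 1 10.1.20.250 10.1.20.250 netmask 255.255.255.255 pat
  service-policy input SLB1
  service-policy input CLIENT-NAT
  no shutdown
```

With this in place, a connection from 10.1.20.11 to 10.1.20.100 is load balanced and has its source rewritten to 10.1.20.250, so the selected server (even if it is WEB1 itself) replies back through the ACE instead of directly to the client, which is what prevents the reset Gilles describes.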


Roble Mumin Tue, 11/27/2007 - 05:49

Thanks for the example Gilles.

Do I need to do a 1:1 or 1:n NAT (static IP or pool), or can I also overload a single address, i.e. m:1, and do PAT?


wowsersusa Tue, 11/27/2007 - 07:53

The PAT stuff works fine; however, for logging it does pose an issue. With my issue the client-side VLAN and server-side VLAN are one and the same, where servers on the same subnet need to point to a VIP on the same subnet.

sebastianvandijk Tue, 11/27/2007 - 01:04


I haven't spent time on it yet. I still have to take a look at how to configure that NAT.

We also use the rserver IP addresses for NAT on our outside firewall, so it might end up in some other choices. But I am very interested in a sample config if anyone has one.

