Cisco ACE: can an rserver use its own VIP address?

We've configured a serverfarm with a real server and a VIP.

The serverfarm can be reached and is functioning well.

Now we want the rserver to be able to reach its own VIP address.

This is needed because the rserver has multiple websites which need each other, and we want to have load balancing.

Is this a supported configuration?

regards,

Sebastian


Yes you can do it.

You need to source NAT traffic from reals to the VIP.

Syed

Hi Syed,

We don't use NAT in our contexts.

There are just routed subnets.

We have two vlans, 10 and 20.

vlan 10 has subnet 10.210.100.0/24

vlan 20 has subnet 10.240.100.0/24

The VIP address is 10.210.100.4 and is applied to vlan 20.

I tried to apply the VIP address to the vlan 10 interface, but that seemed to go wrong.

You don't use NAT, but you HAVE to use NAT for accessing a VIP from a real server.

This is true for any loadbalancer.

The reason is the return traffic from the server to the client [in this case another server].

Since the client and server are on the same subnet, the response from the server goes directly to the client, bypassing the ACE, which therefore can't reverse-NAT the server IP into the VIP.

The client will reset the connection after receiving the illegal packet directly from the server.

So, you need to configure client NAT for traffic originating from the real servers.

Put the policy with your VIP inside vlan 20 and create another policy for doing client NAT that you will also put on vlan 20.

Use a class-map matching only the rserver IP address to avoid NATing everything.

Gilles.

wowsersusa

Were you able to get the configuration working for you? I am running into the same problem, where servers on the same vlan need to use the VIP on the same vlan but without a NAT.

Very interesting thread. I am actually having the same issue and queued this problem until next year.

Could you provide a simple sample config for this scenario? And can this source NAT feature be "simply" added to an existing context, or do I need to reconfigure my whole design for it?

Additionally, I also have issues accessing the VIP from a different context. Can this also be solved the same way?

Example:

Context A:

VIP-A <--- RSERVER A1 (Source NAT needed)

Context A to B:

VIP-A <--- Context B <--- RSERVER B1 (Does not work - also due to missing source NAT?)

Roble

You can simply add a new policy to match the servers' IP addresses and then configure NAT.

i.e.:

class-map match-all servers
  2 match source-address 192.168.30.48 255.255.255.255

policy-map multi-match client-nat
  class servers
    nat dynamic 1 vlan 30

interface vlan 20
  ip address 192.168.20.121 255.255.255.0
  alias 192.168.20.124 255.255.255.0
  peer ip address 192.168.20.123 255.255.255.0
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  service-policy input ALLOW-ALL
  service-policy input client-nat
  service-policy input SLB1
  no shutdown

interface vlan 30
  bridge-group 30
  no normalization
  mac-sticky enable
  access-group input PERMIT-ANY
  nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0

In this case I NAT to an address in the 10.10.20.0/24 subnet, and I have a static route on the servers pointing this subnet to the ACE.

You could also use a free IP from the same server subnet, and no static route would be required.

Also, if the ACE is already the default gateway for the servers, no specific static route is required.

Also, in this example, I'm not really NATing a server. But the idea is the same. The only difference is that in your case the outgoing interface will be the same as the incoming interface. In my case I have everything in vlan 20 and vlan 30. You will have everything in vlan X and only vlan X.

Gilles.
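To make Gilles's return-path explanation concrete next to his client-NAT config, here is an added Python model (written for this edit, not from this thread or from Cisco) that walks one SYN from an rserver to its own VIP, once without and once with client NAT. The addresses, the nat-pool IP and the rule "a same-subnet host address is reached directly, everything else goes through the ACE" are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses modelled on the single-vlan case (everything in vlan 20).
SUBNET = ip_network("192.168.20.0/24")
VIP = "192.168.20.200"          # VIP answered by the ACE
RS_A = "192.168.20.48"          # rserver acting as the client
RS_B = "192.168.20.49"          # rserver picked by the serverfarm
NAT_IP = "10.10.20.1"           # first address of a nat-pool like Gilles's
ACE_OWNED = {VIP, NAT_IP}       # addresses the ACE answers for (VIP, alias, nat-pool)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flag: str  # "SYN" or "SYN-ACK"


def next_hop(pkt: Packet) -> str:
    """Same-subnet host addresses are reached directly (ARP). Anything the ACE
    owns, or anything off-subnet (static route / default gateway), goes via the ACE."""
    if ip_address(pkt.dst) in SUBNET and pkt.dst not in ACE_OWNED:
        return "direct"
    return "ace"


def connect_to_own_vip(source_nat: bool) -> str:
    """Outcome seen by RS_A when it opens a connection to the VIP:
    'ESTABLISHED', or an 'RST: ...' string saying why the client gives up."""
    conn_table = {}  # ACE: (rserver, client as seen by rserver) -> (real client, VIP)
    syn = Packet(RS_A, VIP, "SYN")
    # Step 1: the SYN is addressed to the VIP, so it reaches the ACE, which picks
    # RS_B and, with client NAT configured, rewrites the source to a nat-pool IP.
    client_seen_by_rs = NAT_IP if source_nat else syn.src
    forwarded = Packet(client_seen_by_rs, RS_B, "SYN")
    conn_table[(RS_B, client_seen_by_rs)] = (syn.src, VIP)
    # Step 2: RS_B answers whatever source address it saw.
    reply = Packet(RS_B, forwarded.src, "SYN-ACK")
    # Step 3: the reply's path decides whether the ACE can reverse the translation.
    if next_hop(reply) == "direct":
        delivered = reply                        # bypasses the ACE, src stays RS_B
    else:
        real_client, vip = conn_table[(reply.src, reply.dst)]
        delivered = Packet(vip, real_client, "SYN-ACK")  # ACE un-NATs both ends
    # Step 4: the client only accepts a SYN-ACK from the VIP it connected to.
    if delivered.src == VIP and delivered.dst == RS_A:
        return "ESTABLISHED"
    return f"RST: SYN-ACK arrived from {delivered.src}, expected {VIP}"
```

Calling `connect_to_own_vip(False)` reproduces the reset Gilles describes, and `connect_to_own_vip(True)` shows the handshake completing once the reply is forced back through the ACE.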

Thanks for the example Gilles.

Do I need to do a 1:1 or 1:n NAT (static IP or pool), or can I also overload a single address, i.e. m:1, and do PAT?

Roble

You can do anything you want, including PAT.

Gilles.

The PAT stuff works fine; however, for logging it does pose an issue. In my case the client-side vlan and server-side vlan are one and the same, where servers on the same subnet need to point to a VIP on the same subnet.

Hi,

I haven't spent time on it yet. I still have to take a look at how to configure that NAT.

We also use the rserver IP addresses for NAT on our outside firewall, so it might end up in some other choices. But I am very interested in a sample config if anyone has one.
