10-18-2007 09:03 AM
we've configured a serverfarm with a real server and a VIP.
The serverfarm can be reached and is functioning well.
Now we want the rserver to be able to reach it's own VIP address.
This is needed because the rserver has multiple websites which need each other
and we want to have load balancing.
Is this a supported configuration ?
regards,
Sebastian
10-18-2007 12:50 PM
Yes you can do it.
You need to source nat traffic from reals to VIP.
Syed
10-19-2007 12:36 AM
Hi Syed,
We don't use NAT at our context's.
There are just routed subnets.
We have to 2 vlan's 10 and 20
vlan 10 has subnet 10.210.100.0/24
vlan 20 has subnet 10.240.100.0/24
the vip address is 10.210.100.4 and is applied to vlan 20.
I tried to apply the vip address to the vlan 10 interface, but that seemed to go wrong.
10-19-2007 04:01 AM
you don't use nat but you HAVE to use nat for accessing a vip from a real server.
This is true for any loadbalancer.
The reason is the return traffic from the server to the client [in this case another server].
Since the client and server are on the same subnet, the response from the server goes directly to the client bypassing the ACE which can't reverse nat the server ip into the vip.
The client will reset the connection after receiving the illegal packet directly from the server.
So, you need to configure client for traffic originating from the real servers.
Put the policy with your vip inside vlan 20 and create another policy for doing client nat that you will also put on vlan 20.
Use a class-map matching only the rserver ip address to avoid nating everything.
Gilles.
11-26-2007 12:41 PM
were you able to get the configuration working for you? I aam running into the same problem where servers on the same vlan need to use the vip on the same vlan but with out a NAT.
11-27-2007 12:34 AM
Very interesting thread. I am actually having the same issue and cued this problem until next year.
Could you provide a simple sample config for this scenario. And can this source nat feature be "simply" added to an existing context or do i need to reconfigure my whole design for it.
Additionally i also have issues accessing the VIP from a different context. Can this also be solved the same way?
Example:
Context A:
VIP-A <--- RSERVER A1 (Source NAT needed)
Context A to B:
VIP-A <--- Context B <--- RSERVER B1 (Does not work - also due to missing source NAT?)
Roble
11-27-2007 04:17 AM
you can simply add a new policy to match the servers ip addresses and then configure nat.
ie:
class-map match-all servers
2 match source-address 192.168.30.48 255.255.255.255
policy-map multi-match client-nat
class servers
nat dynamic 1 vlan 30
interface vlan 20
ip address 192.168.20.121 255.255.255.0
alias 192.168.20.124 255.255.255.0
peer ip address 192.168.20.123 255.255.255.0
no normalization
mac-sticky enable
access-group input PERMIT-ANY
service-policy input ALLOW-ALL
service-policy input client-nat
service-policy input SLB1
no shutdown
interface vlan 30
bridge-group 30
no normalization
mac-sticky enable
access-group input PERMIT-ANY
nat-pool 1 10.10.20.1 10.10.20.100 netmask 255.255.255.0
In this case I nat the to an address in 10.10.20.0/24 subnet and I have a static route on the servers pointing this subnet to ACE.
You could also use a free ip from the same server subnet and no static route would be required.
Also if ACE is already the default gateway for the servers, no specific static route is required.
Also, in this example, I'm not really nating a server. But the idea is the same. The only difference is that in your case, the outgoing interface will be the same as the incoming interface. Me I have everything in vlan 20 and vlan 30. You will have everything in vlan X and only vlan X.
Gilles.
11-27-2007 05:49 AM
Thanks for the example Gilles.
Do i need to do a 1:1 or 1:n NAT (Static IP or Pool) or can i also overload a single address i.e. m:1 and do PAT?
Roble
11-27-2007 07:23 AM
you can do anything you want, including pat.
Gilles.
11-27-2007 07:53 AM
The pat stuff works fine however for logging issues it does pose an issue. With my issue the clien-side vlan and server side vlan are one in the same. Where servers on the same subnet need to point to a vip on the same subnet.
11-27-2007 01:04 AM
Hi,
I haven't spend time on in yet. I still have to take a look at how to configure that NAT.
We also use the rserver ip addresses for NAT on our outside firewall so it might end up in some other choices. But i am very interested in a sample config if anyone has one.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: