07-24-2008 11:53 AM
I'm going to be replacing a CSS with a 4710 ACE. The CSS is one-armed, with the VIPs using 192.168.50.0 addressing. The CSS used the "group" config to NAT each client's source IP address with that of the VIP when forwarding the packet to the server. The CCO NAT examples don't explicitly specify how I would do this. Could someone please help out?
THANKS!
07-24-2008 12:12 PM
I have written this example. Hopefully it will help you understand. Remember that only the latest ACE code allows you to use the VIP as the NATed address.
access-list ANYONE line 10 extended permit ip any any

probe tcp TCP80
  port 80
  interval 15
  passdetect interval 60

rserver host app1-srvr1
  ip address 10.10.10.22
  inservice
rserver host app1-srvr2
  ip address 10.10.10.17
  inservice

serverfarm host app1-sf
  predictor leastconns
  probe TCP80
  rserver app1-srvr1
    inservice
  rserver app1-srvr2
    inservice

class-map match-all app1-classmap
  2 match virtual-address 10.10.10.100 tcp eq 80

policy-map type loadbalance first-match app1-policy
  class class-default
    serverfarm app1-sf
    nat dynamic 1000 vlan 10 serverfarm primary

policy-map multi-match VIPS
  class app1-classmap
    loadbalance vip inservice
    loadbalance policy app1-policy
    loadbalance vip icmp-reply active

interface vlan 10
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.2 255.255.255.0
  access-group input ANYONE
  nat-pool 1000 10.10.10.100 10.10.10.100 netmask 255.255.255.0 pat
  service-policy input VIPS
  no shutdown
Syed Iftekhar Ahmed
07-24-2008 12:17 PM
Syed,
Thanks!!!! I think this does what I'm looking for; in effect, the "group" command on the CSS.
09-18-2008 06:17 AM
Hi Syed,
With this config it means that you do not need the PBR or source NAT on the upstream router (e.g. MSFC), right?
./G
09-18-2008 08:36 AM
This example is with SRC NAT. The
nat dynamic 1000 vlan 10 serverfarm primary
command translates the client's source address to the address in the NAT pool.
Syed
09-19-2008 04:12 AM
Thanks Syed for your prompt answer. So PBR or Src NAT is not required. If the ACE is within the serverfarm VLAN (L2 one-arm, see attachment), how does this affect the solution? Servers must have an ARP entry for the VIP since ACE and servers will be L2 adjacent. Is SSL termination supported with this config?
./G
09-19-2008 04:49 AM
The slide you have attached is discussing DSR (Direct Server Return) topology. With DSR the client requests are forwarded to the servers through ACE and the responses from the servers bypass ACE to get maximum throughput.
DSR is only valid for Layer 4 traffic. You cannot load balance Layer 7 traffic using this.
DSR is not recommended and cannot be used for L7 load-balanced connections, and it requires special configuration on the servers (the VIP has to be configured as a loopback or secondary address).
Using the same diagram, if you introduce PBR/SRC NAT on ACE then it will become typical one-arm mode, and you can load balance all types of traffic, L4/L7, and you don't need any special config on the servers.
Syed Iftekhar Ahmed
09-19-2008 04:52 AM
Ok, but it will need to be on a different network than the serverfarm. In my case a new zone on the firewall.
./G
09-19-2008 05:09 AM
It doesn't need to be on a different VLAN.
You can have ACE and rservers on the same VLAN, with the rservers and ACE using the firewall as the default gateway.
The traffic destined to the VIP will be forwarded to ACE by the firewall. ACE will select the server using the configured LB predictor and will source NAT the request before sending it to the selected server.
The server response will be destined to the NATed IP (configured on ACE in the NAT pool).
ACE will change the destination address to the client's source address and will hand the server response over to the firewall.
Syed Iftekhar Ahmed
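The flow Syed describes in the last two replies (one-arm with source NAT on the same VLAN as the servers, versus DSR with the VIP on a server loopback, versus a bare destination NAT that breaks the return path) can be traced with a small model. This is an added example, not ACE code and not part of the original thread: it reuses the addresses from the example config (VIP and NAT pool 10.10.10.100, rservers 10.10.10.22 and 10.10.10.17, leastconns predictor) but the client address 192.0.2.10:40000, the PAT port allocator, and the names `OneArmLB` and `simulate` are constructed for the illustration. L2 forwarding and the firewall are reduced to "does the reply's destination belong to ACE or not".

```python
"""Constructed model of the one-arm return-path question discussed above.

Modes:
  snat      - ACE rewrites src to the NAT pool (Syed's config): reply returns via ACE
  dsr       - ACE leaves the IP header alone; server must own the VIP on a loopback
  dnat-only - ACE rewrites only the destination: server replies directly, client rejects
"""
from dataclasses import dataclass
from itertools import count

VIP = "10.10.10.100"
NAT_POOL_IP = "10.10.10.100"            # nat-pool 1000 uses the VIP itself
RSERVERS = ("10.10.10.22", "10.10.10.17")
CLIENT = ("192.0.2.10", 40000)          # constructed client address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OneArmLB:
    """Minimal ACE-like one-arm load balancer: leastconns predictor plus optional SNAT/PAT."""

    def __init__(self, mode):
        if mode not in ("snat", "dsr", "dnat-only"):
            raise ValueError(mode)
        self.mode = mode
        self.conns = {r: 0 for r in RSERVERS}
        self.xlate = {}                  # (rserver, nat_port) -> (client_ip, client_port)
        self.pat_ports = count(1025)     # constructed PAT port allocator

    def predictor_leastconns(self):
        # fewest active connections wins; ties go to the first configured rserver
        return min(RSERVERS, key=lambda r: (self.conns[r], RSERVERS.index(r)))

    def client_to_server(self, pkt):
        if pkt.dst_ip != VIP:
            raise ValueError("ACE only owns the VIP; everything else is the firewall's job")
        rs = self.predictor_leastconns()
        self.conns[rs] += 1
        if self.mode == "snat":
            nat_port = next(self.pat_ports)
            self.xlate[(rs, nat_port)] = (pkt.src_ip, pkt.src_port)
            return rs, Packet(NAT_POOL_IP, nat_port, rs, pkt.dst_port)
        if self.mode == "dnat-only":
            return rs, Packet(pkt.src_ip, pkt.src_port, rs, pkt.dst_port)
        return rs, pkt   # dsr: IP header untouched, only the L2 destination changes

    def server_to_client(self, pkt):
        # reverse translation: the only return path that actually passes through ACE
        client_ip, client_port = self.xlate.pop((pkt.src_ip, pkt.dst_port))
        return Packet(VIP, pkt.src_port, client_ip, client_port)


def simulate(mode, vip_on_loopback=False):
    """Run one request/reply through the chosen topology and report what each party sees."""
    lb = OneArmLB(mode)
    rs, to_server = lb.client_to_server(Packet(*CLIENT, VIP, 80))
    # the server only accepts packets for its own IP, or for the VIP if it is on a loopback
    server_accepts = to_server.dst_ip == rs or (vip_on_loopback and to_server.dst_ip == VIP)
    result = {"rserver": rs, "server_sees_client_ip": to_server.src_ip,
              "server_accepts": server_accepts, "reply_via_ace": False, "client_accepts": False}
    if not server_accepts:
        return result
    # the server answers from whatever address it accepted the request on
    reply = Packet(to_server.dst_ip, 80, to_server.src_ip, to_server.src_port)
    # default gateway is the firewall: only a reply addressed to ACE's NAT address comes back via ACE
    if reply.dst_ip == NAT_POOL_IP:
        result["reply_via_ace"] = True
        reply = lb.server_to_client(reply)
    # the client expects the reply from the VIP, on the port it used
    result["client_accepts"] = reply.src_ip == VIP and (reply.dst_ip, reply.dst_port) == CLIENT
    return result


if __name__ == "__main__":
    for args in (("snat",), ("dsr", True), ("dsr", False), ("dnat-only",)):
        print(args, simulate(*args))
```

Running it shows the trade-off in the thread: with `snat` the server sees 10.10.10.100 as the client and the reply is pulled back through ACE, so nothing special is needed on the servers or the firewall; with `dsr` the server sees the real client address but only works if the VIP is on a loopback; with `dnat-only` the reply reaches the client from the rserver's own address and is rejected.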
09-19-2008 05:19 AM
OK, I got this straight this time. In the L2 one-arm the ACE is like in bridge mode (so the L2 one-arm), thus the servers need the VIP as loopback.
Thanks for your help. You are great!!!
./G