restricted source nat on ACE

followurself
Level 1

access-list oracle extended permit tcp host 10.7.40.124 host 10.7.40.245 eq 8060
access-list oracle extended permit tcp host 10.7.40.125 host 10.7.40.245 eq 8060

serverfarm host sfarm1_oracle_hostfile
  description DB servers to preeb.mfl.co.u.uk
  predictor leastconn
  failaction purge
  probe port-8060
  rserver zhc1nora5 8060
    inservice
  rserver zhc1nora6 8060
    inservice

class-map match-all sfarm1_oracle_hostfile_classmap
  description host file issue
  3 match access-list oracle_hostfile
  4 match virtual-address 10.7.40.245 tcp eq 8060

policy-map type loadbalance first-match sfarm1_oracle_hostfile_pol
  class class-default
    sticky-serverfarm ORACLE-DB-STICKY-GP

policy-map multi-match Oracle-hostfile
  class sfarm1_oracle_hostfile_classmap
    loadbalance vip inservice
    loadbalance policy sfarm1_oracle_hostfile_pol
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 740

sticky ip-netmask 255.255.255.255 address source ORACLE-DB-STICKY-GP
  timeout 60
  replicate sticky
  serverfarm sfarm1_oracle_hostfile

interface vlan 740
  description interface facing Servers
  bridge-group 2
  access-group input BPDU
  access-group input ALLOW_ALL
  nat-pool 1 10.7.40.246 10.7.40.254 netmask 255.255.255.0 pat
  service-policy input Oracle-hostfile

Above is the config.

I am looking to allow some servers to hit a VIP on the same VLAN. I have enabled source NAT and used an access-list to match the conditions. I tried connecting to the port via telnet 10.7.40.245 8060 and it connected, with the output below:

service-policy: Oracle-hostfile
  class: sfarm1_oracle_hostfile_classmap
    nat:
      nat dynamic 1 vlan 740
      curr conns : 0 , hit count : 9
      dropped conns : 0
      client pkt count : 45 , client byte count: 1930
      server pkt count : 45 , server byte count: 4192
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0
    loadbalance:
      L7 loadbalance policy: sfarm1_oracle_hostfile_pol
      VIP Route Metric : 77
      VIP Route Advertise : DISABLED
      VIP ICMP Reply : ENABLED-WHEN-ACTIVE
      VIP State: INSERVICE
      curr conns : 0 , hit count : 13
      dropped conns : 4
      client pkt count : 49 , client byte count: 2122
      server pkt count : 45 , server byte count: 4192
      conn-rate-limit : 0 , drop-count : 0
      bandwidth-rate-limit : 0 , drop-count : 0

But I can connect from any system in the subnet 10.7.40.x. The class-map has a match-all statement. Does match-all mean both conditions, or any?

If I want to achieve the above, what is the best option?
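The question above is what match-all versus match-any means for a class-map with two criteria. As an added example (not code from the thread or from Cisco), the Python below parses ACE-style access-list and class-map lines in the shape posted and evaluates candidate flows under both modes. One check worth noting in the posted config: the access-list lines are named oracle while the class-map references oracle_hostfile; the example assumes they are meant to be one and the same list and uses a single name.

```python
"""Evaluate ACE-style class-map semantics (match-all vs match-any) for flows."""
import re
# Constructed from the config posted above; assumption: the posted "access-list
# oracle" and "match access-list oracle_hostfile" refer to one and the same list.
CONFIG = """
access-list oracle_hostfile extended permit tcp host 10.7.40.124 host 10.7.40.245 eq 8060
access-list oracle_hostfile extended permit tcp host 10.7.40.125 host 10.7.40.245 eq 8060
class-map match-all sfarm1_oracle_hostfile_classmap
  3 match access-list oracle_hostfile
  4 match virtual-address 10.7.40.245 tcp eq 8060
class-map match-any LOOSE_classmap
  3 match access-list oracle_hostfile
  4 match virtual-address 10.7.40.245 tcp eq 8060
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit tcp host (\S+) host (\S+) eq (\d+)")
CMAP_RE = re.compile(r"class-map (match-all|match-any) (\S+)")
CRIT_RE = re.compile(r"(?:\d+\s+)?match (.+)")   # leading line number is optional

def parse(text):
    # returns ({acl_name: [(src, dst, port), ...]}, {class_name: {"mode", "criteria"}})
    acls, cmaps, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3], int(m[4])))
        elif m := CMAP_RE.match(line):
            current = cmaps[m[2]] = {"mode": m[1], "criteria": []}
        elif current and (m := CRIT_RE.match(line)):
            current["criteria"].append(m[1])
    return acls, cmaps

def criterion_matches(crit, flow, acls):
    """Evaluate one match line against a (src, dst, dport) flow."""
    src, dst, port = flow
    kind, rest = crit.split(" ", 1)
    if kind == "access-list":          # some permit entry must cover the flow
        return (src, dst, port) in acls.get(rest, [])
    if kind == "virtual-address":      # rest looks like "10.7.40.245 tcp eq 8060"
        vip, _proto, _eq, vport = rest.split()
        return dst == vip and port == int(vport)
    raise ValueError(f"unsupported criterion: {crit}")

def class_matches(cmap, flow, acls):
    # match-all is a logical AND over all criteria; match-any is a logical OR
    hits = [criterion_matches(c, flow, acls) for c in cmap["criteria"]]
    return all(hits) if cmap["mode"] == "match-all" else any(hits)

def classify(flow, text=CONFIG):
    acls, cmaps = parse(text)
    return {name: class_matches(c, flow, acls) for name, c in cmaps.items()}
```

Running classify(("10.7.40.50", "10.7.40.245", 8060)) shows the difference: the VIP criterion alone satisfies match-any, but match-all also needs the source to appear in the access-list, so the flow is not classified.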

5 Replies

Gilles Dufour
Cisco Employee

Usually, you put the source IP match statement in a class-map and use the class-map under the policy.

i.e.:

class-map type http loadbalance match-any SERVERS
  2 match source-address 192.168.30.27 255.255.255.255
  3 match source-address 192.168.30.48 255.255.255.255

Then

policy-map type loadbalance first-match sfarm1_oracle_hostfile_pol
  class SERVERS
    sticky-serverfarm ORACLE-DB-STICKY-GP
    nat dynamic 1 vlan 740
  class class-default
    sticky-serverfarm ORACLE-DB-STICKY-GP

Gilles.

In the same class-map

class-map type http loadbalance match-any SERVERS

how can I add the VIP address?

Both conditions should match: traffic coming from a specific source address to a specific VIP address. If both conditions match, then apply the policy.

Any suggestions?

Also, is it possible to get static NAT instead of dynamic NAT?

Thanks

You need to use separate class-maps.

One to catch the VIP traffic, used in the multi-match policy, and another class-map as described in my previous post to catch traffic from the servers, used in the type loadbalance policy.

G.

Agreed, I'm also of the opinion that you need a class and a policy for loadbalancing and a class and policy for NAT. Both policies receive the incoming traffic, then perform their separate operations on it and meet up afterwards.

In its simplest form...

NAT:

class-map match-any NAT_Class
  2 match access-list NAT_ACL

policy-map multi-match NAT_Policy
  class NAT_Class
    nat dynamic 1 vlan 123

LB:

policy-map type loadbalance first-match L7_Policy
  class class-default
    sticky-serverfarm ServerfarmX

policy-map multi-match LB_Policy
  class VIP_Class
    loadbalance vip inservice
    loadbalance policy L7_Policy
    loadbalance vip icmp-reply active
    loadbalance vip advertise active

In NAT_ACL you will specify your conditions as desired.

Cheers,

Claire
