4710 in one-armed mode

Answered Question
May 26th, 2010

Is it possible to preserve the client's originating IP address somewhere while using the 4710 in one-armed mode? I have a situation where the client source IP is needed, and I am deciding between one-armed mode and inline. I'd like to use one-armed, so that only load-balanced traffic traverses the load balancer, but I haven't seen an example where that can be done without losing the client's src address.

Correct Answer by UHansen1976, Wed, 05/26/2010 - 17:21

Only thing I can think of is HTTP header insertion. Create an action-list that inserts the original client src.ip/port into the HTTP header. The configuration is quite simple:

action-list type modify http <name>
  header insert both Host header-value %is:%ps

Then apply the action-list to your loadbalance policy-map.

Take a look at the URL below for further information:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1131842

But that depends on your situation. If the original client src.ip/port is expected in the L3/L4 header, this won't cut it. Is this for logging purposes or some form of packet filtering?

If you intend to run your ACE in one-arm mode, in my opinion, src.nat and header-insertion is your only option.

hth

/Ulrich
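
The header-insertion approach described in this answer has one consequence the server side has to handle: once the ACE source-NATs the connection, the only proof that an inserted address came from the load balancer is that the TCP peer is the ACE's NAT address; any client connecting directly can put the same header on its own request. The Python below is an added example, not code from the thread or from Cisco. It assumes a hypothetical dedicated header name X-Client-Address (the answer above inserts into Host; a dedicated name avoids a second Host header on the request), a hypothetical ACE NAT pool 192.0.2.0/28, and the %is:%ps value form (source IP, colon, source port). Accepting a bracketed IPv6 form is a generalization beyond what the thread shows.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed assumption: the addresses the ACE presents to the servers after
# source NAT in one-arm mode. Only these peers may vouch for an inserted
# client address. 192.0.2.0/28 is a documentation range, not a real pool.
TRUSTED_LB_SOURCES = [ipaddress.ip_network("192.0.2.0/28")]

# Hypothetical header name; the thread's action-list writes into Host instead.
CLIENT_ADDR_HEADER = "x-client-address"


def peer_is_load_balancer(peer_ip: str) -> bool:
    """True when the TCP peer is one of the ACE's NAT addresses."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_LB_SOURCES)


def parse_client_address(value: str) -> Optional[Tuple[str, int]]:
    """Parse an '%is:%ps' value such as '203.0.113.7:51234'.

    Returns (ip, port) or None when the value is not well formed. A bracketed
    IPv6 form like '[2001:db8::1]:443' is accepted as a generalization.
    """
    host, sep, port_text = value.strip().rpartition(":")
    if not sep or not host or not port_text.isdigit():
        return None
    port = int(port_text)
    if not 0 < port <= 65535:
        return None
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None
    return str(ip), port


def original_client(peer_ip: str,
                    headers: List[Tuple[str, str]]) -> Optional[Tuple[str, int]]:
    """Return the original client's (ip, port), or None when it cannot be trusted.

    headers is the request's header list as (name, value) pairs so that a
    duplicated header, which a client could add alongside the ACE's, is visible.
    """
    if not peer_is_load_balancer(peer_ip):
        return None  # direct connection: the header, if any, is client-supplied
    values = [v for name, v in headers if name.lower() == CLIENT_ADDR_HEADER]
    if len(values) != 1:
        return None  # header missing or present more than once
    return parse_client_address(values[0])


if __name__ == "__main__":
    # Constructed sample requests: one via the ACE, one direct with a forged header.
    via_ace = [("Host", "www.example.test"), ("X-Client-Address", "203.0.113.7:51234")]
    direct = [("Host", "www.example.test"), ("X-Client-Address", "10.0.0.1:1")]
    print(original_client("192.0.2.5", via_ace))   # ('203.0.113.7', 51234)
    print(original_client("198.51.100.9", direct))  # None
```

The peer check is what makes the inserted value usable for the statistics mentioned later in the thread: with the check in place, a forged header from a directly connected client is discarded rather than counted, and a request carrying two copies of the header is treated as untrustworthy rather than picking one of them.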

jbeltrame Wed, 05/26/2010 - 17:46

Thanks!!! That looks very promising. The original SRC IP will just be used for some statistical-based information, so I don't need the original SRC IP in the L3 headers. Thanks so much!!

Marwan ALshawi Sun, 05/30/2010 - 01:26

If you don't NAT the client source address you will preserve the source address, but using this way with a one-arm topology you need to make sure you have a PBR on the interface/SVI facing the server (server default gateway) to enforce the returning HTTP traffic to go back to the ACE.
