10-20-2010 02:54 AM
Hi All,
Hope someone can help me out here. I'm facing an issue where an ACE module in a CAT6500 is not SNATting.
The basic physical topology is:
Server1>VLAN413>ACE(Bridged)>VLAN513>MSFC
The basic logical path is:
Server1>VLAN413>VLAN513(GW)>VIP(onACE)>VLAN413>NTPServer
So basically Server1 is trying to connect to NTPServer (for NTP) using the VIP on the ACE.
The VIP is in a different subnet than the servers, but the servers are in the same subnet.
Need to use the VIP for scaling out NTP.
MSFC handles routing to/from VIP and Server subnet. MSFC INT VLAN 513 is the GW for the subnet.
My problem is that SNAT is not natting traffic from Server1 to the VIP and hence on to the NTP Server.
Is this topology even valid for SNAT?
See the sanitised config below.
class-map match-all SNAT-1
  2 match source-address 1.1.1.0 255.255.255.0
policy-map multi-match vips
  class time.domain.com
    loadbalance vip inservice
    loadbalance policy time.domain.com
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 513
  class SNAT-1
    nat dynamic 1 vlan 413
interface vlan 413
  bridge-group 1
  access-group input anyone
  nat-pool 1 1.1.1.11 1.1.1.11 netmask 255.255.255.0 pat
  service-policy input vips
  no shutdown
interface vlan 513
  description L3 Interface facing MSFC
  bridge-group 1
  access-group input anyone
  nat-pool 2 1.1.1.12 1.1.1.12 netmask 255.255.255.0 pat
  service-policy input vips
  no shutdown
interface bvi 1
  ip address 1.1.1.3 255.255.255.0
  alias 1.1.1.6 255.255.255.0
  peer ip address 1.1.1.4 255.255.255.0
  no shutdown
Thanks in advance
Stephen
10-20-2010 04:42 AM
  class time.domain.com
    loadbalance vip inservice
    loadbalance policy time.domain.com
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 513
  class SNAT-1
    nat dynamic 1 vlan 413
The problem is the nat statement under the VIP.
Since it is listed first, this is the one ACE will attempt to use.
But because the NTP server is on vlan 413, and not vlan 513, traffic can't be NATed.
Remove it from the VIP class.
Then add a class class-default after the class SNAT-1 and add the nat statement there:
  class time.domain.com
    loadbalance vip inservice
    loadbalance policy time.domain.com
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
  class SNAT-1
    nat dynamic 1 vlan 413
  class class-default
    nat dynamic 2 vlan 513
This is the right way to do it.
Gilles.
10-20-2010 07:33 AM
Hi Gilles,
Thanks, that's a very sensible answer when you put it that way.
I will implement it as soon as possible and revert with an answer.
Regards
Stephen
10-21-2010 01:44 AM
Gilles,
Thanks for your help on this one. For the sake of closure, our solution was to move the SNAT-1 class above the current time.domain.com class.
We may move this to the top, given that (and it was not shown in my config output) there is a sourced ACL attached to the SNAT-1 class.
Everything worked as we would expect it to.
Thanks & Regards
Stephen
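The ordering behaviour Gilles describes (the first matching class that carries a nat action is the one ACE uses, and a dynamic NAT only fires when its pool's VLAN is the egress VLAN) can be checked with a small model of the three policy orders seen in this thread. This is an added illustration, not ACE code or anything from the original posts; the VIP address, Server1's address and the pool/VLAN matching logic are assumptions based on the sanitised config.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed values: the sanitised config shows neither the VIP nor Server1's address.
VIP = "1.1.1.200"        # placeholder VIP configured on the ACE
SERVER1 = "1.1.1.20"     # placeholder Server1 address, inside the SNAT-1 source range
NTP_SERVER_VLAN = 413    # the real NTP server sits on vlan 413 (from the topology)

@dataclass
class Flow:
    src: str
    dst: str
    egress_vlan: int     # vlan the ACE forwards the flow out of, toward the real server
@dataclass
class PolicyClass:
    name: str
    matches: Callable[[Flow], bool]
    nat: Optional[Tuple[int, int]] = None   # (pool, vlan) from "nat dynamic <pool> vlan <vlan>"

def select_nat_class(policy: List[PolicyClass], flow: Flow) -> Optional[PolicyClass]:
    """First class in policy order that matches the flow and carries a nat action wins;
    later classes are never consulted for NAT (assumed model of Gilles' description)."""
    for cls in policy:
        if cls.nat is not None and cls.matches(flow):
            return cls
    return None

def snat_result(policy: List[PolicyClass], flow: Flow) -> Tuple[bool, str]:
    """Return (snat_applied, reason): a dynamic NAT only fires if its vlan is the egress vlan."""
    cls = select_nat_class(policy, flow)
    if cls is None:
        return False, "no matching class carries a nat action"
    pool, vlan = cls.nat
    if vlan != flow.egress_vlan:
        return False, f"{cls.name}: pool {pool} bound to vlan {vlan}, egress is vlan {flow.egress_vlan}"
    return True, f"{cls.name}: pool {pool} on vlan {vlan}"

to_vip = lambda f: f.dst == VIP
from_servers = lambda f: ipaddress.ip_address(f.src) in ipaddress.ip_network("1.1.1.0/24")
# Original order: the VIP class with its vlan 513 nat is listed first.
ORIGINAL = [PolicyClass("time.domain.com", to_vip, (2, 513)), PolicyClass("SNAT-1", from_servers, (1, 413))]
# Gilles' fix: nat removed from the VIP class, class-default carries the vlan 513 nat.
GILLES = [PolicyClass("time.domain.com", to_vip), PolicyClass("SNAT-1", from_servers, (1, 413)),
          PolicyClass("class-default", lambda f: True, (2, 513))]
# Stephen's closing change: SNAT-1 moved above the VIP class.
REORDERED = [PolicyClass("SNAT-1", from_servers, (1, 413)), PolicyClass("time.domain.com", to_vip, (2, 513))]

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("gilles", GILLES), ("reordered", REORDERED)):
        print(name, snat_result(policy, Flow(SERVER1, VIP, NTP_SERVER_VLAN)))
```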