Cisco Support Community

[Ace20] Static PAT with more than one port

Hi experts,

I need your help. I have a two-arm load balancer concept for LDAP and LDAPS. The LDAP clients talk to the VIP of the load balancer on port 389 or 636 in the frontend VLAN of the load balancer. The load balancer distributes the TCP connections (L4) round-robin to the LDAP server farm in the load balancer backend VLAN. For this, the load balancer is required to perform SRC-NAT and DST-PAT. DST-PAT means the LDAP clients talk to port 389 or 636 of the VIP, but the load balancer sends the TCP connection to port 3389 or 6636 on the LDAP server, depending on the port used by the LDAP clients.

My problem is that I do not know how to configure the DST-PAT on the ACE for 389->3389 and 636->6636.

Could you please show me an example?

BR,

Sebastian

3 REPLIES

Hi Sebastian,

If I understand this correctly, you need to send the traffic from the ACE to the servers on ports 3389 and 6636.

If this is correct, you just need to configure a couple of serverfarms and specify the port number, like this:

serverfarm host sample
   rserver server1 3389
     inservice

---------------------
Cesar R
ANS Team


Hi Cesar Roque

thanks for your reply.

LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy (3389)

LDAP Client 2 ---> Loadbalancer VIP(636) ----> LDAP Proxy (6639)

If I understand you correctly, the config should look like this?

class-map match-all LDAP
  2 match virtual-address 10.70.136.161 tcp eq 389

class-map match-all LDAPS
  2 match virtual-address 10.70.136.161 tcp eq 636

policy-map multi-match LDAP-Service
  description traffic LDAP VIP
  class LDAP
    loadbalance vip inservice
    loadbalance policy LDAP
    loadbalance vip icmp-reply
    loadbalance vip advertise
  class LDAPS
    loadbalance vip inservice
    loadbalance policy LDAPS
    loadbalance vip icmp-reply
    loadbalance vip advertise

rserver host LDAPPROXYBAM#1
  ip address 192.168.2.129
  inservice

rserver host LDAPPROXYBAM#2
  ip address 192.168.2.130
  inservice

rserver host LDAPPROXYFFM#1
  ip address 192.170.2.193
  inservice

rserver host LDAPPROXYFFM#2
  ip address 192.170.2.194
  inservice

serverfarm host LDAPPROXY
  probe LDAP-3389
  rserver LDAPPROXYBAM#1 3389
    inservice
  rserver LDAPPROXYBAM#2 3389
    inservice
  rserver LDAPPROXYFFM#1 3389
    inservice
  rserver LDAPPROXYFFM#2 3389
    inservice

serverfarm host LDAPPROXYS
  probe LDAPS-6636
  rserver LDAPPROXYBAM#1 6636
    inservice
  rserver LDAPPROXYBAM#2 6636
    inservice
  rserver LDAPPROXYFFM#1 6636
    inservice
  rserver LDAPPROXYFFM#2 6636
    inservice

policy-map type loadbalance first-match LDAP
  class class-default
    serverfarm LDAPPROXY

policy-map type loadbalance first-match LDAPS
  class class-default
    serverfarm LDAPPROXYS

But now I think the load is not distributed correctly any longer.

Example:

Not correct

LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy 1 (3389)

LDAP Client 2 ---> Loadbalancer VIP(389) ----> LDAP Proxy2  (3389)

LDAP Client 3 ---> Loadbalancer VIP (636) ----> LDAP Proxy1 (6636)

LDAP Client 4---> Loadbalancer VIP(636) ----> LDAP Proxy2 (6639)

Correct

LDAP Client 1 ---> Loadbalancer VIP (389) ----> LDAP Proxy 1 (3389)

LDAP Client 2 ---> Loadbalancer VIP(389) ----> LDAP Proxy2  (3389)

LDAP Client 3 ---> Loadbalancer VIP (636) ----> LDAP Proxy3 (6636)

LDAP Client 4---> Loadbalancer VIP(636) ----> LDAP Proxy4 (6639)

Are my thoughts right? How can I solve this?
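
Added example, not part of the original posts and not Cisco tooling: a small Python check that follows class-map -> loadbalance policy -> serverfarm in a configuration laid out like the one above and reports which real-server ports each VIP port is translated to, so a 636 VIP that lands on the plaintext farm or on an unexpected port is caught before deployment. The function names `port_map` and `audit` and the trimmed sample are assumptions made for illustration.

```python
# Constructed sample: trimmed copy of the configuration posted above.
SAMPLE = """\
class-map match-all LDAP
  2 match virtual-address 10.70.136.161 tcp eq 389
class-map match-all LDAPS
  2 match virtual-address 10.70.136.161 tcp eq 636
policy-map multi-match LDAP-Service
  class LDAP
    loadbalance policy LDAP
  class LDAPS
    loadbalance policy LDAPS
serverfarm host LDAPPROXY
  rserver LDAPPROXYBAM#1 3389
serverfarm host LDAPPROXYS
  rserver LDAPPROXYBAM#1 6636
policy-map type loadbalance first-match LDAP
  class class-default
    serverfarm LDAPPROXY
policy-map type loadbalance first-match LDAPS
  class class-default
    serverfarm LDAPPROXYS
"""

def port_map(config):
    """Follow class-map -> loadbalance policy -> serverfarm; return {vip_port: [rserver ports]}."""
    vip, policy, farm, ports = {}, {}, {}, {}
    section, name, cls = "", None, None
    for raw in config.splitlines():
        w = raw.split()
        if not w:
            continue                                  # tolerate blank lines between entries
        if not raw[0].isspace():                      # unindented line opens a new section
            section, name, cls = " ".join(w[:-1]), w[-1], None
        elif section.startswith("class-map") and "virtual-address" in w and w[-2] == "eq":
            vip[name] = int(w[-1])                    # VIP port matched by this class-map
        elif section == "policy-map multi-match" and w[0] == "class":
            cls = w[1]
        elif section == "policy-map multi-match" and w[:2] == ["loadbalance", "policy"]:
            policy[cls] = w[2]                        # class-map -> loadbalance policy
        elif section.endswith("loadbalance first-match") and w[0] == "serverfarm":
            farm[name] = w[1]                         # loadbalance policy -> serverfarm
        elif section == "serverfarm host" and w[0] == "rserver" and len(w) == 3:
            ports.setdefault(name, set()).add(int(w[2]))
    return {p: sorted(ports.get(farm.get(policy.get(c)), ())) for c, p in vip.items()}

def audit(config, expected):
    """Return (vip_port, found, wanted) for each configured VIP port whose translation differs."""
    return [(p, got, expected.get(p)) for p, got in port_map(config).items() if got != expected.get(p)]
```

Calling `audit(config_text, {389: [3389], 636: [6636]})` on the full configuration returns an empty list when both translations are as intended.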


Hi Sebastian

Please clear the serverfarm counters and then gather a couple of outputs of show serverfarm {name} detail while you send traffic to the VIPs.

---------------------
Cesar R
ANS Team
