Just wondering if I can ask an opinion. We have recently set up a Cisco ACE 4710 in routed mode in order to load balance between our client traffic from the internet and our web servers inside.
The requirement was to set up the ACE to load balance the incoming web traffic, but to have a separate default gateway for the real servers' initiated traffic to the internet. To achieve this I have configured the ACE in routed mode with a nat-pool on the inside VLAN (as per the config below), but the problem is that this hides the remote client's public IP address from our servers, as the traffic is seen to come from the NAT IP address.
I have limited knowledge of Cisco ACE, so I am not convinced whether the routed configuration I have gone with is the correct one, or if it would have made a difference to go with a different mode.
Just wondering if someone can help with deciding the most efficient way to set up the ACE to handle load balancing for the incoming web traffic to our e-commerce servers, whilst having a separate gateway for the real servers' initiated traffic, but also for the real servers to be able to see the IP address of the remote client.
Here is the current config:
! Indentation restored. Lines preceded by "! assumed" are not in the post but
! are required for the flow the post describes (the VIP is passing traffic).
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any

probe http Probe_dph_HTTP
  passdetect interval 10
  request method get url /ping.html
  expect status 200 200

! Despite its name this is an HTTP probe with no request/expect configured
probe http Probe_dph_TCP
  passdetect interval 60

rserver host Web_Server_01
  description Web Server 01
  ip address 192.168.100.101
  ! assumed
  inservice

rserver host Web_Server_02
  description Web Server 02
  ip address 192.168.100.102
  ! assumed
  inservice

rserver host Web_Server_03
  description Web Server 03
  ip address 192.168.100.103
  ! assumed
  inservice

serverfarm host dph_Web_Servers
  rserver Web_Server_01 80
    inservice
  rserver Web_Server_02 80
    inservice
  rserver Web_Server_03 80
    inservice

! VIP 192.168.1.100:80 on the outside VLAN
class-map match-all VIP_Website_dph_HTTP
  2 match virtual-address 192.168.1.100 tcp eq www

policy-map type loadbalance http first-match LoadBalance_dph_HTTP
  ! assumed: the post omits this body; a class pointing at the serverfarm is the minimum
  class class-default
    serverfarm dph_Web_Servers

policy-map multi-match Public_Policies
  ! assumed: the three commands below are only valid under a class
  class VIP_Website_dph_HTTP
    ! Source-NATs every balanced connection to nat-pool 1 on VLAN 101, so the
    ! rservers see 192.168.100.254 as the client instead of the real address
    nat dynamic 1 vlan 101
    loadbalance vip inservice
    loadbalance policy LoadBalance_dph_HTTP

interface vlan 100
  ip address 192.168.1.2 255.255.255.0
  access-group input INBOUND
  service-policy input Public_Policies
  ! assumed
  no shutdown

interface vlan 101
  ip address 192.168.100.1 255.255.255.0
  nat-pool 1 192.168.100.254 192.168.100.254 netmask 255.255.255.255 pat
  ! assumed
  no shutdown
Based on your requirement, I guess the NAT pool is logical. For accountability of the real IP address of the client, you can go for advanced HTTP options like header insert, wherein you insert the client's actual IP in an HTTP header.
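The header-insert approach from the answer above, carried through to the server side as an added example (not from the original thread and not Cisco's code). The nat-pool stays, because the source NAT is what brings return traffic back through the ACE when the real servers' default gateway is elsewhere; the client address then travels in an HTTP header instead. On the ACE that is an insert-http line under the load-balance policy (reproduced in the comment at the top of the block; %is is the ACE token for the client source IP, and the class placement is assumed from the posted config). The Python below is what an application behind the ACE should do with the header: believe it only when the TCP peer is the ACE's NAT address 192.168.100.254 (taken from the posted nat-pool), ignore it from any other peer, and validate the value as an IP. Which comma-separated entry belongs to the ACE depends on whether the ACE places its header after a client-supplied one; the code assumes the last entry and exposes that as a parameter, so confirm it with a test request carrying a forged X-Forwarded-For.

```python
"""
Server-side handling of the client IP that the ACE inserts into a header.

Added example, not from the original thread.  ACE side (placement under the
load-balance policy from the post is assumed; %is is the ACE token for the
client source address):

    policy-map type loadbalance http first-match LoadBalance_dph_HTTP
      class class-default
        serverfarm dph_Web_Servers
        insert-http X-Forwarded-For header-value "%is"
"""
import ipaddress
from typing import Container, Mapping, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Only the ACE may assert a client address on our behalf.  192.168.100.254 is
# the nat-pool address from the posted config; any other peer is untrusted.
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("192.168.100.254")})

HEADER = "x-forwarded-for"


def _parse_ip(text: str) -> Optional[IPAddress]:
    """Strict parse; returns None for garbage such as 'evil' or '1.2.3'."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def real_client_ip(peer_addr: str, headers: Mapping[str, str],
                   trusted: Container[IPAddress] = TRUSTED_PROXIES,
                   proxy_value_is_last: bool = True) -> str:
    """Return the address to log, rate-limit and geo-check on.

    peer_addr : TCP source address of the connection as the server sees it.
    headers   : request headers.
    proxy_value_is_last : assumption that the ACE's header ends up as the
        last comma-separated value (it would be first if the ACE inserts
        ahead of a client-supplied header); verify on your ACE.

    If the peer is not a trusted proxy the header is attacker-controlled and
    is ignored; the peer address is returned unchanged.
    """
    peer = _parse_ip(peer_addr)
    if peer is None or peer not in trusted:
        return peer_addr
    raw = _header(headers, HEADER)
    if raw is None:
        return peer_addr
    values = [v.strip() for v in raw.split(",") if v.strip()]
    if not values:
        return peer_addr
    candidate = _parse_ip(values[-1] if proxy_value_is_last else values[0])
    return str(candidate) if candidate is not None else peer_addr


class ClientIpMiddleware:
    """WSGI wrapper publishing the resolved address as environ['ACE_CLIENT_IP']."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI folds request headers into keys such as HTTP_X_FORWARDED_FOR.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        environ["ACE_CLIENT_IP"] = real_client_ip(environ.get("REMOTE_ADDR", ""), headers)
        return self.app(environ, start_response)


if __name__ == "__main__":
    # Constructed sample: one request that arrived via the ACE, one that
    # reached the server directly carrying a forged header.
    via_ace = real_client_ip("192.168.100.254", {"X-Forwarded-For": "203.0.113.7"})
    direct = real_client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"})
    print(via_ace, direct)  # 203.0.113.7 198.51.100.9
```

Wrap the application with ClientIpMiddleware and read ACE_CLIENT_IP from the WSGI environ for logging and any per-client controls; leave REMOTE_ADDR as the ACE address so the trust decision remains visible in the logs. If the real servers can also be reached without going through the VIP (for example from the inside VLAN), that path is exactly the one the peer-address check protects against.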