10-12-2013 01:53 PM
Hi there,
Just wondering if I can ask an opinion. We have recently set up a Cisco ACE 4710 in routed mode in order to load balance between our client traffic from the internet and our web servers inside.
The requirement was to set up the ACE to load balance the incoming web traffic, but to have a separate default gateway for the real servers' initiated traffic to the internet. To achieve this I have configured the ACE in routed mode with a nat-pool on the inside VLAN (as per the config below), but the problem is that this hides the remote client's public IP address from our servers, as the traffic is seen to come from the NAT IP address.
I have limited knowledge of Cisco ACE, so I am not convinced whether the routed configuration I have gone with is the correct one, or whether it would have made a difference to go with a different mode.
Just wondering if someone can help with deciding the most efficient way to set up the ACE to handle load balancing for the incoming web traffic to our e-commerce servers, whilst having a separate gateway for the real servers' initiated traffic, but also allowing the real servers to see the IP address of the remote client.
Here is the current config:
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any

probe http Probe_dph_HTTP
  interval 10
  passdetect interval 10
  request method get url /ping.html
  expect status 200 200
  open 1

probe http Probe_dph_TCP
  interval 15
  passdetect interval 60
  open 1

rserver host Web_Server_01
  description Web Server 01
  ip address 192.168.100.101
  inservice
rserver host Web_Server_02
  description Web Server 02
  ip address 192.168.100.102
  inservice
rserver host Web_Server_03
  description Web Server 03
  ip address 192.168.100.103
  inservice

serverfarm host dph_Web_Servers
  probe Probe_dph_HTTP
  rserver Web_Server_01 80
    inservice
  rserver Web_Server_02 80
    inservice
  rserver Web_Server_03 80
    inservice

class-map match-all VIP_Website_dph_HTTP
  2 match virtual-address 192.168.1.100 tcp eq www

policy-map type loadbalance http first-match LoadBalance_dph_HTTP
  class class-default
    serverfarm dph_Web_Servers

policy-map multi-match Public_Policies
  class VIP_Website_dph_HTTP
    nat dynamic 1 vlan 101
    loadbalance vip inservice
    loadbalance policy LoadBalance_dph_HTTP

interface vlan 100
  ip address 192.168.1.2 255.255.255.0
  access-group input INBOUND
  service-policy input Public_Policies
  no shutdown

interface vlan 101
  ip address 192.168.100.1 255.255.255.0
  nat-pool 1 192.168.100.254 192.168.100.254 netmask 255.255.255.255 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1
10-12-2013 09:34 PM
Hi Ali,
Based on your requirement, I guess the NAT pool is logical. For accountability of the real IP address of the client, you can go for advanced HTTP options like header insert, wherein you will insert the client's actual IP in an HTTP header.
Hope this satisfies your requirement.
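The header insert suggested above, worked through against the configuration posted in the question. This is an added example, not part of either post: the object names ADD_CLIENT_IP and HTTP_PARAMS are assumed, everything else reuses the names from the posted config. The ACE substitutes the client connection's source IP for "%is" when it inserts the header, so the real servers behind the NAT pool receive the remote client's public address in X-Forwarded-For even though the TCP source is 192.168.100.254.

```cisco
! Added example (not from the thread): insert the client's source IP into
! proxied requests so the real servers can see it despite the NAT pool on
! VLAN 101. Names ADD_CLIENT_IP and HTTP_PARAMS are assumed; the rest are
! the names already used in the posted config.

! %is expands to the source IP of the client connection (%ps = source port)
action-list type modify http ADD_CLIENT_IP
  header insert request X-Forwarded-For header-value "%is"

! Without persistence-rebalance the ACE only parses the first request on a
! keepalive connection, so later requests on it would not get the header
parameter-map type http HTTP_PARAMS
  persistence-rebalance

! Attach the action to the existing load-balance policy
policy-map type loadbalance http first-match LoadBalance_dph_HTTP
  class class-default
    serverfarm dph_Web_Servers
    action ADD_CLIENT_IP

! Apply the HTTP parameter map to the existing VIP class
policy-map multi-match Public_Policies
  class VIP_Website_dph_HTTP
    nat dynamic 1 vlan 101
    loadbalance vip inservice
    loadbalance policy LoadBalance_dph_HTTP
    appl-parameter http advanced-options HTTP_PARAMS
```

Two caveats a practitioner should check before the servers start trusting this header. First, the value is only trustworthy because every request reaching the real servers comes through the ACE from 192.168.100.254; if anything on the inside VLAN can reach the web servers directly, that client can set X-Forwarded-For to whatever it likes, so the servers should accept the header only from the ACE's NAT address. Second, verify on your ACE software version what happens when the internet client already sent its own X-Forwarded-For (whether the ACE-inserted instance is added alongside it or replaces it), and make the web server's logging read the ACE-inserted value rather than the first one it finds.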
10-13-2013 01:44 AM
Hi Gaurav,
Thank you very much for your reply.
With regards to the NAT configuration, do you think it matters that I only have one address allocated in the NAT pool (192.168.100.254), in terms of concurrency of many clients, and/or resource usage etc.?
Also do you think the HTTP header insert would be very resource intensive for the ACE?
Thank you for your help.