10-27-2010 07:01 AM
When a client makes a connection to a VIP which is in the client-side VLAN, and the ACE sends the load-balanced request to the rserver, and the rserver replies, does the rserver always get NAT'd to the VIP in the reply if no NAT is configured? Because if the client sends a SYN to the VIP and receives a SYN,ACK from a different IP, it'll just send a reset, correct?
How about in this example using NAT? Does the rserver's reply get PATted to 172.19.192.26, then get NATed again to the VIP? Or do they go straight to the client?
VLAN 195 is the client side
VLAN 719 is the server side
access-list acl_NAT_VIP line 40 extended permit ip 172.19.254.0 255.255.254.0 172.19.192.0 255.255.252.0
class-map match-any NAT_CLASS_VIP
  2 match access-list acl_NAT_VIP
policy-map multi-match NAT_POLICY
  class NAT_CLASS_VIP
    nat dynamic 5 vlan 719
interface vlan 195
  ip address 172.19.192.19 255.255.252.0
  alias 172.19.192.18 255.255.252.0
  peer ip address 172.19.192.20 255.255.252.0
  access-group input allowall
  access-group output allowall
  nat-pool 2 172.19.195.37 172.19.195.37 netmask 255.255.255.255 pat
  nat-pool 3 172.19.195.39 172.19.195.39 netmask 255.255.255.255 pat
  nat-pool 4 172.19.195.40 172.19.195.40 netmask 255.255.255.255 pat
  nat-pool 1 172.19.195.46 172.19.195.46 netmask 255.255.255.255 pat
  nat-pool 6 172.19.195.36 172.19.195.36 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  no shutdown
interface vlan 719
  ip address 10.1.9.66 255.255.255.240
  alias 10.1.9.65 255.255.255.240
  peer ip address 10.1.9.67 255.255.255.240
  access-group input allowall
  access-group output allowall
  nat-pool 5 172.19.192.26 172.19.192.26 netmask 255.255.255.255 pat
  service-policy input LB_POLICY
  service-policy input NAT_POLICY
  no shutdown
10-27-2010 11:56 AM
Bryan,
As long as the server replies back to the ACE, the client should only be communicating with the VIP address in either of your two examples.
In your first example the flow will look like this.
client > VIP after the ACE client > rserver
the reply would be
rserver > client after the ACE VIP > rserver
In your second example using client nat it will look like this
Client > VIP After ACE Natpool > rserver.
the reply would be
rserver > Nat-pool after ACE VIP > client.
The ACE by default will always nat the vip to the server ip unless you use the command "transparent" under the serverfarm. When using this command we send the packet to the MAC address of the server leaving the destination IP of the VIP. The server would need to have the VIP address configured under the loopback interface.
Regards
Jim
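The translations described in the reply above, modelled as a small connection table. This is an added example, not part of the thread and not ACE code; the client, VIP and rserver addresses and the ports are constructed, and only 172.19.192.26 (nat-pool 5) comes from the posted config.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")

class AceModel:
    """Toy connection table for the translations described above (not ACE code)."""

    def __init__(self, vip, rserver, nat_pool=None, transparent=False):
        self.vip, self.rserver = vip, rserver
        self.nat_pool, self.transparent = nat_pool, transparent
        self.flows = {}        # expected server reply -> packet the client sees
        self.next_port = 1024  # constructed PAT port allocator

    def client_to_server(self, p):
        if p.dst != self.vip:
            raise ValueError("packet is not addressed to the VIP")
        src, sport = p.src, p.sport
        if self.nat_pool:  # source NAT: client address hidden behind the pool
            src, sport = self.nat_pool, self.next_port
            self.next_port += 1
        # Default: destination VIP is rewritten to the rserver.
        # "transparent": destination stays the VIP (delivered by MAC address).
        dst = self.vip if self.transparent else self.rserver
        # Remember the reverse flow so the reply can be translated back.
        self.flows[Pkt(dst, p.dport, src, sport)] = Pkt(self.vip, p.dport, p.src, p.sport)
        return Pkt(src, sport, dst, p.dport)

    def server_to_client(self, p):
        # Only a reply matching a recorded flow is translated; otherwise None.
        return self.flows.get(p)

# Constructed addresses; only 172.19.192.26 (nat-pool 5) is from the posted config.
CLIENT, VIP, RSERVER, POOL = "172.19.254.10", "172.19.192.100", "10.1.9.70", "172.19.192.26"

def round_trip(ace):
    """Return (packet the rserver receives, packet the client receives)."""
    to_server = ace.client_to_server(Pkt(CLIENT, 40000, VIP, 80))
    reply = Pkt(to_server.dst, to_server.dport, to_server.src, to_server.sport)
    return to_server, ace.server_to_client(reply)

if __name__ == "__main__":
    for name, ace in [("no client NAT", AceModel(VIP, RSERVER)),
                      ("client NAT", AceModel(VIP, RSERVER, nat_pool=POOL)),
                      ("transparent", AceModel(VIP, RSERVER, transparent=True))]:
        print(name, *round_trip(ace), sep="\n  ")
```

In all three cases the packet returned to the client carries the VIP as its source, which holds only because the reply passes back through the table that recorded the flow.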
10-28-2010 11:15 AM
Jim,
I'm slightly confused. Are you saying that the traffic flow using the ACE in one-arm mode with source NAT would look like this:
Client>NAT Pool>VIP>Rserver
Reply:
Rserver>VIP>NAT Pool>Client?
Regards,
John...