Should be a simple question, and I hope I have the answer; I just want to see if someone can verify this will work. This is on a CSS 11501 with 8.2 code. I have to be sure the client data flows, which are served by the same 2 servers but with different VIPs, are correctly returned to the client. Assume all routing is correct. Thanks in advance for your feedback.
Client 1 SRC ip 192.168.1.2 SRC port UDP 4932 (random port)
DST ip 10.1.2.100 DST port UDP 1120
Client 2 SRC ip 172.16.12.12 SRC port UDP 8374 (random port)
DST ip 10.1.2.101 DST port UDP 1120
Client 1 must have return packet - SRC ip 10.1.2.100 SRC port 1120
DST ip 192.168.1.2 DST port 4932
Client 2 must have return packet - SRC ip 10.1.2.101 SRC port 1120
The CSS sets up a Flow Control Block (FCB) in one direction only when a UDP packet is processed. The FCB for the return path will only be set up if the response packet arrives. Because of the uni-directional nature of UDP, a UDP content rule must have a corresponding source group to handle the return UDP traffic and to provide the mapping between the two sides of the UDP flow.
The problem here is that you want to have 2 different source NATs.
So the only way is to use an ACL to define which group to use.
You first need to define 2 groups, one for each VIP. Do not assign any service.
Then create an ACL like this to tell the CSS when to use one group or the other.
clause 10 permit udp destination sourcegroup
As you can see, you need to know in advance which group to use, so one client will always receive traffic from the same VIP.
Another solution is to do client NAT when forwarding the client request to the server.
In this case, an FCB for the reverse path will also be set up, and the CSS will do the automatic reverse NATing when the server responds. The only drawback is that the server always sees traffic coming from the same IP.
If you go for this solution, you need a group, but instead of using 'add service' you use 'add destination service'.
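To make the two-group approach above concrete, here is an added configuration sketch in CSS 11500 CLI style; it is not the poster's or Cisco's configuration. The VIPs 10.1.2.100/.101 and UDP port 1120 are taken from the question; the server addresses 10.1.2.10/.11, all object names and the circuit name VLAN1 are constructed assumptions.

```text
!*** Added illustration, not the poster's config. Server IPs 10.1.2.10/.11,
!*** object names and circuit VLAN1 are assumptions; VIPs and port 1120 are
!*** from the question. Both content rules share the same two servers.
service udp-srv1
  ip address 10.1.2.10
  protocol udp
  port 1120
  keepalive type none
  active
service udp-srv2
  ip address 10.1.2.11
  protocol udp
  port 1120
  keepalive type none
  active
owner udp-owner
  content vip100
    vip address 10.1.2.100
    protocol udp
    port 1120
    add service udp-srv1
    add service udp-srv2
    active
  content vip101
    vip address 10.1.2.101
    protocol udp
    port 1120
    add service udp-srv1
    add service udp-srv2
    active
!*** One source group per VIP, deliberately with no 'add service':
!*** a service can only belong to one group, so the ACL below selects
!*** the group per client flow instead.
group grp-vip100
  vip address 10.1.2.100
  active
group grp-vip101
  vip address 10.1.2.101
  active
!*** Client-facing ACL: UDP flows to each VIP are tied to that VIP's group,
!*** so the return packet leaves with the VIP the client used. Enabling ACLs
!*** adds an implicit deny on every circuit, hence clause 30. Verify with
!*** 'show acl' and 'show flows'.
acl 10
  clause 10 permit udp any destination 10.1.2.100 sourcegroup grp-vip100
  clause 20 permit udp any destination 10.1.2.101 sourcegroup grp-vip101
  clause 30 permit any any destination any
  apply circuit-(VLAN1)
acl enable
```

The alternative in the reply (client NAT) would instead use a single group with 'add destination service udp-srv1' and 'add destination service udp-srv2' and no ACL, at the cost of the servers only ever seeing the group VIP as the client address.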
Thanks Giles, the only problem is that there is a requirement for the original source IP to hit the server. I will be doing NATs a level above this, as there are two public IPs that the clients will hit, so I will NAT them to different VIPs in order to differentiate them. So would I use the NATted VIP in the ACL to point to the source group? This may require several different NATs. The question posed had two; actually there are about eight or nine I need to worry about.