Here you have a diagram about it.
Below you have a configuration sample:
rserver host lnx1
  ip address 172.16.3.11
  inservice
rserver host lnx2
  ip address 172.16.3.12
  inservice
rserver host lnx3
  ip address 172.16.3.13
  inservice
rserver host lnx4
  ip address 172.16.3.14
  inservice
rserver host lnx5
  ip address 172.16.3.15
  inservice

serverfarm host web
  rserver lnx1
    inservice
  rserver lnx2
    inservice
  rserver lnx3
    inservice
  rserver lnx4
    inservice
  rserver lnx5
    inservice

class-map match-all slb-vip
  2 match virtual-address 172.16.3.100 any

policy-map type management first-match remote-access
  class class-default
    permit

policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web

policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb

interface vlan 30
  description "Client Side"
  bridge-group 3
  access-group input everyone
  service-policy input client-vips
  no shutdown

interface vlan 31
  description "Server Side"
  bridge-group 3
  service-policy input remote-access
  no shutdown

interface bvi 3
  ip address 172.16.3.5 255.255.255.0
  description "client - server bridge group"
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.3.1
Those servers need to point at the router in front of the ACE as the default gateway and the ACE will point at it as well.
Hope this helps!!!
Thanks for your reply. I understand the rationale of pointing the back-end servers to the router as the default gateway, but can't think of any reason for doing the same for the ACE. Can someone please shed the light on this?
When the ACE receives the packet on the VIP it forwards the packet to the server, but when the reply comes back it changes the server IP to the VIP. So that's when it needs routing to send the packet back to the client. That's the reason for the default gateway.
So it's like this:
(Client IP - VIP IP) >> [ACE is between] >> (Client IP - Server IP)
(Server IP - Client IP) >> [ACE is between] >> (VIP IP - Client IP)
Now the ACE wants to route the packet to the client. That's when it needs a route, hence the need for a default gateway.
Hope that helps.
Ajay, thanks for your response. Your example applies to the ACE in routed mode. In this case, we're talking about the ACE in transparent (Layer 2) mode, which is basically a device bridging 2 VLANs. You wouldn't want to introduce a Layer 2 IP address in this case, would you?
Even in Layer 2 the same logic applies: the VIP remains on the ACE and it has to do destination NAT...
Let's say, for example:
Client IP - 10.10.10.10
VIP IP - 10.10.10.12
Server IP - 10.10.10.14
Packet from client to VIP :
[10.10.10.10-10.10.10.12] >> ACE after making load balancing decision >> [10.10.10.10-10.10.10.14]
Response from Server :
[10.10.10.14-10.10.10.10] >> ACE will intercept and change it to >> [10.10.10.12-10.10.10.10]
If you don't need load balancing then yes, for direct communication between server and client the ACE does not need a default gateway.
Ajay, having the ACE in transparent or routed mode has no impact on the way it processes a packet. What sets these two modes apart is the fact that the ACE doesn't route a packet when it's in transparent mode; instead, it acts as a bridge and does Layer 2 processing. I have plenty of functional configurations for the ACE SM in transparent mode and none of them has a default gateway for the ACE. Yet, it looks like Cisco's best practice requires a Layer 3 default gateway for the ACE configured in transparent mode and I would like to understand the rationale for it.
I understand what you are trying to say:
As long as every client IP comes from the same L2 subnet everything will work fine, as the ACE will not require a default gateway in those cases. The issue will occur when the source of the packet is not local.
Say for example:
Client IP >> Firewall >> ACE >> server
Think of a scenario where the firewall forwards a packet with destination NAT. The ACE will perceive the source as an IP from a different subnet, so while sending the response it will need a default route; otherwise it will simply drop the packet saying no route found.
I think that's the reason why best practice requires a Layer 3 default gateway for the ACE.
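As an added illustration (not code from the thread or from Cisco), the following Python model walks through the reverse-path decision Ajay describes for a transparent-mode ACE: the reply from the real server gets its source rewritten to the VIP, and the ACE then either resolves the client at Layer 2 (client on the bridged subnet) or needs the default route (client address outside the subnet, for example behind a NATing firewall). The rserver, VIP, BVI and `ip route` values are taken from the sample configuration above; the client addresses and the simplified bridge/route/drop logic are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model, not Cisco ACE code: one bridge-group joining VLAN 30 and
# VLAN 31, a VIP owned by the ACE, and an optional 'ip route 0.0.0.0 0.0.0.0'.
IPv4 = ipaddress.IPv4Address


@dataclass
class TransparentAce:
    bvi_network: ipaddress.IPv4Network       # subnet of 'interface bvi 3'
    vip: IPv4                                # 'match virtual-address' in class-map slb-vip
    servers: Dict[str, IPv4]                 # rserver name -> real IP
    default_gateway: Optional[IPv4] = None   # next hop from 'ip route 0.0.0.0 0.0.0.0 <gw>'
    flows: Dict[Tuple[IPv4, IPv4], IPv4] = field(default_factory=dict)  # (client, server) -> VIP

    def client_to_vip(self, client: IPv4, server_name: str) -> Tuple[IPv4, IPv4]:
        """Client -> VIP: destination-NAT the VIP to the chosen rserver and remember the flow."""
        server = self.servers[server_name]
        self.flows[(client, server)] = self.vip
        return (client, server)

    def server_reply(self, server: IPv4, client: IPv4) -> Tuple[Tuple[IPv4, IPv4], Tuple[str, str]]:
        """Server -> client: restore the VIP as source, then choose the egress path."""
        vip = self.flows.get((client, server))
        if vip is None:
            # Not a load-balanced flow: plain bridged traffic is forwarded at L2 as-is,
            # no IP lookup and therefore no gateway needed.
            return (server, client), ("bridge", str(client))
        return (vip, client), self.egress(client)

    def egress(self, dst: IPv4) -> Tuple[str, str]:
        """Egress decision for a packet the ACE itself rewrote (assumed model)."""
        if dst in self.bvi_network:
            # Client sits on the bridged subnet: resolve it at Layer 2, no route needed.
            return ("bridge", str(dst))
        if self.default_gateway is not None:
            # Non-local source (e.g. arrived through a NATing firewall): send to the next hop.
            return ("route", str(self.default_gateway))
        # No route at all: the ACE has nowhere to send the rewritten reply.
        return ("drop", "no route found")


def ace_from_thread_config(with_default_route: bool = True) -> TransparentAce:
    """Build the model from the values in the sample configuration (lnx1..lnx5, VIP, BVI)."""
    servers = {f"lnx{i}": IPv4(f"172.16.3.{10 + i}") for i in range(1, 6)}
    return TransparentAce(
        bvi_network=ipaddress.IPv4Network("172.16.3.0/24"),
        vip=IPv4("172.16.3.100"),
        servers=servers,
        default_gateway=IPv4("172.16.3.1") if with_default_route else None,
    )


def demo() -> List[Tuple[str, str, str]]:
    """Run the three cases from the discussion; client addresses are constructed."""
    results = []
    local_client = IPv4("172.16.3.50")   # constructed: same subnet as the bridge-group
    remote_client = IPv4("10.0.0.7")     # constructed: source outside the subnet
    for label, ace, client in (
        ("local client, route configured", ace_from_thread_config(True), local_client),
        ("remote client, route configured", ace_from_thread_config(True), remote_client),
        ("remote client, no route", ace_from_thread_config(False), remote_client),
    ):
        _, server = ace.client_to_vip(client, "lnx1")
        _, (action, target) = ace.server_reply(server, client)
        results.append((label, action, target))
    return results


if __name__ == "__main__":
    for label, action, target in demo():
        print(f"{label:35s} -> {action} {target}")
```

Running `demo()` shows the point of the thread: the local client is reached by bridging whether or not `ip route` exists, while the remote client is routed to 172.16.3.1 only when the default route is present and is dropped with "no route found" otherwise.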
Sorry, I am missing your point. But I am wondering if you would need a dfg if the ACE is initiating connections, like for FTP, TFTP, etc.?