02-14-2012 09:07 AM
We have two contexts, contextA and contextB. They both share vlan 100 on the internet side and vlan 200 on the rserver side.
Now to the problem.
One rserver, rserver1, needs to communicate with both contextA and contextB. Rserver1 is used for static information during releases and so on. Rserver1 is a member in server farms in both contextA and contextB but on different TCP ports. Normally rserver1 is in status OUTOFSERVICE in the different server farms. When we need to do releases on a specific server farm we put rserver1 INSERVICE and the other rservers in that server farm OUTOFSERVICE. The default gateway in rserver1 points to contextA. When requests come from contextB the answer goes to contextA.
Is there any solution to that problem? I have been thinking SNAT in contextB to this rserver1 could solve the problem. But how is that done? Any solutions?
Thanks in advance
Per-Anders Edlund
02-15-2012 01:50 AM
Hi Per-Anders
If I understood you correctly - yes, SNAT seems to be a proper solution in your case.
Basic configuration: you just need to define a nat pool and a nat statement in the policy map (the multi-match one).
The nat pool is defined on the interface which faces your real server, e.g.:
nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat << "the pat keyword is for when you want to do PAT"
Then in your multi-match policy, under the class map which leads to the necessary serverfarm, you just add this line: nat dynamic 1 (this is the number of the nat-pool) vlan 200 (this is the interface which faces the rserver and has the nat pool configured)
You can see more details here:
02-15-2012 03:39 AM
Hi Borys, and thank you for your answer.
As I understand it, with your suggestion the whole serverfarm will be SNAT:ed (all rservers in the farm).
What I would like to do is SNAT only one of the rservers in the serverfarm (rserver avbrott-VIP 4806).
The config looks like this today:
contextB#:
serverfarm host vmiv75
  description xxxxxxx
  rserver avbrott-VIP 4806
    probe prod4806
  rserver lppwww1 9280
    inservice
  rserver lppwww2 9280
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-vmiv75
  timeout 30
  replicate sticky
  serverfarm vmiv75
class-map match-all VIP-vmiv75
  10 match virtual-address a.b.c.d tcp eq https
policy-map type loadbalance first-match VIP-pol-vmiv75-443
  class class-default
    sticky-serverfarm sticky-vmiv75
policy-map multi-match lb-web2.0-trav
  class VIP-vmiv75
    loadbalance vip inservice
    loadbalance policy VIP-pol-vmiv75-443
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server www_vmiv75
interface vlan 100
  description *** VIP-interface Internet ***
  ip address x.x.x.1 255.255.255.0
  alias x.x.x.2 255.255.255.0
  peer ip address x.x.x.3 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  service-policy input lb-web2.0-trav
  no shutdown
interface vlan 200
  description *** Server-interface ***
  ip address y.y.y.1 255.255.255.0
  alias y.y.y.2 255.255.255.0
  peer ip address y.y.y.3 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  no shutdown
02-15-2012 08:01 AM
Hi Per-Anders
In this case everything is much worse.
If you want to have a loadbalancing to serverfarm and NAT only flows which are going to one server in this serverfarm - it's not possible.
However, as you wrote:
"When we need to do releases on a specific server farm we put rserver1 INSERVICE and the other rservers in that server farm OUTOFSERVICE"
You shouldn't be afraid of adding NAT for the whole serverfarm, but yes - you will need to remove it when you finish with the task.
I'd say that the easiest way is to change routing on the server (of course, if you don't need to have it Inservice on both ACEs simultaneously).
02-15-2012 09:15 AM
Hi Borys, and thank you for your answer,
But it was not what I hoped to hear.
Is it possible to send traffic from rserver avbrott-VIP 4806 to another VIP address in this context (contextB) or contextA and do the SNAT in the new policy-map multi-match-->class-map?
- pAe
02-17-2012 01:56 AM
Hi Per-Anders
Hm, as I understood from your previous email you have context A with VIP X.X.X.X which is tied to serverfarm ServerFarm#1 which has a few real servers and one of them is realserver Rserver1. You have the same situation in context B , let's say with VIP Y.Y.Y.Y and serverfarm ServerFarm#2 and the same Rserver1 is a part of it. Rserver1 routing points to contextA. And you want to be able to SNAT traffic going to Rserver1 only, but in the same time don't SNAT traffic which is going to other real servers in this serverfarm.
This configuration can't be done on ACE.
However there are different possibilities, such as: move this server to another serverfarm, add/remove the NAT statement when it's necessary, etc. - but all of them demand a configuration change each time you need to do so.
And your last question isn't clear to me. Could you please clarify it? (I mean, you can send traffic from the server to any IP you want; do you want to redirect traffic on ACE from one VIP to another?)
02-17-2012 06:15 AM
Hi again Borys, and thank you for still answering my question.
I understand this is a tricky question. This time I have a simple picture of the situation and config for both contexts:
____________________________________________________________________
contextA#:
serverfarm host Serverfarm#A
  description xxxxxxx
  rserver rserver1 4906
  rserver rserver4 9280
    inservice
  rserver rserver5 9280
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-Serverfarm#A
  timeout 30
  replicate sticky
  serverfarm Serverfarm#A
class-map match-all VIP-Serverfarm#A
  10 match virtual-address a.b.c.d tcp eq https
policy-map type loadbalance first-match VIP-pol-Serverfarm#A
  class class-default
    sticky-serverfarm sticky-Serverfarm#A
policy-map multi-match lb-vlan100-1
  class VIP-Serverfarm#A
    loadbalance vip inservice
    loadbalance policy VIP-pol-Serverfarm#A
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server www_Serverfarm#A
interface vlan 100
  description *** VIP-interface Internet ***
  ip address x.x.x.1 255.255.255.0
  alias x.x.x.2 255.255.255.0
  peer ip address x.x.x.3 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  service-policy input lb-vlan100-1
  no shutdown
interface vlan 200
  description *** Server-interface ***
  ip address y.y.y.1 255.255.255.0
  alias y.y.y.2 255.255.255.0
  peer ip address y.y.y.3 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  no shutdown
_______________________________________________________
contextB#:
serverfarm host Serverfarm#B
  description xxxxxxx
  rserver rserver1 4806
  rserver rserver2 9220
    inservice
  rserver rserver3 9220
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-Serverfarm#B
  timeout 30
  replicate sticky
  serverfarm Serverfarm#B
class-map match-all VIP-Serverfarm#B
  10 match virtual-address e.f.g.h tcp eq https
policy-map type loadbalance first-match VIP-pol-Serverfarm#B
  class class-default
    sticky-serverfarm sticky-Serverfarm#B
policy-map multi-match lb-vlan100-2
  class VIP-Serverfarm#B
    loadbalance vip inservice
    loadbalance policy VIP-pol-Serverfarm#B
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    ssl-proxy server www_Serverfarm#B
interface vlan 100
  description *** VIP-interface Internet ***
  ip address x.x.x.4 255.255.255.0
  alias x.x.x.5 255.255.255.0
  peer ip address x.x.x.6 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  service-policy input lb-vlan100-2
  no shutdown
interface vlan 200
  description *** Server-interface ***
  ip address y.y.y.4 255.255.255.0
  alias y.y.y.5 255.255.255.0
  peer ip address y.y.y.6 255.255.255.0
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  no shutdown
______________________________________________________
rserver1 is only used when I manually want to display a maintenance/servicing page to our internet customers.
In the normal case with rserver1 in OUTOFSERVICE everything works fine. rserver1, rserver2 and rserver3 have the default gateway to x.x.x.5, and rserver4 and rserver5 have the default gateway to x.x.x.2.
When I put rserver2 and rserver3 in OUTOFSERVICE and rserver1 INSERVICE in ContextB serverfarmB# everything is ok. The default gateway is ok.
When I do the same thing in ContextA e.g. rserver4 and rserver5 in OUTOFSERVICE and rserver1 INSERVICE in serverfarmA#, rserver1 sends the traffic to contextB due to the default gateway.
What I would like to do is to manipulate the source address when packets come from ContextA serverfarmA# to rserver1.
It is not possible to manipulate the source address when I have landed in the serverfarm. (See above.)
Is it possible to define rserver1's IP address as a new VIP address either in contextA or contextB? That VIP and serverfarm would only consist of one rserver, rserver1. Then I can do SNAT for that new serverfarm.
Or is there any other solution? Open for any suggestions.
Hope you get my point here.
- pAe
02-21-2012 04:19 AM
Hi
Thanks for this explanation.
So, as I understand it, the main issue is that you want to have rserver1 active in both serverfarms/contexts simultaneously and are hitting a routing issue.
IMHO, the best way - just take one more server and use it for the different context with a different default route.
The main problem with your task is that ACE can't do rserver specific NAT. So, you can do NAT in the layer 4 or layer 7 policy map only, thus it's either VIP or Serverfarm specific.
Another way - just modify the configuration on one of the contexts each time, e.g. when you put all servers OUTOFSERVICE, you can just add the NAT configuration for this serverfarm/VIP; as all but rserver1 are OUTOFSERVICE it won't cause any damage. Later, when you want to enable all other servers and disable rserver1 - you will need to remove this NAT configuration.
If you have HTTP there, there is one more "sophisticated" idea based on the HTTP redirection message - use a redirecting serverfarm as a backup serverfarm for the current one, so it will redirect customers to a new VIP, where a new serverfarm with only rserver#1 is located and NAT is done. If you use HTTP and need a clarification about the last option - let me know.
02-24-2012 06:19 AM
I am having a similar issue where I need to NAT only one server within a farm. I have set up a backup farm redirecting HTTP to another VIP where I perform NAT and it works ok for HTTP but doesn't seem to work for HTTPS. I am using the command webhost-redirection http://x.x.x.x under the rserver redirect to redirect to the other VIP but when I change it to https://x.x.x.x it doesn't work although going direct to the VIP address does. Is it possible to redirect HTTPS in this way? If not, are there any other ways to do this? I could possibly insert the client IP in the http header but I would rather find another way to do this.
02-24-2012 06:29 AM
Hi Graham
In general - it's possible and there shouldn't be any problem. Maybe you don't catch it with the class map.
Another important point - HTTPS is nothing but HTTP in SSL. So, to be able to do something with HTTP you need to decrypt SSL first. And a redirection serverfarm is nothing but an instance which sends an HTTP 301/302 redirect message. So, it will work only if you're doing SSL offload on ACE for this flow (if you try to send something before the SSL connection is established it will be ignored by the client).
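The redirect-backup design Borys outlines and Graham is trying, written out for contextB as an added example (it is not configuration from any post in this thread). The ACE building blocks are a redirect rserver with webhost-redirection (the command Graham names), a redirect serverfarm attached as backup to the sticky group, and a second VIP whose class carries the nat dynamic statement from Borys' first reply. Assumed, not from the thread: the names maint-redirect, sf-maint-redirect, Serverfarm#maint, VIP-maint, VIP-pol-maint and www_maint, the VIP address m.m.m.m, the redirect target https://maint.example.com, the pool address y.y.y.200, and the use of "!" lines as comments (they are for reading only and are not entered on the ACE).

```text
! contextB (added example, assumed names) - redirect to a maintenance VIP that SNATs to rserver1
rserver redirect maint-redirect
  webhost-redirection https://maint.example.com 302
  inservice

serverfarm redirect sf-maint-redirect
  rserver maint-redirect
    inservice

! The backup is used once no rserver in Serverfarm#B is active, i.e. when
! rserver2 and rserver3 are put OUTOFSERVICE (rserver1 stays OUTOFSERVICE here).
sticky ip-netmask 255.255.255.255 address source sticky-Serverfarm#B
  timeout 30
  replicate sticky
  serverfarm Serverfarm#B backup sf-maint-redirect

! Separate farm containing only rserver1, reached through its own VIP.
serverfarm host Serverfarm#maint
  rserver rserver1 4806
    inservice

class-map match-all VIP-maint
  10 match virtual-address m.m.m.m tcp eq https

policy-map type loadbalance first-match VIP-pol-maint
  class class-default
    serverfarm Serverfarm#maint
    insert-http X-Forwarded-For header-value "%is"

! Pool on the server-facing interface (assumed address y.y.y.200, PAT so one address is enough).
interface vlan 200
  nat-pool 1 y.y.y.200 y.y.y.200 netmask 255.255.255.0 pat

! Only VIP-maint is source-NATed; VIP-Serverfarm#B stays exactly as before.
policy-map multi-match lb-vlan100-2
  class VIP-maint
    loadbalance vip inservice
    loadbalance policy VIP-pol-maint
    nat dynamic 1 vlan 200
    ssl-proxy server www_maint
```

Two things to check before relying on it. The 302 is only sent for flows the ACE has decrypted, so the primary VIP must keep its ssl-proxy server, as Borys says; a plain TCP (non-terminated) HTTPS VIP will never emit the redirect. Second, the browser follows the redirect to a new hostname, so the maintenance VIP's ssl-proxy service needs a certificate valid for that name, otherwise customers get a certificate warning instead of the maintenance page. Because rserver1 now sees y.y.y.200 as the TCP source, anything on rserver1 that logs or filters by client address must read X-Forwarded-For, and should trust that header only on connections arriving from the pool address, since any client can send its own copy of it.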
03-09-2012 02:58 AM
Hi again Borys, (and others).
I think we can close this case.
I have done SNAT for the whole server farm and 'insert-http X-Forwarded-For header-value "%is"' and finally got our server guys to look in the http header for the source ip address (not the tcp source field) when creating the access logs for these servers.
Thank you Borys for your engagement.
- pAe
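The approach the thread settles on, assembled into contextA's configuration from Per-Anders' post as an added example (this is not configuration from any post): the nat-pool on the server-facing interface and the nat dynamic line under the VIP class, both from Borys' first reply, plus the insert-http line from the closing post. Assumed, not from the thread: the pool address y.y.y.200, the choice of PAT, and the "!" comment lines, which are for reading only and are not entered on the ACE.

```text
! contextA (added example) - SNAT the whole farm behind VIP-Serverfarm#A and carry the client IP in a header
! Pool on the rserver-facing interface; one address with pat is enough for a maintenance page.
interface vlan 200
  description *** Server-interface ***
  ip address y.y.y.1 255.255.255.0
  alias y.y.y.2 255.255.255.0
  peer ip address y.y.y.3 255.255.255.0
  nat-pool 1 y.y.y.200 y.y.y.200 netmask 255.255.255.0 pat
  access-group input everyone
  access-group output everyone
  service-policy input icmp
  no shutdown

! Layer 7 policy: same sticky farm as before, now also inserting the original client address.
! "%is" is the ACE variable for the source IP of the client connection.
policy-map type loadbalance first-match VIP-pol-Serverfarm#A
  class class-default
    sticky-serverfarm sticky-Serverfarm#A
    insert-http X-Forwarded-For header-value "%is"

! nat dynamic applies to every flow matching class VIP-Serverfarm#A, i.e. to all rservers in the farm.
! While rserver4 and rserver5 are OUTOFSERVICE only rserver1 is affected, which is why it is safe during a release.
policy-map multi-match lb-vlan100-1
  class VIP-Serverfarm#A
    loadbalance vip inservice
    loadbalance policy VIP-pol-Serverfarm#A
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 200
    ssl-proxy server www_Serverfarm#A
```

With this in place rserver1 answers to y.y.y.200, which is local to vlan 200, so its default gateway no longer matters for contextA traffic. insert-http requires the flow to be handled by the layer 7 policy, which for HTTPS means the existing ssl-proxy server termination on the VIP. On the server side, access logs and any address-based access control must now use the X-Forwarded-For value rather than the TCP source; treat that header as trustworthy only on connections that arrive from the pool address, since the header name is public and any client can include a forged one in its own request. Once the release is finished and rserver4 and rserver5 go back INSERVICE, remove the nat dynamic line again if those servers should keep seeing real client addresses at the TCP level, as Borys noted.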