Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

ACE One-Arm Mode - NAT

Hopefully someone can help me here.

I am trying to load balance a set of servers and need to do this in a one-arm mode configuration.

Client - Router - ACE - Router - Server Farm

I cannot get ACE to change the SRC address of the packet before it gets sent to the server farm. Appears that ACE makes the load balance decision and forwards the packet on. Doing traces, I see that the server is responding directly to the client and not to the ACE.

Can someone post a config in which they have implemenet both Load Balancing and NAT like I want to do above.

Again, I want to change the SRC address before it gets sent to the server farm.

Thanks,

Phil

5 REPLIES

Re: ACE One-Arm Mode - NAT

Lets assume that your client vlan (where the VIP resides) is vlan 10 and server vlan is vlan 20 then you need following config

policy-map multi-match VIPS

class VIP-APP1

loadbalance vip inservice

loadbalance SLB_LOGIC

nat dynamic 1 vlan 20

interface vlan 10

description Client vlan

ip address 10.10.10.1 255.255.255.0

service-policy input VIPS

no shutdown

interface vlan 20

description Servers vlan

ip address 20.20.20.1 255.255.255.0

nat-pool 1 20.20.20.10 20.20.20.20 netmask 255.255.255.0

no shutdown

nat-pool is always configured on the egress traffic interface.

If ACE is connected via a single vlan (One arm mode) the both service policy and nat pools will be applied on the same interface.

policy-map multi-match VIPS

class VIP-APP1

loadbalance vip inservice

loadbalance SLB_LOGIC

nat dynamic 1 vlan 10

interface vlan 10

description Onearm vlan

ip address 10.10.10.1 255.255.255.0

service-policy input VIPS

nat-pool 1 20.20.20.10 20.20.20.20 netmask 255.255.255.0

no shutdown

Best place to ask ACE related questions is "Data center" area.

Thanks

Syed Iftekhar Ahmed

New Member

Re: ACE One-Arm Mode - NAT

Ok, that is how I have it configured and it does not work. The ACE passes the client IP onto the server. The server attempts to respond directly back to the client!! Maybe I did something wrong?? Looking at my network traces, it is not using the NAT ip's. Now I have gotten it to work if I put the server on the same segment as the ACE and put the LoadBalance and the NAT statements in different Class-Maps referenced the 2 Class-Maps in the same Policy Multi-Match. I need for the Client, ACE, and Server to all be on different segments. I will post that config if you care to see it. Here is the config as suggested that does not do NATing....

access-list EVERYONE line 1 extended permit ip any any

rserver host Server1

ip address 10.10.10.100

inservice

serverfarm host WEBFARM

rserver Server1 80

inservice

class-map type management match-any MGMT-POLICY

201 match protocol snmp any

202 match protocol xml-https any

203 match protocol telnet any

204 match protocol ssh any

205 match protocol icmp any

206 match protocol https any

207 match protocol http any

class-map match-any VIP-10

2 match virtual-address 10.10.10.20 any

policy-map type management first-match MGMT-POLICY

class MGMT-POLICY

permit

policy-map type loadbalance first-match VIP-10-l7slb

class class-default

serverfarm WEBFARM

policy-map multi-match NAT-POLICY

class VIP-10

loadbalance vip inservice

loadbalance policy VIP-10-l7slb

nat dynamic 1 vlan 10

interface vlan 10

ip address 10.10.10.15 255.255.255.0

access-group input EVERYONE

nat-pool 1 10.10.110.30 10.10.110.35 netmask 255.255.255.0 pat

service-policy input NAT-POLICY

no shutdown

interface vlan 5

ip address 10.10.5.15 255.255.255.0

service-policy input MGMT-POLICY

no shutdown

ip route 0.0.0.0 0.0.0.0 10.10.5.1

snmp-server contact "ANM"

snmp-server location "ANM"

snmp-server community public group Network-Monitor

snmp-server trap-source vlan 5

Re: ACE One-Arm Mode - NAT

I think its your default route.

Due to default route traffic is egressing through wrong interface.

If you are in one arm mode shouldnt the default route be pointing towards 10.10.110.x gateway?

You can also try using "mac-sticky enable" under the vlan configuration if you canont change the default gateway. This will make sure that the same interface will be used for return traffic where the request was recieved.

Syed

New Member

Re: ACE One-Arm Mode - NAT

That is exactly what it was. Cant beleive I overlooked that. In bridged mode and routed mode the default gateway does not matter so I never bothered with it. Thank you for your help!

Re: ACE One-Arm Mode - NAT

I am glad it helped.

Just to let you know "Data Center section" is the right place to ask ACE related questions.

Thanks

Syed

391
Views
0
Helpful
5
Replies