topic Re: question about dynamic nat on ACE in Application Networking

question about dynamic nat on ACE

nygenxny123 — Wed, 02 Feb 2011 17:39:51 GMT

per documentation and training...i have always seen nat applied..using an accesss-list to define traffic,

class and policy maps than applied to an interface

howerver i ran across this configuration and wondering what exaclty it is doing..it seems overly simplified

I will post the only mention of NAT in the config

class-map match-all CUSOMERC-VIP
2 match virtual-address 172.20.200.33 tcp eq www

policy-map multi-match VIPs

class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 722 vlan 722

interface vlan 120

ip address 10.11.20.8 255.255.255.0

peer ip address 10.11.20.9 255.255.255.0

no normalization

no icmp-guard

access-group input any

nat-pool 120 10.11.20.30 10.11.20.30 netmask 255.255.252.0 pat

service-policy input ALLOW_ICMP_POLICY

interface vlan 722

ip address 172.20.200.4 255.255.255.0

alias 172.20.200.10 255.255.255.0

peer ip address 172.20.200.5 255.255.255.0

no normalization

access-group input any

nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat

service-policy input VIPs

service-policy input ALLOW_ICMP_POLICY

no shutdown

could this be considered a proper configuration?..i don't even see global service policies which reference NAT

when i hit the vip of CUSOMERC-VIP it doesn not appear that i am being translated.but do show a connection

apptier# sh xlate
apptier# sh conn | inc 172.20.200.33
1624825 1 in TCP 722 172.20.34.70:3481 172.20.200.33:80 ESTAB

Re: question about dynamic nat on ACE

Andrew Nam — Thu, 03 Feb 2011 04:22:34 GMT

The config looks to be ok. However just one condition.

Your vip address is 172.20.200.33 and sitting on vlan 722. So your client side vlan is the vlan 722. This is ok. However, your nat statement applied to the same vlan 722. So your server should be in the vlan 722. If the request is not sent to this particular vlan, the nat will not happen.

Here is the explanation.

....

policy-map multi-match VIPs

class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 722 vlan 722   <<<----

interface vlan 722

ip address 172.20.200.4 255.255.255.0

alias 172.20.200.10 255.255.255.0

peer ip address 172.20.200.5 255.255.255.0

no normalization

access-group input any

nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat

service-policy input VIPs

service-policy input ALLOW_ICMP_POLICY

no shutdown

....

Now look closely with "nat dynamic 722 vlan 722" cmd.

The above cmd basically tells the ACE to make action when the request leaves the ACE.

So the ACE will change client source ip address of the packet to natted ip. Your natted ip will be 172.20.200.20. This change will happen only if the request leaves the ACE to the vlan 722. The first "722" refers to "nat-pool 722" and the "vlan 722" specifies the outbound interface after the LB decision (i.e. forwarding to the serverfarm).

I hope this answers your question.

-Andrew

Re: question about dynamic nat on ACE

nygenxny123 — Thu, 03 Feb 2011 17:20:36 GMT

thx.

so trying to understand this

we can assume that the only time a NAT will happen is when a "user" attempt to hit that particular VIP?

other than that...any user trying to hit another VIP which is in the same VLAN 722 will not be NAT'd

unless we add that nat dynamic statement under the Layer 3 class map?

if for example i wanted to nat all "user incoming to that vlan" i would simpley creat an access list with a permit "any any"

and than apply that to a class map and than policy map?

Re: question about dynamic nat on ACE

Andrew Nam — Fri, 04 Feb 2011 01:44:18 GMT

First of all, it is more important to understand why nat is needed in ACE environment. Asymetric routing is often not accepted by loadbalancers. Therefore, you will need to check the reverse path making sure the server will respond to the client THROUGH the ACE.

Here is common topology you should use the nat on ACE.

client----- internet ---- router1 --- vlan10 -- ACE --- vlan 20 --- router2 --- serverfarm -- server1

| |

eth1 eth2

|_______________________________|

Let's say

client ip : 64.1.1.1

server1 : 40.1.1.1

vip address on vlan 10 of ACE : 10.1.1.10

int vlan 10 of ACE is : 10.1.1.1

int vlan 20 of ACE is : 20.1.1.1

int eth1 of router1 : 30.1.1.1

int eth2 of router2 : 30.1.1.2

1. client sends tcp request to the vip address. So the first packet will be tcp syn and its address should be source with client ip : 64.1.1.1 and dest with vip address on vlan 10 of ACE : 10.1.1.10.

2. If there is no routing issue, this request should get to the ACE and the ACE will go through classification to see if the request hits the vip or not.

3. If the request hits the vip, then the ACE will make forwarding decision to the serverfarm. When this happens, the ACE will be doing destination natting. i.e. the ACE will only replace the dest ip from vip to server1. So the address should be like source with client ip : 64.1.1.1 and dest with server1 : 40.1.1.1.

4. When the server receives this request, the server1 will respond to the client 64.1.1.1. So the reponse packet should be syn/ack and its address should be source with server1 : 40.1.1.1 and dest with client ip : 64.1.1.1.

5. This response will get to the router2 and if the router thinks shortest path to the client1 is via eth2, then the response will bypass the ACE.

6. This is the problem I said earlier as asymmetric routing.

7. The client sends the request with client ip : 64.1.1.1 and dest with vip address on vlan 10 of ACE : 10.1.1.10 but the response with source with server1 : 40.1.1.1 and dest with client ip : 64.1.1.1.

8. The client will reset the connection.

So let's apply dynamic natting to the ACE to avoid this sort of failure.

access-group input any

class-map match-all CUSOMERC-VIP
2 match virtual-address 10.1.1.10 tcp eq www

policy-map multi-match VIPs
class CUSOMERC-VIP
    loadbalance vip inservice
    loadbalance policy CUSOMERC-POLICY-L7
    loadbalance vip icmp-reply active
    nat dynamic 20 vlan 20

interface vlan 10

ip address 10.1.1.1 255.255.255.0

service-policy input VIPs <<<<-----

access-group input any

interface vlan 20

ip address 20.1.1.1 255.255.255.0

access-group input any

nat-pool 20 20.1.1.30 20.1.1.30 netmask 255.255.252.0 pat <<<-----

Now two things to remember.

+ We apply the service policy to the incoming interface which is int vlan 10 in this case.

+ We need to change the client source ip to the natted ip as per the nat-pool. This should be applied to the outgoing interface vlan 20.

So thus a sequence to process the dynamic natting for the request should be

service-policy input VIPs --> policy-map multi-match VIPs ---> class CUSOMERC-VIP ----> loadbalance policy CUSOMERC-POLICY-L7 ---> nat dynamic 20 vlan 20

Step1. request comes to int vlan 10. Then it will check "service-policy input VIPs".

Step2. since the service policy applied to the int vlan 10, it will check "policy-map multi-match VIPs".

Step3. "policy-map multi-match VIPs" comtains only one class-map which is "class CUSOMERC-VIP" and the ACE will check if the request hits the vip defined on the class-map.

Step4. Once it verifies if this is good request, then the ACE will find associated "policy-map type". The policy-map type basically perform "forwarding deciscion" which is load balaincing to the serverfarm.

Step5. However, we has defined one more condition to perform "natting" with " nat dynamic 20 vlan 20".

Step6. when the ACE performs the natting, it will change the client source ip to the natted ip with nat-pool 20 which applied on int vlan 20.

I hope this clarifies your question.

-Andrew

Re: question about dynamic nat on ACE

nygenxny123 — Mon, 07 Feb 2011 17:17:54 GMT

it does

thx!!!