10-19-2012 11:55 AM
So I have an ACE30 set up in a one-arm config, trying to replicate the configuration that we have on our production environment with the older CSM module for a 6509. I set up a test server, attached it to a port and VLAN and confirmed connectivity. I can browse to the website on that server from my laptop. If I try to hit the VIP that I have set up on the ACE, it fails. Client packets increment but the server packets stay at zero. I can ping the server from the ACE admin context and the load balancing context (that's the context attached here). The only thing I can think of is that I need to open up the svclc?
So, with that... any suggestions? Configs follow:
-----------ACE 30--------------------
Generating configuration....
access-list INBOUND line 8 extended permit ip any any
access-list OUTBOUND line 8 extended permit ip any any
rserver host TEST_1
  description Test webserver
  ip address 10.10.20.30
  inservice
serverfarm host TEST_WEB
  predictor leastconns
  rserver TEST_1
    inservice
class-map match-all TEST_VS
  3 match virtual-address 10.10.252.23 tcp eq www
policy-map type loadbalance first-match TEST_LB
  class class-default
    serverfarm TEST_WEB
policy-map multi-match PROD_WWW
  class TEST_VS
    loadbalance vip inservice
    loadbalance policy TEST_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
interface vlan 9
  ip address 10.9.5.3 255.255.0.0
  alias 10.9.5.1 255.255.0.0
  access-group input INBOUND
  access-group output OUTBOUND
  service-policy input PROD_WWW
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.9.1.2
------------Catalyst 6509------------------
----snip---
svclc module 9 vlan-group 1
svclc vlan-group 1 9
----snip---
ip access-list extended return-traffic-csm
 permit tcp any eq www any
 permit tcp any eq 443 any
 permit tcp any eq ftp any
 permit tcp any eq 8080 any
 permit tcp any eq 81 any
 permit tcp any eq 82 any
 permit tcp any eq 83 any
 permit tcp any eq 54320 54320 any
 permit tcp any eq 389 any
 permit tcp any eq 686 any
 deny ip any any
---snip---
interface Vlan1
 no ip address
!
interface Vlan9
 ip address 10.9.1.2 255.255.0.0
!
interface Vlan10
 ip address 10.10.1.2 255.255.0.0
 ip flow ingress
 ip policy route-map csm-traffic
!
interface Vlan20
 ip address 10.20.1.2 255.255.0.0
 ip flow ingress
 ip policy route-map csm-traffic
---snip---
route-map csm-traffic permit 10
 match ip address return-traffic-csm
 set ip next-hop 10.9.5.3
10-22-2012 01:43 AM
Looks like the issue is that the real server responds directly back to the client PC, because the source address seen by the server is that of the client PC only and not that of the load balancer.
Adding source NAT on the ACE should fix the issue.
You create a dynamic nat-pool with a pool or a single IP and have all the traffic routed via the Cisco ACE.
policy-map multi-match PROD_WWW
  class TEST_VS
    loadbalance vip inservice
    loadbalance policy TEST_LB
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 9
interface Vlan9
  nat-pool 1 10.9.1.X netmask 255.255.255.0 pat
Hope that helps.
regards,
Ajay Kumar
10-22-2012 08:30 AM
The only issue with that is that we have to have the originating IP in our web logs for security and analytics purposes. We are using PBR on our current CSM configuration specifically to avoid having to use source NAT.
Anything else?
10-22-2012 01:21 PM
Hi William,
I see that you are willing to use PBR. I am wondering why you have not applied PBR on VLAN 9.
ip policy route-map csm-traffic << This is missing.
I believe after fixing PBR it should work.
regards,
Ajay Kumar
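As an added illustration (not code from the thread, from Cisco, or from either poster), here is a small Python model of the return-path problem and the two fixes proposed in the replies above: it parses a subset of the 6509's return-traffic-csm ACL, applies the route-map decision only where an SVI carries "ip policy route-map csm-traffic", and contrasts the source NAT fix (replies come back to the ACE, but the server logs the pool address) with the PBR fix (client IP preserved in the logs). The ACL text, the "client-ip" and "nat-pool-ip" labels and the "direct-to-client" hop are constructed for the model and are not measured ACE or IOS behaviour.

```python
import re
# Constructed input: a subset of the return-traffic-csm ACL from the thread.
ACL_TEXT = """permit tcp any eq www any
permit tcp any eq 443 any
permit tcp any eq ftp any
permit tcp any eq 8080 any
permit tcp any eq 54320 54320 any
deny ip any any"""
ACE_VLAN9 = "10.9.5.3"                 # route-map csm-traffic: set ip next-hop 10.9.5.3
NAMED_PORTS = {"www": 80, "ftp": 21}   # IOS port keywords used in the ACL

def parse_acl(text):
    """Parse the ACL subset used here into (action, proto, source_ports);
    an 'eq' clause may list several ports, as 'eq 54320 54320' does."""
    rules = []
    for line in text.splitlines():
        m = re.fullmatch(r"(permit|deny) (tcp|ip) any (?:eq ((?:\S+ )+))?any", line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line}")
        ports = {NAMED_PORTS[p] if p in NAMED_PORTS else int(p)
                 for p in (m.group(3) or "").split()}
        rules.append((m.group(1), m.group(2), ports))
    return rules

def acl_permits(rules, proto, src_port):
    """First-match evaluation with an implicit deny at the end."""
    for action, rproto, ports in rules:
        if rproto in ("ip", proto) and (not ports or src_port in ports):
            return action == "permit"
    return False

def next_hop(rules, ingress_has_policy, proto, src_port, normal_hop):
    """Forwarding decision for a server reply entering the 6509: the route-map
    is consulted only on an SVI that carries 'ip policy route-map csm-traffic'."""
    if ingress_has_policy and acl_permits(rules, proto, src_port):
        return ACE_VLAN9
    return normal_hop

def return_path(mode, rules):
    """Compare the fixes discussed: 'snat' brings replies back to the ACE but
    the server logs the NAT pool address; 'pbr' keeps the client IP in the
    logs and policy-routes port-80 replies to the ACE; 'direct' is neither."""
    logged_src = "nat-pool-ip" if mode == "snat" else "client-ip"
    if mode == "snat":
        hop = ACE_VLAN9   # reply is addressed to the ACE-owned pool address
    else:
        hop = next_hop(rules, mode == "pbr", "tcp", 80, "direct-to-client")
    return logged_src, hop, hop == ACE_VLAN9   # last item: reply passes the ACE
```

Running return_path for "direct", "snat" and "pbr" shows the trade-off William raises: only "pbr" keeps the client IP in the server's logs while still steering the reply through the ACE.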
10-22-2012 01:43 PM
Interesting... I didn't think of it this way, as our PBR does not exist on VLAN 9 where the older CSM resides. I'll give it a shot and see what happens.