ACE 4710 is not working

ciscoworlds
Level 4

Hi. I'm working on the Cisco ACE 4710 to be able to load balance web traffic between several web servers. But despite following the steps mentioned in the Cisco configuration guide (especially this link and related docs: http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context), we did not manage to make it work. We tested both the "bridged scenario" and the "routed scenario", but neither of them is working. Specifically, "configuring NAT" in the above link is very confusing and not clear, because it's not the same as Cisco IOS, which is how we used to implement it.

 

Routed Scenario:

==========================================

probe http Http_Probe
  description Server Health Check
  port 80
  request method head url /index.htm
probe icmp ICMP_Check
  interval 10
  passdetect interval 5
 
rserver host NetCad_Server_1
  ip address 172.16.1.100
  probe ICMP_Check
  inservice
rserver host NetCad_Server_2
  ip address 172.16.1.101
  probe ICMP_Check
  inservice
rserver host NetCad_Server_3
  ip address 172.16.1.102
  probe ICMP_Check
  inservice
 
serverfarm host NetCad_Servers
  probe Http_Probe
  rserver NetCad_Server_1 80
    inservice
  rserver NetCad_Server_2 80
    inservice
  rserver NetCad_Server_3 80
    inservice
 
sticky http-cookie Cookie1 1
  serverfarm NetCad_Servers
 
class-map match-all VS_NetCad
  2 match virtual-address 192.168.13.162 255.255.252.0 tcp any
 
policy-map type management first-match mgmt-pm
  class class-default
    permit
 
policy-map type loadbalance first-match VS_NetCad-l7slb
  class class-default
    serverfarm NetCad_Servers
 
policy-map multi-match int40
  class VS_NetCad
    loadbalance vip inservice
    loadbalance policy VS_NetCad-l7slb
    loadbalance vip icmp-reply
 
interface vlan 40
  description Client Side
  ip address 192.168.13.161 255.255.252.0
  ip options allow
  no normalization
  no icmp-guard
  access-group input Permit_ALL
  service-policy input mgmt-pm
  service-policy input int40
  no shutdown
interface vlan 41
  description Server Side
  ip address 172.16.1.1 255.255.255.0
  ip options allow
  no normalization
  no icmp-guard
  access-group input Permit_ALL
  nat-pool 1 172.16.1.110 172.16.1.110 netmask 255.255.255.255 pat
  service-policy input mgmt-pm
  no shutdown
 
ip route 0.0.0.0 0.0.0.0 192.168.12.1

 

==========================================

8 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

Add the last line below (the one that was in bold) to your configuration and try again.

policy-map multi-match int40
  class VS_NetCad
    loadbalance vip inservice
    loadbalance policy VS_NetCad-l7slb
    loadbalance vip icmp-reply
    nat dynamic 1 vlan 41

You have defined a NAT pool, but you have not defined which traffic NAT should be applied to. That might be the reason it is not working (if NAT is needed for things to work).

Also, do show conn address <client IP> and see what you get in the connection table. Ensure that the servers are all "operational" in the serverfarm.

Also, do show service-policy <policy name> detail and see where the drops are occurring.

Hope this helps!

Regards,

Kanwal

ciscoworlds
Level 4

Hi. I've worked mainly on Cisco routers and used them for NAT and everything else. But considering the documents related to ACE, there are differences between routers and the ACE device in implementing NAT (and probably other things). I am looking for answers to some questions and appreciate any help.

Regarding the help document published at this link (http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Creating_a_Virtual_Context), in the "NAT pool configuration" section, what addresses should be mentioned for "start IP address" and "end IP address"?

In the mentioned document, they wrote 10.10.50.101 and 10.10.50.104 for the start and end IP addresses respectively. But regarding the topology they used for this example (found in the previous topic at http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide,_Release_A3(1.0)_--_Setting_Up_an_ACE_Appliance), the real IP addresses of the servers are 10.10.50.10 through 10.10.50.13. So is there a mistake in the text, or what? This question comes from my experience with IOS routers and rotary pools, which we use to load balance traffic among servers. You know, in that situation the rotary NAT pool we create should contain the real servers' IP addresses.

Depending on what the answers will be, I will ask other subsequent questions. Thanks a lot.

Hi,

Let me explain.

Assume the client IP is 1.1.1.1, the VIP is 2.2.2.2 and the real server is 3.3.3.3.

Consider the simple situation where a client needs to access an application hosted on 3.3.3.3. The client sends a request, which comes to the VIP.

src 1.1.1.1 -----> dst 2.2.2.2. ACE, after matching the conditions and taking the LB decision, decides to send it to the 3.3.3.3 real server. It performs destination NAT and forwards the client request to 3.3.3.3. So the above packet's L3 header will now look like:

src 1.1.1.1       dst 3.3.3.3. When the reply comes from the server, ACE will change src 3.3.3.3 back to 2.2.2.2 and forward the request to client 1.1.1.1. SIMPLE LB.

Now comes a situation where, let's say, you want to hide the client IP from the server, or the server's default GW is not ACE, or the client and server are in the same subnet but need to communicate through the VIP on ACE, etc.

Src 1.1.1.1 dst 2.2.2.2

After LB, ACE decides to send it to 3.3.3.3, but the multi-match policy also has a NAT rule (nat dynamic 1 vlan x). The packet will be forwarded from the server VLAN, where you have the NAT pool defined. So let's say the pool IP is 3.3.3.4. ACE will perform both destination and source NAT here before forwarding the packet to the server, and the packet's L3 header will look like:

src 3.3.3.4 -----> dst 3.3.3.3

Now when 3.3.3.3 has to send the packet back, ACE will answer ARP for 3.3.3.3 and hence the packet will come back to ACE, which will again change the L3 header IPs and send it out the client VLAN towards the client.

So NAT is always applied to the server-side VLAN, and that's why the pool is chosen from the server-side subnet.

Let me know if you have any questions.

Regards,

Kanwal

 

ciscoworlds
Level 4

Thanks for your detailed answer. As I understand it, with regard to the links provided in my previous post, the servers' real IP addresses are 10.10.50.10 through 10.10.50.113 and the IP addresses in NAT are 10.10.50.101 through 10.10.50.104, where the NAT IP addresses are chosen from the server VLAN (10.10.50.0/24) but must be different from the servers' real IP addresses. Am I right?

And another question: if we want to use PAT instead of NAT, can we use one IP from the server-side VLAN (10.10.50.0/24), e.g. 10.10.50.101, that is not used anywhere and tick the "PAT" check box in the GUI? Am I right in this too? Thanks a lot.

Hi,

Yes, the NAT IP should be different from the real server IPs. Also, your understanding is correct regarding PAT. But note that you can only do NAT for 64K clients. If you have more clients than that, you will need more IPs in the pool. One IP in the pool cannot have more than 64K ports, and hence you need to know approximately how many clients are coming and increase the NAT pool accordingly.

Hope this helps!

Regards,

Kanwal

Note: For the next 90 days each answer rated will mean a $1 donation to KIVA (a non-profit organization). Please rate if it helped.
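To make the header rewrites in Kanwal's walkthrough above, and the per-address port limit from his PAT reply, concrete, here is an added Python model (not ACE code and not from this thread): a toy ACE that applies destination NAT on the VIP, adds dynamic source NAT/PAT from a server-side pool when one is configured, and reverses both on the server's reply. The class and function names, the 64512-port budget per PAT address and the round-robin rserver choice are assumptions for illustration; the addresses are the ones used in the thread.

```python
from collections import namedtuple

Pkt = namedtuple("Pkt", "src sport dst dport")  # the L3/L4 header fields ACE rewrites
PAT_PORTS = 64512  # ports 1024..65535 on one PAT address: the "64K clients" limit (assumed)

class Ace:
    """Toy ACE: dst NAT on the VIP, round-robin rserver, optional src NAT/PAT from a pool."""
    def __init__(self, vip, rservers, nat_pool=(), ports_per_ip=PAT_PORTS):
        self.vip, self.rservers, self.pool = vip, list(rservers), list(nat_pool)
        self.ports_per_ip, self.used = ports_per_ip, {ip: 0 for ip in nat_pool}
        self.rr, self.conns = 0, {}  # conns: (addr, port) the server sees -> (client, cport, rs)

    def _pat(self):
        # First pool address with a free port; one address cannot exceed ports_per_ip.
        for ip in self.pool:
            if self.used[ip] < self.ports_per_ip:
                self.used[ip] += 1
                return ip, 1023 + self.used[ip]
        raise RuntimeError("nat-pool exhausted: add addresses to the pool")

    def client_to_server(self, p):
        if p.dst != self.vip:
            raise ValueError("packet is not addressed to the VIP")
        rs = self.rservers[self.rr % len(self.rservers)]
        self.rr += 1
        src, sport = self._pat() if self.pool else (p.src, p.sport)
        self.conns[(src, sport)] = (p.src, p.sport, rs)
        return Pkt(src, sport, rs, p.dport)  # dst NAT; src NAT as well when a pool exists

    def server_to_client(self, p):
        client, cport, rs = self.conns[(p.dst, p.dport)]  # server replied to pool/client addr
        if p.src != rs:
            raise ValueError("reply from an rserver not in the connection table")
        return Pkt(self.vip, p.sport, client, cport)  # src rewritten back to the VIP

def round_trip(ace, client_pkt):
    fwd = ace.client_to_server(client_pkt)  # client -> ACE -> server
    reply = ace.server_to_client(Pkt(fwd.dst, fwd.dport, fwd.src, fwd.sport))  # and back
    return fwd, reply

def flows_before_exhaustion(pool, ports_per_ip, attempts):
    """How many distinct client flows a PAT pool accepts before no port is left."""
    ace = Ace("2.2.2.2", ["3.3.3.3"], pool, ports_per_ip)
    for i in range(attempts):
        try:
            ace.client_to_server(Pkt(f"1.1.1.{i + 1}", 5000, "2.2.2.2", 80))
        except RuntimeError:
            return i
    return attempts
```

Without a pool the server sees the client's own address, so its default gateway must point back at the ACE; with `["3.3.3.4"]` as the pool the server only ever sees 3.3.3.4, which is why the pool address must be a free address on the server-side subnet.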

ciscoworlds
Level 4

So, if we decide to use "Bridge Mode", does it pass through BPDU packets? I need this feature because I have more than one physical path and the ACE sits between the 2 switches.

Hi,

It allows BPDU packets. Please read below:

You can permit or deny BPDUs. By default, all BPDUs are denied. The ACE receives trunk port (Cisco proprietary) BPDUs because ACE ports are trunk ports. Trunk BPDUs have VLAN information inside the payload, so the ACE modifies the payload with the outgoing VLAN if you permit BPDUs. BPDU packets are not subjected to bandwidth policing in a bridge-mode configuration.

Note: If you configure failover on the ACE, you must permit BPDUs on both interfaces with an EtherType ACL to avoid bridging loops.

The following example shows an EtherType ACL that permits BPDUs:

host1/Admin(config)#  access-list NONIP ethertype permit bpdu

Note: The ACE does not forward multiple spanning tree (MST) BPDUs.

 

Regards,

Kanwal

Hi. I attached our topology to the post. I have difficulties understanding the mechanism of the ACE in bridge mode. If you could clear up some questions, I would appreciate it.

According to the topology, I've created 2 VLANs in the network, 40 for clients and 41 just for servers. I've assigned switch ports to the appropriate VLANs as seen in the topology. For the sake of explaining the situation, suppose the IP address of a client is 192.168.1.100, the IP of the server is 192.168.1.200 and the IP address of the BVI on the ACE is 192.168.1.10.

When the client wants to send traffic to the server (192.168.1.200), it generates an ARP request as a broadcast. The switch receives it and floods that traffic out of all ports that belong to VLAN 40, including the port attached to the ACE. The ACE device receives the ARP request through VLAN 40 and bridges it to VLAN 41. The packet gets to the switch in VLAN 41 and is then flooded out of the port attached to the server. So, which device (server or ACE) originates and sends the ARP reply?

And another thing: if we configure the ACE to pass BPDU packets and the switch finally blocks one of the links to the ACE, our scenario gets corrupted, because one leg of the ACE will be blocked by STP. So that is not the case here.

I'm really confused! Any clarification? Thanks.
