
ACE: 4710 Policy-Map NAT

brian_nc
Level 1

Greets. I have a scenario where the rservers are located on two different VLANs in One Arm Mode.

My question is, am I able to assign two different NAT commands in my policy map (as written below)? Will the NAT command only kick off for the selected rserver's VLAN?

policy-map multi-match PM_Loadbalance
  class VIP_Farm
    loadbalance vip inservice
    loadbalance vip icmp-reply active
    nat dynamic 7 vlan 7
    nat dynamic 741 vlan 741

Thanks,

-b

1 Accepted Solution


chrhiggi
Level 3

Hello Brian-

You can apply 2 different NAT statements, yes.

The way it works:

1.)  A client sends a SYN into a vlan where the vip is applied as a service-policy input.

2.) The ACE matches the SYN to the class in question, the loadbalance policy is checked, and eventually a server in the associated serverfarm is chosen.

3.) ACE prepares to forward the SYN out of the appropriate VLAN based on the route table.

4.) Before the packet leaves, if the packet will egress either vlan 7 or 741, the packet would be source NATted by the group number mentioned in the statement.  This occurs because the "vlan 7" and "vlan 741" in the NAT statements under the class are filters. If the destination matches either vlan, then the nat group for that statement is used.

i.e.

rserver host server_1
  ip address 10.0.0.10
  inservice
rserver host server_2
  ip address 172.16.35.60
  inservice

serverfarm host SF_1
  rserver server_1
    inservice
  rserver server_2
    inservice

class-map match-any VIP_80
  2 match virtual-address 172.16.35.80 tcp eq 80

policy-map type loadbalance first-match LB
  class class-default
    serverfarm SF_1

policy-map multi-match X
  class VIP_80
    loadbalance policy LB
    loadbalance vip inservice
    nat dynamic 5 vlan 7
    nat dynamic 7 vlan 741

interface vlan 7
  ip address 172.16.35.2 255.255.255.0
  nat-pool 5 172.16.35.100 172.16.35.100 netmask 255.255.255.0 pat
  service-policy input X

interface vlan 741
  ip address 10.0.0.2 255.255.255.0
  nat-pool 7 10.0.0.100 10.0.0.100 netmask 255.255.255.0 pat
  service-policy input X

If a packet comes into either vlan destined to 172.16.35.80 on port 80, it will be balanced to either 10.0.0.10 or 172.16.35.60.  If 10.0.0.10 was chosen, then natpool 7 under vlan 741 would be used because 10.0.0.10 is layer 2 adjacent to vlan 741.  If 172.16.35.60 was chosen, then natpool 5 would be chosen because that server is layer 2 adjacent to vlan 7.

Regards,

Chris Higgins
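
The selection logic described in the answer above, as an added Python sketch that is not part of the original thread or Cisco's code. It is a constructed model: the tables mirror the sample configuration, only connected routes are considered, and the function names are hypothetical.

```python
import ipaddress

# Constructed model of the sample configuration in the answer above.
INTERFACES = {  # vlan -> (connected subnet, {nat pool id: PAT address})
    7:   (ipaddress.ip_network("172.16.35.0/24"), {5: "172.16.35.100"}),
    741: (ipaddress.ip_network("10.0.0.0/24"),    {7: "10.0.0.100"}),
}
# "nat dynamic <pool> vlan <vlan>" under class VIP_80: egress vlan -> pool id
NAT_DYNAMIC = {7: 5, 741: 7}


def egress_vlan(dst_ip, interfaces=INTERFACES):
    """Pick the egress VLAN by longest-prefix match on connected subnets."""
    addr = ipaddress.ip_address(dst_ip)
    hits = [(net.prefixlen, vlan)
            for vlan, (net, _) in interfaces.items() if addr in net]
    return max(hits)[1] if hits else None


def source_nat(rserver_ip, nat_dynamic=NAT_DYNAMIC, interfaces=INTERFACES):
    """Return (egress vlan, pool id, translated source) for the chosen rserver.

    Pool id and source are None when no nat statement filters on the
    egress VLAN, i.e. the packet leaves with the client's source address.
    """
    vlan = egress_vlan(rserver_ip, interfaces)
    if vlan is None:
        raise ValueError(f"no connected route to {rserver_ip}")
    pool_id = nat_dynamic.get(vlan)
    if pool_id is None:
        return vlan, None, None
    pools = interfaces[vlan][1]
    if pool_id not in pools:
        # This model treats a dangling pool reference as an error.
        raise ValueError(f"pool {pool_id} is not defined on vlan {vlan}")
    return vlan, pool_id, pools[pool_id]


if __name__ == "__main__":
    for server in ("10.0.0.10", "172.16.35.60"):
        print(server, "->", source_nat(server))
```
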


Thanks. I was hoping it was that simple!

-b
