ACE - hiding client addresses...

benediktsv
Level 1

Hi all, wonder if you can help me here - perhaps I messed up the terminology.

We are in the situation where we have an active configuration with ACE30 doing normal loadbalancing in routed mode; we have tons of rservers going out on a VIP.

We now had to add a new private network to a provider that strangely enough does not want to see our public or private addresses. We need to loadbalance towards him on a provided subnet (still RFC 1918) (IOS VRF bug? Is that correct?)

I have two options: add the network (new interface) to the active loadbalancers (contexts) and then tie in new policies to the active serverfarms, or make a new context just to load balance towards this provider (preferred).

Now - if I do this, the rservers see the client source addresses from this new provider, as the loadbalancer does not "hide" the client IPs. I would then have to add static routers toward the new context - I would want to skip that.

Is there a way to make the loadbalancer hide the client addresses towards the rservers? Perhaps I'm just needing the correct search term to find the config example.

client request -> VIP -> (client address hidden) -> rserver sees some local address..

- Benedikt


Surya ARBY
Level 4

What you need (if my understanding is correct) is Source (client) NAT.

Config guide is here:

http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_One_Arm_Mode_with_Source_NAT_on_the_Cisco_Application_Control_Engine_Configuration_Example

The key parts are:

ACE-1/onearm(config)# policy-map multi-match client-vips
ACE-1/onearm(config-pmap)# class slb-vip
ACE-1/onearm(config-pmap-c)# [...]
ACE-1/onearm(config-pmap-c)# nat dynamic 5 vlan 50

ACE-1/onearm(config)# interface vlan 50
ACE-1/onearm(config-if)# [...]
ACE-1/onearm(config-if)# nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat
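
A way to confirm from the rserver side that the source NAT above is taking effect, as an added example that is not part of the original reply: it parses the nat-pool line quoted in the reply and lists any logged source addresses that fall outside that pool. The log lines are constructed, and it assumes the rserver log puts the source address first on each line; the function names are hypothetical.

```python
import ipaddress
import re

# nat-pool line exactly as quoted in the reply above
NAT_POOL_LINE = "nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat"

# Constructed sample of what an rserver might log (source address first)
SAMPLE_LOG = """\
172.16.5.200 - - "GET / HTTP/1.1" 200 512
172.16.5.209 - - "GET /a HTTP/1.1" 200 128
10.99.1.17 - - "GET /b HTTP/1.1" 200 64
172.16.5.210 - - "GET /c HTTP/1.1" 200 64
"""

POOL_RE = re.compile(
    r"nat-pool\s+(\d+)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)(\s+pat)?\s*$")


def parse_nat_pool(line):
    """Parse a nat-pool line into its id, address range, network and PAT flag."""
    m = POOL_RE.match(line.strip())
    if not m:
        raise ValueError("not a nat-pool line: %r" % line)
    pool_id, first, last, mask, pat = m.groups()
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    net = ipaddress.IPv4Network("%s/%s" % (first, mask), strict=False)
    # The range must be ordered and sit inside the subnet given by the netmask
    if lo > hi or hi not in net:
        raise ValueError("pool range does not fit netmask: %r" % line)
    return {"id": int(pool_id), "first": lo, "last": hi,
            "network": net, "pat": bool(pat), "size": int(hi) - int(lo) + 1}


def unnatted_sources(log_text, pool):
    """Return logged source addresses that are NOT inside the NAT pool range."""
    leaked = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            src = ipaddress.IPv4Address(fields[0])
        except ValueError:
            continue  # first field is not an IPv4 address; skip the line
        if not (pool["first"] <= src <= pool["last"]):
            leaked.append(str(src))
    return leaked


if __name__ == "__main__":
    print(unnatted_sources(SAMPLE_LOG, parse_nat_pool(NAT_POOL_LINE)))
```

Any address it reports reached the rserver without being translated, so return traffic for it would still depend on routing back through the context.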
