03-28-2012 08:35 AM
Dear Fellows,
I have the following working scenario:
I need the following result:
Please find the Configuration Attached.
Please help me out at your earliest.
Thanks & Regards,
Rameez
03-28-2012 12:41 PM
I would think that this could be accomplished by an ICMP class-map and such because normal ICMP traffic would be routed using the most specific match, which is the directly connected interface.
03-29-2012 09:22 AM
For doing NAT, you would have to create a VIP, which will create the ARP entry on the box.
Without matching the VIP, it won't be responding.
03-29-2012 09:40 AM
I double-checked the config.
I think this is an issue because there are two service policies, each of which has a valid class-map that recognizes ICMP packets, and both of those service policies are applied to the same interface. I would think you could test by removing the icmp protocol line from the mgmt class-map and see what results you get. I suspect that the ACE is processing the ICMP packet as part of the mgmt class-map first.
03-31-2012 06:07 AM
Dear Jbartoldus,
I tried according to your suggestion but no luck.
Let me be clearer: from the server side, if a server sends traffic to the VIP, it should get the response with the VIP as the source address.
Please let me know if there are any other possible solutions.
Regards,
Rameez
03-31-2012 11:50 AM
The only other thing I can think of would be to add the loadbalance vip icmp-reply active command to your L4_VIP_PE_CMAP class statement in your multi-match policy-map.
04-06-2012 09:02 PM
Hi Muhammad,
The problem is the NAT you are using; it is not good, and that is why you are having an asymmetric flow. You have a layer 2 asymmetric flow. I will assume a couple of variables, so please correct me if I am wrong, but most likely this will solve the problem:
- The servers are using the ACE as default gateway; since you do not have a NAT applied and the external clients are working, that means there is no L3 device in between.
- The switches between the ACE and the backend servers have the L2 information of the servers, so without NAT the switches can see each other.
Now, back to the ACE. In order to correct this, I will assume that the rservers you have configured are the ones that are opening connections to the VIP, so in this case we need to NAT the traffic through the outgoing interface. In other words, the NATPOOL needs to be configured on the interface that the ACE will use to send the traffic to the servers, so the configuration should look like this:
policy-map multi-match L4_LB_VIP_PMAP
  class L4_VIP_PE_CMAP
    loadbalance vip inservice
    loadbalance policy L7_VIP_PE_PMAP
    nat dynamic 1 vlan 130   <-------------------------------------- HERE

interface vlan 130
  description Server Side
  ip address 10.1.3.6 255.255.255.0
  alias 10.1.3.252 255.255.255.0
  peer ip address 10.1.3.5 255.255.255.0
  no normalization
  no icmp-guard
  access-group input PE
  access-group output PE
  service-policy input PE-SERVER-PMAP
  natpool 1 10.1.3.X 10.1.3.X netmask 255.255.255.0 pat   <-------------------------- here
  no shutdown
You need to replace X with an available IP in the servers' range. Now, you need to configure the natpool first and then apply it to the class under the multi-match policy.
Let me know; it should work. Since you are not doing NAT, what happens is that the backend server knows the MAC address of the other server that is opening the connection, so when it replies back, the destination MAC is the server's one. As soon as the packet hits the L2 switch, the switch will send the traffic through the port where that MAC address was learned, and the packet will end up at the client server, which will drop the packet.
HTH.
Rodrigo.
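The layer 2 asymmetric reply path Rodrigo describes, modelled as a small added Python simulation (not from the thread or from Cisco). The addresses, MACs and ARP table are constructed placeholders on the thread's 10.1.3.0/24 server VLAN; simulate(False) is the no-NAT case where the backend's reply bypasses the ACE, simulate(True) the natpool case where the reply returns through the ACE and carries the VIP as its source.

```python
# Constructed addresses on the thread's server VLAN (10.1.3.0/24); the hosts,
# MACs and VIP are placeholders, not the poster's real configuration.
VIP, NATPOOL = "10.1.3.100", "10.1.3.200"   # both owned (and ARP-answered) by the ACE
CLIENT, RSERVER = "10.1.3.20", "10.1.3.30"  # client server and backend, same VLAN
MAC = {"ace": "00:ace", "client": "00:c11", "rserver": "00:r5e"}

# What ARP on the VLAN resolves: the ACE answers for the VIP and the natpool address.
ARP = {CLIENT: MAC["client"], RSERVER: MAC["rserver"],
       VIP: MAC["ace"], NATPOOL: MAC["ace"]}


def ace_to_server(client_ip, nat):
    """Client -> VIP at the ACE: choose the rserver and optionally source-NAT.
    Returns the source IP the backend will see plus the state needed to undo it."""
    translated = NATPOOL if nat else client_ip
    conn = {"client": client_ip, "translated": translated}
    return translated, conn


def rserver_reply(seen_src_ip):
    """The backend replies to whatever source it saw; the L2 destination is
    whatever ARP resolves for that IP, which is the whole problem without NAT."""
    return {"src_ip": RSERVER, "dst_ip": seen_src_ip, "dst_mac": ARP[seen_src_ip]}


def ace_from_server(conn):
    """A reply that reached the ACE: undo the NAT and present the VIP as source."""
    return {"src_ip": VIP, "dst_ip": conn["client"], "dst_mac": ARP[conn["client"]]}


def simulate(nat):
    """Run one request/reply and report what the client server receives."""
    seen_src, conn = ace_to_server(CLIENT, nat)
    reply = rserver_reply(seen_src)
    # The L2 switch forwards on dst_mac alone; the ACE only sees the frame when
    # the backend resolved the reply's destination IP to the ACE's MAC.
    via_ace = reply["dst_mac"] == MAC["ace"]
    if via_ace:
        reply = ace_from_server(conn)
    # The client opened its connection to the VIP, so only a reply sourced from
    # the VIP matches its socket; a reply straight from the rserver is dropped.
    return {"reply_src": reply["src_ip"], "via_ace": via_ace,
            "accepted": reply["src_ip"] == VIP}


if __name__ == "__main__":
    for nat in (False, True):
        print("nat" if nat else "no nat", simulate(nat))
```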