07-12-2011 12:10 PM
Hello, I have a problem with the ACE. I am configuring this scenario with two real servers on different networks, rsrv1 (10.1.1.10) and rsrv2 (11.1.1.11). I have configured static routes in the ACE, and I have created SVI 10 and SVI 20 on the core switch. I have also configured source NAT, but my configuration does not work. Any idea for a solution?
Also, SVI 1 with network 10.1.1.1 already exists; the default gateway of rsrv1 is 10.1.1.1, and rsrv2 is for routing.
The configuration:
access-list nat_access line 8 extended permit ip host 10.1.1.10 host 192.168.1.20
access-list nat_access line 16 extended permit ip host 11.1.1.11 host 192.168.1.20
access-list someone line 8 extended permit ip any any
access-list someone line 16 extended permit icmp any any
rserver host rsrv1
  ip address 10.1.1.10
  inservice
rserver host rsrv2
  ip address 11.1.1.11
  inservice
serverfarm host farm-demo
  rserver rsrv1
    inservice
  rserver rsrv2
    inservice
class-map type management match-any MGMT
  2 match protocol icmp any
  3 match protocol http any
  4 match protocol https any
  5 match protocol snmp any
  6 match protocol telnet any
  7 match protocol ssh any
class-map match-any VIP
  2 match virtual-address 192.168.1.10 any
class-map match-any nat_class
  2 match access-list nat_access
policy-map type management first-match mgmt
  class MGMT
    permit
policy-map type loadbalance first-match server-balance
  class class-default
    serverfarm farm-demo
policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy server-balance
    loadbalance vip icmp-reply active
policy-map multi-match nat_policy
  class nat_class
    nat dynamic 1 vlan 10
interface vlan 20
  description side-server
  ip address 172.16.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  service-policy input mgmt
  service-policy input nat_policy
  service-policy input client-side
  no shutdown
interface vlan 10
  description side-client
  ip address 192.168.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  nat-pool 1 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
  service-policy input mgmt
  service-policy input client-side
  no shutdown
ip route 10.1.1.10 255.255.255.255 172.16.1.100 (SVI Core)
ip route 11.1.1.11 255.255.255.255 172.16.1.100 (SVI Core)
ip route 0.0.0.0 0.0.0.0 192.168.1.100 (SVI Core)
The proof:
ace-demo/C1# sh conn
total current connections : 2
conn-id np dir proto vlan source destination state
----------+--+---+-----+----+---------------------+---------------------+------+
5009 1 in TCP 10 10.1.1.200:6244 192.168.1.10:22 SYNSEEN
5010 1 out TCP 20 10.1.1.10:22 10.1.1.200:6244 INIT
ace-demo/C1# sh xlate
ace-demo/C1#
ace-demo/C1# ping 10.1.1.10
Pinging 10.1.1.10 with timeout = 2, count = 5, size = 100 ....
Response from 10.1.1.10 : seq 1 time 1.034 ms
Response from 10.1.1.10 : seq 2 time 0.000 ms
Response from 10.1.1.10 : seq 3 time 1.467 ms
Response from 10.1.1.10 : seq 4 time 0.705 ms
Response from 10.1.1.10 : seq 5 time 0.000 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1# ping 11.1.1.11
Pinging 11.1.1.11 with timeout = 2, count = 5, size = 100 ....
Response from 11.1.1.11 : seq 1 time 0.728 ms
Response from 11.1.1.11 : seq 2 time 1.247 ms
Response from 11.1.1.11 : seq 3 time 1.828 ms
Response from 11.1.1.11 : seq 4 time 1.942 ms
Response from 11.1.1.11 : seq 5 time 2.001 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1#
ace-demo/C1# sh serverfarm farm-demo
serverfarm : farm-demo, type: HOST
total rservers : 2
---------------------------------
----------connections-----------
real weight state current total failures
---+---------------------+------+------------+----------+----------+---------
rserver: rsrv1
10.1.1.10:0 8 OPERATIONAL 0 73 1082
rserver: rsrv2
11.1.1.11:0 8 OPERATIONAL 0 69 1084
07-12-2011 01:34 PM
Hi Alvaro,
The key word seems to be NAT. At the moment you have a server VLAN and a client VLAN configured, so you're in a routed mode scenario. Commonly you won't need NAT for routed mode, because rservers "should" be L2 adjacent to the ACE so asymmetric routing isn't possible; but in your case your rservers are sitting on different networks than 172.16.1.X/24, so NAT is now a requirement. It has to be configured with a pool from the server VLAN, because that's the network your rservers are supposed to have a route for. The NAT that is in place won't work because your servers will use their default gateway to reach 192.168.1.X; the core switch will then do inter-VLAN routing to move traffic from VLAN 20 to 10 and back to the ACE, and the ACE will end up seeing server return traffic on the same interface it received the initial client traffic on.
Try something like this:
interface vlan 20
  description side-server
  ip address 172.16.1.1 255.255.255.0
  access-group input someone
  access-group output someone
  service-policy input mgmt
  service-policy input nat_policy <---- This needs to be removed.
  service-policy input client-side <---- Unless you need to hit the VIP from the servers, this can be removed as well.
  nat-pool 20 172.16.1.20 172.16.1.20 netmask 255.255.255.0 pat <<<<<---- Use any available IP from 172.16.1.X/24
  no shutdown
policy-map multi-match client-side
  class VIP
    loadbalance vip inservice
    loadbalance policy server-balance
    loadbalance vip icmp-reply active
    nat dynamic 20 vlan 20 <--- This needs to be added.
* Not sure if you really need the multi-match "nat_policy" but if it was configured for this scenario you can safely delete it.
HTH
__ __
Pablo
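To make the asymmetric path concrete, here is an added example (not from the thread, Cisco, or the ACE itself) that traces next hops through a constructed model of this topology: the client 10.1.1.200 is taken from the sh conn output above, 172.16.1.20 is the nat-pool address Pablo suggests, and rsrv2 is left out since it behaves the same way from its own subnet.

```python
# Constructed toy next-hop tracer over the thread's topology (not ACE code).
# Shows why rsrv1's reply bypasses the ACE unless the ACE source-NATs the
# client to a VLAN 20 address; rsrv2 (11.1.1.11) is omitted for brevity.
from ipaddress import ip_address, ip_network

# device -> {address: connected subnet}; a device answers for every address listed
ADDRS = {
    "client": {"10.1.1.200": "10.1.1.0/24"},
    "rsrv1":  {"10.1.1.10": "10.1.1.0/24"},
    "core":   {"10.1.1.1": "10.1.1.0/24", "172.16.1.100": "172.16.1.0/24",
               "192.168.1.100": "192.168.1.0/24"},
    "ace":    {"192.168.1.1": "192.168.1.0/24", "192.168.1.10": "192.168.1.0/24",
               "172.16.1.1": "172.16.1.0/24", "172.16.1.20": "172.16.1.0/24"},
}
# device -> [(prefix, next hop)]; static routes from the posts, core is all connected
ROUTES = {
    "client": [("0.0.0.0/0", "10.1.1.1")],
    "rsrv1":  [("0.0.0.0/0", "10.1.1.1")],
    "core":   [],
    "ace":    [("10.1.1.10/32", "172.16.1.100"), ("0.0.0.0/0", "192.168.1.100")],
}

def owner(ip):
    """Device that holds address ip, or None."""
    return next((dev for dev, addrs in ADDRS.items() if ip in addrs), None)

def next_hop(dev, dst):
    """Connected subnet wins, otherwise the longest-prefix static route."""
    d = ip_address(dst)
    if any(d in ip_network(s) for s in ADDRS[dev].values()):
        return dst
    matches = [(ip_network(p), nh) for p, nh in ROUTES[dev] if d in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def trace(src, dst):
    """Devices visited from src up to the one owning dst (None if unreachable)."""
    path, dev = [src], src
    while dev is not None and dst not in ADDRS[dev] and len(path) < 8:
        dev = owner(next_hop(dev, dst))
        path.append(dev)
    return path

def server_reply_path(snat):
    """Reply from rsrv1: to the nat-pool address when SNAT is on, else to the client."""
    return trace("rsrv1", "172.16.1.20" if snat else "10.1.1.200")

if __name__ == "__main__":
    print("client -> VIP:", trace("client", "192.168.1.10"))
    for snat in (False, True):
        p = server_reply_path(snat)
        print(f"rsrv1 reply, snat={snat}: {p}  ace in path: {'ace' in p}")
```

Without SNAT the reply goes straight to the client on the shared 10.1.1.0/24 segment, which is exactly why the sh conn output above is stuck at SYNSEEN/INIT and sh xlate is empty.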
07-13-2011 09:25 AM
Pablo, I configured it the way you told me and it works!!
Thank you
Alvaro