Solved: ACE: Problem with real servers in networks different and not connected directly ace

Alvaro Perez Unzueta · ‎07-12-2011

Hello I have a trouble with the ace, i am configuring this scenary with two real servers with different network rsrv1 (10.1.1.10) and rsrv2 (11.1.1.11), i have configured statics route in ACE, and i have created svi 10 and svi 20 on the switch core. i have configured too source-nat, but my configuration is not work. any idea for solution?

too actually exist svi 1 with network 10.1.1.1 and default gateway of rsrv1 is 10.1.1.1 and the rsrv2 is for routing.

The configuration:

access-list nat_access line 8 extended permit ip host 10.1.1.10 host 192.168.1.20
access-list nat_access line 16 extended permit ip host 11.1.1.11 host 192.168.1.20
access-list someone line 8 extended permit ip any any
access-list someone line 16 extended permit icmp any any

rserver host rsrv1
ip address 10.1.1.10
inservice
rserver host rsrv2
ip address 11.1.1.11
inservice

serverfarm host farm-demo
rserver rsrv1
inservice
rserver rsrv2
inservice

class-map type management match-any MGMT
2 match protocol icmp any
3 match protocol http any
4 match protocol https any
5 match protocol snmp any
6 match protocol telnet any
7 match protocol ssh any
class-map match-any VIP
2 match virtual-address 192.168.1.10 any
class-map match-any nat_class
2 match access-list nat_access

policy-map type management first-match mgmt
class MGMT
permit

policy-map type loadbalance first-match server-balance
class class-default
serverfarm farm-demo

policy-map multi-match client-side
class VIP
    loadbalance vip inservice
    loadbalance policy server-balance
    loadbalance vip icmp-reply active
policy-map multi-match nat_policy
class nat_class
    nat dynamic 1 vlan 10

interface vlan 20
description side-server
ip address 172.16.1.1 255.255.255.0
access-group input someone
access-group output someone
service-policy input mgmt
service-policy input nat_policy
service-policy input client-side
no shutdown
interface vlan 10
description side-client
ip address 192.168.1.1 255.255.255.0
access-group input someone
access-group output someone
nat-pool 1 192.168.1.20 192.168.1.20 netmask 255.255.255.0 pat
service-policy input mgmt
service-policy input client-side
no shutdown

ip route 10.1.1.10 255.255.255.255 172.16.1.100 (SVI Core)

ip route 11.1.1.11 255.255.255.255 172.16.1.100 (SVI Core)

ip route 0.0.0.0 0.0.0.0 192.168.1.100 (SVI Core)

the proof:

ace-demo/C1# sh conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
5009       1 in TCP   10   10.1.1.200:6244      192.168.1.10:22       SYNSEEN
5010       1 out TCP   20   10.1.1.10:22          10.1.1.200:6244 INIT
ace-demo/C1# sh xlate
ace-demo/C1#
ace-demo/C1# ping 10.1.1.10
Pinging 10.1.1.10 with timeout = 2, count = 5, size = 100 ....

Response from 10.1.1.10 : seq 1 time 1.034 ms
Response from 10.1.1.10 : seq 2 time 0.000 ms
Response from 10.1.1.10 : seq 3 time 1.467 ms
Response from 10.1.1.10 : seq 4 time 0.705 ms
Response from 10.1.1.10 : seq 5 time 0.000 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1# ping 11.1.1.11
Pinging 11.1.1.11 with timeout = 2, count = 5, size = 100 ....

Response from 11.1.1.11 : seq 1 time 0.728 ms
Response from 11.1.1.11 : seq 2 time 1.247 ms
Response from 11.1.1.11 : seq 3 time 1.828 ms
Response from 11.1.1.11 : seq 4 time 1.942 ms
Response from 11.1.1.11 : seq 5 time 2.001 ms
5 packet sent, 5 responses received, 0% packet loss
ace-demo/C1#
ace-demo/C1# sh serverfarm farm-demo
serverfarm     : farm-demo, type: HOST
total rservers : 2
---------------------------------
                                                ----------connections-----------
       real                  weight state        current    total      failures
   ---+---------------------+------+------------+----------+----------+---------
   rserver: rsrv1
       10.1.1.10:0       8      OPERATIONAL 0          73         1082
   rserver: rsrv2
       11.1.1.11:0      8      OPERATIONAL 0          69         1084

pablo.nxh · ‎07-12-2011

Hi Alvaro,

Key word seems to be NAT; at the moment you have a server VLAN and client VLAN configured then you're in a routed mode scenario; commonly you won't need NAT for routed mode just because rservers "should" be L2 adjacent to the ACE so asymmetic routing isn't possible but in your case your rservers are sitting on different networks than 172.16.1.X/24 so NAT is now a requirement, but it has to be configured with a pool from the server VLAN because that's the network your rservers are supposedly to have a route for. NAT that is in place won't work because your server will use their default gateway to reach 192.168.1.X, core switch then will do intervlan routing to move traffic from vlan 20 to 10 and back to ACE, ACE will end up seeing server return traffic from same interface it received initial client traffic.

Try something like this

interface vlan 20

description side-server

ip address 172.16.1.1 255.255.255.0

access-group input someone

access-group output someone

service-policy input mgmt

service-policy input nat_policy <---- This needs to be removed.

service-policy input client-side <---- Unless you need to hit the VIP from the servers this can removed as well.

nat-pool 20 172.16.1.20 172.16.1.20 netmask 255.255.255.0 pat <<<<<---- Use any available IP from 172.16.1.X/24

no shutdown

policy-map multi-match client-side

class VIP

loadbalance vip inservice

loadbalance policy server-balance

loadbalance vip icmp-reply active

nat dynamic 20 vlan 20 <--- This needs to be added.

* Not sure if you really need the multi-match "nat_policy" but if it was configured for this scenario you can safely delete it.

HTH

__ __

Pablo

View solution in original post

pablo.nxh · ‎07-12-2011

Hi Alvaro,

Key word seems to be NAT; at the moment you have a server VLAN and client VLAN configured then you're in a routed mode scenario; commonly you won't need NAT for routed mode just because rservers "should" be L2 adjacent to the ACE so asymmetic routing isn't possible but in your case your rservers are sitting on different networks than 172.16.1.X/24 so NAT is now a requirement, but it has to be configured with a pool from the server VLAN because that's the network your rservers are supposedly to have a route for. NAT that is in place won't work because your server will use their default gateway to reach 192.168.1.X, core switch then will do intervlan routing to move traffic from vlan 20 to 10 and back to ACE, ACE will end up seeing server return traffic from same interface it received initial client traffic.

Try something like this

interface vlan 20

description side-server

ip address 172.16.1.1 255.255.255.0

access-group input someone

access-group output someone

service-policy input mgmt

service-policy input nat_policy <---- This needs to be removed.

service-policy input client-side <---- Unless you need to hit the VIP from the servers this can removed as well.

nat-pool 20 172.16.1.20 172.16.1.20 netmask 255.255.255.0 pat <<<<<---- Use any available IP from 172.16.1.X/24

no shutdown

policy-map multi-match client-side

class VIP

loadbalance vip inservice

loadbalance policy server-balance

loadbalance vip icmp-reply active

nat dynamic 20 vlan 20 <--- This needs to be added.

* Not sure if you really need the multi-match "nat_policy" but if it was configured for this scenario you can safely delete it.

HTH

__ __

Pablo

Alvaro Perez Unzueta · ‎07-13-2011

Pablo, I configured how you say me and its work!!

Thank you

Alvaro