ACE routed mode issue

tyechristy
Level 1

I am in the process of migrating from the CSS to the ACE. Our CSS setup was routed mode, so I've built the ACE as routed mode. The issue I struggle with is that the server-side VLAN is strictly for web servers. Previously the web servers had a 2nd NIC for management access and for connection to application and database servers. This became a static routing nightmare, as there are 4 other server VLANs that it would need to access.

I've been trying to set up a static NAT for each web server to the VIP network and only have 1 NIC on the web servers. That way management, app, and DB traffic wouldn't be asymmetrically routed or need static routes. I can get the source NAT to work fine for outbound traffic, but it doesn't seem like this is possible without setting up an LB policy through the serverfarm and rserver.

I've seen another setup where the web servers didn't use the ACE as the default gateway; they were using an SVI on the core that is in the same VLAN as the server-side ACE interface. They would PAT inbound clients through the ACE to the server-side VLAN, so return LB traffic would go back through the ACE, and all other traffic would be routed by the core. The only issue I see with this is that when troubleshooting clients directly on the web servers you'll see the PAT IP for all clients. Sorting through that on the fly would be a nightmare and something that I would like to avoid.

Does anyone have any ideas on how you are handling this type of traffic around or through the ACE when in routed mode?

Thanks in advance.

Tye

1 Reply

Kanwaljeet Singh
Cisco Employee

Hi Tye,

You have listed two ways and I don't see any other ways. And yes, you have to set up the LB policy, class maps, etc. as you mentioned in your first case for traffic classification and action.

You can also exclude traffic hitting the VIP from being source NATed (not in scenarios where the default gateway is not the ACE) and only NAT outbound traffic. Pasting an example below:

- Clients coming in on VLAN 251 connect to the VIP and are load balanced without source NAT.
- Servers connecting to the VIP on VLAN 451 are load balanced AND source NAT'd because they match both class-maps.

login timeout 0

access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown
interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1

Let me know if that answers your question or you were looking for something else.

Regards,

Kanwal
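To make the classification in the reply's config concrete, here is an added example (not from the original post or from Cisco) that models how the multi-match policy-map CLIENT_VIPS treats three constructed flows: a client on VLAN 251 hitting the VIP, a server on VLAN 451 hitting the VIP (hairpin), and a server on VLAN 451 going outbound. The class-map predicates, rserver list, NAT pool and routes are transcribed from the config above; the flows, the round-robin index and the reading of the `vlan 451` qualifier on `nat dynamic` as "translate only when the packet exits via that VLAN" are assumptions of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Flow:
    """One connection as seen on ingress to the ACE (constructed input)."""
    ingress_vlan: int
    src: str
    dst: str
    dport: int
    proto: str = "tcp"

# rserver SERVER_01..03 in serverfarm REAL_SERVERS (from the config above)
REAL_SERVERS = ["192.168.1.11", "192.168.1.12", "192.168.1.13"]

def match_vip_30(f: Flow) -> bool:
    # class-map match-all VIP-30: match virtual-address 172.16.51.30 tcp eq www
    return f.proto == "tcp" and f.dst == "172.16.51.30" and f.dport == 80

def match_real_servers(f: Flow) -> bool:
    # class-map match-all REAL_SERVERS: match source-address 192.168.1.0/24
    return ip_address(f.src) in ip_network("192.168.1.0/24")

# policy-map multi-match CLIENT_VIPS: (class, predicate, feature, action)
CLIENT_VIPS: List[Tuple[str, Callable[[Flow], bool], str, object]] = [
    ("VIP-30", match_vip_30, "loadbalance", "SLB_LOGIC"),
    ("REAL_SERVERS", match_real_servers, "nat", ("dynamic", 1, 451)),
]

# service-policy input CLIENT_VIPS is applied on interface vlan 251 and 451
SERVICE_POLICY = {251: CLIENT_VIPS, 451: CLIENT_VIPS}

# interface vlan 451: nat-pool 1 192.168.1.10 192.168.1.10 netmask /24 pat
NAT_POOLS = {(451, 1): "192.168.1.10"}

# Connected subnets plus 'ip route 0.0.0.0 0.0.0.0 172.16.51.1'
ROUTES = [
    (ip_network("172.16.51.0/24"), 251),
    (ip_network("192.168.1.0/24"), 451),
    (ip_network("0.0.0.0/0"), 251),
]

def egress_vlan(dst: str) -> int:
    """Longest-prefix match over ROUTES."""
    addr = ip_address(dst)
    best = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def classify(f: Flow) -> Dict[str, object]:
    """Multi-match semantics: every class is checked, and each feature
    (loadbalance, nat) takes the action of its first matching class."""
    actions: Dict[str, object] = {}
    for _name, pred, feature, action in SERVICE_POLICY.get(f.ingress_vlan, []):
        if feature not in actions and pred(f):
            actions[feature] = action
    return actions

def process(f: Flow, rr: int = 0) -> Tuple[str, str, int, Dict[str, object]]:
    """Return (src, dst, egress VLAN, actions) as the next hop sees the packet."""
    actions = classify(f)
    src, dst = f.src, f.dst
    if "loadbalance" in actions:
        dst = REAL_SERVERS[rr % len(REAL_SERVERS)]   # SLB_LOGIC -> serverfarm
    out_vlan = egress_vlan(dst)
    if "nat" in actions:
        _kind, pool_id, nat_vlan = actions["nat"]
        # Assumption: 'nat dynamic 1 vlan 451' only translates when the
        # packet leaves via VLAN 451, where nat-pool 1 is configured.
        if nat_vlan == out_vlan:
            src = NAT_POOLS[(nat_vlan, pool_id)]
    return src, dst, out_vlan, actions

if __name__ == "__main__":
    flows = [
        Flow(251, "10.1.1.5", "172.16.51.30", 80),      # client -> VIP
        Flow(451, "192.168.1.12", "172.16.51.30", 80),  # server -> VIP (hairpin)
        Flow(451, "192.168.1.12", "10.1.1.5", 443),     # server outbound
    ]
    for f in flows:
        print(f, "->", process(f))
```

Running it shows the two cases the reply's bullets describe, plus one worth checking against the original question: the client flow is load balanced with its real source kept, the hairpin flow is load balanced and its source becomes 192.168.1.10 (an ACE-owned address, so the real server's reply cannot short-cut across VLAN 451 and bypass the ACE), and the server's outbound flow to an address reached via the default route leaves on VLAN 251 untranslated, because the only NAT action in this config is tied to VLAN 451. If outbound server traffic also needs translation, a separate nat action on the client-side VLAN is required.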
