12-04-2012 07:54 AM
I am in the process of migrating from the CSS to the ACE. Our CSS setup was routed mode, so I've built the ACE as routed mode. The issue I struggle with is that the server-side VLAN is strictly for web servers. Previously the web servers had a 2nd NIC for management access and for connection to application and database servers. This became a static routing nightmare, as there are 4 other server VLANs that it would need to access.
I've been trying to set up a static NAT for each web server to the VIP network and only have 1 NIC on the web servers. That way management, app, and DB traffic wouldn't be asymmetrically routed or need static routes. I can get the source NAT to work fine for outbound traffic, but it doesn't seem like this is possible without setting up a LB policy through the serverfarm and rserver.
I've seen another setup where the web servers didn't use the ACE as the default gateway; they were using an SVI on the core that is in the same VLAN as the server side of the ACE. They would PAT inbound clients through the ACE to the server-side VLAN, so return LB traffic would go back through the ACE, and all other traffic would be routed by the core. The only issue I see with this is that when troubleshooting clients directly on the web servers you'll see the PAT IP for all clients. Sorting through that on the fly would be a nightmare and something that I would like to avoid.
Does anyone have any ideas on how you are handling this type of traffic around or through the ACE when in routed mode?
Thanks in advance.
Tye
12-04-2012 06:19 PM
Hi Tye,
You have listed two ways and I don't see any other ways. And yes, you have to set up the LB policy, class maps, etc. as you mention in your first case for traffic classification and action.
You can also exclude traffic hitting the VIP from being source NATed (not in scenarios where the default gateway is not the ACE) and only NAT outbound traffic. Pasting an example below:
- Clients coming in on VLAN 251 connect to the VIP and are load balanced without source NAT.
- Servers connecting to the VIP on VLAN 451 are load balanced AND source NAT'd because they match both class-maps.

login timeout 0
access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice
rserver host SERVER_03
  ip address 192.168.1.13
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice
  rserver SERVER_03
    inservice

class-map match-all REAL_SERVERS
  2 match source-address 192.168.1.0 255.255.255.0
class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www
class-map type management match-any REMOTE_ACCESS
  description remote-access-traffic-match
  2 match protocol telnet any
  3 match protocol ssh any
  4 match protocol icmp any

policy-map type management first-match REMOTE_MGT
  class REMOTE_ACCESS
    permit

policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS

policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
  class REAL_SERVERS
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input REMOTE_MGT
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 451
  description Servers vlan
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1
Let me know if that answers your question or you were looking for something else.
Regards,
Kanwal
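For comparison, here is a configuration for the second design Tye described (web servers use a core SVI as their default gateway, and only load-balanced traffic returns through the ACE). This is an added example, not Kanwal's configuration and not a Cisco reference config. It reuses the addresses from the answer above; the core SVI address 192.168.1.254 and the parameter-map name HTTP_PARAM are constructed. Because source NAT on the client-to-VIP flow hides the real client address from the servers (the "PAT IP for all clients" problem), the example also inserts an X-Forwarded-For header carrying the original client IP so the web server logs remain usable for troubleshooting and incident investigation. Whether insert-http and persistence-rebalance are available depends on the ACE software release; the comment lines are for the reader and are not ACE commands.

```cisco
! Added example (not from the thread): routed-mode ACE, servers' default
! gateway is the core SVI 192.168.1.254 (constructed), not the ACE.
! Client->VIP flows are source NATed to 192.168.1.10 on the server VLAN so the
! servers' replies return to the ACE; the real client IP is carried in
! X-Forwarded-For for the servers to log.
access-list ANYONE line 10 extended permit ip any any

rserver host SERVER_01
  ip address 192.168.1.11
  inservice
rserver host SERVER_02
  ip address 192.168.1.12
  inservice

serverfarm host REAL_SERVERS
  rserver SERVER_01
    inservice
  rserver SERVER_02
    inservice

class-map match-all VIP-30
  2 match virtual-address 172.16.51.30 tcp eq www

! Re-inspect every request on a persistent (keep-alive) connection so the
! header is inserted on each request, not only the first one.
parameter-map type http HTTP_PARAM
  persistence-rebalance

! Layer 7 policy: the ACE proxies the HTTP connection and adds the header
! with the original client source IP (%is).
policy-map type loadbalance first-match SLB_LOGIC
  class class-default
    serverfarm REAL_SERVERS
    insert-http x-forwarded-for header-value "%is"

! NAT is applied in the same class as the VIP, so only load-balanced
! client traffic is translated; server-originated traffic never touches the ACE.
policy-map multi-match CLIENT_VIPS
  class VIP-30
    loadbalance vip inservice
    loadbalance policy SLB_LOGIC
    loadbalance vip icmp-reply active
    appl-parameter http advanced-options HTTP_PARAM
    nat dynamic 1 vlan 451

interface vlan 251
  description Client vlan
  ip address 172.16.51.11 255.255.255.0
  access-group input ANYONE
  service-policy input CLIENT_VIPS
  no shutdown

interface vlan 451
  description Servers vlan (servers default-gateway to core SVI 192.168.1.254)
  ip address 192.168.1.1 255.255.255.0
  access-group input ANYONE
  nat-pool 1 192.168.1.10 192.168.1.10 netmask 255.255.255.0 pat
  no shutdown

ip route 0.0.0.0 0.0.0.0 172.16.51.1
```

Two things to keep in mind with this design. The header only helps for HTTP VIPs; non-HTTP services load balanced through a PAT would still show 192.168.1.10 on the servers. And X-Forwarded-For can be set by the client as well, so the web servers should log the value appended by the ACE (the last one in the header) and treat any client-supplied value as untrusted. Check the result with a test request from a known client address and confirm that the server log shows that address rather than the NAT pool IP; the ACE connection table (show conn) should show the translated source on the server side.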