ACE SNAT - Routing Issue

Dear Fellows,

I have the following environment:

  1. 2 x 6500 core switches
  2. 2 x ACE10-6500-K9, one installed in each core switch
  3. 3 contexts: AE, CE, PE
  4. 6 servers: 2 servers for the AE context, 2 servers for the CE context, 2 servers for the PE context
  5. Default round-robin load balancing for each context
  6. VLAN 20: client-side VLAN
  7. VLAN 130: server-side VLAN

I have the following scenario:

  1. ACE is configured in routed mode; multiple contexts share the same VLAN

I have to achieve the following objectives:

  1. All servers should be accessible using their 172.20.0.X IP addresses from the client side -> I configured static NAT - works fine
  2. All servers should access the client-side network using their 172.20.0.X IP addresses -> I configured SNAT - works fine
  3. Servers should access each other within the same context and between contexts using their 172.20.0.X IP addresses -> I CANNOT achieve this result

Please find the configuration in the attached file.

Please try to give a solution at your earliest convenience.

Thanks,

Rameez

Accepted Solution

Borys Berlog (Cisco Employee)

Hi Muhammad,

Let's take the AE context as an example (to make it more specific). As I understand it, you want to be able to access VIPs from server VLAN 130, e.g. VIP 172.20.0.45.

Am I correct?

If yes, you need to add the following configuration.

1) Configure the same policy as you have on your client interface, but add a NAT statement to it with an IP from VLAN 130.

Something like this:

    policy-map multi-match L4_LB_VIP_PMAP_NEW
      class L4_VIP_AE_CMAP
        loadbalance vip inservice
        loadbalance policy L7_VIP_AE_PMAP
        nat dynamic 10 vlan 130   <-- this is the difference and it's very important, as you want the rserver to send traffic back to the ACE, not directly to the client

2) On interface vlan 130 you need to add a NAT pool:

    nat-pool 10 10.1.3.100 10.1.3.100 netmask 255.255.255.255 pat   <-- the IP can be any IP from VLAN 130

3) Add L4_LB_VIP_PMAP_NEW on vlan 130.

Let me know if it helped.


4 Replies


Hi Borys,

Thanks for offering help.

Yes, I want to access all VIPs of all contexts from server VLAN 130.

With reference to point 1, if I configure the same policy on the server side, do I need to configure the VIP address as well?

Can you confirm that this configuration will NOT impact or conflict with the present SNAT config?

Servers will initiate connections to the VIP, and I think the configuration should be the other way around.

Let me give it a try and I will update you.

Hi Muhammad,

Muhammad Khan wrote:

    With reference to point 1, if I configure the same policy on the server side, do I need to configure the VIP address as well?

I didn't get what exactly you're asking about. As you already have the class map L4_VIP_AE_CMAP where the VIP address is configured, you will use the same class map in this new service policy. So there is no real reason to configure a new class map, but if you want, you can do it.

About the conflict: it depends on what exactly you want. Again, based on the AE context, you have these NAT policies:

    policy-map multi-match AE-SERVER-PMAP
      class AE-SERVER-2-CMAP
        nat static 172.20.0.215 netmask 255.255.255.255 vlan 20
      class AE-SERVER-1-CMAP
        nat static 172.20.0.205 netmask 255.255.255.255 vlan 20

plus these class maps:

    class-map match-all AE-SERVER-1-CMAP
      2 match source-address 10.1.3.205 255.255.255.255
    class-map match-all AE-SERVER-2-CMAP
      2 match source-address 10.1.3.215 255.255.255.255

So I'd propose to put a new class map with the VIP above these two, and then you will have the following behaviour:

If traffic matches the class map in the first policy map (say L4_LB_VIP_PMAP_NEW), it will be processed according to the instructions in this policy map and the others will be ignored. Which is logical from my point of view. And if, e.g., traffic is coming from 10.1.3.205 to any other IP but the VIP, it will be processed by the AE-SERVER-PMAP policy map.

So, order matters.
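
The three steps of the accepted solution and the class-ordering point above, pulled together into one complete AE-context fragment. This is an added example, not configuration posted in the thread or supplied by Cisco. Taken from the thread: the VIP 172.20.0.45, the rserver addresses 10.1.3.205 and 10.1.3.215, the static NAT addresses 172.20.0.205 and 172.20.0.215, the NAT pool 10.1.3.100, and the class-map and policy-map names. Assumed here: the rserver names, the serverfarm name AE-SFARM, the interface addresses 172.20.0.2 and 10.1.3.2, and `tcp any` on the VIP match. Borys's advice to place the VIP class above the two static-NAT classes implies a single multi-match policy on VLAN 130, so the two are merged here; without the `nat dynamic` line, the rserver chosen for the VIP would see a packet sourced from a neighbour on its own VLAN and answer it directly, bypassing the ACE, which is the failure the solution fixes. Lines beginning with `!` are annotations for reading, not commands to paste.

```cisco
! Real servers and the farm behind the AE VIP (AE-SFARM is an assumed name)
rserver host AE-SERVER-1
  ip address 10.1.3.205
  inservice
rserver host AE-SERVER-2
  ip address 10.1.3.215
  inservice

serverfarm host AE-SFARM
  rserver AE-SERVER-1
    inservice
  rserver AE-SERVER-2
    inservice

! The VIP class; the same class is reused on both VLANs
class-map match-all L4_VIP_AE_CMAP
  2 match virtual-address 172.20.0.45 tcp any

! Per-server classes driving the existing static SNAT (from the thread)
class-map match-all AE-SERVER-1-CMAP
  2 match source-address 10.1.3.205 255.255.255.255
class-map match-all AE-SERVER-2-CMAP
  2 match source-address 10.1.3.215 255.255.255.255

policy-map type loadbalance first-match L7_VIP_AE_PMAP
  class class-default
    serverfarm AE-SFARM

! Client side (VLAN 20): plain VIP, no NAT; rservers route client
! replies back through the ACE anyway
policy-map multi-match L4_LB_VIP_PMAP
  class L4_VIP_AE_CMAP
    loadbalance vip inservice
    loadbalance policy L7_VIP_AE_PMAP

! Server side (VLAN 130): VIP class first, static SNAT classes after it.
! nat dynamic rewrites the server's source to the pool address so the
! chosen rserver replies to the ACE and the flow stays stateful.
policy-map multi-match L4_LB_VIP_PMAP_NEW
  class L4_VIP_AE_CMAP
    loadbalance vip inservice
    loadbalance policy L7_VIP_AE_PMAP
    nat dynamic 10 vlan 130
  class AE-SERVER-2-CMAP
    nat static 172.20.0.215 netmask 255.255.255.255 vlan 20
  class AE-SERVER-1-CMAP
    nat static 172.20.0.205 netmask 255.255.255.255 vlan 20

interface vlan 20
  ip address 172.20.0.2 255.255.255.0
  service-policy input L4_LB_VIP_PMAP
  no shutdown

interface vlan 130
  ip address 10.1.3.2 255.255.255.0
  nat-pool 10 10.1.3.100 10.1.3.100 netmask 255.255.255.255 pat
  service-policy input L4_LB_VIP_PMAP_NEW
  no shutdown
```

To check it, open a connection from 10.1.3.205 to 172.20.0.45 and look at `show conn` in the AE context: the server-side leg should show the source translated to 10.1.3.100, and `show service-policy L4_LB_VIP_PMAP_NEW detail` should show hits on L4_VIP_AE_CMAP rather than on the static-NAT classes. One caveat for anyone relying on source attribution: with a single-address PAT pool, every server-originated request to the VIP arrives at the rservers from 10.1.3.100, so host firewalls or application logs on the rservers no longer see which server called; use a wider pool, or one pool per server class, if that distinction matters.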

Dear Borys,

I tried your first proposed solution and I am able to ping 172.20.0.45 from the AE context servers.

But I want the following scenario:

  1. From the AE context rservers, I should be able to reach 172.20.0.47 (CE_VIP) and 172.20.0.56 (PE_VIP)
  2. Similarly, each context's servers should be able to reach the VIPs of the other contexts

Waiting for your help.

Please find the modified configuration for the AE context in the attached file for reference.

Thanks & Regards,

Rameez
