Just wondering if I can ask an opinion. We have recently set up a Cisco ACE 4710 in routed mode in order to load balance between our client traffic from the internet and our webservers inside.
The requirement was to set up the ACE to load balance for the incoming web traffic, but to have a separate default gateway for the real servers' initiated traffic to the internet. To achieve this I have configured the ACE in routed mode with a nat-pool on the inside VLAN (as per the config below), but the problem is that this hides the remote client's public IP address from our servers, as the traffic is seen to come from the NAT IP address.
I have got limited knowledge about Cisco ACE so am not convinced whether the routed configuration I have gone with is the correct one, or if it would have made a difference to go with a different mode.
Just wondering if someone can help with deciding what is the most efficient way to set up the ACE to handle load balancing for the incoming web traffic to our e-commerce servers, whilst having a separate gateway for the real servers' initiated traffic, but also for the real servers to be able to see the IP address of the remote client.
Here is the current config:
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http Probe_dph_HTTP
  passdetect interval 10
  request method get url /ping.html
  expect status 200 200
probe http Probe_dph_TCP
  passdetect interval 60
rserver host Web_Server_01
  description Web Server 01
  ip address 192.168.100.101
rserver host Web_Server_02
  description Web Server 02
  ip address 192.168.100.102
rserver host Web_Server_03
  description Web Server 03
  ip address 192.168.100.103
serverfarm host dph_Web_Servers
  rserver Web_Server_01 80
  rserver Web_Server_02 80
  rserver Web_Server_03 80
class-map match-all VIP_Website_dph_HTTP
  2 match virtual-address 192.168.1.100 tcp eq www
policy-map type loadbalance http first-match LoadBalance_dph_HTTP
policy-map multi-match Public_Policies
  nat dynamic 1 vlan 101
  loadbalance vip inservice
  loadbalance policy LoadBalance_dph_HTTP
interface vlan 100
  ip address 192.168.1.2 255.255.255.0
  access-group input INBOUND
  service-policy input Public_Policies
interface vlan 101
  ip address 192.168.100.1 255.255.255.0
  nat-pool 1 192.168.100.254 192.168.100.254 netmask 255.255.255.255 pat
Based on your requirement, I guess the NAT pool is logical. For accountability of the real IP address of the client, you can go for advanced HTTP options like header insert, wherein you insert the client's actual IP in an HTTP header.
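The header-insert approach suggested in the reply is only useful if the web servers accept that header from the ACE alone, because a client can send the same header itself. The following Python check is an added example, not part of the thread or of any Cisco code; the header name X-Forwarded-For, the function `resolve_client_ip` and the sample requests are assumptions, and 192.168.100.254 is the nat-pool address from the posted config.

```python
import ipaddress

# Assumptions (not from the thread): the ACE is configured to insert the
# client's source IP in a header named X-Forwarded-For, and every proxied
# request reaches the servers from the nat-pool address in the posted config.
TRUSTED_PEERS = {ipaddress.ip_address("192.168.100.254")}
CLIENT_IP_HEADER = "x-forwarded-for"


def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, source) for one request.

    peer_ip: TCP source address seen by the web server.
    headers: list of (name, value) pairs in the order received.
    source is "header" when the inserted value was trusted, otherwise a
    reason string explaining why the peer address was used instead.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PEERS:
        # Request did not come through the load balancer: the header is
        # fully client-controlled, so ignore it.
        return str(peer), "untrusted-peer"

    values = [v for n, v in headers if n.lower() == CLIENT_IP_HEADER]
    if not values:
        return str(peer), "header-missing"
    if len(values) > 1 or "," in values[0]:
        # The client sent its own copy; we cannot tell which one the ACE wrote.
        return str(peer), "ambiguous-header"
    try:
        return str(ipaddress.ip_address(values[0].strip())), "header"
    except ValueError:
        return str(peer), "malformed-header"


# Constructed sample requests (peer address, headers) for illustration.
SAMPLES = [
    ("192.168.100.254", [("Host", "shop.example"), ("X-Forwarded-For", "203.0.113.7")]),
    ("192.168.100.254", [("X-Forwarded-For", "10.0.0.1"), ("X-Forwarded-For", "203.0.113.7")]),
    ("192.168.100.50", [("X-Forwarded-For", "203.0.113.7")]),
    ("192.168.100.254", [("X-Forwarded-For", "not-an-ip")]),
]

if __name__ == "__main__":
    for peer, hdrs in SAMPLES:
        print(peer, resolve_client_ip(peer, hdrs))
```

Any result other than "header" is worth logging with the reason string, since it means the request either bypassed the load balancer or carried a client-supplied copy of the header.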