Cisco ACE 4710 - Correct set up mode question

dolphinfitness
Level 1

Hi there,

Just wondering if I can ask an opinion. We have recently set up a Cisco ACE 4710 in routed mode in order to load balance between our client traffic from the internet and our web servers inside.

The requirement was to set up the ACE to load balance the incoming web traffic, but to have a separate default gateway for the real servers' initiated traffic to the internet. To achieve this I have configured the ACE in routed mode with a nat-pool on the inside VLAN (as per the config below), but the problem is that this hides the remote client's public IP address from our servers, as the traffic is seen to come from the NAT IP address.

I have got limited knowledge of Cisco ACE, so I am not convinced whether the routed configuration I have gone with is the correct one, or if it would have made a difference to go with a different mode.

Just wondering if someone can help with deciding the most efficient way to set up the ACE to handle load balancing for the incoming web traffic to our e-commerce servers, whilst having a separate gateway for the real servers' initiated traffic, but also allowing the real servers to see the IP address of the remote client.

Here is the current config:

access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http Probe_dph_HTTP
  interval 10
  passdetect interval 10
  request method get url /ping.html
  expect status 200 200
  open 1
probe http Probe_dph_TCP
  interval 15
  passdetect interval 60
  open 1
rserver host Web_Server_01
  description Web Server 01
  ip address 192.168.100.101
  inservice
rserver host Web_Server_02
  description Web Server 02
  ip address 192.168.100.102
  inservice
rserver host Web_Server_03
  description Web Server 03
  ip address 192.168.100.103
  inservice
serverfarm host dph_Web_Servers
  probe Probe_dph_HTTP
  rserver Web_Server_01 80
    inservice
  rserver Web_Server_02 80
    inservice
  rserver Web_Server_03 80
    inservice
class-map match-all VIP_Website_dph_HTTP
  2 match virtual-address 192.168.1.100 tcp eq www
policy-map type loadbalance http first-match LoadBalance_dph_HTTP
  class class-default
    serverfarm dph_Web_Servers
policy-map multi-match Public_Policies
  class VIP_Website_dph_HTTP
    nat dynamic 1 vlan 101
    loadbalance vip inservice
    loadbalance policy LoadBalance_dph_HTTP
interface vlan 100
  ip address 192.168.1.2 255.255.255.0
  access-group input INBOUND
  service-policy input Public_Policies
  no shutdown
interface vlan 101
  ip address 192.168.100.1 255.255.255.0
  nat-pool 1 192.168.100.254 192.168.100.254 netmask 255.255.255.255 pat
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.1.1

2 Replies

gaursin2
Level 1

Hi Ali,

Based on your requirement, I guess the NAT pool is logical. For accountability of the client's real IP address, you can go for advanced HTTP options like header insert, wherein you insert the client's actual IP in an HTTP header.

Hope this satisfies your requirement.
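The header-insert approach suggested in the reply, written out against the poster's own policy names as an added example (this is not config from the original thread or from Cisco; the parameter-map name HTTP_PARAM and the header name X-Forwarded-For are my choices, `%is` is the ACE's built-in variable for the client source IP, and the `!` lines are annotations rather than config). The source NAT on vlan 101 is kept as it is; the header carries the pre-NAT client address to the real servers:

```text
! Added example, not from the original post.
! persistence-rebalance makes the ACE inspect every request on a
! persistent (keep-alive) connection; without it only the first request
! on a connection gets the inserted header.
parameter-map type http HTTP_PARAM
  persistence-rebalance

! Insert the client's source IP (%is) into X-Forwarded-For on the
! load-balancing policy that already selects dph_Web_Servers.
policy-map type loadbalance http first-match LoadBalance_dph_HTTP
  class class-default
    serverfarm dph_Web_Servers
    insert-http X-Forwarded-For header-value "%is"

! Attach the HTTP parameter map to the existing VIP class; the
! nat dynamic line stays, so the servers still see 192.168.100.254
! as the TCP peer and keep their separate default gateway.
policy-map multi-match Public_Policies
  class VIP_Website_dph_HTTP
    loadbalance vip inservice
    loadbalance policy LoadBalance_dph_HTTP
    appl-parameter http advanced-options HTTP_PARAM
    nat dynamic 1 vlan 101
```

Two caveats for whoever reads the header on the server side: an internet client can send its own X-Forwarded-For, so the application should only honour the value when the request arrived from the ACE (TCP peer 192.168.100.254 in this config) and should take the entry the ACE added, not an arbitrary one; and because the servers now see the NAT address as the peer, anything that keys on the socket address (rate limits, IP allow-lists, access logs) needs to be switched to the header value or it will lump every client together.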

Hi Gaurav,

Thank you very much for your reply.

With regards to the NAT configuration, do you think it matters that I only have 1 address allocated in the NAT pool (192.168.100.254), in terms of concurrency of many clients, and/or resource usage etc.?

Also do you think the HTTP header insert would be very resource intensive for the ACE?

Thank you for your help.
