05-31-2011 05:59 AM
I just wondered if I could please ask a question I have in regards SNAT on the ACE modules that someone might have encountered elsewhere.
Scenrio is currently the CSS load balancers we use in one enviroment are being consolidated into a ACE module.
Current CSS handles a inbound VIP and a outbound source NAT for the same IP and is placed directly infront of servers and we use the service group rules on the CSS to SNAT
new ACE module will be installed 2 hops away from the servers and we can`t change the current IP/VIP due to extensive use with various 3rd party`s.
My question is relating to the Source NAT functions on the ACE. Redirecting Inbound traffic flows to the VIP causes us no issues however due to the new location of the ACE module we would like the cleanest solution possible for the outbound SNAT. We intend to PBR the outbound traffic into the ACE and route the traffic va the ACE - so the ACE owns the inbound and outbound IP/VIP.
From what I`ve read this seems it may be possible but I wondered if you`d seen this elsewhere/configured it previous etc to let us know if this is even fesiable as wondered how the ACE would handles the inbound client NAT alongside the outbound static source NAT.
Is it also possible to have a VIP IP without actually having any VLAN interfaces in the subnet other then the VIP IP`s ? Due to legacy constraints we have host route the above VIP into the ACE.
Thanks for any advice.
Solved! Go to Solution.
06-01-2011 12:22 AM
Good morning,
For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.
To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)
For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.
Regards
Daniel
06-01-2011 12:22 AM
Good morning,
For your first question, I can confirm it's possible to do it, but your traffic flow is going to end up being a bit messy.
To keep things a bit more clear and facilitate the configuration, I would configure two different vlans on the ACE as you had on the CSS. One for the client side and one for the server. This way you can route the traffic to one or the other vlan depending on what you want to do with it (load-balance or nat)
For the second question, yes, it's fine to have a VIP on a vlan that is not defined on the ACE. As long as the traffic arrives to the ACE, it will be matched against all the VIPs associated with the incoming vlan, regardless of the IP range to which these VIPs belong.
Regards
Daniel
06-01-2011 03:36 AM
Hi,
Many thanks for your reply - its not an ideal scenrio but we have to work with various constraints and a complete uplift of the subnet was not possible. The alternative was splitting NAT onto various external firewalls which would have been a lot worse imho.
Cheers
01-19-2012 02:51 AM
Would apprieciate if someone could check the logic/config for the above scenerio ?
Traffic inbound and using the VIP will be routed into vlan 100 using a /32
Traffic outbound needing the static NAT will be PBR`ed into vlan 200 via a SVI on the same device.
I`m not sure about the default route or if I should be using static nat statement on the nat multimatch...only this generates a error when used.
Example ( its not a http application just using for example )
access-list 10 line 8 extended permit ip any any
access-list 10 line 16 extended permit icmp any any
rserver host SERVER1
ip address 192.168.1.1
rserver host SERVER2
ip address 192.168.1.2
serverfarm host sf1
rserver SERVER1
rserver SERVER2
class-map match-any cm-nat-src
2 match source-address 192.168.1.1 255.255.255.255
3 match source-address 192.168.1.2 255.255.255.255
class-map match-any cm-lb-match
2 match virtual-address 10.10.10.10 tcp eq 80
policy-map type loadbalance generic first-match pm-lb-match
class class-default
serverfarm sf1
policy-map multi-match pm-client-vips
class cm-lb-match
loadbalance vip inservice
loadbalance policy pm-lb-match
loadbalance vip icmp-reply
nat dynamic 10 vlan 100
policy-map multi-match pm-source-nat
class cm-nat-src
nat dynamic 20 vlan 200
interface vlan 100
description lb-vip
access-group input 10
ip address 10.1.1.1 255.255.255.0
nat-pool 10 10.1.1.10 10.1.1.10 netmask 255.255.255.255 pat
service-policy input pm-client-vips
interface vlan 200
description src-nat
access-group input 10
ip address 10.2.1.1 255.255.255.0
nat-pool 10 10.10.10.10 10.10.10.10 netmask 255.255.255.255
ip route 0.0.0.0 10.1.1.2 ( vlan 100..would this impact return traffic for the src nat but the external routing will force it in this way anyway )
01-19-2012 05:52 AM
This post suggests the above config is not valid...i.e using the src nat which is the same as the inbound VIP.
https://supportforums.cisco.com/message/452403#452403
If any one could please confirm
01-29-2012 04:16 AM
If any one else is looking for this solution ( server having a source NAT the same as a inbound VIP ) I actually located some documentation on Cisco TKL called "ACE NAT design" and the configuration IS supported on A2(2.x) upwards and managed a test which worked - although using a single VLAN for in/out traffic.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide