05-10-2013 09:46 AM
Hi There,
I am a bit stuck with regard to how to migrate the following config from a CSM to an ACE20 module.
Currently we have a CSM configured as below:-
452 Client and 453 Server sharing the same Public vlan.
We require outbound access from groups of internal individual servers to external addresses.
CSM config
module ContentSwitchingModule 8
vlan 452 client
ip address 10.206.135.252 255.255.252.0
gateway 10.206.135.254
!
vlan 453 server
ip address 10.206.135.252 255.255.252.0
!
!
vserver OXDBGATE2VIP
virtual 193.19.98.150 any
vlan 453
serverfarm PORTAL-OUT
persistent rebalance
client 10.206.132.71 255.255.255.255
client 10.206.133.4 255.255.255.255
client 10.206.133.12 255.255.255.255
inservice
!
serverfarm PORTAL-OUT
nat server
nat client PORT-OUT
predictor forward
!
natpool EBSIIS-OUT 10.206.134.40 10.206.134.40 netmask 255.255.254.0
natpool PORT-OUT 10.206.134.15 10.206.134.15 netmask 255.255.252.0
natpool FC-SMTP-OUT 10.206.134.9 10.206.134.9 netmask 255.255.252.0
natpool BACKDOOR-OUT 10.206.135.250 10.206.135.250 netmask 255.255.252.0
!
FWSM:
static (PUBLIC_DMZ,Outside) 82.203.1.149 PORTAL-OUT-VIP netmask 255.255.255.255
Does anyone know or have any idea what the equivalent config would look like for the ACE?
I was told it's running in one-armed mode, but it looks like it is bridged to me, as two different VLANs are using the same subnet.
The ACE is configured using contexts; the configuration is attached.
Vlan 452 sits in the following context and is working for inbound traffic. Can I add vlan 453 with the same credentials etc.? Open to suggestions.
access-list ACL-ALLOW-VIPS line 102 extended permit icmp any any
access-list ACL-ALLOW-VIPS line 103 extended permit ip any any
probe https HTTPS-PROBE
interval 10
faildetect 5
passdetect count 5
request method get url /index.html
expect status 200 200
probe icmp PING
interval 10
faildetect 5
passdetect count 5
rserver host CENSIMSIIS01
ip address 10.206.132.49
inservice
rserver host CENSIMSTS01
ip address 10.206.132.33
inservice
rserver host CENSIMSTS02
ip address 10.206.132.34
inservice
rserver host CENSIMSTS03
ip address 10.206.132.35
inservice
rserver host CENSIMSTS04
ip address 10.206.132.37
inservice
rserver host CENSIMSTS05
ip address 10.206.132.38
inservice
rserver host CENSIMSTS06
ip address 10.206.132.39
inservice
rserver host CENSIMSTS07
ip address 10.206.132.40
inservice
rserver host CENSIMSTS08
ip address 10.206.132.41
inservice
rserver host CENSIMSTS09
ip address 10.206.132.42
inservice
rserver host CENSIMSTS10
ip address 10.206.132.43
inservice
rserver host CENSIMSTS11
ip address 10.206.132.44
inservice
rserver host CENSIMSTS12
ip address 10.206.132.45
rserver host CENWEBDAV01
ip address 10.206.132.79
rserver host CITRIX-CAG-01
ip address 10.206.132.190
inservice
rserver host CITY-CAG-SVR
ip address 10.206.132.188
inservice
rserver host DOMINO01
ip address 10.206.132.53
inservice
rserver host DOMINO02
ip address 10.206.132.54
inservice
rserver host DOMINO03
ip address 10.206.132.55
inservice
rserver host INFOBLOX
ip address 10.206.132.250
probe PING
inservice
rserver host NETILLA-SCHOOL-14
ip address 10.206.132.14
inservice
rserver host NETILLA-SCHOOL-64
ip address 10.206.132.64
inservice
rserver host NETILLA1
ip address 10.206.132.61
inservice
rserver host NETILLA2
ip address 10.206.132.62
inservice
rserver host NETILLA3
ip address 10.206.132.63
inservice
rserver host S07-SAN-TS-01
ip address 10.206.132.46
inservice
rserver host S08-SAN-FTP-01
ip address 10.206.132.18
rserver host S08-SAN-STS-01
ip address 10.206.132.36
inservice
rserver host S08-SAN-STS-02
ip address 10.206.132.82
inservice
rserver host S08-SAN-STS-03
ip address 10.206.132.83
inservice
rserver host S08-SAN-STS-04
inservice
rserver S11-VM-TS-S13
inservice
rserver S11-VM-TS-S14
inservice
rserver S11-VM-TS-S15
rserver S11-VM-TS-S16
inservice
rserver S11-VM-TS-S17
rserver S11-VM-TS-S18
serverfarm host CENWEBDAV-SFARM
failaction reassign
predictor leastconns
rserver CENWEBDAV01
inservice
serverfarm host CITRIX-CAG-SFARM
failaction reassign
predictor leastconns
rserver CITRIX-CAG-01
inservice
serverfarm host CITY-CAG-SFARM
failaction reassign
predictor leastconns
rserver CITY-CAG-SVR
inservice
serverfarm host CITY-CAG-XEN-SFARM
failaction purge
predictor leastconns
rserver S13-VM-CAG-C01
inservice
serverfarm host CITY-CANACT-SFARM
failaction reassign
predictor leastconns
rserver S09-SAN-ISA-C02
inservice
serverfarm host CITY-ECITIZEN-SFARM
failaction reassign
predictor leastconns
rserver S09-SAN-ISA-C04
inservice
serverfarm host CITY-LAGAN-CRM-SFARM
failaction reassign
predictor leastconns
rserver S09-SAN-ISA-C01
inservice
serverfarm host CITY-ZMAN-SFARM
failaction reassign
predictor leastconns
rserver S09-SAN-ISA-C03
inservice
serverfarm host DOMINO-1-SFARM
failaction reassign
predictor leastconns
rserver DOMINO01
inservice
serverfarm host DOMINO-2-SFARM
failaction reassign
predictor leastconns
rserver DOMINO02
inservice
serverfarm host DOMINO-3-SFARM
failaction reassign
predictor leastconns
rserver DOMINO03
inservice
serverfarm host EPLANNING2-SFARM
failaction reassign
predictor leastconns
rserver S12-VM-IIS-L22
inservice
serverfarm host ETON--SFARM
failaction reassign
predictor leastconns
rserver S08-SAN-FTP-01
serverfarm host EXOR-V45-SFARM
failaction reassign
predictor leastconns
rserver S12-VM-APP-L51
inservice
serverfarm host GCSX-OWA-SFARM
failaction reassign
predictor leastconns
rserver NETILLA1
inservice
rserver NETILLA2
inservice
rserver NETILLA3
inservice
serverfarm host HDR-TEST-SFARM
failaction reassign
predictor leastconns
rserver s09-san-web-02
inservice
serverfarm host INFOBLOX-SFARM
failaction reassign
predictor leastconns
rserver INFOBLOX
inservice
serverfarm host INTRANET-SFARM
failaction reassign
predictor leastconns
rserver S11-VM-WEB-05_206
inservice
serverfarm host MILLARTS-SFARM
failaction reassign
predictor leastconns
rserver S11-VM-WEB-05
inservice
serverfarm host MY-INT-SFARM
failaction reassign
predictor leastconns
rserver S11-SAN-TMG01-1
inservice
rserver S11-SAN-TMG02-1
inservice
rserver S12-SAN-TMG03-1
inservice
serverfarm host MY-TMG-SFARM
failaction reassign
predictor leastconns
rserver S11-SAN-TMG01-2
inservice
rserver S11-SAN-TMG02-2
inservice
rserver S12-SAN-TMG03-2
inservice
serverfarm host NETILLA-SSL-SFARM
failaction reassign
predictor leastconns
rserver NETILLA1
weight 1
inservice
rserver NETILLA2
weight 3
inservice
rserver NETILLA3
weight 1
inservice
serverfarm host NETILLA-SUPPORT-SFARM
failaction reassign
predictor leastconns
rserver NETILLA-SCHOOL-14
rserver NETILLA-SCHOOL-64
rserver NETILLA1
rserver NETILLA2
inservice
rserver NETILLA3
serverfarm host OCNNETILLA-SFARM
failaction reassign
predictor leastconns
rserver NETILLA-SCHOOL-14
weight 16
inservice standby
rserver NETILLA-SCHOOL-64
inservice
serverfarm host OWA-CITY-SFARM
failaction reassign
predictor leastconns
rserver S09-SAN-ISA-C0X
inservice
serverfarm host PUBINVNET-SFARM
failaction reassign
predictor leastconns
rserver S10-SAN-IIS-01-2
inservice
serverfarm host SIMS-DTS-SFARM
failaction reassign
predictor leastconns
rserver S11-VM-DTS-S01
inservice
rserver S11-VM-DTS-S02
inservice
serverfarm host SIMSTS_N1-SFARM
failaction reassign
predictor leastconns
rserver CENSIMSTS01
inservice
rserver CENSIMSTS02
inservice
rserver CENSIMSTS03
inservice
rserver CENSIMSTS04
inservice
rserver CENSIMSTS05
inservice
rserver CENSIMSTS06
inservice
rserver CENSIMSTS07
inservice
rserver CENSIMSTS08
inservice
rserver CENSIMSTS09
inservice
rserver CENSIMSTS10
inservice
rserver CENSIMSTS11
inservice
rserver CENSIMSTS12
inservice
rserver S07-SAN-TS-01
inservice
rserver S08-SAN-STS-01
inservice
rserver S08-SAN-STS-02
inservice
rserver S08-SAN-STS-03
inservice
rserver S08-SAN-STS-04
inservice
rserver S11-VM-TS-S13
inservice
rserver S11-VM-TS-S14
inservice
rserver S11-VM-TS-S15
rserver S11-VM-TS-S16
inservice
rserver S11-VM-TS-S17
rserver S11-VM-TS-S18
serverfarm host SIMSTS_N2-SFARM
failaction reassign
predictor leastconns
rserver CENSIMSTS01
inservice
rserver CENSIMSTS02
inservice
rserver CENSIMSTS03
inservice
rserver CENSIMSTS04
inservice
rserver CENSIMSTS05
inservice
rserver CENSIMSTS06
inservice
rserver CENSIMSTS07
inservice
rserver CENSIMSTS08
inservice
rserver CENSIMSTS09
inservice
rserver CENSIMSTS10
inservice
rserver CENSIMSTS11
inservice
rserver CENSIMSTS12
inservice
rserver S07-SAN-TS-01
inservice
rserver S08-SAN-STS-01
inservice
rserver S08-SAN-STS-02
inservice
rserver S08-SAN-STS-03
inservice
rserver S08-SAN-STS-04
inservice
rserver S11-VM-TS-S13
inservice
rserver S11-VM-TS-S14
inservice
rserver S11-VM-TS-S15
rserver S11-VM-TS-S16
inservice
rserver S11-VM-TS-S17
rserver S11-VM-TS-S18
serverfarm host TMG-LYNC-SFARM
failaction reassign
predictor leastconns
rserver S11-SAN-TMG01-3
inservice
rserver S11-SAN-TMG02-3
inservice
serverfarm host TMG-REDIRECT-SFARM
failaction reassign
predictor leastconns
rserver S11-SAN-TMG-01-RD
inservice
rserver S11-SAN-TMG-02-RD
inservice
rserver S11-SAN-TMG-03-RD
inservice
serverfarm host TMG-STANDARD-SFARM
failaction reassign
predictor leastconns
rserver S11-SAN-TMG-01
inservice
rserver S11-SAN-TMG-02
inservice
rserver S11-SAN-TMG-03
inservice
parameter-map type http HTTP_CLIENT_PARAMETER_MAP
persistence-rebalance
sticky ip-netmask 255.255.255.255 address both INFOBLOX-STICKY
timeout 60
replicate sticky
class class-default
sticky-serverfarm SIMSTS_N1-SFARM-STICKY
policy-map type loadbalance first-match SLB-SIMSTS_N2-POLICY
description Filter traffic matching the VIP
class class-default
sticky-serverfarm SIMSTS_N1-SFARM-STICKY
policy-map type loadbalance first-match SLB-TMG-LYNC-SFARM-POLICY
description Filter traffic matching the VIP
class class-default
sticky-serverfarm TMG-LYNC-SFARM-STICKY
policy-map type loadbalance first-match TMG-REDIRECT-POLICY
class class-default
sticky-serverfarm TMG-REDIRECT-SFARM-STICKY
policy-map type loadbalance first-match TMG-STANDARD-POLICY
class class-default
sticky-serverfarm TMG-STANDARD-SFARM-STICKY
policy-map multi-match CLIENT-VIPS
class INFOBLOX-VIP
loadbalance vip inservice
loadbalance policy SLB-INFOBLOX-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CENSIMSTS-VIP
loadbalance vip inservice
loadbalance policy SLB-CENSIMSTS-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class SIMSTS_N1-VIP
loadbalance vip inservice
loadbalance policy SLB-SIMSTS_N1-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class SIMSTS_N2-VIP
loadbalance vip inservice
loadbalance policy SLB-SIMSTS_N2-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class SIMS-DTS-VIP
loadbalance vip inservice
loadbalance policy SLB-SIMS-DTS-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CENSIMSIIS-VIP
loadbalance vip inservice
loadbalance policy SLB-CENSIMSIIS-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CENSIMSTS-453-VIP
loadbalance vip inservice
loadbalance policy SLB-CENSIMSTS-453-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CENSIMSTS2T-VIP
loadbalance vip inservice
loadbalance policy SLB-CENSIMSTS2T-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class OCNNETILLA-VIP
loadbalance vip inservice
loadbalance policy SLB-OCNNETILLA-POLICY
loadbalance vip icmp-reply active
nat dynamic 2 vlan 452
class NETILLA-SSL-VIP
loadbalance vip inservice
loadbalance policy SLB-NETILLA-SSL-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class GCSX-OWA-VIP
loadbalance vip inservice
loadbalance policy SLB-GCSX-OWA-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CITRIX-CAG-VIP
loadbalance vip inservice
loadbalance policy SLB-CITRIX-CAG-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class NETILLA-SUPPORT-VIP
loadbalance vip inservice
loadbalance policy SLB-NETILLA-SUPPORT-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CENWEBDAV-VIP
loadbalance policy SLB-CENWEBDAV-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class DOMINO-1-VIP
loadbalance policy SLB-DOMINO-1-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class DOMINO-2-VIP
loadbalance policy SLB-DOMINO-2-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class DOMINO-3-VIP
loadbalance policy SLB-DOMINO-3-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class ETON-213-FTP-VIP
loadbalance policy SLB-ETON-213-FTP-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class ETON-VSVR-FTP-213-VIP
loadbalance policy SLB-ETON-213-FTP-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class MY-INT-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-MY-INT-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class MY-TMG-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-MY-TMG-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class TMG-LYNC-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-TMG-LYNC-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CITY-CAG-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-CITY-CAG-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 4 vlan 452
class CITY-CANACT-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-CITY-CANACT-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 3 vlan 452
class CITY-ZMAN-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-CITY-ZMAN-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 3 vlan 452
class CITY-ECITIZEN-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-CITY-ECITIZEN-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 3 vlan 452
class CITY-LAGAN-CRM-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-CITY-LAGAN-CRM-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 3 vlan 452
class OWA-CITY-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-OWA-CITY-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 3 vlan 452
class EPLANNING2-VIP
loadbalance vip inservice
loadbalance policy SLB-EPLANNING2-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class MILLARTS-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-MILLARTS-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class INTRANET-SFARM-VIP
loadbalance vip inservice
loadbalance policy SLB-INTRANET-SFARM-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class EXOR-V45-VIP
loadbalance vip inservice
loadbalance policy SLB-EXOR-V45-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class HDR-TEST-VIP
loadbalance vip inservice
loadbalance policy SLB-HDR-TEST-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class TMG-REDIRECT-VIP
loadbalance vip inservice
loadbalance policy TMG-REDIRECT-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class TMG-STANDARD-VIP
loadbalance vip inservice
loadbalance policy TMG-STANDARD-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class PUBINVNET-VIP
loadbalance vip inservice
loadbalance policy SLB-PUBINVNET-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
class CITY-CAG-XEN-VIP
loadbalance vip inservice
loadbalance policy CITY-CAG-XEN-SLB-POLICY
loadbalance vip icmp-reply active
nat dynamic 1 vlan 452
Thanks for any help
Alex
05-11-2013 02:29 AM
Hi Alex,
Here is what you need :
http://www.cisco.com/en/US/docs/solutions/Verticals/ansmsocs.html
ACE can be configured to perform source NAT only on server initiated connections and not client to server load balanced connections. This is done with multiple class statements under the multi-match load balance policy map, as shown in the following example. ACE intercepts all messages directed to the VIP regardless of whether they originated from the local subnet or externally. Traffic originating from external clients only matches the class EEPOOL-VIP and not the class for the real servers defined by their source IP address. Traffic originating from the front-end servers matches both the class EEPOOL-VIP and REAL_SERVERS and the additional NAT action is performed. Note that the source NAT address is identified on the actual interface that the traffic is expected to be seen on, in this case, the server-side VLAN 110.
class-map match-any EEPOOL-VIP
2 match virtual-address 10.1.100.6 any
class-map match-all REAL_SERVERS
2 match source-address 10.1.100.0 255.255.255.0
policy-map multi-match Office Communications Server-POLICY-MAP
class EEPOOL-VIP
loadbalance vip inservice
loadbalance policy EEPOOL-LB-POLICY
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
class REAL_SERVERS
nat dynamic 1 vlan 110
interface vlan 110
description Server-side-vlan
bridge-group 1
access-group input BPDU-Allow
access-group input Office Communications Server-Traffic-Outbound
nat-pool 1 10.1.100.200 10.1.100.200 netmask 255.255.255.0 pat
service-policy input Office Communications Server-POLICY-MAP
no shutdown
Here are some more :
If ACE is configured in routing mode, the ACE just becomes a router and allows the connections through, without any load balancing or matching of a class-map.
There are two conditions
1. ACLs should be configured on ACE to allow the through traffic.
2. There is no SLB policy applied on Server side interface
Also valid routes for realserver vlans should exist on upstream L3 devices to ensure that the return traffic can reach real servers.
Hope that helps,
Ajay Kumar
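Added example (not part of the post above or of the Cisco document it quotes): a small Python check for the point that the source NAT pool must be defined on the interface named in the "nat dynamic" statement. It reads ACE configuration text, indented or flattened as in this thread, and reports every "nat dynamic <id> vlan <n>" that has no matching "nat-pool <id>" under "interface vlan <n>". The sample config, the policy-map name OCS-POLICY-MAP and the class BACKUP_SERVERS are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in ACE CLI syntax, modelled on the config quoted in
# the thread. BACKUP_SERVERS and OCS-POLICY-MAP are hypothetical names.
SAMPLE_CONFIG = """\
class-map match-any EEPOOL-VIP
  2 match virtual-address 10.1.100.6 any
class-map match-all REAL_SERVERS
  2 match source-address 10.1.100.0 255.255.255.0
policy-map multi-match OCS-POLICY-MAP
  class EEPOOL-VIP
    loadbalance vip inservice
    loadbalance policy EEPOOL-LB-POLICY
  class REAL_SERVERS
    nat dynamic 1 vlan 110
  class BACKUP_SERVERS
    nat dynamic 2 vlan 110
interface vlan 110
  bridge-group 1
  nat-pool 1 10.1.100.200 10.1.100.200 netmask 255.255.255.0 pat
  service-policy input OCS-POLICY-MAP
  no shutdown
"""

# First tokens that open a new top-level stanza. None of them can start a
# line inside a multi-match policy-map or an interface, so the parser does
# not depend on indentation.
TOP_LEVEL = {"class-map", "policy-map", "interface", "serverfarm", "rserver",
             "probe", "access-list", "parameter-map", "sticky"}


def parse(config):
    """Return (nat_refs, pools) extracted from ACE config text."""
    nat_refs = []              # (policy, class, pool_id, vlan)
    pools = defaultdict(set)   # vlan -> pool ids defined on that interface
    policy = cls = vlan = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] in TOP_LEVEL:
            policy = cls = vlan = None
            if tok[:2] == ["policy-map", "multi-match"] and len(tok) >= 3:
                policy = " ".join(tok[2:])
            elif tok[:2] == ["interface", "vlan"] and len(tok) == 3:
                vlan = tok[2]
        elif policy and tok[0] == "class" and len(tok) >= 2:
            cls = tok[1]
        elif (policy and tok[:2] == ["nat", "dynamic"]
              and len(tok) == 5 and tok[3] == "vlan"):
            nat_refs.append((policy, cls, tok[2], tok[4]))
        elif vlan and tok[0] == "nat-pool" and len(tok) >= 2:
            pools[vlan].add(tok[1])
    return nat_refs, pools


def missing_pools(config):
    """List nat dynamic references whose pool is not defined on that VLAN."""
    nat_refs, pools = parse(config)
    return [ref for ref in nat_refs if ref[2] not in pools.get(ref[3], set())]


if __name__ == "__main__":
    for policy, cls, pool_id, vlan in missing_pools(SAMPLE_CONFIG):
        print(f"{policy}: class {cls} uses nat dynamic {pool_id} vlan {vlan}, "
              f"but interface vlan {vlan} has no nat-pool {pool_id}")
```

Run against the context posted in the question, it would list the "nat dynamic 1" to "nat dynamic 4" references on vlan 452 unless the interface vlan 452 stanza, which the post does not show, is included in the input.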
05-11-2013 10:57 AM
Thanks for the reply Ajay, it's very useful.
Can I ask what the access groups and service policy look like in your configuration ?
under
interface vlan 110
description Server-side-vlan
bridge-group 1
access-group input BPDU-Allow
access-group input Office Communications Server-Traffic-Outbound
nat-pool 1 10.1.100.200 10.1.100.200 netmask 255.255.255.0 pat
service-policy input Office Communications Server-POLICY-MAP
no shutdown
And what Vlans are you bridging out of interest?
Many thanks
Alex
05-13-2013 04:15 AM
Hi Alex,
Here are most of the policies which are relevant.
class-map match-any EEPOOL-VIP
2 match virtual-address 10.1.100.6 any
class-map match-all REAL_SERVERS
2 match source-address 10.1.100.0 255.255.255.0
policy-map type loadbalance first-match EEPOOL-LB-POLICY
class class-default
sticky-serverfarm EEPOOLGP
serverfarm host EEPOOL
predictor leastconns
probe PING
rserver OCS1
inservice
rserver OCS2
inservice
sticky ip-netmask 255.255.255.255 address source EEPOOLGP
timeout 30
replicate sticky
serverfarm EEPOOL
policy-map multi-match Office Communications Server-POLICY-MAP
class EEPOOL-VIP
loadbalance vip inservice
loadbalance policy EEPOOL-LB-POLICY
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
class REAL_SERVERS
nat dynamic 1 vlan 110
-----------------------------------------
access-group input Office Communications Server-Traffic-Outbound <<< This will be server subnet allowed from inside to outside.
05-13-2013 04:28 AM
Thanks Ajay,
I will let you know how I get on by posting the config update that I apply here.
05-13-2013 04:41 AM
Hi Ajay,
Going back to my question.
What was the other vlan you bridged to vlan 100, was it for example 200 for clients?
Could you share that config as well?
Was/Is the Client Vlan on the same context?
Many thanks
Alex
05-13-2013 04:52 AM
Hi Alex,
Everything is well explained in the given link :
http://www.cisco.com/en/US/docs/solutions/Verticals/ansmsocs.html
In the above you will find that the bridging was done between 105 and 110. Look below line :
Minimum Baseline Configurations for FWSM and ACE Modules
regards,
Ajay Kumar
05-13-2013 05:18 AM
Great,
Thanks Ajay :-)