Do I need to include a VIP in the service policy?

axfalk
Level 1

We're running the ACE SM (3.2) and need to be able to hit a VIP from the 192.168.92.206 back-end server. We have put the following config in place:

class-map type http loadbalance match-any ES-SERVER-INIT
    2 match source-address 192.168.92.206 255.255.255.255

policy-map multi-match SERVER-VIPS
  class   ES-SERVER-INIT
  nat dyn 2 vlan 812

interface vlan 812
  description server side vlan
  ip address 192.168.84.2 255.255.252.0
  alias 192.168.84.1 255.255.252.0
  peer ip address 192.168.84.3 255.255.252.0
  access-group input any
  nat-pool 2 192.168.84.10 192.168.84.10 netmask 255.255.252.0 pat
  service-policy input  SERVER-VIPS
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown

Does the service policy have to have the VIP that the server is trying to hit?

Thanks..

3 Replies

Andrew Nam
Level 1

Let's say you have a VIP on the client side as below:

class-map match-all VIP-WEB
  2 match virtual-address x.x.x.x tcp eq www

You also need to add the class-map VIP-WEB to the below multi-match policy.

policy-map multi-match SERVER-VIPS
  class   ES-SERVER-INIT
  nat dyn 2 vlan 812

  class VIP-WEB      <<<<------
     loadbalance vip inservice
     loadbalance policy WEB-POLICY
     loadbalance vip icmp-reply active

Then you should be OK to ping or telnet to the VIP on the client side from the server behind the ACE.

Below is a test config that worked OK.

rserver host r1
  ip address 172.16.4.4
  inservice

class-map match-all VIP-WEB
  2 match virtual-address 10.66.85.7 tcp eq www


policy-map multi-match Server-Traffic
  class Server-Traffic
    nat dynamic 20 vlan 903
    nat dynamic 10 vlan 800
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active

interface vlan 903
  ip address 172.16.4.3 255.255.255.240
  alias 172.16.4.1 255.255.255.240
  peer ip address 172.16.4.2 255.255.255.240
  access-group input everyones
  access-group output everyones
  nat-pool 20 10.66.85.9 10.66.85.9 netmask 255.255.255.255
  service-policy input remote-mgmt
  service-policy input Server-Traffic
  no shutdown

ACE20-Rack3-Primary/Routed-c1-STATIC# sh conn

total current connections : 4

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
2068698    1  in  ICMP  800  10.66.85.124:32761    10.66.85.7:2048       -- 
2068699    1  out ICMP  800  10.66.85.7:32761      10.66.85.124:0        -- 
1894819    2  in  TCP   903  172.16.4.4:52647      10.66.85.7:80         ESTAB
1894820    2  out TCP   903  172.16.4.4:80         10.66.85.9:52647      ESTAB
ACE20-Rack3-Primary/Routed-c1-STATIC#

regards

Andrew

Thanks for your response.

If that server needs to hit another VIP, would I have to create a new class-map policy for that VIP and add it to the multi-match policy? In other words, whatever VIPs the server needs to hit would have to have a class-map policy and be part of the service-policy, which is what my original question was? - Thanks again...

rserver host r1
  ip address 172.16.4.4
  inservice

class-map match-all VIP-WEB
  2 match virtual-address 10.66.85.7 tcp eq www

class-map match-all VIP-WEB-2
  2 match virtual-address 10.66.85.10 tcp eq www


policy-map multi-match Server-Traffic
  class Server-Traffic
    nat dynamic 20 vlan 903
    nat dynamic 10 vlan 800
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy WEB-POLICY
    loadbalance vip icmp-reply active

  class VIP-WEB-2
    loadbalance vip inservice
    loadbalance policy WEB-POLICY-2
    loadbalance vip icmp-reply active

interface vlan 903
  ip address 172.16.4.3 255.255.255.240
  alias 172.16.4.1 255.255.255.240
  peer ip address 172.16.4.2 255.255.255.240
  access-group input everyones
  access-group output everyones
  nat-pool 20 10.66.85.9 10.66.85.9 netmask 255.255.255.255
  service-policy input remote-mgmt
  service-policy input Server-Traffic
  no shutdown

Yes. You need to configure the LB class-map (i.e. the VIP) and the NAT class-map together.

-Andrew
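Andrew's rule above, that the server-side multi-match policy must carry both the dynamic-NAT class and an inservice VIP class before a back-end server can reach a VIP, can be checked mechanically against a saved config. The following is an added example, not code from this thread or from Cisco: a small parser for the relevant ACE blocks that flags any interface whose input policy does dynamic NAT without a VIP class. The NAT-ONLY policy and vlan 904 in the sample are constructed to show the failing case.

```python
# Constructed sample (not from the thread); NAT-ONLY is a hypothetical policy that lacks a VIP class.
SAMPLE_CONFIG = """\
policy-map multi-match Server-Traffic
  class Server-Traffic
    nat dynamic 20 vlan 903
  class VIP-WEB
    loadbalance vip inservice
policy-map multi-match NAT-ONLY
  class Server-Traffic
    nat dynamic 20 vlan 903
interface vlan 903
  service-policy input Server-Traffic
interface vlan 904
  service-policy input NAT-ONLY
"""

def parse_blocks(config):
    """Return ({policy: {class: [actions]}}, {interface: [input policies]})."""
    policies, interfaces, policy, iface, cls = {}, {}, None, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():            # blank line or top-level statement ends a block
            policy = iface = cls = None
            if line.startswith("policy-map multi-match "):
                policy = line.split()[-1]
                policies[policy] = {}
            elif line.startswith("interface "):
                iface = line[len("interface "):]
                interfaces[iface] = []
        elif policy and line.startswith("class "):
            cls = line.split()[1]
            policies[policy][cls] = []
        elif policy and cls:
            policies[policy][cls].append(line)
        elif iface and line.startswith("service-policy input "):
            interfaces[iface].append(line.split()[-1])
    return policies, interfaces

def check_hairpin(config):
    """For each (interface, input policy) doing dynamic NAT, is an inservice VIP class present?"""
    policies, interfaces = parse_blocks(config)
    findings = {}
    for iface, applied in interfaces.items():
        for name in applied:
            classes = policies.get(name, {})
            nat = [c for c, acts in classes.items() if any(a.startswith("nat dyn") for a in acts)]
            vip = [c for c, acts in classes.items() if "loadbalance vip inservice" in acts]
            if nat:
                findings[(iface, name)] = {"nat": nat, "vip": vip, "ok": bool(vip)}
    return findings
```

Run `check_hairpin(open("ace.cfg").read())` against a `show run` capture; any entry with `"ok": False` is a server VLAN where server-initiated traffic is NATed but no VIP is reachable from it.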
