How do I configure ACE30 to allow server to server and server to VIP communications

tporembski
Level 1

I have an ACE30 with 2 client vlans and 2 server vlans in a 2-arm routed mode. I want to allow server initiated traffic from either server vlan to access both client vlans via a VIP and also allow server to server traffic between the 2 server vlans via the server IP address. This is all in a single context. Attached is a diagram of the environment. The server's gateway is the ACE interface for that particular vlan.

[Attached diagram: ace13-environment.png]

So servers on vlan 206 will initiate traffic to either vlan 296 or 298 and therefore load balance to servers on either vlan 206 or 216. Same goes for server vlan 216.

In conjunction with that, how do I configure the ACE so that the servers in one vlan can talk to the servers in the other directly via their IP address? For instance the source would be vlan 206 and the destination would be vlan.

Thank you

Tony.

2 Accepted Solutions

4 Replies

chrhiggi
Level 3

Tony-

All you need to do is create a nat pool on each of the server vlans. Create a new policy map multi-match and put the vip classes in it. Apply both nat statements to all vips in the policy. Then apply the multi-match to each of the server vlans. By doing this, only traffic headed to a VIP will be natted. Server to server communication will not apply.

Server traffic between the vlans is only blocked via ACL by default; you just need to apply an inbound ACL to permit whatever you want to allow.

Regards,

Chris Higgins

Chris, does this look correct based on your description of how to configure:

class-map match-all REAL-SERVERS-VL226
  2 match source-address 10.192.34.0 255.255.255.0

class-map match-all REAL-SERVERS-VL246
  2 match source-address 10.192.44.0 255.255.255.0

policy-map multi-match INTRA-server_P
  class LYNCP2F_C
    loadbalance vip inservice
    loadbalance policy LYNCP2F_P
    loadbalance vip icmp-reply active
    nat dynamic 5 vlan 246
  class LYNCP-FE_C
    loadbalance vip inservice
    loadbalance policy LYNCP-FE_P
    loadbalance vip icmp-reply active
  class REAL-SERVERS-VL226
    nat dynamic 1 vlan 226
  class REAL-SERVERS-VL246
    nat dynamic 2 vlan 246

interface vlan 226
  description Intranet Services Server Vlan 226
  ip address 10.192.34.2 255.255.255.0
  alias 10.192.34.1 255.255.255.0
  peer ip address 10.192.34.3 255.255.255.0
  no icmp-guard
  access-group input ALL-IN
  nat-pool 1 10.192.34.254 10.192.34.254 netmask 255.255.255.0 pat
  service-policy input INTRA-server_P
  no shutdown

interface vlan 246
  description Intranet Services Server Vlan 246
  ip address 10.192.44.2 255.255.255.0
  alias 10.192.44.1 255.255.255.0
  peer ip address 10.192.44.3 255.255.255.0
  no icmp-guard
  access-group input ALL-IN
  nat-pool 2 10.192.44.254 10.192.44.254 netmask 255.255.255.0 pat
  service-policy input INTRA-server_P
  no shutdown

interface vlan 292
  description Intranet Services Client Vlan 292
  ip address 10.192.8.4 255.255.254.0
  alias 10.192.8.6 255.255.254.0
  peer ip address 10.192.8.5 255.255.254.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL-IN
  no shutdown

interface vlan 294
  description Intranet Services Client Vlan 294
  ip address 10.192.6.4 255.255.254.0
  alias 10.192.6.6 255.255.254.0
  peer ip address 10.192.6.5 255.255.254.0
  mac-sticky enable
  no icmp-guard
  access-group input ALL-IN
  no shutdown

Not exactly, no. This:

policy-map multi-match INTRA-server_P
  class LYNCP2F_C
    loadbalance vip inservice
    loadbalance policy LYNCP2F_P
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 246
    nat dynamic 1 vlan 226
  class LYNCP-FE_C
    loadbalance vip inservice
    loadbalance policy LYNCP-FE_P
    loadbalance vip icmp-reply active
    nat dynamic 2 vlan 246
    nat dynamic 1 vlan 226

interface vlan 226
  description Intranet Services Server Vlan 226
  ip address 10.192.34.2 255.255.255.0
  alias 10.192.34.1 255.255.255.0
  peer ip address 10.192.34.3 255.255.255.0
  no icmp-guard
  access-group input ALL-IN
  nat-pool 1 10.192.34.254 10.192.34.254 netmask 255.255.255.0 pat
  service-policy input INTRA-server_P
  no shutdown

interface vlan 246
  description Intranet Services Server Vlan 246
  ip address 10.192.44.2 255.255.255.0
  alias 10.192.44.1 255.255.255.0
  peer ip address 10.192.44.3 255.255.255.0
  no icmp-guard
  access-group input ALL-IN
  nat-pool 2 10.192.44.254 10.192.44.254 netmask 255.255.255.0 pat
  service-policy input INTRA-server_P
  no shutdown
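A small model of the forwarding decision the accepted configuration above produces for traffic entering the ACE from a server VLAN, added here as an illustration and not code from the thread or from Cisco. The pools, pool IDs and VLANs are the ones in the config; the VIP and real-server addresses are placeholders, and the ALL-IN ACL is assumed to permit everything.

```python
# Constructed model of how the accepted config forwards traffic that enters
# the ACE from a server VLAN. Not ACE code: it only reproduces the effect of
# "nat dynamic <pool> vlan <egress-vlan>" placed under a VIP class.
import ipaddress

# nat-pool <id> on each server VLAN interface, as configured on the page
NAT_POOLS = {(226, 1): "10.192.34.254", (246, 2): "10.192.44.254"}
SERVER_VLANS = {
    226: ipaddress.ip_network("10.192.34.0/24"),
    246: ipaddress.ip_network("10.192.44.0/24"),
}
VIP = "10.192.8.100"  # placeholder VIP; the thread does not show the VIP address
# Both nat statements sit under each VIP class: egress VLAN -> pool id
VIP_CLASS_NAT = {226: 1, 246: 2}


def acl_permits(src, dst):
    # ALL-IN is assumed to be permit-any; a restrictive inbound ACL would be
    # evaluated here before anything else happens to the packet.
    return True


def egress_vlan(ip):
    addr = ipaddress.ip_address(ip)
    for vlan, net in SERVER_VLANS.items():
        if addr in net:
            return vlan
    raise ValueError(f"{ip} is not on a server VLAN")


def forward(src, dst, real=None):
    """Return (egress_vlan, source_seen_by_destination, destination) or 'deny'.

    real: the real server the load balancer picked when dst is the VIP.
    """
    if not acl_permits(src, dst):
        return "deny"
    if dst == VIP:
        # Load-balanced flow: the nat statement whose vlan matches the chosen
        # real's egress VLAN supplies the SNAT pool, so the real always answers
        # an ACE-owned address and the reply comes back through the ACE.
        vlan = egress_vlan(real)
        pool = NAT_POOLS[(vlan, VIP_CLASS_NAT[vlan])]
        return (vlan, pool, real)
    # Not a VIP: no class carrying nat matches, so the packet is simply routed
    # between the server VLANs with its original source address.
    return (egress_vlan(dst), src, dst)
```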

Thanks Chris.

I get it now.