Solved: Re: NATing to VIP from servers on the sam LAN

nygenxny123 · ‎02-09-2011

I believe this is sort of a one armed mode configuration

We have servers that are on the same LAN as the configured rservers

all these servers use the vlan interface of the ACE as a default gatway

We would like the server to use a configured VIP to hit the rservers that are in the VIP serverfarm

I configured dynamic nat on the class 3 class map for the vip-however this does not seem to be working

servers are on vlan 712---172.20.222.5, 222.6...rserver configured on ACE 222.10, 222.12

(222.5 and .6 will hit VIP--which is associated with rservers 222.10 and .12)

interface vlan 712
ip address 172.20.222.3 255.255.255.0
alias 172.20.222.1 255.255.255.0
peer ip address 172.20.222.2 255.255.255.0
no normalization
access-group input any
service-policy input ALLOW_ICMP_POLICY
no shutdown

the following was configured

class-map match-all MYCUSTOMER-VIP
2 match virtual-address 172.20.200.35 tcp eq www

class MYCUSTOMER-VIP
    loadbalance vip inservice
    loadbalance policy ACTIVECARETEAM-VIP
    loadbalance vip icmp-reply active
    nat dynamic 712 vlan 712

interface vlan 712
ip address 172.20.222.3 255.255.255.0
alias 172.20.222.1 255.255.255.0
peer ip address 172.20.222.2 255.255.255.0
no normalization
access-group input any
nat-pool 712 172.20.222.60 172.20.222.60 netmask 255.255.255.0 pat
service-policy input ALLOW_ICMP_POLICY
no shutdown

interface vlan 722
ip address 172.20.200.4 255.255.255.0
alias 172.20.200.10 255.255.255.0
peer ip address 172.20.200.5 255.255.255.0
no normalization
access-group input any
nat-pool 722 172.20.200.20 172.20.200.20 netmask 255.255.255.0 pat
service-policy input VIPs
service-policy input ALLOW_ICMP_POLICY
no shutdown

the translation is working from outside the
vlan..i.e i see translation when i try and hit the vip...but it is not working from within the same vlan

this is from my desktop

ACE3-apptier# sh xlate
TCP PAT from vlan722:172.20.90.70/2966 to vlan712:172.20.222.60/1028

rvavale · ‎02-09-2011

Hi,

With your VIP in vlan 722, you will need to Route traffic upstream from Reals which are in vlan 712 to VIP. A simpler
solution will be to create a New VIP which belongs to Vlan 712 (172.20.222.x) and apply it to Interface Vlan 712

Example:
class-map match-all New-VIP-Vlan712
2 match virtual-address 172.20.222.x tcp eq www

Policy-map multi-match Real-Policy-VIP
class Real-Loadbalancing
    loadbalance vip inservice
    loadbalance policy Real-Loadbalancing-Policy
    loadbalance vip icmp-reply active
    nat dynamic 712 vlan 712

interface vlan 712
ip address 172.20.222.3 255.255.255.0
alias 172.20.222.1 255.255.255.0
peer ip address 172.20.222.2 255.255.255.0
no normalization
access-group input any
nat-pool 712 172.20.222.60 172.20.222.60 netmask 255.255.255.0 pat
service-policy input Real-Policy-VIP <--- Apply it on Interface Vlan 712
service-policy input ALLOW_ICMP_POLICY
no shutdown

Let me know if this helps,

Best Regards,
Rahul

View solution in original post

rvavale · ‎02-09-2011

Hi,

Can your real servers 222.5 and 222.6 ping VIP address 172.20.200.35?

If its ok with you, you can give the VIP an vlan 712 address '172.20.222.x' and apply it on interface vlan 712. With current config, real servers on vlan 712 will need to be routed upstream to reach vip on vlan 722 before they can be loadbalanced on vlan 712.

Best Regards,

Rahul

nygenxny123 · ‎02-09-2011

hello rvavale-

no the servers can not ping the VIP..i assume this is becuase the NATing is associated with the Layer 3 class

map and this is directly associated with port 80

the servers can not telnet to port 80 on the VIP either..but I can from my desktop..and I do get translated

I would assume the flow would be

servers hit the vip...get nat'd with the .60 address which is only on the ace..

these get load balanced to the rservers on the same subnet...the rservers through arp

see the .60 address on the ACE and send it back to the ace

(one question would be is if there is an arp address associated with NAT)

The ace than "un" nats and sends it back to the servers..

on option i though of was nating to a pool on the interface but changing the pool to a "random" network..i.e 172.20.111.x

so the rservers would know that this ip is not on the same layer 2 lan and send it back to its default gw...the ACE

would this work?

I see that NAT does produce an arp address on the interface

172.20.222.60 00.0b.fc.fe.1b.02 vlan712 NAT LOCAL

Total arp entries 27
ACE3-apptier# sh arp | inc 1b.02
172.20.200.10   00.0b.fc.fe.1b.02 vlan722   ALIAS      LOCAL     _         up
172.20.200.20   00.0b.fc.fe.1b.02 vlan722   NAT        LOCAL     _         up
172.20.200.31   00.0b.fc.fe.1b.02 vlan722   VSERVER    LOCAL     _         up
172.20.200.32   00.0b.fc.fe.1b.02 vlan722   VSERVER    LOCAL     _         up
172.20.200.33   00.0b.fc.fe.1b.02 vlan722   VSERVER    LOCAL     _         up
172.20.200.34   00.0b.fc.fe.1b.02 vlan722   VSERVER    LOCAL     _         up
172.20.200.35   00.0b.fc.fe.1b.02 vlan722   VSERVER    LOCAL     _         up
10.11.20.30     00.0b.fc.fe.1b.02 vlan120   NAT        LOCAL     _         up
172.20.222.1    00.0b.fc.fe.1b.02 vlan712   ALIAS      LOCAL     _         up
172.20.222.60   00.0b.fc.fe.1b.02 vlan712   NAT        LOCAL     _         up

rvavale · ‎02-09-2011

Hi,