10-20-2011 12:11 PM
This may sound like a silly question, but can I configure the rservers and the VIP address on the same network? If so, does anyone have an example config?
NAT, policy, etc.
10-20-2011 12:13 PM
Sorry, this is for an ACE 4710.
10-20-2011 12:30 PM
Hi Don,
Yes, you should be able to configure this. This setup is called Direct Server Return, since the client will be directly reachable from the server: only incoming connections come in through the VIP, and the return connection is established directly from the server to the client, bypassing the ACE.
You can find further information on this configuration (Asymmetric Server Normalization) here:
http://snippets101.blogspot.com/2008/08/asymmetric-server-normalization-on.html
Regards
Abijith
10-20-2011 03:02 PM
If you don't need to keep the source IP address for logging purposes, use source NAT.
If you need to keep the source IP address for logging purposes:
- for HTTP, insert the source IP into a header and use source NAT;
- otherwise, use DSR.
Source NAT config:
policy-map multi-match DOMINO-WEB-PM
  class DOMINO-WEB-VIP
    nat dynamic 1 vlan 3
    loadbalance vip inservice
    loadbalance policy DOMINO-WEB-CLASSIFY
    loadbalance vip icmp-reply
    appl-parameter http advanced-options http_parameter_map
  exit
exit

interface vlan 3
  ip address 10.123.3.X 255.255.255.0
  alias 10.123.3.X+1 255.255.255.0
  peer ip address 10.123.3.X+2 255.255.255.0
  access-group input PERMIT-ALL
  nat-pool 1 10.123.3.245 10.123.3.245 netmask 255.255.255.0 pat
  no shutdown

And apply the service policy.
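The post above shows the plain source-NAT variant but not the "insert the source IP into the header" variant. The following is an added example (not the poster's config and not from the thread) of that option on an ACE 4710: the VIP and the real servers share one subnet, client traffic is source-NATed out of the server VLAN so the servers route replies back through the ACE, and an HTTP action list inserts an X-Forwarded-For header carrying the original client address so the web logs still see it. All object names, the VLAN number and the 10.123.3.0/24 addresses are assumptions for illustration; the access-list PERMIT-ALL referenced by access-group is assumed to exist. The `!` lines are explanatory comments in Cisco config style and should be dropped before pasting into the ACE CLI.

```text
! Added example: source NAT + X-Forwarded-For insertion, one-arm style,
! VIP 10.123.3.100 and rservers 10.123.3.21/.22 on the same VLAN 3.
rserver host WEB-1
  ip address 10.123.3.21
  inservice
rserver host WEB-2
  ip address 10.123.3.22
  inservice

serverfarm host WEB-SF
  rserver WEB-1
    inservice
  rserver WEB-2
    inservice

! %is expands to the client's source IP (and %ps to its source port)
action-list type modify http INSERT-XFF
  header insert request X-Forwarded-For header-value "%is"

class-map match-all WEB-VIP
  2 match virtual-address 10.123.3.100 tcp eq www

policy-map type loadbalance first-match WEB-LB
  class class-default
    serverfarm WEB-SF
    action INSERT-XFF

policy-map multi-match WEB-PM
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 3

! The nat-pool lives on the same VLAN the servers are on, so the servers
! see 10.123.3.245 as the client and their replies come back to the ACE.
interface vlan 3
  ip address 10.123.3.2 255.255.255.0
  access-group input PERMIT-ALL
  nat-pool 1 10.123.3.245 10.123.3.245 netmask 255.255.255.0 pat
  service-policy input WEB-PM
  no shutdown
```

Two caveats when using this: the servers' access logs must be configured to log X-Forwarded-For instead of the connection's peer address, and the header is only trustworthy if the servers cannot be reached except through the ACE (otherwise a client can supply its own X-Forwarded-For). On persistent HTTP connections the ACE inserts the header only into the first request unless persistence-rebalance is enabled in an HTTP parameter map attached to the VIP, which is why the Source NAT config above carries an appl-parameter http line.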
10-21-2011 06:57 AM
Thanks for the quick response...
I have many services configured with the VIP on a different network than the rservers, and I'm having no issues.
Now I'm having issues because the VIP and rservers are on the same network. Here is my config.
I cannot ping or access the VIP.
Thanks again for all the help.
probe icmp icmp
  ip address 10.201.13.61
  interval 5
  passdetect interval 60

probe tcp episfdasp-80-probe
  port 80
  interval 5
  passdetect interval 5
  connection term forced
  open 1

rserver host w8v-episfdasp1
  ip address 10.201.13.10
  conn-limit max 4000000 min 4000000
  inservice
rserver host w8v-episfdasp2
  ip address 10.201.13.11
  conn-limit max 4000000 min 4000000
  inservice

serverfarm host episfdasp-443
  transparent
  predictor leastconns
  probe episfdasp-443-probe
  probe icmp
  rserver w8v-episfdasp1
    inservice
  rserver w8v-episfdasp2
    inservice

sticky ip-netmask 255.255.255.255 address source episfdasp-443-sticky
  replicate sticky
  serverfarm episfdasp-443

class-map match-all episfdasp-443
  2 match virtual-address 10.201.13.61 tcp eq https

policy-map type loadbalance first-match episfdasp-443-policy
  class class-default
    sticky-serverfarm episfdasp-443-sticky
    nat dynamic 1 vlan 15 serverfarm primary

policy-map multi-match client-vips
  class episfdasp-443
    loadbalance vip inservice
    loadbalance policy episfdasp-443-policy
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 15

interface vlan 15
  description dmz network
  ip address 10.201.13.8 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.13.240 10.201.13.245 netmask 255.255.255.0 pat
  service-policy input remote_mgmt_allow_policy
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.201.13.1
10-21-2011 07:02 AM
Why do you use the "transparent" keyword ?
10-21-2011 07:14 AM
Probably because I'm reading too much info on a simple problem.
This is what I read:
"The transparent command prevents the ACE from doing a destination NAT, sending the packet as-is to the real server."
10-21-2011 07:57 AM
Using the transparent option on the serverfarm is a non-standard design which should only be used for IDS/FW load balancing.
Remove the transparent keyword (if necessary, issue a shut / no shut on the interface or reboot the appliance to be sure to flush the whole memory and reinitialize all the processes).
Then put a PC in VLAN 15, or try to access the VIP from a server located in that VLAN.
At least the VIP should reply to a ping.
10-21-2011 10:06 AM
Just let me know if you need further assistance.
10-24-2011 09:54 AM
To resolve this I had to remove and add:
interface vlan 15
  description dmz network
  ip address 10.201.13.8 255.255.255.0
  no normalization
  mac-sticky enable
  no icmp-guard
  access-group input inbound
  nat-pool 1 10.201.13.240 10.201.13.245 netmask 255.255.255.0 pat
  -----service-policy input remote_mgmt_allow_policy----removed
  -------service-policy input clients-vips---added
  no shutdown