Catch-all VIP with forward or transparent serverfarm options

Ahmad Basel Jaber · ‎08-08-2011

Introduction
Topology overview
Catch-All with forward option:
Catch-All with non-transparent serverfarm:
Catch-All with transparent serverfarm:
Catch-All with out-of-service transparent serverfarm:
References

Introduction

In one-arm mode, you configure the ACE with a single VLAN that handles both client requests and server responses. For one-arm mode, you must configure the ACE with client-source network address translation (NAT) or policy-based routing (PBR) to send requests through the same VLAN to the server. For the remainder of this document, NAT is used for the traffic flows through the ACE.

One-arm mode on the ACE has the following configuration guidelines and limitations:

• Layer 2 rewrite is not supported.

•One-arm mode requires policy-based routing or source NAT.

Topology overview

ACE One-arm deployment (VLAN 903). Two servers for testing r1,r2 both of them are L2 connected to VLAN 903, the ACE VLAN 903 IP address is the default gateway for both servers. r2 is acting as the client and r1 is the servers.

Version:

The configuration shown in this document is created on ACE-20 module running A2(3.4) version software.

Common ACE Configuration:

rserver host r1

ip address 172.16.4.4

inservice

rserver host r2

ip address 172.16.4.5

inservice

serverfarm host sfarm1

rserver r1

inservice

rserver r2

inservice

class-map match-all ABMJ

2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map multi-match ABMJ-service

class ABMJ

loadbalance vip inservice

loadbalance policy ABMJ-policy

loadbalance vip icmp-reply

nat dynamic 20 vlan 903

interface vlan 903

ip address 172.16.4.2 255.255.255.240

alias 172.16.4.1 255.255.255.240

peer ip address 172.16.4.3 255.255.255.240

access-group input everyones

access-group output everyones

nat-pool 20 172.16.4.8 172.16.4.8 netmask 255.255.255.255

service-policy input remote-mgmt

service-policy input ABMJ-service

no shutdown

ARP Table:

================================================================================

IP ADDRESS MAC-ADDRESS Interface Type Encap NextArp(s) Status

================================================================================

172.16.4.1 00.0b.fc.fe.1b.03 vlan903 ALIAS LOCAL _ up

172.16.4.2 00.30.f2.75.f3.d9 vlan903 INTERFACE LOCAL _ up

172.16.4.3 00.30.f2.75.f4.01 vlan903 LEARNED 21 12504 sec up

172.16.4.4 00.50.56.80.16.c8 vlan903 RSERVER 18 286 sec up

172.16.4.5 00.50.56.80.3f.80 vlan903 RSERVER 17 286 sec up

172.16.4.6 00.50.56.80.31.e3 vlan903 GATEWAY 22 138 sec up

172.16.4.7 00.00.00.00.00.00 vlan903 LEARNED - * 1 req dn

172.16.4.8 00.0b.fc.fe.1b.03 vlan903 NAT LOCAL _ up

================================================================================

Catch-All with forward option:

Test Configuration:

policy-map type loadbalance first-match ABMJ-policy

class class-default

forward

The routing table:

Destination Gateway Interface Flags

------------------------------------------------------------------------

0.0.0.0 10.66.85.1 vlan800 S [0xc]

55.55.55.55/32 172.16.4.6 vlan903 S [0xc]

ACE capture for client HTTP request toward 55.55.55.55:

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.38681 > 55.55.55.55.80: S 286227032:286227032(0)

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 74: 172.16.4.8.38681 > 55.55.55.55.80: S 1067368602:1067368602(0)

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.38681 > 55.55.55.55.80: S 286227032:286227032(0)

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 74: 172.16.4.8.38681 > 55.55.55.55.80: S 1067368602:1067368602(0)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.38681: R 0:0(0) ack 286227033

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 54: 172.16.4.8.38681 > 55.55.55.55.80: R 1067368603:1067368603(0)

Conclusion:

The ACE will use the routing table to forward the traffic and will keep the original destination IP address.

Catch-All with non-transparent serverfarm:

Test Configuration:

policy-map type loadbalance first-match ABMJ-policy

class class-default

serverfarm sfarm1

serverfarm host sfarm1

rserver r1

inservice

Show conn output:

ACE20-Rack3-Primary/Routed-c1-STATIC# show conn

total current connections : 2

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

13007 1 in TCP 903 172.16.4.5:60496 55.55.55.55:80 ESTAB

13008 1 out TCP 903 172.16.4.4:80 172.16.4.8:60496 ESTAB

ACE capture for client HTTP request toward 55.55.55.55:

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.60496 > 55.55.55.55.80: S 847445964:847445964(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.60496 > 172.16.4.4.80: S 2018948849:2018948849(0)

0:50:56:80:16:c8 0:b:fc:fe:1b:3 0800 60: 172.16.4.4.80 > 172.16.4.8.60496: S 1281515174:1281515174(0) ack 2018948850

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 60: 55.55.55.55.80 > 172.16.4.5.60496: S 110012289:110012289(0) ack 847445965

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 60: 172.16.4.5.60496 > 55.55.55.55.80: . ack 1 win 5840 (DF) (ttl 64, id 54434, len 40)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 60: 172.16.4.8.60496 > 172.16.4.4.80: . ack 1 win 5840 (DF) (ttl 64, id 54434, len 40,

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 60: 172.16.4.5.60496 > 55.55.55.55.80: P 1:6(5) ack 1 win 5840 (DF) (ttl 64, id 54435, len 45)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 60: 172.16.4.8.60496 > 172.16.4.4.80: P 1:6(5) ack 1 win 5840 (DF) (ttl 64, id 54435, len 45,

0:50:56:80:16:c8 0:b:fc:fe:1b:3 0800 60: 172.16.4.4.80 > 172.16.4.8.60496: . ack 6 win 5840 (DF) (ttl 64, id 47547, len 40)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 60: 55.55.55.55.80 > 172.16.4.5.60496: . ack 6 win 5840 (DF) (ttl 64, id 47547, len 40,

Conclusion:

The ACE will perform load balancing, then will forward the traffic to the server MAC address which has been selected and will translate the destination IP address to rserver's IP.

Catch-All with out-of-service non-transparent serverfarm:

Test Configuration:

policy-map type loadbalance first-match ABMJ-policy

class class-default

serverfarm sfarm1

serverfarm host sfarm1

rserver r1

Show serverfarm output:

ACE20-Rack3-Primary/Routed-c1-STATIC# show serverfarm sfarm1

serverfarm : sfarm1, type: HOST

total rservers : 1

---------------------------------

----------connections-----------

real weight state current total failures

---+---------------------+------+------------+----------+----------+---------

rserver: r1

172.16.4.4:0 8 OUTOFSERVICE 0 11 0

Show service-policy ABMJ-Service detail:

ACE20-Rack3-Primary/Routed-c1-STATIC# show service-policy ABMJ-service detail

Status : ACTIVE

Description: -----------------------------------------

Interface: vlan 903

service-policy: ABMJ-service

class: ABMJ

nat:

nat dynamic 10 vlan 800

curr conns : 0 , hit count : 155

dropped conns : 0

client pkt count : 17 , client byte count: 1292

server pkt count : 5 , server byte count: 380

conn-rate-limit : 0 , drop-count : 0

bandwidth-rate-limit : 0 , drop-count : 0

nat dynamic 20 vlan 903

curr conns : 0 , hit count : 3

dropped conns : 1

client pkt count : 6 , client byte count: 305

server pkt count : 4 , server byte count: 164

conn-rate-limit : 0 , drop-count : 0

bandwidth-rate-limit : 0 , drop-count : 0

VIP Address: Protocol: Port:

0.0.0.0 any

loadbalance:

L7 loadbalance policy: ABMJ-policy

VIP Route Metric : 77

VIP Route Advertise : DISABLED

VIP ICMP Reply : ENABLED

VIP state: OUTOFSERVICE

curr conns : 0 , hit count : 5

dropped conns : 4

client pkt count : 8 , client byte count: 425

server pkt count : 4 , server byte count: 164

conn-rate-limit : 0 , drop-count : 0

bandwidth-rate-limit : 0 , drop-count : 0

L7 Loadbalance policy : ABMJ-policy

class/match : class-default

LB action: :

primary serverfarm: sfarm1

state: DOWN

backup serverfarm : -

hit count : 1

dropped conns : 0

ACE capture for client HTTP request toward 55.55.55.55:

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.60497: R 0:0(0) ack 1050506268 win 5840

Conclusion:

The ACE RST the connection as expected.

Catch-All with transparent serverfarm:

Test Configuration:

serverfarm host sfarm1

transparent

rserver r1

inservice

policy-map type loadbalance first-match ABMJ-policy

class class-default

serverfarm sfarm1

ACE capture for client HTTP request toward 55.55.55.55:

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.40474 > 55.55.55.55.80: S 1460790854:1460790854(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.40474 > 55.55.55.55.80: S 0:0(0)

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.40474 > 55.55.55.55.80: S 1460790854:1460790854(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.40474 > 55.55.55.55.80: S 0:0(0)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.40474: R 0:0(0) ack 1460790855

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 54: 172.16.4.8.40474 > 55.55.55.55.80: R 1:1(0)

Conclusion:

The ACE will perform load balancing, then will forward the traffic to the server MAC address which has been selected and will keep the original destination IP address the same.

Catch-All with out-of-service transparent serverfarm:

Test Configuration:

serverfarm host sfarm1

transparent

rserver r1

policy-map type loadbalance first-match ABMJ-policy

class class-default

serverfarm sfarm1

Show serverfarm output:

ACE20-Rack3-Primary/Routed-c1-STATIC# show serverfarm sfarm1

serverfarm : sfarm1, type: HOST

total rservers : 1

---------------------------------

----------connections-----------

real weight state current total failures

---+---------------------+------+------------+----------+----------+---------

rserver: r1

172.16.4.4:0 8 OUTOFSERVICE 0 11 4

ACE capture for client HTTP request toward 55.55.55.55:

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.40475: R 0:0(0) ack 1740604511

Conclusion:

The ACE RST the connection as expected.

References

Cisco ACE: Troubleshooting Network Address Translation

Configuring One-Arm Mode