
Catch-all VIP with forward or transparent serverfarm options

Introduction

In one-arm mode, you configure the ACE with a single VLAN that handles both client requests and server responses. For one-arm mode, you must configure the ACE with client-source network address translation (NAT) or policy-based routing (PBR) to send requests through the same VLAN to the server. For the remainder of this document, NAT is used for the traffic flows through the ACE.

One-arm mode on the ACE has the following configuration guidelines and limitations:

• Layer 2 rewrite is not supported.

• One-arm mode requires policy-based routing or source NAT.

 

 

Topology overview

 

The ACE is deployed in one-arm mode on VLAN 903. Two test servers, r1 and r2, are both Layer 2 connected to VLAN 903, and the ACE VLAN 903 IP address is the default gateway for both servers. r2 acts as the client and r1 as the server.

 

Version:

 

The configuration shown in this document was created on an ACE-20 module running software version A2(3.4).

 

Common ACE Configuration:

 

rserver host r1
  ip address 172.16.4.4
  inservice
rserver host r2
  ip address 172.16.4.5
  inservice

serverfarm host sfarm1
  rserver r1
    inservice
  rserver r2
    inservice

class-map match-all ABMJ
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map multi-match ABMJ-service
  class ABMJ
    loadbalance vip inservice
    loadbalance policy ABMJ-policy
    loadbalance vip icmp-reply
    nat dynamic 20 vlan 903

interface vlan 903
  ip address 172.16.4.2 255.255.255.240
  alias 172.16.4.1 255.255.255.240
  peer ip address 172.16.4.3 255.255.255.240
  access-group input everyones
  access-group output everyones
  nat-pool 20 172.16.4.8 172.16.4.8 netmask 255.255.255.255
  service-policy input remote-mgmt
  service-policy input ABMJ-service
  no shutdown

 

ARP Table:

 

================================================================================
IP ADDRESS      MAC-ADDRESS        Interface  Type      Encap  NextArp(s)  Status
================================================================================
172.16.4.1      00.0b.fc.fe.1b.03  vlan903    ALIAS     LOCAL  _           up
172.16.4.2      00.30.f2.75.f3.d9  vlan903    INTERFACE LOCAL  _           up
172.16.4.3      00.30.f2.75.f4.01  vlan903    LEARNED   21     12504 sec   up
172.16.4.4      00.50.56.80.16.c8  vlan903    RSERVER   18     286 sec     up
172.16.4.5      00.50.56.80.3f.80  vlan903    RSERVER   17     286 sec     up
172.16.4.6      00.50.56.80.31.e3  vlan903    GATEWAY   22     138 sec     up
172.16.4.7      00.00.00.00.00.00  vlan903    LEARNED   -      * 1 req     dn
172.16.4.8      00.0b.fc.fe.1b.03  vlan903    NAT       LOCAL  _           up
================================================================================

 

 

 

Catch-All with forward option:

Test Configuration:

 

policy-map type loadbalance first-match ABMJ-policy
  class class-default
    forward

 

 

The routing table:

 

Destination         Gateway          Interface         Flags
------------------------------------------------------------------------
0.0.0.0             10.66.85.1       vlan800           S [0xc]
55.55.55.55/32      172.16.4.6       vlan903           S [0xc]

 

ACE capture for client HTTP request toward 55.55.55.55:

 

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.38681 > 55.55.55.55.80: S 286227032:286227032(0)

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 74: 172.16.4.8.38681 > 55.55.55.55.80: S 1067368602:1067368602(0)

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.38681 > 55.55.55.55.80: S 286227032:286227032(0)

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 74: 172.16.4.8.38681 > 55.55.55.55.80: S 1067368602:1067368602(0)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.38681: R 0:0(0) ack 286227033

0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 54: 172.16.4.8.38681 > 55.55.55.55.80: R 1067368603:1067368603(0)

 

Conclusion:

 

The ACE will use the routing table to forward the traffic and will keep the original destination IP address.

 

 

Catch-All with non-transparent serverfarm:

Test Configuration:

 

policy-map type loadbalance first-match ABMJ-policy
  class class-default
    serverfarm sfarm1

serverfarm host sfarm1
  rserver r1
    inservice

 

Show conn output:

 

ACE20-Rack3-Primary/Routed-c1-STATIC# show conn

total current connections : 2

conn-id    np dir proto vlan source                destination           state
----------+--+---+-----+----+---------------------+---------------------+------+
13007      1  in  TCP   903  172.16.4.5:60496      55.55.55.55:80        ESTAB
13008      1  out TCP   903  172.16.4.4:80         172.16.4.8:60496      ESTAB

 

ACE capture for client HTTP request toward 55.55.55.55:

 

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.60496 > 55.55.55.55.80: S 847445964:847445964(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.60496 > 172.16.4.4.80: S 2018948849:2018948849(0)

0:50:56:80:16:c8 0:b:fc:fe:1b:3 0800 60: 172.16.4.4.80 > 172.16.4.8.60496: S 1281515174:1281515174(0) ack 2018948850

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 60: 55.55.55.55.80 > 172.16.4.5.60496: S 110012289:110012289(0) ack 847445965

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 60: 172.16.4.5.60496 > 55.55.55.55.80: . ack 1 win 5840 (DF) (ttl 64, id 54434, len 40)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 60: 172.16.4.8.60496 > 172.16.4.4.80: . ack 1 win 5840 (DF) (ttl 64, id 54434, len 40,

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 60: 172.16.4.5.60496 > 55.55.55.55.80: P 1:6(5) ack 1 win 5840 (DF) (ttl 64, id 54435, len 45)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 60: 172.16.4.8.60496 > 172.16.4.4.80: P 1:6(5) ack 1 win 5840 (DF) (ttl 64, id 54435, len 45,

0:50:56:80:16:c8 0:b:fc:fe:1b:3 0800 60: 172.16.4.4.80 > 172.16.4.8.60496: . ack 6 win 5840 (DF) (ttl 64, id 47547, len 40)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 60: 55.55.55.55.80 > 172.16.4.5.60496: . ack 6 win 5840 (DF) (ttl 64, id 47547, len 40,

 

 

Conclusion:

 

The ACE performs load balancing, forwards the traffic to the MAC address of the selected server, and translates the destination IP address to the rserver's IP address.

 

 

Catch-All with out-of-service non-transparent serverfarm:

 

Test Configuration:

 

policy-map type loadbalance first-match ABMJ-policy
  class class-default
    serverfarm sfarm1

serverfarm host sfarm1
  rserver r1

 

Show serverfarm output:

 

ACE20-Rack3-Primary/Routed-c1-STATIC# show serverfarm sfarm1

serverfarm     : sfarm1, type: HOST

total rservers : 1

---------------------------------

                                               ----------connections-----------

       real                 weight state       current   total     failures

   ---+---------------------+------+------------+----------+----------+---------

   rserver: r1

       172.16.4.4:0         8     OUTOFSERVICE 0         11         0

 

Show service-policy ABMJ-Service detail:

 

ACE20-Rack3-Primary/Routed-c1-STATIC# show service-policy ABMJ-service detail

 

Status     : ACTIVE

Description: -----------------------------------------

Interface: vlan 903

service-policy: ABMJ-service

   class: ABMJ

     nat:

       nat dynamic 10 vlan 800

       curr conns       : 0         , hit count       : 155

       dropped conns   : 0

       client pkt count : 17       , client byte count: 1292

       server pkt count : 5         , server byte count: 380

       conn-rate-limit     : 0         , drop-count : 0

       bandwidth-rate-limit : 0         , drop-count : 0

       nat dynamic 20 vlan 903

       curr conns       : 0         , hit count       : 3

       dropped conns   : 1

       client pkt count : 6         , client byte count: 305

       server pkt count : 4         , server byte count: 164

       conn-rate-limit     : 0         , drop-count : 0

       bandwidth-rate-limit : 0         , drop-count : 0

     VIP Address:   Protocol: Port:

     0.0.0.0         any

     loadbalance:

       L7 loadbalance policy: ABMJ-policy

       VIP Route Metric     : 77

       VIP Route Advertise : DISABLED

       VIP ICMP Reply       : ENABLED

       VIP state: OUTOFSERVICE

       curr conns       : 0         , hit count       : 5

       dropped conns   : 4

       client pkt count : 8         , client byte count: 425

       server pkt count : 4         , server byte count: 164

       conn-rate-limit     : 0         , drop-count : 0

       bandwidth-rate-limit : 0         , drop-count : 0

       L7 Loadbalance policy : ABMJ-policy

         class/match : class-default

           LB action: :

               primary serverfarm: sfarm1

                   state: DOWN

                 backup serverfarm : -

           hit count       : 1

           dropped conns   : 0

 

ACE capture for client HTTP request toward 55.55.55.55:

 

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.60497: R 0:0(0) ack 1050506268 win 5840

 

 

Conclusion:

 

The ACE resets (RST) the connection, as expected.

 

 

 

Catch-All with transparent serverfarm:

Test Configuration:

 

serverfarm host sfarm1
  transparent
  rserver r1
    inservice

policy-map type loadbalance first-match ABMJ-policy
  class class-default
    serverfarm sfarm1

 

ACE capture for client HTTP request toward 55.55.55.55:

 

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.40474 > 55.55.55.55.80: S 1460790854:1460790854(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.40474 > 55.55.55.55.80: S 0:0(0)

0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.40474 > 55.55.55.55.80: S 1460790854:1460790854(0)

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.40474 > 55.55.55.55.80: S 0:0(0)

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.40474: R 0:0(0) ack 1460790855

0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 54: 172.16.4.8.40474 > 55.55.55.55.80: R 1:1(0)

 

Conclusion:

 

The ACE performs load balancing, forwards the traffic to the MAC address of the selected server, and keeps the original destination IP address unchanged.

 

 

 

Catch-All with out-of-service transparent serverfarm:

Test Configuration:

 

serverfarm host sfarm1
  transparent
  rserver r1

policy-map type loadbalance first-match ABMJ-policy
  class class-default
    serverfarm sfarm1

 

 

Show serverfarm output:

 

ACE20-Rack3-Primary/Routed-c1-STATIC# show serverfarm sfarm1

serverfarm     : sfarm1, type: HOST

total rservers : 1

---------------------------------

                                               ----------connections-----------

       real                 weight state       current   total     failures

   ---+---------------------+------+------------+----------+----------+---------

   rserver: r1

       172.16.4.4:0         8     OUTOFSERVICE 0         11         4

 

 

ACE capture for client HTTP request toward 55.55.55.55:

 

0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.40475: R 0:0(0) ack 1740604511

 

Conclusion:

 

The ACE resets (RST) the connection, as expected.
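The five conclusions above can be checked mechanically from a capture by comparing the client-side SYN with the SYN the ACE sends on the server side. The following Python script is an added example, not part of the original document; the function names are hypothetical, and the MAC roles and capture lines are copied from the ARP table and tests on this page.

```python
import re

# MAC roles from the ARP table on this page (r2, 172.16.4.5, is the test client).
ARP = {"00.0b.fc.fe.1b.03": "ace", "00.50.56.80.16.c8": "rserver",
       "00.50.56.80.3f.80": "client", "00.50.56.80.31.e3": "gateway"}
MAC = r"((?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})"
LINE = re.compile(rf"^{MAC} {MAC} 0800 \d+: ([\d.]+)\.\d+ > ([\d.]+)\.\d+: (\S)")

def norm_mac(mac):
    """Bring '0:b:fc:fe:1b:3' and '00.0b.fc.fe.1b.03' to one spelling."""
    return ":".join("%02x" % int(part, 16) for part in re.split(r"[.:]", mac))

ROLES = {norm_mac(mac): role for mac, role in ARP.items()}

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None  # not a capture line in the format shown on this page
    smac, dmac, src, dst, flag = m.groups()
    return {"from": ROLES.get(norm_mac(smac)), "to": ROLES.get(norm_mac(dmac)),
            "src": src, "dst": dst, "flag": flag, "ack": " ack " in line}

def classify(capture):
    """Return (behaviour, source_nat_applied) for one ACE capture."""
    pkts = [p for p in map(parse, capture) if p]
    syns = [p for p in pkts if p["flag"] == "S" and not p["ack"]]
    client = next((p for p in syns if p["to"] == "ace"), None)    # client-side leg
    server = next((p for p in syns if p["from"] == "ace"), None)  # server-side leg
    if client is None or server is None:
        reset = any(p["flag"] == "R" and p["from"] == "ace" for p in pkts)
        return ("reset" if reset else "unknown", False)
    snat = server["src"] != client["src"]
    if server["dst"] != client["dst"]:
        return ("serverfarm", snat)   # destination rewritten to the rserver IP
    if server["to"] == "rserver":
        return ("transparent", snat)  # destination kept, sent to the rserver MAC
    return ("forward", snat)          # destination kept, sent to the routed next hop

# First lines of the captures shown on this page, one list per test.
CAPTURES = {
    "forward": ["0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.38681 > 55.55.55.55.80: S 286227032:286227032(0)",
                "0:b:fc:fe:1b:3 0:50:56:80:31:e3 0800 74: 172.16.4.8.38681 > 55.55.55.55.80: S 1067368602:1067368602(0)"],
    "serverfarm": ["0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.60496 > 55.55.55.55.80: S 847445964:847445964(0)",
                   "0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.60496 > 172.16.4.4.80: S 2018948849:2018948849(0)"],
    "transparent": ["0:50:56:80:3f:80 0:b:fc:fe:1b:3 0800 74: 172.16.4.5.40474 > 55.55.55.55.80: S 1460790854:1460790854(0)",
                    "0:b:fc:fe:1b:3 0:50:56:80:16:c8 0800 74: 172.16.4.8.40474 > 55.55.55.55.80: S 0:0(0)"],
    "reset": ["0:b:fc:fe:1b:3 0:50:56:80:3f:80 0800 54: 55.55.55.55.80 > 172.16.4.5.60497: R 0:0(0) ack 1050506268 win 5840"],
}

if __name__ == "__main__":
    print({name: classify(lines) for name, lines in CAPTURES.items()})
```

The second element of each result is true in all three in-service tests: because of `nat dynamic 20 vlan 903`, the server-side leg always carries the NAT pool address 172.16.4.8 as its source, so the server never sees the client address 172.16.4.5.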

 

 
