Cisco ACE – Enterprise Load Balancing on a Stick using Source NAT – Part 3

Two VIPS with Two NAT Pools

Why do this? Simple: it's easier to troubleshoot. By giving each VIP a different source address it's much easier to sniff traffic. Remember that each server farm will have multiple servers, and troubleshooting flows is harder if you have to specify the IP address of each server in the farm; this way you can capture the packets from LB to server for each VIP by filtering on the NAT source address.

Second, if you need to migrate LB in the future, then each VIP is logically decoupled from the other. You can use a different subnet for each VIP / NAT set so that migrating LB VIPs around your corporate core is nothing more than a routing issue.

Cisco ACE Two VIP Two NAT

switch/ACE-TEST# sh run
Generating configuration....
!
! Setup logging to console (not enabled by default)
logging enable
logging timestamp
logging monitor 7
!
! ACLs for the interface - traffic is not permitted by default.
access-list vip-traffic remark allow any any traffic to the vip
access-list vip-traffic line 1 extended permit icmp any any
access-list vip-traffic line 2 extended permit ip any any
!
! Setup the server probes. PING for Server up/down
! TCP 80 for application up/down
!
probe icmp PING
  description simple ping monitor
  interval 10
  passdetect interval 60
probe tcp TCP80
  interval 10
  passdetect interval 10
  passdetect count 2
  receive 1
  open 5
!
! Define the probes that check the server. Use ICMP so that "show rserver" reflects actual OS status.
!
rserver host 169.254.0.100
  ip address 169.254.0.100
  probe PING
  inservice
rserver host 169.254.0.200
  ip address 169.254.0.200
  probe PING
  inservice
!
! Create the server farm with the two servers. Use a TCP80 probe so that "show serverfarm TESTFARM"
! shows the application status (not the server status)
!
serverfarm host TESTFARM
  probe TCP80
  rserver 169.254.0.100
    inservice
  rserver 169.254.0.200
    inservice
!
! Create a sticky database - your mileage may vary according to application.
!
sticky ip-netmask 255.255.255.255 address source stuck
  timeout 60
  replicate sticky
  serverfarm TESTFARM
!
! Create the class maps for the service policy
! Allow the interface to be reachable by ICMP
! Allow the VIP to be reachable over HTTP on TCP80
!
class-map type management match-any REMOTE_ACCESS
  description Remote access traffic match.
  3 match protocol icmp any
!
! Define the VIP class-map
!
class-map match-all VIP_CLASS
  2 match virtual-address 169.254.1.1 tcp eq www
!
! Apply the traffic class map to the traffic policy
!
policy-map type management first-match REMOTE_MGMT
  class REMOTE_ACCESS
    permit
!
! Define the load-balancing policy - here a simple sticky round robin.
!
policy-map type loadbalance first-match POLICY_MAP
  class class-default
    sticky-serverfarm stuck
!
! Create the 'mother' policy map for the VIP
!
policy-map multi-match VIP_FARM
  class VIP_CLASS
    loadbalance vip inservice
    loadbalance policy POLICY_MAP
    loadbalance vip icmp-reply active
    nat dynamic 100 vlan 100
!
! Create a second NAT pool (here I've just used another IP address of the existing subnet,
! but it could be any routable subnet)
!
    nat dynamic 101 vlan 100
!
! Define the interface and allow the traffic in and out of the interface.
!
interface vlan 100
  ip address 169.254.0.70 255.255.0.0
  access-group input vip-traffic
  access-group output vip-traffic
!
! Define two NAT pools, one for each VIP.
!
  nat-pool 100 169.254.3.1 169.254.3.1 netmask 255.255.255.255 pat
  nat-pool 101 169.254.3.2 169.254.3.2 netmask 255.255.255.255 pat
!
! Apply the service policy for load balancing to the interface.
!
  service-policy input REMOTE_MGMT
  service-policy input VIP_FARM
  no shutdown
!
switch/ACE-TEST#

Show Service-Policy

switch/ACE-TEST# sh service-policy
Policy-map : VIP_FARM
Status : ACTIVE
-----------------------------------------
Interface: vlan 1 100
service-policy: VIP_FARM
class: VIP_CLASS
nat:
nat dynamic 100 vlan 100
curr conns : 0 , hit count : 4
dropped conns : 0
client pkt count : 38 , client byte count: 7226
server pkt count : 27 , server byte count: 3399
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: POLICY_MAP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 4
dropped conns : 0
client pkt count : 38 , client byte count: 7226
server pkt count : 27 , server byte count: 3399
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%
class: VIP_CLASS_2
nat:
nat dynamic 101 vlan 100
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
loadbalance:
L7 loadbalance policy: POLICY_MAP
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
Persistence Rebalance: DISABLED
curr conns : 0 , hit count : 0
dropped conns : 0
client pkt count : 0 , client byte count: 0
server pkt count : 0 , server byte count: 0
conn-rate-limit : 0 , drop-count : 0
bandwidth-rate-limit : 0 , drop-count : 0
compression:
bytes_in : 0
bytes_out : 0
Compression ratio : 0.00%

switch/ACE-TEST# sh xlate
TCP PAT from vlan100:169.254.0.69/51548 to vlan100:169.254.3.2/1025
switch/ACE-TEST#
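To make the troubleshooting benefit concrete, here is an added example (not code from the original post or from Cisco) that does by script what the post suggests doing by eye: it parses the nat-pool, class-map virtual-address and policy-map nat dynamic lines of an ACE configuration together with show xlate output in the format above, attributes each translation to the VIP whose pool produced it, and checks the one-pool-per-VIP design rule (every VIP class has exactly one nat dynamic, every pool id has a matching nat-pool, no pool is shared between VIPs). The config and xlate lines are constructed samples modelled on the post; the second VIP class, VIP_CLASS_2 on 169.254.1.2, is an assumption, since the post's show service-policy output references it but the printed config does not contain it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample (example code, not the post's config). It follows the
# post's layout but assumes a second VIP class, VIP_CLASS_2 on 169.254.1.2,
# which the post's show output references but its printed config omits.
SAMPLE_CONFIG = """\
class-map match-all VIP_CLASS
  2 match virtual-address 169.254.1.1 tcp eq www
class-map match-all VIP_CLASS_2
  2 match virtual-address 169.254.1.2 tcp eq www
policy-map multi-match VIP_FARM
  class VIP_CLASS
    nat dynamic 100 vlan 100
  class VIP_CLASS_2
    nat dynamic 101 vlan 100
interface vlan 100
  nat-pool 100 169.254.3.1 169.254.3.1 netmask 255.255.255.255 pat
  nat-pool 101 169.254.3.2 169.254.3.2 netmask 255.255.255.255 pat
"""

# Constructed 'show xlate' lines in the format the post shows.
SAMPLE_XLATE = """\
TCP PAT from vlan100:169.254.0.69/51548 to vlan100:169.254.3.2/1025
TCP PAT from vlan100:169.254.0.69/51549 to vlan100:169.254.3.1/1025
TCP PAT from vlan100:169.254.0.69/51550 to vlan100:169.254.3.2/1026
"""

POOL_RE = re.compile(r"^\s*nat-pool (\d+) (\S+) (\S+) netmask")
CLASSMAP_RE = re.compile(r"^\s*class-map \S+ (\S+)")
VIP_RE = re.compile(r"^\s*(?:\d+\s+)?match virtual-address (\S+)")
POLICY_RE = re.compile(r"^\s*policy-map multi-match \S+")
CLASS_RE = re.compile(r"^\s*class (\S+)")
NATDYN_RE = re.compile(r"^\s*nat dynamic (\d+) vlan \d+")
XLATE_RE = re.compile(r"^\s*(\S+) PAT from \S+:(\S+)/(\d+) to \S+:(\S+)/(\d+)")


def parse_config(config):
    """Return pools {id: (first, last)}, vips {class-map: VIP}, class_pools {class: [ids]}."""
    pools, vips, class_pools = {}, {}, defaultdict(list)
    classmap = policy_class = None   # current class-map / class inside a multi-match policy
    in_policy = False
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                 ipaddress.ip_address(m.group(3)))
        elif m := CLASSMAP_RE.match(line):
            classmap, in_policy = m.group(1), False
        elif (m := VIP_RE.match(line)) and classmap:
            vips[classmap] = m.group(1)
        elif POLICY_RE.match(line):
            in_policy, policy_class = True, None
        elif (m := CLASS_RE.match(line)) and in_policy:
            policy_class = m.group(1)
        elif (m := NATDYN_RE.match(line)) and in_policy and policy_class:
            class_pools[policy_class].append(m.group(1))
        elif line and not line[0].isspace():
            in_policy, classmap = False, None   # some other top-level block
    return pools, vips, dict(class_pools)


def attribute_xlates(xlate_text, config):
    """Map each 'show xlate' line to the class and VIP whose NAT pool produced it."""
    pools, vips, class_pools = parse_config(config)
    owner = {pid: (cls, vips.get(cls))
             for cls, pids in class_pools.items() for pid in pids}
    out = []
    for line in xlate_text.splitlines():
        if m := XLATE_RE.match(line):
            proto, client, cport, nat_ip, nat_port = m.groups()
            ip = ipaddress.ip_address(nat_ip)
            pid = next((p for p, (lo, hi) in pools.items() if lo <= ip <= hi), None)
            cls, vip = owner.get(pid, (None, None))
            out.append({"proto": proto, "client": f"{client}:{cport}",
                        "nat": f"{nat_ip}:{nat_port}", "pool": pid,
                        "class": cls, "vip": vip})
    return out


def check_one_pool_per_vip(config):
    """Report classes with other than one nat dynamic, dangling pool ids, and shared pools."""
    pools, _vips, class_pools = parse_config(config)
    findings, users = [], defaultdict(list)
    for cls, pids in class_pools.items():
        if len(pids) != 1:
            findings.append(f"{cls}: expected one nat dynamic, found {len(pids)}")
        for pid in pids:
            users[pid].append(cls)
            if pid not in pools:
                findings.append(f"{cls}: nat dynamic {pid} has no nat-pool {pid}")
    findings += [f"nat-pool {pid} shared by {', '.join(sorted(c))}"
                 for pid, c in users.items() if len(c) > 1]
    return findings


if __name__ == "__main__":
    print("\n".join(check_one_pool_per_vip(SAMPLE_CONFIG) or ["one pool per VIP: OK"]))
    for r in attribute_xlates(SAMPLE_XLATE, SAMPLE_CONFIG):
        print(f"{r['client']} -> {r['nat']} (pool {r['pool']}) belongs to {r['class']} VIP {r['vip']}")
```

Run against a real show run and show xlate capture, the attribution only works because each VIP owns a distinct pool; if the check reports a shared pool, the translations for those VIPs are indistinguishable on the wire, which is exactly the situation the post's design avoids.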

Other Posts in A Series On The Same Topic

  1. Cisco ACE - Enterprise Load Balancing on a Stick using Source NAT - Part 3 (14th February 2011)
  2. Cisco ACE - Enterprise Load Balancing on a Stick using Source NAT - Part 2 (9th February 2011)
  3. Cisco ACE - Enterprise Load Balancing on a Stick using Source NAT - Part 1 (8th February 2011)
About Greg Ferro

Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, in a wide range of employers, working as a freelance consultant including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count.

He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.

You can contact Greg via the site contact page.

  • http://ltlnetworker.blogspot.com LTLnetworker

    I guess you missed parts of the config (stuff of 2nd VIP)

  • Tristan Rhodes

    I agree, it looks like this config is almost exactly like the first example, with the addition of a second NAT pool.  Greg still needs to add more rservers, a second serverfarm, a second VIP, etc.

    BTW, thanks for sharing this info Greg. I am still learning how to master the ACE.

  • Acedeno

    Greg, hello, how are you? I wanted to consult you as follows: I am currently doing a migration from a Content Services Switch to ACE load balancers. The customer segment does not have valid IP addresses to place in parallel with the ACE load balancers. Within the content switch there are 4 applications to migrate one by one. Is it possible to configure a customer segment with the network IP addresses of 192.168.20.0/24 with a virtual network address of 172.16.16.1, for example? Basically what I want to validate is whether it is possible to use a VIP address on a different network segment from the client vlan.

    • http://etherealmind.com Etherealmind

      Hard to know for sure without more details, but I think the answer is yes. Just make sure your routing is configured correctly.
