Getting Started Guide vA5(1.0), Cisco ACE 4700 Series Application Control Engine Appliance

Configuring One-Arm Mode


This chapter describes how to configure the ACE to receive requests from clients and send them to servers on the same VLAN.

This chapter includes the following sections:

Information About One-Arm Mode

Guidelines and Limitations

Prerequisites for One-Arm Mode on the ACE

Configuring One-Arm Mode on the ACE

Configuration Example for One-Arm Mode

Where to Go Next

Information About One-Arm Mode

After reading this chapter, you should have a basic understanding of one-arm mode, how it works in the ACE, and how to configure it.

In one-arm mode, you configure the ACE with a single VLAN that handles both client requests and server responses. For one-arm mode, you must configure the ACE with client-source network address translation (NAT) or policy-based routing (PBR) to send requests through the same VLAN to the server. For the remainder of this document, NAT is used for the traffic flows through the ACE.

The ACE is not inline with the traffic and receives and sends requests through the Multilayer Switching Feature card (MSFC) that acts as a default gateway to the servers. The MSFC routes requests to a VIP that is configured on the ACE. When the ACE selects the server for the request based on the configured policy, it rewrites the source IP address with an address in the NAT pool. Then the ACE forwards the request to the server on the same VLAN through the default gateway on the MSFC.

The server sends a response to the default server gateway on the MSFC. The server response contains its source IP address and the NAT address of the ACE as the destination IP address. The MSFC forwards the response to the ACE. The ACE receives the response, changes the source IP address to the VIP, and sends it to the MSFC. Then the MSFC forwards the response to the client.
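
The address rewrites described above can be followed hop by hop in a small model. This is an added example, not code from the Cisco guide: the client address, the PAT port numbering and the class and function names are assumptions, while the VIP, the real server and the NAT pool address are taken from this chapter. It also shows why one-arm mode needs source NAT: without it the server's reply goes straight to the client and never passes back through the ACE.

```python
from itertools import count

VIP = "172.16.5.100"            # virtual server address from this chapter
REAL = "192.168.5.11"           # real server RS_WEB9
NAT_ADDR = "172.16.5.200"       # first address of NAT pool 5
CLIENT = ("10.1.1.50", 40000)   # constructed client address and port

class OneArmAce:
    """Toy model of the per-connection rewrite state (PAT enabled)."""

    def __init__(self, source_nat=True):
        self.source_nat = source_nat
        self.ports = count(1024)   # assumed PAT port allocation
        self.conns = {}            # (NAT address, port) -> client (address, port)

    def client_to_server(self, src, dst):
        """Rewrite a request addressed to the VIP on its way to the real server."""
        assert dst[0] == VIP
        if self.source_nat:
            nat = (NAT_ADDR, next(self.ports))
            self.conns[nat] = src
            src = nat
        return src, (REAL, dst[1])

    def server_to_client(self, src, dst):
        """Rewrite a reply that was addressed to a NAT pool address."""
        return (VIP, src[1]), self.conns[dst]

def reply_path(ace):
    """Return (who receives the server's reply, packet the client finally sees)."""
    src, dst = ace.client_to_server(CLIENT, (VIP, 80))
    reply = (dst, src)             # the server answers the source it saw
    # The MSFC routes on destination; NAT pool addresses belong to the ACE.
    if reply[1][0] == NAT_ADDR:
        return "ACE", ace.server_to_client(*reply)
    return "client", reply         # reply bypasses the ACE, source is not the VIP

if __name__ == "__main__":
    print(reply_path(OneArmAce(source_nat=True)))
    print(reply_path(OneArmAce(source_nat=False)))
```

In the second case the client receives a packet whose source is the real server rather than the VIP it connected to, so the connection cannot complete.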

This chapter describes how to configure one-arm mode using the example shown in Figure 13-1.

Figure 13-1 Example Network Setup

The configuration of the example is as follows:

A client and server VLAN interface is configured for the user context VC_web with VLAN 100.

A virtual server VS_WEB3 is created with a virtual IP (VIP) address 172.16.5.100 where the clients send requests.

There are four real servers grouped into the server farm SF_WEB3.

The IP address 192.168.5.1 is the gateway for the real servers.

Guidelines and Limitations

One-arm mode on the ACE has the following configuration guidelines and limitations:

Layer 2 rewrite is not supported.

One-arm mode requires policy-based routing or source NAT.

Prerequisites for One-Arm Mode on the ACE

One-arm mode on an ACE has the following prerequisites:

An available VLAN for both clients and servers. Find out what VLANs and addresses are available for use by the ACE.

Configure a default route on the ACE (see the "Enabling Management Connectivity Using the Setup Script" section in Chapter , "Setting Up an ACE Appliance").

Configure an access list to allow traffic (see the "Configuring an ACL" section in Chapter , "Configuring Access Control Lists").

Configuring One-Arm Mode on the ACE

To configure one-arm mode, you can use either the ACE Device Manager user interface (GUI) or the CLI.

Prerequisites for One-Arm Mode on the ACE

Configuring Server Load Balancing and Source NAT

Configuring One-Arm Mode Using the Device Manager GUI

Configuring One-Arm Mode Using the CLI

Configuring Server Load Balancing and Source NAT

Procedure


Step 1 Add the four real servers (see the "Configuring Real Servers" section in Chapter , "Configuring Server Load Balancing"), using the following real server names, descriptions, and IP addresses and place each server in service for use:

Name: RS_WEB9, Description: content server web-nine, IP Address: 192.168.5.11

Name: RS_WEB10, Description: content server web-ten, IP Address: 192.168.5.12

Name: RS_WEB11, Description: content server web-eleven, IP Address: 192.168.5.13

Name: RS_WEB12, Description: content server web-twelve, IP Address: 192.168.5.14

Step 2 Group these real servers into a server farm (see the "Creating a Server Farm" section in Chapter , "Configuring Server Load Balancing") and place each server in service. In this example, name the server farm SF_WEB3.

Step 3 Configure a TCP probe and associate it with the server farm. See the "Configuration Example for One-Arm Mode" section.

Step 4 Create a virtual server traffic policy (see Steps 1 through 12 in the "Creating a Virtual Server Traffic Policy" section, in Chapter , "Configuring Server Load Balancing"). For this example, you create the following configuration objects:

The policy map for the action when the client request arrives and is sent to the server farm. In this example, name the load-balancing policy PM_ONE_ARM_LB, configure a default class map, and associate the server farm SF_WEB3.

The class map to define the VIP where the clients will send their requests. In this example, name the class map VS_WEB3 with a match virtual address of 172.16.5.100 with a match on any port.

A multi-match service policy map to direct classified incoming requests to the load-balancing policy map. In this example, you do the following:

Name the policy PM_ONE_ARM_MULTI_MATCH.

Associate the VS_WEB3 class map and the PM_ONE_ARM_LB policy map.

Configure the nat dynamic 5 vlan 100 command to allow the ACE to source NAT all client requests. The 5 indicates the NAT pool ID as configured in VLAN 100.

Enable the VIP for load-balancing operations by placing it in service.


Configuring One-Arm Mode Using the Device Manager GUI

Configure one-arm mode using the Device Manager user interface by following these steps:


Step 1 Choose VC_web in the virtual contexts drop-down list.

Step 2 Perform the following actions to configure interface attributes for the client-side and server-side VLANs.

a. Select Config > Virtual Contexts > Network > VLAN Interfaces. The VLAN Interface table appears.

b. Click Add (+) to add a new VLAN interface. Click More Settings to access the additional VLAN interface attributes. By default, ACE appliance Device Manager hides the default VLAN interface attributes and the VLAN interface attributes which are not commonly used.

c. Enter the following interface attributes for the VLAN. Leave the remaining attributes blank or with their default values.

VLAN: 100

Description: Client and server VLAN

Interface Type: Routed

IP Address: 172.16.5.5

Netmask: 255.255.255.0

Admin Status: Up

Input Policies: PM_ONE_ARM_MULTI_MATCH

Input Access Group: INBOUND

d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

e. Enter the following interface attributes for the server-side VLAN. Leave the remaining attributes blank or with their default values.

VLAN: 41

Description: Server_side

Interface Type: Bridged

BVI: 1

Admin Status: Up

Input Policies: HTTP_MULTI_MATCH

Input Access Group: INBOUND

f. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Step 3 Perform the following actions to create a pool of IP addresses for dynamic NAT:

a. Select Config > Virtual Contexts > Network > NAT Pools. The NAT Pools table appears.

b. In the NAT Pools table, click Add (+) to add a new entry. The NAT Pool configuration screen appears.

c. Enter the following attributes for the NAT pool. Leave the remaining attributes blank or with their default values.

VLAN ID: 100

NAT Pool ID: 5

IP Address Type: IPv4

Start IP Address: 172.16.5.200

End IP Address: 172.16.5.209

Netmask: 255.255.255.0

PAT Enabled: Enabled

d. Click Deploy Now to deploy this configuration on the ACE and save your entries to the running-configuration and startup-configuration files.

Step 4 (Optional) To display statistics and status information for a VLAN interface, choose the VLAN interface from the VLAN Interface table, then click Details. The show interface vlan CLI command output appears.



Configuring One-Arm Mode Using the CLI

You can configure the one-arm mode VLAN on the ACE with a NAT pool.

Configure the one-arm VLAN using the CLI by following these steps:


Step 1 Verify that you are operating in the desired context by checking the CLI prompt. If necessary, change to the correct context.

host1/Admin# changeto VC_web
host1/VC_web#
 
   

Step 2 Enter configuration mode.

host1/VC_web# config
host1/VC_web(config)#
 
   

Step 3 Access the interface for the client-side VLAN.

host1/VC_web(config)# interface vlan 100
host1/VC_web(config-if)#
 
   

Step 4 Enter a description of the VLAN.

host1/VC_web(config-if)# description Client and server VLAN
 
   

Step 5 Assign the IP address to the VLAN.

host1/VC_web(config-if)# ip address 172.16.5.5 255.255.255.0
 
   

Step 6 Apply the ACL to the interface.

host1/VC_web(config-if)# access-group input INBOUND
 
   

Step 7 Apply the multi-match policy map to the VLAN.

host1/VC_web(config-if)# service-policy input PM_ONE_ARM_MULTI_MATCH
 
   

Step 8 Create a pool of IP addresses for dynamic NAT:

Note If you configure more than one NAT pool with the same ID, the ACE uses the last-configured NAT pool first and then the other NAT pools.

Note You cannot configure an IP address range across subnets. For example, the following command is not allowed and will generate an Invalid IP address error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0.

host1/VC_web(config-if)# nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat
 
   

Step 9 Place the VLAN in service.

host1/VC_web(config-if)# no shutdown
 
   

Step 10 Exit interface configuration mode.

host1/VC_web(config-if)# exit
host1/VC_web(config)#
 
   

Step 11 Return to Exec mode directly from any configuration mode.

host1/VC_web(config)# Ctrl+Z
host1/VC_web#
 
   

Step 12 Display the interface configuration.

host1/VC_web# show running-config interface
 
   

Step 13 Display the status and statistics about the VLAN interface.

host1/VC_web# show interface vlan 100
 
   

Step 14 (Optional) Copy the running configuration to the startup configuration.

host1/VC_web# copy running-config startup-config

Configuration Example for One-Arm Mode

The following example shows how to configure one-arm mode.

access-list INBOUND extended permit ip any any
 
   
probe tcp TCP_PROBE2
 
   
rserver host RS_WEB9
  description content server web-nine
  ip address 192.168.5.11
  inservice
rserver host RS_WEB10
  description content server web-ten
  ip address 192.168.5.12
  inservice
rserver host RS_WEB11
  description content server web-eleven
  ip address 192.168.5.13
  inservice
rserver host RS_WEB12
  description content server web-twelve
  ip address 192.168.5.14
  inservice
 
   
serverfarm SF_WEB3
  probe TCP_PROBE2
  rserver RS_WEB9 80
    inservice
  rserver RS_WEB10 80
    inservice
  rserver RS_WEB11 80
    inservice
  rserver RS_WEB12 80
    inservice
 
   
policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
    serverfarm SF_WEB3
 
   
class-map VS_WEB3
  match virtual-address 172.16.5.100 any
 
   
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_WEB3
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 100
    loadbalance vip inservice
 
   
interface vlan 100
  description Client_server
  ip address 172.16.5.5 255.255.255.0
  access-group input INBOUND
  service-policy input PM_ONE_ARM_MULTI_MATCH
  nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat
  no shutdown
 
   
context VC_web
  allocate-interface vlan 100
  member RC_WEB
 
   
ip route 0.0.0.0 0.0.0.0 172.16.5.1
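
A pre-deployment check for the NAT rules in this chapter, as an added example that is not part of the Cisco guide or the ACE software. It reads configuration text in the format shown above and reports a nat-pool whose end address falls outside the subnet given by its netmask (the condition the Step 8 note says is rejected), a nat dynamic line that names a pool ID not defined on that VLAN, and an access list that permits all IP traffic. The function name, the finding texts, the sample's second nat dynamic line and the reading of "across subnets" as "start and end in different networks under the pool netmask" are assumptions.

```python
import ipaddress

# Constructed sample: a trimmed copy of the chapter's configuration with two
# deliberate mistakes, a transposed-octet pool end address and a reference
# to NAT pool 7, which is never defined.
SAMPLE = """\
access-list INBOUND extended permit ip any any
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_WEB3
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 100
    nat dynamic 7 vlan 100
interface vlan 100
  ip address 172.16.5.5 255.255.255.0
  nat-pool 5 172.16.5.200 172.5.16.209 netmask 255.255.255.0 pat
"""

def lint_one_arm(config):
    """Return findings about the ACL, nat-pool ranges and nat dynamic references."""
    pools, refs, findings, vlan = {}, [], [], None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():              # a new top-level stanza starts
            vlan = int(w[2]) if w[:2] == ["interface", "vlan"] else None
            if w[0] == "access-list" and w[3:] == ["permit", "ip", "any", "any"]:
                findings.append(f"access-list {w[1]}: permits all IP traffic")
        elif w[0] == "nat-pool" and vlan is not None:
            # nat-pool <id> <start> <end> netmask <mask> [pat]
            pools[(vlan, int(w[1]))] = (w[2], w[3], w[5])
        elif w[:2] == ["nat", "dynamic"]:
            # nat dynamic <pool-id> vlan <vlan>
            refs.append((int(w[4]), int(w[2])))
    for (vlan, pid), (start, end, mask) in pools.items():
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        if hi not in net:
            findings.append(f"vlan {vlan} pool {pid}: {end} is outside {net}")
        elif hi < lo:
            findings.append(f"vlan {vlan} pool {pid}: end precedes start")
    for ref_vlan, ref_pid in refs:
        if (ref_vlan, ref_pid) not in pools:
            findings.append(f"nat dynamic {ref_pid} vlan {ref_vlan}: no such nat-pool")
    return findings

if __name__ == "__main__":
    for finding in lint_one_arm(SAMPLE):
        print(finding)
```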
 
   

Where to Go Next

In this chapter, you have learned how to configure one-arm mode.

This chapter concludes the ACE appliance getting started guide. In this guide, you have learned how to configure the basics of many ACE features.

For more advanced ACE features and functionality, see the configuration guides in the ACE documentation set at the following URL:

http://www.cisco.com/en/US/products/ps7027/products_installation_and_configuration_guides_list.html

For ease in locating features and topics of interest, see the master index in the configuration guide list.

For command-specific information, see the Command Reference, Cisco ACE Application Control Engine.

For troubleshooting information, see the ACE Troubleshooting Wiki at the following URL:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Troubleshooting_Guide

For configuration examples, see the ACE Configuration Examples Wiki at the following URL:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples