Application Control Engine Module Getting Started Guide (Software Version A2(3.0)) - Configuring One-Arm Mode [Cisco Services Modules]

Table Of Contents

Configuring One-Arm Mode

Information About One-Arm Mode

Guidelines and Limitations

Configuring One-Arm Mode on the ACE

Task Flow for Configuring One-Arm Mode

Configuring Server Load Balancing and Source NAT

Configuring the One-Arm VLAN

Configuration Example for One-Arm Mode

Where to Go Next

Configuring One-Arm Mode

This chapter describes how to configure the Cisco Application Control Engine (ACE) module to receive requests from clients and send them to servers on the same VLAN.

This chapter includes the following sections:

•Information About One-Arm Mode

•Guidelines and Limitations

•Task Flow for Configuring One-Arm Mode

•Configuring One-Arm Mode on the ACE

•Configuration Example for One-Arm Mode

•Where to Go Next

Information About One-Arm Mode

After reading this chapter, you should have a basic understanding of one-arm mode, how it works in the ACE, and how to configure it.

In one-arm mode, you configure the ACE with a single VLAN that handles both client requests and server responses. For one-arm mode, you must configure the ACE with client-source network address translation (NAT) or policy-based routing (PBR) to send requests through the same VLAN to the server. For the remainder of this document, NAT is used for the traffic flows through the ACE.

The ACE is not inline with the traffic and receives and sends requests through the Multilayer Switching Feature card (MSFC) that acts as a default gateway to the servers. The MSFC routes requests to a VIP that is configured on the ACE. When the ACE selects the server for the request based on the configured policy, it rewrites the source IP address with an address in the NAT pool. Then the ACE forwards the request to the server on the same VLAN through the default gateway on the MSFC.

The server sends a response to the default server gateway on the MSFC. The server response contains its source IP address and the NAT address of the ACE as the destination IP address. The MSFC forwards the response to the ACE. The ACE receives the response, changes the source IP address to the VIP, and sends it to the MFSC. Then the MFSC forwards the response to the client.

Guidelines and Limitations

One-arm mode on the ACE has the following configuration guidelines and limitations:

•Layer 2 rewrite is not supported.

•One-arm mode requires policy-based routing or source NAT.

Configuring One-Arm Mode on the ACE

This section describes how to configure one-arm mode using the example shown in Figure 14-1.

Figure 14-1 Example Network Setup

The configuration of the example is as follows:

•A client and server VLAN interface is configured for the user context VC_WEB with VLAN 100.

•A virtual server VS_WEB3 is created with a virtual IP (VIP) address 172.16.5.100 where the clients send requests.

•There are four real servers grouped into the server farm SF_WEB3.

•The IP address 192.168.5.1 is the gateway for the real servers.

This section contains the following topics:

•Prerequisites for One-Arm Mode on the ACE

•Configuring Server Load Balancing and Source NAT

•Configuring the One-Arm VLAN

Prerequisites for One-Arm Mode on the ACE

One-arm mode on an ACE has the following prerequisites:

•An available VLAN for both clients and servers. Find out what VLANs and addresses are available for use by the ACE.

•A default route on the ACE (see the "Configuring a Default Route" section in Chapter 2, Setting Up an ACE).

•An access list to allow traffic to the ACE (see the "Configuring an ACL" section in Chapter 4, Configuring Access Control Lists).

Task Flow for Configuring One-Arm Mode

Follow these steps to configure one-arm mode on the ACE:

Step 1 Configure the real servers and a server farm.

Step 2 Configure a TCP probe and associate it with the server farm.

Step 3 Create a virtual server policy to load balance client requests.

Step 4 Configure the client and server VLAN.

Step 5 Apply the access group for the ACL, the virtual server policy, and the NAT pool to the VLAN.

Configuring Server Load Balancing and Source NAT

Procedure

Step 1 Add the four real servers (see the "Configuring Real Servers" section in Chapter 6, Configuring Server Load Balancing), using the following real server names, descriptions, and IP addresses and place each server in service for use:

•Name: RS_WEB9, Description: content server web-nine, IP Address: 192.168.5.11

•Name: RS_WEB10, Description: content server web-ten, IP Address: 192.168.5.12

•Name: RS_WEB11, Description: content server web-eleven, IP Address: 192.168.5.13

•Name: RS_WEB12, Description: content server web-twelve, IP Address: 192.168.5.14

Step 2 Group these real servers into a server farm (see the "Creating a Server Farm" section in Chapter 6, Configuring Server Load Balancing) and place each server in service. In this example, name the server farm SF_WEB3.

Step 3 Configure a TCP probe and associate it with the server farm. See the "Configuration Example for One-Arm Mode" section.

Step 4 Create a virtual server traffic policy (see Steps 1 through 12 in the "Creating a Virtual Server Traffic Policy" section, in Chapter 6, Configuring Server Load Balancing). For this example, you create the following configuration objects:

•The policy map for the action when the client request arrives and is sent to the server farm. In this example, name the load-balancing policy PM_ONE_ARM_LB, configure a default class map, and associate the server farm SF_WEB3.

•The class map to define the VIP where the clients will send their requests. In this example, name the class map VS_WEB3 with a match virtual address of 172.16.5.100 with a match on any port.

•A multi-match service policy map to direct classified incoming requests to the load-balancing policy map. In this example, you do the following:

–Name the policy PM_ONE_ARM_MULTI_MATCH.

–Associate the VS_WEB3 class map and the PM_ONE_ARM_LB policy map.

–Configure the nat dynamic 5 vlan 100 command to allow the ACE to source NAT all client requests. The 5 indicates the NAT pool ID as configured in VLAN 100 (see "Configuring the One-Arm VLAN" section.

–Enable the VIP for load-balancing operations by placing it in service.

Configuring the One-Arm VLAN

You can configure the one-arm mode VLAN on the ACE with a NAT pool.

Procedure
Command

Purpose
Step 1
changeto context
Example:
host1/Admin# changeto VC_WEB
host1/VC_WEB#
Changes to the correct context if necessary. Check the CLI prompt to verify that you are operating in the desired context.
Step 2
config
Example:
host1/VC_WEB# config
host1/VC_WEB(config)# 
Enters configuration mode.
Step 3
interface vlan vlan_id
Example:
host1/VC_WEB(config)# interface vlan 
100
host1/VC_WEB(config-if)#
Accesses the interface for the client-side VLAN.
Step 4
description string
Example:
host1/VC_WEB(config-if)# description 
Client and server VLAN
Enters a description of the VLAN.
Step 5
ip address address subnet_mask
Example:
host1/VC_WEB(config-if)# ip address 
172.16.5.5 255.255.255.0
Assigns the IP address to the VLAN.
Step 6
access-group input acl_name
Example:
host1/VC_WEB(config-if)# access-group 
input INBOUND
Applies the ACL to the interface.
Step 7
service-policy input policy_name
Example:
host1/VC_WEB(config-if)# service-policy 
input PM_ONE_ARM_MULTI_MATCH
Applies the multi-match policy map to the VLAN.
Step 8
nat-pool pool_id ip_address1 ip_address2 netmask mask [pat]
Example:
host1/VC_WEB(config-if)# nat-pool 5 
172.16.5.200 172.5.16.209 netmask 
255.255.255.0 pat
Creates a pool of IP addresses for dynamic NAT:

•pool_id—Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.

Note If you configure more than one NAT pool with the same ID, the ACE uses the last-configured NAT pool first and then the other NAT pools.

•ip_address1—Single IP address, or if also using the ip_address2 argument, the first IP address in a range of global addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.5.200).

•ip_address2—Highest IP address in a range of global IP addresses used for NAT. Enter an IP address in dotted-decimal notation (for example, 172.27.5.209). You can configure a maximum of 65,535 addresses in a NAT pool.

Note You cannot configure an IP address range across subnets. For example, the following command is not allowed and will generate an Invalid IP address error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0.

•netmask mask—Specifies the subnet mask for the IP address pool. Enter a mask in dotted-decimal notation (for example, 255.255.255.255). A network mask of 255.255.255.255 instructs the ACE to use all the IP addresses in the specified range.

•pat—Enables port address translation. The pat option instructs the ACE to translate port numbers and IP addresses. If you omit the pat option, the ACE will be limited to the number of IP addresses in the pool for the number of concurrent NAT connections
Step 9
no shutdown
Example:
host1/VC_WEB(config-if)# no shutdown
Places the VLAN in service.
Step 10
exit
Example:
host1/VC_WEB(config-if)# exit
host1/VC_WEB(config)#
Exits interface configuration mode.
Step 11
Ctrl+Z
Example:
host1/Admin(config-if)# Ctrl+Z
host1/Admin#
Returns to Exec mode directly from any configuration mode.
Step 12
show running-config interface
Example:
host1/Admin# show running-config 
interface
Displays the interface configuration.
Step 13
show interface vlan number
Example:
host1/Admin# show interface vlan 100
Displays the status and statistics about the VLAN interface.
Step 14
copy running-config startup-config
Example:
host1/Admin# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
Configuration Example for One-Arm Mode

The following example shows how to configure one-arm mode.
access-list INBOUND extended permit ip any any
probe tcp TCP_PROBE2
rserver host RS_WEB9
  description content server web-nine
  ip address 192.168.5.11
  inservice
rserver host RS_WEB10
  description content server web-ten
  ip address 192.168.5.12
  inservice
rserver host RS_WEB11
  description content server web-eleven
  ip address 192.168.5.13
  inservice
rserver host RS_WEB12
  description content server web-twelve
  ip address 192.168.5.14
  inservice
serverfarm SF_WEB3
  probe TCP_PROBE2
  rserver RS_WEB9 80
    inservice
  rserver RS_WEB10 80
    inservice
  rserver RS_WEB11 80
    inservice
  rserver RS_WEB12 80
    inservice
policy-map type loadbalance first-match PM_ONE_ARM_LB
  class class-default
  serverfarm SF_WEB3
class-map VS_WEB3
  match virtual-address 172.16.5.100 any
policy-map multi-match PM_ONE_ARM_MULTI_MATCH
  class VS_WEB3
    loadbalance policy PM_ONE_ARM_LB
    nat dynamic 5 vlan 100
  loadbalance vip inservice
interface vlan 100
  description Client_server
  ip address 172.16.5.5 255.255.255.0
  access-group input INBOUND
  service-policy input PM_ONE_ARM_MULTI_MATCH
  nat-pool 5 172.16.5.200 172.16.5.209 netmask 255.255.255.0 pat
  no shutdown
context VC_WEB
  allocate-interface vlan 100
  member RC_WEB
ip route 0.0.0.0 0.0.0.0 172.16.5.1
Where to Go Next

In this chapter, you have learned how to configure one-arm mode.

This chapter concludes the ACE quick start guide. In this guide, you have learned how to configure the basics of many ACE features. For more advanced ACE features and functionality, see the configuration guides in the ACE documentation set at the following URL:

http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

For ease in locating features and topics of interest, see the master index in the configuration guide list.

For command-specific information, see the Cisco Application Control Engine Module Command Reference.

For troubleshooting information, see the ACE Module Troubleshooting Wiki at the following URL:

http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_(ACE)_Module_Troubleshooting_Guide%2C_Release_A2(x)