Meaning of one-arm setup and src nat

I've worked previously on the CSS platform and recall deploying one-arm mode, which simply meant connecting the appliance via a single physical trunk link.
In terms of the ACE, some docs and ANM seem to suggest that one-arm requires src NAT. If true, why is that, unless one-arm now translates to one-VLAN?
BTW, I know about asymmetric routing and src NAT, but what I'm failing to get is how that relates to one-arm.
Thanks

Hello Ajaz,
Generally the convention is to call "one arm" those setups where both client and servers, for a certain load-balanced service (so VIP), belong to the same VLAN; see for example how it's defined here:
http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Configuration_Examples_--_Routing_and_Bridging_Configuration_Examples
Not sure whether the definition has changed over time; I would guess that it can be intended in the physical sense (single link), as you do, or in the logical sense, where 2 VLANs would represent 2 arms even if the physical connectivity is provided through just one link. From my experience, in the LB field the logical interpretation is prevalent.
Thanks,
Francesco

Similar Messages

  • One armed VIP and FTP

    I have a need to use the one-armed load balance for some servers. I have 4 contents set up using this and I have the four corresponding groups set up. Two of the contents work fine; they are using SSL. The other 2 fail and they are both using FTP. It looks like it is failing on the data channel connection because I can log in to the server but cannot get any data. Is there a way to correct this?

    Check the following URL:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_tech_note09186a0080093de6.shtml
    It explains that you need a source group for the FTP data connection.
    Since you also need a group to NAT the client IP address, you have a problem, since you can't do both at the same time.
    The solution is to use ACLs and the 'sourcegroup' option.
    So you keep your group but remove all the services attached inside it.
    Then you create an ACL like this one:

    acl 1
    clause 10 permit tcp any destination any eq 21 sourcegroup <group-name>
    apply circuit-(VLAN-client)

    acl 2
    clause 10 permit tcp any destination any sourcegroup <group-name>
    apply circuit-(VLAN-server)

    This should work.
    If not, make sure to try both passive and active FTP to see if at least one works.
    Gilles.

  • CSS 11503 One-arm Design and Server Default Gateway

    Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers' default gateway be the L3 switch, or the CSS?
    Thanks!
    Tom

    Hi Tom,
    If you have one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows: it needs to see both sides of the flow (client and server side) in order to handle things correctly. Having this kind of setup, even when the server points to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
    You can use the L3 switch as the default gateway, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address to the VIP that you use on the group and would force the flow to go back to the CSS.
    Another thing that you can do is to use the CSS as the servers' DG, but you must make sure that all L3 devices, including the CSS, have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
    I hope you find this helpful. Thanks!
    Regards,
    Jose Quesada.

  • CSS one-armed-config and SMTP reverse lookup problems?

    I was wondering if there would be potential reverse-lookup problems from other companies when we try to send mail to their mail domains.
    If I configure failover for our mail server, I am thinking that if we are sending mail, there could be a reverse-lookup issue, because our mail server would be configured with public IP addresses other than what the MX record points to in DNS.
    If we originate mail from our inside users, it will originate from the service IP address and not the VIP address.
    Is this a valid concern?

    The main advantage of this configuration is that the web servers will receive the IP address of the client that made the request. This is often required by web servers' administrators for accounting purposes.
    In a one-armed configuration, only the network port (Enet0) is used on the SCA. Only this specific port can be used for this setup. Encrypted and decrypted traffic will go through the same link.
    http://www.cisco.com/en/US/products/hw/contnetw/ps2083/products_configuration_example09186a00801bbf4e.shtml

  • One armed bandit and one port to another

    I was trying to set up a CSS in one-armed bandit mode for the first time per the URL below. But I want to be able to have arbitrary ports on the "real" servers. E.g. use https://hooty.com as the VIP but on the backend take you to hoot1.hooty.com port 8443, say, while http://hooty.com would direct you to hoot1.hoot.com port 8080. Must the port number on the VIP equal the port number on the real server in one-armed-bandit mode?
    http://www.cisco.com/warp/public/117/one_armed_bandit.html
    group Servers1
      vip address 26.19.98.45
      add destination service oldwww:80
      active

    group Servers2
      vip address 26.19.98.45
      add destination service oldwww:443

    css-n1-1(config)# group Servers2
    css-n1-1(config-group[Servers2])# active
    %% An active source group with that address already exists

    The port number of the VIP does not have to be the same as the real server's.
    You can set the port you want for the real server with the 'port' command under the service definition.
    This is true for one-armed or any other type of setup.
    The problem in your config is that you can't create 2 groups using the same VIP IP address.
    So, simply configure all your servers under one group, i.e.:

    group Servers1
      vip address 26.19.98.45
      add destination service oldwww:80
      add destination service oldwww:443
      active

    Gilles.

  • ACE One Arm Setup

    Hi,
    I would like to know whether the Cisco ACE module can be configured as such:
    CLIENTS: 10.10.10.X
    ACE VIP: 10.20.20.20
    SERVER 1 ACTUAL IP: 10.20.20.21
    SERVER 2 ACTUAL IP: 10.20.20.22
    Both the VIP and servers are in one segment. This segment is also behind an FWSM and in the same chassis.
    Thanks in advance.
    Rama

    Hi Rama,
    Yes, it would be fine to use this kind of setup. You just need to take into account a few points:
    1. The policy-map has to be applied on the VLAN on which the client traffic is arriving.
    2. Traffic towards the VIPs needs to be routed towards the ACE.
    3. You need to ensure that the return traffic from the servers towards the clients also goes through the ACE, so you will probably need to configure either some source NAT or policy-based routing to achieve this.
    Let me know if you need more clarification on any of the points.
    Regards
    Daniel

  • HH5 and Xbox One - randomly open and moderate NAT

    Having this annoying problem where the NAT keeps showing as randomly open and moderate. I have set a static IP for it with no luck so far. I can switch it on and off a dozen times and it can show open, then be turned on the next dozen times and be moderate.
    The odd thing is that I have a PS4 and Xbox 360 attached and they both show as always having an open NAT. All devices are connected wired. Tearing my hair out over this. I can't recall the last time I had to mess around with static IPs and whatnot. Everything just worked with my old Virgin setup. I do a fair bit of online gaming and so having an open NAT is important to me, as even moderate with Xbox Live can be a real nuisance. Thanks for any help.

    Well, after googling non-stop since around 4am this morning I have found what I think the problem is - and that makes the most sense.
    I can't port forward because the HH5 has assigned some of the ports to my Xbox 360 (this was with me only using UPnP and NOT having tried any port forwarding) and so now it won't let me manually assign those ports to my Xbox One - hence the error message that I'm getting.
    The worst part is that UPnP SHOULD open those ports as needed when I switch my Xbox One on (I live alone and so both machines are never connected at the same time) but it isn't, because for some reason it is keeping the shared ports solely for the Xbox 360.
    So I was trying to manually assign those ports with port forwarding to force it to open those same ports on my Xbox One... but so far I haven't got as far as doing any port forwarding whatsoever.
    I had a router with DD-WRT firmware on my old Virgin connection, and that allowed me to open whatever ports I wanted to whatever device I wanted, but it didn't matter because UPnP worked properly on it. Unlike the HH5, which after all my reading has the same problems going back as far as the HH2. The internet is awash with people who couldn't get UPnP or port forwarding to work how it should.
    So far the only people getting a stable open NAT seem to be those with one Xbox or the other, but NOT both. Which is ridiculous and only seems to affect Home Hub users.

  • Virtualisation and One Arm mode

    Hi All ,
    Is it possible to make one context in one-arm mode and the rest in normal?
    -parvees

    Yes, no restriction. 1-arm mode is just placing the VIP in the servers' subnet and using source NAT for clients.

  • Trying to run CSS11503 08.10.0.02 one-armed DNAT+SNAT with UDP 921

    Is there a way to perform DNAT + SNAT and portmap disable on the Cisco CSS 11503? I need to do a DNAT in a one-armed configuration and then to SNAT for UDP traffic with SRC port 9211 and DST port 9211. I don't need load balancing, but only NAT. Is there a way to solve this issue with ACLs? Any help will be appreciated...
    Thanks

    If you want to do DNAT, you have to use a content rule.
    The VIP will be NATed to the service address.
    Then you need a group to NAT the client IP.
    Finally, you need to use the command 'portmap disable' under the group to avoid port mapping.
    Gilles.

  • 4710 in one-armed mode

    Is it possible to preserve the client's originating IP address somewhere while using the 4710 in one-armed mode? I have a situation where the client source IP is needed, and I am deciding between one-armed mode and inline. I'd like to use one-armed, so that only load balanced traffic traverses the load balancer, but I haven't seen an example where that can be done without losing the client's src address.

    The only thing I can think of is HTTP header insertion. Create an action-list that inserts the original client src IP/port into the HTTP header. The configuration is quite simple:

    action-list type modify http <name>
      header insert both Host header-value %is:%ps

    Then apply the action-list to your load-balance policy-map.
    Take a look at the URL below for further information:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/slb/guide/classlb.html#wp1131842
    But that depends on your situation. If the original client src IP/port is expected in the L3/L4 header, this won't cut it. Is this for logging purposes or some form of packet filtering?
    If you intend to run your ACE in one-arm mode, in my opinion, src NAT and header insertion are your only option.
    hth
    /Ulrich

  • CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

    With reference to the following CCO documentation:
    1) "How to Configure the CSS to Load Balance Using 1 Interface"
    In this example, the real servers' (10.10.10.2 etc.) gateway is pointed to the router's gateway (10.10.10.1), and the 'add destination service' command is used to NAT the real server's IP address back to the VIP (10.10.10.6).
    2) "Understanding and Configuring VIP and Interface Redundancy on the CSS11000"
    In the interface redundancy configuration, the gateway of the real servers is configured as the CSS11000's interface redundancy address (192.168.1.1), not the router's gateway.
    Can anyone advise on the preferred one-arm configuration with VIP/IP redundancy?
    (i) Is the reason for configuring the gateway of the real server to the CSS11000's interface redundancy address in 2) the same as using the 'add destination service' command in 1)? That is, to make sure that the return path from the real server back to the client passes through the CSS and is NATed back to the VIP.
    (ii) To configure VIP (non-shared)/IP interface redundancy (active/backup mode) in a one-arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
    Method a)
    1. Configure the real server's gateway to the router's gateway.
    2. Configure the 'add destination service' command on the CSS to NAT the real server's IP address back to the VIP.
    3. Configure VIP (non-shared) redundancy for the VIP on the CSS.
    4. IP interface redundancy on the CSS is not required, as the real server's gateway is already pointing to the router's gateway (assuming that HSRP redundancy is already running on the router).
    Method b)
    1. Configure the real server's gateway to the CSS's IP interface redundancy IP address.
    2. Configure IP interface redundancy on the CSS (as the real server's gateway).
    3. Configure VIP (non-shared) redundancy for the VIP on the CSS.

    If you use method a) (server gateway is the router), you need the CSS to NAT the source IP address of the client in order to force the server to send traffic back to the CSS.
    The issue then is that the server does not see the IP address of the real client.
    The server only sees connections with source IP address = CSS IP address.
    With method b) you don't have the above problem, but connections initiated by the servers are sent to the CSS, which will then send them to the router.
    You have a performance issue because the traffic will cross the one-armed interface 2 times.
    If this is a new design, it is strongly recommended not to use a one-armed setup.
    Regards,
    Gilles.

  • ACE 4700 one-arm design with SSL termination

    Hi,
    We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
    1. Are there any limitations in the one-arm design and the SSL offloading?
    2. Can the ACE be configured with an IN and an OUT VLAN to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server VLAN
    so that the SSL and the clear-text traffic are in separate VLANs?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    I would appreciate it if you can share some sample configs.
    Regards,
    George Georgiou

    There are two ways to implement a one-arm topology:
    1. One arm with PBR, and 2. One arm with SRC NAT.
    PBR/source NAT is needed to ensure that the return traffic from the real servers does not bypass the ACE.
    1. Are there any limitations in the one-arm design and the SSL offloading?
    The limitations/config issues I can think of are the following:
    One arm with PBR:
    Direct access to servers requires the enabling of asymmetric routing (by turning off normalization). If direct server access is not required then you don't need to enable asymmetric routing. Now for these asymmetric connections (direct server access return traffic) it's required to purge idle connections more frequently (the default being one hour).
    One arm with SRC NAT:
    You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
    2. Can the ACE be configured with an IN and an OUT VLAN to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server VLAN
    so that the SSL and the clear-text traffic are in separate VLANs?
    Yes, you can do that, but wouldn't it make it a routed-mode topology?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    As I said earlier, you lose the source IP address with SRC NAT. But with the ACE you have an option to use header-insert and insert this source IP as an HTTP header.
    Details at:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    HTH
    Syed Iftekhar Ahmed
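
Gilles' CSS answer and Syed's ACE answer above both come down to the return path. The following constructed Python model, an added example and not code from the thread or from Cisco, traces one request through a single-VLAN load balancer whose servers default-route to the router, and compares no fix-up, source NAT and PBR; all addresses are made up, loosely following the "ACE One Arm Setup" post.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# Constructed addresses, loosely following the "ACE One Arm Setup" post above.
CLIENT = "10.10.10.50"          # off-subnet client, reaches the VLAN via the router
VIP = "10.20.20.20"
NAT_POOL = "10.20.20.5"         # LB-owned address used when source NAT is on
SERVERS = ["10.20.20.21", "10.20.20.22"]
SERVICE_PORT = 80


class OneArmLB:
    """Single-VLAN load balancer: a flow table keyed on the server-side tuple."""

    def __init__(self, snat):
        self.snat = snat
        self.flows = {}             # (server, src, sport) -> (client ip, client port)
        self.next_port = 40000
        self.rr = 0

    def to_server(self, pkt):
        """Client -> VIP: pick a server, rewrite the destination and, with SNAT, the source."""
        server = SERVERS[self.rr % len(SERVERS)]
        self.rr += 1
        src, sport = pkt.src, pkt.sport
        if self.snat:
            src, sport = NAT_POOL, self.next_port
            self.next_port += 1
        self.flows[(server, src, sport)] = (pkt.src, pkt.sport)
        return Packet(src, sport, server, pkt.dport)

    def to_client(self, pkt):
        """Server reply that reached the LB: undo the translation, or None for an unknown flow."""
        client = self.flows.get((pkt.src, pkt.dst, pkt.dport))
        if client is None:
            return None             # a real LB drops a reply it has no flow for
        return Packet(VIP, pkt.sport, client[0], client[1])


def simulate(mode):
    """mode is 'none', 'snat' or 'pbr'. Returns what the server saw as the request's
    source and the source address of the reply the client finally receives."""
    lb = OneArmLB(snat=(mode == "snat"))
    request = Packet(CLIENT, 51234, VIP, SERVICE_PORT)
    fwd = lb.to_server(request)                 # client -> router -> LB -> server
    reply = Packet(fwd.dst, SERVICE_PORT, fwd.src, fwd.sport)   # server answers whoever it saw
    if reply.dst == NAT_POOL:
        delivered = lb.to_client(reply)         # on-VLAN address owned by the LB
    elif mode == "pbr" and reply.src in SERVERS and reply.sport == SERVICE_PORT:
        delivered = lb.to_client(reply)         # router policy-routes it back to the LB
    else:
        delivered = reply                       # router forwards straight to the client
    return {
        "server_saw": fwd.src,
        "reply_from": None if delivered is None else delivered.src,
        "symmetric": delivered is not None and delivered.src == VIP,
    }
```

Without SNAT or PBR the client gets a reply from the real server's address rather than the VIP, which its TCP stack will not match to the connection; SNAT restores the path at the cost of the client address the server sees, which is what the header-insertion answers in this page address.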

  • CSM in one armed mode Redundancy

    Hi,
    I have a customer with a one-arm setup. However, they have no server VLAN, only a client VLAN. They are using source NAT and it is working; however, I am unsure how to set up redundancy, as the alias command seems to be generally used on the server VLAN.
    I am running HSRP and an FT VLAN across the CSMs.
    Does anyone have any experience of this type of setup? Do I need to add any additional config for fault tolerance?
    Cheers
    Scott

    Scott,
    You can use the alias on whatever VLAN [client or server].
    It is required if your servers or clients are using the CSM as default gateway.
    There is no special config required when doing fault tolerance in one-armed mode.
    It's the same as inline mode.
    Gilles.

  • How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

    I'm using an ACE 4710 appliance deployed in one-armed mode, using source NAT to load balance HTTP requests to a couple of proxy servers.
    Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxies' logs, so I can't keep track of them.
    The interface and NAT configs are:

    interface vlan 200
      description Server-Side-VLAN
      bridge-group 5
      nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
      service-policy input VIPS
    interface vlan 300
      description Client-Side-VLAN
      bridge-group 5
    interface bvi 5
      ip address 10.1.1.3 255.255.248.0
      description Client-Server-Virtual-Interface
    ip route 0.0.0.0 0.0.0.0 10.1.1.1

    and the policy map looks like this:

    policy-map multi-match VIPS
      class Port80
        loadbalance vip inservice
        loadbalance policy Port80
        nat dynamic 5 vlan 200

    Resource assignment:

    sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
      timeout 5
      serverfarm Service80

    Any suggestions will be appreciated,
    Thanks

    Hi Kanwal,
    Thanks for your quick reply,
    I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
    The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
    But I'll try again tomorrow and let you know how it goes.
    Thank you again.
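
For the header-insertion approach from the 4710 thread above and this Squid question, the following added Python (not from the thread, Cisco or Squid) shows how the server side can recover the original client from the inserted header while refusing to trust that header on any connection that did not arrive from the ACE nat-pool address. The header name X-Client-Address and the "%is:%ps" value format are assumptions; the trusted peer is the nat-pool address from the posted config.

```python
from ipaddress import ip_address

# Assumptions, not taken from the thread: the ACE action-list inserts a header
# named X-Client-Address whose value is %is:%ps ("client-ip:client-port"), and
# load-balanced connections reach the proxy from the ACE nat-pool address.
INSERTED_HEADER = "x-client-address"
TRUSTED_PEERS = {"10.1.1.5"}    # nat-pool 5 address from the ACE config in the thread


def parse_request(raw):
    """Split an HTTP/1.x request head into (request line, {lower-cased name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())   # first copy wins
    return lines[0], headers


def original_client(raw, peer_ip):
    """Return (ip, port, origin): origin is 'header' when the inserted header was
    used and 'peer' when we fell back to the TCP peer (the ACE nat-pool address)."""
    _, headers = parse_request(raw)
    value = headers.get(INSERTED_HEADER)
    # Believe the header only on connections that really came through the ACE;
    # a peer that reached the server directly could have written it itself.
    if value and peer_ip in TRUSTED_PEERS:
        ip, _, port = value.rpartition(":")     # rpartition also copes with IPv6 literals
        try:
            return str(ip_address(ip)), int(port), "header"
        except ValueError:
            pass                    # malformed value: fall back to the peer address
    return peer_ip, None, "peer"


# Constructed request as the proxy would read it after the ACE inserted the header.
SAMPLE = (b"GET http://example.com/ HTTP/1.1\r\n"
          b"Host: example.com\r\n"
          b"X-Client-Address: 192.0.2.44:51234\r\n"
          b"\r\n")

if __name__ == "__main__":
    print(original_client(SAMPLE, "10.1.1.5"))
```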

  • One-armed config

    We've done a one-armed setup in our production env using CSS11506(s) and have no issues. We're bringing up a smaller setup using CSS 11150(s) and I was wondering if they work just as well, performance-wise, with a one-armed config?
    Thanks
    chad

    I think it should work just fine. The same configuration would work for CSS 11000 series switches.
    Check the config document:
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/products_configuration_example09186a0080093dff.shtml
