Source NATing in CSM one-armed design

What is the best practice for creating source NATing in a CSM one-armed design? I am doing a CSS to CSM migration. I created the NAT pool using the VIP address, like natpool CSS0 10.xxx.xx.xxx 10.xxx.xx.xxx netmask 255.255.255.0. I did experience some latency after migrating to the CSM. Then I used a different IP address in the NAT pool and that improved the latency. Is there any documentation which clearly explains this issue?
Thanks

The natpool will have no impact on performance.
The problem must come from somewhere else.
You should capture a sniffer trace and verify what is going on.
Gilles.

Similar Messages

  • Sniffer Trace on ACE w/VACLs and One-Arm Design

    Wow...that was a mouthful of a title!
    Here is what I'm trying to accomplish. There is an application that is having issues. This application is being load balanced by the ACE. The ACE is configured in a One-Armed design. Essentially the application flow is as follows:
    client --> ACE VIP --> SNAT Pool --> rserver and then the reverse.
    The VLAN for my ACE is 3002. It is the only VLAN in this context. I have a WildPackets OmniEngine connected to a port on the 6500. Here is its config:
    interface GigabitEthernet x/xx
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    switchport capture
    switchport capture allowed vlan 3002
    no ip address
    no cdp enable
    Here is the problem. When I take a trace I only see the back half of the conversation. That is I only see from the SNAT pool IPs to the rservers and back. I need to be able to see the conversation between the client IPs and the VIP. Does anyone know how this can be done? If you need more details or have questions please fire away! Thanks for the help...
    bc

    This can be done by setting up a monitor session on the Sup, with the TenGig/1 as SPAN source, and a trunk port as SPAN destination.
    For example, if the ACE is in slot X, the configuration would be:
    monitor session 10 source interface TeX/1
    monitor session 10 destination interface Giy/z
    The configuration for this port would be:
    int giy/z
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport nonegotiate
    Syed Iftekhar Ahmed

  • ACE 4700 one-arm design with SSL termination

    Hi,
    We are evaluating the one-arm design for the ACE 4700 and need some clarifications:
    1. Are there any limitations in the one-arm design and the SSL offloading
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    3. In some sample configurations I saw SNAT configuration on the ACE to modify the client IP. This I assume is for instructing the return traffic from the server to go through the ACE? Using SNAT, do we eliminate the requirement for NAT or PBR on the router? Will I still be able to insert the client IP address after the SSL offload?
    I would appreciate it if you can share some sample configs.
    Regards,
    George Georgiou

    There are two ways to implement a one-arm topology:
    1. One arm with PBR, and 2. One arm with SRC NAT.
    PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.
    1. Are there any limitations in the one-arm design and the SSL offloading
    The limitations/config issues I can think of are the following:
    One arm with PBR:
    Direct access to servers requires enabling asymmetric routing (by turning off normalization). If direct server access is not required then you don't need to enable asymmetric routing. Now, for these asymmetric connections (direct server access return traffic) it is required to purge idle connections more frequently (the default being one hour).
    One arm with SRC NAT:
    You will lose the client information. Server logs will show the connections initiated from the NAT IP pool configured on the ACE.
    2. Can the ACE be configured with an IN and an OUT vlan to the router
    CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan
    so that the SSL and the clear text traffic is in a separate Vlan?
    Yes, you can do that, but wouldn't it make it a routed mode topology?
    3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?
    As I said earlier, you lose the source IP address with SRC NAT. But with the ACE you have an option to use header-insert and insert this source IP as an HTTP header.
    Details at
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008
    HTH
    Syed Iftekhar Ahmed

  • CSS11500 one arm design configuration assistance.

    Is it possible to configure the CSS11500 in a single-arm design? If yes, how do I configure source NAT on the CSS11500? It is not possible for me to change the default gateway, nor to configure the CSS inline.
    Regards

    Yes, you can configure the CSS in one-armed mode. You would do the NAT with a group config, i.e.:
    service yada
    ip address 192.168.20.40
    active
    content yadayada
    vip address 192.168.20.55
    add service yada
    group yadayadayada
    vip address 192.168.20.55
    add destination service yada

  • CSS 11503 One-arm Design and Server Default Gateway

    Our problem is determining the correct default gateway for our web servers. All IP addresses are in the same subnet (VIP, interfaces, and servers). Should the servers default gateway be the L3 switch, or the CSS?
    Thanks!
    Tom

    Hi Tom,
    If you have one-arm mode, you might have problems with asymmetric flows, because the CSS behaves similarly to a firewall when it comes to flows: it needs to see both sides of the flow (client and server side) in order to handle things correctly. With this kind of setup, even when the server points to the CSS as its default gateway, ICMP redirects might force the traffic to change dynamically.
    You can use the L3 switch as the default gateway, but you need to force the traffic that has been load balanced by the CSS to go back to the CSS, otherwise the flow would fail. You can do this by using a group on the CSS, adding the service with the following command: 'add destination service xxxx'. This would NAT the client's IP address to the VIP that you use on the group and would force the flow to go back to the CSS.
    Another thing that you can do is to use the CSS as the servers' DG, but you must make sure that all L3 devices, including the CSS, have ICMP redirects turned off on this subnet. If you have a firewall on this subnet, you would need to turn off proxy ARP as well.
    I hope you find this helpful. Thanks!
    Regards,
    Jose Quesada.

  • Source IP in One armed Mode ACE

    Hi,
    How do we find the actual client source IP address in one-armed mode ACE for non-HTTP applications like LDAP, FTP, etc.?

    It's not possible. Header insertion works only for HTTP, and for HTTPS with SSL offload.

  • Can I configure csm as one arm and routing mode at the same time?

    My CSM is currently configured in routed mode and bridge mode; recently I have a service requirement for which I think one-arm mode would be the best resolution. Can anybody let me know if there will be any effect if I add one-arm mode to the current production environment?
    Thanks in advance.
    Jason

    Gilles,
    Thanks for your quick response. I notice you have the same opinion about one-arm mode in your other post, but I think in the multi-tier data center design, with the FW in bridge mode and the CSM in one-arm mode with RHI, it does give us a lot of flexibility. If I use policy routing instead of source NAT, can I overcome the limits you mentioned?
    Do you know how the CSM could handle TFTP traffic? I may have too many questions; I am really looking for your suggestions.
    Thanks
    Jason

  • CSM-S, move to one-arm configuration.

    Hello.
    We are using a couple of CSM-S with a single-subnet bridge and fault tolerance configuration. Now we are evaluating moving to a one-arm configuration, so I'm reading some design guides.
    We want to move to this topology because there are some advantages, like efficient utilization of resources.
    Because we are serving different areas with different security levels, I'm looking for best practices as well.
    The main question is about security because CSM does not support virtual contexts like ACE.
    Any suggestions?
    Thanks.
    Andrea

    Hello Andrea,
    As you noted, the capability of the ACE to keep traffic segregated is much easier to work with than the CSM's. Basically, you have to utilize both client groups and the VLAN statement under vservers to be able to keep traffic segregated. Here is an example:
    module ContentSwitchingModule 4
    vlan 100 client
      ip address 192.168.100.1 255.255.255.0
    vlan 150 client
      ip address 192.168.150.1 255.255.255.0
    vlan 200 client
      ip address 192.168.200.1 255.255.255.0
    vlan 250 client
      ip address 192.168.250.1 255.255.255.0
    natpool POOL-1 192.168.100.2 192.168.250.2 netmask 255.255.255.0
    natpool POOL-2 192.168.150.2 192.168.250.2 netmask 255.255.255.0
    natpool POOL-3 192.168.200.2 192.168.250.2 netmask 255.255.255.0
    natpool POOL-4 192.168.250.2 192.168.250.2 netmask 255.255.255.0
    serverfarm DMZ1
      nat server
      nat client POOL-1
      real 192.168.100.50
        no inservice
      real 192.168.100.51
        inservice
      real 192.168.100.52
        inservice
    serverfarm DMZ2
      nat server
      nat client POOL-2
      real 192.168.150.82
        no inservice
      real 192.168.150.83
        inservice
      real 192.168.150.84
        inservice
    serverfarm DMZ3
      nat server
      nat client POOL-3
      real 192.168.200.75
        no inservice
      real 192.168.200.78
        inservice
      real 192.168.200.90
        inservice
    serverfarm DMZ4
      nat server
      nat client POOL-4
      real 192.168.250.82
        no inservice
      real 192.168.250.83
        inservice
      real 192.168.250.84
        inservice
    vserver DMZ1
      virtual 192.168.100.10 tcp www
      vlan 100
      serverfarm DMZ1
      persistent rebalance
      inservice
    vserver DMZ2
      virtual 192.168.150.10 tcp www
      vlan 150
      serverfarm DMZ2
      persistent rebalance
      inservice
    vserver DMZ3
      virtual 192.168.200.10 tcp www
      vlan 200
      serverfarm DMZ3
      persistent rebalance
      inservice
    vserver DMZ4
      virtual 192.168.250.10 tcp www
      vlan 250
      serverfarm DMZ4
      persistent rebalance
      inservice
    In the above configuration, if any packet comes into vlan 100 destined to 192.168.100.10 on port 80, it can hit the VIP. If the same packet comes into any other VLAN, it will not be able to hit the VIP. The "vlan 100" statement under the DMZ1 vserver filters the traffic so that only traffic that came into that VLAN can hit that specific vserver.
    If you need to do additional filtering, say by source subnet range, you can use client groups to further permit/deny traffic at a more granular level. Here is an example:
    (The access-list is created globally on the 6500 - the access list is then referenced by number in the CSM configuration. ONLY standard access lists can be used!!)
    access-list 2 permit 192.168.0.0 0.0.255.255
    access-list 2 deny   any
    access-list 3 permit 10.10.0.0 0.0.255.255
    access-list 3 deny   any
    policy 192_subnet_filter
      client-group 2
      serverfarm DMZ4
    policy 10_subnet_filter
      client-group 3
      serverfarm DMZ4
    vserver DMZ4
      virtual 192.168.250.10 tcp www
      vlan 250
      slb-policy 192_subnet_filter
      slb-policy 10_subnet_filter
      persistent rebalance
      inservice
    With this configuration, only traffic with a source IP of 192.168.0.0/16 or 10.10.0.0/16 that arrives on vlan 250 will be allowed to hit the vserver. "client-group 2" refers to "access-list 2" in the global config.
    Note that the serverfarm that used to be under the vserver was removed. If you leave the serverfarm DMZ4 statement under the vserver along with the slb-policy applied, traffic that does not match your client group is sent to that serverfarm. It is another way of filtering traffic out. If you do not include a fallback serverfarm (like the example above), any traffic that doesn't match the client group is reset.
    Let me know if you have any further questions!
    Regards,
    Chris Higgins
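    To make the two behaviours above concrete (no fallback serverfarm resets unmatched sources; a leftover serverfarm statement silently load balances them), here is a small model of the CSM's vserver selection, the vlan statement and a standard-ACL client-group. This is an added example, not Cisco code; the addresses come from the post, and the matching rules are simplified to what the post describes.

```python
"""Model of how a CSM picks a vserver and applies a client-group filter."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


def acl_permits(entries, src_ip):
    """Evaluate a standard ACL with Cisco wildcard masks, first match wins."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, net, wildcard in entries:
        net_i = int(ipaddress.IPv4Address(net))
        wc = int(ipaddress.IPv4Address(wildcard))
        # bits set in the wildcard are "don't care"
        if (src & ~wc) == (net_i & ~wc):
            return action == "permit"
    return False  # implicit deny at the end of every ACL


@dataclass
class Vserver:
    name: str
    vip: str
    port: int
    vlan: int
    policies: list = field(default_factory=list)  # (acl_entries, serverfarm)
    fallback_farm: Optional[str] = None           # "serverfarm X" under the vserver


def dispatch(vservers, vlan, src_ip, dst_ip, dst_port):
    """Return the serverfarm a packet is sent to, or 'RESET' / 'NO-VIP'."""
    for vs in vservers:
        if vs.vip != dst_ip or vs.port != dst_port or vs.vlan != vlan:
            continue  # the vlan statement filters on the ingress VLAN
        for acl, farm in vs.policies:
            if acl_permits(acl, src_ip):
                return farm
        # no slb-policy matched: fallback serverfarm if present, else reset
        return vs.fallback_farm or "RESET"
    return "NO-VIP"


ANY = ("0.0.0.0", "255.255.255.255")
ACL2 = [("permit", "192.168.0.0", "0.0.255.255"), ("deny", *ANY)]
ACL3 = [("permit", "10.10.0.0", "0.0.255.255"), ("deny", *ANY)]

# vserver as in the post: only the slb-policies, no fallback serverfarm
DMZ4_FILTERED = Vserver("DMZ4", "192.168.250.10", 80, 250,
                        policies=[(ACL2, "DMZ4"), (ACL3, "DMZ4")])
# same vserver with "serverfarm DMZ4" left in place: unmatched sources
# are still load balanced, so the client-group no longer filters them
DMZ4_LEAKY = Vserver("DMZ4", "192.168.250.10", 80, 250,
                     policies=[(ACL2, "DMZ4"), (ACL3, "DMZ4")],
                     fallback_farm="DMZ4")
```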

  • CSM in one armed mode Redundancy

    Hi,
    I have a customer with a one-arm setup. However, they have no server VLAN, only a client VLAN. They are using source NAT and it is working; however, I am unsure how to set up redundancy, as the alias command seems to be generally used on the server VLAN.
    I am running HSRP and an FT VLAN across the CSMs.
    Does anyone have any experience of this type of setup? Do I need to add any additional config for fault tolerance?
    Cheers
    Scott

    Scott,
    You can use the alias on whatever VLAN [client or server].
    It is required if your servers or clients are using the CSM as default gateway.
    There is no special config required when doing fault tolerance in one-armed mode.
    It's the same as inline mode.
    Gilles.

  • CSM-S mode -One-Arm-vs- routed

    We currently have an environment with CSS running in routed mode. We are building a new data center with 6509s and CSM-S. My question is what is the best mode to run the CSM-S in routed or one-arm and why?

    Gilles,
    What do you recommend when the traffic flows from the load balanced servers are significant?
    I.e.: you are using Oracle application and database servers, load balancing HTTP and HTTPS to the app servers. There is significant traffic flow from the app servers to the database servers, such that the load balancer in a two-armed configuration (particularly a CSS11501 with 8 10/100 interfaces and a single 1000Base-T interface) would be a significant bandwidth bottleneck.
    Also, if Cisco usually does not recommend one-armed config.... why does the latest Server Farm Security Solution Reference Network Design v2.0 (http://www.cisco.com/warp/public/732/systems/docs/dcsrndbk.pdf) recommend a one-armed configuration for the CSS?

  • How to see the Source IP Address of a client using ACE One-armed-mode to load balance HTTP proxy request

    I'm using an ACE 4710 appliance deployed in one-armed mode, using source NAT to load balance HTTP requests to a couple of proxy servers.
    Everything is working fine, but the thing is that I can't see the clients' IP addresses in the proxies' logs, so I can't keep track of them.
    The interface and NAT configs are:
    interface vlan 200
      description Server-Side-VLAN
      bridge-group 5
      nat-pool 5 10.1.1.5 10.1.1.5 netmask 255.255.255.0 pat
      service-policy input VIPS
    interface vlan 300
      description Client-Side-VLAN
      bridge-group 5
    interface bvi 5
      ip address 10.1.1.3 255.255.248.0
      description Client-Server-Virtual-Interface
    ip route 0.0.0.0 0.0.0.0 10.1.1.1
    And the policy map looks like this:
    policy-map multi-match VIPS
      class Port80
        loadbalance vip inservice
        loadbalance policy Port80
        nat dynamic 5 vlan 200
    Resource assignment:
    sticky ip-netmask 255.255.255.255 address both RESOURCE-CLASS
      timeout 5
      serverfarm Service80
    Any suggestions will be appreciated,
    Thanks

    Hi Kanwal,
    Thanks for your quick reply,
    I've already tried this but it didn't work. The problem is that I don't manage the proxy servers so I rely on their skills to see the logs.
    The Proxies are Squid. Do you know if they need to do something else on the servers to see that field of the HTTP header?
    But I'll try again tomorrow and let you know how it goes.
    Thank you again.
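    The proxy-side half of the header-insert approach discussed in this thread is that the proxy must trust the inserted client address only when the TCP peer is the ACE's NAT pool address (10.1.1.5 in the post), because any host that reaches the proxy directly can send its own X-Forwarded-For. This is an added example, not ACE or Squid code; the log line layout and every address except the NAT pool are constructed.

```python
"""Recover the real client address behind the ACE SNAT pool from an
X-Forwarded-For header, trusting it only from the ACE's nat-pool IP."""
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.1.1.5")}  # ACE nat-pool 5 address


def parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def effective_client(peer, xff):
    """Walk XFF from the right, skipping trusted hops; the first untrusted
    address is the client. A peer that is not the ACE never gets to pick
    its own identity, whatever it puts in the header."""
    peer_ip = parse_ip(peer)
    if peer_ip is None:
        return None
    if peer_ip not in TRUSTED_PROXIES or xff in (None, "", "-"):
        return str(peer_ip)
    hops = [parse_ip(h) for h in xff.split(",")]
    for hop in reversed(hops):
        if hop is None:
            return str(peer_ip)   # garbage in the header: fall back to the peer
        if hop not in TRUSTED_PROXIES:
            return str(hop)
    return str(peer_ip)           # header named only trusted hops


def parse_line(line):
    """Constructed layout: '<peer-ip> <xff-header-or-"-"> <method> <url>'."""
    peer, xff, method, url = line.split(" ", 3)
    return {"peer": peer, "xff": xff, "method": method, "url": url,
            "client": effective_client(peer, xff)}


SAMPLE_LOG = [  # constructed sample lines
    "10.1.1.5 172.16.20.7 GET http://example.test/a",                # ACE inserted the client
    "10.1.1.5 - GET http://example.test/b",                          # no header inserted
    "10.1.1.5 203.0.113.9,172.16.20.8 GET http://example.test/c",    # client sent its own XFF first
    "192.0.2.44 172.16.20.7 GET http://example.test/d",              # direct host forging XFF
    "10.1.1.5 not-an-ip GET http://example.test/e",                  # malformed header
]


def clients_by_request(lines=SAMPLE_LOG):
    """Count requests per effective client address."""
    counts = {}
    for line in lines:
        client = parse_line(line)["client"]
        counts[client] = counts.get(client, 0) + 1
    return counts
```

    Requests that arrive without a usable header are attributed to the NAT pool address itself, which is exactly the "all sessions come from the ACE" symptom the thread describes.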

  • Trade-off between the one-arm and two-arm WAE designs

    We are configuring a WAE (model 512) for a branch office and I was wondering if someone could please tell me the trade-off between the one-arm and two-arm WAE designs.
    thanks..
    greg..

    If you are using WCCP then the WAE becomes the client within the service groups 61, 62. In order to accelerate both VLANs, apply the ip wccp 61 redirect in on the client VLAN interfaces towards the one interface.
    If inline, you can use both two-port groups for each client interface, or trunk all to a single interface and configure which VLANs you would like to accelerate.
    Now in terms of using both GE interfaces, I would have to check. A topology diagram would help.

  • CSS One Arm Configuration with VIP(non-shared)/IP Interface Redundancy

    With Reference to the following CCO documentation;
    1). "How to Configure the CSS to Load Balance Using 1 Interface"
    In this example, the real servers' (10.10.10.2 etc.) gateway is pointed to the router's gateway (10.10.10.1) and the 'add destination service' command is used to NAT the real server's IP address back to the VIP (10.10.10.6).
    2). "Understanding and Configuring VIP and Interface Redundancy on the CSS11000".
    In the interface redundancy configuration, the gateway of the Real Server are configured as the CSS11000's Interface Redundancy Address (192.168.1.1), not the Router's gateway.
    Can anyone help to advise on the preferred one arm configuration with VIP/IP redundancy?
    (i). Is the reason for configuring the gateway of the Real Server to CSS11000's Interface Redundancy Address in 2) same as using 'add destination service' command in 1)? That is to make sure that the return path from Real Server back to Client passes through the CSS and is NAT back to the VIP.
    (ii). To configure VIP(non-shared)/IP Interface redundancy(Active/Backup Mode) in a one arm configuration, my understanding is that there are 2 methods of configuration. Is it correct? Which method is preferred?
    Method a)
    1. Configure the real server's gateway to the router's gateway
    2. Configure the 'add destination service' command on the CSS to NAT the real server's IP address back to the VIP
    3. Configure VIP (non-shared) redundancy for the VIP on the CSS
    4. IP interface redundancy on the CSS is not required as the real server's gateway is already pointing to the router's gateway (assuming that HSRP redundancy is already running on the router)
    Method b)
    1. Configure the real server's gateway to the CSS's IP interface redundancy IP address
    2. Configure IP interface redundancy on the CSS (as the real server's gateway)
    3. Configure VIP (non-shared) redundancy for the VIP on the CSS

    If you use method a) (server gateway is the router) you need the CSS to NAT the source IP address of the client in order to force the server to send traffic back to the CSS.
    The issue then is that the server does not see the IP address of the real client.
    The server only sees connections with source IP address = CSS IP address.
    With method b) you don't have the above problem, but connections initiated by the servers are sent to the CSS, which will then send them to the router.
    You have a performance issue because the traffic will cross the one-armed interface twice.
    If this is a new design, it is strongly recommended not to use a one-armed setup.
    Regards,
    Gilles.
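    Both Jose's reply on the CSS 11503 thread and Gilles' comparison of methods a) and b) above come down to the same two questions: does the server's reply pass back through the CSS, and how many times does a flow cross the single one-armed interface? The following model answers them for each variant. It is an added example, not Cisco code; the addresses are constructed (10.10.10.0/24 holds the router .1, the CSS .5, the VIP .6 and a real server .2, with the client on a remote network).

```python
"""Model of one-armed CSS return paths: server gateway = router with or
without source NAT (method a), and server gateway = CSS (method b)."""
import ipaddress

SUBNET = ipaddress.ip_network("10.10.10.0/24")
ROUTER, CSS, VIP, SERVER = "10.10.10.1", "10.10.10.5", "10.10.10.6", "10.10.10.2"
CLIENT = "192.168.7.7"   # constructed remote client


def next_hop(gateway, dst):
    """Ordinary host forwarding: on-subnet destinations go direct,
    everything else is handed to the configured default gateway."""
    return dst if ipaddress.ip_address(dst) in SUBNET else gateway


def load_balanced_flow(server_gateway, source_nat):
    """Hops traversed by a client -> VIP request and the server's reply."""
    # request: the router delivers to the VIP, the CSS rewrites the
    # destination to the real server (and the source too, when NATing)
    path = [CLIENT, ROUTER, CSS, SERVER]
    src_seen_by_server = CSS if source_nat else CLIENT
    # reply: the server answers whatever source address it saw
    hop = next_hop(server_gateway, src_seen_by_server)
    path.append(hop)
    if hop == CSS:
        path += [ROUTER, CLIENT]   # CSS restores the client/VIP addresses and forwards
    else:
        path.append(CLIENT)        # reply bypassed the CSS: asymmetric, the flow fails
    return path


def server_initiated_flow(server_gateway):
    """A connection the server itself opens to a remote host (no VIP involved)."""
    hop = next_hop(server_gateway, CLIENT)
    path = [SERVER, hop]
    if hop == CSS:
        path.append(ROUTER)        # method b: the CSS merely relays it to the router
    path.append(CLIENT)
    return path


def css_crossings(path):
    """How many times the one-armed CSS interface is traversed by this flow."""
    return path.count(CSS)


def flow_is_symmetric(path):
    """The CSS handles a flow correctly only if it sees both directions,
    i.e. it appears both before and after the server in the path."""
    i = path.index(SERVER)
    return CSS in path[:i] and CSS in path[i + 1:]
```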

  • One-Armed Load Balancing

    Can the CSS 11000 load balance multiple server farms, using different load balancing algorithms, on the same IP subnet and with multiple VIPs in the one-armed configuration?
    I know this is not an ideal configuration but have to do it for a relocation project.
    Thank you

    Yes, you can.
    No need for a trunk.
    But you have to keep in mind that the CSS must see both sides of a connection.
    So, obviously the traffic from the client will hit the CSS VIP, but for the server response you have to make sure it goes back to the CSS.
    This can be done with source NATing or policy routing.
    Gilles.

  • One-armed ACE with servers gateway to ACE (no SNAT?)

    Hello ACE experts, I have two questions.
    Design:
    A one-armed ACE appliance where the servers use the ACE as default gateway (and the ACE of course has a default route to the router).
    Apparently it works in my lab... But since it's not documented I wonder what the gotchas are?
    (This would eliminate the SNAT requirement for one-armed mode.)
    I know I need:
    - no icmp-guard, to allow 'asymmetric ICMP'
    - no normalization, to allow asymmetric traffic when not using the VIP (router to server is direct, but the server response uses the ACE)
    And the other question:
    Bandwidth license: apparently ALL traffic counts towards this limit, even traffic that is only routed. Is this true?
    So in routed mode, all traffic from the server backend that needs to be routed over the ACE (a backup!?) counts?
    Regards Kristof

    Hi
    The reason I used "process every packet" was that not having to process every packet was one of the advantages offered by one-arm mode. The main reason for a one-arm deployment, as I mentioned previously, is ease of placement of the ACE. We can have servers in any VLAN and can put the ACE altogether in a different VLAN. I guess this advantage is of no use for you because the servers are already in the same segment as the ACE.
    The main reason, as I understand it, that customers don't like the concept of SNAT is its restrictions on reporting and security. The client IP will be hidden, so any reporting on the servers for session sources (or for monitoring attacks) will not be fruitful. Although with features like XFF we can overcome this fault for HTTP traffic, customers still don't like the concept of hiding the details of the IPs accessing their servers.
    Regarding the bandwidth count in bridge mode I am not 100% sure, but I believe here again every passing packet will count, as the ACE still monitors every packet and decides whether it is passing traffic, part of load balancing, or hitting any of its configured policies.
