ACE internal and external network routing

Answered Question

I'm having difficulty understanding how to put my ACE blade in service. I have 1 VLAN with external IPs on my 6500 MSFC. All the internal VLANs' default gateways are on my MSFC as well (e.g. VLAN 10 is 192.168.10.1). My plan is to create a new IP on the internal VLAN on the ACE (e.g. 192.168.10.10) and have the default gateway for the load balanced servers be 192.168.10. There will also be a route for the internal networks 192.168.0.0/16 with the gateway set to the MSFC 192.168.10.1.

Is my thinking correct here or can I run into some loops this way?

I'm also confused about where I should be NATting the external IPs. Do I NAT the external IPs on the ACE or on the MSFC?

Syed Iftekhar Ahmed Mon, 10/29/2007 - 12:29

By internal Vlans do you mean Real server Vlans?

In typical routing mode there are no SVIs created on the MSFC for the server VLAN. Real servers point to the alias (similar to the HSRP standby IP) server VLAN IP configured on the ACE.

If it's not possible to isolate server VLANs then you will need to use either policy based routing or source NAT to make sure that the return traffic from reals doesn't bypass the ACE.

Destination NAT is by default (unless you change the default settings) performed by the ACE when you configure a virtual and assign reals to it.

Syed

Yes, I mean real server VLANs. So if my ACE interface is the default gateway for all my real servers, doesn't that mean that all my internal traffic between real servers and the internal network, such as my web server mounting an NFS volume on an internal IP, is going to have to pass through the ACE, which is limited to a 16 Gig backplane connection, and also consume another TCP connection?

Syed Iftekhar Ahmed Mon, 10/29/2007 - 14:29

There are two ways to work around that.

If the only issue is the NAS device then you can have a second NIC on servers configured for the NAS VLAN.

The other option would be to go with a one-arm design. In a one-arm design only the load balanced traffic hits the ACE. The servers will have the VLAN interface defined on the MSFC as the default gateway. The only issue in this case is to ensure that the return traffic doesn't bypass the ACE.

In order to ensure the return traffic traverses the ACE, you will need to configure PBR. Policy based routing will look for the return traffic from servers (for example src IP: "server IP", src port: "80" -- in the case of www return traffic) and will forward that traffic to the VLAN interface of the ACE.

With the "one arm design", the ACE is connected to the Cat on a stick. Only traffic hitting the VIPs will be forwarded to the ACE and every other traffic to/from the servers (like backup / NAS) will bypass the ACE.

Syed
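An added example of the PBR piece of the one-arm design described above, written for the Cat6500 MSFC (IOS); this is illustrative config, not Syed's, and the addressing is assumed: real servers on VLAN 10 behind the MSFC SVI 192.168.10.1 from the question, the ACE's one-arm interface on a constructed VLAN 20 at 192.168.20.10, and constructed real server addresses 192.168.10.50 and .51.

```cisco-ios
! Added example (not from the thread). Assumed addressing:
!   real servers on VLAN 10, MSFC SVI 192.168.10.1 = servers' default gateway
!   ACE one-arm VLAN 20, ACE interface/alias 192.168.20.10 (constructed)
!   real servers 192.168.10.50 and 192.168.10.51 (constructed)
!
! Match only the load-balanced return traffic: source = real server, source port 80.
! NAS, backup and server-to-server traffic do not match and are routed normally.
ip access-list extended ACE-RETURN-TRAFFIC
 permit tcp host 192.168.10.50 eq 80 any
 permit tcp host 192.168.10.51 eq 80 any
 deny   ip any any
!
! Packets permitted by the ACL are handed to the ACE instead of the normal route;
! packets denied by the ACL fall through to the routing table.
route-map RETURN-VIA-ACE permit 10
 match ip address ACE-RETURN-TRAFFIC
 set ip next-hop 192.168.20.10
!
! Apply the policy on the server-facing SVI, where the reals' replies enter the MSFC.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map RETURN-VIA-ACE
!
! One-arm VLAN toward the ACE.
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
```

`show route-map RETURN-VIA-ACE` shows the policy-routed packet counter; a reply from a real to a VIP client should increment it while an NFS mount from the same server should not, which is the quickest check that the return path goes through the ACE without pulling the NAS traffic along.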

Correct Answer
Syed Iftekhar Ahmed Tue, 10/30/2007 - 10:28

If your internal networks do not have clients for these applications (clients hitting VIPs) then it should work.

Syed
