Solved: ACE internal and external network routing

mbittman · ‎10-29-2007

I'm have difficulty understanding how to put my ACE blade in service. I have 1 vlan with external ips on my 6500 msfc. All the internal internal vlans default gateways on on my msfc as well (e.g. vlan 10 is 192.168.10.1). My plan is to create a new ip on the internal vlan on the ACE (e.g. 192.168.10.10) and the default gateway for the load balanced servers be 192.168.10. There will also be a route for the internal networks 192.168.0.0/16 and the gateway is set to the MSFC 192.168.10.1.

Is my thinking correct here or can I run into some loops this way?

I'm also confused on where I should be natting the external ips. Do I nat the external ips on the ACE or on the MSFC?

Syed Iftekhar Ahmed · ‎10-30-2007

If your internal networks do not have clients for this applications (clients hitting Vips) then it should work.

Syed

View solution in original post

Syed Iftekhar Ahmed · ‎10-29-2007

By internal Vlans do you mean Real server Vlans?

In typical routing mode there are no SVIs created on the MSFC for the server vlan. Real Servers points to the alias (similar to hsrp stanby ip) Server Vlan ip configured on ACE.

If its not possible to isolate server vlans then you will need to use either Policy based routing or Source nat to make sure that the return traffic from Reals doesnt bypass ACE.

Destination NAT is by default (unless you change the default settings) performed by ACE when you configure virtual and assign reals to it.

Syed

mbittman · ‎10-29-2007

Yes I mean real server vlans. So if my ACE interface is the default gateway for all my real servers, doesn't that mean that all my internal traffic between real servers and internal network, such as my web server mounting a nfs volume on an internal ip is going to have to pass through the ACE which is limited to a 16Gig backplane connection and also consuming another tcp connection?

mbittman · ‎10-29-2007

here is a picture I have in my head of my configuration.

the /29 on the external ip was suppsoed to be a /23

Syed Iftekhar Ahmed · ‎10-29-2007

There are two way to work around that.

If the only issue is the NAS device then you can have a second NIC on servers configured for the NAS VLAN.

The other option would be go with one arm design. In one arm design only the load balanced traffic hits the ACE.The servers will have Vlan interface defined on MSFC as the default gateway. The only issue in this case is to ensure that the return traffic shouldnt bypass ACE.

In order to ensure the return traffic traverse ACE, You will need to configure PBR

. Policy based routing will look for the return traffic from servers (fo example srcip: "server IP" Src port:"80" -- in case of www return traffic) and will forward that traffic to the VLan interface of ACE.

With "one arm design", Ace is like connected to Cat on a stick. Only traffic hitting the Vips will be forwarded to the ACE and every other traffic to/from Servers (like backup / NAS) will bypass ACE.

Syed

mbittman · ‎10-30-2007

Ok. But won't having 2 routes on my server bypass the need for PBR on the MSFC? My default route points to ACE (to find internet connections from VIP) and I add a route for internal networks to go to MSFC.

Syed Iftekhar Ahmed · ‎10-30-2007

If your internal networks do not have clients for this applications (clients hitting Vips) then it should work.

Syed

mbittman · ‎10-30-2007

My plan is to have the database servers behindand internal VIP but other than that I plan to use MSFC for internal traffic