10-29-2007 11:53 AM
I'm having difficulty understanding how to put my ACE blade in service. I have 1 vlan with external ips on my 6500 msfc. All the internal vlans' default gateways are on my msfc as well (e.g. vlan 10 is 192.168.10.1). My plan is to create a new ip on the internal vlan on the ACE (e.g. 192.168.10.10) and have the default gateway for the load balanced servers be 192.168.10. There will also be a route for the internal networks 192.168.0.0/16 and the gateway is set to the MSFC 192.168.10.1.
Is my thinking correct here or can I run into some loops this way?
I'm also confused on where I should be natting the external ips. Do I nat the external ips on the ACE or on the MSFC?
10-29-2007 12:29 PM
By internal Vlans do you mean Real server Vlans?
In typical routing mode there are no SVIs created on the MSFC for the server vlan. Real Servers point to the alias (similar to hsrp standby ip) Server Vlan ip configured on ACE.
If it's not possible to isolate server vlans then you will need to use either Policy based routing or Source nat to make sure that the return traffic from Reals doesn't bypass ACE.
Destination NAT is by default (unless you change the default settings) performed by ACE when you configure virtual and assign reals to it.
Syed
10-29-2007 12:54 PM
Yes I mean real server vlans. So if my ACE interface is the default gateway for all my real servers, doesn't that mean that all my internal traffic between real servers and internal network, such as my web server mounting an nfs volume on an internal ip, is going to have to pass through the ACE, which is limited to a 16Gig backplane connection, and also consuming another tcp connection?
10-29-2007 01:24 PM
10-29-2007 02:29 PM
There are two ways to work around that.
If the only issue is the NAS device then you can have a second NIC on servers configured for the NAS VLAN.
The other option would be to go with a one arm design. In a one arm design only the load balanced traffic hits the ACE. The servers will have a Vlan interface defined on MSFC as the default gateway. The only issue in this case is to ensure that the return traffic shouldn't bypass ACE.
In order to ensure the return traffic traverses ACE, you will need to configure PBR. Policy based routing will look for the return traffic from servers (for example srcip: "server IP" Src port:"80" -- in case of www return traffic) and will forward that traffic to the Vlan interface of ACE.
With "one arm design", Ace is like connected to Cat on a stick. Only traffic hitting the Vips will be forwarded to the ACE and every other traffic to/from Servers (like backup / NAS) will bypass ACE.
Syed
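The PBR arrangement described in the reply above, sketched as an IOS configuration on the MSFC; this is an added example, not part of the original thread. The real server address 192.168.10.50, the ACE VLAN interface address 192.168.20.10 and the ACL and route-map names are assumptions made for illustration; only 192.168.10.1 on vlan 10 comes from the thread.

```cisco
! Constructed values (assumptions, not from the thread):
!   real server        192.168.10.50
!   ACE VLAN interface 192.168.20.10
!
! Match only the www return traffic from the real server
! (source IP = server, source port = 80).
ip access-list extended ACE-RETURN-WWW
 permit tcp host 192.168.10.50 eq 80 any
!
! Send matching packets to the ACE VLAN interface so the ACE
! sees both directions of each load balanced connection.
route-map ACE-RETURN permit 10
 match ip address ACE-RETURN-WWW
 set ip next-hop 192.168.20.10
!
! Apply the policy on the server VLAN SVI, which stays the
! servers' default gateway in the one arm design.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip policy route-map ACE-RETURN
!
! Packets that do not match the route-map (backup, NAS, other
! internal traffic) follow the normal routing table and bypass ACE.
! Verify with: show route-map ACE-RETURN
```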
10-30-2007 10:16 AM
Ok. But won't having 2 routes on my server bypass the need for PBR on the MSFC? My default route points to ACE (to find internet connections from VIP) and I add a route for internal networks to go to MSFC.
10-30-2007 10:28 AM
If your internal networks do not have clients for these applications (clients hitting Vips) then it should work.
Syed
10-30-2007 10:42 AM
My plan is to have the database servers behind an internal VIP but other than that I plan to use MSFC for internal traffic