ACE in one-arm model

Answered Question
Aug 17th, 2008

Hi Gurus,

I need to configure ACE in one-arm model and in routed mode. Can any Guru post a sample configuration of ACE (one-arm) and Catalyst?

Thanks & Regards,

Shahzad.

Correct Answer by Syed Iftekhar Ahmed about 8 years 3 months ago

With PBR you need to create route-maps which will intercept return traffic from real servers and send it back to the ACE.

For example

If 3 reals (10.10.200.1-3) are listening on port 80 (vlan 200) then the server response will be from 10.10.200.1-3:80 to the clients. If the ACE vlan interface IP is "10.10.90.100" then on the MSFC you will need something along the lines of

interface Vlan200
 ip address 10.10.200.2 255.255.255.0
 ip policy route-map From200Servers
!
route-map From200Servers permit 10
 match ip address 100
 set ip next-hop 10.10.90.100
!
access-list 100 permit tcp host 10.10.200.201 eq www any
access-list 100 permit tcp host 10.10.200.202 eq www any
access-list 100 permit tcp host 10.10.200.203 eq www any

On the ACE you just need to configure one vlan connecting to the CAT. If you are running a redundant pair of ACEs then assign an alias address and use this alias address on the MSFC as the next-hop address under the route-map defined for PBR.

With a one-arm design the upstream routers are defined as the default gateway. This ensures that server-initiated traffic / direct server access traffic can bypass the ACE.

Syed Iftekhar Ahmed

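The point of the PBR design above is that every real server's reply must be caught by the route-map, because any real the access-list misses answers the client directly and the ACE never sees the return half of the flow. The following script is an added example, not part of the thread or of any Cisco tool: it parses the MSFC snippet from the answer (re-indented as IOS shows it, embedded as constructed input), then checks that the server VLAN has a policy route-map applied, that the route-map's next-hop is the ACE (or alias) address, and that each real is covered by the matched ACL. The list of reals is an assumption taken from the prose of the answer (10.10.200.1-3 on port www), since no ACE rserver config is on the page.

```python
import re

# Constructed sample input: the MSFC snippet posted in the answer, re-indented
# as IOS would display it. Not a capture from a real device.
MSFC_CONFIG = """\
interface Vlan200
 ip address 10.10.200.2 255.255.255.0
 ip policy route-map From200Servers
!
route-map From200Servers permit 10
 match ip address 100
 set ip next-hop 10.10.90.100
!
access-list 100 permit tcp host 10.10.200.201 eq www any
access-list 100 permit tcp host 10.10.200.202 eq www any
access-list 100 permit tcp host 10.10.200.203 eq www any
"""

# Assumed real-server list (ip, port name) that the ACE load-balances, taken
# from the prose of the answer rather than from any ACE config on the page.
REALS_FROM_PROSE = [("10.10.200.1", "www"), ("10.10.200.2", "www"), ("10.10.200.3", "www")]

# Only the numbered extended ACL form used in the answer is recognised.
ACL_RE = re.compile(r"access-list (\S+) permit tcp host (\S+) eq (\S+) any$")


def parse_msfc(config):
    """Extract the three pieces PBR needs: which route-map each interface
    applies, what each route-map matches and sets, and which host/port pairs
    each numbered ACL permits. Commands outside those forms are ignored."""
    policy = {}       # interface name -> route-map name
    route_maps = {}   # route-map name -> {"acl": ..., "next_hop": ...}
    acl_hosts = {}    # acl number -> set of (host, port)
    current_if = current_rm = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            # A top-level command ends any interface / route-map block.
            current_if = current_rm = None
            if line.startswith("interface "):
                current_if = line.split()[1]
            elif line.startswith("route-map "):
                current_rm = line.split()[1]
                route_maps.setdefault(current_rm, {})
            else:
                m = ACL_RE.match(line)
                if m:
                    acl_hosts.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
            continue
        if current_if and line.startswith("ip policy route-map "):
            policy[current_if] = line.split()[-1]
        elif current_rm and line.startswith("match ip address "):
            route_maps[current_rm]["acl"] = line.split()[-1]
        elif current_rm and line.startswith("set ip next-hop "):
            route_maps[current_rm]["next_hop"] = line.split()[-1]
    return policy, route_maps, acl_hosts


def check_pbr(config, server_vlan, reals, ace_next_hop):
    """Return a list of findings; an empty list means every real's return
    traffic on server_vlan is policy-routed to ace_next_hop."""
    policy, route_maps, acl_hosts = parse_msfc(config)
    findings = []
    rm_name = policy.get(server_vlan)
    if rm_name is None:
        return [f"{server_vlan}: no 'ip policy route-map' applied; all server replies bypass the ACE"]
    rm = route_maps.get(rm_name, {})
    if rm.get("next_hop") != ace_next_hop:
        findings.append(f"route-map {rm_name}: next-hop {rm.get('next_hop')} is not the ACE address {ace_next_hop}")
    covered = acl_hosts.get(rm.get("acl"), set())
    for ip, port in reals:
        if (ip, port) not in covered:
            findings.append(f"{ip} port {port}: not matched by ACL {rm.get('acl')}; its replies bypass the ACE")
    return findings


if __name__ == "__main__":
    for f in check_pbr(MSFC_CONFIG, "Vlan200", REALS_FROM_PROSE, "10.10.90.100") or ["OK: all reals covered"]:
        print(f)
```

Run against the snippet with the reals taken as 10.10.200.1-3, it reports three uncovered reals, because the access-list entries are for .201-.203; with the reals set to .201-.203 it reports nothing. In a redundant pair the value passed as ace_next_hop should be the alias address, as the answer says, and the same check can be run per server VLAN whenever a real is added, since a real missing from the ACL fails silently: the client simply receives a reply from an address it never sent to.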

Syed Iftekhar Ahmed Sun, 08/17/2008 - 22:53

Shazad ~

Attached is a one-arm ACE config with the relevant MSFC config. This config is based on the assumption that Vlan 90 is used to connect the ACE with the CAT6k (one arm).

If you are configuring a redundant pair of ACEs in two different CAT6k chassis then you need to configure port channels for data & FT traffic on the Cat6k.

Thanks

Syed Iftekhar Ahmed

Ahmed Shahzad Sun, 08/17/2008 - 23:00

Thanks Iftikhar for your quick reply.

I have to configure a redundant pair of ACEs in two different CAT6k chassis, but I could not understand how the one-arm model is controlled, meaning how the ACE will be used for a few servers and not for others. Do we need PBR to control traffic?

Your detailed reply will be highly appreciated.

Thanks and Regards,

Shahzad.

Syed Iftekhar Ahmed Sun, 08/17/2008 - 23:06

You have two options:

1. Source NAT

2. Policy based routing.

The configuration I attached uses Source NAT.

The idea is to make sure that the return traffic does not bypass the ACE. With a one-arm config, if the real server's gateway is the upstream router then it is very likely that the server's response will go to the client directly (bypassing the ACE).

Iftekhar

Ahmed Shahzad Sun, 08/17/2008 - 23:09

Dear Iftikhar,

I want to use PBR. What configuration would be required on Catalyst, ACE and Servers?

Regards,

Shahzad.
