ACE in one-arm model

Aug 17th, 2008

Hi Gurus,


I need to configure ACE in one-arm model and in routed mode. Can any Guru post a sample configuration of ACE (one-arm) and Catalyst?


Thanks & Regards,

Shahzad.

Syed Iftekhar Ahmed Sun, 08/17/2008 - 22:53

Shazad ~


Attached is a one-arm ACE config with the relevant MSFC config. This config is based on the assumption that Vlan 90 is used to connect the ACE with the CAT6k (one arm).


If you are configuring a redundant pair of ACEs in two different CAT6k chassis then you need to configure port channels for data & FT traffic on the Cat6k.


Thanks

Syed Iftekhar Ahmed



Ahmed Shahzad Sun, 08/17/2008 - 23:00

Thanks, Iftikhar, for your quick reply.


I have to configure a redundant pair of ACEs in two different CAT6k chassis, but I could not understand how the one-arm model is controlled, meaning how the ACE will be used for some servers and not for others. Do we need PBR to control the traffic?


Your detailed reply will be highly appreciated.


Thanks and Regards,

Shahzad.

Syed Iftekhar Ahmed Sun, 08/17/2008 - 23:06

You have two options:

1. Source NAT
2. Policy-based routing


The configuration I attached uses Source NAT.


The idea is to make sure that the return traffic does not bypass the ACE. With a one-arm config, if the real server's gateway is the upstream router then it's very likely that the server's response will go to the client directly (bypassing the ACE).


Iftekhar

Ahmed Shahzad Sun, 08/17/2008 - 23:09

Dear Iftikhar,


I want to use PBR. What configuration would be required on Catalyst, ACE and Servers?


Regards,

Shahzad.

Correct Answer
Syed Iftekhar Ahmed Sun, 08/17/2008 - 23:44

With PBR you need to create route-maps which will intercept return traffic from real servers and send it back to the ACE.


For example:


If 3 reals (10.10.200.1-3) are listening on port 80 (vlan 200) then the server response will be from 10.10.200.1-3:80 to the clients. If the ACE vlan interface IP is "10.10.90.100" then on the MSFC you will need something in line with the following:


! Server-facing SVI: PBR is applied to traffic entering from the reals
interface Vlan200
 ip address 10.10.200.2 255.255.255.0
 ip policy route-map From200Servers
!
! Matching return traffic is forced back to the ACE instead of following the routing table
route-map From200Servers permit 10
 match ip address 100
 set ip next-hop 10.10.90.100
!
! Only replies from the reals' port 80 are intercepted (source-port match)
access-list 100 permit tcp host 10.10.200.201 eq www any
access-list 100 permit tcp host 10.10.200.202 eq www any
access-list 100 permit tcp host 10.10.200.203 eq www any



On the ACE you just need to configure one vlan connecting to the CAT. If you are running a redundant pair of ACEs then assign an alias address and use this alias address on the MSFC as the next-hop address under the route-map defined for PBR.


With a one-arm design the upstream routers are defined as the default gateway. This ensures that server-initiated traffic / direct server access traffic can bypass the ACE.


Syed Iftekhar Ahmed
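To make the PBR decision in the answer above concrete, here is an added Python model of how the MSFC classifies a packet arriving on Vlan200 (example code written for this page, not part of the thread or of any Cisco software): it evaluates access-list 100 with IOS first-match semantics and returns the next hop the route-map would set. The client addresses used in the checks are constructed; the reals, the ACE next hop and the ACL lines are the ones from the answer.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values from the thread: ACE alias / next hop 10.10.90.100,
# reals 10.10.200.201-203 as listed in access-list 100.
ACE_NEXT_HOP = "10.10.90.100"


@dataclass(frozen=True)
class AclEntry:
    """One 'permit' line of an extended IOS ACL (only the fields the thread uses)."""
    proto: str
    src: str                 # "host a.b.c.d", "any" or "a.b.c.d/len"
    src_port: Optional[int]  # 'eq www' -> 80; None means any source port
    dst: str


# access-list 100 from the thread: 'permit tcp host X eq www any'.
# The port qualifier sits on the *source*, so only replies sent from the
# reals' port 80 match; connections a server opens itself (ephemeral
# source port) fall through and bypass the ACE, as the answer describes.
ACL_100: List[AclEntry] = [
    AclEntry("tcp", "host 10.10.200.201", 80, "any"),
    AclEntry("tcp", "host 10.10.200.202", 80, "any"),
    AclEntry("tcp", "host 10.10.200.203", 80, "any"),
]


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec[5:] == addr
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def acl_permits(acl: List[AclEntry], proto: str, src: str, sport: int, dst: str) -> bool:
    """First-match evaluation; every IOS ACL ends with an implicit 'deny any'."""
    for e in acl:
        if (e.proto == proto and _addr_matches(e.src, src)
                and (e.src_port is None or e.src_port == sport)
                and _addr_matches(e.dst, dst)):
            return True
    return False


def pbr_next_hop(proto: str, src: str, sport: int, dst: str) -> str:
    """Next hop the MSFC uses for a packet entering Vlan200 under route-map From200Servers."""
    if acl_permits(ACL_100, proto, src, sport, dst):
        return ACE_NEXT_HOP   # 'set ip next-hop 10.10.90.100'
    return "routing-table"    # no match: normal destination-based routing
```

Running `pbr_next_hop("tcp", "10.10.200.201", 80, client)` returns the ACE next hop, while the same server sending from port 40000 returns "routing-table", which is exactly the bypass path for server-initiated traffic.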