ACE for layer 4 redirection

thedinuka
Level 1

Hi

I've asked a part of this question before, but need further clarifications. Hope someone can help.

We are trying to deploy an ACE to transparently redirect HTTP traffic to a set of proxy servers that are also doing some content filtering. Following is the expected high-level setup.

clients -----[ACE]----- internet
               |
               |
               |
     --------------------------
     |           |            |
 [proxy 1]   [proxy 2]    [proxy 3]

The proxy servers have to go through the ACE again to access the internet. The returning traffic should also go back through the ACE to the same proxy server that catered for the forward traffic. As the proxy does not modify the source IP of the forward traffic (the source IP of the packets going to the internet remains the actual client IP), this appears to be a problem. Would you be able to suggest a solution?

Many thanks


Gilles Dufour
Cisco Employee

That should not be a problem because the vlans are different and the vlan is part of the flow matching function.

So the response from the internet to the client will come on a different vlan than the response from the proxy to the client.

The vlan being different, ACE is able to distinguish between the 2 flows.

G.

Hi, thanks for the response, but I don't think I understand you fully. When the internet traffic is coming back to the ACE, how do I match that traffic so that it can be sent back to the proxy server farm? And then how do I send that traffic to the same proxy which originated that HTTP request on behalf of the client to the internet?

So sorry if I'm missing your point here.

RGDS

You don't have to worry about the response.

Ace will setup the return flow automatically when the request comes in.

G.

Yes, but two problems.

1.) Since the return packet from the internet has the actual client (not the proxy) IP address as the destination IP, will that traffic go back to the proxy rather than directly to the client?

2.) Even if it can be sent back to the proxy server farm, how can I ensure that it will go to the same proxy that originated the HTTP request/etc.?

Sorry to bother you this much

thanks again

Din
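
A simplified model of the flow matching described in the replies above, added here as an illustration; it is not part of the original thread and not Cisco's implementation. The VLAN numbers, addresses and names (`FlowTable`, `proxy2`, `internet-gw`) are constructed, and the proxy is assumed to reuse the client's source port as well as its IP, which is the worst case for key collisions.

```python
from typing import Dict, Optional, Tuple

# Constructed sample values (not from the thread).
CLIENT_VLAN, PROXY_VLAN, INET_VLAN = 10, 20, 30
CLIENT, SERVER = ("10.0.0.5", 40000), ("203.0.113.80", 80)


class FlowTable:
    """Toy connection table: flow key -> (egress VLAN, next hop)."""

    def __init__(self, vlan_in_key: bool = True) -> None:
        self.vlan_in_key = vlan_in_key
        self.flows: Dict[tuple, Tuple[int, str]] = {}
        self.collisions = 0  # entries overwritten with a different action

    def _key(self, vlan, src, dst) -> tuple:
        return (vlan, src, dst) if self.vlan_in_key else (src, dst)

    def _install(self, key, action) -> None:
        if key in self.flows and self.flows[key] != action:
            self.collisions += 1
        self.flows[key] = action

    def add_connection(self, in_vlan, src, dst, out_vlan, out_hop, in_hop) -> None:
        # Forward entry, created when the request comes in.
        self._install(self._key(in_vlan, src, dst), (out_vlan, out_hop))
        # Return entry, created at the same time: keyed on the egress VLAN
        # with endpoints swapped, pointing back to where the request came from.
        self._install(self._key(out_vlan, dst, src), (in_vlan, in_hop))

    def lookup(self, vlan, src, dst) -> Optional[Tuple[int, str]]:
        return self.flows.get(self._key(vlan, src, dst))


def build(vlan_in_key: bool = True) -> FlowTable:
    table = FlowTable(vlan_in_key)
    # Leg 1: client request arrives on the client VLAN, load-balanced to proxy2.
    table.add_connection(CLIENT_VLAN, CLIENT, SERVER, PROXY_VLAN, "proxy2", "client")
    # Leg 2: proxy2 re-sends it on the proxy VLAN with the client's source IP.
    table.add_connection(PROXY_VLAN, CLIENT, SERVER, INET_VLAN, "internet-gw", "proxy2")
    return table


if __name__ == "__main__":
    t = build()
    print("reply on internet VLAN ->", t.lookup(INET_VLAN, SERVER, CLIENT))
    print("reply on proxy VLAN    ->", t.lookup(PROXY_VLAN, SERVER, CLIENT))
    print("collisions without VLAN in key:", build(False).collisions)
```

In this model the reply arriving on the internet VLAN matches the return entry of leg 2 and goes back to `proxy2`, while the same addresses seen on the proxy VLAN match the return entry of leg 1 and go to the client.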
