ACE : One-armed design and IP Routing through the alias address

Answered Question
Jun 29th, 2009

Hi,

I have a cluster of two ACE-4710 in a one-armed design on a VLAN. I cannot use client NAT as the source address has to be logged in the server log (source IP insert is not an option here). So, I configured an alias IP address which should serve a default gateway for the servers.

Is there anything to be configured to allow routing on the same subnet with the ACE, beside a permit ACL and a default route ?

I have the following interface configuration and the local routing does not work :

interface vlan 110

description *** ACE Context Virtual Interface ***

ip address 10.56.33.20 255.255.255.240

alias 10.56.33.22 255.255.255.240

peer ip address 10.56.33.21 255.255.255.240

access-group input ALL_TRAFFIC

service-policy input ACE_MGMT_POLICY

service-policy input VIP_PROD

no shutdown

ip route 0.0.0.0 0.0.0.0 10.56.33.17

Thank you,

Yves

I have this problem too.
0 votes
Correct Answer by Gilles Dufour about 7 years 5 months ago

nothing needs to be done to allow routing even in one-armed mode.

But, ACE is a stateful device so it needs to see both side of the traffic.

What is happening is that you only see traffic from the server ... the other side will probably bypass the ACE.

Try to configure 'no normalization' under the interface.

Gilles.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Correct Answer
Gilles Dufour Tue, 06/30/2009 - 01:04

nothing needs to be done to allow routing even in one-armed mode.

But, ACE is a stateful device so it needs to see both side of the traffic.

What is happening is that you only see traffic from the server ... the other side will probably bypass the ACE.

Try to configure 'no normalization' under the interface.

Gilles.

yves.haemmerli Tue, 06/30/2009 - 01:32

Hi Gilles,

Too good! It was exactly what to be done. It works fine. This morning, I traced packets on the DMZ where the ACE is locate and effectively observed the stateful behaviour of the ACE. So, with your suggestion, it solved the TCP communication problem. I had to also enter the "no icmp-guard" to permit icmp reply to be routed.

Thanks again Gilles for your quick help !

Yves

Actions

This Discussion