ACE module in one-arm mode with PBR

Unanswered Question
Jul 8th, 2009

Trying to get an ACE blade to do L3/L4 load-balancing in one-arm mode, but using PBR rather than source NAT.

Got a base config together and load-balancing seems to be working Ok. The problem I am trying to figure out is how to deal with direct flows, e.g traffic which isn't part of a load-balanced flow.

Does anyone know if/how I can configure the ACE to forward return traffic from an rserver which doesn't match part of an existing flow back to the sup720 rather than dropping it? I believe this was an option in CSM.

Thanks for any replies,

George

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
Loading.
osiristrading Wed, 07/08/2009 - 10:59

We encountered the same issue, except we are using the 4710 appliance. We found the simplest way to sort out this problem was to bind secondary IP addresses to the servers being load balanced, and using those IPs for services which are being load balanced. The PBR matches only these IPs - traffic initiated by the primary IP addresses do not match the PBR ACL.

Alternatively, could you not do PBR based on source port? Typical load balanced ports (80,25,etc) are not used as source ports.

george_daly Thu, 07/09/2009 - 00:31

Thanks for responding. Using a secondary IP isn't a bad idea. The second suggestion wouldn't fly because in this case customers must be able to use those typical ports for a mix of load-balanced and non load-balanced.

We actually found a good solution after much digging around, which was configure the SVI in the ACE with 'no normalization' (disclaimer: this disables various security checks in the ACE and makes it operate like a pure load-balancer).

Cheers,

George

Actions

This Discussion