ACE Appliance Design Guides

Aug 17th, 2009

Anyone know where I can find some for the appliance? Everything out there is for the module. Specifically I'm looking to see if the appliance does Direct Server Return and if any other designs are available for the appliance (and not the module per se).

Gilles Dufour Mon, 08/17/2009 - 22:22

Anything for the module works for the appliance.

The only difference is that you need to set up the physical interfaces on the appliance.



DSR is possible. You need to set up transparent mode and disable normalization.

Obviously not possible if you need L7 (HTTP, FTP, ...) inspection.


For specific design guides:

http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide%2C_Release_A3(1.0)


Gilles

Collin Clark Tue, 08/18/2009 - 05:18

Thanks Gilles. All the docs show servers that are directly connected on the back end. What issues/design considerations do we need to consider when the real devices are not directly connected? The real server won't come back through the load balancer, correct? Won't the TCP session be dropped from the client? If you know of a link to answer my questions, that would be great (so you don't have to answer).


Gilles Dufour Mon, 08/24/2009 - 00:13

DSR is only an option if the servers are directly connected.

DSR requires the servers to use a loopback address and the serverfarm to be transparent, so that the servers can respond directly using the Virtual IP.


If your problem is that the servers are further hops away, you need to find a way to guarantee that the traffic comes back to the load balancer.


This can be done with client NAT on the load balancer.

The con is that you lose the original client IP, and the server log will only show connections from the NAT IP address and not the client.

This can also be fixed with client IP header insert for HTTP.


Another solution is to use policy-based routing. More complicated to put in place, but you do not lose the client IP address.


Gilles.
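
Added example, not part of the thread or of Cisco's documentation: with client NAT plus client IP header insert, the server has to decide when the inserted header can be trusted for logging, because any host that reaches the server directly can send the same header. The NAT pool range, the header name `X-Forwarded-For` and the assumption that the load balancer's value is the last one in the header are all hypothetical.

```python
import ipaddress

# Assumptions (not from the thread): the load balancer's client-NAT pool and
# the name of the header it inserts. Both values are constructed.
LB_NAT_POOL = ipaddress.ip_network("192.0.2.16/28")
CLIENT_IP_HEADER = "x-forwarded-for"


def client_ip_for_log(peer_ip, headers):
    """Return (ip, source) to record in the server log for one HTTP request.

    peer_ip: source address of the TCP connection as seen by the server.
    headers: dict of request header names to values.
    source is "header", "peer" or "peer-nat".
    """
    peer = ipaddress.ip_address(peer_ip)

    # Only connections arriving from the NAT pool passed through the load
    # balancer. For any other peer the header is client-controlled: ignore it.
    if peer not in LB_NAT_POOL:
        return str(peer), "peer"

    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get(CLIENT_IP_HEADER)
    if not raw:
        # NATed connection without the header (for example non-HTTP traffic):
        # the original client IP is lost, so log the NAT address and say so.
        return str(peer), "peer-nat"

    # A client can send its own copy of the header. Assumption: the value
    # added by the load balancer is the last one, so only that one is used.
    candidate = raw.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate)), "header"
    except ValueError:
        # Malformed value: fall back to the address we can actually verify.
        return str(peer), "peer-nat"


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, request headers)
    samples = [
        ("192.0.2.17", {"X-Forwarded-For": "203.0.113.9"}),
        ("198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}),
        ("192.0.2.17", {"X-Forwarded-For": "10.9.9.9, 203.0.113.9"}),
        ("192.0.2.17", {}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip_for_log(peer, hdrs))
```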

axfalk Mon, 08/24/2009 - 08:44

Can you please refer me to a doc explaining DSR in ACE?


Thanks..
