ACE Appliance Design Guides

Collin Clark
VIP Alumni

Anyone know where I can find some for the appliance? Everything out there is for the module. Specifically I'm looking to see if the appliance does Direct Server Return and if any other designs are available for the appliance (and not the module per se).


Gilles Dufour
Cisco Employee

Anything for the module works for the appliance.

The only difference is that you need to setup the physical interfaces on the appliance.

DSR is possible. You need to set up transparent mode and disable normalization.

Obviously not possible if you need L7 (http,ftp,...) inspection.

For specific design guides:

http://docwiki.cisco.com/wiki/Cisco_ACE_4700_Series_Appliance_Quick_Start_Guide%2C_Release_A3(1.0)

Gilles

Thanks Gilles. All the docs show servers that are directly connected on the back end. What issues/design considerations do we need to consider when the real devices are not directly connected? The real server won't come back through the load balancer correct? Won't the TCP session be dropped from the client? If you know of a link to answer my questions, that would be great (so you don't have to answer).

Collin, here is a link that might help as well.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html#wp1000603

Depending on the logical design, the return traffic can still go back through the ACE. If not, as Gilles mentioned, a DSR (direct server return) configuration could be an option.

DSR is only an option if the servers are directly connected.

DSR requires the servers to use a loopback address and the serverfarm to be transparent, so that the servers can respond directly using the Virtual IP.

If your problem is that the servers are further hops away, you need to find a way to guarantee that the traffic comes back to the load balancer.

This can be done with client nat on the loadbalancer.

The con is that you lose the original client IP, and the server log will only show connections from the NAT IP address and not the client.

This can also be fixed with client ip header insert for http.

Another solution is to use policy-based routing. More complicated to set in place, but you do not lose the client ip address.

Gilles.
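The client NAT plus HTTP header insert approach above has a server-side consequence that the thread does not spell out: once the real server logs from an inserted header instead of the TCP peer address, it must only believe that header when the connection actually arrived from the load balancer's NAT pool, otherwise any client that reaches the server directly can write whatever it likes into the log. The following is an added example, not code from this thread or from the ACE product; the NAT pool range, the header name and the sample requests are constructed placeholders.

```python
"""Recover the real client address on a server sitting behind a load balancer
that source-NATs client connections and inserts the original client IP into an
HTTP header (the ACE 'client ip header insert' arrangement described above).

The header is trusted only when the TCP peer is one of the load balancer's
NAT addresses; on any other path the peer address itself is logged.
"""
import ipaddress

# Constructed assumption: the load balancer's client-NAT pool, i.e. the source
# addresses the real server sees on connections that passed through the ACE.
TRUSTED_NAT_POOL = [ipaddress.ip_network("10.10.10.0/29")]

# Constructed assumption: the header name configured on the load balancer.
CLIENT_IP_HEADER = "x-forwarded-for"


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def client_ip(peer_addr: str, headers: dict) -> str:
    """Return the address to log for this request.

    peer_addr: the TCP source address of the connection as seen by the server.
    headers:   the request headers as a dict.
    """
    peer = ipaddress.ip_address(peer_addr)

    # Connection did not come from the NAT pool: the header, if present, was
    # set by whoever connected and proves nothing. Log the peer itself.
    if not any(peer in net for net in TRUSTED_NAT_POOL):
        return peer_addr

    raw = _header(headers, CLIENT_IP_HEADER)
    entries = [part.strip() for part in raw.split(",") if part.strip()]
    if not entries:
        # Load balancer did not insert anything; fall back to the NAT address
        # rather than inventing a client.
        return peer_addr

    # The load balancer appends the address it saw, so the rightmost entry is
    # the one added by the trusted hop; anything to its left came from the
    # client and is not validated here.
    candidate = entries[-1]
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        # Malformed value: do not let arbitrary text reach the access log.
        return peer_addr
    return candidate


def access_log_line(peer_addr: str, headers: dict, request_line: str) -> str:
    """Build a simple access-log line keyed on the recovered client address."""
    return f'{client_ip(peer_addr, headers)} "{request_line}"'


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ("10.10.10.2", {"X-Forwarded-For": "203.0.113.7"}, "GET / HTTP/1.1"),
        ("10.10.10.2", {"X-Forwarded-For": "198.51.100.9, 203.0.113.7"}, "GET /a HTTP/1.1"),
        ("192.0.2.5", {"X-Forwarded-For": "203.0.113.7"}, "GET /b HTTP/1.1"),
        ("10.10.10.2", {}, "GET /c HTTP/1.1"),
        ("10.10.10.2", {"X-Forwarded-For": "not-an-address"}, "GET /d HTTP/1.1"),
    ]
    for peer, hdrs, req in samples:
        print(access_log_line(peer, hdrs, req))
```

The third sample is the case that matters: a request that reached the server directly carries a forged header, and because the peer is outside the NAT pool the server logs the real peer rather than the forged value. If the ACE ever places the inserted header first rather than last, the `entries[-1]` choice must be adjusted to match the device's actual behaviour.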

Can you please refer me to a doc explaining DSR in ACE?

Thanks..