ACE Design/Normalization Question

Unanswered Question
Jan 19th, 2010

We are deploying an ACE to LB some data center traffic. The ACE will sit off of our core 6500 w/ SUP720. We have multiple subnets that need to be load balanced that also reside on the same 6500.

We have done different tests in both routed and bridged mode and neither of these setups works without using a policy map on the 6500. I have disabled normalization and everything seems to work with the asymmetric flow. Are there any disadvantages to disabling normalization? Also, I've read through most of the Cisco documents about bridged and routed mode. Does anyone know of any other documents out there with a similar design to the above?

Thanks in Advance.

rvavale Tue, 01/19/2010 - 16:38

Hi Darren,

ACE normalization is more of a security feature and won't allow asymmetrical flows through the ACE. Normalization is enabled by default.

Without normalization the ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.

This link provides overview on TCP normalization,
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.html#wp1002055

To prevent asymmetrical routing, you can configure Source NAT on ACE so that response from Server will go through ACE.

This link provides sample example on configuring Source NAT,
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Hope this helps,

Best Regards,
Rahul

Darren Sasso Tue, 01/19/2010 - 19:37

Thanks Rahul.

If I'm not all that worried about security, are there any other reasons you wouldn't disable normalization? Can it affect load balanced traffic?

I'm trying to stay away from Source NAT since I will be unable to know the true source of the packet, but outside of Source NAT and policy routing on the 6500, is there any other way to handle traffic in this type of design?

Thanks Again.

rvavale Wed, 01/20/2010 - 02:34


Hi Darren,

Normalization can be disabled only for Layer 4 traffic. By disabling TCP normalization the following Layer 4 connection parameters are ignored:

  exceed-mss - configure behavior if a packet exceeds the MSS
  random-seq-num-disable - disable TCP sequence number randomization
  reserved-bits - configure reserved bits in the TCP header
  syn-data - configure behavior for a SYN packet containing data
  tcp-options - configure TCP header options
  urgent-flag - allow/clear the Urgent flag

When using Source NAT, you could consider the option of having the ACE insert the client IP header,
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

If possible, you could point the default gateway of the real servers to the ACE; however, I guess the servers are a couple of hops away.

Hope this helps,

Best Regards,
Rahul
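To make the two answers above concrete, here is an added example of an ACE A2 routed-mode configuration fragment. It is not configuration from this thread or from Cisco's guides, and the VLAN numbers, IP addresses, and object names are assumptions. It applies Rahul's first suggestion (Source NAT on the server VLAN so replies return through the ACE, with normalization left on), his second (the client IP carried to the real servers in an HTTP header), and sets each of the Layer 4 connection parameters he lists explicitly in a parameter-map; the per-interface `no normalization` alternative that the original poster tested is shown at the end for comparison.

```text
! Added example, not the thread's own configuration.  ACE A2, routed mode.
! Assumed: VLAN 10 = client side facing the 6500, VLAN 20 = server side,
! VIP 10.1.10.100, real servers 10.1.20.11-12, NAT pool 10.1.20.200.

rserver host WEB1
  ip address 10.1.20.11
  inservice
rserver host WEB2
  ip address 10.1.20.12
  inservice

serverfarm host SF-WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! The Layer 4 parameters listed in the answer, set explicitly.  They only
! take effect while normalization is enabled on the receiving interface.
parameter-map type connection TCP-RELAXED
  exceed-mss allow
  random-seq-num-disable
  reserved-bits allow
  syn-data allow
  tcp-options selective-ack allow
  tcp-options timestamp allow
  tcp-options window-scale allow
  urgent-flag allow

class-map match-all VIP-WEB
  2 match virtual-address 10.1.10.100 tcp eq www

! Layer 7 policy so insert-http can add the original client address.
! "%is" is the ACE variable for the connection's source IP.
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB
    insert-http X-Forwarded-For header-value "%is"

! Source NAT: "nat dynamic 1 vlan 20" rewrites the client address to pool 1
! on the server VLAN, so the servers' default gateway (the 6500) still
! sends replies back to the ACE instead of straight to the client.
policy-map multi-match LB-MULTI
  class VIP-WEB
    loadbalance vip inservice
    loadbalance vip icmp-reply
    loadbalance policy LB-WEB
    connection advanced-options TCP-RELAXED
    nat dynamic 1 vlan 20

! Client side, facing the 6500 core.  Normalization stays enabled.
interface vlan 10
  ip address 10.1.10.2 255.255.255.0
  service-policy input LB-MULTI
  no shutdown

! Server side.  One pool address with PAT; servers see 10.1.20.200 as the
! source and find the real client in X-Forwarded-For.
interface vlan 20
  ip address 10.1.20.2 255.255.255.0
  nat-pool 1 10.1.20.200 10.1.20.200 netmask 255.255.255.255 pat
  no shutdown

! Alternative the original poster tested: let the asymmetric return path
! bypass the ACE by disabling normalization on each interface the flow
! crosses.  The TCP-RELAXED checks above are then no longer applied.
!   interface vlan 10
!     no normalization
!   interface vlan 20
!     no normalization
```

Two practical notes on the Source NAT variant: a single PAT address caps concurrent connections at the number of free source ports, so size the `nat-pool` range for the expected load, and the servers must be configured to log and act on `X-Forwarded-For` rather than the socket peer address, since that is now always the pool address. With the `no normalization` variant the ACE accepts a flow on the first SYN and never sees the server's SYN-ACK, so none of the parameter-map checks can be enforced on it.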
