ACE Design/Normalization Question

Jan 19th, 2010

We are deploying an ACE to LB some data center traffic. The ACE will sit off of our core 6500 w/ SUP720. We have multiple subnets that need to be load balanced that also reside on the same 6500.


We have done different tests in both routed and bridged mode and neither of these setups works without using a policy map on the 6500. I have disabled normalization and everything seems to work with the asymmetric flow. Are there any disadvantages to disabling normalization? Also, I've read through most of the Cisco documents about bridged and routed mode. Does anyone know of any other documents out there with a similar design to the above?


Thanks in Advance.

rvavale (Cisco Employee) Tue, 01/19/2010 - 16:38

Hi Darren,


ACE normalization is more of a security feature and won't allow asymmetrical flows through ACE. Normalization is enabled by default.


Without normalization ACE does not monitor the state of the TCP connections, and the first SYN is therefore enough to consider the state as ESTABLISHED.


This link provides an overview of TCP normalization:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.html#wp1002055


To prevent asymmetrical routing, you can configure Source NAT on ACE so that responses from the server will go through ACE.

This link provides a sample configuration of Source NAT:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml


Hope this helps,


Best Regards,
Rahul

Darren Sasso Tue, 01/19/2010 - 19:37

Thanks Rahul.


If I'm not all that worried about security, are there any other reasons you wouldn't disable normalization? Can it affect load balanced traffic?


I'm trying to stay away from source NAT since I will be unable to know the true source of the packet, but outside of source NAT and policy routing on the 6500, is there any other way to handle traffic in this type of design?


Thanks Again.

rvavale (Cisco Employee) Wed, 01/20/2010 - 02:34


Hi Darren,


Normalization can be disabled only for Layer 4 traffic. By disabling TCP normalization the following Layer 4 connection parameters are ignored:

  • exceed-mss: configure behavior if a packet exceeds the MSS
  • random-seq-num-disable: disable TCP sequence number randomization
  • reserved-bits: configure reserved bits in the TCP header
  • syn-data: configure behavior for a SYN packet containing data
  • tcp-options: configure TCP header options
  • urgent-flag: allow/clear the Urgent flag



When using Source NAT, you could consider the option of having ACE insert the client IP header:
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml



If possible, you could point the default gateway of the real servers to ACE; however, I guess the servers are a couple of hops away.



Hope this helps,


Best Regards,
Rahul
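Added illustration, not ACE code and not from this thread: a small Python model of the trade-off Rahul describes. With normalization enabled it tracks the three-way handshake and applies the Layer 4 parameter checks from the list above; with it disabled it marks a flow ESTABLISHED on the first SYN and runs no checks. The MSS value, flag constants, state names, drop reasons and the rule that a non-SYN segment for an unknown flow is dropped are all constructed for the model.

```python
from dataclasses import dataclass, field

MSS = 1460                          # assumed MSS for the exceed-mss check
SYN, ACK, URG = 0x02, 0x10, 0x20    # TCP flag bits

@dataclass
class Segment:
    src: str
    dst: str
    flags: int
    payload: int = 0        # bytes of data carried
    reserved_bits: int = 0  # reserved bits in the TCP header

@dataclass
class Normalizer:
    enabled: bool = True
    flows: dict = field(default_factory=dict)   # (client, server) -> state

    def violations(self, seg):
        """Layer 4 parameter checks; none of them run when disabled."""
        checks = {"exceed-mss": seg.payload > MSS,
                  "reserved-bits": bool(seg.reserved_bits),
                  "syn-data": bool(seg.flags & SYN and seg.payload),
                  "urgent-flag": bool(seg.flags & URG)}
        return [name for name, hit in checks.items() if hit]

    def process(self, seg):
        """Return 'forward' or 'drop:<reason>' for one segment."""
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        key = fwd if fwd in self.flows else rev if rev in self.flows else None
        if not self.enabled:
            # No handshake tracking: the first SYN alone makes the flow
            # ESTABLISHED, so an asymmetric flow is still forwarded.
            if key is None and seg.flags & SYN:
                self.flows[fwd] = "ESTABLISHED"
            return "forward" if key or seg.flags & SYN else "drop:no-flow"
        bad = self.violations(seg)
        if bad:
            return "drop:" + ",".join(bad)
        state = self.flows.get(key)
        if key is None and seg.flags == SYN:
            self.flows[fwd] = "SYN_SENT"
        elif state == "SYN_SENT" and key == rev and seg.flags == SYN | ACK:
            self.flows[key] = "SYN_RECV"
        elif state == "SYN_RECV" and key == fwd and seg.flags & ACK:
            self.flows[key] = "ESTABLISHED"
        elif state != "ESTABLISHED":  # e.g. server SYN/ACK bypassed the device
            return "drop:handshake-incomplete"
        return "forward"
```

With normalization enabled the client's ACK is dropped when the server's SYN/ACK never crossed the device (the asymmetric-flow failure from the original post); with it disabled the same flow is forwarded, but so are segments with the URG flag or oversized data.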
