ACE "reverse-sticky"

Apr 6th, 2010

Hi all,

I know the reverse-sticky command is not supported in ACE; is there an equivalent command with which I can ensure "reverse-sticky"? I'm trying to load balance Cisco NAC servers with ACE. The NAC server LB concept should be like FWLB: I need the return traffic to go through the same NAC server that the traffic originates from.

Gilles Dufour (Cisco Employee) Tue, 04/06/2010 - 04:02

The solution is to use predictor hash address source on the frontend ACE and predictor hash address destination on the backend ACE.


Gilles.

adrian_teo Tue, 04/06/2010 - 04:31

Hi Gilles,

Thank you for the reply. Does the solution need to be a multiple-ACE deployment? As I only have 1 ACE available, can it be achieved in a single-ACE deployment?

Gilles Dufour (Cisco Employee) Tue, 04/06/2010 - 04:53

This can be done in a single ACE. You could have 2 contexts, 1 for frontend and 1 for backend.

A firewall loadbalancing (FWLB) design is always of the type

outside---------- ACE(front) --------------- Firewalls -------------- ACE(back) --------inside

This is to guarantee that packets flow through the same firewall in both directions.

This can be done with 2 physical ACEs or 2 contexts on a single ACE.

It can also be done inside a single context of a single ACE, but that is maybe more difficult and more confusing.


Gilles.
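As an added illustration of the two-context design Gilles describes (this is example configuration written for this page, not configuration posted in the thread or published by Cisco), the fragment below shows the serverfarm and VIP definitions for the frontend and backend contexts. Context names, VLAN numbers, rserver names and the 10.1.1.x / 10.1.2.x addresses are assumed for the example; the NAC servers are treated as transparent devices (no destination NAT), the frontend context hashes on the client source address and the backend context hashes on the client destination address, so a flow and its return traffic select the same NAC server as long as both serverfarms list the same servers in the same order.

```cisco
! ===== Frontend context (outside -> NAC servers) =====
! Assumed context name: NAC-FRONT
rserver host NAC1
  ip address 10.1.1.11          ! assumed NAC server inside address, outside-facing interface
  inservice
rserver host NAC2
  ip address 10.1.1.12
  inservice

serverfarm host NAC-SF-FRONT
  transparent                   ! do not rewrite the destination IP; NAC is a pass-through device
  predictor hash address source 255.255.255.255   ! pick the NAC server from the client source IP
  rserver NAC1
    inservice
  rserver NAC2
    inservice

class-map match-all ANY-TRAFFIC
  2 match virtual-address 0.0.0.0 0.0.0.0 any   ! catch-all VIP: forward everything through the farm

policy-map type loadbalance first-match NAC-LB-FRONT
  class class-default
    serverfarm NAC-SF-FRONT

policy-map multi-match NAC-FWLB-FRONT
  class ANY-TRAFFIC
    loadbalance vip inservice
    loadbalance policy NAC-LB-FRONT

interface vlan 100                ! assumed outside-facing VLAN
  ip address 10.1.0.2 255.255.255.0
  service-policy input NAC-FWLB-FRONT
  no shutdown

! ===== Backend context (inside -> NAC servers, return direction) =====
! Assumed context name: NAC-BACK
rserver host NAC1
  ip address 10.1.2.11          ! assumed NAC server address on the inside-facing interface
  inservice
rserver host NAC2
  ip address 10.1.2.12
  inservice

serverfarm host NAC-SF-BACK
  transparent
  predictor hash address destination 255.255.255.255   ! return traffic: hash on the client IP, now the destination
  rserver NAC1                  ! same servers, same order as the frontend farm
    inservice
  rserver NAC2
    inservice

class-map match-all ANY-TRAFFIC
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match NAC-LB-BACK
  class class-default
    serverfarm NAC-SF-BACK

policy-map multi-match NAC-FWLB-BACK
  class ANY-TRAFFIC
    loadbalance vip inservice
    loadbalance policy NAC-LB-BACK

interface vlan 200                ! assumed inside-facing VLAN
  ip address 10.1.3.2 255.255.255.0
  service-policy input NAC-FWLB-BACK
  no shutdown
```

The point to check after deployment is the symmetry condition itself: the two serverfarms must contain the same set of NAC servers, and a server taken out of service on one side must be taken out on the other, otherwise the hash buckets no longer line up and return traffic can land on a different NAC server than the forward flow did. The 255.255.255.255 netmask hashes on the full client address; a shorter mask (for example /24) groups a whole subnet onto one server, which is usually what you want only if the NAC servers are sized for that.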
