ACE "reverse-sticky"

Unanswered Question
Apr 6th, 2010

Hi all,

        II know reverse-sticky command is not support in ACE, is there a equavient comment that i can ensure "reverse-sticky". I'm trying to loadbalance Cisco NAC servers with ACE. The NAC server LB concept should be like FWLB, i need the return traffic from to go throught the same NAC server that the traffic orginates.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Tue, 04/06/2010 - 04:02

The solution is to use predictor hash address souce on the frontend ACE and predictor hash address destination on the backend



adrian_teo Tue, 04/06/2010 - 04:31

Hi Gilles,

             Thank you for the reply. Does the solution needs to be in multiple ACE deployment? As i only have 1 ACE available can it be achived in a single ACE deployment?

Gilles Dufour Tue, 04/06/2010 - 04:53

This can be done in a single ACE.  You could have 2 contexts 1 for frontend and 1 for backend.

A firewall loadbalancing (FWLB) design is always of the type

outside---------- ACE(front) --------------- Firewalls -------------- ACE(back) --------inside

This is to guarantee that packets flow through the same firewall in both direction.

This can be done with 2 physical ACE's or 2 contexts on a single ACE.

Can also be done inside a single context of a single ACE but maybe more difficult - more confusing.



This Discussion