ACE design question

May 13th, 2010

Hopefully I can explain this intelligently. I have 10 racks of servers, each rack has a stack of two 3750s. Each rack is its own IP subnet, e.g. rack 1 is 10.100.1.0/24, rack 2 is 10.100.2.0/24. The 3750 is the DG and has a pair of layer 3 links that go back to a pair of 6500s (in VSS). The 6500s act as the server distribution point (physically, not logically) that then connects to the core. It also has an ACE module. The way I see it I have two options: make 1 rack of servers dedicated to load balancing and use the ACE as the DG. Not a problem, but not optimal for the placement of servers (which I don't control). I believe my other option is to let the servers live in any rack and use routed mode and SNAT the servers (I don't care about losing the original source IP). I think I then have to use PBR on the 3750s for return traffic to the ACE. Is the PBR to point back to the ACE, since the destination from the client request was the VIP? Would it be better to have the ACE as the DG for the servers and force the servers that need to be load-balanced into specific racks? Thanks for your consideration.

dario.didio Fri, 05/14/2010 - 01:07

Hi,

When your servers are L3 away from your ACE, you have the choice between SNAT or PBR; you don't need to combine them.

If SNAT is a possible solution for you, I would go for that one, combined with L3 one-arm mode.

That way, you don't have to change anything (physically or logically); you just add a VLAN and maybe static routes on your L3 access switches if needed.

HTH,

Dario

Collin Clark Fri, 05/14/2010 - 06:35

Thanks Dario, it does help. I thought I might need PBR on the access switch so the return traffic goes to the ACE, but all other traffic flows the correct way. Does that make sense? You stated that I 'add a VLAN'; I'm not sure where I would put that VLAN?

Correct Answer
dario.didio Fri, 05/14/2010 - 07:08

Hi,

Refer to the first picture on the following page.

http://docwiki.cisco.com/wiki/FTP_Load_Balancing_on_ACE_in_One-Arm_Mode_Configuration_Example

That is how your L3 setup would look, with the addition of a router (or routers) in front of your servers.

The VLAN that interconnects the MSFC of the C6500s and the ACE is the VLAN that needs to be added.

In this VLAN / IP subnet, your VIP addresses are configured.

When an external client connects to the VIP address, he is routed to the ACE in VLAN 50 on the drawing.

The ACE does what it does and sends the client request to one of its servers, performing SNAT using either the VIP address or another IP address in VLAN 50.

Via the C6500s, it is routed to the routed access switch, which delivers the request. Your server treats the request and answers to the SNATed address, which is located on the ACE.

It forwards the response to its default GW, which does the same via a static or default route in its routing table. The packet arrives on the MSFC of the C6500, which has the subnet directly connected via VLAN 50, and forwards the packet to the ACE.

There, the SNAT is undone, and the packet is sent, via the default route on the ACE on VLAN 50, to the MSFC of the C6500s, where it is routed back to the client.

Note that all traffic sent directly to the server does not pass the ACE. Only the traffic sent to the VIPs passes the ACE.

Hope this clarifies things :-)

Br,

Dario

Collin Clark Fri, 05/14/2010 - 07:15

Ahhh, that VLAN. Gotcha. It's all clear now. I really appreciate your effort in clearing up my thinking.
