ACE ftp inspection for a VIP giving other services.

Jul 5th, 2010

Hello community,


I am very new to the ACE domain and would like to be advised.


The ACE module, since version A2(1.x), has stricter error checks for application protocol inspection. Generic class-map matching is no longer accepted.

(http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html#wp365052)


With this being said, we were wondering, in the case of a VIP giving services on other ports (not only ftp with inspection), if there were any recommendations or best practices about the corresponding configuration:


- Only one VIP configured (one 'match virtual-address' with an extended port range + inspect ftp)


or


- Two VIPs: one with 'match virtual-address x.x.x.x tcp eq 21' + 'inspect ftp', and one with a more generic port range?


or any other approach?


Any suggestion would be appreciated.

Thanks.

Karim

Overall Rating: 5 (1 ratings)
Correct Answer
UHansen1976 Mon, 07/05/2010 - 10:29

Hi Karim,


I'd recommend a per-service based configuration approach.


This way, you can configure service-specific features (e.g. parameter maps, application inspections) for each service, even if you have several services configured for the same VIP. I find this gives much greater flexibility.


hth


/Ulrich
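
A sketch of the per-service layout recommended above, added here as an illustration and not taken from either poster's configuration: the same VIP address is matched by two class-maps, and `inspect ftp` is applied only to the class that matches TCP port 21. The VIP 192.0.2.10, the real-server addresses, the port range 8000-8100, VLAN 100 and all object names are assumptions; lines starting with `!` are annotations, and the interface addressing and ACLs are assumed to exist already.

```cisco
! Real servers and server farms, one farm per service (names are hypothetical)
rserver host RS-FTP-1
  ip address 198.51.100.11
  inservice
rserver host RS-APP-1
  ip address 198.51.100.21
  inservice

serverfarm host SF-FTP
  rserver RS-FTP-1
    inservice
serverfarm host SF-APP
  rserver RS-APP-1
    inservice

! One class-map per service on the same VIP address.
! The FTP class matches only the control port, so inspection has a specific match.
class-map match-all VIP-FTP
  2 match virtual-address 192.0.2.10 tcp eq 21
! The second class covers the remaining service ports and does not include 21.
class-map match-all VIP-APP
  2 match virtual-address 192.0.2.10 tcp range 8000 8100

policy-map type loadbalance first-match LB-FTP
  class class-default
    serverfarm SF-FTP
policy-map type loadbalance first-match LB-APP
  class class-default
    serverfarm SF-APP

! Service-specific features are attached per class:
! FTP inspection applies to VIP-FTP only, not to the other ports.
policy-map multi-match CLIENT-VIPS
  class VIP-FTP
    loadbalance vip inservice
    loadbalance policy LB-FTP
    inspect ftp
  class VIP-APP
    loadbalance vip inservice
    loadbalance policy LB-APP

interface vlan 100
  service-policy input CLIENT-VIPS
```

Keeping the two port matches non-overlapping means each connection falls into exactly one class, so the feature set applied to it is unambiguous.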

krahmani323 Mon, 07/05/2010 - 10:54

Hello Ulrich,


Thank you for your recommendations. I appreciate it.


Regards.

Karim
