ACE FTP inspection for a VIP giving other services.

Answered Question
Jul 5th, 2010

Hello community,

I am very new to the ACE domain and would like to be advised.

The ACE module since version A2(1.x) has stricter error checks for application protocol inspection. Generic class-map matching is no longer accepted.

(http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html#wp365052)

With this being said, we were wondering, in the case of a VIP giving services on other ports (not only FTP with inspection), whether there are any recommendations or best practices about the corresponding configuration:

- Only one VIP configured (one 'match virtual-address' with an extended port range + 'inspect ftp')

or

- Two VIPs: one with 'match virtual-address x.x.x.x tcp eq 21' + 'inspect ftp', and one with a more generic port range?

or any other approach?

Any suggestion would be appreciated.

Thanks.

Karim

Correct Answer by UHansen1976, Mon, 07/05/2010 - 10:29

Hi Karim,

I'd recommend a per-service based configuration approach.

This way, you can configure service-specific features (e.g. parameter maps, application inspections) for each service, even if you have several services configured for the same VIP. I find this gives much greater flexibility.

hth

/Ulrich
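A configuration that follows the per-service approach Ulrich recommends, covering the two layouts Karim asks about (a port-specific FTP class with inspection, plus separate classes for the other ports on the same VIP). This is an added example and not configuration from the original thread; the VIP 10.1.1.100, the rserver, serverfarm, class-map and policy-map names, the VLAN, and the port choices are assumptions for illustration. Because the FTP class matches only tcp eq ftp, the 'inspect ftp' action sits on a specific port, which is what the stricter A2(1.x) checks Karim cites expect, while the HTTP and 8000-8010 services on the same address carry no inspection at all.

```text
rserver host FTP-SRV1
  ip address 192.168.10.11
  inservice

rserver host WEB-SRV1
  ip address 192.168.10.21
  inservice

rserver host APP-SRV1
  ip address 192.168.10.31
  inservice

serverfarm host FTP-FARM
  rserver FTP-SRV1
    inservice

serverfarm host WEB-FARM
  rserver WEB-SRV1
    inservice

serverfarm host APP-FARM
  rserver APP-SRV1
    inservice

class-map type ftp inspect match-any FTP-DENY-CMDS
  2 match request-method site
  3 match request-method stou

policy-map type inspect ftp first-match FTP-INSPECT
  class FTP-DENY-CMDS
    deny

policy-map type loadbalance first-match FTP-LB
  class class-default
    serverfarm FTP-FARM

policy-map type loadbalance first-match WEB-LB
  class class-default
    serverfarm WEB-FARM

policy-map type loadbalance first-match APP-LB
  class class-default
    serverfarm APP-FARM

class-map match-all VIP-FTP
  2 match virtual-address 10.1.1.100 tcp eq ftp

class-map match-all VIP-WEB
  2 match virtual-address 10.1.1.100 tcp eq www

class-map match-all VIP-APP
  2 match virtual-address 10.1.1.100 tcp range 8000 8010

policy-map multi-match VIP-POLICY
  class VIP-FTP
    loadbalance vip inservice
    loadbalance policy FTP-LB
    inspect ftp strict policy FTP-INSPECT
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy WEB-LB
  class VIP-APP
    loadbalance vip inservice
    loadbalance policy APP-LB

interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  service-policy input VIP-POLICY
  no shutdown
```

Each service has its own Layer 3/4 class under the one multi-match policy, so inspection, parameter maps or a different serverfarm can be attached to one service without touching the others. Keep the VIP-FTP class ahead of any broad-range class in the policy map so a port 21 connection is matched by the specific entry; if a generic range in the last class overlaps port 21, the flow should still hit VIP-FTP first, but it is worth confirming with show service-policy VIP-POLICY detail, which reports per-class hit counts. The assumed FTP-INSPECT policy denies SITE and STOU, two commands that are rarely needed from clients and commonly abused; the inspection policy is a constructed illustration and the command list should be chosen per deployment.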


krahmani323 Mon, 07/05/2010 - 10:54

Hello Ulrich,

Thank you for your recommendations. I appreciate it.

Regards.

Karim
