
Transparent ACE Design

Answered Question
Nov 7th, 2010

Hi,


I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html


My topology will be routed access with transparent contexts, so:


client -> MSFC -> Trans FWSM -> Trans ACE -> VRF -> Rservers subnets A & B.


I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reachability.


My questions are:


1) Can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?

2) What IP address does the MSFC see as the next hop for the RHI advertised VIP?

3) How does the ACE know where to send the Rserver probes? Do I need static routes in ACE to Rserver subnets A & B?

4) Likewise for LB traffic that hits the VIP, how is it forwarded?

5) Can I provide SLB between Rserver subnet A and B by using a new VIP in the ACE BVI range and source NAT, i.e. is this a supported config?


Thanks in advance!


Lee.

Overall Rating: 5 (1 ratings)
Correct Answer
ddastoli Mon, 11/08/2010 - 02:49
User Badges: Cisco Employee

Hi Lee,


Let me reply to you inline:


1) Can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?

Yes, you can use any subnet; of course you must have a route to reach the rservers.

2) What IP address does the MSFC see as the next hop for the RHI advertised VIP?

It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.

3) How does the ACE know where to send the Rserver probes? Do I need static routes in ACE to Rserver subnets A & B?

Either static routes or a gateway.

4) Likewise for LB traffic that hits the VIP, how is it forwarded?

Normally it uses the client IP as source and the destination IP of the rserver if you are not natting. Not sure if this answers your question.

5) Can I provide SLB between Rserver subnet A and B by using a new VIP in the ACE BVI range and source NAT, i.e. is this a supported config?

Yes, it is.


Hope this helps,

/dom


l.stafford Mon, 11/08/2010 - 03:49

Hi Dom,


Thanks for the response. All good answers, which help this design! 


I will clarify question 4 a little for you - I am confused as to how ACE knows how to reach the Rserver subnets as they are not adjacent, as all the literature suggests that no static routes are needed in bridged ACE (apart from mgmt traffic routes).


I assume that with a VRF routed backend between ACE and the Rservers, ACE will need static routes to reach those subnets via the VRF next hop? I just want to clarify that is the case, as this means although the ACE is bridging, it is also making routing decisions?


Is that about right?


Cheers,

Lee.

ddastoli Mon, 11/08/2010 - 12:40
User Badges: Cisco Employee

You are right Lee,


If you need the Rserver to be in a different subnet, then the ACE must know the gateway to reach them.

Possibly you may put the SVI configured on the Catalyst as the gateway.


However, when the rserver replies back, you might need PBR on the Catalyst to forward back to the ACE.


Have a look at this doc here if you wish, I find it very interesting:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html


Hope this helps,

/dom
