Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
666
Views
0
Helpful
3
Replies

Transparent ACE Design

Go to solution
l.stafford
Level 1
Level 1

‎11-07-2010 11:47 PM

Hi,

I am designing a data centre with VSS, FWSM & ACE. I am using the design guide below as a start point, using the red service chain.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html

my topology will be routed access with transparent contexts, so;

client -> MSFC -> Trans FWSM -> Trans ACE -> VRF - > Rservers subnets A & B.

I will be using RHI to advertise the VIPs to the MSFC. The VRF and MSFC will use OSPF to propagate reach-ability.

my questions are:

1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?

2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?

3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?

4) likewise for LB traffic that hits the VIP, how is it forwarded?

5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?

Thanks in advance!

Lee.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ddastoli
Cisco Employee
Cisco Employee

‎11-08-2010 02:49 AM

Hi Lee,

Let me reply you in line:

1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?

Yes, you can use any subnet, of course you must have a route to reach the rservers.

2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?

It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.

3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?

either static routes or a gateway.

4) likewise for LB traffic that hits the VIP, how is it forwarded?

normally it uses the client IP as source and the destination IP of the rserver if you are not natting. Not sure if this answers your question.

5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?

yes it is.

Hope this helps,

/dom

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ddastoli
Cisco Employee
Cisco Employee

‎11-08-2010 02:49 AM

Hi Lee,

Let me reply you in line:

1) can I use any IP address range for the VIP, or does it have to be part of the subnet that the ACE BVI is in?

Yes, you can use any subnet, of course you must have a route to reach the rservers.

2) what IP address does the MSFC see as the next hop for the RHI advertised VIP?

It will be either the alias IP defined in the interface VLAN of the ACE if it exists, or its IP address if no alias is available.

3) how does the ACE know where to send the Rserver probes, do I need static routes in ACE to Rserver subnets A & B?

either static routes or a gateway.

4) likewise for LB traffic that hits the VIP, how is it forwarded?

normally it uses the client IP as source and the destination IP of the rserver if you are not natting. Not sure if this answers your question.

5) can I provide SLB between Rserver subnet A and B, by using a new VIP in the ACE BVI range and source NAT, eg is this a supported config?

yes it is.

Hope this helps,

/dom

0 Helpful

Go to solution
l.stafford
Level 1
Level 1
In response to ddastoli

‎11-08-2010 03:49 AM

Hi Dom,

Thanks for the response. All good answers, which help this design! 

I will clarify question 4 a little for you - I am confused as to how ACE knows how to reach the Rserver subnets as they are not adjacent, as all the literature suggests that no static routes are needed in bridged ACE (apart from mgmt traffic routes).

I assume that with a VRF routed backend between ACE and the Rservers then ACE will need static routes to reach those subnets via the VRF next hop? I just want to clarify that is the case, as this means although the ACE is bridging, it is also making routing decisions?

is that about right?

Cheers,

Lee.

0 Helpful

Go to solution
ddastoli
Cisco Employee
Cisco Employee
In response to l.stafford

‎11-08-2010 12:40 PM

You are right Lee,

If you need the Rserver to be in a different subnet, then the ACE must know the gateway to reach them.

Possibly you may put the SVI configured in the catalyst as gateway.

However when the rserver will reply back, you might need a PBR on the catalyst to forward back to the ACE.

Have a look at this doc here if you wish, I find it very interesting:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/ACE_FWSM.html

Hope this helps,

/dom

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents