ACE VIP and servers on the same vlan

Answered Question
Feb 7th, 2014

Hi,

I've built a web application load balanced by an ACE module on a Catalyst 6509. I have some doubts about choosing the ACE one-arm or two-arm routed mode. Right now I've built the following architecture:


FWSM---------------------------------------

                     |             |            |                 

                  ACE     VIP    SERVERS        


The ACE interface, VIP and real servers are on the same VLAN with the same IP subnet, and the servers have the ACE as gateway. I would like to know if there is something wrong with this configuration. I read that in one-arm mode there is a need to source NAT to make the server reply packets go to the ACE, but in my case I set the server gateway directly on the ACE. Is it correct?


Please any suggestion will be very appreciated.

Thanks in advance

regards

angelo

Correct Answer by Fnu Kanwaljeet Singh about 3 years 6 months ago

Hi Angelo,


If the server default gateway is the ACE then you don't need to do source NAT unless the client is also in the same subnet. If the client is in the same subnet then the real server will reply directly to the client. If the client is from a different subnet then no, you don't need to configure NAT.


Regards,

Kanwal

ANGELO DE MASI Fri, 02/07/2014 - 06:52

Hi Kanwal, first of all thank you for your reply.

You answered what I expected, so you reassured me about my doubt. Yes, the clients are not on the same VLAN; they are external, coming from the FWSM outside interface. So please let me clear up this issue: what happens then for traffic directed to the real server from a client outside? I mean for traffic not hitting the VIP, not load balanced, but destined to the rserver? The FWSM will forward this traffic directly to the real server, but the server reply will first pass through the ACE, which will then forward it to the FWSM. Do you think that this situation could create a typical asymmetric routing scenario on the FWSM with "Deny TCP (no connection) from .......... "?

Fnu Kanwaljeet Singh Fri, 02/07/2014 - 07:08

Hi Angelo,


Here the ACE won't be changing the IP address. The FWSM will receive the traffic from the real server source IP, but the L2 MAC would be different, i.e. that of the ACE. Does it matter to the FWSM from where it receives the packet? Is it going to track the L2 information? If it is expecting the traffic from the same MAC to which it gave the packet then it could be a problem, otherwise not.


Regards,

Kanwal

ANGELO DE MASI Fri, 02/07/2014 - 07:21

Hi Kanwal,

Do you mean that simply receiving the reply packet from a different L2 MAC but the same source IP doesn't interfere with the default stateful inspection of the FWSM?

Fnu Kanwaljeet Singh Fri, 02/07/2014 - 07:29

Hi Angelo,


If it is not checking L2 then I don't think it should matter, but I will have to check with the FWSM guy. Give me some time.


Regards,

Kanwal

ANGELO DE MASI Fri, 02/07/2014 - 07:33

Ok Kanwal, thank you. I will wait for your kind reply.

Anyway, I didn't make any special configuration on the FWSM to check L2 information inside the packet.


Regards

angelo

Fnu Kanwaljeet Singh Fri, 02/07/2014 - 07:41

Hi Angelo,


While I am checking the FWSM behavior, I missed mentioning that by default, due to normalization, the ACE will drop the packets it receives from the real server since it doesn't have any information about the corresponding connection. You will need to disable normalization for this to work from the ACE perspective.


Regards,

Kanwal

Fnu Kanwaljeet Singh Fri, 02/07/2014 - 07:44

Hi Angelo,


I just checked and it should not matter to the FWSM from where the packet came as long as the IPs are the same.


Regards,

Kanwal

ANGELO DE MASI Fri, 02/07/2014 - 07:58

Thanks a lot Kanwal for your useful support.

Regarding the normalization that you mentioned, is it true for all traffic passing through the ACE, also for the traffic that is not load-balanced? And moreover, do I have to disable it on the ACE interface by applying the "no normalization" command under config-if?


Regards

angelo

Fnu Kanwaljeet Singh Fri, 02/07/2014 - 08:48

Hi Angelo,


Yes, you will need to do it on the interface and it applies to all traffic. Normally disabling normalization is not suggested as it will expose your ACE to attacks, but if you have the FW taking care of the security you can do so.


Regards,

Kanwal
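As an added illustration (not configuration posted in this thread), an ACE configuration for the same-VLAN topology described above, with the servers' gateway on the ACE and normalization disabled on the single VLAN interface as Kanwal suggests. All IP addresses, the VLAN number and the object names are constructed placeholders, and the ACL assumes the FWSM inside interface at 10.1.100.1 is the only upstream filter.

```cisco
! Constructed example (not from the thread): one VLAN interface on the ACE,
! VIP and real servers in the same subnet, FWSM inside interface as next hop.
! The input ACL must permit both client->VIP/server traffic arriving from the
! FWSM and the server replies, because both enter the same ACE interface.
access-list VLAN100-IN line 10 extended permit tcp any host 10.1.100.10 eq www
access-list VLAN100-IN line 20 extended permit tcp any 10.1.100.0 255.255.255.0 eq www
access-list VLAN100-IN line 30 extended permit tcp 10.1.100.0 255.255.255.0 eq www any
access-list VLAN100-IN line 40 extended permit icmp any 10.1.100.0 255.255.255.0
! Real servers use the ACE interface address (10.1.100.2) as default gateway
rserver host WEB1
  ip address 10.1.100.11
  inservice
rserver host WEB2
  ip address 10.1.100.12
  inservice
serverfarm host WEB-FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice
! The VIP lives in the same subnet as the servers
class-map match-all WEB-VIP
  2 match virtual-address 10.1.100.10 tcp eq www
policy-map type loadbalance first-match WEB-LB
  class class-default
    serverfarm WEB-FARM
policy-map multi-match WEB-POLICY
  class WEB-VIP
    loadbalance vip inservice
    loadbalance policy WEB-LB
    loadbalance vip icmp-reply active
interface vlan 100
  description Shared VLAN: ACE, VIP and real servers (FWSM inside at .1)
  ip address 10.1.100.2 255.255.255.0
  ! Disables TCP normalization so replies to non-load-balanced client->server
  ! flows (which the ACE never saw on the way in) are forwarded instead of
  ! dropped; from here on the ACL above and the FWSM are the only filters.
  no normalization
  access-group input VLAN100-IN
  service-policy input WEB-POLICY
  no shutdown
! Default route back towards the FWSM inside interface
ip route 0.0.0.0 0.0.0.0 10.1.100.1
```

Because `no normalization` removes the ACE's TCP state checks for every flow on that interface, including the non-load-balanced traffic to the real servers, verify that the FWSM is the only path into the VLAN and that its policy covers those flows before applying it.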

ANGELO DE MASI Mon, 02/10/2014 - 05:52

Hi Kanwal,

thank you very much for your kind collaboration.

Your support was very useful.

thanks again


regards

angelo
