ACE VIP and servers on the same vlan

ANGELO DE MASI
Level 1

Hi,

I've built a web application load balanced by an ACE module on a Catalyst 6509. I have some doubts about choosing ACE one-arm or two-arm routed mode. Right now I've built the following architecture:

FWSM---------------------------------------

                     |             |            |                 

                  ACE     VIP    SERVERS        

The ACE interface, VIP and real servers are on the same VLAN with the same IP subnet, and the servers have the ACE as their gateway. I would like to know if there is something wrong with this configuration. I read that in one-arm mode there is a need to source NAT to make the server reply packets go to the ACE, but in my case I set the server gateway directly on the ACE. Is it correct?

Any suggestion will be very much appreciated.

Thanks in advance

regards

angelo

Accepted Solution
Kanwaljeet Singh
Cisco Employee

Hi Angelo,

If the server's default gateway is the ACE then you don't need to do source NAT unless the client is also in the same subnet. If the client is in the same subnet then the real server will reply directly to the client. If the client is from a different subnet then no, you don't need to configure NAT.

Regards,

Kanwal


Hi Kanwal, first of all thank you for your reply.

You answered as I expected, so you have reassured me about my doubt: yes, the clients aren't on the same VLAN, they are external, coming from the FWSM outside interface. So let me please clarify this issue: what happens then for traffic directed to a real server from a client outside? I mean traffic not hitting the VIP, not load balanced, but with an rserver destination. The FWSM will forward this traffic directly to the real server, but the server reply will first pass through the ACE, which will then forward it to the FWSM. Do you think that this situation could create a typical asymmetric routing scenario on the FWSM with "Deny TCP (no connection) from .........." ?

Hi Angelo,

Here the ACE won't be changing the IP address. The FWSM will receive the traffic from the real server's source IP, but the L2 MAC would be different, i.e. that of the ACE. Does it matter to the FWSM where it receives the packet from? Is it going to track the L2 information? If it is expecting the traffic from the same MAC to which it gave the packet then it could be a problem, otherwise not.

Regards,

Kanwal

Hi Kanwal,

Do you mean that simply receiving a reply packet from a different L2 MAC but the same src IP doesn't interfere with the default stateful inspection of the FWSM?

Hi Angelo,

If it is not checking L2 then I don't think it should matter, but I will have to check with the FWSM guy. Give me some time.

Regards,

Kanwal

OK Kanwal, thank you. I will wait for your kind reply.

Anyway, I didn't make any special configuration on the FWSM to check L2 information inside the packet.

Regards

angelo

Hi Angelo,

While I am checking the FWSM behavior, I missed mentioning that by default, due to normalization, the ACE will drop the packets it receives from the real server since it doesn't have any information about the corresponding connection. You will need to disable normalization for this to work from the ACE perspective.

Regards,

Kanwal

Hi Angelo,

I just checked and it should not matter to the FWSM where the packet came from as long as the IPs are the same.

Regards,

Kanwal

Thanks a lot Kanwal for your useful support.

Regarding the normalization that you mentioned, is it true for all traffic passing through the ACE, also for traffic that is not load balanced? And moreover, do I have to disable it on the ACE interface by applying the "no normalization" command under config-if?

Regards

angelo

Hi Angelo,

Yes, you will need to do it on the interface and it applies to all traffic. Normally disabling normalization is not suggested, as it will expose your ACE to attacks, but if you have the FW taking care of the security you can do so.

Regards,

Kanwal
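For readers who want to see the pieces of this thread in one place, the fragment below is an added illustration of the single-VLAN layout discussed above (ACE interface, VIP and real servers in one subnet, servers using the ACE as their gateway, `no normalization` applied under the VLAN interface). It is not configuration from the original poster or from Cisco documentation; the VLAN number, addresses, object names and ports are constructed placeholders, and the address of the FWSM inside interface used as the ACE default route is an assumption.

```text
! --- Constructed example, not the poster's configuration ---
! Real servers in the same subnet as the ACE interface and the VIP.
rserver host WEB1
  ip address 10.1.1.11        ! constructed address
  inservice
rserver host WEB2
  ip address 10.1.1.12        ! constructed address
  inservice

serverfarm host SF-WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! VIP lives in the same 10.1.1.0/24 subnet as the interface below.
class-map match-all VIP-HTTP
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match LB-HTTP
  class class-default
    serverfarm SF-WEB

policy-map multi-match VIP-POLICY
  class VIP-HTTP
    loadbalance vip inservice
    loadbalance policy LB-HTTP

! Single VLAN shared by ACE, VIP and servers (servers' default gateway = 10.1.1.1).
interface vlan 100
  ip address 10.1.1.1 255.255.255.0
  ! Disables TCP normalization for ALL traffic crossing this interface,
  ! including non-load-balanced server replies routed via the ACE
  ! (the case discussed in the thread). Only acceptable because the FWSM
  ! in front of the ACE still performs stateful inspection.
  no normalization
  service-policy input VIP-POLICY
  no shutdown

! Default route towards the FWSM inside interface (assumed address).
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```

The point of the fragment is the placement of `no normalization`: it is an interface-level setting, so it removes ACE's TCP sanity checks for every flow on VLAN 100, not just for the direct-to-rserver replies that motivated it. Keep the access-group/ACL restrictions on the interface and rely on the FWSM for stateful filtering when you make this trade-off.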

Hi Kanwal,

thank you very much for your kind collaboration.

Your support was very useful.

thanks again

regards

angelo

Hi Angelo,

Glad to know that i was of help:)

Regards,

Kanwal
