
New Member

ACE Design/Normalization Question

We are deploying an ACE to LB some data center traffic. The ACE will sit off of our core 6500 w/ SUP720. We have multiple subnets that need to be load balanced that also reside on the same 6500.

We have done different tests in both routed and bridged mode and neither of these setups work without using a policy map on the 6500. I have disabled normalization and everything seems to work with the asymmetric flow. Are there any disadvantages to disabling normalization? Also, I've read through most of the Cisco documents about bridged and routed mode. Does anyone know of any other documents out there with a similar design to the above?

Thanks in Advance.

3 REPLIES
Cisco Employee

Re: ACE Design/Normalization Question

Hi Darren,

ACE normalization is more of a Security feature and won't allow asymmetrical flows through ACE. Normalization is enabled by default.

Without normalization ACE does not monitor the state of the TCP connections and the first SYN is therefore enough to consider the state as ESTABLISHED.

This link provides overview on TCP normalization,
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/security/guide/tcpipnrm.html#wp1002055

To prevent asymmetrical routing, you can configure Source NAT on ACE so that response from Server will go through ACE.

This link provides sample example on configuring Source NAT,
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml

Hope this helps,

Best Regards,
Rahul

New Member

Re: ACE Design/Normalization Question

Thanks Rahul.

If I'm not all that worried about security, are there any other reasons you wouldn't disable normalization? Can it affect load balanced traffic?

I'm trying to stay away from source NAT since I will be unable to know the true source of the packet, but outside of source NAT and policy routing on the 6500, is there any other way to handle traffic in this type of design?

Thanks Again.

Cisco Employee

Re: ACE Design/Normalization Question

Hi Darren,

Normalization can be disabled only for Layer 4 traffic. By disabling TCP normalization the following Layer 4 connection parameters are ignored:

exceed-mss: Configure behavior if a packet exceeds MSS
random-seq-num-disable: Disable TCP sequence number randomization
reserved-bits: Configure Reserved bits in TCP header
syn-data: Configure behavior for a SYN packet containing data
tcp-options: Configure TCP header options
urgent-flag: Allow/Clear Urgent flag

When using Source NAT, you could try considering the option of ACE inserting Client IP Header,
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809c3041.shtml


If possible, you could point the default gateway of the Real Servers to ACE; however, I guess the servers are a couple of hops away.

Hope this helps,

Best Regards,
Rahul
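The following is an added model (constructed example code, not Cisco's ACE implementation) of the behaviour Rahul describes in both replies: with normalization on, the load balancer must see the whole three-way handshake and applies header checks such as syn-data and reserved-bits; with it off, the first SYN alone puts the flow in ESTABLISHED. Under asymmetric routing the server's SYN-ACK bypasses the load balancer, so only the second mode passes the client's later packets. The state names, addresses and the rule that packets with no flow entry are dropped are assumptions of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset          # subset of {"SYN", "ACK"}
    payload: int = 0          # bytes of TCP data carried
    reserved_bits: int = 0    # TCP reserved header bits, must be 0 when normalized

class FlowTracker:
    def __init__(self, normalization=True):
        self.normalization = normalization
        self.flows = {}   # (client, server) -> SYN_SENT | SYN_RCVD | ESTABLISHED (assumed names)

    def forward(self, pkt):
        """True if the load balancer passes the packet, False if it drops it."""
        is_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if is_syn:
            # syn-data and reserved-bits are two of the checks normalization applies
            if self.normalization and (pkt.payload or pkt.reserved_bits):
                return False
            # Without normalization the first SYN alone is treated as ESTABLISHED
            self.flows[(pkt.src, pkt.dst)] = "SYN_SENT" if self.normalization else "ESTABLISHED"
            return True
        # Look the flow up in either direction (client->server or server->client)
        key = (pkt.src, pkt.dst) if (pkt.src, pkt.dst) in self.flows else (pkt.dst, pkt.src)
        state = self.flows.get(key)
        if state is None:
            return False                        # no flow entry (modelling choice)
        if not self.normalization or state == "ESTABLISHED":
            return True
        if {"SYN", "ACK"} <= pkt.flags and state == "SYN_SENT":
            self.flows[key] = "SYN_RCVD"        # server's SYN-ACK seen by the LB
            return True
        if "ACK" in pkt.flags and state == "SYN_RCVD":
            self.flows[key] = "ESTABLISHED"     # handshake complete
            return True
        return False                            # out-of-state packet dropped

def run_scenario(normalization, asymmetric):
    """Verdicts for the client's SYN, handshake ACK and first data segment."""
    lb = FlowTracker(normalization)
    client, server = "10.1.1.10", "10.2.2.20"   # constructed addresses
    verdicts = [lb.forward(Packet(client, server, frozenset({"SYN"})))]
    if not asymmetric:                          # asymmetric: SYN-ACK bypasses the LB
        lb.forward(Packet(server, client, frozenset({"SYN", "ACK"})))
    verdicts.append(lb.forward(Packet(client, server, frozenset({"ACK"}))))
    verdicts.append(lb.forward(Packet(client, server, frozenset({"ACK"}), payload=512)))
    return verdicts
```

`run_scenario(True, True)` returns `[True, False, False]`: the SYN passes but everything after it is dropped because the handshake was never completed from the load balancer's point of view, which is the symptom the original post reports.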
