Community Member

ACE migration

Migrating from a single 4710 appliance to a pair of ACE30s in a VSS cluster.  The 4710 is running in bridged mode and I plan on utilizing the same VLANs and mode for the ACE30s.  They are currently configured as a redundant pair.  I have not yet turned up the VLAN interfaces on the ACE30s.  The 4710 is currently connected to a single switch with the 2 VLANs defined on the switch.  The ACE30s I'm migrating to are on a VSS cluster and the switches between are a pair of Nexus 7010s.  The end result is no spanning tree redundancy.  Everything is a port-channel or vPC.  My question is, do I need to worry about spanning tree when migrating to the ACE30s utilizing the same VLANs on the 6509s?  This is to minimize changes to the servers on these VLANs.  I basically want to be able to migrate the VIPs from the 4710 to the ACE30s one at a time.  I've attached a diagram of the basic layout.

10 REPLIES
Community Member

ACE migration

I've been thinking more about this.  One question I have is that when I move a VIP to the ACE30s, how will I get the back-end server to send the traffic back through the ACE30 as opposed to the 4710? I'm assuming the ARP for the client address will lead it back to the firewall (which is in front of the ACEs and is the default gateway for the subnet).  How will it know to return through the ACE30 versus the 4710? Would I have to do source NAT on the ACE30s to work around this as a temporary solution until I remove the 4710, or should I use a third VLAN that only lives behind the ACE30s and move the servers onto it as part of each VIP migration?

Cisco Employee

ACE migration

Hi David,

I discussed this here and you shouldn't have any issues with STP while replacing the ACE 4710 with the ACE30 in your above set up. Also, FYI, ACE doesn't support STP.

Regarding the other question, you can use source NAT and that should make the traffic go back via the ACE.

Regards,

Kanwal

Community Member

ACE migration

Is using source NAT the only option for making sure the return path goes through the ACE30 as opposed to the 4710?

Cisco Employee

ACE migration

Hi David,

Source NAT seems to be the best option here. Also, the ACE30 will listen on the VIP and forward the traffic to the servers. Now the return traffic would go to the FW since it is the servers' default gateway. I am not sure why you are saying that traffic should go to the ACE30 as opposed to the 4710. If you do source NAT on the ACE30 it will go back to the ACE30.

Regards,

Kanwal

Community Member

Re: ACE migration

Today traversing the 4710 bridge is the only path back to the firewall and I don't do source NAT; once I enable the ACE30s that will be another path back to the firewall.  If I don't do the source NAT on the ACE30, would the return traffic from the server back to the firewall randomly pick which bridge to traverse? I've attached a logical diagram if that will help.

Cisco Employee

ACE migration

Hi David,

I think it would be random, but you can remove the corresponding VLANs from the 4710 so that returning traffic has no option but to go via the ACE30 only.

Regards,

Kanwal

Community Member

Re: ACE migration

So if I can't remove that VLAN from the 4710 until all the servers are moved, source NAT is probably the best option for ensuring the return traffic from the servers flows through the ACE30s. Either that or use a third VLAN that only exists behind the ACE30s and move the rservers to it as I move the associated VIP.

Cisco Employee

ACE migration

Hi David,

Yeah, either source NAT or introduce another server-side VLAN.

Regards,

Kanwal

Community Member

ACE migration

Thanks! I think I'll go with source NAT for now and then remove the source NAT once the servers are all moved.  The server admins like to see the original client address in their web logs.

Cisco Employee

ACE migration

Hi David,

You can also use X-Forwarded-For for inserting the actual client IP in the HTTP header for reporting purposes, as your server team wants. But if it is for a short while then probably removing source NAT would be the better option.

Regards,

Kanwal

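The two pieces Kanwal describes, source NAT on the ACE30 so server replies come back through the ACE30 rather than the 4710, plus X-Forwarded-For insertion so the web logs still see the real client address, look like this on an ACE in bridged mode. This is an added example, not a config from this thread or from Cisco; the VLAN numbers, addresses, object names and the single-address PAT pool are made up for illustration, and the rserver/serverfarm definitions are trimmed to one host.

```cisco
! Added example (not from the thread): bridged-mode ACE30 VIP with source NAT
! and X-Forwarded-For. VLAN 10 = client side, VLAN 11 = server side,
! both bridged into one subnet (10.10.10.0/24) by BVI 1. All values invented.

access-list ALL line 10 extended permit ip any any

rserver host WEB1
  ip address 10.10.10.11
  inservice

serverfarm host WEB-FARM
  rserver WEB1 80
    inservice

! Traffic to the VIP (10.10.10.100:80) is matched here
class-map match-all VIP-WEB
  2 match virtual-address 10.10.10.100 tcp eq www

! Layer-7 LB policy: pick the farm and stamp the original client IP (%is)
! into an X-Forwarded-For header before the ACE rewrites the source.
policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm WEB-FARM
    insert-http x-forwarded-for header-value "%is"

! Multi-match policy bound to the client-side VLAN. "nat dynamic 1 vlan 11"
! rewrites the client source to an address from pool 1 on VLAN 11, so the
! server replies to that address and the reply can only return via this ACE.
policy-map multi-match CLIENT-VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    loadbalance vip icmp-reply active
    nat dynamic 1 vlan 11

interface vlan 10
  description client side (firewall facing)
  bridge-group 1
  access-group input ALL
  service-policy input CLIENT-VIPS
  no shutdown

interface vlan 11
  description server side
  bridge-group 1
  access-group input ALL
  ! NAT pool lives on the server-side VLAN; one address with PAT
  nat-pool 1 10.10.10.250 10.10.10.250 netmask 255.255.255.255 pat
  no shutdown

interface bvi 1
  ip address 10.10.10.2 255.255.255.0
  no shutdown
```

Two practical notes. First, once the 4710 is retired, the temporary step is simply `no nat dynamic 1 vlan 11` under `class VIP-WEB`; the XFF insertion can stay or go independently, since it does not affect the return path. Second, a single PAT address caps concurrent connections at the ~64k source ports available on that address, so size the pool (a small range rather than one host) for any VIP that carries real load during the migration window.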