New Member

ACE : One-armed design and IP Routing through the alias address

Hi,

I have a cluster of two ACE-4710 in a one-armed design on a VLAN. I cannot use client NAT, as the source address has to be logged in the server log (source IP insert is not an option here). So, I configured an alias IP address which should serve as the default gateway for the servers.

Is there anything to be configured to allow routing on the same subnet with the ACE, besides a permit ACL and a default route?

I have the following interface configuration, and the local routing does not work:

interface vlan 110
  description *** ACE Context Virtual Interface ***
  ip address 10.56.33.20 255.255.255.240
  alias 10.56.33.22 255.255.255.240
  peer ip address 10.56.33.21 255.255.255.240
  access-group input ALL_TRAFFIC
  service-policy input ACE_MGMT_POLICY
  service-policy input VIP_PROD
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.56.33.17

Thank you,

Yves

  • Application Networking
ACCEPTED SOLUTION
Cisco Employee

Re: ACE : One-armed design and IP Routing through the alias addr

Nothing needs to be done to allow routing, even in one-armed mode.

But the ACE is a stateful device, so it needs to see both sides of the traffic.

What is happening is that you only see traffic from the server ... the other side will probably bypass the ACE.

Try to configure 'no normalization' under the interface.

Gilles.
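
To illustrate Gilles' point that the ACE must see both sides of a flow, here is an added Python model (not from this thread or from Cisco) that replays a constructed DMZ trace through a simplified stateful ACE with normalization on and off. The alias address is the one from the original post; the server, client and port values are assumed.

```python
from collections import namedtuple

# A packet as it would appear in a trace on the DMZ VLAN; seen_by_ace marks
# whether that hop actually traverses the ACE (its alias is the server gateway).
Packet = namedtuple("Packet", "src dst sport dport flags seen_by_ace")

ACE_ALIAS = "10.56.33.22"  # alias address from the original post
SERVER = "10.56.33.25"     # assumed server on VLAN 110, default gateway ACE_ALIAS
CLIENT = "10.56.40.5"      # assumed client on another subnet


def ace_forward(packets, normalization=True):
    """Replay a trace through a simplified stateful ACE.

    With normalization on, a non-SYN TCP packet that matches no connection the
    ACE has already seen is dropped; with 'no normalization' it is routed
    regardless of state. Returns a list of (packet, verdict) pairs.
    """
    conns = set()
    verdicts = []
    for p in packets:
        if not p.seen_by_ace:
            verdicts.append((p, "bypassed ACE"))
            continue
        key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
        if p.flags == "S":
            conns.add(key)
            verdicts.append((p, "forwarded, new connection"))
        elif key in conns or not normalization:
            verdicts.append((p, "forwarded"))
        else:
            verdicts.append((p, "dropped, no matching connection"))
    return verdicts


# Constructed trace. Flow 1: the router hands the client's SYN straight to the
# server (same VLAN), so the ACE only ever sees the server's reply. Flow 2: the
# server opens an outbound connection, so the ACE sees the SYN first.
TRACE = [
    Packet(CLIENT, SERVER, 40001, 22, "S", False),
    Packet(SERVER, CLIENT, 22, 40001, "SA", True),
    Packet(CLIENT, SERVER, 40001, 22, "A", False),
    Packet(SERVER, CLIENT, 50001, 443, "S", True),
    Packet(CLIENT, SERVER, 443, 50001, "SA", False),
    Packet(SERVER, CLIENT, 50001, 443, "A", True),
]


def dropped(normalization):
    """Packets the ACE discards for TRACE under the given interface setting."""
    return [p for p, v in ace_forward(TRACE, normalization) if v.startswith("dropped")]
```

Only the server's SYN-ACK in flow 1 is lost, and only while normalization is on; turning it off means the ACE routes any TCP packet it receives on that interface without a state check, so confirm in a capture that the asymmetric flows are the ones you expect before relaxing it.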

2 REPLIES
New Member

Re: ACE : One-armed design and IP Routing through the alias addr

Hi Gilles,

Too good! It was exactly what needed to be done. It works fine. This morning, I traced packets on the DMZ where the ACE is located and effectively observed the stateful behaviour of the ACE. So, with your suggestion, it solved the TCP communication problem. I also had to enter "no icmp-guard" to permit ICMP replies to be routed.

Thanks again, Gilles, for your quick help!

Yves
