We configured the ACE environment like the previous topology. VLAN 10 is the VIP VLAN and VLAN 20 is the real server VLAN. Both of them are behind the ASA firewall. There is also a management VLAN 100 in this context. My questions are:
a. How do I set up the default route on the ACE? If all traffic is pointed to the ASA interface as the next hop, what about management traffic? The MGMT VLAN is an internal VLAN. Inbound traffic won't go through the firewall. But the default route will cause any return traffic to go through the firewall.
b. For example, the VIP is 18.104.22.168; the real servers are 22.214.171.124 and 126.96.36.199. I had experience with the CSM before. When I configure the "no nat client, nat server" command on the CSM, all return traffic will have its source address changed to 188.8.131.52. How about the ACE? Are there any similar commands?
For question A, you can use the "ip route" command. It works like the IOS one, and would allow you to configure the ASA as default gateway and a more specific route for the management traffic.
For question B, I believe you are misunderstanding the use of the CSM command, so let me give you a more detailed explanation.
On the client side, for an established connection, traffic from the servers will always come with the IP address of the VIP that the client was using to access.
The "nat server" command defines that, on the server side, the destination IP of the connection will be NATed to the real IP address of the server, while "nat client" will be used to NAT the IP address of the client on the server side.
On the ACE, server NAT is done by default, but you can still disable it if you configure the serverfarm as "transparent".
Thanks for your clarification. But I still did not understand your answer about Question A.
If I am correct, the routing table controls return traffic. For example, subnet 184.108.40.206/24 is allowed to access both the VIP VLAN and the management VLAN. How do I set up the specific route for this subnet?
I'm afraid it's not possible to have separate routing tables per interface, which is what you would need.
On the ACE, you can only configure routes on a per-destination basis, so, even if a specific subnet is allowed to access both the VIPs and the management interface, only one return route can be configured.
I can think of two possible ways around this:
- Use some policy based routing on the switch to route traffic differently based on the source IP address (the one of the ACE)
- Use the default gateway for management traffic and "mac-sticky" for the load-balanced connections. With mac-sticky enabled, the ACE will send the return traffic to the MAC address from where the original traffic came instead of following the routing table
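The return-path behaviour described in the replies above, as an added example that is not part of the original thread and is not Cisco code: a small Python model comparing the per-destination route from the first answer with the mac-sticky workaround. Addresses, next-hop labels and function names are constructed for illustration, and the model assumes only the behaviour stated in the replies.

```python
import ipaddress

def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs: one answer per destination."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def return_path(conn, routes, sticky_vlans=()):
    """Where a reply to conn['client'] is sent.

    With mac-sticky on the ingress VLAN the reply goes back to the MAC the
    request arrived from; otherwise the routing table decides.
    """
    if conn["vlan"] in sticky_vlans:
        return conn["src_mac"]
    return route_lookup(routes, conn["client"])

# Constructed topology (documentation addresses, not the thread's own).
ASA, MGMT_GW = "asa-vlan10", "mgmt-gw-vlan100"
CLIENT = "198.51.100.25"  # in a subnet allowed to reach both VIP and management
vip_conn = {"client": CLIENT, "vlan": 10, "src_mac": ASA}
mgmt_conn = {"client": CLIENT, "vlan": 100, "src_mac": MGMT_GW}

# First answer: default via the ASA, more specific route for the management clients.
specific = [("0.0.0.0/0", ASA), ("198.51.100.0/24", MGMT_GW)]
# Second workaround: default via the management gateway, mac-sticky on the VIP VLAN.
sticky = [("0.0.0.0/0", MGMT_GW)]

def compare():
    """Return (VIP reply next hop, management reply next hop) for each design."""
    return {
        "specific_route": (return_path(vip_conn, specific),
                           return_path(mgmt_conn, specific)),
        "mac_sticky": (return_path(vip_conn, sticky, sticky_vlans={10}),
                       return_path(mgmt_conn, sticky, sticky_vlans={10})),
    }

if __name__ == "__main__":
    for name, (vip_reply, mgmt_reply) in compare().items():
        print(f"{name:15} VIP reply -> {vip_reply:16} mgmt reply -> {mgmt_reply}")
```

With the specific route, replies to the shared client subnet leave via the management gateway even for VIP connections, so they bypass the ASA that saw the inbound flow; with mac-sticky on VLAN 10 the VIP replies return to the ASA while management replies follow the default route.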