Can someone please explain the exact functionality of the mac-sticky feature? I see in some documents a general idea of what it can be used for, but I'd prefer to know the exact functionality and how it is done.
If you have multiple next-hops on a VLAN.
When traffic comes into the ACE module, it needs to set up a flow inbound but also outbound.
For the outbound flow we can either use the routing table and find out how to reach the source of the traffic or we can use mac-sticky and simply reuse the source mac-address of the incoming traffic when sending the response.
Often used in firewall load balancing to make sure the traffic goes back to the same firewall it came in on.
Hi, thanks for the response. Can you clarify a few points for me?
We intend to use the ACE to load balance traffic to a set of transparent caches. The ACE will redirect the internet users' HTTP traffic to one of the caches. That cache will send the traffic to the internet (via the ACE) on behalf of the client using source IP spoofing. Now we want the return traffic from the internet to go via the same cache that originated the connection. I've been told by Cisco that we need to use the mac-sticky feature for this.
Will this work? Can you explain in a bit more detail how this happens in this particular scenario?
Sorry for the long post.
Thanks and rgds
You don't need mac-sticky in this scenario unless the cache and the client are on the same interface.
If the cache is on a different interface, it will spoof the client ip, but for ACE this is a different connection because it comes on a different interface/vlan.
You would need mac-sticky if the interface was the same. In this case, mac-sticky would force ACE to distinguish the connection based on the src mac-address.
You should validate your solution in the lab.
This will answer all your questions.
Thanks for the response. Yes, I need to set this up in a lab, but that's not feasible at the moment. So these inputs from you experts are very valuable.
So do you mean to say that when I use mac-sticky on an interface (be it VLAN or physical), the ACE remembers the source and destination MAC address of each incoming packet, and then does the reverse on each of the returning packets?
For every connection ACE needs to set up 2 flows.
One for client->server and one for server->client.
So, with a single SYN we already establish 2 flows - one for the SYN but also one for the SYN/ACK.
When we setup the flow server->client we need to decide where to send the packets we will get from the server.
As mentioned before, without mac-sticky, we do a route lookup for the client and use whatever our routing table gives us.
This could be a different device than the one used for incoming traffic. This is the case when multiple routers are attached to the same interface VLAN.
If you have mac-sticky, instead of doing the above, we simply setup the flow to forward the traffic to the src mac-address that was used for the SYN.
All this is then programmed into HW on the fly, and the next packets matching client->server are then forwarded based on the flow description, and the same for the traffic server->client.
You need a good understanding of the HW to understand these functions and commands like mac-sticky.
I would simply say your setup is very common.
So it will work.
You may however need to add some commands like mac-sticky but you will only know it when you start implementing - lab or production.
Thanks for the descriptive answer and for taking the time for it. Being an electronics and telecommunications engineer, I think I would be able to grasp it if your answer is more HW oriented.
I have one more question. In your reply you have said that
"we simply setup the flow to forward the traffic to the src mac-address that was used for the SYN. "
Here, how do you identify which flow a certain return packet belongs to when it hits the ACE? In other words, when the SYN/ACK comes, how does the ACE determine which SYN this SYN/ACK belongs to?
Hope I'm not being a pain for you.
The ACE tries to do as much as it can in hardware. So, when the SYN comes in or the ACK comes back, depending on the flow, the ACE associates that flow to the MAC address that is on the packet. I guess you could say that the ACE 'remembers' the next-hop MAC address a connection came and went on. Thus, MAC sticky is the name.
A flow is defined by (src ip, dst ip, protocol, src port, dst port, vlan).
The SYN will have (SIP, DIP, TCP, XXX, 80, VLAN_X) and we know the SYN/ACK will be (DIP, SIP, TCP, 80, XXX, VLAN_Y).
These 2 flows are programmed in HW.
Each packet will be matched to an existing flow and forwarded accordingly.
If it does not match an existing flow, we send it to a higher level for processing.
This is the same process for every switch in the world nowadays.
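A toy model of the two-flow setup described above, added here as an example (it is not Cisco ACE code): it programs the client->server and server->client flows from a single SYN and shows both ways of picking the return next hop side by side, route lookup versus mac-sticky. The MAC addresses, IPs, VLAN numbers and the one-entry routing table are all constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class FlowKey:
    """Flow identity as the thread gives it: (src ip, dst ip, protocol, src port, dst port, vlan)."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    vlan: int

    def reverse(self, vlan: int) -> "FlowKey":
        """Key the SYN/ACK will carry: addresses and ports swapped, server-side VLAN."""
        return FlowKey(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port, vlan)

class AceFlowTable:
    """Toy flow table: every entry maps a flow key to the next-hop MAC it is forwarded to."""
    def __init__(self, routes, server_vlan, server_mac, mac_sticky=False):
        self.routes = [(ip_network(n), mac) for n, mac in routes]  # stands in for the routing table
        self.server_vlan, self.server_mac, self.mac_sticky = server_vlan, server_mac, mac_sticky
        self.flows = {}  # the "HW" table, programmed on the fly

    def route_lookup(self, ip: str) -> str:
        """Longest-prefix match: the non-sticky way of choosing the return next hop."""
        addr = ip_address(ip)
        return max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)[1]

    def on_syn(self, key: FlowKey, src_mac: str) -> FlowKey:
        """First packet of a connection: program both directions at once."""
        self.flows[key] = self.server_mac  # client->server: towards the real server
        reverse = key.reverse(self.server_vlan)
        # server->client: mac-sticky reuses the SYN's source MAC, otherwise ask the routing table
        self.flows[reverse] = src_mac if self.mac_sticky else self.route_lookup(key.src_ip)
        return reverse

    def forward(self, key: FlowKey):
        """Per-packet lookup; None means no flow matched and the packet is punted upward."""
        return self.flows.get(key)

def return_path_next_hop(mac_sticky: bool) -> str:
    """Constructed scenario: firewalls fw-a and fw-b both sit on client VLAN 10, but the
    routing table only knows fw-a. The SYN actually arrives through fw-b."""
    ace = AceFlowTable([("0.0.0.0/0", "fw-a-mac")], server_vlan=20, server_mac="srv-mac",
                       mac_sticky=mac_sticky)
    syn = FlowKey("198.51.100.7", "203.0.113.10", "TCP", 40000, 80, 10)
    syn_ack = ace.on_syn(syn, src_mac="fw-b-mac")
    return ace.forward(syn_ack)  # fw-a-mac without sticky (asymmetric), fw-b-mac with it
```

Without mac-sticky the SYN/ACK is handed to whichever firewall the routing table names, so a stateful firewall that never saw the SYN drops it; with mac-sticky it returns through the one the SYN arrived on.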
Been a long time since we've discussed things on this conversation, but I've recently completed an ACE implementation and thought to come back here and discuss a few things with you.
What I implemented was the setup that I was talking about earlier in this thread. It is transparent redirection to a transparent cache.
Clients ---- ACE ----- Internet
Clients and Internet are bridged to BVI 10. Cache servers are in a different subnet. ACE matches all port 80 traffic incoming on the client VLAN and load balances that to the Cache SF.
According to one of your replies above, we should not need mac-sticky here, as the clients and Cache are in different VLANs.
But if I do not put the mac-sticky command here, then the clients can't access the web.
What do you think ?