topic ACE Multi-Context Shared VLAN? in Application Networking

ACE Multi-Context Shared VLAN?

davemit — Tue, 13 Sep 2011 19:32:34 GMT

I will be deploying the ACE with two virtual contexts in routed mode. Each context will have its own separate server VLAN, but I am wondering if I can share the Client side VLAN between contexts? Is this possible, or does each context need it's own client VLAN for routing back to the network core?

I was planning on using VIPs selected from the Client VLAN subnet. If I do share that VLAN between two contexts, would there be any issues with each context responding correctly to the VIP's configured on it?

Thanks!

ACE Multi-Context Shared VLAN?

Cesar Roque — Tue, 13 Sep 2011 20:58:29 GMT

Hi David,

You can use the same VLAN on different Context but each Context should have its own IP address.

http://tools.cisco.com/squish/880AF

Cesar R

ACE Multi-Context Shared VLAN?

davemit — Tue, 13 Sep 2011 22:47:41 GMT

Thanks for the answer. Are there any issues with the two contexts responding to VIP's when they're assigned from the shared client VLAN?

ACE Multi-Context Shared VLAN?

Marko Leopold — Wed, 14 Sep 2011 06:39:09 GMT

Yes, you can not access the VIP on context A from context B. Or the VIP of context B from context A. That's forbidden by security reasons.

ACE Multi-Context Shared VLAN?

davemit — Wed, 14 Sep 2011 12:41:11 GMT

What do you mean by "can not access the VIP"?

If servers behind Context A need to talk to a VIP in Context B, will it not work in this scenario?

Thanks!

ACE Multi-Context Shared VLAN?

Marko Leopold — Wed, 14 Sep 2011 12:58:34 GMT

Yep, you are right. Cisco says its forbidden by security reasons. So if you want them to talk together you better use two seperate VLANs.

ACE Multi-Context Shared VLAN?

davemit — Wed, 14 Sep 2011 13:05:57 GMT

Wow, okay thanks. I will definitely set up separate VLANs for this!

ACE Multi-Context Shared VLAN?

Cesar Roque — Wed, 14 Sep 2011 13:27:49 GMT

Hello David

This is correct. however, a easy way to fix this and still using the same VLAN is configuring the servers in both Context.

Cesar R.

ACE Multi-Context Shared VLAN?

davemit — Wed, 14 Sep 2011 13:43:03 GMT

Huh? The Real Servers are in separate VLANS (one in each Context). How would I "configure the servers in both contexts"?

ACE Multi-Context Shared VLAN?

Cesar Roque — Wed, 14 Sep 2011 14:39:52 GMT

Hi David,

To expalin this better, I have this two Contexts:

context test

allocate-interface vlan 144

member test

context test2

allocate-interface vlan 144

member test

The config of test is this:

rserver host test

ip address 10.198.16.93

inservice

serverfarm host test

rserver test

inservice

class-map match-all test

2 match virtual-address 10.198.44.180 tcp any

policy-map type loadbalance first-match test

class class-default

serverfarm test

policy-map multi-match test1

class test

loadbalance vip inservice

loadbalance policy test

nat dynamic 1 vlan 144

interface vlan 144

ip address 10.198.44.150 255.255.255.0

access-group input Allow_Access

nat-pool 1 10.198.44.180 10.198.44.180 netmask 255.255.255.0 pat

service-policy input NSS_MGMT

service-policy input test1

no shutdown

ip route 0.0.0.0 0.0.0.0 10.198.44.4

The config of test2 is:

rserver host test

ip address 10.198.44.24

inservice

serverfarm host test

rserver test

inservice

class-map match-all test

2 match virtual-address 10.198.44.181 tcp any

policy-map type loadbalance first-match test

class class-default

serverfarm test

policy-map multi-match test1

class test

loadbalance vip inservice

loadbalance policy test

nat dynamic 1 vlan 144

interface vlan 144

ip address 10.198.44.160 255.255.255.0

access-group input Allow_Access

nat-pool 1 10.198.44.181 10.198.44.181 netmask 255.255.255.0

service-policy input NSS_MGMT

service-policy input test1

no shutdown

ip route 0.0.0.0 0.0.0.0 10.198.44.4

From the rserver 10.198.44.24, I can get to the VIP of Context test 10.198.44.180.

Here is the output:

ACE-M3/test# sh conn

total current connections : 2

conn-id np dir proto vlan source destination state

----------+--+---+-----+----+---------------------+---------------------+------+

2584127 2 in TCP 144 10.198.44.24:52872 10.198.44.180:80 ESTAB

2584134 2 out TCP 144 10.198.16.93:80 10.198.44.180:1029 ESTAB

The condition here is that the ACE is not the default gateway of the servers. There is another L3 device that routes the traffic to the VIP.

Cesar R

ACE Multi-Context Shared VLAN?

davemit — Wed, 14 Sep 2011 16:58:10 GMT

Got it, thanks Cesar. The difference is that you are running One-Arm Mode on both contexts. I will be in-line routed mode, so if I understand properly I will need to have separate client VLANS for both contexts in order to avoid this problem.

ACE Multi-Context Shared VLAN?

nickjacobs — Wed, 21 Dec 2011 03:32:39 GMT

You can add a host route for the VIP of the other context via the upstream router on the context you want access from - it works (but its a bodge that relies on redirects and chews bandwidth!). Also if you run one context on one appliance in a HA pair, and the other context on another is another even bigger bodge that also works.

Re-address to non shared client VLAN is really the only solid way as you say.