ACE 4700 one-arm design with SSL termination

g-georgiou · ‎09-18-2008

Hi,

We are evaluating the one-arm design for the ACE 4700 and need some clarifications:

1. Are there any limitations in the one-arm design and the SSL offloading

2. Can the ACE be configured with an IN and an OUT vlan to the router

CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan

so that the SSL and the clear text traffic is in a separate Vlan?

3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?

I would appreciate if you can share some sample configs

Regards,

George Georgiou

Syed Iftekhar Ahmed · ‎09-18-2008

There are two ways to implement One Arm topology.

1. One Arm with PBR & 2.One Arm with SRC NAT

PBR/Source Nat is needed to ensure that the return traffic from Real Servers should not bypass ACE.

1. Are there any limitations in the one-arm design and the SSL offloading

The limitations/config issues I can think of are following

One ARM with PBR:

Direct access to Servers require the enabling of Assymtric routing (by turning off Normalization). If direct server access is not required then you dont need to enable assymtric routing. Now for these assymetric connection (Direct Server Access return traffic) its required to purge idle connections more frequently (default being one hour).

One ARM with SRC NAT:

You will loose the client information. Server logs will show the connections initiated from NAT IP Pool configured on ACE.

2. Can the ACE be configured with an IN and an OUT vlan to the router

CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan

so that the SSL and the clear text traffic is in a separate Vlan?

Yes you can do that but wouldnt it make it routed mode topology?

3. In some sample configuration i saw SNAT configuration on the ACE to modify the client IP. This i assume is for instructing the return traffic from the server to go through ACE? Using SNAT we eliminate the requirement for NAT or PBR on the router? Will i still be able to insert the client IP address after the SSL offload?

As I said earlier you loose the Source IP address with SRC NAT. But with ACE you have an option to use header-insert and insert this source ip as an HTTP Header.

Details at

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/slb/guide/classlb.html#wp1040008

HTH

Syed Iftekhar Ahmed

g-georgiou · ‎09-19-2008

See comments

Note: attached is a network diagram - will use 2 VIP for HTTPS termination and 1 VIP SSL native tcp termination

Why there would be asymmetric routing? You mean in the case were the client will hit the VIP but the response will come from the server IP?

2. Can the ACE be configured with an IN and an OUT vlan to the router

CLIENT -> Router -> ACE IN -> ACE OUT -> Router -> Server Vlan

so that the SSL and the clear text traffic is in a separate Vlan?

Yes you can do that but wouldnt it make it routed mode topology?

>> Yes in a sense but it would be more easy >> for troubleshooting since SSL will be in >> one vlan and clear text on the other

./G

Akhtar Samo · ‎06-10-2012

Hello Iftekhar,

Just wondering if there is any way to ensure that in one arm design mode with ssl offload (front end ssl + backend clear text) the backend session is not checked against ssl-proxy which is applied on the interface vlan ?

Regards,

Akhtar

ajayku2 · ‎06-11-2012

Backend session cannot match the VIP for SSL proxy session. As the servers are not initiating session they are just responding to client request on random ports. So untill and unless the server start a session pointing to VIP with the same port combination it is not going to HIT it.

hope that helps.

regards,

Ajay Kumar