ACE 4710 Deployment Guidance

smoothnetworks
Level 1

Hi,

Appreciate there may not be a right or wrong answer here, as this varies from topology to topology, but I'm looking for some notes-from-the-field guidance here from those that have much more deployment experience.

I have a GSS and an ACE, and it's the ACE that's primarily giving me something to think about, in terms of placement and what mode to adopt.

The traffic flow will look loosely like this:

Client---Internet---Firewall---GSS---ACE---Servers

Physically, it's like this. The RED line denotes a boundary, and pretty much anything North of that is not accessible to us, we simply have a L3 trunk between our switches and "their" switches (S3/S4) and talk using EIGRP.

There are other servers in the top tier, some that also require load balancing, some that don’t. Typically, I want to load balance https requests from the internet, to one of the 3 servers in the top half.

I'm not sure what mode to select, routed, one arm? What about placement of the ACE? At the moment, I've just configured 1/1 on it and made it part of the MGMT VLAN; its SVI exists on the S1/S2 switches, so I'm open to change as it's still all in the lab.

What suggestions for easy deployment can you give me?

[Attachment: CaptureACETOP1.PNG (topology diagram)]

Accepted Solution

Borys Berlog
Cisco Employee

Hi

As you correctly mentioned there is no right or wrong answer.

Regarding your particular situation I guess you should check these 2 modes:

1) Routed

2) One Arm

Bridge mode doesn't make a lot of sense in your case, as anyway you have servers somewhere behind an L3 point.

Regarding GSS - it shouldn't be considered as something between FW and ACE, as GSS is just a DNS server, so we can remove it from the picture completely (you don't do load balancing between GSSes on ACE, I presume).

So, back to our 2 modes.

In Routed mode, ACE can be considered as a simple L3 router which can do load balancing. You can put it as an L3 hop between FW and your routers which are doing EIGRP. So, the good thing here - with the right placement you don't need to worry about return traffic getting to ACE (usually it's important); the bad thing - ACE will need to process all traffic between your 2 sides, even that which is not supposed to be load balanced.

One ARM mode is a bit more flexible, as in this case you redirect to ACE only traffic which is supposed to be load balanced (by applying correct routing in your network); however, you need to make sure that return traffic from real servers comes back to ACE. The only way to do it is basically doing Source NAT on ACE, so that real servers receive packets from ACE, not from the Internet, and send replies back to ACE.

The problem you may hit here: sometimes applications need to know from what IP the request came. Here it won't work. For HTTP traffic you can insert the IP into an HTTP header and then check it on the server side. For other protocols - unfortunately the client IP will be hidden.

Of course you can implement one mode for one set of networks/VLANs and another for another set of networks/VLANs. For comfortable management you may use different contexts on ACE.
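The one-arm design described in the answer above, as an added configuration sketch that is not part of the original thread or the poster's lab: the ACE sits on a single VLAN, source-NATs client traffic so the real servers reply to the ACE, and inserts the original client IP into an HTTP header. All addresses, VLAN numbers and object names here are assumed for illustration; the VIP uses plain HTTP because the header can only be inserted when the ACE sees the request in cleartext.

```text
! --- Constructed example: ACE one-arm mode with source NAT and client-IP header insertion ---
! ACE denies traffic by default, so permit it explicitly on the one-arm interface.
access-list ALLOW-ALL line 10 extended permit ip any any

! Single VLAN (assumed VLAN 100) facing the switches; the servers live behind the L3 hop.
interface vlan 100
  ip address 10.1.100.10 255.255.255.0
  access-group input ALLOW-ALL
  ! NAT pool used to source-NAT client connections (PAT so one IP serves many clients)
  nat-pool 1 10.1.100.50 10.1.100.50 netmask 255.255.255.255 pat
  service-policy input VIP-POLICY
  no shutdown

! Default route back towards the switches so forwarded traffic and replies are routed normally.
ip route 0.0.0.0 0.0.0.0 10.1.100.1

! Real servers (assumed addresses in the server tier).
rserver host WEB1
  ip address 10.1.200.11
  inservice
rserver host WEB2
  ip address 10.1.200.12
  inservice

serverfarm host WEB-FARM
  rserver WEB1
    inservice
  rserver WEB2
    inservice

! Virtual IP that the upstream routing steers to the ACE.
class-map match-all HTTP-VIP
  2 match virtual-address 10.1.100.100 tcp eq 80

! Layer-7 policy: pick the farm and record the true client IP, which SNAT would otherwise hide.
! "%is" expands to the client's source IP.
policy-map type loadbalance first-match HTTP-LB
  class class-default
    serverfarm WEB-FARM
    insert-http X-Forwarded-For header-value "%is"

! Bind the VIP to the LB policy and apply source NAT so replies come back via the ACE.
policy-map multi-match VIP-POLICY
  class HTTP-VIP
    loadbalance vip inservice
    loadbalance policy HTTP-LB
    nat dynamic 1 vlan 100
```

Because the servers only ever see 10.1.100.50 as the source, anything that logs or rate-limits per client must read X-Forwarded-For instead of the socket address, and that header should only be trusted from the ACE's NAT address.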
