ACE 4710 - Management Only Interface ?

sez sharp
Level 1

I am trying to replicate the management interface functionality of a CSS on an ACE 4710, but have a problem with it being treated as a general routed interface.

Scenario

On the ACE 4710 I have a front-end interface for client-facing VIPs and a back-end interface facing a server farm, taking care of load-balancing flows.

Non-load-balanced system traffic for the back-end servers also flows through these two ACE interfaces, following a default route path (the back-ends use the ACE as default gateway), i.e. DNS requests from the servers flow through the ACE, egressing the front-end interface to hit a firewall and route to an internal DNS server.

Issue

If I add a "management interface" to the ACE 4710 and give it an IP address for management access, the interface by default assumes 'routed' mode and, as the ACE treats this as a general interface, it will route traffic out of it. For example, if the IP address of this management interface is on the same network as the internal DNS server, it breaks that connectivity. This is because the ACE will see the "management" interface as the best route to the directly connected network and send traffic to the DNS server over that; however, the DNS server's response traffic will follow its default route path via the firewall and the ACE front-end interface to get the reply to the back-end server. The firewall will block this traffic, as the traffic is asymmetrically routed and the firewall has not seen the initial DNS request packet.

Question

Is there a way of making an ACE interface a 'non-routed', management-only interface for out-of-band management use?

That is, the ACE will not attempt to route general traffic through the interface.

I realise I could achieve this with multiple contexts, but I want to have a single context for various reasons, i.e. to have a kind of like-for-like CSS replacement using the ACE 4710.

TIA,

Sez
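To make the asymmetric-routing failure in the question concrete, here is a small added simulation of the route lookups it describes (example code written for this page, not from the post or from Cisco). All addresses and interface names are constructed assumptions. It shows the connected management route beating the default route for DNS-bound traffic in a single context, and the management route kept in its own table, which is what the separate-context approach amounts to.

```python
import ipaddress

# Constructed topology following the thread; every address and interface name is an
# assumption for the simulation, not taken from the post.
#   front-end VLAN 10.1.1.0/24: the firewall is the ACE's default gateway
#   back-end  VLAN 10.1.2.0/24: the ACE is the servers' default gateway
#   DNS VLAN   10.1.3.0/24: the firewall is the DNS server's default gateway
SERVER, DNS = "10.1.2.10", "10.1.3.53"

# Routing tables as (prefix, egress interface) pairs.
LB_ROUTES = [("10.1.1.0/24", "vlan-frontend"), ("10.1.2.0/24", "vlan-backend"),
             ("0.0.0.0/0", "vlan-frontend")]
# Same context once a routed "management" interface is added on the DNS subnet:
# the connected /24 now wins over the default route for DNS-bound traffic.
LB_ROUTES_WITH_MGMT = LB_ROUTES + [("10.1.3.0/24", "vlan-mgmt")]
# Separate-context workaround: the management route lives in its own table.
MGMT_CONTEXT_ROUTES = [("10.1.3.0/24", "vlan-mgmt")]
FIREWALL_ROUTES = [("10.1.1.0/24", "fw-outside"), ("10.1.3.0/24", "fw-inside"),
                   ("10.1.2.0/24", "fw-outside")]  # back-end subnet reached via the ACE


def lookup(routes, dst):
    """Longest-prefix match: egress interface for dst, or None when nothing covers it."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface) for p, iface in routes
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def dns_exchange(ace_routes):
    """Walk a back-end server's DNS request out through the ACE and the reply back.

    Returns (ace_egress, reply_delivered). The firewall is stateful: it forwards the
    reply only if it saw the matching request, which is exactly what breaks here.
    """
    firewall_state = set()
    ace_egress = lookup(ace_routes, DNS)
    if ace_egress == "vlan-frontend":        # request passes the firewall, state is built
        firewall_state.add((SERVER, DNS))
    # The DNS server's only path back is its default route, i.e. the firewall.
    if (SERVER, DNS) not in firewall_state:  # asymmetric: firewall never saw the request
        return ace_egress, False
    # Firewall forwards toward the back-end subnet via the ACE front-end interface.
    delivered = (lookup(FIREWALL_ROUTES, SERVER) == "fw-outside"
                 and lookup(ace_routes, SERVER) == "vlan-backend")
    return ace_egress, delivered


if __name__ == "__main__":
    print("single context, no mgmt interface:   ", dns_exchange(LB_ROUTES))
    print("single context, mgmt interface added:", dns_exchange(LB_ROUTES_WITH_MGMT))
    print("mgmt in its own context, DNS via:    ", lookup(MGMT_CONTEXT_ROUTES, DNS))
```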

3 Replies

mwinnett
Level 3

Sez, I don't think that this is possible. Matthew

sez sharp
Level 1

Just in case someone else has to go down this path....

I had no luck with trying to achieve a separate 'management interface' à la CSS (using A5(1) f/w).

The short answer as it stands is you prob have to use a separate context to split LB and management access and accept the other baggage that goes with that.

As workarounds I tried:

  • SNAT to the interface IP, didn't appear to work
  • mac-sticky enable on the management interface, to use that rather than the ip route on the ACE for return traffic propagation. Should have worked, and I got an ICMP response to the management IP, but TCP connections would not establish; I suspect the SYN/ACK response was not going out of the original ingress i/f and hence the handshake failed.

This is a bit of a pain if you are trying to migrate/replicate a CSS install and/or you want a 'simple' LB with no virtualisation, i.e. everything running in the default Admin context.

Seeing as on the ACE 4710 there is a blanked-off, unused motherboard NIC, you'd think it might not be that hard to give the platform a separate Ethernet management port (like, for example, the CSS and ASA firewalls etc.), leaving the 4 x GigE ports for LB traffic only.

Sez
