
ACE ftp inspection for a VIP giving other services.

krahmani323
Level 3

Hello community,

I am very new to the ACE domain and would like to be advised.

The ACE module, since version A2(1.x), has stricter error checks for application protocol inspection. Generic class-map matching is no longer accepted.

(http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/release/note/racea2_x.html#wp365052)

With this being said, we were wondering, in the case of a VIP giving services to other ports (not only ftp with inspection), if there were some recommendations or best practices about the corresponding configuration:

- Only one VIP configured (one 'match virtual address' with an extended port range + inspect ftp)

or

- Two VIPs: one with 'match virtual-address x.x.x.x tcp eq 21' + 'inspect ftp', and one with a more generic port range?

or any other approach?

Any suggestion would be appreciated.

Thanks.

Karim

Accepted Solutions

UHansen1976
Level 1

Hi Karim,

I'd recommend a per-service based configuration approach.

This way, you can configure service-specific features (e.g. parameter maps, application inspections) for each service, even if you have several services configured for the same VIP. I find this gives much greater flexibility.

hth

/Ulrich
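
The per-service layout recommended in this answer, sketched as an added ACE configuration example that is not part of the original thread or of either poster's setup. The class-map, policy-map and serverfarm names, the address 192.0.2.10, the 8000-8100 port range and VLAN 100 are assumed placeholders, and the server farms are assumed to be defined elsewhere.

```text
! Added illustration. All names, 192.0.2.10, the 8000-8100 range and VLAN 100
! are assumed placeholders. Lines starting with "!" are reader annotations.

! One class map per service on the same VIP address.
class-map match-all VIP-FTP
  2 match virtual-address 192.0.2.10 tcp eq 21
class-map match-all VIP-APPS
  2 match virtual-address 192.0.2.10 tcp range 8000 8100

! One load-balancing policy per service (server farms defined elsewhere).
policy-map type loadbalance first-match LB-FTP
  class class-default
    serverfarm SF-FTP
policy-map type loadbalance first-match LB-APPS
  class class-default
    serverfarm SF-APPS

! FTP inspection is attached only to the class that matches the FTP control port.
policy-map multi-match CLIENT-VIPS
  class VIP-FTP
    loadbalance vip inservice
    loadbalance policy LB-FTP
    inspect ftp
  class VIP-APPS
    loadbalance vip inservice
    loadbalance policy LB-APPS

interface vlan 100
  service-policy input CLIENT-VIPS
```

Keeping the two port matches non-overlapping means FTP control traffic can only hit the class that carries `inspect ftp`, and each class can later take its own parameter maps without affecting the other service.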

Hello Ulrich,

Thank you for your recommendations. I appreciate it.

Regards.

Karim
