Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4038
Views
0
Helpful
10
Replies

ACE migration

Go to solution
David Niemann
Level 3
Level 3

‎12-11-2013 01:21 PM

Migrating from a single 4710 appliance to a pair of ACE30s in a VSS cluster.  The 4710 is running in bridged mode and I plan on utilizing the same VLANs and mode for the ACE30s.  They are currently configured as a redundant pair.  I have not yet turned up the VLAN interfaces on the ACE30s.  The 4710 is currently connected to a single switch with the 2 VLANs defined on the switch.  The ACE30s I'm migrating to are on a VSS cluster and switches between are a pair of Nexus 7010s.  The end result is no spanning tree redundancy.  Everything is a port-channel or vPC.  My question is do I need to worry about spanning tree when migrating to the ACE30s utlizing the same VLANs on the 6509s.  This is to mimize changes to the servers on these VLANs.  I basically want to be able to migrate the VIPs from the 4710 to the ACE30s one at a time.  I've attached a diagram of the basic layout.

Labels:
Preview file
677 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-13-2013 10:39 AM

Hi David,

Yeah either src nat or introduce another server side vlan.

Regards,

Kanwal

View solution in original post

0 Helpful
10 Replies 10

Go to solution
David Niemann
Level 3
Level 3

‎12-12-2013 08:54 AM

I've been thinking more about this.  One question I have is that when I move a VIP to the ACE30s how will I get the back end server to send the traffic back through the ACE30 as opposed to the 4710? I'm assuming the arp for the client address will lead it back to the firewall (which is in front of the ACEs and is the default gateway for the subnet).  How will it know to return through the ACE30 versus the 4710? Would I have to do source NAT on the ACE30s to work around this as a temporary solution until I remove the 4710 or should I use a third VLAN that only lives behind the ACE30s and move the servers onto it as part of each VIP migration.

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-12-2013 09:21 AM

Hi David,

I discussed this here and you shouldn't have any issues with STP while replacing AC4710 with ACE 30 in your above set up. Also, fyi ACE doesn't support STP.

Regarding the other question you can use the source NAT and that should take make the traffic go back via ACE.

Regards,

Kanwal

0 Helpful

Go to solution
David Niemann
Level 3
Level 3
In response to Kanwaljeet Singh

‎12-12-2013 11:52 AM

Is using source NAT the only option for making sure the return path goes through the ACE30 as opposed to the 4710?

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-12-2013 11:59 AM

Hi David,

Src nat seems to be the best option here. Also, ACE30 will listen on VIP and fwd the traffic to servers. Now return traffic would go to FW since it is the severs default gateway. I am not sure why you are saying that traffic should go to ACE 30 as oppose to 4710. If you do src nat on ACE30 it will go back to ACE30.

Regards,

Kanwal

0 Helpful

Go to solution
David Niemann
Level 3
Level 3
In response to Kanwaljeet Singh

‎12-12-2013 12:21 PM

Today traversing the 4710 bridge is the only path back to the firewall and I don't do source NAT, once I enable the ACE30s that will be another path back to the firewall.  If I don't do the source NAT on the ACE30 would the return traffic from server back to the firewall randomly pick which bridge to traverse? I've attached a logical diagram if that will help.

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-13-2013 09:39 AM

Hi David,

I think it would be random but you can remove the corresponding VLAN's from the 4710 so that returning traffic has no option but to go from ACE30 only.

Regards,

Kanwal

0 Helpful

Go to solution
David Niemann
Level 3
Level 3
In response to Kanwaljeet Singh

‎12-13-2013 09:50 AM

So if I can't remove that VLAN from the 4710 until all the servers are moved, the source NAT is probably the best option for insuring the return traffic from the servers flows through the ACE30s. Either that or use a third VLAN that only exists behind the ACE30s and move the rservers to it as I move the associated VIP.

Sent from Cisco Technical Support iPad App

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-13-2013 10:39 AM

Hi David,

Yeah either src nat or introduce another server side vlan.

Regards,

Kanwal

0 Helpful

Go to solution
David Niemann
Level 3
Level 3
In response to Kanwaljeet Singh

‎12-13-2013 10:49 AM

Thanks! I think I'll go the source NAT for now and then remove the source NAT once the servers are all moved.  The server admins like to see the original client address in their web logs.

0 Helpful

Go to solution
Kanwaljeet Singh
Cisco Employee
Cisco Employee
In response to David Niemann

‎12-13-2013 11:05 AM

Hi David,

You can also use X-forwarded-for for inserting actual client IP in HTTP header for reporting purposes as your server team wants. But if it is for a short while then probably removing src nat would be the better option.

Regards,

Kanwal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents