ACE module in one-arm mode with PBR

george_daly
Level 1

Trying to get an ACE blade to do L3/L4 load-balancing in one-arm mode, but using PBR rather than source NAT.

Got a base config together and load-balancing seems to be working OK. The problem I am trying to figure out is how to deal with direct flows, e.g. traffic which isn't part of a load-balanced flow.

Does anyone know if/how I can configure the ACE to forward return traffic from an rserver which doesn't match part of an existing flow back to the sup720 rather than dropping it? I believe this was an option in CSM.

Thanks for any replies,

George

2 Replies

osiristrading
Level 1

We encountered the same issue, except we are using the 4710 appliance. We found the simplest way to sort out this problem was to bind secondary IP addresses to the servers being load balanced and to use those IPs for the services which are being load balanced. The PBR matches only these IPs; traffic initiated by the primary IP addresses does not match the PBR ACL.

Alternatively, could you not do PBR based on source port? Typical load balanced ports (80,25,etc) are not used as source ports.

Thanks for responding. Using a secondary IP isn't a bad idea. The second suggestion wouldn't fly because in this case customers must be able to use those typical ports for a mix of load-balanced and non load-balanced.

We actually found a good solution after much digging around, which was to configure the SVI in the ACE with 'no normalization' (disclaimer: this disables various security checks in the ACE and makes it operate like a pure load-balancer).

Cheers,

George
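The two approaches discussed in this thread, as an added configuration example that is not from either poster: the Sup720 policy-routes only traffic sourced from the servers' secondary addresses (the ones the load-balanced services listen on) to the ACE's one-arm address, so flows initiated from a server's primary address never reach the ACE, and the ACE interface shows where 'no normalization' would go if you instead need the ACE to pass packets that belong to no load-balanced flow. All addresses, VLANs, names and the module slot are assumptions for illustration; 'no normalization' is left commented out because it turns off the ACE's TCP state and sequence checks on that interface, so only enable it if you have decided the ACE is not the stateful boundary for those servers.

```cisco
! ===== Sup720 (assumed: servers on VLAN 100, ACE one-arm on VLAN 200) =====
! Hand VLAN 200 to the ACE module (slot 3 is an assumption).
svclc module 3 vlan-group 1
svclc vlan-group 1 200

! Server VLAN. Servers default-route to 10.1.1.1, so their replies to real
! client addresses (no source NAT on the ACE) arrive here and are policy-routed.
interface Vlan100
 ip address 10.1.1.1 255.255.255.0
 ip policy route-map PBR-TO-ACE

! ACE VLAN; the ACE's default route points back at this SVI.
interface Vlan200
 ip address 10.1.2.1 255.255.255.0

! Only the secondary (service) addresses match. A flow from a server's
! primary address (10.1.1.101) falls through to normal routing.
ip access-list extended LB-RETURN
 permit ip host 10.1.1.201 any
 permit ip host 10.1.1.202 any

route-map PBR-TO-ACE permit 10
 match ip address LB-RETURN
 set ip next-hop 10.1.2.10

! ===== ACE module (one-arm on VLAN 200, VIP 10.1.2.50) =====
access-list ALL line 10 extended permit ip any any

rserver host WEB1
  ip address 10.1.1.201
  inservice
rserver host WEB2
  ip address 10.1.1.202
  inservice

serverfarm host SF-WEB
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

class-map match-all VIP-WEB
  2 match virtual-address 10.1.2.50 tcp eq www

policy-map type loadbalance first-match LB-WEB
  class class-default
    serverfarm SF-WEB

policy-map multi-match VIPS
  class VIP-WEB
    loadbalance vip inservice
    loadbalance policy LB-WEB
    loadbalance vip icmp-reply active

interface vlan 200
  ip address 10.1.2.10 255.255.255.0
  access-group input ALL
  service-policy input VIPS
  ! George's alternative: if the PBR ACL also has to carry direct (non-VIP)
  ! server traffic through the ACE, disable TCP normalization so packets that
  ! match no ACE flow are forwarded rather than dropped. This removes the
  ! interface's TCP sanity checks; it is commented out here on purpose.
  ! no normalization
  no shutdown

ip route 0.0.0.0 0.0.0.0 10.1.2.1
```

To confirm the split is working, open a connection from a server's primary address to an outside host and check with 'show ip policy' / 'show route-map PBR-TO-ACE' on the Sup that the route-map counters stay flat, then repeat from a secondary address and watch them increment; on the ACE, 'show conn' should list only the load-balanced flows.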
