03-18-2009 02:47 PM
Hi everyone,
In a few days I must install and configure two ACE modules (Software version 3.0(0)A16). Although I have already read the documentation, there are a few things that I don't have clear, and I really need your help!!!
1. The customer wants redundancy between the two 6500s and the two ACEs. The redundancy in the 6500 is made via HSRP. The Administration guide says that one FT group must have a standby context, but doesn't say what configuration the standby context must have (I assume that it is the same configuration in the active context and the standby context, is that correct?). I also suppose that the HSRP track configuration is made in the active context.
2. The customer can't make changes to the servers' IP configuration; furthermore, the clients and servers are in the same subnet, so I am planning to use bridge mode. Again, I suppose that the IP address configured on the BVI interface is the one that the clients use when they want to access the server, and the servers' IP configuration remains the same.
3. What are the main benefits of using different contexts?
Thanks and best regards,
03-18-2009 03:03 PM
1. In the standby context you just need the FT-related config (ft interface, ft peer, ft group), and the standby module will copy the config from the primary.
2. With clients and servers in the same subnet, your only option is bridge mode. However, remember that you need to create a new VLAN, move servers/clients to this new VLAN, and finally bridge the new and old VLANs using ACE.
3. Each context acts as a dedicated load balancer. For example, you can use a single module acting as 3 devices to load balance web servers (context 1), app servers (context 2), and DB servers (context 3).
Similarly you can have DEV, Staging & Production environments separated by contexts.
HTH
Syed Iftekhar Ahmed
03-18-2009 03:43 PM
Hi Syed,
Thanks for your help. That was very useful.
I only have one new doubt. You said that when I use bridge mode, I have to create a new VLAN, move the servers and clients to the new VLAN, and then bridge the new and the old VLAN with a BVI.
But if I move everything (servers and clients) to the new VLAN, what is in the old VLAN, or what do I need to put in the old VLAN???
Regards,
Pablo
03-18-2009 04:08 PM
Let's suppose your servers and clients are in vlan 10 (old vlan). If you want to use ACE in bridge mode, then you need two vlans to bridge.
What you can do is create a new vlan, let's say 110. Now assign all the switch ports where your servers are to vlan 110.
Now your servers are in vlan 110 & clients are in vlan 10. On ACE you will bridge these two vlans.
Vlan 110 should be only a Layer 2 Vlan (no SVI configured). This way any traffic from client to/from server will always hit ACE first.
Syed
03-20-2009 03:24 PM
Thanks Syed,
Again a few questions,
Is there a recommendation or best practice for the Admin context? For example, is it recommended to use it only for FT configuration?
In the same context, can the ACE module work in bridge mode and routing mode? (Obviously with different VLANs)
About redundancy: what configuration is made in the standby module? I suppose that the only configuration needed is the standby context and the FT-related configuration (FT track, FT peer, FT group and FT interface).
What is the resource limit recommendation for the standby context in FT?
Thanks and Regards,
PM
03-20-2009 08:40 AM
See the bridge configuration example below. With bridged mode the servers' gateway is still that of the default router. You create the two vlans, client and server. No IP is needed on the vlan interfaces. IP is applied to the bridged interface, BVI, for context management.
From my lab:
ACE-1/bridged# show run
Generating configuration....
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
rserver host lnx1
  ip address 172.16.3.11
  inservice
rserver host lnx2
  ip address 172.16.3.12
  inservice
rserver host lnx3
  ip address 172.16.3.13
  inservice
rserver host lnx4
  ip address 172.16.3.14
  inservice
rserver host lnx5
  ip address 172.16.3.15
  inservice
serverfarm host web
  rserver lnx1
    inservice
  rserver lnx2
    inservice
  rserver lnx3
    inservice
  rserver lnx4
    inservice
  rserver lnx5
    inservice
class-map match-all slb-vip
  2 match virtual-address 172.16.3.100 any
policy-map type management first-match remote-access
  class class-default
    permit
policy-map type loadbalance http first-match slb
  class class-default
    serverfarm web
policy-map multi-match client-vips
  class slb-vip
    loadbalance vip inservice
    loadbalance policy slb
interface vlan 30
  description "Client Side"
  bridge-group 3
  access-group input everyone
  service-policy input client-vips
  no shutdown
interface vlan 31
  description "Server Side"
  bridge-group 3
  service-policy input remote-access
  no shutdown
interface bvi 3
  ip address 172.16.3.5 255.255.255.0
  description "client - server bridge group"
  no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.3.1
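An added example, not part of the original thread or the poster's lab: a small Python check that reads an ACE running config and verifies the bridged-mode layout described above (two VLANs per bridge-group, a BVI with the same number carrying the IP) and reports any inbound ACL on those interfaces that permits `ip any any`. The function names and the sample text are hypothetical, and the parser assumes indented `show run` output.

```python
import re

# Constructed sample in the style of the lab config (indented "show run" output).
SAMPLE = """\
access-list everyone line 8 extended permit ip any any
interface vlan 30
  bridge-group 3
  access-group input everyone
interface vlan 31
  bridge-group 3
interface bvi 3
  ip address 172.16.3.5 255.255.255.0
"""

def parse_interfaces(text):
    """Return {(kind, number): [subcommands]} for each vlan/bvi interface block."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = re.match(r"interface (vlan|bvi) (\d+)\s*$", line)
        if m:
            current = blocks.setdefault((m.group(1), int(m.group(2))), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())
        else:
            current = None  # any other top-level command closes the block
    return blocks

def audit_bridge(text):
    """Return findings for the bridged-mode layout described in the thread."""
    blocks, findings, groups = parse_interfaces(text), [], {}
    open_acls = set(re.findall(
        r"^access-list (\S+) line \d+ extended permit ip any any\s*$", text, re.M))
    for (kind, num), cmds in sorted(blocks.items()):
        for c in cmds:
            bg = re.match(r"bridge-group (\d+)$", c)
            acl = re.match(r"access-group input (\S+)$", c)
            if bg and kind == "vlan":
                groups.setdefault(int(bg.group(1)), []).append(num)
            if acl and acl.group(1) in open_acls:
                findings.append(f"{kind} {num}: ACL {acl.group(1)} permits ip any any")
    for g, vlans in sorted(groups.items()):
        if len(vlans) != 2:
            findings.append(f"bridge-group {g}: {len(vlans)} VLAN(s), expected 2")
        bvi = blocks.get(("bvi", g), [])
        if not any(c.startswith("ip address ") for c in bvi):
            findings.append(f"bridge-group {g}: no BVI {g} with an IP address")
    return findings
```

Calling `audit_bridge(SAMPLE)` returns the single ACL finding for vlan 30; a config with only one VLAN in a bridge-group, or with no matching BVI, produces the corresponding layout findings.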