02-09-2010 03:55 PM
Hello,
Here is the scenario. We are an enterprise with various business units with varying
degrees of IT independence.
In a new Internet facing datacenter deployment we are looking to use ACE contexts to allow
resource allocation / control as well as delegated admin access, but want to keep our
public addressing flexible & simple.
Previous deployments have used all single context with the public addresses in a large
subnet with VIPs in that space configured directly on the ACE, but we are testing multiple
contexts for reasons above.
We want to have a single public segment that we can assign VIPs to whichever business
needs them, but have separate vlans for the rservers, and separate configuration spaces
for admins of the different business units.
We have configured contexts on ACE with a single, public vlan associated to all contexts,
but each context having its own vlans for the rservers. This is all set up and working
except rservers in an rserver-subnet associated with context A cannot communicate with
a VIP associated with context B.
I understand that this may be by design, but can't find information on whether there is any way to
change this behavior.
We have tried SNAT configuration
(http://docwiki.cisco.com/wiki/Cisco_Application_Control_Engine_%28ACE%29_Module_Troubleshooting_Guide,_Release_A2%28x%29_--_Troubleshooting_Network_Address_Translation#Configuring_Dynamic_NAT_and_PAT),
SNATing the rserver IP to an IP in the public segment, and this allows communication with VIPs
in its own context, but not other contexts.
Is there any way to do this without carving up public space (or dramatically rearranging
our design in some other way)? Otherwise, I think we give up resource allocation, go back
to single context and use domains to control administration functions?
Thanks,
02-10-2010 06:43 AM
ACE does not allow intercontext communication for security reasons. This can't be changed.
However, you can still achieve communication by going through an external gateway.
If rserver RA in vlan A of context A wants to communicate with vlan B, VIP-B, you should configure context A with a static host route, pointing VIP-B to the default gateway on the shared vlan. This default gateway will then forward the traffic to context B and for ACE it is like the connection comes from outside and not another context.
Same for the response, you need on context B a route for vlan A via the shared vlan and the gateway - not the other context.
Gilles.
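The two-sided route setup described in the answer above, written out as an ACE configuration fragment. This is an added illustration, not configuration from the thread or from Cisco; context names (CTX-A, CTX-B), the shared vlan gateway 203.0.113.1, VIP-B 203.0.113.50 and the context A rserver subnet 10.10.31.0/24 are constructed placeholders, and the lines beginning with ! are annotations rather than commands.

```text
! Context A: send traffic for VIP-B (hosted in CTX-B) to the external gateway on the
! shared public vlan, not to CTX-B's own interface address (a route pointing at an
! address that is active in another context on the same ACE is not installed).
changeto CTX-A
configure terminal
 ip route 203.0.113.50 255.255.255.255 203.0.113.1
end

! Context B: return path for CTX-A's rserver subnet also goes via the external gateway,
! so the ACE sees the connection as arriving from outside rather than from a sibling context.
changeto CTX-B
configure terminal
 ip route 10.10.31.0 255.255.255.0 203.0.113.1
end

! Verification in each context: the new entry should appear with the S (static) flag,
! with the gateway address and the shared vlan as the outgoing interface.
show ip route
```

Because the hairpinned flows now transit the external gateway, any ACLs or inspection on that gateway apply to inter-context traffic as well, which is worth accounting for in the delegated-admin design.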
04-22-2010 03:27 AM
Hi Gilles,
In this matter I just realized that it even does not seem to be possible to configure a static route in context A for the real server network behind context B pointing to any address that is active in context B. In fact you can configure the static route, but the route will not make it into the routing table of the context. The ACE seems to check if any static route in a context points to an active IP in another context on the same ACE and excludes it from the routing table. I did not find this documented anywhere on CCO - can you confirm that?
Here are my details:
ACE version: A2(3.1)
IP 10.122.178.133 is an active VLAN interface in context B:
LB01/LB1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
LB01/LB1(config)# ip route 10.122.179.64 255.255.255.192 10.122.178.133
LB01/LB1(config)#
LB01/LB1(config)#
LB01/LB1(config)# do sh ip route
Routing Table for Context LB1 (RouteId 1)
Codes: H - host, I - interface
S - static, N - nat
A - need arp resolve, E - ecmp
Destination Gateway Interface Flags
------------------------------------------------------------------------
0.0.0.0 10.122.178.129 vlan20 S [0xc]
10.122.178.128/26 0.0.0.0 vlan20 IA [0x30]
10.122.179.0/26 0.0.0.0 vlan31 IA [0x30]
Total route entries = 3
As soon as I point the very same route to an IP NOT active anywhere on the ACE:
LB01/LB1(config)# no ip route 10.122.179.64 255.255.255.192 10.122.178.133
LB01/LB1(config)# ip route 10.122.179.64 255.255.255.192 10.122.178.129
LB01/LB1(config)# do sh ip route
Routing Table for Context LB1 (RouteId 1)
Codes: H - host, I - interface
S - static, N - nat
A - need arp resolve, E - ecmp
Destination Gateway Interface Flags
------------------------------------------------------------------------
0.0.0.0 10.122.178.129 vlan20 S [0xc]
10.122.178.128/26 0.0.0.0 vlan20 IA [0x30]
10.122.179.0/26 0.0.0.0 vlan31 IA [0x30]
10.122.179.64/26 10.122.178.129 vlan20 S [0xc]
Total route entries = 4