01-04-2011 09:01 PM
Hi Folks
We've just purchased an ACE 4710 to provide SSL termination, sticky sessions, and load balancing between two Windows IIS application servers. We were planning on using the Layer 2, bridged mode because all our servers are on the same network segment, but the technician we're contracting with says that he's not familiar with this configuration and that he doesn't think it will perform the same as a Layer 3, routed mode.
I've seen posts stating that the load balancing is the same in both configs, but can we still have SSL termination and sticky sessions? I really don't want to segment the network if I don't have to.
Thanks,
Ivan
01-04-2011 09:37 PM
The best option is not the bridge mode but instead to use a one-arm topology.
VIP and source NAT address in the same subnet.
01-06-2011 12:06 PM
Hi,
Thanks for the response. Why is the one-armed a better config than having the ACE in bridge mode?
Regards,
Ivan
01-06-2011 12:20 PM
Only the load-balanced flows will hit the ACE; this is less intrusive, with no impact on the global design of the network and on the high availability features (STP...).
You will have to perform source NAT on the ACE to have the return traffic come back through the ACE.
01-06-2011 12:29 PM
Ivan,
Here is a good guide you can use to evaluate the different design options:
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf
Of the three topologies (routed, bridged and one-armed mode), one-armed mode is the easiest to insert into the environment. However, it does require the use of Client source NAT or PBR.
To answer your question, no, there are no differences between the 3 topologies in how load balancing works, and yes, you can still terminate SSL and do sticky.
Since the ACE blocks BPDUs, you will need to configure an ACL to allow them. This is a key point in bridge mode in order to avoid possible bridging loops. Here is a guide for configuring bridge mode.
Thanks,
Chris
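The BPDU point above matters because an ACE interface in bridge mode sits inline on the spanning-tree path: if it silently drops BPDUs, the switches on either side cannot detect a loop through it. The following fragment is an added illustration of the ACL Chris mentions, not the poster's configuration and not the linked Cisco guide; the VLAN numbers, bridge-group number and BVI address are assumed placeholders.

```text
! Assumed bridge-mode example (added; not from the thread): one bridge group
! spanning a client-side VLAN and a server-side VLAN, with BPDUs explicitly permitted.

! Permit BPDUs so spanning tree on the adjacent switches still sees the path.
access-list BPDU ethertype permit bpdu
! Permit ordinary traffic (ACE denies everything not explicitly allowed).
access-list ANYONE line 10 extended permit ip any any

interface vlan 10
  description client-side (assumed VLAN)
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  no shutdown

interface vlan 20
  description server-side (assumed VLAN)
  bridge-group 1
  access-group input BPDU
  access-group input ANYONE
  no shutdown

! The BVI carries the ACE's own IP address for the bridged pair.
interface bvi 1
  ip address 10.10.10.5 255.255.255.0
  no shutdown
```

Both access groups are applied on each bridged interface: the ethertype ACL admits the Layer 2 BPDU frames, and the extended ACL admits the IP traffic that will be load balanced.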
01-06-2011 12:33 PM
thanks for the links.
Just something to add: I ALWAYS use one-arm, except if there are design issues for some reason, because it's the least intrusive mode; with it you can even make your tests in production environments without any impact on the network.
The only caveat is the use of source NAT (OK, you can use PBR or DSR, but it's very complex), but for HTTP-based applications you can add the source IP address in the HTTP headers... So for HTTP-based apps it may not be a problem.
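To make the one-arm design concrete (the recommendation in the replies above: VIP and source NAT address in one subnet, sticky sessions, and the client IP carried in an HTTP header), here is an added example configuration. It is not from the thread, the poster, or Cisco; every address, VLAN number, cookie name and object name is an assumed placeholder, and the SSL key and certificate names refer to files that would have to be imported onto the ACE first.

```text
! Assumed one-arm example (added; not from the thread). The ACE has a single
! VLAN interface; VIP, NAT pool address and real servers all live in 10.10.10.0/24.

access-list ANYONE line 10 extended permit ip any any

rserver host WEB1
  ip address 10.10.10.11
  inservice
rserver host WEB2
  ip address 10.10.10.12
  inservice

serverfarm host WEB-FARM
  rserver WEB1 80
    inservice
  rserver WEB2 80
    inservice

! Cookie-insert stickiness: the ACE sets its own cookie, so the servers
! need no changes to keep a client on the same backend.
sticky http-cookie ACE-COOKIE WEB-STICKY
  cookie insert
  serverfarm WEB-FARM

! SSL termination: key and certificate names are placeholders for files
! already imported with "crypto import".
ssl-proxy service SSL-TERM
  key PLACEHOLDER-KEY.PEM
  cert PLACEHOLDER-CERT.PEM

class-map match-all VIP-HTTPS
  2 match virtual-address 10.10.10.100 tcp eq https

! Because the ACE source-NATs toward the servers, the real client address
! is preserved for IIS logging by inserting it as an HTTP header (%is = source IP).
policy-map type loadbalance first-match WEB-LB
  class class-default
    sticky-serverfarm WEB-STICKY
    insert-http X-Forwarded-For header-value "%is"

policy-map multi-match CLIENT-VIPS
  class VIP-HTTPS
    loadbalance vip inservice
    loadbalance policy WEB-LB
    loadbalance vip icmp-reply
    ssl-proxy server SSL-TERM
    nat dynamic 1 vlan 10

interface vlan 10
  ip address 10.10.10.5 255.255.255.0
  access-group input ANYONE
  ! Source NAT pool: server replies go to this address, so they return via the ACE.
  nat-pool 1 10.10.10.101 10.10.10.101 netmask 255.255.255.255 pat
  service-policy input CLIENT-VIPS
  no shutdown
```

The `nat dynamic 1 vlan 10` line is what makes one-arm work: without it the servers would reply directly to the client's address and bypass the ACE. Since that same NAT hides the client from the servers, the IIS applications should read the client address from the inserted `X-Forwarded-For` header, and should only trust that header on connections arriving from the ACE's NAT pool address, because any client can send a forged copy of it.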
01-06-2011 12:56 PM
Hi Folks,
Thank you both for your responses. I'll research both the one armed and bridged configuration.
Regards,
Ivan