ivan_polk

Layer 2 or Layer 3 Load balancing

Hi Folks

We've just purchased an ACE 4710 to provide SSL termination, sticky sessions, and load balancing between two Windows IIS application servers. We were planning on using the Layer 2, bridged mode because all our servers are on the same network segment, but the technician we're contracting with says that he's not familiar with this configuration and that he doesn't think it will perform the same as a Layer 3, routed mode.

I've seen posts stating that the load balancing is the same in both configs, but can we still have SSL termination and sticky sessions? I really don't want to segment the network if I don't have to.

Thanks,

Ivan

Surya ARBY

The best option is not the bridge mode but instead to use a one-arm topology.

VIP and source nat address in the same subnet.

Hi,

Thanks for the response. Why is the one-armed a better config than having the ACE in bridge mode?

Regards,

Ivan

Only the load-balanced flows will hit the ACE, so this is less intrusive, with no impact on the global design of the network or on the high availability features (STP...).

You will have to perform source NAT on the ACE to have the return traffic flow back to the ACE.

Ivan,

Here is a good guide you can use to evaluate the different design options:

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns376/c649/ccmigration_09186a008078de90.pdf

Of the three topologies (routed, bridged and one-armed mode), one-armed mode is the easiest to insert into the environment. However, it does require the use of client source NAT or PBR.

To answer your question: no, there are no differences between the three topologies in how load balancing works, and yes, you can still terminate SSL and do sticky.

Since the ACE blocks BPDUs, you will need to configure an ACL to allow them. This is a key point in bridge mode in order to avoid possible bridging loops. Here is a guide for configuring bridge mode.

http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_1_0/configuration/routing_bridging/guide/bridge.html

Thanks,

Chris

Thanks for the links.

Just something to add: I ALWAYS use one arm, except if there are design issues for some reasons..., because it's the least intrusive mode. With that you can even make your tests in production environments without any impact on the network.

The only caveat is the use of source NAT (ok, you can use PBR or DSR but it's very complex), but for HTTP-based applications, you can add the source IP address in the HTTP headers... So for HTTP-based apps it may not be a problem.
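The source NAT caveat above means IIS sees the ACE's NAT address as the TCP peer on every load-balanced connection, so the application has to recover the real client address from the inserted header. The following is an added example, not code from the thread or from Cisco, showing how an application should do that safely: it honours the header only when the peer really is the load balancer's NAT address, and walks the chain from the right so a client cannot prepend a fake hop. The header name `X-Forwarded-For` and the NAT address `10.0.10.5` are assumptions; the thread does not name either.

```python
import ipaddress
from typing import Iterable, List, Mapping

# Constructed example: the ACE one-arm source NAT address that IIS sees as
# the TCP peer for every load-balanced connection (assumed value).
TRUSTED_PROXIES = frozenset({ipaddress.ip_address("10.0.10.5")})


def parse_xff(value: str) -> List[ipaddress._BaseAddress]:
    """Split an X-Forwarded-For value into addresses, client first, last proxy last.

    Any element that is not a valid IP address means the chain was tampered
    with or is malformed; the whole chain is then discarded rather than guessed at.
    """
    hops = []
    for part in value.split(","):
        try:
            hops.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            return []
    return hops


def client_ip(remote_addr: str, headers: Mapping[str, str],
              trusted: Iterable[ipaddress._BaseAddress] = TRUSTED_PROXIES) -> str:
    """Return the address the application should log and apply policy to as the client.

    The header is trusted only when the TCP peer is one of the load balancer's
    NAT addresses. A request that reaches the server directly with a forged
    X-Forwarded-For gets its real peer address back instead.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = set(trusted)
    if peer not in trusted:
        return str(peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    # Walk from the right: the rightmost address that is not one of our own
    # proxies is the hop that actually connected to the load balancer.
    for hop in reversed(parse_xff(lowered.get("x-forwarded-for", ""))):
        if hop not in trusted:
            return str(hop)
    # Header missing, malformed, or only proxies: fall back to the peer address.
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: one via the ACE, one direct with a forged header.
    print(client_ip("10.0.10.5", {"X-Forwarded-For": "203.0.113.7"}))
    print(client_ip("192.0.2.9", {"X-Forwarded-For": "203.0.113.7"}))
```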

Hi Folks,

Thank you both for your responses. I'll research both the one-armed and bridged configurations.

Regards,

Ivan
