
One-armed ACE with servers gateway to ACE (no SNAT?)

KristofB
Level 1

Hello ACE experts, I have two questions:

Design:

One-armed ACE appliance where the servers use the ACE as default gateway? (and the ACE, of course, has a default route to the router)

Apparently it works in my lab… But since it’s not documented I wonder what the gotchas are?

(This would eliminate the SNAT requirement for one-armed)

I know I need:

- no icmp-guard: to allow ‘asymmetric ICMP’

- no normalization: to allow asymmetric traffic when not using a VIP (router to server is direct, but the server response uses the ACE)

And the other question:

Bandwidth license: apparently ALL traffic counts towards this limit, even purely routed traffic. Is this true?

So in routed mode, all traffic from the server backend that needs to be routed over the ACE (a backup!?) counts?

Regards Kristof

3 Replies

gaursin2
Level 1

Hi Kristof,

The SNAT mentioned in the Cisco document is done for the sole purpose of redirecting the server reply back to the ACE. This can be achieved (as you have done already) by putting the ACE interface as the gateway for the servers. Probably because of the asymmetric packet flow Cisco has not documented it. Moreover, I have encountered situations where the ACE is in an altogether different VLAN compared to the servers', or the servers are in various VLANs: in these situations SNAT provides ease of placement for the ACE. One more problem with this approach is what you have doubted in your next question: the ACE has to process every packet sent from the servers, even those not related to the ACE's actual functionality, i.e. merely routed packets.

Yes, this will be counted and will consume the limit provided in the bandwidth license.

Hello Gaurav,

I know it’s not perfect.

A server consulting a VIP will also not work (because the destination server will reply directly to the source).

“The ACE has to process every packet”: isn’t that the case in most situations?

Routed mode -> ALL traffic from the server backend needs to be processed.

Bridge mode -> does ‘switched traffic’ count towards the bandwidth license?

Only in one-armed with SNAT would you avoid this.

Correct?

I don’t know why, but from the moment I mention SNAT during consultancy they don’t like it.

Unless statistics or ACLs are used, I doubt SNAT is an issue for any application? Right?

Is bridged mode still a good option? Although you cannot bridge the same VLAN number as you could with the CSS.

But then again, if bandwidth counts towards the license…

Regards
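
The two posts above turn on which devices the reply packet crosses: with the router as the servers' gateway and no SNAT the ACE sees only the request; with SNAT or with the ACE as gateway it sees both halves; and a server consulting a VIP bypasses the ACE on the way back because the destination server is on-link. The following is an added example, not code from the thread or from Cisco, that models exactly that forwarding decision for a constructed one-armed lab (addresses 10.1.1.0/24, router .1, ACE .2, SNAT pool .3, VIP .100, two real servers, an off-subnet client at 192.0.2.10 are all assumptions) and reports, per scenario, whether the flow is symmetric, asymmetric or bypasses the ACE entirely. It also covers the plain routed case from the first post, where the router delivers to the server directly and only the reply transits the ACE.

```python
import ipaddress

# Constructed lab topology (an assumption for this example, not taken from the
# thread): one server VLAN holding the router, the one-armed ACE, the VIP the
# ACE owns and the ACE's SNAT pool address. The client sits off-subnet.
SUBNET = ipaddress.ip_network("10.1.1.0/24")
ROUTER = "10.1.1.1"
ACE = "10.1.1.2"
SNAT_IP = "10.1.1.3"          # source address the ACE writes when SNAT is on
VIP = "10.1.1.100"            # virtual server address, owned by the ACE
SERVERS = ["10.1.1.11", "10.1.1.12"]
CLIENT = "192.0.2.10"         # off-subnet client, reached via the router

ACE_OWNED = {ACE, SNAT_IP, VIP}   # any of these land the packet on the ACE


def on_link(addr):
    """True when addr is in the server VLAN, i.e. reachable without a gateway."""
    return ipaddress.ip_address(addr) in SUBNET


def host_next_hop(dst, gateway):
    """Ordinary host forwarding: on-link destinations are sent directly,
    everything else goes to the host's default gateway."""
    return dst if on_link(dst) else gateway


def trace(client, server_gw, snat=False, via_vip=True):
    """Trace one request/reply pair and report which devices each direction
    crosses. server_gw is the default gateway configured on the real servers
    (ROUTER or ACE); snat models the ACE rewriting the client source; via_vip
    False models plain routed traffic sent to a real server's own address.
    Returns (request_path, reply_path, verdict) with verdict one of
    'symmetric' (ACE sees both directions), 'asymmetric' (only one) or
    'bypassed' (neither)."""
    real = SERVERS[0]                      # the ACE's load-balancing choice
    request = [client]
    if not on_link(client):
        request.append(ROUTER)             # off-subnet client enters via router
    if via_vip:
        request.append(ACE)                # VIP is owned by the ACE
        src_seen = SNAT_IP if snat else client
    else:
        src_seen = client                  # router delivers directly on-link
    request.append(real)

    reply = [real]
    hop = host_next_hop(src_seen, server_gw)
    if hop in ACE_OWNED:
        reply.append(ACE)                  # ACE undoes SNAT and forwards on
        if not on_link(client):
            reply.append(ROUTER)
        reply.append(client)
    elif hop == ROUTER:
        reply += [ROUTER, client]          # router forwards; ACE never sees it
    else:
        reply.append(client)               # on-link client answered directly

    seen = (ACE in request, ACE in reply)
    verdict = {(True, True): "symmetric", (False, False): "bypassed"}.get(seen, "asymmetric")
    return request, reply, verdict


if __name__ == "__main__":
    scenarios = [
        ("VIP, servers gw=router, no SNAT", (CLIENT, ROUTER, False, True)),
        ("VIP, servers gw=router, SNAT", (CLIENT, ROUTER, True, True)),
        ("VIP, servers gw=ACE, no SNAT", (CLIENT, ACE, False, True)),
        ("routed (no VIP), servers gw=ACE", (CLIENT, ACE, False, False)),
        ("routed (no VIP), servers gw=router", (CLIENT, ROUTER, False, False)),
        ("server -> VIP, servers gw=ACE, no SNAT", (SERVERS[1], ACE, False, True)),
        ("server -> VIP, servers gw=ACE, SNAT", (SERVERS[1], ACE, True, True)),
    ]
    for name, args in scenarios:
        req, rep, verdict = trace(*args)
        print(f"{name:42} {verdict:10} reply: {' -> '.join(rep)}")
```

The 'asymmetric' verdict for routed traffic with the ACE as gateway is the half-flow that the first post's `no normalization` exists to tolerate; the 'bypassed' verdict is the only case in which the ACE carries none of the traffic, so every other scenario here is traffic the ACE has to process (and, per the replies, count against the bandwidth license).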

Hi

The reason I used "process every packet" was that it was one of the advantages offered by one-arm mode: not having to process every packet. The main reason for a one-arm deployment, as I mentioned previously, is ease of placement of the ACE. We can have servers in any VLAN and put the ACE in an altogether different VLAN. I guess this advantage is of no use for you because the servers are already in the same segment as the ACE.

The main reason, as I understand it, that customers don't like the concept of SNAT is because of its restrictions on reporting and security. The client IP will be hidden, so any reporting on the servers of session sources (or monitoring of attacks) will not be fruitful. Although with features like XFF we can overcome this drawback for HTTP traffic, customers still don't like the concept of hiding the details of the IPs accessing their servers.

Regarding the bandwidth count in bridge mode, I am not 100% sure, but I believe here again all passing traffic will count, as the ACE still monitors every packet and decides whether it is passing traffic, part of load balancing, or hitting any of its configured policies.
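
The reply above notes that SNAT hides the client IP from the servers and that XFF (X-Forwarded-For) recovers it for HTTP. The following is an added example, not code from the thread or from Cisco, of the server-side half of that: a log consumer that believes X-Forwarded-For only on connections whose TCP peer is the ACE's SNAT address, and walks the header from the right so that hops supplied by the client itself are not trusted. The SNAT address 10.1.1.3, the log format (combined log with the X-Forwarded-For header logged as a final quoted field) and the log lines are all constructed for the example; it assumes the ACE appends the connecting client's address to the header, as the reply describes.

```python
import ipaddress
import re
from collections import Counter

# Constructed values for this example: the ACE SNAT pool address the servers
# see as TCP peer, and web server log lines in combined format with the
# X-Forwarded-For request header logged as the last quoted field.
TRUSTED_PROXIES = {"10.1.1.3"}

SAMPLE_LOG = """\
10.1.1.3 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "198.51.100.7"
10.1.1.3 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 128 "198.51.100.7"
10.1.1.3 - - [10/Oct/2023:13:55:38 +0000] "POST /login HTTP/1.1" 401 128 "203.0.113.9, 198.51.100.7"
10.1.1.3 - - [10/Oct/2023:13:55:39 +0000] "POST /login HTTP/1.1" 401 128 "-"
10.1.1.12 - - [10/Oct/2023:13:55:40 +0000] "POST /login HTTP/1.1" 401 128 "192.0.2.99"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<xff>[^"]*)"$'
)


def client_ip(peer, xff):
    """Resolve the address a request should be attributed to.

    The TCP peer is authoritative unless it is a trusted proxy (the ACE SNAT
    address); only then is X-Forwarded-For consulted, and only its rightmost
    entry that is not itself a trusted proxy, because that entry was appended
    by the ACE while anything further left arrived from the client and is
    under its control. Returns None when the client is hidden (SNAT peer but
    no usable header)."""
    if peer not in TRUSTED_PROXIES:
        return peer
    if xff in ("", "-"):
        return None
    for entry in reversed([e.strip() for e in xff.split(",")]):
        if entry in TRUSTED_PROXIES:
            continue
        try:
            return str(ipaddress.ip_address(entry))
        except ValueError:
            return None          # malformed hop: do not guess
    return None


def failed_logins(log_text):
    """Count HTTP 401 responses per resolved client. Requests whose client is
    hidden behind SNAT are reported under the SNAT address itself, which is
    exactly the reporting loss the thread describes."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None or m["status"] != "401":
            continue
        counts[client_ip(m["peer"], m["xff"]) or m["peer"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{client:15} {n} failed logins")
```

On the sample lines the two failures carrying a header resolve to 198.51.100.7 even though one of them claims an extra, client-supplied hop; the failure logged with "-" can only be attributed to the SNAT address; and the request that reached the server directly from 10.1.1.12 keeps its peer address, since a header on a connection that did not come through the ACE proves nothing.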
