02-02-2012 06:24 AM
Hello,
We are considering performing PBR for traffic that enters 4 interfaces and needs to be policy-based routed at L4 (IP addresses and ports).
What are the pros and cons of the 2 approaches?
I understand that this is done well (simply) in the 6500 in HW, but is it feasible also in the ACE?
I haven't found any configuration around, but I think it could be feasible... using the keyword "forward".
I have some doubts because we have 4 interfaces from where the traffic comes and goes out... and it could be a mess with the policy-maps.
Thanks for sharing your thoughts..
02-03-2012 01:30 AM
Hi,
It's not possible to do PBR on ACE. The "forward" keyword is just to route traffic instead of load-balancing it. However, you have no control over the routing table.
You could potentially achieve a behavior similar to PBR using catch all VIPs (0.0.0.0), matching on source-address and sending to transparent serverfarms composed of only 1 real server, but it would be a very messy configuration and can cause some issues (for example, you would not be able to route connections for which you don't see a SYN packet).
Just forget completely about the ACE and do the PBR on the 6500, it'll make your life much easier.
Regards
Daniel
02-07-2012 05:25 AM
Thanks!
But what about simple traffic redirection using the 0.0.0.0 catch-all rule? We need just to discriminate HTTP traffic from the other traffic without checking the source IP address.
would it be possible?
02-07-2012 05:31 AM
Hi Giulio,
If you don't need to do the PBR based on the source IP address, then yes, you could just configure two different 0.0.0.0 vips (one for port 80 and one for any port) and point them to two transparent serverfarms.
Still, if possible I would recommend doing this on the 6500 switch itself.
Daniel
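A configuration sketch of the two-catch-all-VIP approach described in the answer above, added here as an illustration; it is not configuration from the thread or from Cisco documentation for this scenario. All names, the VLAN number and the next-hop addresses (10.1.1.1 for HTTP, 10.1.2.1 for everything else, ACE interface 10.1.0.2) are assumptions, and the "real servers" are the two next-hop routers, not actual servers:

```text
! Added example, not from the thread. Names and addresses are assumed.
! The rservers are the two next-hop routers that the traffic should be steered to.
rserver host NEXTHOP-HTTP
  ip address 10.1.1.1
  inservice
rserver host NEXTHOP-OTHER
  ip address 10.1.2.1
  inservice

! "transparent" keeps the original destination IP: the ACE rewrites only the
! destination MAC to the rserver's MAC instead of NATing the destination,
! which is what makes this behave like a next-hop redirect rather than a VIP.
serverfarm host SF-NEXTHOP-HTTP
  transparent
  rserver NEXTHOP-HTTP
    inservice
serverfarm host SF-NEXTHOP-OTHER
  transparent
  rserver NEXTHOP-OTHER
    inservice

! Catch-all VIPs: any destination address, one for TCP/80 and one for any port.
class-map match-all VIP-ANY-HTTP
  2 match virtual-address 0.0.0.0 0.0.0.0 tcp eq 80
class-map match-all VIP-ANY-ALL
  2 match virtual-address 0.0.0.0 0.0.0.0 any

policy-map type loadbalance first-match LB-NEXTHOP-HTTP
  class class-default
    serverfarm SF-NEXTHOP-HTTP
policy-map type loadbalance first-match LB-NEXTHOP-OTHER
  class class-default
    serverfarm SF-NEXTHOP-OTHER

! Class order matters: the multi-match policy applies the first class that
! matches, so the port-80 VIP must be listed before the any-port VIP.
policy-map multi-match PM-REDIRECT
  class VIP-ANY-HTTP
    loadbalance vip inservice
    loadbalance policy LB-NEXTHOP-HTTP
  class VIP-ANY-ALL
    loadbalance vip inservice
    loadbalance policy LB-NEXTHOP-OTHER

! Apply on each client-facing VLAN interface where the traffic enters.
interface vlan 100
  ip address 10.1.0.2 255.255.255.0
  service-policy input PM-REDIRECT
  no shutdown
```

Two practical checks before relying on this: the next-hop rservers must be reachable from a VLAN the ACE has an interface on, since the transparent serverfarm forwards at L2 to the rserver's MAC, and, as Daniel's first reply points out, flows for which the ACE never sees the SYN are not matched, so asymmetric paths through the four interfaces will silently fall through.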