routed or bridged mode + licensing question

betacomsvc
Level 1

Hi Cisco ACE gurus,

I have the following questions and I would be grateful if anyone could answer them.

1) As we know the basic license for ACE limits its throughput to 4Gbps. What does it mean? Does it mean that only load balanced traffic is limited (policed) to 4Gbps? Or any other traffic passing through ACE is limited to 4Gbps (from what I know ACE is a cef720 linecard having 20Gbps to a switch fabric)?

My question comes from the following scenario. Let's say ACE is deployed in routed mode and it has 1 client vlan and 2 server vlans. There are VIPs, serverfarms, rservers defined etc.... Now there is a need for a rserver from vlan1 to communicate with a rserver from vlan2 (directly and not through a VIP). In this scenario def gateway of both servers points to ACE (ACE is doing inter-vlan routing).

So in this case in order to allow for that communication I would need to create ACLs and apply them to ACE interfaces.

Does it mean that the traffic would be limited to only 4Gbps?

2) Let's say I have 2 DC (2 different geo locations). ACE is located only in one of them. Real servers are dispersed in both of them. ACE is deployed in routed mode. Is it possible to configure ACE in such a scenario (to serve VIPs for clients when rservers are in 2 different DC)?

My assumption is that it is possible and in order to do that I would have to use NAT (and source NAT client traffic) so that traffic sent from client to a VIP could be src natted and go to the other DC (through client vlan), reach the rservers in the other DC and come back.

Is it possible to also do that while ACE is deployed in bridged mode?

While reading about ACE and NAT I came across the sentence "ACE is not able to NAT bridged traffic". What does it mean?

regards

6 Replies

Marko Leopold
Level 1

For answering your first question, the license is for the whole traffic that is going through the ACE fabric interface. It doesn't matter if it is loadbalanced or not. Everything that exceeds the license will be dropped.

Hi Marko,

Thank you for your answer. Do you happen to know if it is possible to use 2 contexts (other than Admin) where each is deployed in one-armed mode and the same vlan is used in each context (one context is used for prod traffic and the 2nd is used for testing purposes)?

regards,

Hello Maciej!

Yes, you can have 2 contexts sharing the same VLAN. But for security reasons it is forbidden to access the VIPs in context1 from the VLAN in context2. So you have to have this in mind while designing your network there.

Thx for the answer Marko. Can you please explain that?

Is there any way to overcome that limitation?

Just like I said, if you have server A in the shared VLAN of context A, you cannot reach a VIP from context B. This is disabled because of security reasons. You can only overcome this if you route the traffic outside of the ACE and back inside.

Sorry Marko, but I am lost. We are talking now about one-armed mode of deployment. There are 2 contexts and the same vlan is used in both of them (that's why it is shared). In this case I don't understand what you wrote: "you have server A in the shared VLAN of context A, you can not reach a VIP from context B" ... that is the same vlan so I can't see any problems... unless you are describing the situation for bridged mode deployment of ACE.