[c-nsp] Cisco ACE and ASN

oles at ovh.net oles at ovh.net
Mon Mar 23 20:51:13 EDT 2009


> From the Cisco website:
> Asymmetric server normalization (ASN): Cisco ACE can load balance an
> initial request from the client to a real server; however, the server
> directly responds to the client, bypassing Cisco ACE.
> 
> I am curious how the ACE performance scales.

with linux, iproute2 is your friend. the request goes to an IP1
and the answer comes from the same IP1 (normal). with iproute2 you 
can choose the routing strategy like this: "gateway = f(IP1)", and the 
gateway's IP can be an IP on the router (and not the IP attached to the ACE). 
So incoming traffic goes through the ACE, and outgoing traffic through 
the router.

but you have no "protection" against attacks like SYN-flood, and
it's a big problem with the ACE. you have 1,000,000 (max 2,000,000 simultaneous sessions)
and when you get an attack with no protections like "pending" & "no unidir"
your ACE is full and doesn't accept any new connection. the downtime begins ...

> There are no fancy requirements, just weighted round robin and keepalive tests.
> 
> We are looking to host a website that generates ~80 Gbps of outward traffic.
> Incoming traffic is approx. 5 Gbps and 8,000,000 pps

what I would use is OSPF's "maximum-paths" to distribute your traffic to 
32 ACEs (with SXI the max is 32, with SXH it is 8). 80/32 = 2.5 Gbps. you can use 
"pending" & "no unidir", but it's a complicated setup, I agree.
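
The "gateway = f(IP1)" routing strategy from the post, written out as the iproute2 policy-routing rules a real server behind the ACE would need. This is an added example, not code from the original message or from Cisco: the VIP 203.0.113.10, the router gateway 198.51.100.1, the routing table number 100 and the rule priority are assumptions chosen for illustration, and the loopback assignment assumes IP1 is a shared VIP the server must source replies from (if the ACE forwards to the server's own address, skip that step). The script prints the commands by default and only applies them when APPLY=1, since they need root and a live host.

```shell
#!/bin/sh
# Added example (not from the original post): source-based policy routing so
# that replies sourced from IP1 leave via the router, not back through the ACE.
# Inbound:  client -> ACE -> real server (ACE forwards the request to IP1)
# Outbound: real server answers from IP1 -> router -> client (ACE bypassed)
# All addresses and the table/priority numbers are assumptions for illustration.

VIP="203.0.113.10"        # IP1: the address the client talks to
ROUTER_GW="198.51.100.1"  # next hop on the router, i.e. not the ACE's address
TABLE="100"               # private routing table holding the VIP's return path

# Emit the iproute2 commands that implement "gateway = f(IP1)":
# any packet whose source is IP1 consults the private table, whose only
# default route points at the router. Everything else keeps the main table.
dsr_return_route_cmds() {
    vip="$1"; gw="$2"; table="$3"
    # Assumption: IP1 is a VIP shared with the ACE, so hold it on loopback as
    # a /32 and do not advertise it on the LAN (arp_ignore/arp_announce).
    printf 'sysctl -w net.ipv4.conf.all.arp_ignore=1\n'
    printf 'sysctl -w net.ipv4.conf.all.arp_announce=2\n'
    printf 'ip addr add %s/32 dev lo\n' "$vip"
    # Rule: replies sourced from IP1 are looked up in the private table.
    printf 'ip rule add from %s/32 table %s priority 100\n' "$vip" "$table"
    # Route: the private table sends everything to the router's gateway.
    printf 'ip route add default via %s table %s\n' "$gw" "$table"
    # Older kernels keep a route cache; flush it so the rule takes effect now.
    printf 'ip route flush cache\n'
}

# Number of iproute2 commands produced; used to sanity-check the generator.
dsr_return_route_count() {
    dsr_return_route_cmds "$1" "$2" "$3" | grep -c '^ip '
}

# Print the plan; apply it only on explicit request (requires root).
if [ "${APPLY:-0}" = "1" ]; then
    dsr_return_route_cmds "$VIP" "$ROUTER_GW" "$TABLE" | sh -e
else
    dsr_return_route_cmds "$VIP" "$ROUTER_GW" "$TABLE"
fi
```

After applying, `ip route get 198.51.100.200 from 203.0.113.10 iif lo` should show the router gateway as the next hop, which is the check that the return path really bypasses the ACE. Note that with this setup the ACE sees only the client-to-server half of each TCP connection, which is exactly why the SYN-flood concern in the post applies: the ACE cannot confirm handshakes it never sees completed.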


