Forum Discussion
Load Balancing Cisco ACS 5.2
I was wondering if anyone is currently load balancing their Cisco ACS deployment behind a BigIP LTM? I have a basic one-arm config setup to redirect TCP 49 and am using SNAT AutoMap to get the traffic to flow correctly between the VS and the nodes.
The only issue I have is with the use of SNAT we lose the source IP. I could set the gateway of the ACS boxes as the LTM, but I was wondering if anyone else had anything different in place.
6 Replies
- JRahm
Admin
I think that'll work only if you put the LTM in bridge mode between ACS and its proper gateway. That way you can intercept and direct without manipulating L3. RADIUS works with one-arm because of UDP, but with TACACS being TCP-based, you'll break the 3-way handshake if you change the SNAT address to the source IP. Another option would be nPath routing, but I doubt ACS supports it.
- coda6_52611
Nimbostratus
That makes sense. I don't see us being able to move the device behind the LTM, so to speak, since I am dealing with different geographical locations and layer 3 boundaries.
I really don't want to try nPath...
Thanks, Jason.
Ken
- Josh_41258
Nimbostratus
Ken,
Did you ever figure out a solution for ACS? I'm looking at the same thing.
Josh
- Josh_41258
Nimbostratus
@Jason,
I'm sort of confused. Are you saying that this will NOT work if I disable SNAT and configure the ACS server's gateway as the BIG-IP?
Thanks,
Josh
- coda6_52611
Nimbostratus
Josh,
He's saying that the only way to preserve the source IP of an ACS request would be to make the BigIP the default gateway for the ACS servers. Then you wouldn't need SNAT.
We made load balancing work; I just couldn't use the configuration with SNAT since our security standards require me to keep the source IP of the requestor.
Ken
- Josh_41258
Nimbostratus
Ken,
Thanks for clarifying. Are you doing anything special with persistence when load balancing TACACS+ requests?
Thanks!
