Cisco Cisco Prime Network Services Controller Adaptor for DFA White Paper

© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
The load balancer and hardware-accelerated ADC can be deployed using any of the first three scenarios discussed in this document, depending on the requirements and each platform's capabilities. However, to make this scenario simpler, the deployment uses scenario 1 to deploy both the load balancer and the hardware-accelerated ADC. Also, each of the two devices in the network needs to perform NAT operations to enforce the return traffic path.
Network autoconfiguration on Cisco Nexus switches dynamically instantiates autoconfiguration profiles anywhere in the fabric, so the load balancer or hardware-accelerated ADC can be placed anywhere in the fabric. However, to optimize fabric utilization, it is recommended to enforce a single location for placement of service nodes. This can be done by designating a single leaf, or a pair of leaf nodes bundled in a virtual PortChannel (vPC+), as service leaves and then attaching the most demanded and most utilized service nodes there. This approach helps ensure that back-end traffic is locally switched on a service leaf and does not need to traverse the fabric across spines.
Note that Layer 3 route peering over vPC+ is supported on the Cisco Nexus 6000 Series and 5600 platform switches, as well as on the Nexus 7000 and Nexus 7700 Series with NX-OS version 7.2.1 or later.
Also note that the "service leaf" designation does not pertain to any special leaf configuration; it is an administrative designation only.
Data Traffic Path in the Fabric 
Figures 19 and 20 show how application data traffic is load-balanced in the DFA fabric in this deployment scenario.
1. Clients external or internal to the fabric request data from the SSL-encrypted web application (TCP port 443), which can be reached through the VIP address (VIP1). The VIP addresses are already configured on the load balancer and shared with the fabric, so any workload or device attached to the fabric in the same VRF instance will be able to reach the desired VIP address.
2. The load balancer is configured to forward any received SSL-encrypted traffic to the hardware-accelerated ADC. The load balancer will perform a SNAT operation to enforce the return path.
3. Upon receipt of the traffic, the hardware-accelerated ADC will decrypt the web traffic, select one of the web servers according to the configured algorithm, and forward the data. Upon forwarding the data, the ADC will perform a NAT operation and also change the destination TCP port from 443 to 81. This process enforces the return path and helps ensure that the web server recognizes that the traffic received on port 81 is decrypted traffic.