Configuration Example: Peer Synchronization For Sandwich Mode - Cisco Nexus 9000 Series Configuration Manual

NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x

Note: Only port filtering is possible using the Layer 4 range operator. Also, the exclude ACL supports only permit entries.
Step 4: Configure the return exclude ACL to exclude all but ports 80 and 443.
ip access-list itd_exclude_return
  10 permit tcp any range 0 79 any
  20 permit tcp any range 81 442 any
  30 permit tcp any range 444 65535 any
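Because the exclude ACL can only list what to skip, the three permit ranges must leave exactly ports 80 and 443 uncovered; an off-by-one in a range boundary silently changes which return traffic ITD redirects. The following Python check is an added example, not part of the Cisco guide: it parses ACL text in the Step 4 form and returns the TCP source ports that no entry excludes. The function names and the off-by-one sample are constructed for illustration.

```python
import re

# Matches entries of the Step 4 form: "<seq> permit tcp any range <lo> <hi> any"
ENTRY = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+tcp\s+any\s+range\s+(\d+)\s+(\d+)\s+any\s*$")

def parse_exclude_acl(text):
    """Return the sorted (lo, hi) source-port ranges of an exclude ACL."""
    ranges = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("ip access-list"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unsupported entry: {stripped!r}")
        seq, action, lo, hi = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        if action != "permit":
            # The guide's note: the exclude ACL supports only permit entries.
            raise ValueError(f"entry {seq}: exclude ACL supports only permit entries")
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"entry {seq}: bad port range {lo}-{hi}")
        ranges.append((lo, hi))
    return sorted(ranges)

def redirected_ports(text):
    """Ports not covered by any exclude range, i.e. still handled by ITD."""
    remaining, next_port = [], 0
    for lo, hi in parse_exclude_acl(text):
        remaining.extend(range(next_port, lo))  # gap before this range
        next_port = max(next_port, hi + 1)      # tolerate overlapping ranges
    remaining.extend(range(next_port, 65536))
    return remaining

# ACL text from Step 4 of the guide.
STEP4_ACL = """\
ip access-list itd_exclude_return
10 permit tcp any range 0 79 any
20 permit tcp any range 81 442 any
30 permit tcp any range 444 65535 any
"""

# Constructed off-by-one variant: entry 20 stops at 441, so port 442 is not excluded.
OFF_BY_ONE_ACL = STEP4_ACL.replace("range 81 442", "range 81 441")

if __name__ == "__main__":
    print(redirected_ports(STEP4_ACL))
    print(redirected_ports(OFF_BY_ONE_ACL))
```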
Step 5: Configure the return ITD service for the return traffic and apply the exclude ACL.
itd Web_proxy_SERVICE
  device-group Web_Proxy_Servers
  exclude access-list itd_exclude_return
  ingress interface Vlan 20    <- Internet-facing ingress interface on the Nexus switch
  failaction node reassign
  load-balance method dst ip    <- Flow symmetry between forward/return flow achieved by flipping the LB parameter
  no shutdown

Configuration Example: Peer Synchronization for Sandwich Mode

Whenever the link to a sandwiched appliance on an ITD peer service goes down, the service sends a notification to its peer indicating that the link to the node is down. The peer service then brings the link down so that no traffic traverses that link.

Without peer synchronization, if the link connected to appliance APP #1 on ITD service A goes down in the following topology and ITD service B is not notified, service B will continue to send traffic to APP #1, and the traffic will be dropped.

The configuration below uses this topology:

Figure 11: Peer Synchronization for Sandwich Mode
