ACE 4170 port redirection in Bridged mode
Hi Friends,
Is it possible to do port redirection on the ACE while it is configured in Bridged Mode? For example, a user accesses the load balancer VIP on port 80 and this is redirected to port 8080 on the backend servers?
I have attached a diagram for easier understanding. Is there a need to configure NAT in such cases?
Any help will be appreciated. Thanks in advance guys.
Hi,
if you want to allow ping to the VIP address, you only need to apply this command in your L3-4 policy map:
loadbalance vip icmp-reply
example:
policy-map multi-match L4-TEST-VIPS
class WWW-TEST
loadbalance vip inservice
loadbalance policy WWW_POLICY
loadbalance vip icmp-reply
more info can be found here:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/slb/guide/classlb.html#wp1000929
If you want ICMP to pass through the ACE to reach the real servers, you need to allow it in an ACL.
Hope this helps,
Dario
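A minimal bridged-mode configuration that does the port translation the original question asks about (VIP on 80, real servers on 8080), as an added example that is not from any post in this thread; VLAN ids, object names and addresses are assumed. The port change is done by the per-rserver port under the serverfarm, and because the ACE sits inline in bridged mode the return traffic already flows back through it, so no client-side NAT is configured here; the `icmp-reply` line is the one Dario's reply describes.

```text
! Added example (not from the thread). Assumed: client VLAN 10, server VLAN 11,
! VIP 10.1.1.100, real servers 10.1.1.11 and 10.1.1.12 listening on 8080.
access-list BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any

! Probe the port the servers really listen on, not the VIP port
probe tcp WWW-8080
  port 8080
  interval 10
  passdetect interval 30

rserver host SRV1
  ip address 10.1.1.11
  inservice
rserver host SRV2
  ip address 10.1.1.12
  inservice

! The trailing port on each rserver line is the port translation: VIP :80 -> real :8080
serverfarm host SF-WWW
  probe WWW-8080
  rserver SRV1 8080
    inservice
  rserver SRV2 8080
    inservice

! Only TCP/80 to the VIP is load balanced; everything else is bridged untouched
class-map match-all VIP-WWW-80
  2 match virtual-address 10.1.1.100 tcp eq www

policy-map type loadbalance first-match LB-WWW
  class class-default
    serverfarm SF-WWW

policy-map multi-match L4-VIPS
  class VIP-WWW-80
    loadbalance vip inservice
    loadbalance policy LB-WWW
    loadbalance vip icmp-reply

! Both VLANs in one bridge group; the L4 policy goes on the client-facing VLAN
interface vlan 10
  description client side
  bridge-group 1
  access-group input BPDU
  access-group input ALL
  service-policy input L4-VIPS
  no shutdown
interface vlan 11
  description server side
  bridge-group 1
  access-group input BPDU
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 10.1.1.9 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 10.1.1.254
```

After a test connection, `show serverfarm SF-WWW` should show the rservers with port 8080 and a non-zero connection count, and `show service-policy L4-VIPS detail` should show hits on the VIP class.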
Similar Messages
-
ACE CRL's download in bridge-mode
Hello
Can anybody explain to me which interface is used by the ACE to download the CRL list, when the ACE is configured in bridge mode with the mac-sticky option?
Thank you in advance for your help
Regards
Lukas
Hi Lukas,
Logically it should be the interface on which ACE is learning the default gateway MAC.
You should see that in show arp output.
Regards,
Kanwal -
Hi All,
I've a quick question about bridged mode in an ACE module.
Is it possible to have the servers on a separate subnet rather than on a directly connected VLAN?
Due to limitations brought on by physical aspects of the setup (and also security policy), I cannot put the ACE right next to the servers. ACE on a stick isn't feasible due to PBR smashing the CPU of the msfc so I'm thinking the ACE needs to be in bridged mode as we have to keep IP address transparency so the servers can perform policy functions based on client IP address.
I've attached a .jpg illustrating the basic setup.
The pertinent question I guess is: Can we use the ACE to load balance to servers that are NOT on the bridged VLAN subnet and will also quite possibly be on different subnets themselves?
Any suggestions are very much appreciated.
Thanks All!
Brad
Hi Brad,
As long as there is one to one nat on the firewall it should work just fine.
Even though the servers will be one subnet away but the natted IP will act as local IP for the ACE.
For config reference look at the following link :
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
hope that helps.
regards,
Ajay Kumar -
I have FIOS and the latest version of the Airport Extreme Basestation set up in bridge mode.
OK need some technical answers I have FIOS and am forced to use their Router. I have WiFi turned off on the FIOS router and my New version Airport Extreme Basestation set up in Bridge Mode. I have CAD 5 running to all my Mac computers and a CAD 5 up to the second floor. I have an older version Airport Extreme Basestation that I would like to connect to the CAD 5 cable on the second floor where the WiFi signal is weak as the main Airport is in the basement. How would I connect the second Airport to the Airport that is in Bridge Mode? Will this setup mess up my signal strength on either CAD 5 or WiFi? I will also have one Macbook Pro plugged into the upstairs Airport. This is mainly for the WiFi for my iPad and iPhone. Details will help. Thanks.
How would I connect the second Airport to the Airport that is in Bridge Mode?
Connect from a LAN <-> port on the Bridge Mode AirPort to the WAN "O" port on the second floor AirPort and then use AirPort Utility on a Mac or iPad to set things up.
Will this setup mess up my signal strength on either CAD 5 or WiFi?
Nothing will be messed up, and you will have a much stronger WiFi signal upstairs.
If you need more details on setup.....we need to know.....
1) What model number of AirPort Extreme will be upstairs. The model number is usually embedded in the foam base on the bottom of the device. Starts with an "A" followed by four numbers. Example.....A1143.
2) What operating system you are using on your Mac, or whether you want to use the iPad for the setup...assuming that the upstairs AirPort is compatible. -
ACE 4710 in bridge mode not working
I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
I am not able to ping servers as well as gateway. Below are the topology and context configuration:
Router (vlan 13: IP 172.16.11.254)
|
ACE (int gig1/2)
|
L2 Switch
|
Servers (vlan 11: IP 172.16.11.1 and 11.2)
Admin Context
===========
resource-class rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
boot system image:c4710ace-mz.A3_2_4.bin
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 11,13
no shutdown
interface gigabitEthernet 1/3
shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 172.16.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.16.254
context test
allocate-interface vlan 11
allocate-interface vlan 13
member rc1
test Context
=========
access-list bpdu-fixup ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
rserver host srv1
ip address 172.16.11.1
inservice
rserver host srv2
ip address 172.16.11.2
inservice
serverfarm host srv
rserver srv1
inservice
rserver srv2
inservice
sticky ip-netmask 255.255.255.255 address both SG1
timeout 120
serverfarm srv
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
class-map match-all slb-vip
2 match virtual-address 172.16.11.10 any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
sticky-serverfarm SG1
policy-map multi-match client-vips
class slb-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 11
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 172.16.11.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.16.11.254
Could you please suggest where I am going wrong?
Thanks,
Pawan
"I tried trunk port also but it got disabled" <----- if your L2 config is not correct, nothing will work.
What is the setup on the switch ? Trunk or access vlan ?
What is the status of the interface ? up ? down ?
Do you see something in your arp table ?
Gilles. -
Ace module in bridged mode with client nat
Could someone confirm whether NAT is supported for the ACE-20 module, please?
Let me explain the technical details.
I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
if the configuration below is correct. The ACE module should be configured in bridge mode with two
VLANs - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
"policy-map type loadbalance".
Could you check the two parts of the configs and advise me if the ACE config is
properly converted from CSM and will be working in the same way (especially for NAT)?
Thank you in advance.
CSM config
=======
vlan 36 client
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
gateway 10.36.3.1
vlan 436 server
ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
sticky 30 netmask 255.255.255.255 address source timeout 60
probe SHAREPOINT tcp
interval 30
failed 120
open 3
port 80
probe WEBMAIL-443 tcp
interval 5
failed 60
open 2
port 443
serverfarm WEBMAIL-443
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 443
inservice
real 10.36.3.102 443
inservice
probe WEBMAIL-443
serverfarm WEBMAIL-80
nat server
nat client WEB-MAIL
predictor leastconns
real 10.36.3.101 80
inservice
real 10.36.3.102 80
inservice
probe SHAREPOINT
vserver WEBMAIL-443
virtual 10.36.3.100 tcp https
serverfarm WEBMAIL-443
sticky 60 group 30
replicate csrp sticky
replicate csrp connection
persistent rebalance
inservice
vserver WEBMAIL-80
virtual 10.36.3.100 tcp www
serverfarm WEBMAIL-80
replicate csrp connection
persistent rebalance
inservice
ACE config
=======
probe tcp WEBMAIL-443
interval 5
open 2
passdetect interval 60
port 443
probe tcp SHAREPOINT
interval 30
open 3
passdetect interval 120
port 80
serverfarm host WEBMAIL-443
predictor leastconns
probe WEBMAIL-443
rserver 10-36-3-101 443
inservice
rserver 10-36-3-102 443
inservice
serverfarm host WEBMAIL-80
predictor leastconns
probe SHAREPOINT
rserver 10-36-3-101 80
inservice
rserver 10-36-3-102 80
inservice
class-map match-all WEBMAIL-80
match virtual-address 10.36.3.100 tcp eq www
class-map match-all WEBMAIL-443
match virtual-address 10.36.3.100 tcp eq https
sticky ip-netmask 255.255.255.255 address source 30
serverfarm WEBMAIL-443
replicate sticky
timeout 60
policy-map type loadbalance first-match WEBMAIL-80
class class-default
serverfarm WEBMAIL-80
nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
class class-default
sticky-serverfarm 30
nat dynamic 1025 vlan 436 serverfarm primary
parameter-map type http HTTP_ADV_OPT
persistence-rebalance
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
interface vlan 36
bridge-group 36
service-policy input IFVLAN36-POLICY
mac-sticky enable
no shutdown
interface vlan 436
bridge-group 36
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
no shutdown
interface bvi 36
ip address 10.36.3.3 255.255.255.0
peer ip address 10.36.3.4 255.255.255.0
no shutdown
Hello F.Makarenko-
You will want to use PAT while you do nat, so change the natpool configuration to this:
nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
You also need to apply the nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
nat dynamic 1025 vlan 436
If you are going to build out a lot of classes, you can instead do source nat like this:
policy-map multi-match IFVLAN36-POLICY
class WEBMAIL-80
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-80
loadbalance vip inservice
loadbalance vip icmp-reply active
class WEBMAIL-443
appl-parameter http advanced-options HTTP_ADV_OPT
loadbalance policy WEBMAIL-443
loadbalance vip inservice
loadbalance vip icmp-reply active
class class-default
nat dynamic 1025 vlan 436
Regards,
Chris Higgins -
ACE problem - bridge mode - behind a firewall
Hello
We are having problems with one of our ACE contexts; this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE Vip
2. At the same time it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
bridge-group 2
no normalization
mac-sticky enable
access-group input PERMITALL
service-policy input VLAN10-INTER-MMPM
no shutdown
interface vlan 15
bridge-group 2
no normalization
access-group input PERMITALL
no shutdown
interface bvi 2
ip address 192.168.100.7 255.255.255.192
alias 192.168.100.6 255.255.255.192
peer ip address 192.168.100.8 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
Damian
Thanks for replying James,
I am sure I configured the capture only for VLAN10 which is in the VIP side.
But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still on the testing stage. So it would be good time to make changes.
Do you normally implement a routed setup behind a firewall? Rather than a bridged one...
It is quite a small setup:
• Traffic is coming from a separate local subnet
• Traffic is not coming from the internet so it does not require NAT
• We need 1 VIP listening on two ports
• The backend servers are four Linux boxes
Thanks again,
Damian -
ACE dropped conns problem (Bridged mode)
Dear all,
I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the 2 VLAN interface to loadbalance HTTP incoming request (Virtual IP: 172.22.22.130).
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
But I also need some other servers connected to the same vlan 2112 to send HTTP requests to the same VIP, but this fails and I get dropped conns.
Can anyone help?
Regards
Abdelaziz
Hi Olivier,
Below is the full config, and my need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130 for rservers .131 & .132). Traffic from the outside is working well.
Thanx,
Abdelaziz
Generating configuration....
access-list BPDU-Allow ethertype permit bpdu
probe tcp HTTPS
port 443
interval 15
passdetect interval 15
passdetect count 1
probe icmp PING
interval 5
rserver host CASHUB131
ip address 172.22.22.131
inservice
rserver host CASHUB132
ip address 172.22.22.132
inservice
serverfarm host SFARM-EXCAS130
probe HTTPS
rserver CASHUB131
inservice
rserver CASHUB132
inservice
parameter-map type connection TCP_IDLE_30min
set timeout inactivity 1800
class-map match-all CLASS-L4-VIP-EXCAS130
2 match virtual-address 172.22.22.130 any
class-map type management match-any REMOTE-ACCESS
description management ACE
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
31 match protocol https any
32 match protocol snmp any
policy-map type management first-match REMOTE-MGT
class REMOTE-ACCESS
permit
policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
class class-default
serverfarm SFARM-EXCAS130
policy-map multi-match POLICY-LB-HMC-2112
class CLASS-L4-VIP-EXCAS130
loadbalance vip inservice
loadbalance policy POLICY-L7-VIP-EXCAS130
loadbalance vip icmp-reply
connection advanced-options TCP_IDLE_30min
interface vlan 2112
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface vlan 2122
bridge-group 1
access-group input BPDU-Allow
service-policy input POLICY-LB-HMC-2112
no shutdown
interface bvi 1
ip address 172.22.22.250 255.255.255.0
peer ip address 172.22.22.251 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 172.22.22.254 -
Port forwarding but can only connect to wifi in Bridge Mode
Hi
Our ISP is TalkTalk and we use their Fibre service which connects through a BT Open Reach Modem. The TalkTalk router seemed to be causing drop outs in wifi on my macbook pro so I bought an Airport Time Capsule for the wifi router and to back up my mac.
We aren't issued with PPPoE details and the advice from the TalkTalk community was to connect with the Router in Bridge Mode. This has worked a treat with the various Apple and non Apple items we have in our house except one.
We have security cameras which we control through a Windows laptop and can view on our phones. To make this happen we have to set up port forwarding. However, we can't do this as it's in Bridge Mode (as far as I understand).
I'm afraid my knowledge of these things is very basic so I'm hoping that someone will have an easy answer to this. Anyone got any advice on how I can make this pretty white box do its stuff please?
Thanks in advance!
No idea what a double NAT is but you clearly do so here goes...
traceroute 8.8.8.8 on the mac gives as follows:
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 6.246 ms 2.840 ms 2.875 ms
2 89-168-80-1.dynamic.dsl.as9105.com (89.168.80.1) 14.513 ms 14.967 ms 20.831 ms
3 host-78-151-225-23.static.as13285.net (78.151.225.23) 19.752 ms 20.399 ms 28.106 ms
4 host-78-151-229-12.as13285.net (78.151.229.12) 19.760 ms
host-78-151-225-140.static.as13285.net (78.151.225.140) 18.391 ms
host-78-151-225-136.static.as13285.net (78.151.225.136) 18.467 ms
5 host-78-144-8-11.as13285.net (78.144.8.11) 29.582 ms
host-78-144-8-53.as13285.net (78.144.8.53) 31.276 ms
host-78-144-8-5.as13285.net (78.144.8.5) 27.278 ms
6 72.14.214.222 (72.14.214.222) 37.593 ms 25.132 ms
72.14.242.127 (72.14.242.127) 30.195 ms
7 209.85.252.188 (209.85.252.188) 27.070 ms
209.85.252.186 (209.85.252.186) 77.680 ms
209.85.252.188 (209.85.252.188) 24.477 ms
8 209.85.253.90 (209.85.253.90) 24.506 ms
209.85.253.196 (209.85.253.196) 29.255 ms
209.85.253.90 (209.85.253.90) 26.403 ms
9 66.249.95.173 (66.249.95.173) 41.521 ms
72.14.232.134 (72.14.232.134) 35.473 ms 30.789 ms
10 209.85.251.231 (209.85.251.231) 30.069 ms
216.239.49.45 (216.239.49.45) 31.578 ms
209.85.252.83 (209.85.252.83) 31.383 ms
11 * * *
12 google-public-dns-a.google.com (8.8.8.8) 38.442 ms 30.063 ms 30.282 ms
traceroute 8.8.8.8 on the mac plugged into the HG533 gives as follows:
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 0.999 ms 0.679 ms 0.668 ms
2 89-168-80-1.dynamic.dsl.as9105.com (89.168.80.1) 13.577 ms 12.817 ms 13.668 ms
3 host-78-151-225-23.static.as13285.net (78.151.225.23) 16.828 ms 15.490 ms 24.315 ms
4 host-78-151-225-140.static.as13285.net (78.151.225.140) 18.755 ms
host-78-151-225-30.static.as13285.net (78.151.225.30) 20.538 ms
78.151.229.0 (78.151.229.0) 19.488 ms
5 host-78-144-8-29.as13285.net (78.144.8.29) 23.690 ms
host-78-144-8-39.as13285.net (78.144.8.39) 26.756 ms
host-78-144-8-59.as13285.net (78.144.8.59) 23.145 ms
6 72.14.242.127 (72.14.242.127) 24.608 ms 26.403 ms
72.14.214.222 (72.14.214.222) 22.601 ms
7 209.85.255.78 (209.85.255.78) 26.205 ms 23.783 ms
209.85.252.186 (209.85.252.186) 25.291 ms
8 209.85.253.94 (209.85.253.94) 25.553 ms
209.85.253.196 (209.85.253.196) 58.607 ms 31.902 ms
9 66.249.95.173 (66.249.95.173) 49.369 ms
72.14.232.134 (72.14.232.134) 32.418 ms 32.654 ms
10 72.14.238.43 (72.14.238.43) 34.146 ms
209.85.252.83 (209.85.252.83) 34.292 ms
216.239.49.45 (216.239.49.45) 29.860 ms
11 * * *
12 google-public-dns-a.google.com (8.8.8.8) 36.619 ms 36.902 ms 29.731 ms
Hope this gives the result we're after -
Port forwarding for Mac that shares internet to Airport in bridge mode?
I use Air Video server, which allows me to stream movies from my Mac to my iPhone or iPad. It sits on port 45631 and that's closed.
I recently moved from NYC to CO, and because of my cable modem not being compatible with my older Airport router, I must use my Mac Pro to forward my Internet service from one Ethernet port to another - so that my older Airport Extreme can then broadcast wirelessly.
Since I use the AirPort in bridge mode, and the Mac is forwarding the connection - how do I forward the port so Air Video can send through to the internet?
thanks for ANY help, I'm a bit lost here -
How to plug a hard drive on the USB port of a Time Capsule. TC in bridge mode
Hello
I would like to connect a hard drive to the USB port of a Time Capsule. This is for saving files (different from the Time Machine backups). I am struggling to get it working; it seems that I can see the HD under "drives or discs" (running Snow Leopard in French) from the AirPort Utility but I can't access it.
The TC is in bridge mode.
Thanks for help and guidances.
Best
Pierre
The question is clear enough.. I just don't understand why you are having issues.
Can you see in the internal disk of the TC in the finder?
What format are you using on this disk? Try and format it HFS+ if it isn't already.
If you plug it directly into the Mac it works ok??
The other issue is the need for a powered hub on the TC due to the low power it gives the internal port.. or lack of bios compatibility with a range of usb hub chips. Try a powered hub as that can also help. -
How to use SNMP to access interface counters for WAN port when not in bridged mode
Hi All,
Can't fault my timecapsule, however just struggling to get one little bit of functionality working. I'm keen to get access to the WAN port interface counter information via SNMP, so I can track total bandwidth/throughput & also volume.
I have no issue getting SNMP to work & can see the 2.4 & 5.0GHz network counters, also total number of WIFI clients, wlan0, wlan1 and bridge0 interfaces. Trouble is none of these are the WAN/external ethernet port.
I see that it is likely that I'm trying to find the vlan1 port, however from what I'm reading this may only be available when the device is running in a routed mode (I'm running in bridge mode).
Anyone able to suggest anything?
On some cable modems you can turn off NAT.. and then use the TC in router mode.. or even use DMZ if the cable router allows that.
Have you ever looked at gargoyle router firmware and its ability to count and quota all clients connecting to internet service.. it is a simply fantastic firmware and can be loaded onto a router that costs $70-130 dollars.. it is 3rd party but very solid if you choose the right combo.
http://www.gargoyle-router.com/wiki/doku.php?id=screenshots -
Design question: ACE module connected to 2 different L3 engine while in bridge mode
fellow engineers,
I have been working on a design model, where the ACE module will provide SLB for both virtual and real servers. We have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
configured in bridge mode.
The MSFC within the 6509 provides the L3 routing. However we may extend multiple VLANs (v160-v163) via the Nexus switch layer (7k,5k,2k) to a FW appliance which now is the SVI interface for the extended VLANs. These VLANs will be configured on a dedicated context.
The extension is based on the bridge mode operation as follows:
Need help with the following:
1) If I have 4 BVIs configured, do I need to have a default route configured?
2) My total count for VLANs is: v160-v163 for server VLANs, and v101 is the management VLAN. The SVI for this VLAN is on the MSFC card. The server GWs are pointing to each dedicated SVI on the FW+L3 appliance.
3) If my default route on the context is pointing to the v160 SVI on the FW+L3 engine, will that prevent the return traffic for other VLANs (v161-v163) from the ACE toward the client?
4) Is a default route necessary if you have the ACE in bridge mode?
It was brought to my attention that if you have multiple VLANs configured in bridge mode pointing to another L3 engine, then each VLAN would have to be configured on a separate context since you can only have one default route per context.
I appreciate any feedback on this inquiry. If you need additional information please let me know.
Thanks and best regards,
raman azizian
Hi Raman,
You can have up to eight default routes in one context. What the ACE does with the entries is to create an ARP entry with the name GATEWAY. If you need more than eight entries, just declare the gateways as rservers. In that case the ARP entry is stored as RSERVER instead of GATEWAY. The trick is to tell the ACE to learn the MAC address for the IP address and store it in the ARP table. The ACE never learns a MAC address by itself. Don't forget mac-sticky enable on the VLANs facing the gateways.
I'm running one context in bridge mode and have 18 BVIs with FW and Router 6509 as gateways.
Example:
Interface to ROUTER 6509
interface vlan 300
bridge-group 300
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan300
no shutdown
rserver host 300GATEWAY
ip address 164.135.121.47
inservice
A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47 00.08.e3.ff.fc.14 vlan300 RSERVER 4775 239 sec up
A#1/prod1#
Interface to FIREWALL
interface vlan 802
bridge-group 802
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan802
no shutdown
rserver host 802GATEWAY
ip address 192.168.137.1
inservice
192.168.137.1 00.23.33.6a.bf.80 vlan802 RSERVER 4785 5 sec up
Regards
Mats -
Share Airport Connection to Ethernet port in BRIDGE mode?
I've been trying to do this for a while now, but I haven't been able.
I have the modem form my ISP hooked to a Airport Express configured in BRIDGE mode, thus creating a wireless network for my home with "live" IPs for all the computers (yes... I know the security risks...).
My G4 (across the room) gets Internet from its Airport Card and I configured the Share Internet preference pane to "Share the Internet Connection from the Airport to the Ethernet Port", so I can create (...extend, really) a WIRED network from my G4's Ethernet Port.
The thing is that I want this wired network to also have "live" IPs, but the Airport Card always has "Distribute IP Addresses" (or its equivalent, from the Airport Admin Setup) activated, so it provides a 192.168.X.X network and I can't find a way to turn that off.
In other words, I want it to act as a BRIDGE and not as a DHCP Server.
Anyone?
TIA
I was trying to use IPNetShareX to configure it, but I didn't find a way. I'll keep looking...
http://www.sustworks.com/site/prodgnatoverview.html
Thanks anyway -
Trouble with bridge mode and port forwarding
I have a Westell Model 6100F DSL modem in bridge mode into my network and I'm having trouble forwarding ports. Is there any general guidance available to do this? I have set up many of my friends' networks to allow port forwarding but all have been on other service providers, mainly cable (my experience). My network is the only one I have had trouble with.
Basically, my question is, while in bridge mode, does the modem forward all incoming traffic to my NAT router or do I need to apply special port forwarding settings in the modem to allow this?
If bridge mode is the reason I cannot forward the ports, can someone explain how to set the Westell 6100F back to factory defaults so I can start over.
Any other suggestions?
Thanks in advance.
Paul
If bridge mode is set up correctly, your router should be holding the Public IP address (basically not something that is a 192.168 address) as shown at http://www.whatismyip.com/ and compared against what IP your router has.
If your router has the public IP, all problems lie with either your router or your PC's firewall and configuration. I'd check out portforward.com for some guides on forwarding ports for your router or particular application if you need some additional help.
========
The first to bring me 1Gbps Fiber for $30/m wins!