ACE Bridge-mode: How to do FT?

Similar Messages

• ACE bridge mode , FWSM routed mode

  i have the following senario:
  MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
  FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
  ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
  vlan 180 is the server side vlan
  i want he FWSM ip address to be the Server gateway while ACE module in
  bridge mode
  i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
  ACE
  if i change ACE to routed mode , i can ping to FWSM
  any body can help me in this issue?

  The config looks good.
  I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
  Is evertyhing else working ?
  Like ping through the ACE module ?
  Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
  Gilles.

• ACE bridged mode

  Hi All,
  I've a quick question about bridged mode in an ACE module.
  Is it possible to have the servers on a separate subnet rather than on a directly connected VLAN? 
  Due to limitations brought on by physical aspects of the setup (and also security policy), I cannot put the ACE right next to the servers. ACE on a stick isn't feasible due to PBR smashing the CPU of the msfc so I'm thinking the ACE needs to be in bridged mode as we have to keep IP address transparency so the servers can perform policy functions based on client IP address.
  I've attached a .jpg illustrating the basic setup.
  The pertinent question i guess is:  Can we use the ACE to loadbalance to servers that are NOT on the bridged VLAN subnet and will also quite possibly be on different subnets themselves?
  Any suggestions are very much appreciated.
  Thanks All!
  Brad

  Hi Brad,
  As long as there is one to one nat on the firewall it should work just fine.
  Even though the servers will be one subnet away but the natted IP will act as local IP for the ACE.
  For config reference look at the following link :
  http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
  hope that helps.
  regards,
  Ajay Kumar

• EA6700 in Bridge Mode, How to change password

  Evening all....another frustrating day trying to use my highly limited network skills.
  Have an EA6700 in bridge mode to extend wireless signal to my gym (read garage with a rowing machine in it!) .... main router is an EA9600. Both units working fine but when I set up the EA6700 Bridge, I left the default password setup instead of making the password the same as the EA9600.
  So if I understand right, EA9600 has dhcp on and is 192.168.1.1.....EA6700 Bridge has 192.168.1.138 (this is the IP I read from the device page of the EA9600. I switched dchp off and optioned bridge mode. 
  I cannot get to the admin page of the EA6700 to change the password. If I put 192.168.1.138 in the google box it comes back with nothing. As I say, this IP comes from the device page of the EA6900.
  Anyone point me in the right direction to get to the configuration page of the EA6700 Bridge to change the password to the same as the main EA9600 please? It sounds simple but many hours later :-( .... the perils of an amateur hour trying do tech things.
  Just to note, devices in the garage (Sonos box, Panasonic TV, very old Sony laptop) are all hard wired to the EA6700 and work fine for music and video....the reason for the wireless is to connect to a Chromecast in the back of the TV. Also works great I just can't change anything.
  Many thanks for any help you can give me .... think I'm close to answer but as normal missing key componets of knowledge

  ...ouch feared you might say that.
  So essentially if you elect to go with bridge mode can you access the configuration pages ...if you have the IP number.
  Now as it goes I also have an EA6500 which I'm trying to do the same thing on....e.g bridge mode access point for Chromecast and music bits. So I could try that without spoiling (in the first instance) what I already have working.
  I have a proceedure for setting the unit into bridge mode (in fact I'm fairly sure one of you network hero's ...Furry Nutz / BigDave pointed me towards some time back) .... but everytime I do it......10 second reset / 30 second power off / re-power up.....it still refuses to find 192.168.1.1
  If I swap out the main EA9600 router and put the EA6500 in place, I can get the dchp switched down, the IP address changed and bridge mode set. But If I just connect it to a laptop and reset/poweron/off, the laptop network dialog box just keeps going through a re-boot sequence. I tried a second laptop in case there was something odd on mine....same thing.
  Any ideas why the EA6500 won't play well directly connected to the laptop RJ45?
  Thanks for the support as always guys

• ACE bridge mode not working

  Folks,
  I am trying to configure ACE in transparent mode and it is not working, i can browse to the servers directly,but when i try to hit the vip , I do not get any webpages, all keepalives are up and everything is in inservice.
  hostname abc
  boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
  access-list ANY line 8 extended permit ip any any
  rserver host rs1
  ip address 1.1.1.1
  inservice
  rserver host rs2
  ip address 1.1.1.2
  inservice
  serverfarm host SF1
  rserver rs1
  inservice
  rserver rs2
  inservice
  class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
  class-map match-all VIP
  2 match virtual-address 1.1.1.3 any
  class-map type http loadbalance match-any src1
  2 match source-address 0.0.0.0 0.0.0.0
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  policy-map type loadbalance first-match R-Policy
  class class-defaut
  serverfarm SF1
  policy-map multi-match R-LB
  class VIP
  loadbalance vip inservice
  loadbalance policy R-Policy
  loadbalance vip icmp-reply active
  loadbalance vip advertise
  interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
  interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 1.1.1.5

  I made some progress, but still it is not working.
  When the server behind the ACE module default gateway is set to the firewall, i can telnet to the vip at port 80,but i still do not see the page when i open the browser and point to the vip. here are the outputs.
  hostname RBharti
  boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
  access-list ANY line 8 extended permit ip any any
  rserver host rs1
  ip address 1.1.1.1
  inservice
  rserver host rs2
  ip address 1.1.1.3
  inservice
  serverfarm host SF1
  rserver rs1
  inservice
  rserver rs2
  inservice
  class-map type management match-any REMOTE_ACCESS
  10 match protocol telnet any
  20 match protocol ssh any
  30 match protocol icmp any
  class-map match-all VIP
  2 match virtual-address 1.1.1.5 any
  policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
  class REMOTE_ACCESS
  permit
  policy-map type loadbalance first-match R-Policy
  class class-default
  serverfarm SF1
  policy-map multi-match R-LB
  class VIP
  loadbalance vip inservice
  loadbalance policy R-Policy
  loadbalance vip icmp-reply active
  loadbalance vip advertise
  interface vlan 3
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  service-policy input R-LB
  no shutdown
  interface vlan 4
  bridge-group 1
  access-group input ANY
  access-group output ANY
  service-policy input REMOTE_MGMT_ALLOW_POLICY
  no shutdown
  interface bvi 1
  ip address 1.1.1.4 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 202.137.232.193
  Ri/Admin# sh service-policy
  Policy-map : R-LB
  Status : ACTIVE
  Interface: vlan 3
  service-policy: R-LB
  class: VIP
  loadbalance:
  L7 loadbalance policy: Rediff-Policy
  VIP Route Metric : 77
  VIP Route Advertise : DISABLED
  VIP ICMP Reply : ENABLED-WHEN-ACTIVE
  VIP State: INSERVICE
  curr conns : 0 , hit count : 54
  dropped conns : 54
  client pkt count : 81 , client byte count: 3888
  server pkt count : 0 , server byte count: 0

• ACE - bridged mode - blocking Traffic

  Hi
  Just a short question. Is an ACE blocking traffic from a Source if the mac-address of that source is not in the ARP/MAC table? No security feature is enabled. The sniffer shows, that the packet is not going through. Other traffic works fine. So no problem with incoming ACL or something else. Any reason for that.
  Cheers
  patrick

  Patrick,
  indeed, if the src mac is not in the arp table, we can't setup a flow entry for that traffic and it is dropped.
  We should first learn the mac-address from arp traffic.
  Also check the following command to see if that helps:
  switch/Admin(config-if)# arp inspection validate src-mac ?
  flood Enable the flood option
  no-flood Enable the no flood option
  Carriage return.
  Gilles.

• Client/Bridge Mode: How to Setup AE to do WiFi-to-Ethernet

  I'm trying to set up the AE as follows:
  cablemodem
  <wired-to> dlink-DIR825-dual-band-wiress-router
  <dual-wifi-over-the-air-to> AirPort Extreme 80211n Wi-Fi
  <wired-to> Ethernet-Switch
  <wired-to> multiple computers (PCs, Macs, Unix), printers, etc.
  The Apple Store folks told me that I could do the above, but the manual that came with the AE did not show how to do this. Can anyone explain how to do the above configuration?
  Many thanks!
  Steve Amerige

  Sorry but Bob's comments are NOT correct and this is NOT possible. The AirPort Extreme base station (AEBS) can ONLY wireless join a network if that wireless network is created by another AEBS, an AirPort Express (AX), or a Time Capsule.
  A Time Capsule can join the wireless network provided by the D-Link but the Ethernet ports on the Time Capsule would NOT be active.
  An AX can join the wireless network provided by the D-Link but the Ethernet ports on the Time Capsule would ONLY be active if the D-Link is compatible with ProxySTA.

• ACE redundancy with bridge mode

  I need configure redundancy between two ACE modules (no problem). There is context in bridge mode. My question is, in which state is standby context. Is it in blocked state (that means, it not ansfer to any L2 requests) similar as for example ASA? I need explain loop-free topology.
  can anybody explain me, how it works?

  Yes, that's correct.
  If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
  Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
  access-list NONIP ethertype permit bdpu
  int vlan 10 ! client-side
  access-group input NONIP
  int vlan 20 ! server-side
  access-group input NONIP
  more info:
  http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
  Please rate if this was useful for you.
  Kind regards,
  Dario

• ACE 4710 in bridge mode

  Hi,
  We got new ACE 4710 device and i am trying to configure that in Bridging mode.
  I am trying to loadbalance between two servers which is connected as shown below:
  Servers -> Switch -> Router (with subinterface).
  Servers IP: 172.16.11.1 and 172.16.11.2
  Router IP: 172.16.11.254
  Default route is router IP address for servers.
  I am new to ACE and I am confused about how to assign interface on ACE so that ACE can bridge the traffic between router and servers VLAN.
  We have some more servers which are on different VLAN but can connect to these servers as router is doing inter-vlan routing too.
  I want inter-vlan routing and load balancing between above two servers concurrently. Pls. help in this regard.
  Also attaching the ACE config file.

  Here is the config, hope this will help.
  Admin Context
  =============
  resource-class ngmp_rc1
  limit-resource all minimum 0.00 maximum unlimited
  limit-resource sticky minimum 0.20 maximum unlimited
  interface gigabitEthernet 1/1
  switchport access vlan 1000
  no shutdown
  interface gigabitEthernet 1/2
  switchport trunk allowed vlan 10,13
  no shutdown
  interface gigabitEthernet 1/3
  no shutdown
  interface gigabitEthernet 1/4
  shutdown
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any remote_access
  2 match protocol xml-https any
  3 match protocol icmp any
  4 match protocol telnet any
  5 match protocol ssh any
  6 match protocol http any
  7 match protocol https any
  8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
  class remote_access
  permit
  interface vlan 1000
  ip address 192.168.16.16 255.255.255.0
  access-group input ALL
  service-policy input remote_mgmt_allow_policy
  no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.16.254
  context apps
  allocate-interface vlan 10
  allocate-interface vlan 13
  member apps_rc1
  APPS Context
  ============
  rserver host srv1
  ip address 192.168.10.1
  inservice
  rserver host srv2
  ip address 192.168.10.2
  inservice
  rserver host srv3
  ip address 192.168.10.3
  inservice
  serverfarm host apps_srv
  rserver srv1
  inservice
  rserver srv2
  inservice
  rserver srv3
  inservice
  class-map match-all ftp-vip
  2 match virtual-address 172.16.10.10 tcp eq ftp
  class-map match-all http-vip
  2 match virtual-address 172.16.10.11 tcp eq 8080
  class-map type management match-any remote-mgmt
  201 match protocol snmp any
  202 match protocol ssh any
  203 match protocol icmp any
  204 match protocol http any
  205 match protocol https any
  206 match protocol xml-https any
  policy-map type management first-match remote-mgmt
  class remote-mgmt
  permit
  policy-map type loadbalance first-match slb
  class class-default
  serverfarm apps_srv
  policy-map multi-match client-vips
  class ftp-vip
  loadbalance vip inservice
  loadbalance policy slb
  loadbalance vip icmp-reply
  inspect ftp
  class http-vip
  loadbalance vip inservice
  loadbalance policy slb
  loadbalance vip icmp-reply
  interface vlan 10
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  no shutdown
  interface vlan 13
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  access-group output ALL
  service-policy input remote-mgmt
  service-policy input client-vips
  no shutdown
  interface bvi 1
  ip address 192.168.10.9 255.255.255.0
  no shutdown
  ip route 0.0.0.0 0.0.0.0 192.168.10.254
  Thanks,
  Pawan

• ACE in bridge mode with FWSM as gateway

  our design
  FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
  originally there were no plans of servers looking to load balance traffic when they wanted to communicate each other. now there is a need this
  since ACE is in bridge mode, there are no ip address to VLAN configured on it and cant do source NAT
  what we want servers in serverfarm A can contact a single ip which can be load balanced and traffic to be sent to serverfarm B. both serverfarms reside in vlan 8 and ace is in bridge. with VLAN not having IP how can we get this working. we were looking to create a policy on ACE with an ip address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
  with FWSM as the default gateway, by enabling permit intra traffic , it doesnt work because the command routes the traffic, dont think will send the traffic back to the same vlan
  e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
  so when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM but fwsm doesnt look for 10.7.8.13
  with ACE in bridge and FWSM doing above how to get around. can something be done on ACE in bridge mode with source NAT
  Thanks

  First, why don't you have an ip in your ACE vlan ?
  Then, for traffic hitting a vip, we can do source nating even in bridge mode.
  But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
  The FWSM should then send the request back to ACE (not sure how this can be done).
  So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
  So your policy-map with client nat must be on vlan 7.
  Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
  In this case, the policy-map will have to be in vlan 8 with client-nat.
  Gilles.

• How do I configure my Airport Extreme to work in Bridge Mode and provide specific IP addresses to clients

  My Airport Extreme is working with an Airport Express to wirelessly extend my wireless network.  Both Airports are configured in Bridge Mode per the instructions I found on Apple's support site.  I want to assign a specific DHCP address to a wireless camera that is in range of the Extreme, but I understand that the Extreme needs to be in DHCP Only mode to do this.  But if I change the mode to DHCP Only, the Extreme will lose contact with the Express.  How can I get both functions to work - wireless network extension and specific DHCP addresses?

  Then what device is providing DHCP? Only once device per subnet should be the DHCP server. One should be DHCP and NAT and the other in Bridge mode for most home setups. The unit with DHCP and NAT should be the one connected to your cable or DSL and the other set in Bridge mode only extends your network.
  On the wireless config page set whichever you're using to extend your network to "Extend a wireless network" and give it the details of the network to which you're attaching it.

• How do I set up time capsule to just backup multiple macs on a wireless network without using the TC in the bridge mode?

  I have an AT&T modem that serves as our home wireless network.  I wanted to backup up our computer data so I got a time capsule to back up our three household MACs.  After purchase, I found how that I needed to put the exising modem in "bridge mode" so the Time capsule would establish the network. Four frustrating hours later talking to 3 different people at Yahoo, I got the **** thing established.  It worked fine for 4 months - then a power failure forced me to repeat the process again.  I had to reestablish everything and it took another 4 hours.  After 6 months, another power failure forced me to go through the entire process again.  Now, of course, Yahoo is charging a fee to help you establish the TC as the network if you have one of their modems - and to make things interesting, they really don't understand MACs.  After 5 hours, in frustration, I gave up and asked the Yahoo folks to just put their modem back in as the network hub and I unplugged the Time Capsule.  Now after 3 months of looking at an expensive Time Capsule and searching the internet for help, I figured I try the Apple help network,
  I just want to backup the data on my MACS.  I have a network in the house that works just fine.  How do I configure the TC to work as a backup on a wireless network?  It seems like it should be simple, but it isn't.  Can anybody help?

  I have no idea about the modem and bridge mode (I don't do networking -- hopefully Bob Timmons, Tesserax, or one of the other networking gurus will drop in and address that).
  But . . . you should be able to back up to the TC as long as it's on your network and recognized by your Macs.  I think being in bridge mode means it will be rather slow, but it should work.  Until/unless we hear otherwise, you might want to see #Q1 in Using Time Machine with a Time Capsule.

• How do I set up OpenDNS to work with my Time Capsule running 7.7.3 in Bridge Mode?

  How do I set up OpenDNS to work with my Time Capsule running 7.7.3 in Bridge Mode?

  Set up your "main" router to use the OpenDNS servers, and the Time Capsule will automatically pick up those settings. No configuration is needed on the Time Capsule.

• How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

  How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

  The Guest Network function of the Time Capsule and AirPort Extreme cannot be enabled when the device is in Bridge Mode. Unfortunately, with another router...the Telus...upstream on your network, Bridge Mode is indicated as the correct setting for all other routers on the network.
  If you can replace the Telus gateway with a simple modem (that performs no routing functions), you should be able to configure either the Time Capsule or the AirPort Extreme....whichever is connected to the modem....to provide a Guest Network.

• ACE 4710 in bridge mode not working

  I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
  I am not able to ping servers as well as gateway. Below are the topology and context configuration:
  Router   (vlan 13: IP 172.16.11.254)
       |
  ACE     (int gig1/2)
       |
  L2 Switch
       |
  Servers (vlan 11: IP 172.16.11.1 and 11.2)
  Admin Context
  ===========
  resource-class rc1
    limit-resource all minimum 0.00 maximum unlimited
    limit-resource sticky minimum 0.20 maximum unlimited
  boot system image:c4710ace-mz.A3_2_4.bin
  interface gigabitEthernet 1/1
    switchport access vlan 1000
    no shutdown
  interface gigabitEthernet 1/2
    switchport trunk allowed vlan 11,13
    no shutdown
  interface gigabitEthernet 1/3
    shutdown
  interface gigabitEthernet 1/4
    shutdown
  access-list ALL line 8 extended permit ip any any
  access-list everyone line 8 extended permit ip any any
  access-list everyone line 16 extended permit icmp any any
  class-map type management match-any remote_access
    2 match protocol xml-https any
    3 match protocol icmp any
    4 match protocol telnet any
    5 match protocol ssh any
    6 match protocol http any
    7 match protocol https any
    8 match protocol snmp any
  policy-map type management first-match remote_mgmt_allow_policy
    class remote_access
      permit
  interface vlan 1000
    ip address 172.16.16.16 255.255.255.0
    access-group input ALL
    service-policy input remote_mgmt_allow_policy
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.16.254
  context test
    allocate-interface vlan 11
    allocate-interface vlan 13
    member rc1
  test Context
  =========
  access-list bpdu-fixup ethertype permit bpdu
  access-list ALL line 8 extended permit ip any any
  access-list ALL line 16 extended permit icmp any any
  rserver host srv1
    ip address 172.16.11.1
    inservice
  rserver host srv2
    ip address 172.16.11.2
    inservice
  serverfarm host srv
    rserver srv1
      inservice
    rserver srv2
      inservice
  sticky ip-netmask 255.255.255.255 address both SG1
    timeout 120
    serverfarm srv
  class-map type management match-any remote-mgmt
    201 match protocol snmp any
    202 match protocol ssh any
    203 match protocol icmp any
    204 match protocol http any
    205 match protocol https any
    206 match protocol xml-https any
  class-map match-all slb-vip
    2 match virtual-address 172.16.11.10 any
  policy-map type management first-match remote-mgmt
    class remote-mgmt
      permit
  policy-map type loadbalance first-match slb
    class class-default
      sticky-serverfarm SG1
  policy-map multi-match client-vips
    class slb-vip
      loadbalance vip inservice
      loadbalance policy slb
      loadbalance vip icmp-reply
  interface vlan 11
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    no shutdown
  interface vlan 13
    bridge-group 1
    access-group input bpdu-fixup
    access-group input ALL
    access-group output ALL
    service-policy input remote-mgmt
    service-policy input client-vips
    no shutdown
  interface bvi 1
    ip address 172.16.11.9 255.255.255.0
    no shutdown
  ip route 0.0.0.0 0.0.0.0 172.16.11.254
  Could you pls. suggest where I am doing wrong?
  Thanks,
  Pawan

  " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
  What is the setup on the switch ? Trunk or access vlan ?
  What is the status of the interface ? up ? down ?
  Do you see something in your arp table ?
  Gilles.