ACE - bridged mode - blocking Traffic

Hi
Just a short question. Is an ACE blocking traffic from a Source if the mac-address of that source is not in the ARP/MAC table? No security feature is enabled. The sniffer shows, that the packet is not going through. Other traffic works fine. So no problem with incoming ACL or something else. Any reason for that.
Cheers
patrick

Patrick,
indeed, if the src mac is not in the arp table, we can't setup a flow entry for that traffic and it is dropped.
We should first learn the mac-address from arp traffic.
Also check the following command to see if that helps:
switch/Admin(config-if)# arp inspection validate src-mac ?
flood Enable the flood option
no-flood Enable the no flood option
Carriage return.
Gilles.

Similar Messages

ACE bridge mode , FWSM routed mode

i have the following senario:
MSFC ---vlan 777----FWSM----vlan160---ACE----VLAN180
FWSM is working in routed mode and vlan 777 is shared between the MSFC and FWSM
ACE is working in bridged mode and vlan 160 is shared between the FWSM and ACE
vlan 180 is the server side vlan
i want he FWSM ip address to be the Server gateway while ACE module in
bridge mode
i create bvi interface but i can't ping from ACE to FWSM or from FWSM to
ACE
if i change ACE to routed mode , i can ping to FWSM
any body can help me in this issue?

The config looks good.
I would look at the arp table on FWSM and ACE when the ping fails and also capture a sniffer trace of ACE tengig interface and see if the ping request goes out - on which vlan - and if we get a response.
Is evertyhing else working ?
Like ping through the ACE module ?
Your config does not show a 'no shutdown' on the vlan interface, but I assume you fixed that already.
Gilles.

ACE bridged mode

Hi All,
I've a quick question about bridged mode in an ACE module.
Is it possible to have the servers on a separate subnet rather than on a directly connected VLAN?
Due to limitations brought on by physical aspects of the setup (and also security policy), I cannot put the ACE right next to the servers. ACE on a stick isn't feasible due to PBR smashing the CPU of the msfc so I'm thinking the ACE needs to be in bridged mode as we have to keep IP address transparency so the servers can perform policy functions based on client IP address.
I've attached a .jpg illustrating the basic setup.
The pertinent question i guess is: Can we use the ACE to loadbalance to servers that are NOT on the bridged VLAN subnet and will also quite possibly be on different subnets themselves?
Any suggestions are very much appreciated.
Thanks All!
Brad

Hi Brad,
As long as there is one to one nat on the firewall it should work just fine.
Even though the servers will be one subnet away but the natted IP will act as local IP for the ACE.
For config reference look at the following link :
http://docwiki.cisco.com/wiki/Basic_Load_Balancing_Using_Bridged_Mode_on_the_Cisco_Application_Control_Engine_Configuration_Example
hope that helps.
regards,
Ajay Kumar

ACE Bridge-mode: How to do FT?

Dear All,
I've set up a test user context in Bridge mode on an ACE blade and now want to set up FT to a second blade. The manuals have confused me slightly and most of the examples I have seen relate to routed mode.
In my topology I have Router1 connected to Router2 which has the ACE blade. Router1 is also connected to Router3 which is in turn connected to Router4 which contains a second ACE blade.
Do I create an identical configuration for the context on the second blade and how to I define the FT vlan?
The current configuration and toplogy are attached. Any pointers would be much appreciated.
Thank you
Cathy

Gilles,
The Admin Guide warns about the use of the force option (7-20) - and the command itself warns of possible network disruption.
Without the force option these are the states of the two blades:
ace1/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 200
My Net Priority : 200
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 08:10:30 2007
No. of Contexts : 1
Context Name : Test
Context Id : 2
ace2/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_HOT
My Config Priority : 100
My Net Priority : 100
My Preempt : Enabled
Peer State : FSM_FT_STATE_ACTIVE
Peer Config Priority : 200
Peer Net Priority : 200
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 08:10:29 2007
No. of Contexts : 1
Context Name : Test
Context Id : 1
switchover
ace1/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_STANDBY_BULK
My Config Priority : 200
My Net Priority : 200
My Preempt : Disabled
Peer State : FSM_FT_STATE_ACTIVE
Peer Config Priority : 100
Peer Net Priority : 100
Peer Preempt : Enabled
Peer Id : 1
Last State Change time : Tue Sep 18 09:31:20 2007
No. of Contexts : 1
Context Name : Test
Context Id : 2
ace2/Admin# sh ft gro 1 de
FT Group : 1
Configured Status : in-service
Maintenance mode : MAINT_MODE_OFF
My State : FSM_FT_STATE_ACTIVE
My Config Priority : 100
My Net Priority : 100
My Preempt : Enabled
Peer State : FSM_FT_STATE_STANDBY_HOT
Peer Config Priority : 200
Peer Net Priority : 200
Peer Preempt : Disabled
Peer Id : 1
Last State Change time : Tue Sep 18 09:31:33 2007
No. of Contexts : 1
Context Name : Test
Context Id : 1
I can ping my PC from the standby blade, but a traceroute to the VIP for the webservers still shows it going to the router housing the primary ACE blade even though the context on the standby blade is active.
Thanks
Cathy

ACE bridge mode not working

Folks,
I am trying to configure ACE in transparent mode and it is not working, i can browse to the servers directly,but when i try to hit the vip , I do not get any webpages, all keepalives are up and everything is in inservice.
hostname abc
boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
access-list ANY line 8 extended permit ip any any
rserver host rs1
ip address 1.1.1.1
inservice
rserver host rs2
ip address 1.1.1.2
inservice
serverfarm host SF1
rserver rs1
inservice
rserver rs2
inservice
class-map type management match-any REMOTE_ACCESS
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
class-map match-all VIP
2 match virtual-address 1.1.1.3 any
class-map type http loadbalance match-any src1
2 match source-address 0.0.0.0 0.0.0.0
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match R-Policy
class class-defaut
serverfarm SF1
policy-map multi-match R-LB
class VIP
loadbalance vip inservice
loadbalance policy R-Policy
loadbalance vip icmp-reply active
loadbalance vip advertise
interface vlan 3
bridge-group 1
access-group input ANY
access-group output ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 4
bridge-group 1
access-group input ANY
access-group output ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input R-LB
no shutdown
interface bvi 1
ip address 1.1.1.4 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 1.1.1.5

I made some progress, but still it is not working.
When the server behind the ACE module default gateway is set to the firewall, i can telnet to the vip at port 80,but i still do not see the page when i open the browser and point to the vip. here are the outputs.
hostname RBharti
boot system image:c6ace-t1k9-mz.3.0.0_A1_6_1.bin
access-list ANY line 8 extended permit ip any any
rserver host rs1
ip address 1.1.1.1
inservice
rserver host rs2
ip address 1.1.1.3
inservice
serverfarm host SF1
rserver rs1
inservice
rserver rs2
inservice
class-map type management match-any REMOTE_ACCESS
10 match protocol telnet any
20 match protocol ssh any
30 match protocol icmp any
class-map match-all VIP
2 match virtual-address 1.1.1.5 any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
policy-map type loadbalance first-match R-Policy
class class-default
serverfarm SF1
policy-map multi-match R-LB
class VIP
loadbalance vip inservice
loadbalance policy R-Policy
loadbalance vip icmp-reply active
loadbalance vip advertise
interface vlan 3
bridge-group 1
access-group input ANY
access-group output ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
service-policy input R-LB
no shutdown
interface vlan 4
bridge-group 1
access-group input ANY
access-group output ANY
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface bvi 1
ip address 1.1.1.4 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 202.137.232.193
Ri/Admin# sh service-policy
Policy-map : R-LB
Status : ACTIVE
Interface: vlan 3
service-policy: R-LB
class: VIP
loadbalance:
L7 loadbalance policy: Rediff-Policy
VIP Route Metric : 77
VIP Route Advertise : DISABLED
VIP ICMP Reply : ENABLED-WHEN-ACTIVE
VIP State: INSERVICE
curr conns : 0 , hit count : 54
dropped conns : 54
client pkt count : 81 , client byte count: 3888
server pkt count : 0 , server byte count: 0

ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reacheable.

I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverpharm but doesn't belong at this serverfarm.
I Thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass. (trasperent mode) Is it correct ?
What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
In rispect at the following configuration 10.10.10.168 isn't reacheable
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
    inservice
rserver RS_WEB2
    inservice
rserver RS_WEB3
    inservice
rserver RS_WEB4
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
    sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
    sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco

Hi Francesco,
Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
Regards,
Kanwal

ACE30_MOD-K9 in bridge mode. Individual servers in the same vlan of rserver not reach.

I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with his real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverpharm but doesn't belong at this serverfarm.
I Thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass. (trasperent mode) Is it correct ?
What does ACE in bridge mode with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
In rispect at the following configuration 10.10.10.168 isn't reacheable
access-list INBOUND line 8 extended permit ip any any
access-list INBOUND line 16 extended permit icmp any any
probe http HTTP_PROBE1
expect status 200 200
rserver host RS_WEB1
ip address 10.10.10.163
inservice
rserver host RS_WEB2
ip address 10.10.10.164
inservice
rserver host RS_WEB3
ip address 10.10.10.165
inservice
rserver host RS_WEB4
ip address 10.10.10.167
inservice
serverfarm host SF_FIREGROUP
rserver RS_WEB1
    inservice
rserver RS_WEB2
    inservice
rserver RS_WEB3
    inservice
rserver RS_WEB4
    inservice
sticky ip-netmask 255.255.255.255 address source sticky-ip
replicate sticky
serverfarm SF_FIREGROUP
sticky http-cookie myCookie sticky-cookie
cookie insert browser-expire
serverfarm SF_FIREGROUP
class-map match-any VS_FIREGROUP
2 match virtual-address 10.10.10.169 tcp eq www
4 match virtual-address 10.10.10.169 tcp eq 8081
5 match virtual-address 10.10.10.169 tcp eq 8082
6 match virtual-address 10.10.10.169 tcp eq 8083
7 match virtual-address 10.10.10.169 tcp eq 8084
8 match virtual-address 10.10.10.169 tcp eq 8085
9 match virtual-address 10.10.10.169 tcp eq 8097
class-map match-any VS_FIREGROUP_HTTPS
2 match virtual-address 10.10.10.169 tcp eq https
policy-map type loadbalance first-match HTTP
class class-default
    sticky-serverfarm sticky-cookie
policy-map type loadbalance first-match HTTPS
class class-default
    sticky-serverfarm sticky-ip
policy-map multi-match HTTP_HTTPS_MULTI_MATCH
class VS_FIREGROUP
    loadbalance vip inservice
    loadbalance policy HTTP
    loadbalance vip advertise active
class VS_FIREGROUP_HTTPS
    loadbalance vip inservice
    loadbalance policy HTTPS
    loadbalance vip advertise active
interface vlan 4
bridge-group 1
access-group input INBOUND
service-policy input HTTP_HTTPS_MULTI_MATCH
no shutdown
interface vlan 700
bridge-group 1
access-group input INBOUND
no shutdown
interface bvi 1
ip address 10.10.10.150 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.10.1
Thanks a lot
Francesco

Hi Francesco,
Just to add more a bit, A bridge group is very similar to routed mode except ACE cannot NAT pass through traffic, vlan's cannot be shared and couple of other things but client's should be able to access the server as in before.
But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
Regards,
Kanwal

Difference between bridge mode and routed mode on CSS

Hi,
Could some one tell me the difference between routed mode and bridge mode.
Regards
Neha

Hi,
routed mode:
The CSS acts as a router, it routes packets from the client to the server. The server has the ACE configured as default-gateway.
There is a client-side VLAN and a server-side VLAN. These VLANs have different subnets.
Bridged mode:
The CSS acts as a bridge, it switches frames from the client to the server. The server has the upstream router configured as default-gateway.
There is a client-side VLAN and a server-side VLAN. These VLANs have the same subnet, but different VLAN IDs. The ACE bridges the client traffic from the client-side VLAN to the server-side VLAN.
Bridged mode would be most used in case one cannot change the servers IP addresses, or if address space is an issue.
Hope this helps.
Kind regards,
Dario

Design question: ACE module connected to 2 different L3 engine while in bridge mode

fellow engineers,
i have been working on a design model , where the ACE mldule will provide SLB for both virtual and real servers. we have been deploying several UCS systems and the customer would like to use the ACE as our Enterprise SLB layer
configured in bridcge mode.
the msfc within the 6509 provide the L3 routing. however we may extends multiple vlans (v160-v163) via nexus switch layer (7k,5k,2k) to a FW appliance which now is the svi interface for the extended vlans. these vlans will be configured on a dedicated context.
the extension is based on the bridge mode operation as follow:
need help with the following:
1) if i have 4 bvi's configured, do i need to have default route configured?
2) my total count for vlans are: v160-v163 for server vlans, and v101 is the management vlan. the svi for this vlan is on the msfc card. the server GW are pointing to each dedicated svi's on the FW+L3 apliance.
3) if my default route on the context is pointing to the v160 svi on the FW+L3 engine, will that prevent the return traffic for other vlans ( v161-v163) from the ace toward the client?
4) is default route neccessary if you hae the ace in bridge mode.
it was brought to my attention that if you have multiple vlans configured in bridge mode pointing to another L3 engine, then each vlan would have to be configured on seperate context since you can only have one default route per context.
i appreciate any feedback on this inquiry. if you need additional information please le me know.
thanks and best regards,
raman azizian

Hi Raman,
You can have up to eight default routes in one context. What the ACE is doing with the entries is to create a ARP-entry with the name GATEWAY. If you need more then eight entries, just declare gateway as rservers. In that case the ARP-entry is stored as RSERVER instead of GATEWAY. The trick is to tell ACE to learn the MAC-address for the IP-address and store it int the ARP-table. The ACE never learn for itself a MAC-address. Don't forget mac-sticky enable on vlan's facing gateway.
I'm running one context in bridge mode and have 18 bvi's with FW and Router 6509 as gateways.
Exampel:
Interface to ROUTER 6509
interface vlan 300
bridge-group 300
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan300
no shutdown
rserver host 300GATEWAY
ip address 164.135.121.47
inservice
A#1/prod1# sho arp | i 164.135.121.47
164.135.121.47 00.08.e3.ff.fc.14 vlan300   RSERVER    4775   239 sec      up
A#1/prod1#
Interface to FIREWALL
interface vlan 802
bridge-group 802
no normalization
mac-sticky enable
access-group input BPDU
access-group input alla
access-group output alla
service-policy input lb-int-vlan802
no shutdown
rserver host 802GATEWAY
ip address 192.168.137.1
inservice
192.168.137.1   00.23.33.6a.bf.80 vlan802   RSERVER    4785   5 sec        up
Regards
Mats

ACE problem - bridge mode - behind a firewall

Hello
We are having problems with one of you ACE context, this implementation was done by a supplier and I am trying to troubleshoot it.
The clients and the servers are on different subnets, there is a Nokia firewall in the middle. The firewalls are setup on a cluster.
Connecting to port 7072 is taking at least 30 seconds. If I move the server into the VLAN in front of the ACE, the connection is instant. So it does indicate a problem on the ACE.
The client IP is .99.11.
The VIP is .100.62 and the server node is .100.12.
Running the capture command I can see the following behavior:
1. The client initiates the connection to the ACE Vip
2. At the same time it looks like a second connection is initiated from the client to the server node
Please see attachment.
Is this a normal situation where the connection is duplicated?
Does this interface setup look correct?
Is the bridge mode the correct setup in this scenario?
interface vlan 10
bridge-group 2
no normalization
mac-sticky enable
access-group input PERMITALL
service-policy input VLAN10-INTER-MMPM
no shutdown
interface vlan 15
bridge-group 2
no normalization
access-group input PERMITALL
no shutdown
interface bvi 2
ip address 192.168.100.7 255.255.255.192
alias 192.168.100.6 255.255.255.192
peer ip address 192.168.100.8 255.255.255.192
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.100.1
Many thanks,
Damian

Thanks for replying James,
I am sure I configured the capture only for VLAN10 which is in the VIP side.
But you are right, it looks like is showing both VLAN10 and VLAN15. So that is one of my theories out of the window! :)
This is a new installation, still on the testing stage. So it would be good time to make changes.
Do you normally implement a routed setup behind a firewall? Rather than a bridgedâ¦.
It is quite a small setup:
â¢ Traffic is coming from a separate local subnet
â¢ Traffic is not coming from the internet so it does not required a NAT
â¢ We need 1 VIP listening on two ports
â¢ The backend servers are four Linux boxes
Thanks again,
Damian

ACE; Dynamic SNAT in bridge mode without Dnat (VIP) needed

Hi,
We are interested about the ACE NAT performance. We would like to use this module just for the SNAT feature and only in bridge mode (to facilitate the ACE integration in the current network).
the configuration could be similar to this one:
class-map PrivateSource
match source-address 10.0.0.0 255.0.0.0
policy-map multimatch SourceNat
class PrivateSource
nat dynamic 1 vlan X
interface vlan X (incoming traffic from the source)
bridge-group 1
service-policy in SourceNat
nat-pool 1 publicIP netmask A.B.C.D pat
interface vlan Y
bridge-group 1
Could anyone confirm if this feature is supported on the ACE and if the above configuration could be a good one?
Many thanks for your help.
Regards/Ludovic.

Ludovic,
ACE does not NAT bridged traffic.
You could catch it with a catch-all-destination class-map
ie:
class-map all
match virtual 0.0.0.0 0.0.0.0 any
And use a transparent serverfarm sending all traffic to a unique default gateway.
That would work.
Gilles.

PBR with ACE in bridge mode

I have one ACE configured in bridge mode.
for proxy users : they have the VIP as proxy so the traffice from the client with destination the VIP
but there are some users without proxy so we used the Policy Base Routing and it is working and can see the connections on the ACE
but with destination IP of the websites so the traffice is not comming back as show below
BC-LB1/BlueCoat# sho conn | include 10.1.50.10
1782765 1 in TCP 210 10.1.50.10:52052 67.195.160.76:80 SYNSEEN
1355728 1 out TCP 210 67.195.160.76:80 10.1.50.10:52052 INIT
BC-LB1/BlueCoat#
in the PBR , we used the VIP as next hop address.
please advice what is the problem?
thanks in advance

Good afternoon,
As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that also the return traffic is matched and sent to the ACE
Regards
Daniel

ACE redundancy with bridge mode

I need configure redundancy between two ACE modules (no problem). There is context in bridge mode. My question is, in which state is standby context. Is it in blocked state (that means, it not ansfer to any L2 requests) similar as for example ASA? I need explain loop-free topology.
can anybody explain me, how it works?

Yes, that's correct.
If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
Create an ACL that permits BPDUs and configure it on the both ACEs on the client- and serverside:
access-list NONIP ethertype permit bdpu
int vlan 10 ! client-side
access-group input NONIP
int vlan 20 ! server-side
access-group input NONIP
more info:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
Please rate if this was useful for you.
Kind regards,
Dario

ACE 4710 in bridge mode

Hi,
We got new ACE 4710 device and i am trying to configure that in Bridging mode.
I am trying to loadbalance between two servers which is connected as shown below:
Servers -> Switch -> Router (with subinterface).
Servers IP: 172.16.11.1 and 172.16.11.2
Router IP: 172.16.11.254
Default route is router IP address for servers.
I am new to ACE and I am confused about how to assign interface on ACE so that ACE can bridge the traffic between router and servers VLAN.
We have some more servers which are on different VLAN but can connect to these servers as router is doing inter-vlan routing too.
I want inter-vlan routing and load balancing between above two servers concurrently. Pls. help in this regard.
Also attaching the ACE config file.

Here is the config, hope this will help.
Admin Context
=============
resource-class ngmp_rc1
limit-resource all minimum 0.00 maximum unlimited
limit-resource sticky minimum 0.20 maximum unlimited
interface gigabitEthernet 1/1
switchport access vlan 1000
no shutdown
interface gigabitEthernet 1/2
switchport trunk allowed vlan 10,13
no shutdown
interface gigabitEthernet 1/3
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.16.254
context apps
allocate-interface vlan 10
allocate-interface vlan 13
member apps_rc1
APPS Context
============
rserver host srv1
ip address 192.168.10.1
inservice
rserver host srv2
ip address 192.168.10.2
inservice
rserver host srv3
ip address 192.168.10.3
inservice
serverfarm host apps_srv
rserver srv1
inservice
rserver srv2
inservice
rserver srv3
inservice
class-map match-all ftp-vip
2 match virtual-address 172.16.10.10 tcp eq ftp
class-map match-all http-vip
2 match virtual-address 172.16.10.11 tcp eq 8080
class-map type management match-any remote-mgmt
201 match protocol snmp any
202 match protocol ssh any
203 match protocol icmp any
204 match protocol http any
205 match protocol https any
206 match protocol xml-https any
policy-map type management first-match remote-mgmt
class remote-mgmt
permit
policy-map type loadbalance first-match slb
class class-default
serverfarm apps_srv
policy-map multi-match client-vips
class ftp-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
inspect ftp
class http-vip
loadbalance vip inservice
loadbalance policy slb
loadbalance vip icmp-reply
interface vlan 10
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
no shutdown
interface vlan 13
bridge-group 1
access-group input bpdu-fixup
access-group input ALL
access-group output ALL
service-policy input remote-mgmt
service-policy input client-vips
no shutdown
interface bvi 1
ip address 192.168.10.9 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 192.168.10.254
Thanks,
Pawan

ACE in bridge mode with FWSM as gateway

our design
FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
originally there were no plans of servers looking to load balance traffic when they wanted to communicate each other. now there is a need this
since ACE is in bridge mode, there are no ip address to VLAN configured on it and cant do source NAT
what we want servers in serverfarm A can contact a single ip which can be load balanced and traffic to be sent to serverfarm B. both serverfarms reside in vlan 8 and ace is in bridge. with VLAN not having IP how can we get this working. we were looking to create a policy on ACE with an ip address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
with FWSM as the default gateway, by enabling permit intra traffic , it doesnt work because the command routes the traffic, dont think will send the traffic back to the same vlan
e.g static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
so when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM but fwsm doesnt look for 10.7.8.13
with ACE in bridge and FWSM doing above how to get around. can something be done on ACE in bridge mode with source NAT
Thanks

First, why don't you have an ip in your ACE vlan ?
Then, for traffic hitting a vip, we can do source nating even in bridge mode.
But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
The FWSM should then send the request back to ACE (not sure how this can be done).
So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
So your policy-map with client nat must be on vlan 7.
Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
In this case, the policy-map will have to be in vlan 8 with client-nat.
Gilles.

ACE - bridged mode - blocking Traffic

Similar Messages

Maybe you are looking for