ACE ethertype ACL & bpdu

Hopefully an easy one to solve, I'm new to ACE appliances.
I have two ACE appliances in bridged mode and configured as redundant pairs, they are connected to two separate 6500 switches. What I am seeing in the switch logs is the following error:
%SPANTREE-SP-2-LOOPGUARD_BLOCK: Loop guard blocking port Port-channel1 on VLAN066
The bridged vlans are 66 & 76.
I have "access-list bpduallow ethertype permit any" in my config and it is assigned to both of the bridged vlans, on both ACE appliances, with "access-group input bpduallow".
Is this correct or do I need a specific "access-list bpduallow ethertype permit bpdu" entry in the ACL? I would have thought the "permit any" included it.
And if this is correct and allowing bpdu packets through, why would I be getting the error on the switch?
Thanks
Mel

It's the switch IOS version that is at fault not the ACE
https://supportforums.cisco.com/message/614359
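The first question above is really a per-interface check: every member of the bridge group needs an inbound ethertype ACL that lets BPDUs through, or the upstream switch's loop guard will see the VLAN go quiet. The script below is an added example (not from the forum threads or from Cisco); it parses ACE-style running-config text, with a constructed sample inline, and reports for each bridge-group member interface whether an applied ethertype ACL allows BPDUs. It assumes, as the original poster did, that "ethertype permit any" covers BPDUs, and that an interface with no ethertype ACL applied drops non-IP frames.

```python
"""Audit an ACE bridged-mode context for BPDU pass-through.

Added example, not taken from the forum threads above. The config text
below is constructed for this example; interface and ACL names are made up.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: bridge-group 1 is half-configured (vlan 13 has no
# ethertype ACL), bridge-group 2 explicitly denies BPDUs, bridge-group 3 is fine.
SAMPLE_CONFIG = """\
access-list bpdu-fixup ethertype permit bpdu
access-list BPDU-Block ethertype deny bpdu
access-list BPDU-Block ethertype permit any
access-list ALL line 8 extended permit ip any any
interface vlan 11
  bridge-group 1
  access-group input bpdu-fixup
  access-group input ALL
  no shutdown
interface vlan 13
  bridge-group 1
  access-group input ALL
  no shutdown
interface vlan 21
  bridge-group 2
  access-group input BPDU-Block
  no shutdown
interface vlan 31
  bridge-group 3
  access-group input bpdu-fixup
  no shutdown
interface vlan 32
  bridge-group 3
  access-group input bpdu-fixup
  no shutdown
interface bvi 1
  ip address 172.16.11.9 255.255.255.0
  no shutdown
"""


@dataclass
class Iface:
    name: str
    bridge_group: Optional[str] = None
    input_acls: List[str] = field(default_factory=list)


def parse_ace_config(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]], Dict[str, Iface]]:
    """Return (ethertype_acls, interfaces).

    ethertype_acls: ACL name -> ordered (action, ethertype) entries.
    interfaces: "vlan 11" style name -> Iface with bridge-group and input ACLs.
    Extended ACLs are deliberately ignored; they never match non-IP frames.
    """
    ethertype_acls: Dict[str, List[Tuple[str, str]]] = {}
    interfaces: Dict[str, Iface] = {}
    current: Optional[Iface] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level command
            current = None
            m = re.match(r"access-list (\S+) ethertype (permit|deny) (\S+)$", line)
            if m:
                ethertype_acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
                continue
            m = re.match(r"interface (\S+ \S+)$", line)
            if m:
                current = Iface(m.group(1))
                interfaces[current.name] = current
            continue
        if current is None:                   # sub-command of something we skip
            continue
        sub = line.strip()
        m = re.match(r"bridge-group (\S+)$", sub)
        if m:
            current.bridge_group = m.group(1)
        m = re.match(r"access-group input (\S+)$", sub)
        if m:
            current.input_acls.append(m.group(1))
    return ethertype_acls, interfaces


def acl_allows_bpdu(entries: List[Tuple[str, str]]) -> bool:
    """First-match evaluation of an ethertype ACL against a BPDU frame.

    Assumption: 'any' matches BPDUs. No matching entry means implicit deny.
    """
    for action, etype in entries:
        if etype in ("bpdu", "any"):
            return action == "permit"
    return False


def audit_bpdu(text: str) -> Dict[str, str]:
    """Verdict per bridge-group member interface; non-bridged interfaces are skipped."""
    acls, ifaces = parse_ace_config(text)
    verdicts: Dict[str, str] = {}
    for name, iface in ifaces.items():
        if iface.bridge_group is None:
            continue
        applied = [a for a in iface.input_acls if a in acls]
        if not applied:
            verdicts[name] = "no ethertype ACL applied: BPDUs dropped"
        elif any(acl_allows_bpdu(acls[a]) for a in applied):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "ethertype ACL blocks BPDUs"
    return verdicts


def bridge_group_summary(text: str) -> Dict[str, bool]:
    """True for a bridge group only if every member interface forwards BPDUs."""
    _, ifaces = parse_ace_config(text)
    verdicts = audit_bpdu(text)
    summary: Dict[str, bool] = {}
    for name, iface in ifaces.items():
        if iface.bridge_group is not None:
            ok = verdicts[name] == "ok"
            summary[iface.bridge_group] = summary.get(iface.bridge_group, True) and ok
    return summary


if __name__ == "__main__":
    for iface, verdict in audit_bpdu(SAMPLE_CONFIG).items():
        print(f"{iface:12} {verdict}")
    print(bridge_group_summary(SAMPLE_CONFIG))
```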

Similar Messages

  • ACE VIP & ACL

    Hi,
    The ACE config contains more than 20 service-policies and many VIP addresses. The ACE works in L3 mode.
    We have to restrict traffic to one of the VIPs to 6 nodes only from the public side.
    How can I restrict the traffic with an ACL in the L3 class map?
    Different policies use the servers on the server-side VLAN, thus we would not like to use a general traffic ACL under the server VLAN configuration.
    Unfortunately, only one entry is permitted in the L3 class map!
    However, this one entry is the virtual-address row.
    What is the smart solution in this case (VIP & ACL together)?
    Regards,

    Hi,
    I think the easier way that you can do this is using a HTTP class-map (regardless of the load balanced protocol, weird eh?)
    Instead of an ACL you would use the match source-address command to specify the source allowed to make it to the servers.
    Here is how it looks:
    class-map type http loadbalance match-any Hosts
      10 match source-address 192.168.10.20 255.255.255.255
      11 match source-address 192.168.10.21 255.255.255.255
      12 match source-address 192.168.10.22 255.255.255.255
    class-map match-any Internet
      2 match virtual-address 192.168.20.15 tcp eq www
    policy-map type loadbalance first-match Internet-FMP
      class Hosts
        serverfarm Backend
    policy-map multi-match CLIENT-VIPS
      class Internet
        loadbalance vip inservice
        loadbalance policy Internet-FMP
        loadbalance vip icmp-reply active
    Hope this helps!
    Pablo

  • Can Extended and Ethertype (input) ACLs be applied to the same interface?

    Hello team:
    Is it possible to apply one Extended ACL and one Ethertype ACL, in input mode, to the same interface?
    Thank you very much in advance.
    Mariela Musitani

    Thank you very much Borys. I assumed that it was possible, but the documentation was not clear in this context.
    regards, Mariela

  • Delay in ping through ACE

    Hi,
    Topology:
    HOST1 <- ACE <- MSFC -> FWSM -> HOST2
    When I ping HOST1 from HOST2, I 'sometimes' experience a delay in starting the ping. However, once the ping starts it continues without a problem. The issue is only while starting the ping, i.e. it halts for 3, 5, 10, 15 seconds and then starts getting echo-responses.
    Now, HOST1 is on the Server Vlan of the ACE module. So it is bridged to the client vlan which is defined on the MSFC.
    Would you know of any reason why the start of the ping responds late? And this does not happen every time.
    Could it be an ARP-related problem?
    Thanks.

    Since you are running a redundant pair of ACEs in bridge mode, I would like you to check the following items:
    1. Have you disabled BPDU guard & Loopguard on the cat?
    You should have following configured on cat6k
    no spanning-tree portfast bpduguard default
    no spanning-tree loopguard default
    2. Are you allowing BPDUs to pass through ACE
    It can be done using an ethertype ACL to permit BPDUs and this
    ACL should be applied to both bridged vlan interfaces.
    access-list xyz ethertype permit bpdu
    To capture packets passing through ACE, you will need to do the following.
    Type 'monitor session 10 source interface port-channel 2xy both'
    Where 2xy is 256 + slot number of ACE.
    3. Type 'monitor session 10 destination interface fastEthernet a/b'
    Where a/b is a port that you plug your PC in on the cat
    4. Run Ethereal on your PC
    Syed Iftekhar Ahmed

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck in the physical interface configuration. I have configured gig1/2 of the ACE as a trunk port and on the layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried a trunk port also but it got disabled due to a BPDU error.
    I am not able to ping servers as well as gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you please suggest where I am going wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch ? Trunk or access vlan ?
    What is the status of the interface ? up ? down ?
    Do you see something in your arp table ?
    Gilles.

  • ACE - SSL Termination is not working

    HTTPS is not working from official IE browser but it is working from test Firefox browser. However HTTP is working with both IE and Firefox browsers. This is true for multiple implementations on the ACE service module with SSL termination.
    ACE software 3.0(0)A1(4a)
    IE v6 SP3 Cipher 128
    Firefox v3.6.3
    Sample configuration:
    access-list FT ethertype permit bpdu
    access-list ALL-ACCESS extended permit icmp any any
    access-list ALL-ACCESS extended permit ip any any
    crypto chaingroup ROOT-CERT
      cert abc.PEM
      cert xyz.PEM
    parameter-map type ssl SSL-PARAMETER-1
      cipher RSA_WITH_RC4_128_MD5
      cipher RSA_WITH_RC4_128_SHA
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
      cipher RSA_WITH_AES_256_CBC_SHA
      cipher RSA_EXPORT1024_WITH_DES_CBC_SHA
    parameter-map type ssl SSL-PARAMETER-2
      cipher RSA_WITH_AES_128_CBC_SHA priority 2
    ssl-proxy service SSL-1
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-1
    ssl-proxy service SSL-2
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
      ssl advanced-options SSL-PARAMETER-2
    ssl-proxy service SSL-3
      key KEY-1.PEM
      cert CERT-1.PEM
      chaingroup ROOT-CERT
    rserver host server1
      ip address 10.100.15.89
      inservice
    rserver host server2
      ip address 10.100.15.121
      inservice
    probe http PROBE-1
      interval 30
      faildetect 2
      request method get url /keepalive.htm
      expect status 200 200
    serverfarm host SERVERFARM-1
      probe PROBE-1
      rserver server1 80
        inservice
      rserver server2 80
        inservice
    sticky ip-netmask 255.255.255.255 address both STICKY-1
      timeout 30
      replicate sticky
      serverfarm SERVERFARM-1
    class-map type management match-any REMOTE-ACCESS
      match protocol icmp any
      match protocol snmp any
      match protocol ssh any
      match protocol https any
    class-map match-all VIP-1
      match virtual-address 10.100.15.140 tcp eq https
    class-map match-all VIP-2
      match virtual-address 10.100.15.140 tcp eq www
    policy-map type management first-match REMOTE-ACCESS
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-1
      class class-default
        sticky-serverfarm STICKY-1
    policy-map multi-match LB-1
      class VIP-1
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1
        ssl-proxy server SSL-1
    (I have tried with ssl-proxy server SSL-2 and ssl-proxy server SSL-3 but it did not help)
    policy-map multi-match LB-2
      class VIP-2
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        loadbalance policy POLICY-1
    interface vlan 15
      description client vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      service-policy input LB-1
      service-policy input LB-2
      no shutdown
    interface vlan 2015
      description server vlan
      bridge-group 15
      mac-sticky enable
      access-group input FT
      access-group input ALL-ACCESS
      access-group output ALL-ACCESS
      service-policy input REMOTE-ACCESS
      no shutdown
    interface bvi 15
      description bridge group
      ip address 10.100.15.5 255.255.255.0
      peer ip address 10.100.15.6 255.255.255.0
      alias 10.100.15.4 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.100.15.1
    note: Subnet, Server Name, Certificate Name and Key Name are modified for security reason.

    Hello,
    We will not be able to determine why your SSL terminated connections fail with only your config.  You may want to take a look at a similar thread where someone else was having problems with IE and SSL termination, but Firefox worked fine.  It also includes a solid action plan you can use to gather data needed to diagnose root cause.  That thread can be viewed at the following link:
    https://supportforums.cisco.com/thread/2025417?tstart=0
    Also, the ACE software you are running is extremely old now and very buggy.  I would strongly urge you to upgrade to A2(2.4) as soon as possible.  It will help you avoid some headaches as you move forward.
    Hope this helps,
    Sean

  • ACE dropped conns problem (Bridged mode)

    Dear all,
    I configured an ACE in bridged mode (inside vlan: 2012, outside vlan: 2021) and I apply the L4 policy on the 2 VLAN interfaces to load balance incoming HTTP requests (Virtual IP: 172.22.22.130).
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    But I also need some other servers connected to the same vlan 2112 to send HTTP requests to the same VIP, but this fails and I get dropped conns.
    Can anyone help?
    Regards
    Abdelaziz

    Hi Olivier,
    Below is the full config, and my need is to make a server in the inside VLAN 2112 (172.22.22.121) open an HTTPS connection to the VIP (172.22.22.130 for rserver .131 & .132). Traffic from the outside is working well.
    Thanx,
    Abdelaziz
    Generating configuration....
    access-list BPDU-Allow ethertype permit bpdu
    probe tcp HTTPS
      port 443
      interval 15
      passdetect interval 15
      passdetect count 1
    probe icmp PING
      interval 5
    rserver host CASHUB131
      ip address 172.22.22.131
      inservice
    rserver host CASHUB132
      ip address 172.22.22.132
      inservice
    serverfarm host SFARM-EXCAS130
      probe HTTPS
      rserver CASHUB131
        inservice
      rserver CASHUB132
        inservice
    parameter-map type connection TCP_IDLE_30min
      set timeout inactivity 1800
    class-map match-all CLASS-L4-VIP-EXCAS130
      2 match virtual-address 172.22.22.130 any
    class-map type management match-any REMOTE-ACCESS
      description management ACE
      10 match protocol telnet any
      20 match protocol ssh any
      30 match protocol icmp any
      31 match protocol https any
      32 match protocol snmp any
    policy-map type management first-match REMOTE-MGT
      class REMOTE-ACCESS
        permit
    policy-map type loadbalance first-match POLICY-L7-VIP-EXCAS130
      class class-default
        serverfarm SFARM-EXCAS130
    policy-map multi-match POLICY-LB-HMC-2112
      class CLASS-L4-VIP-EXCAS130
        loadbalance vip inservice
        loadbalance policy POLICY-L7-VIP-EXCAS130
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    interface vlan 2112
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface vlan 2122
      bridge-group 1
      access-group input BPDU-Allow
      service-policy input POLICY-LB-HMC-2112
      no shutdown
    interface bvi 1
      ip address 172.22.22.250 255.255.255.0
      peer ip address 172.22.22.251 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.22.22.254

  • Transparent ACE - 2 VLAN's, 1 context, 2 VIPs

    Hi,
    We have a 3 tier application that needs to be load balanced from client to middleware and from middleware to backend.
    Usually we do this with multiple contexts on the ACE.
    This time we are doing this with multiple VLANs within the same context. Is this possible?
    setup
    client VIP = 10.0.103.3 which is mapped to IRIS_Reporting serverfarm in VLAN47
    middleware VIP = 10.0.103.4 which is mapped to IRIS_Web serverfarm in VLAN41
    The client hits VIP 10.0.103.3 and then the middleware box hits 10.0.103.4. The first part is working fine but the middleware cannot open a connection to the 10.0.103.4 VIP over tcp/80. In the ACE log I see the connection timing out...
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80)
    Oct  5 2010 15:33:40 INTERNAL-LB: %ACE-6-302022: Built TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80)
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x39181f for vlan347:10.0.4.18/49731 (10.0.4.18/49731) to vlan47:10.0.103.4/80 (10.0.103.4/80) duration 0:00:05 bytes 104 SYN Timeout
    Oct  5 2010 15:33:45 INTERNAL-LB: %ACE-6-302023: Teardown TCP connection 0x229206 for vlan41:10.0.4.18/49731 (10.0.4.18/49731) to vlan341:10.0.103.4/80 (10.0.2.149/80) duration 0:00:05 bytes 232 TCP Reset
    thanks,
    John.

    Hi Ivan,
    Here is the config,
    access-list BPDU ethertype permit bpdu
    access-list everyone line 10 extended permit ip any any
    parameter-map type http HTTP_PARAM
      server-conn reuse
      case-insensitive
      persistence-rebalance
    parameter-map type generic SSLID_PARAM
      set max-parse-length 70
    parameter-map type ssl SSL_PARAM
      session-cache timeout 300
    parameter-map type connection TCP_PARAM
      syn-data drop
      exceed-mss allow
    rserver host BL-VAN-CDMSPBI1
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.15
      inservice
    rserver host BL-VAN-CDMSPBI2
      description IRIS Sharepoint Reporting Server
      ip address 10.0.4.18
      inservice
    rserver host BL-VAN-ITSM03
      description ITSM Reporting Server
      ip address 10.0.4.16
      inservice
    rserver host BL-VAN-ITSM04
      description ITSM Reporting Server
      ip address 10.0.4.17
      inservice
    rserver host VM-VAN-CDMSPNT1
      description IRIS Sharepoint Web Server
      ip address 10.0.2.148
      inservice
    rserver host VM-VAN-CDMSPNT2
      description IRIS Sharepoint Web Server
      ip address 10.0.2.149
      inservice
    serverfarm host IRIS_Reporting
      description IRIS Reporting Servers
      failaction reassign
      fail-on-all
      rserver BL-VAN-CDMSPBI1 80
        inservice
      rserver BL-VAN-CDMSPBI2 80
    serverfarm host IRIS_Web
      description IRIS Front End Web Servers
      failaction reassign
      fail-on-all
      rserver VM-VAN-CDMSPNT1 80
        inservice
      rserver VM-VAN-CDMSPNT2 80
        inservice
    serverfarm host ITSM_Reporting
      description ITSM Reporting Servers
      failaction reassign
      rserver BL-VAN-ITSM03 80
        inservice
      rserver BL-VAN-ITSM04 80
        inservice
    class-map match-all IRIS_REPORTING_HTTP
      2 match virtual-address 10.0.103.3 tcp eq www
    class-map match-all IRIS_WEB_HTTP
      2 match virtual-address 10.0.103.4 tcp eq www
    class-map match-all ITSM_HTTP
      2 match virtual-address 10.0.103.1 tcp eq www
    class-map type management match-any PING
      10 match protocol icmp any
      20 match protocol snmp any
    policy-map type management first-match PING-POLICY
      class PING
        permit
    policy-map type loadbalance first-match IRIS_REPORTING_HTTP-l7slb
      class class-default
        serverfarm IRIS_Reporting
    policy-map type loadbalance first-match IRIS_WEB_HTTP-l7slb
      class class-default
        serverfarm IRIS_Web
    policy-map type loadbalance first-match ITSM_HTTP-l7slb
      class class-default
        serverfarm ITSM_Reporting
    policy-map multi-match int41
      class IRIS_WEB_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_WEB_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    policy-map multi-match int47
      class ITSM_HTTP
        loadbalance vip inservice
        loadbalance policy ITSM_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
      class IRIS_REPORTING_HTTP
        loadbalance vip inservice
        loadbalance policy IRIS_REPORTING_HTTP-l7slb
        loadbalance vip icmp-reply active
        loadbalance vip advertise active
        appl-parameter http advanced-options HTTP_PARAM
        connection advanced-options TCP_PARAM
    interface vlan 41
      description Client-Side VIP for Internal WEB LB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int41
      no shutdown
      ip route inject vlan 41
    interface vlan 47
      description Client-Side VIP for Gen Applications LB
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      service-policy input int47
      no shutdown
      ip route inject vlan 47
    interface vlan 341
      description Server-Side for Internal WEB
      bridge-group 2
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface vlan 347
      description Server-Side for Gen Applications
      bridge-group 1
      no icmp-guard
      access-group input BPDU
      access-group input everyone
      service-policy input PING-POLICY
      no shutdown
    interface bvi 1
      ip address 10.0.4.58 255.255.255.192
      alias 10.0.4.59 255.255.255.192
      peer ip address 10.0.4.57 255.255.255.192
      no shutdown
    interface bvi 2
      ip address 10.0.2.186 255.255.255.192
      alias 10.0.2.187 255.255.255.192
      peer ip address 10.0.2.185 255.255.255.192
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.0.4.62

  • Transparent ASA BPDU issue

    Hi All
    Hopefully someone will be able to help, I have an ASA running 8.4 in Multi-context transparent mode.
    The problem I am seeing is that it is passing BPDUs (I see this is expected in this mode), which is making the network converge.
    Which is the best way to stop this? I had thought of an ACL on the ASA but I think you can have only 1 type.
    Many thanks MJ

    You are right, you cannot mix different types of access lists.
    Here is what I can think as a workaround to achieve your requirement.
    >>Try creating a different access-list to block BPDU and apply it on a different interface.
    For eg:
    Say you have two acl:
    access-list 1 ethertype deny bpdu
    access-list 1 ethertype permit any
    access-list 2 extended permit ip any any
    >>you can apply acl 1 at one interface to block bpdu
    >>and acl 2 on the other interface to filter other traffic.
    So, by doing this you will be inspecting the same traffic flow at two different interfaces by different types of ACLs.
    Hope it helps!!

  • Trying to change the ACL of a domain user

    I am using the Set-Acl cmdlet to add a user to another user's domain account so that the second user will be able to read the permissions available to the first user.  I get an error on the very last line "this security id may not be assigned as the owner of this object".  I suspect that perhaps the error is caused because I am not permitted to change the owner of the account and the code is trying to do a wholesale rewrite of the ACL.  I am allowed to add the entry to the account through the UI and that is all I want to do via powershell.  Any ideas?
    $name1 = "someuser" #this is the user whose acl I want to edit
    $name2 = "someotheruser"  #this is the user that I want to add to the first user's acl
    $objUser = Get-ADUser -LDAPFilter "(sAMAccountName=$Name1)"
    $objDelegate = New-Object System.Security.Principal.NTAccount("$name2")
    Set-Location AD:
    $dn = $objUser.DistinguishedName
    $Acl = (Get-Acl $dn)
    $Ar = New-Object system.DirectoryServices.ActiveDirectoryAccessRule ($objDelegate,"GenericRead","Allow",$objUser.ObjectGUID)
    $Acl.AddAccessRule($Ar)
    Set-Acl -Path $dn -AclObject $Acl

    Hi Jay,
    To change the AD user permission with powershell, the script below is for your reference:
    Import-Module ActiveDirectory
    # Figure out our domain
    $root = (Get-ADRootDSE).defaultNamingContext
    # Get or create the System Management container
    $ou = $null
    try
    {
        $ou = Get-ADObject "CN=System Management,CN=System,$root"
    }
    catch
    {
        Write-Verbose "System Management container does not currently exist."
    }
    if ($ou -eq $null)
    {
        $ou = New-ADObject -Type Container -name "System Management" -Path "CN=System,$root" -Passthru
    }
    # Get the current ACL for the OU
    $acl = get-acl "ad:CN=System Management,CN=System,$root"
    # Get the computer's SID
    $computer = get-adcomputer $env:ComputerName
    $sid = [System.Security.Principal.SecurityIdentifier] $computer.SID
    # Create a new access control entry to allow access to the OU
    $ace = new-object System.DirectoryServices.ActiveDirectoryAccessRule $sid, "GenericAll", "Allow", "All"
    # Add the ACE to the ACL, then set the ACL to save the changes
    $acl.AddAccessRule($ace)
    Set-acl -aclobject $acl "ad:CN=System Management,CN=System,$root"
    I think you need to add the line to get user2's SID "$sid".
    Refer to:
    http://blogs.technet.com/b/mniehaus/archive/2012/01/05/creating-the-configmgr-system-management-container-with-powershell.aspx
    If there is anything else regarding this matter, please feel free to let me know.
    Best Regards,
    Anna Wang

  • Access control: what is the priority of access control entities (ACE)?

    Dear Bee-lievers,
    as I had some troubles implementing some special access control, I just read through the admin guide, chapter 13 (Managing Oracle Beehive Access Control).
    Even after that, I'm not clear about priority of ACEs in ACLs: if, for a given accessor, one ACE denies access, while another grants access ... which will win? I'd guess (and it looks like) the deny will win.
    Furthermore: What about inheritance of ACEs, e.g. in team workspaces?
    An explicit ACE on a special folder does seem to imply implicit access for workspace members.
    What I'm trying to implement is the following: within a team workspace, where access is granted on group basis, I want to set up a restricted folder for another group (all members of the restricted group are also members of the team group).
    Regards, Thomas

    Bee-lievers,
    for the time being we found the following workaround, with the help of support:
    The privileged members of group group2 are tagged in their user attributes with a unique string, say "beehive-grp-wrkrnd-group2" (we take the unused, but always non-null LDAP field gecos, mapped to UDS attribute nickname, to minimize GAL visibility of this workaround).
    These members are then sorted out in a dynamic group, say ZZ_group2_complement, with the following query: nickname does not contain "beehive-grp-wrkrnd-group2".
    Thus, the following access does what we desire:
    -----------------------------------------+--------------------------------------
    accessor | access_types
    -----------------------------------------+--------------------------------------
    agrp=ALL_USERS |
    -----------------------------------------+--------------------------------------
    grup=ZZ_group2_complement,enpr=enpr | -RWDEO
    -----------------------------------------+--------------------------------------
    We hope that ER 9414428 will be addressed soon. It could be all very simple if there was no implicit inheritance of the perms defined at workspace level!
    Regards, Tom Beekeeper

  • ACE20 Module with Exchange 2010 Configuration

    Hello all,
    I have deployed the following configuration for Exchange 2010. If all services are up on the two servers it works fine, but if a service goes down on one server (especially outlook) some clients are disconnected (stickiness) ...
    Stickiness is needed for all services by IP source sticky and by cookies for OWA.
    Because all services are on the same server (IP address) the configured sticky causes problems !!! When a service is down the ACE usually still forwards requests to it !!!! Any help please.
    Configuration :
    XXXXX-ACE1/CTXT-EXCHANGE(config)# do sh run
    Generating configuration....
    access-list BPDU-Allow ethertype permit bpdu
    access-list EXCH-LB line 10 extended permit ip any any
    probe http HTTP-GET
      interval 10
      passdetect interval 10
      request method get url /iisstart.htm
      expect status 200 202
    probe icmp PING
      interval 3
    probe tcp abport
      port 7575
      interval 2
      faildetect 2
      passdetect interval 10
      passdetect count 1
      connection term forced
    probe tcp epmap
      port 135
      interval 2
      faildetect 2
      passdetect interval 10
      passdetect count 1
      connection term forced
    probe tcp http
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe http http-probe
      interval 60
      passdetect interval 60
      passdetect count 2
      request method get url /exchweb/bin/auth/owalogon.asp
      expect status 400 404
    probe tcp https
      port 443
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe http https-probe
      interval 60
      passdetect interval 60
      passdetect count 2
      request method get url /owa/auth/login.aspx
      expect status 400 404
    probe tcp imap
      port 143
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe tcp imaps
      port 993
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe udp ipsec
      port 500
      interval 2
      passdetect interval 2
      passdetect count 1
    probe icmp ping
      interval 2
      passdetect interval 2
      passdetect count 1
    probe tcp pop3
      port 110
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe tcp pop3s
      port 995
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    probe tcp rpcport
      port 7576
      interval 2
      faildetect 2
      passdetect interval 10
      passdetect count 5
      connection term forced
    probe tcp smtp
      port 25
      interval 2
      passdetect interval 2
      passdetect count 1
      connection term forced
    rserver host CAS1
      ip address 172.22.101.74
      inservice
    rserver host CAS2
      ip address 172.22.101.76
      inservice
    rserver host HUB1
      ip address 172.22.101.75
      inservice
    rserver host HUB2
      ip address 172.22.101.77
      inservice
    rserver redirect RPC-REDIRECT
    rserver redirect SSLREDIRECT
      webhost-redirection https://mail.tunisiana.com/owa 302
      inservice
    serverfarm host CAS-Outlook
      probe PING
      probe abport
      probe epmap
      probe rpcport
      fail-on-all
      rserver CAS1 135
        inservice
      rserver CAS1 7575
        inservice
      rserver CAS1 7576
        inservice
      rserver CAS2 135
        inservice
      rserver CAS2 7575
        inservice
      rserver CAS2 7576
        inservice
    serverfarm host CAS-http
      probe HTTP-GET
      probe PING
      rserver CAS1 80
        inservice
      rserver CAS2 80
        inservice
    serverfarm host CAS-https
      probe https
      probe ping
      rserver CAS1 443
        inservice
      rserver CAS2 443
        inservice
    serverfarm host CAS-imap
      probe PING
      probe imap
      rserver CAS1 143
        inservice
      rserver CAS2 143
        inservice
    serverfarm host CAS-imaps
      probe imaps
      probe ping
      rserver CAS1 993
        inservice
      rserver CAS2 993
        inservice
    serverfarm host CAS-ipsec
      probe ipsec
      probe ping
      rserver CAS1
        inservice
      rserver CAS2
        inservice
    serverfarm host CAS-pop3
      probe ping
      probe pop3
      rserver CAS1 110
        inservice
      rserver CAS2 110
        inservice
    serverfarm host CAS-pop3s
      probe ping
      probe pop3s
      rserver CAS1 995
        inservice
      rserver CAS2 995
        inservice
    serverfarm host CAS-smtp
      probe ping
      probe smtp
      fail-on-all
      rserver CAS1 25
        inservice
      rserver CAS2 25
        inservice
    serverfarm host HUB
      probe ping
      probe smtp
      rserver HUB1
        inservice
      rserver HUB2
        inservice
    serverfarm redirect RPC-REDIRECT
    serverfarm redirect SSLREDIRECT
      rserver SSLREDIRECT
        inservice
    parameter-map type http STICKY
      persistence-rebalance
    parameter-map type connection TCP_IDLE_30min
      set timeout inactivity 1800
    sticky ip-netmask 255.255.255.255 address source HUB-ST
      timeout 30
      replicate sticky
      serverfarm HUB
    sticky ip-netmask 255.255.255.255 address source CAS-http-ST
      timeout 30
      replicate sticky
      serverfarm CAS-http
    sticky ip-netmask 255.255.255.255 address source CAS-https-ST
      timeout 30
      replicate sticky
      serverfarm CAS-https
    sticky ip-netmask 255.255.255.255 address source CAS-imap-ST
      timeout 30
      replicate sticky
      serverfarm CAS-imap
    sticky ip-netmask 255.255.255.255 address source CAS-imaps-ST
      timeout 30
      replicate sticky
      serverfarm CAS-imaps
    sticky ip-netmask 255.255.255.255 address source CAS-smtp-ST
      timeout 30
      replicate sticky
      serverfarm CAS-smtp
    sticky ip-netmask 255.255.255.255 address source CAS-pop3-ST
      timeout 30
      replicate sticky
      serverfarm CAS-pop3
    sticky ip-netmask 255.255.255.255 address source CAS-pop3s-ST
      timeout 30
      replicate sticky
      serverfarm CAS-pop3s
    sticky ip-netmask 255.255.255.255 address source CAS-ipsec-ST
      timeout 30
      replicate sticky
      serverfarm CAS-ipsec
    sticky ip-netmask 255.255.255.255 address source CAS-Outlook-ST
      timeout 30
      replicate sticky
      serverfarm CAS-Outlook
    sticky http-cookie sessionid exchange-sticky-sessionid-grp
      timeout 20
      serverfarm CAS-http
    sticky http-cookie cookie OWA-STICKY
      cookie insert browser-expire
      timeout 60
      replicate sticky
      serverfarm CAS-http
    sticky http-header Authorization CAS-RPC-HTTP
      serverfarm CAS-http
    class-map match-any CAS-OUTL-MAPI-VIP
      2 match virtual-address 172.22.101.69 tcp any
    class-map match-any CAS-Outlook-VIP
      2 match virtual-address 172.22.101.69 tcp eq 135
      3 match virtual-address 172.22.101.69 tcp eq 7575
      4 match virtual-address 172.22.101.69 tcp eq 7576
    class-map match-any CAS-http-VIP
      2 match virtual-address 172.22.101.69 tcp eq www
    class-map match-any CAS-https-VIP
      2 match virtual-address 172.22.101.69 tcp eq https
    class-map match-any CAS-imap-VIP
      2 match virtual-address 172.22.101.69 tcp eq 143
    class-map match-any CAS-imaps-VIP
      2 match virtual-address 172.22.101.69 tcp eq 993
    class-map match-any CAS-ipsec-VIP
      2 match virtual-address 172.22.101.69 udp eq 500
    class-map match-any CAS-pop3-VIP
      2 match virtual-address 172.22.101.69 tcp eq pop3
    class-map match-any CAS-pop3s-VIP
      2 match virtual-address 172.22.101.69 tcp eq 995
    class-map match-any CAS-smtp-VIP
      2 match virtual-address 172.22.101.69 tcp eq smtp
    class-map match-all CAS_SERVERS
      2 match source-address 172.22.101.64 255.255.255.192
    class-map match-any HUB-VIP
      2 match virtual-address 172.22.101.80 any
    class-map match-all HUB_SERVERS
      2 match source-address 172.22.101.64 255.255.255.192
    class-map match-all OWA-OUTLOOKANYWHERE-SSL
      2 match virtual-address 172.22.101.69 tcp eq https
    class-map match-all OWA-SSL-CM
      2 match virtual-address 172.22.101.69 tcp eq https
    class-map match-all OWAREDIRECT
      2 match virtual-address 172.22.101.69 tcp eq www
    class-map type management match-any REMOTE-MGT
      201 match protocol snmp any
      202 match protocol http any
      203 match protocol https any
      204 match protocol icmp any
      205 match protocol ssh any
      206 match protocol telnet any
    policy-map type management first-match REMOTE-MGT
      class REMOTE-MGT
        permit
    policy-map type loadbalance first-match CAS-Outlook-policy
      class class-default
        sticky-serverfarm CAS-Outlook-ST
    policy-map type loadbalance first-match CAS-http-policy
      class class-default
        sticky-serverfarm CAS-http-ST
    policy-map type loadbalance first-match CAS-https-policy
      class class-default
        sticky-serverfarm CAS-https-ST
    policy-map type loadbalance first-match CAS-imap-policy
      class class-default
        sticky-serverfarm CAS-imap-ST
    policy-map type loadbalance first-match CAS-imaps-policy
      class class-default
        sticky-serverfarm CAS-imaps-ST
    policy-map type loadbalance first-match CAS-ipsec-policy
      class class-default
        serverfarm CAS-ipsec
    policy-map type loadbalance first-match CAS-pop3-policy
      class class-default
        sticky-serverfarm CAS-pop3-ST
    policy-map type loadbalance first-match CAS-pop3s-policy
      class class-default
        sticky-serverfarm CAS-pop3s-ST
    policy-map type loadbalance first-match CAS-smtp-policy
      class class-default
        serverfarm CAS-smtp
    policy-map type loadbalance first-match HUB-policy
      class class-default
        serverfarm HUB
    policy-map type loadbalance first-match OWA-OUTLOOKANYWHERE
      match OUTLOOK_ANYWHERE http header User-Agent header-value "MSRPC"
    policy-map type loadbalance first-match OWA-SSL-PM
      class class-default
        sticky-serverfarm OWA-STICKY
    policy-map type loadbalance http first-match SSLREDIRECT
      class class-default
        serverfarm SSLREDIRECT
    policy-map multi-match CAS-Outlook-POLICY-MAP
      class CAS-Outlook-VIP
        loadbalance vip inservice
        loadbalance policy CAS-Outlook-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-http-POLICY-MAP
      class CAS-http-VIP
        loadbalance vip inservice
        loadbalance policy CAS-http-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-https-POLICY-MAP
      class CAS-https-VIP
        loadbalance vip inservice
        loadbalance policy CAS-https-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-imap-POLICY-MAP
      class CAS-imap-VIP
        loadbalance vip inservice
        loadbalance policy CAS-imap-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-imaps-POLICY-MAP
      class CAS-imaps-VIP
        loadbalance vip inservice
        loadbalance policy CAS-imaps-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-ipsec-POLICY-MAP
      class CAS-ipsec-VIP
        loadbalance vip inservice
        loadbalance policy CAS-ipsec-policy
        loadbalance vip icmp-reply
    policy-map multi-match CAS-pop3-POLICY-MAP
      class CAS-pop3-VIP
        loadbalance vip inservice
        loadbalance policy CAS-pop3-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-pop3s-POLICY-MAP
      class CAS-pop3s-VIP
        loadbalance vip inservice
        loadbalance policy CAS-pop3s-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match CAS-smtp-POLICY-MAP
      class CAS-smtp-VIP
        loadbalance vip inservice
        loadbalance policy CAS-smtp-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match EXCH-POLICY
      class CAS-imap-VIP
        loadbalance vip inservice
        loadbalance policy CAS-imap-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-imaps-VIP
        loadbalance vip inservice
        loadbalance policy CAS-imaps-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-pop3-VIP
        loadbalance vip inservice
        loadbalance policy CAS-pop3-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-pop3s-VIP
        loadbalance vip inservice
        loadbalance policy CAS-pop3s-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-smtp-VIP
        loadbalance vip inservice
        loadbalance policy CAS-smtp-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-http-VIP
        loadbalance vip inservice
        loadbalance policy CAS-http-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-https-VIP
        loadbalance vip inservice
        loadbalance policy CAS-https-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
      class CAS-OUTL-MAPI-VIP
        loadbalance vip inservice
        loadbalance policy CAS-Outlook-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    policy-map multi-match HUB-POLICY-MAP
      class HUB-VIP
        loadbalance vip inservice
        loadbalance policy HUB-policy
        loadbalance vip icmp-reply
        connection advanced-options TCP_IDLE_30min
    interface vlan 52
      description #### vlan client side EXCHANGE ####
      bridge-group 1
      access-group input BPDU-Allow
      access-group input EXCH-LB
      service-policy input REMOTE-MGT
      service-policy input HUB-POLICY-MAP
      service-policy input EXCH-POLICY
      no shutdown
    interface vlan 54
      description #### vlan client side ACE_EXCHANGE ####
      bridge-group 1
      access-group input BPDU-Allow
      access-group input EXCH-LB
      service-policy input REMOTE-MGT
      service-policy input HUB-POLICY-MAP
      service-policy input EXCH-POLICY
      no shutdown
    interface bvi 1
      ip address 172.22.101.123 255.255.255.192
      peer ip address 172.22.101.122 255.255.255.192
      description EXCHANGE-Bridged-vlans
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.22.101.126
    Best Regards


  • How can I preserve Client IP address?

    I am configuring the ACE for bridged mode. However, the real server is seeing VIP IP but not Client IPs. Our business requires that the real server must see client IPs. Do you have any idea how to set that up?
    I tried to turn ON/OFF normalization but it is still not working.
    Thanks,
    Vincent
    ==============================
    Here is my configuration:
    rserver host 192.168.71.71
      ip address 192.168.71.71
      inservice
    serverfarm host WEB_FARM
      failaction purge
      probe ICMP
      rserver 192.168.71.71
        inservice
    access-list PERMIT-BPDU ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    sticky ip-netmask 255.255.255.255 address source WEB_FARM_Sticky
      timeout 180
      replicate sticky
      serverfarm WEB_FARM
    class-map match-all WEB_FARM_VIP
      2 match virtual-address 192.168.71.154 tcp eq 80
    class-map type management match-any remote_access
      2 match protocol xml-https any
      4 match protocol icmp any
      5 match protocol telnet any
      6 match protocol ssh any
      7 match protocol http any
      8 match protocol https any
      9 match protocol snmp any
    policy-map type loadbalance first-match WEB_FARM_Policy
      class class-default
        sticky-serverfarm WEB_FARM_Sticky
    policy-map multi-match WEB_VIPS
      class WEB_FARM_VIP
        loadbalance vip inservice
        loadbalance policy WEB_FARM_Policy
        loadbalance vip icmp-reply active
        nat dynamic 6 vlan 31
        nat dynamic 5 vlan 21
    interface vlan 21
      description Client VLAN
      bridge-group 171
      no normalization
      mac-sticky enable
      access-group input PERMIT-BPDU
      access-group input ALL
      service-policy input WEB_VIPS
      nat-pool 5 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
    interface vlan 31
      description Server VLAN
      bridge-group 171
      no normalization
      mac-sticky enable
      access-group input PERMIT-BPDU
      access-group input ALL
      service-policy input WEB_VIPS
      nat-pool 6 192.168.71.154 192.168.71.154 netmask 255.255.255.255 pat
      no shutdown
    interface bvi 171
      ip address 192.168.71.3 255.255.255.0
      no shutdown

    Do you have a default route on the ACE and the rservers? Are they all pointing to the same IP? I have the same configuration.  An ACE 4710 in transparent mode, but I have no NATing and my rservers are able to see the original client IPs (security requirement).
    Here is part of my config for one serverfarm
    rserver host RS_MIDTIER_220
      description
      ip address 172.31.0.131
      inservice
    rserver host RS_MIDTIER_221
      description
      ip address 172.31.0.132
      inservice
    rserver host RS_MIDTIER_222
      description
      ip address 172.31.0.133
      inservice
    rserver redirect RS_SSL_Redirects
      webhost-redirection https://%h/%p 301
      inservice
    action-list type modify http SSL_URL_REWRITE
      ssl url rewrite location ".*"
    serverfarm redirect SF_SSL_Redirects
      predictor leastconns
      rserver RS_SSL_Redirects
      inservice
    serverfarm host SF_Midtier_Prod
      description Midtier Production
      predictor leastconns
      probe APACHE
      probe ICMP
      rserver RS_MIDTIER_220 80
        inservice
      rserver RS_MIDTIER_221 80
        inservice
      rserver RS_MIDTIER_222 80
        inservice
    ssl-proxy service SSL_PSERVICE_MIDTIER_PROD
      key
      cert
      chaingroup EntrustChainGroup
    sticky http-cookie JSESSIONID Sticky_Jsession_Cookie_Midtier_Prod
      timeout 90
      serverfarm SF_Midtier_Prod
    class-map type management match-any REMOTE_MGT_ACCESS
      description remote access traffic match
      2 match protocol ssh source-address
      4 match protocol https source-address
      5 match protocol snmp source-address
    class-map match-any VS_Midtier_Prod_L3SLB
      description Midtier Prod IPs
      2 match virtual-address 172.31.0.46 tcp eq https
      3 match virtual-address 172.31.0.47 tcp eq https
    class-map match-any VS_SSL_Redirects
      description Redirects any http VIPS to https
      5 match virtual-address 172.31.0.46 tcp eq www
      6 match virtual-address 172.31.0.47 tcp eq www
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_MGT_ACCESS
        permit
    policy-map type loadbalance http first-match Midtier_Prod_L4SLB
      class class-default
        sticky-serverfarm Sticky_Jsession_Cookie_Midtier_Prod
        action SSL_URL_REWRITE
    policy-map type loadbalance first-match SSL_Redirect_L4SLB
      class class-default
        serverfarm SF_SSL_Redirects
    policy-map multi-match Farm_VIPS
      class VS_SSL_Redirects
        loadbalance vip inservice
        loadbalance policy SSL_Redirect_L4SLB
      class VS_Midtier_Prod_L3SLB
        loadbalance vip inservice
        loadbalance policy Midtier_Prod_L4SLB
        loadbalance vip icmp-reply active
        ssl-proxy server SSL_PSERVICE_MIDTIER_PROD
    interface vlan 100
      description DMZ ACE frontside
      bridge-group 1
      access-group input BPDUALLOW
      access-group input ALL
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      service-policy input Farm_VIPS
      no shutdown
    interface vlan 110
      description DMZ ACE backside
      bridge-group 1
      access-group input BPDUALLOW
      access-group input ALL
      no shutdown
    interface bvi 1
      ip address 172.31.0.150 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.31.0.1

  • Transparent design with router on both sides?

    I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.
    1. Transparent design with VRF on both sides:
    FW-VRF (Subnet A)
          |
          | (VLAN 11)
          |
    ACE (Subnet A)
          |
          | (VLAN 12)
          |
    LAN-VRF
          |
          | (VLAN 13)
          |
    Real servers (Subnet B)
    2. Transparent design in plain bridge mode:
    FW-VRF (Subnet A)
          |
          | (VLAN 11)
          |
    ACE (Subnet A)
          |
          | (VLAN 12)
          |
    Real servers (Subnet A)
    As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario (both due to existing infrastructure). Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.
    Thanks in advance for any help!

    I'm gonna expand my question a bit as I can not seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both sides of the ACE. I can, on the other hand, ping neither the bvi address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!
    Addresses:
    10.3.66.1 - FW_VRF on client side
    10.3.66.6 - LAN_VRF on server side
    10.3.66.7 - BVI if on ACE
    ===Admin===
    resource-class TEST_res
      limit-resource all minimum 10.00 maximum unlimited
    boot system image:c4710ace-mz.A3_2_0.bin
    hostname 4710Appl
    interface gigabitEthernet 1/1
      description Management port
      switchport access vlan 752
      no shutdown
    interface gigabitEthernet 1/2
      description Client side LAN
      switchport trunk allowed vlan 2522
      no shutdown
    interface gigabitEthernet 1/3
      description Server side LAN
      switchport trunk allowed vlan 2524
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list BPDU ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      2 match protocol ssh any
      3 match protocol icmp any
      4 match protocol snmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    interface vlan 752
      description Management VLAN
      ip address 10.7.52.63 255.255.255.0
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.3.66.1
    context TEST_context
      allocate-interface vlan 752
      allocate-interface vlan 2522
      allocate-interface vlan 2524
      member TEST_res
    context TEST_context_routed
    username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/  role Admin domain default-domain
    username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1  role Admin domain default-domain
    ssh key rsa 1024 force
    ===Application context===
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    class-map type management match-any REMOTE_ACCESS
      description Remote access traffic match
      2 match protocol ssh any
      3 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
      class REMOTE_ACCESS
        permit
    interface vlan 752
      ip address 10.7.52.64 255.255.255.0
      service-policy input REMOTE_MGMT_ALLOW_POLICY
      no shutdown
    interface vlan 2522
      description Client side VLAN
      bridge-group 1
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 2524
      description Server side VLAN
      bridge-group 1
      access-group input ALL
      access-group output ALL
      no shutdown
    interface bvi 1
      ip address 10.3.66.7 255.255.255.240
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.3.66.1
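    As an added example (my own code, not Cisco's and not any poster's), a small Python linter that parses an ACE running-config and flags the three bridged-mode problems visible in the configs posted in this thread and the "preserve Client IP" one: a bridged VLAN with no ethertype ACL that lets BPDUs through, a multi-match policy that applies `nat dynamic` (the reason real servers see the NAT pool address instead of the client address), and a VLAN interface with no `no shutdown`. The sample config is constructed, modelled on the posted ones; the function and finding names are assumptions of mine.

```python
"""Lint a Cisco ACE running-config for bridged-mode pitfalls.

Added example, not Cisco's or any poster's code. It reads the indentation that
'show running-config' produces and reports, per 'interface vlan':
  ADMIN_DOWN        the interface has no 'no shutdown'
  NO_BPDU_ACL       bridged VLAN with no ethertype ACL permitting bpdu/any
  NAT_HIDES_CLIENT  an applied multi-match policy does 'nat dynamic', so servers
                    behind the NATed VLAN see the pool address, not the client
"""
import re
from dataclasses import dataclass, field


@dataclass
class Node:
    text: str
    children: list["Node"] = field(default_factory=list)


def parse_config(text: str) -> Node:
    """Turn indented config into a tree: a deeper-indented line is a child of
    the nearest shallower line above it."""
    root = Node("")
    stack = [(-1, root)]                      # (indent, node)
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = Node(raw.strip())
        while stack[-1][0] >= indent:         # root is at -1, never popped
            stack.pop()
        stack[-1][1].children.append(node)
        stack.append((indent, node))
    return root


# ACE ethertype ACL keywords: 'any' (as in the first thread) or 'bpdu' both
# let spanning-tree BPDUs cross the bridge; extended ACLs never do.
ACL_RE = re.compile(r"^access-list (\S+) ethertype permit (bpdu|any)$")
POLICY_RE = re.compile(r"^policy-map multi-match (\S+)$")
NAT_RE = re.compile(r"^nat dynamic \d+ vlan (\d+)$")
IFACE_RE = re.compile(r"^interface vlan (\d+)$")


def _descendants(node: Node):
    for child in node.children:
        yield child
        yield from _descendants(child)


def lint(config_text: str) -> list[tuple[str, str, str]]:
    """Return (vlan, code, detail) findings for every 'interface vlan'."""
    root = parse_config(config_text)
    bpdu_acls: set[str] = set()
    nat_policies: dict[str, list[str]] = {}   # policy name -> NATed VLANs
    for node in root.children:                # pass 1: ACLs and policies
        if m := ACL_RE.match(node.text):
            bpdu_acls.add(m.group(1))
        elif m := POLICY_RE.match(node.text):
            nat_vlans = sorted({n.group(1) for d in _descendants(node)
                                if (n := NAT_RE.match(d.text))})
            if nat_vlans:
                nat_policies[m.group(1)] = nat_vlans
    findings = []
    for node in root.children:                # pass 2: interfaces
        if not (m := IFACE_RE.match(node.text)):
            continue
        vlan = m.group(1)
        lines = [c.text for c in node.children]
        words = [line.split() for line in lines]
        if "no shutdown" not in lines:
            findings.append((vlan, "ADMIN_DOWN", "interface has no 'no shutdown'"))
        if not any(line.startswith("bridge-group ") for line in lines):
            continue                          # routed interface: bridge checks do not apply
        acls = {w[2] for w in words if w[:2] == ["access-group", "input"]}
        if not acls & bpdu_acls:
            findings.append((vlan, "NO_BPDU_ACL",
                             "bridged VLAN without an ethertype ACL permitting bpdu/any"))
        for w in words:
            if w[:2] == ["service-policy", "input"] and w[2] in nat_policies:
                findings.append((vlan, "NAT_HIDES_CLIENT",
                                 f"policy {w[2]} applies 'nat dynamic' toward vlan "
                                 f"{', '.join(nat_policies[w[2]])}"))
    return findings


# Constructed sample, modelled on the configs posted in the threads above.
SAMPLE_CONFIG = """\
access-list PERMIT-BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
policy-map multi-match WEB_VIPS
  class WEB_FARM_VIP
    loadbalance vip inservice
    nat dynamic 6 vlan 31
interface vlan 21
  description Client VLAN
  bridge-group 171
  access-group input PERMIT-BPDU
  access-group input ALL
  service-policy input WEB_VIPS
interface vlan 31
  description Server VLAN
  bridge-group 171
  access-group input ALL
  service-policy input WEB_VIPS
  no shutdown
interface vlan 752
  description Management VLAN
  ip address 10.7.52.64 255.255.255.0
  no shutdown
interface bvi 171
  ip address 192.168.71.3 255.255.255.0
  no shutdown
"""

if __name__ == "__main__":
    for vlan, code, detail in lint(SAMPLE_CONFIG):
        print(f"vlan {vlan}: {code}: {detail}")
```

Run against the sample it reports vlan 21 as administratively down and NATing, and vlan 31 as NATing with no BPDU ethertype ACL; the routed management VLAN gets no findings.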

  • Transparent Firewall Configuration

    I'm trying to configure ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs routed via inter-VLAN routing using the core switch.
    As per Cisco configuration guidelines for transparent firewall, INSIDE and OUTSIDE ZONE are configured to be in two different VLANs while the gateway IP address of the server farm is configured on the core switch.
    The transparent firewall works fine if connected to TWO different switches with ACL permit any any on the outside interface. But if TWO DIFFERENT VLANS (ex. 111 & 222) are configured on the same Catalyst 4500 switch and the inside zone and outside zone (222) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222 - traffic is not flowing through.
    VLAN 222 USED FOR SERVER FARM CONNECTED TO INSIDE ZONE HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111 which is connected to OUTSIDE interface of ASA.
    Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222
    No ARP entries are seen on the inside interface. Ethertype ACL to allow BPDUs on both INSIDE AND OUTSIDE interface of ASA has also been configured.
    Can you please provide me guidelines and a step by step procedure to configure ASA 5540 in transparent Firewall mode with INSIDE & OUTSIDE Interface connecting to TWO different VLANS on the same Catalyst SWITCH.
    Thanking you in advance,
    with best regards
    Meenaakshi Sundaram
    Network Consultant

    Hi Kirk,
    Yes, you can.
    You just have to make sure that you configure only 1 SVI on the switch.
    Example:
    L3 subnet: 10.1.1.0/24
    VLAN 100 -- Inside (ASA) Outside -- VLAN 200
    Hosts will all be connected to VLAN 100 on the switch.
    ASA inside interface will be connected to VLAN 100 on the switch
    ASA outside interface will be connected to VLAN 200 on the switch
    Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).
    All hosts would be in the 10.1.1.0/24 subnets with default gateway set to 10.1.1.254.
    ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
    Hope that helps.
