ACE redundancy with bridge mode

I need to configure redundancy between two ACE modules (no problem). There is a context in bridge mode. My question is: in which state is the standby context? Is it in a blocked state (that is, it does not answer any L2 requests), similar to, for example, the ASA? I need to explain the loop-free topology.
Can anybody explain to me how it works?

Yes, that's correct.
If you have a redundant setup, don't forget to allow the Spanning-tree BPDUs!
Create an ACL that permits BPDUs and apply it on both ACEs, on the client side and the server side:
access-list NONIP ethertype permit bpdu
int vlan 10 ! client-side
access-group input NONIP
int vlan 20 ! server-side
access-group input NONIP
More info:
http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/bridge.html#wp1174530
Please rate if this was useful for you.
Kind regards,
Dario
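
A static check for the advice above, as an added example (not part of the original post and not Cisco tooling): it parses an ACE context configuration and reports every bridged VLAN interface that has no inbound ACL permitting BPDUs. The sample configuration is constructed, and the names `parse_config`, `audit` and `Finding` are hypothetical; run it against the configuration of both peers.

```python
"""Audit an ACE context config: each bridged VLAN needs an inbound BPDU permit."""
import re
from dataclasses import dataclass

# Constructed sample context, modelled on the configurations quoted in this thread.
# Addresses are documentation-range placeholders.
SAMPLE_CONFIG = """\
access-list NONIP ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
interface vlan 10
  bridge-group 1
  access-group input NONIP
  access-group input ALL
  no shutdown
interface vlan 20
  bridge-group 1
  access-group input ALL
  no shutdown
interface vlan 30
  bridge-group 2
  access-group input bpdu-fixup
  no shutdown
interface vlan 40
  bridge-group 2
  access-group input NONIP
  no shutdown
interface vlan 1000
  ip address 192.0.2.16 255.255.255.0
  access-group input ALL
  no shutdown
interface bvi 1
  ip address 192.0.2.129 255.255.255.0
  no shutdown
ip route 0.0.0.0 0.0.0.0 192.0.2.254
"""

IFACE_RE = re.compile(r"^int(?:erface)?\s+vlan\s+(\d+)$", re.I)
BRIDGE_RE = re.compile(r"^bridge-group\s+(\d+)$", re.I)
ACL_IN_RE = re.compile(r"^access-group\s+input\s+(\S+)$", re.I)
ACL_DEF_RE = re.compile(r"^access-list\s+(\S+)\s", re.I)
# Assumption: only an explicit "ethertype permit bpdu" entry counts as passing BPDUs.
ACL_BPDU_RE = re.compile(r"^access-list\s+\S+\s+ethertype\s+permit\s+bpdu$", re.I)
# Sub-commands that keep us inside an interface block; needed because pasted
# configs are often flattened and indentation cannot be trusted.
IFACE_SUBCMDS = ("bridge-group", "access-group", "service-policy", "ip address",
                 "peer ip address", "alias ip address", "nat-pool", "mac-sticky",
                 "description", "no ", "shutdown")


@dataclass(frozen=True)
class Finding:
    vlan: int
    bridge_group: int
    undefined_acls: tuple  # inbound ACL names referenced but never defined


def parse_config(text):
    """Return (ACLs permitting BPDU, all defined ACLs, per-VLAN interface data)."""
    bpdu_acls, defined_acls, interfaces = set(), set(), {}
    current = None
    for raw in text.splitlines():
        line = raw.split("!", 1)[0].strip()  # drop "! comment" tails
        if not line:
            continue
        iface = IFACE_RE.match(line)
        if iface:
            current = interfaces.setdefault(
                int(iface.group(1)), {"bridge_group": None, "input_acls": []})
        elif current is not None and line.lower().startswith(IFACE_SUBCMDS):
            bridge, acl_in = BRIDGE_RE.match(line), ACL_IN_RE.match(line)
            if bridge:
                current["bridge_group"] = int(bridge.group(1))
            elif acl_in:
                current["input_acls"].append(acl_in.group(1))
        else:
            current = None  # any other line closes the interface block
            acl = ACL_DEF_RE.match(line)
            if acl:
                defined_acls.add(acl.group(1))
                if ACL_BPDU_RE.match(line):
                    bpdu_acls.add(acl.group(1))
    return bpdu_acls, defined_acls, interfaces


def audit(text):
    """List bridged VLAN interfaces with no inbound ACL that permits BPDUs."""
    bpdu_acls, defined_acls, interfaces = parse_config(text)
    findings = []
    for vlan in sorted(interfaces):
        info = interfaces[vlan]
        if info["bridge_group"] is None:
            continue  # routed interface, not part of a bridge
        if any(name in bpdu_acls for name in info["input_acls"]):
            continue
        undefined = tuple(n for n in info["input_acls"] if n not in defined_acls)
        findings.append(Finding(vlan, info["bridge_group"], undefined))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        extra = f" (undefined ACL: {', '.join(f.undefined_acls)})" if f.undefined_acls else ""
        print(f"vlan {f.vlan} in bridge-group {f.bridge_group}: no inbound BPDU permit{extra}")
```

A misspelled EtherType keyword in a configuration template is reported the same way as a missing ACL, because the entry no longer matches `permit bpdu`.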

Similar Messages

  • ACE MODULE IN BRIDGE MODE NOT LOADBALANCING

    Hi,
    I setup an ace module in bridge mode as follows:
    mfsc(vla80) > (vla80)outside fwsm, fwsm inside(vla40) > (vla40)ace-clientside, aceserverside(vla41)
    and the servers have the fwsm svi(vla40) as their gateway. But, the ace is not loadbalancing.
    The config script is attached. Is there anything I am missing?

    Check my troubleshooting guide on this forum.
    There are few things to do to narrow down the issue.
    Gilles.

  • We recently switched ISPs. To connect to the new ISP our Airport Extreme has to be in bridge mode. Now our Nintendo Wii won't connect to the Airport. Is it an issue with bridge mode that is causing this?

    We recently switched ISPs. To connect to the new ISP our Airport Extreme has to be in bridge mode. Now our Nintendo Wii won't connect to the Airport. Is it an issue with bridge mode that is causing this? We're running two Macs wirelessly with no problems.  And the Wii did connect before the switch.

    Hello and thanks for the reply.  I gave this a try, turned off Airport on one of the computers and tried the Wii again.  Still no connection.  I should say that we're also running an old G4 (wired) off the Airport as well, with no problems.  I've tried many things to make the Wii work, including power cycling the Airport, turning off the security settings in the Airport, resetting the Airport to its default and redoing the network, resetting the network settings on the Wii (several times), moving the Airport closer to the Wii, all with no luck.  The Wii "sees" the Airport but won't connect to it.  I'm at a loss for anything else to try, so any help is appreciated.

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported for the ACE-20 module, please?
    Let me explain the technical details.
    I need to convert a working CSM (SLB) config to an ACE configuration and I am not quite sure
    if the configuration below is correct. The ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on the ACE is configured as "nat dynamic 1025 vlan 436" in the corresponding
    "policy-map type loadbalance".
    Could you check the two parts of the config and advise me whether the ACE config is
    properly converted from the CSM and will work in the same way (especially for NAT)?
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
    You will want to use PAT while you do nat, so change the natpool configuration to this:
    nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
    You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
      class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins

  • ACE 4710 in bridge mode

    Hi,
    We got a new ACE 4710 device and I am trying to configure it in bridging mode.
    I am trying to load balance between two servers which are connected as shown below:
    Servers -> Switch -> Router (with subinterface).
    Servers IP: 172.16.11.1 and 172.16.11.2
    Router IP: 172.16.11.254
    Default route is router IP address for servers.
    I am new to ACE and I am confused about how to assign interface on ACE so that ACE can bridge the traffic between router and servers VLAN.
    We have some more servers which are on different VLAN but can connect to these servers as router is doing inter-vlan routing too.
    I want inter-vlan routing and load balancing between the above two servers concurrently. Please help in this regard.
    Also attaching the ACE config file.

    Here is the config, hope this will help.
    Admin Context
    =============
    resource-class ngmp_rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 10,13
      no shutdown
    interface gigabitEthernet 1/3
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 192.168.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.16.254
    context apps
      allocate-interface vlan 10
      allocate-interface vlan 13
      member apps_rc1
    APPS Context
    ============
    rserver host srv1
      ip address 192.168.10.1
      inservice
    rserver host srv2
      ip address 192.168.10.2
      inservice
    rserver host srv3
      ip address 192.168.10.3
      inservice
    serverfarm host apps_srv
      rserver srv1
        inservice
      rserver srv2
        inservice
      rserver srv3
        inservice
    class-map match-all ftp-vip
      2 match virtual-address 172.16.10.10 tcp eq ftp
    class-map match-all http-vip
      2 match virtual-address 172.16.10.11 tcp eq 8080
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        serverfarm apps_srv
    policy-map multi-match client-vips
      class ftp-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
        inspect ftp
      class http-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 10
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 192.168.10.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.10.254
    Thanks,
    Pawan

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
    I am not able to ping servers as well as gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you please suggest what I am doing wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch ? Trunk or access vlan ?
    What is the status of the interface ? up ? down ?
    Do you see something in your arp table ?
    Gilles.

  • Trouble with bridge mode and port forwarding

    I have a Westell Model 6100F DSL modem in bridge mode into my network and I'm having trouble forwarding ports. Is there any general guidance available to do this? I have set many of my friends' networks up to allow port forwarding but all have been on other service providers, mainly cable. (my experience) My network is the only one I have had trouble with.
    Basically, my question is, while in bridge mode, does the modem forward all incoming traffic to my NAT router or do I need to apply special port forwarding settings in the modem to allow this?
    If bridge mode is the reason I cannot forward the ports, can someone explain how to set the Westell 6100F back to factory defaults so I can start over?
    Any other suggestions?
    Thanks in advance.
    Paul

    If bridge mode is set up correctly, your router should be holding the Public IP address (basically not something that is a 192.168 address) as shown at http://www.whatismyip.com/ and compared against what IP your router has.
    If your router has the public IP, all problems lie with either your router or your PC's firewall and configuration. I'd check out portforward.com for some guides on forwarding ports for your router or particular application if you need some additional help.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!

  • Problems with Bridge Mode - Please advise.

    Folks I have my Time Capsule on our network in bridge mode to use it as a switch and wireless access point. Internet connectivity seems to keep having problems and I am not sure if my setup makes sense:
    My Setup: Netgear DGN3500 Router (modem built in) ->Time Capsule (in bridge mode via ethernet) -> Network devices
    Problems:
    - Time Capsule TCP/IP has 169.xxx.xx.xx IP Address using DHCP, subnet is wrong (missing one "255" set) , router address is correct
    - Netgear router sees Time Capsule connected with a proper IP address (192.168.1.xxx) in routing table
    - flashing amber light due to airport not having a valid IP address even though I turned wireless off temporarily for the purposes of trouble shooting. I first just want to get ethernet working correctly
    I've reset my router, the Time Capsule all settings, renewed DHCP Lease in Time Capsule...all the standard fanfare.
    Any ideas folks or is this thing just done?
    Tesserax if you're out there, please respond. I think you've addressed this as well, but I have no solution.

    If my router is the DHCP server and my TC is in bridge mode (accepting DHCP info) shouldn't my TC be getting 192.xxx.x.xxx numbers and same subnet mask?
    Yes. Have you power cycled the entire network as a troubleshooting step in this regard? If not, power everything down on the entire network, order is not important.
    Start your modem first and let it run a moment by itself, then start the next router connected to the modem the same way. Start the Time Capsule the same way. Continue starting devices one a time the same way until the entire network is powered back up.
    Additionally, if the TC is in bridge mode, can it serve other devices through the other LAN ports?
    Yes. In bridge mode the ethernet ports are acting like a simple ethernet switch. Since they all behave like LAN ports in this configuration, try a different port on the Time Capsule for your connection from the switch to see if that helps.
    I suppose I could tell my netgear to only give a range of addresses and the TC another range, but I didn't think I'd have to go through all of that.
    I would not recommend that you do this. Even if you are able to avoid IP address conflicts, you'll have a Double NAT error on the network, at best slowing communications down. At worst, devices on one sub net will not be able to communicate with devices on the other sub net.
    By the way I forgot to mention one part of my network - the switch (not the LAN one built into my netgear router). There's a 24-port
    As a troubleshooting step, try bypassing the switch to see if that makes any difference in the performance of the TC. I like Netgear switches and have used them for years, but I've also had an occasional failure in several of their ethernet switches. It does happen.
    Message was edited by: Bob Timmons

  • Problems with Bridge mode at a hotel

    Hi there,
    I have my Airport Express (N) set up to create a wireless network, use DHCP, and be in Bridge mode. When I plug in the Ethernet cable from a hotel (where you are required to subscribe and pay for their service), I can use the internet from my laptop wirelessly without problems. However when I connect to wifi from my iPhone 3GS, it connects to the network, but prompts me to repay for another service. The site also states that the price is 'per computer'. I was under the impression that when a router was in Bridge mode, it was invisible to the hotel network, and you can share the internet connection with multiple computers, but somehow the hotel is detecting exactly that. Am I missing anything here?

    Sorry, the hotel router is configured to charge you for each separate device that connects. In other words, if you connected with your computer and paid the fee, and then another person tried to connect their laptop, the hotel router sees another device and will charge for that device.
    Bridge mode on the Express allows you to configure your computer so that the hotel router sees your computer as the connecting device. Bridge mode is the only setting that will work correctly to allow you to configure your Express.
    Specifically, the hotel assigns an IP when you connect your computer, if you try to connect another device, it needs to assign another IP address. The hotel will charge you for each IP address.

  • Port Forwarding Time Capsule With Bridge Mode

    Whoever says that the Time Capsule opens all ports if it is in Bridge Mode, it does not.
    I have put my Time Capsule in DMZ, firewall disabled, and it is still blocking ports, except for a couple (Apple Filesharing, Telnet,…)
    My TC was set up in Bridge Mode as it SHOULD indeed open all ports, but this is not the case, it seems you have to add the ports yourself.
    How it works is completely not intuitive and I would even consider it a bug.
    Adding the following port configuration opened up the port, even though it was blocked before adding it with the TC in Bridge Mode.
    This doesn't seem to work for all ports however, so I am at a loss as to what is going on.
    I'm using the following site to test the Network ports
    http://www.whatsmyip.org/port-scanner/
    If anyone could explain or help out, that would be great
    Kind Regards,
    Cipher

    Hi, Thank you both for your continued support!
    The main router is from our ISP, it is remotely controlled by our ISP and they will not allow us to access it and adjust/view the configuration ourselves (dumb, I know, but can't be helped), which is why I went with the DMZ option, as I don't want to keep having to call them, wait and troubleshoot every time a specific port needs to be opened.
    That router goes to 2 floors in the building, with a switch on the first floor and another one on the second floor, this second one extends the network to the third floor. My Time Capsule is connected to this switch.
    The main router from our ISP has the IP 192.168.254.150 set up to be in DMZ (per request) as well as the, what they call, "soft firewall" disabled.
    My Time Capsule has its network set up manually, so it has the static IP mentioned just above, the router is the main router from our ISP.
    Currently the TC is set up to share that IP address using DHCP & NAT, where the private IP range identifier is different from the one used by the main router (TC is using 10.0.X.X) resulting in a double NAT, but causing no problem since the IP identifier is different.
    Ports that need to be forwarded have been mapped in the TC.
    IPv6 is configured to be set up automatically and its mode is set to Native.
    The TC also broadcasts a secure wireless network.
    My main desktop (running OS X Mountain Lion) is connected through ethernet, directly to the TC.
    I have tried connecting to an external server @ IP XX.XXX.XX.XX on port 7777, but the connection fails.
    That's pretty much it, I think.

  • SNAT on ACE 4700 in bridging mode

    Hi,
    I would like to implement Source-NAT for some traffic, but not all traffic for the ACE 4700. The ACE 4700 will be configured as a bridge.
    Can I configure Source-NAT using an extended access-list when the ACE 4700 is used as a bridge? I need Source-NAT for servers that need to access the VIPs on the ACE. All VIPs and real servers are on the same IP subnet. I was going to configure the ACE as a bridge so that IP addresses don't have to change.
    Let me know how Source-NAT will work in this bridging scenario. If not, what examples or options do I have?
    Thank you.

    Thanks, Gilles!
    So, does it mean I can just use a standard access-list to identify traffic for Source-NAT? Meaning, I can just Source-NAT based on source IP addresses instead of using an extended access-list to specify both source address and destination VIP?

  • Ace redundancy with different software licences

    Hi,
    We have 4710 with ACE-4710-1F-K9.
    1G Bundle: Includes ACE 4710 Hardware, 1 Gbps  Throughput, 5,000 SSL TPS, 500 Mbps Compression, 5 Virtual Devices, 50  Application Acceleration Connection License, Embedded Device Manager
    We have another 4710 with ACE-4710-2F-K9.
    2G Bundle: Includes ACE 4710 Hardware, 2 Gbps  Throughput, 7,500 SSL TPS, 1Gbps Compression, 5 Virtual Devices, 50  Application Acceleration Connection License, Embedded Device Manager
    Is it possible to set up redundancy (FT GROUP) with 2 devices that have different software bundles?

    Hello-
    When you initially set up the ACEs in an FT pair, they initially figure out who is master based on priority, then they check if the licenses that they each have installed are the same.  If there is a mismatch, FT will continue to check the configuration and will eventually go into a "standby warm" state.  It will not config-sync the startup or running configurations until you install the correct license and toggle config sync.
    This is what you would see:
    ACE-A/Admin# show ft group 1 status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_WARM
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Detected license mismatch with peer, disabling running-config auto sync
    Startup cfg sync status      : Detected license mismatch with peer, disabling running-config auto sync
    If you disable config sync, it will still stay in a warm state and ignore the license mismatch:
    ACE-A/Admin# show ft group 1 status
    FT Group                     : 1
    Configured Status            : in-service
    Maintenance mode             : MAINT_MODE_OFF
    My State                     : FSM_FT_STATE_ACTIVE
    Peer State                   : FSM_FT_STATE_STANDBY_WARM
    Peer Id                      : 1
    No. of Contexts              : 1
    Running cfg sync status      : Sync disabled by CLI.
    Startup cfg sync status      : Sync disabled by CLI.
    It is not recommended to run with 2 different licenses because it is possible that you failover and don't have enough resources to carry the traffic that the active was running - however - if you disable configuration sync, it will allow you to do such.
    Regards,
    Chris Higgins

  • PBR with ACE in bridge mode

    I have one ACE configured in bridge mode.
    For proxy users: they have the VIP as proxy, so the traffic from the client has the VIP as destination.
    But there are some users without a proxy, so we used Policy Based Routing; it is working and we can see the connections on the ACE,
    but with the destination IP of the websites, so the traffic is not coming back, as shown below:
    BC-LB1/BlueCoat# sho conn | include 10.1.50.10
    1782765    1  in  TCP   210  10.1.50.10:52052      67.195.160.76:80      SYNSEEN
    1355728    1  out TCP   210  67.195.160.76:80      10.1.50.10:52052      INIT
    BC-LB1/BlueCoat#
    In the PBR, we used the VIP as next hop address.
    Please advise: what is the problem?
    thanks in advance

    Good afternoon,
    As you mentioned, it seems the return traffic is not coming back through the ACE. You should review your PBR configuration to ensure that the return traffic is also matched and sent to the ACE.
    Regards
    Daniel

  • ACE in bridge mode with FWSM as gateway

    our design
    FWSM--vlan 7--ACE-vlan 8---servers with default gateway as FWSM
    Originally there were no plans for servers to load balance traffic when they wanted to communicate with each other. Now there is a need for this.
    Since the ACE is in bridge mode, there is no IP address configured on its VLANs and we can't do source NAT.
    What we want: servers in serverfarm A can contact a single IP which can be load balanced, with traffic sent to serverfarm B. Both serverfarms reside in vlan 8 and the ACE is in bridge mode. With the VLAN not having an IP, how can we get this working? We were looking to create a policy on the ACE with an IP address in vlan 8 and then do a source NAT to send the traffic to serverfarm 7.
    With the FWSM as the default gateway, enabling permit intra traffic doesn't work because the command routes the traffic; I don't think it will send the traffic back to the same vlan,
    e.g. static (inside,outside) 10.7.0.1 10.7.8.13 and allow intra traffic.
    So when a machine 10.7.8.11 pings 10.7.0.1 it goes to the FWSM, but the FWSM doesn't look for 10.7.8.13.
    With the ACE in bridge mode and the FWSM doing the above, how do we get around this? Can something be done on the ACE in bridge mode with source NAT?
    Thanks

    First, why don't you have an ip in your ACE vlan ?
    Then, for traffic hitting a vip, we can do source nating even in bridge mode.
    But if the vip is not an ip in vlan 8, your server will anyway send the traffic to the FWSM and ACE will first bridge the request.
    The FWSM should then send the request back to ACE (not sure how this can be done).
    So the request from the server will actually hit the vip on vlan 7 (not vlan 8).
    So your policy-map with client nat must be on vlan 7.
    Another option would be to configure a static route on the server to point the vip to the ACE vlan 8 ip address (which you should have configured).
    In this case, the policy-map will have to be in vlan 8 with client-nat.
    Gilles.

  • Firewall Load Balance using bridged mode ACE

    Dear Folks,
    I'd like to load balance 2 ASAs using 3 ACEs [inside, outside, dmz network zones].
    I've seen sample configurations; all of them run the ACE in route mode, and the ASAs are running in route mode.
    Would it be possible to run the ACE in bridge mode, because of the IP subnetting problem? We don't have enough to split.
    By the way, if possible, for all servers installed behind the ACE, what default gateway should the servers point to [in our case we have 2 independent firewalls]? Should I create a VIP for both firewalls, or should I simply set the servers' gateway to the BVI interface?
    Please help. Thanks

    Thank you very much Gilles,
    You're the man. ;-)
    Another question: in my case I am trying to load balance 3-interface firewalls [inside, outside, dmz], and to make the packet return through the same firewall it passed earlier.
    What kind of hashing technique do I need to use, and do I need to use the mac sticky command?
    I tried to find a configuration sample on the Cisco website, but I only found ones with 2 interfaces, with the ACE running source hash and destination hash at each end.
    Thank you very much
