Alias vlan interfaces on the ACE

I am getting up to speed on the ACE module and seeing lots of cases where an alias is configured on both the client-side and server-side VLAN interfaces. Is this a requirement?
Thanks..

Hi,
Yes it is. If you have a pair of ACEs in routed mode, you should use aliases on your VLAN interfaces.
This VLAN address should then be used by your servers as default gateway on the server side, and as next hop for your upstream routers on the client side.
This way, if the primary ACE fails, the next-hop address and default gateway of your upstream routers and servers don't have to be changed because the IP address remains the same.
Take a look at the following doc for configuration guidelines: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/rtg_brdg/guide/vlansif.html#wp1034811
HTH,
Dario
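
A configuration check for the addressing described in the answer above, as an added example that is not part of the original thread or of any Cisco tool: it parses `interface vlan` stanzas and reports routed interfaces that lack an alias or peer address, or whose addresses sit in different subnets or collide. It assumes a redundant pair in routed mode; the sample configuration and its documentation-range addresses are constructed.

```python
import ipaddress
import re

# Constructed sample for one ACE of a redundant pair (documentation addresses).
SAMPLE = """\
interface vlan 100
  description client side
  ip address 192.0.2.2 255.255.255.0
  alias 192.0.2.1 255.255.255.0
  peer ip address 192.0.2.3 255.255.255.0
  no shutdown
interface vlan 200
  description server side, alias missing
  ip address 198.51.100.2 255.255.255.0
  peer ip address 198.51.100.3 255.255.255.0
  no shutdown
interface vlan 300
  ip address 203.0.113.2 255.255.255.0
  alias 203.0.113.2 255.255.255.0
  peer ip address 198.51.100.9 255.255.255.0
  no shutdown
"""

FIELDS = {"ip address": "ip", "alias": "alias", "peer ip address": "peer"}
ADDR = re.compile(r"\s+(ip address|alias|peer ip address) (\S+) (\S+)")


def parse_interfaces(config):
    """Map VLAN id -> {'ip' | 'alias' | 'peer': IPv4Interface} per interface stanza."""
    vlans, current = {}, None
    for raw in config.splitlines():
        head = re.match(r"interface vlan (\d+)", raw)
        if head:
            current = vlans.setdefault(int(head.group(1)), {})
            continue
        if not raw[:1].isspace():
            current = None  # some other top-level command ends the stanza
            continue
        m = ADDR.match(raw)
        if m and current is not None:
            current[FIELDS[m.group(1)]] = ipaddress.ip_interface(
                f"{m.group(2)}/{m.group(3)}")
    return vlans


def audit(config):
    """Return (vlan, finding) tuples for interfaces that break the alias/peer pattern."""
    findings = []
    for vlan, addrs in sorted(parse_interfaces(config).items()):
        if "ip" not in addrs:
            continue  # bridged or unaddressed interface, nothing to compare
        for key in ("alias", "peer"):
            if key not in addrs:
                findings.append((vlan, f"no {key} address"))
            elif addrs[key].network != addrs["ip"].network:
                findings.append((vlan, f"{key} not in {addrs['ip'].network}"))
        ips = [addrs[k].ip for k in ("ip", "alias", "peer") if k in addrs]
        if len(set(ips)) != len(ips):
            findings.append((vlan, "duplicate address"))
    return findings


if __name__ == "__main__":
    for vlan, finding in audit(SAMPLE):
        print(f"vlan {vlan}: {finding}")
```
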

Similar Messages

  • VLAN Tagging on the ACE 4710 Appliance

    Hello all,
    I have a quick question. How does the ACE 4710 Appliance work with VLAN tagging? I have virtual servers that I am trying to configure behind the ACE. The VMs support VLAN tagging. Can I just trunk the link to my core switch and allow the ACE VLANs to pass through?
    Your help is greatly appreciated.

    ACE 4710 supports dot1q trunking.
    Configure the interface between the 4710 and the core switch as a trunk.
    Same between your VMs and the core switch.
    Gilles

  • Add additional Interface at an ACE in HA and to an already active context

    Hello,
    I have a question about the ACE 4710. I have two boxes running in Active / Hot-standby mode.
    On the boxes there is an admin context running and additionally a Loadbalancing context. There are already 3 VLANs in which the boxes already load-balance services. Classic connection with a 4-port Gigabit EtherChannel.
    Now there is a serverfarm that for some reason is placed in another VLAN which the ACE does not know. I think it should not be a problem to allow a new VLAN on the port channel...
    But when I set up the new VLAN interface with IP address / alias IP address and peer IP address, I am not sure whether I can do this on the fly and the box continues to work, or will this have an influence on the HA?
    The other thing I am not sure about is what will happen to the Loadbalancing context when adding the new VLAN interface...
    Within the admin context:
    context Loadbalancing
      allocate-interface vlan 200
      allocate-interface vlan 300
      allocate-interface vlan 400
      allocate-interface vlan 5      This will be the new VLAN-Interface....
      member class1
    Will the context Loadbalancing and all the definitions about serverfarms / rservers and so on remain, and does the box continue load-balancing the traffic at this moment, or is there any danger of losing the Loadbalancing context?
    Any tips about the correct steps that keep the box alive while adding a new VLAN interface will be appreciated.
    Thank you in advance for your help.
    Gerhard

    Hi Gerhard,
    Yes, you should not have any issue.
    However, you can follow these general suggestions:
    1) Do a checkpoint on both units:
    #  checkpoint create INSERTING-VLAN
    2) Save a backup of your configuration on a FTP server
    Hope this helps.
    Jorge

  • I need to allow icmp through the ACE to servers behind the ACE

    I have been trying to figure this out and I've made several attempts at a configuration that will work, but I just don't get it.  Here's what I have configured.  I'm trying to ping from a server outside of the ACE to a server on vlan 308.  I send my ICMP it should ingress through vlan 302 and hit the server on vlan 308.  Instead I get nothing and I see no traffic hits on my policy or from the show icmp statistics.  I am able to ping the IP addresses on vlan 302 but nothing on the inside.
    access-list icmp line 10 extended permit icmp any any
    class-map match-all icmp-allow-inspect
      2 match access-list icmp
    policy-map multi-match icmp-allow-inspect-mmpl
      class icmp-allow-inspect
        inspect icmp error
    interface vlan 302 --------- public facing VIPs- ingress
      ip address 71.113.93.37 255.255.255.224
      alias 71.113.93.36 255.255.255.224
      peer ip address 71.113.93.38 255.255.255.224
      service-policy input mgmt
      service-policy input icmp-allow-inspect-mmpl
      no shutdown
    interface vlan 308 ---------- server - L2
      ip address 10.60.22.130 255.255.255.192
      alias 10.60.22.129 255.255.255.192
      peer ip address 10.60.22.131 255.255.255.192
      service-policy input icmp-allow-inspect-mmpl
      no shutdown

    I ran a capture and I see the traffic hit the ingress interface of the ACE, but it never gets passed to the backend server vlan.  The icmp is received and the connection is closed, but then I get 4 more packets marked PKT_XMT then the packet is dropped.  The capture was done on the ingress vlan.  If I do a capture on the server side vlan I get nothing at all in the capture.
    0001: msg_type: PKT_RCV
    ace_id: 6809            action_flag: 0x13
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0002: msg_type: CON_CLOSE
    con_id: 1345505684       out_con_id: 271763861
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    0003: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0011: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0019: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0029: msg_type: PKT_XMT
    con_id: 1345505684              other_con_id: 0
    0037: msg_type: PKT_DROP
    con_id: 1345505684           reason: 0
    src_addr: 74.113.193.34            src_port: 53575
    dst_addr: 10.62.222.136            dst_port: 2048
    l3_protocol: 0          l4_protocol: 1
    This is my access list and its applied globally with the access-group input ALL command.  I also have my default gateway pointing back to my upstream router and there are no other routes on the ACE.  I can ping the ingress interface from my upstream router and I can ping my gateway from the ACE.  I can ping my backend server from the ACE, but not from anything outside the ACE.  I can not ping anything behind my ACE module.
    access-list ALL line 12 extended permit icmp any any
    access-list ALL line 18 extended permit ip any any

  • A few questions on the ACE

    I am getting up to speed on the ACE and was wondering if someone could please clarify a couple of things for me as the docs I am using are pretty confusing.
    We have the ACE module in a Cisco 65XX switch, along with FWSM.
    1) Do I need to create a Layer 3 int on the switch for the Vlan's that I have assigned to the ACE?
    2) I have created a Layer 3 Client side and a Server side Vlans on the ACE. Do I need to create a default gateway for each of these Vlan's or create just one DG and point it to the switch?
    3)Do I need to create a class map, a policy map and a service policy for the Client and Server Vlan L3 interfaces on the ACE?
    Thanks much.

    Have you had a chance to read through the config guide?
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A2/configuration/rtg_brdg/guide/rtbrgdgd.html
    In general,
    1) yes for client-side vlans
    no for server-side vlans
    2) just one default route to an SVI on MSFC
    3) yes

  • MSFC - cannot ping vlan interface

    Hi,
    We have several VLANs defined on the MSFC. On the MSFC we could ping all the VLAN interfaces except 1 VLAN. The interface is up and just recently we weren't able to ping it. Any help is much appreciated.
    TIA.
    PF

    Hi PF,
    AFAIK, when you are pinging a particular interface sitting on the MSFC, the source IP would be that of any other available interface. If you are pinging vlan 110, it will take the source IP of any other available VLAN interface and the destination is Vlan 110, but the ACL defined on the interface does not have any ACE for the same, so the packets will be dropped.
    Removing the ACL worked as explained above.
    regards,
    -amit singh

  • WLC - 4402/4 - Vlan Interface Addressing

    I currently have 7 WLCs with the same Vlan interfaces defined across all 7 controllers. Does anyone know the best practice for addressing these interfaces on each of the WLCs. I currently have each unique Vlan interface assigned with the same IP address across all 7 WLCs. This is working. Should I leave it this way or should I assign each controller with a different address for the Vlan interface?

    The controllers, assuming you have it configured as such, act as dhcp relay agents. Presumably, if the router got the wrong mac address in its arp entry, the dhcp message would be lost.
    Clients could have taken a while before getting a dhcp addr (race condition for router arp entry) and not been able to work if dhcp was required.
    That said, I've seen the controllers work with the dhcp server set to 255.255.255.255 so the ip helper addresses on the routers would pick up the requests.

  • FWSM vlan interface

    Hello, quick question I hope someone can help with.
    Is it possible for me to create 2 vlan interfaces on the 6500 and have them both in the same subnet?
    For a specific customer requirement I would like to have a vlan interface on the 6500 as default gateway, sat in its own vrf, and then route all traffic inbound and outbound to this vlan through the FWSM interface, preferably in the same subnet. I don't think this will be possible so just looking for confirmation either way.
    As I will be running EIGRP between a pair of central 6500's and 2 remote offices it will make things much easier for me to advertise the connected FWSM interfaces into EIGRP for access in/out of all my VRF'd subnets. If I need another subnet for each VRF FWSM next hop then I'll have to redistribute a list of statics which I don't really want to do.
    The reason I am not just using the FWSM as gateway is because I need to run HSRP across 3 different devices (another 6500 in a second suite), and failover FWSM will only give me 1 level of redundancy for those gateways.
    Hope that makes sense, let me know if you have further questions.
    Thanks

    Thanks Marvin. You do understand the question, and it occurred to me after writing the above that I could just use a single FWSM inside interface and route in and out of each VRF via that 1 interface (All VRF's belong to a single customer, just required for segregation of internal traffic).
    The third 6500 running HSRP will be located in a DC 100km away connected via dual 1Gb circuits (3ms latency), and has its own default route to a pair of ASA 5520's. If both FWSM's go down then the gateway will go live in the second site and traffic will be switched over our SP QinQ tunnel to that gateway. Relevant BGP bits (MED), etc. will also be in place for seamless failover and traffic flow to and from the /23 PI range peered with the same ISP in each location.
    Thanks again.
    Chris

  • ASA 5545-X SVI/Vlan Interface

    I am looking to deploy an ASA 5545-X with Layer 3 VLAN interfaces; the device out of the box doesn't let you create VLAN interfaces. Is there any module available which enables creating Switch Virtual Interfaces?
    I was looking at the I/O 6-port Gigabit Ethernet card, but wanted to make sure before ordering.
    Many Thanks

    Hi,
    You are only able to configure Sub Interfaces for the Vlan ID on your ASA model.
    You can only configure actual Vlan interfaces with ASASM and ASA5505 model. This relates to the fact that ASA5505 has a switch module while your model does not.
    I have no experience with the ASASM but I would imagine it's similar to the FWSM, which also used VLAN interfaces as it's a module in an actual larger switch/router platform.
    You can check this limitation in the Command Reference also:
    interface vlan
    For the ASA 5505 and ASASM, to configure a VLAN interface and enter interface configuration mode, use the interface vlan command in global configuration mode. To remove a VLAN interface, use the no form of this command.
    interface vlan number
    no interface vlan number
    Syntax Description
    number
    Specifies a VLAN ID.
    For the ASA 5505, use an ID between 1 and 4090. The VLAN interface ID is enabled by default on VLAN 1.
    For the ASASM, use an ID between 2 to 1000 and from 1025 to 4094.
    - Jouni

  • EIGRP IPv6 and VLAN interfaces

    We've found that we have to set static link local IPs when two routers might peer over multiple VLAN interfaces.
    The issue is that the routers, 6500s with sup720s, utilize the same autoconfig'd link local address on each VLAN interface. EIGRP IPv6 refuses to peer with the other router on multiple VLANs when the link locals are the same.
    Anyone else encounter this?   Did we miss a config option that would force unique link locals on different VLANs interfaces?
    Because of this issue, we've made it our best practice to configure static link local for all inter-router transits.

    HI Gary,
    I had a setup with SUP720 on 2 7600s and I am able to enable the neighborship without any issues. I didn't configure static link local, as below:
    Ryanair#show ipv6 int vlan 500  | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#sho ipv6 int vlan 501 | inc FE
      IPv6 is enabled, link-local address is FE80::21C:B0FF:FEB5:6D00
    Ryanair#show ipv6 eigrp nei
    EIGRP-IPv6 neighbors for process 100
    H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                                (sec)         (ms)       Cnt Num
    1   Link-local address:     Vl501             11 00:15:51  816  4896  0  13
        FE80::222:55FF:FE17:25C0
    0   Link-local address:     Vl500             11 00:17:14    1   200  0  12
        FE80::222:55FF:FE17:25C0
    Ryanair#
    Can you let us know the version on both the devices?
    Regards,
    Nagendra

  • ACE - Query VLAN Interfaces Status

    Hi,
    I am wondering what the status of the query vlan interface means in the command 'show ft peer detail':
    Query Vlan IF State          : UP, Manual validation - please ping peer
    I am pretty sure that I did not see this status when I configured query vlan last time. Current version is A2(2.3).
    Unfortunately this status does not seem to be documented anywhere on CCO.
    I appreciate any help!
    Thanks,
    Daniel

    Hi Daniel,
    The FT Query VLAN interface is an optional, yet very good, feature to be used when using redundant ACE modules or appliances. Without it, if the FT VLAN was to go down, the standby ACE will no longer receive FT heartbeats from the active ACE and therefore take the active role.  However, if the active ACE is still running fine in the active role, then you don't want the standby ACE to take over as active because that will put them into an active/active scenario, which may lead to connectivity issues.
    This is where the FT Query VLAN interface comes in.  If the FT VLAN goes down, the standby ACE will notice this, but before taking the active role, it will ping its peer IP address configured on the interface that is designated as the FT Query VLAN.  If the ping is successful, then it will stay in the standby role, thereby saving you some headaches.
    The status that you are seeing is the ACE's way of telling you that the interface is UP, but if you want to know if it can successfully ping the peer IP address, then you would have to manually ping the peer IP address from the CLI.  The ACE does not periodically check the ping connectivity through any automatic mechanism.  The automatic mechanism is only triggered by the FT VLAN going down.
    Does this help?
    Sean

  • PING TO ACE VLAN INTERFACES

    Hi,
    I am not able to ping the VLAN interfaces defined on the ACE devices unless directly connected to the subnet.
    I tried options - defining access-list, service-policy. I can ping the servers behind the ACE but I cannot ping the ACE VLAN interface.
    I captured the traffic on the ACE. I cannot see any traffic on the interfaces if I ping the VLAN IP address. I can see the traffic if I am pinging the host behind the ACE.
    Is there any option available to enable ICMP on the interfaces?

    In order to ping the VLAN interface you just need a management policy applied to the VLAN interface.
    Class-maps used in the management policy define the source addresses from which these management accesses are allowed.
    If you can ping the interfaces from locally connected subnets but not from the remote subnets, then there could be 2 reasons:
    1. Some routing issues
    2. Source IPs in management class maps are not defined.
    Following is an example of a typical management policy:
    #Allow telnet & SSH from these ip addresses
    #Allow ICMP from any source
    class-map type management match-any MGMT-CLASS
      10 match protocol telnet
      20 match protocol ssh
      30 match protocol icmp any
    policy-map type management first-match MGMT-POLICY
      class MGMT-CLASS
        permit
    interface vlan 10
      ip address x.x.x.x 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    interface vlan 20
      ip address y.y.y.y 255.255.255.0
      service-policy input MGMT-POLICY
      no shutdown
    Syed Iftekhar Ahmed
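
To test the second reason named in the reply above (source not covered by a management class map), here is an added example, not part of the original post, that resolves each interface's management policy and says whether ICMP from a given source would be accepted. It assumes the `match protocol icmp any | source-address <ip> <mask>` form; the sample configuration and its documentation-range addresses are constructed.

```python
import ipaddress
import re

# Constructed sample (documentation addresses); not the poster's configuration.
SAMPLE = """\
class-map type management match-any MGMT-CLASS
  10 match protocol ssh source-address 192.0.2.0 255.255.255.0
  20 match protocol icmp source-address 192.0.2.0 255.255.255.0
class-map type management match-any PING-ANY
  10 match protocol icmp any
policy-map type management first-match MGMT-POLICY
  class MGMT-CLASS
    permit
policy-map type management first-match PING-POLICY
  class PING-ANY
    permit
interface vlan 10
  service-policy input MGMT-POLICY
interface vlan 20
  service-policy input PING-POLICY
interface vlan 30
  no shutdown
"""

TOP = re.compile(r"(class-map type management \S+|policy-map type management \S+"
                 r"|interface vlan) (\S+)")
ICMP = re.compile(r"(?:\d+ )?match protocol icmp (any|source-address (\S+) (\S+))$")


def parse(config):
    """Group indented lines under each management class-map, policy-map and interface."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        head = TOP.match(raw)
        if head:
            kind = head.group(1).split()[0]  # class-map / policy-map / interface
            current = stanzas.setdefault((kind, head.group(2)), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def icmp_source_ok(class_lines, src):
    """True if a 'match protocol icmp' line in the class covers the source address."""
    for line in class_lines:
        m = ICMP.match(line)
        if m and (m.group(1) == "any" or src in ipaddress.ip_network(
                f"{m.group(2)}/{m.group(3)}", strict=False)):
            return True
    return False


def ping_verdict(config, vlan, source):
    """Explain whether ICMP from `source` to the interface of `vlan` is accepted."""
    stanzas, src = parse(config), ipaddress.ip_address(source)
    iface = stanzas.get(("interface", str(vlan)))
    if iface is None:
        return "no such interface"
    mgmt = [l.split()[-1] for l in iface if l.startswith("service-policy input ")
            and ("policy-map", l.split()[-1]) in stanzas]
    if not mgmt:
        return "no management policy on interface"
    for policy in mgmt:
        body = stanzas[("policy-map", policy)]
        for cls, action in zip(body, body[1:]):  # each 'class X' line and its action
            lines = stanzas.get(("class-map", cls.split()[-1]), [])
            if cls.startswith("class ") and icmp_source_ok(lines, src):
                return "permitted" if action == "permit" else "denied by policy"
    return "source not matched by any management class"
```
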

  • ACE bridge and routed interface in the same context

    Hello
    I am wondering if it is possible to configure one ACE context to support both routed and bridged interfaces?
    I would like to have a bridge-mode context but at the same time I would like to have a separate OOB interface for management.
    If it is possible, how could they interact with each other?
    Thank you in advance for any answer
    Regards
    Lukasz

    Hello
    We've just tried to configure bridged and routed interfaces at the same time in the lab and we've had a problem.
    When we added the def gw for the bridged config we noticed that we had an issue with the traffic sourced by the rservers in the routed config.
    When we deleted the new def gw, the problem disappeared.
    I am attaching the lab config.
    When we added to it the following line
    ip route 0.0.0.0 0.0.0.0 10.1.1.163
    reals B1-B10 could not communicate to the outside world.
    Do you know why it did not work and what we could do to fix it?
    Thank you in advance.
    Regards
    Lukas

  • VPLS with IP in the vlan interface

    I have this config in a Cat6500:
    l2 vfi XXX manual
      vpn id XXX
      neighbor 1.1.1.1
    interface vlan XXX
      ip address 2.2.2.2
      xconnect vfi XXX
    With this config I can't reach other equipment on this VLAN with VPLS from the 6500.
    Is it OK to set up an IP address on a VLAN interface even if the interface has a VPLS "xconnect" configuration?

    Hi Guys,
    I would like to put my idea only but I don't know if it is correct or not.
    But if we define any IP address on the interface, then this will help us to improve anything but will appear in the routing table of the PE router and it could be a part of its routing and MPLS, which is not required.
    Secondly, we are trying to emulate a layer 2 bridge across the VPLS backbone, not the Layer 3 switch domain. Then it could be possible that you configure routing across the backbone but there is no such kind of mechanism to enable routing.
    Please rate if it helps.
    Kamlesh SHarma

  • Simple SLB with the ACE Module

    Hello,
    I have some problems with an ACE module I am currently testing.
    I have a simple serverfarm with two servers.
    But there seem to be some problems with the load balancing that I do not understand:
    1) I use Round Robin, but the ACE seems to put me several times on the same server. I notice this because I have different content on both servers, also different URLs.
    2) With the show serverfarm statement the total connections do not increment.
    switch/slb-c1# show serverfarm webfarm
    serverfarm : webfarm, type: HOST
    total rservers : 2
                                                  ----------connections-----------
        real                  weight state        current    total
    ---+---------------------+------+------------+----------+--------------------
    rserver: web1
        10.0.33.201:0         8      OPERATIONAL  0          0
    rserver: web2
        10.0.33.200:0         8      OPERATIONAL  0          0
    switch/slb-c1# show service-policy L4_LB_VIP
    Status : ACTIVE
    Interface: vlan 300
      service-policy: L4_LB_VIP
        class: L4_VIP_CLASS
          loadbalance:
            L7 loadbalance policy: L7_SLB_POLICY
            VIP Route Metric : 77
            VIP Route Advertise : DISABLED
            VIP ICMP Reply : ENABLED
            VIP State: INSERVICE
            curr conns : 0 , hit count : 15
            dropped conns : 0
            client pkt count : 10198 , client byte count: 420991
            server pkt count : 23367 , server byte count: 34915173
    I have attached the config.
    Any Idea what is going on?

    What version do you have?
    I would recommend to run the very recent A1.4.
    This is something that really should work.
    Gilles.
