Bridge mode - MAP /RAP - Client service

Hi all.
I'm very confused about the MAP and RAP mode as they are APs configured in Bridge mode.
In the CCNA Wireless, we are clearly taught that Bridge mode APs do NOT deliver client service...
Apparently Mesh and Root APs are APs in bridge mode but do deliver client service!!!
I've surely missed something. Could someone help please?
Thanks
Alex

Hi Alex,
Bridge Mode AP
Many Wi-Fi bridging mode products exist with varying levels of functionality. Some wireless bridges support only a single point-to-point connection to another AP. Others support point-to-multipoint connections to several other APs.
Each AP in bridging mode connects to a wired LAN. Some AP models simultaneously support wireless clients while operating in bridging mode, but others work as "bridge-only" and disallow any clients from connecting.
Root AP - Places the bridge in the access point mode. In this mode, the bridge emulates a Cisco Aironet Access Point (example: 1100 Series) and accepts associations from client devices.
Hope it helps
Regards

Similar Messages

  • Bridge Mode and Wireless Clients

    I have my network up and running fine, but I am now thinking I may need to tweak it a bit. I have an AEBS(n) and an Airport Express both set up with WDS. The Extreme is the base station and the Express is set in WDS Remote and in Bridge mode under the internet tab. The Express is hooked up via a wired ethernet connection to my PS3. Everything works.
    I am wondering if in bridge mode, the express accepts wireless clients as well as providing net access to my PS3 over the ethernet cable. Both the extreme and express stations are close enough together that I am not sure which one I am connecting to when I use my laptop wifi.
    Thanks in advance for your help.

    I am wondering if in bridge mode, the express accepts wireless clients as well as providing net access to my PS3 over the ethernet cable.
    Yes if you enable that option.

  • Question about Airport Express in WDS bridge mode with wired clients

    I am looking to buy an Airport Extreme N router, and then use the Express I already have to extend my network using WDS. I intend to setup the Express as a bridge in WDS mode and then connect a wired client to the Express. The question is can I connect a multi port switch or hub to the Express so that multiple wired clients can use the bridge or does Express only support one wired client. I looked at the FAQ at http://docs.info.apple.com/article.html?artnum=108038 but it doesn't address that.
    Thanks

    Hmmm, I haven't actually tried that myself, but it should work since, as a Remote Base Station in a WDS, the Ethernet port on the AX acts like a LAN port.

  • Ace module in bridged mode with client nat

    Could someone confirm whether NAT is supported for the ACE-20 module, please?
    Let me explain the technical details.
    I do need to convert working CSM(SLB) config to ACE configuration and I am not quite sure
    if the configuration below is correct. ACE module should be configured in bridge mode with two
    vlans - vlan 36 (client) and vlan 436 (server) - bridged with interface bvi 36.
    NAT on ACE configured as "nat dynamic 1025 vlan 436" into corresponding
    "policy-map type loadbalance"
    Could you check two parts of configs and advise me if the ACE config is
    properly converted from CSM and will be working in the same way (especially for NAT).
    Thank you in advance.
    CSM config
    =======
    vlan 36 client
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
      gateway 10.36.3.1
    vlan 436 server
      ip address 10.36.3.3 255.255.255.0 alt 10.36.3.4 255.255.255.0
    natpool WEB-MAIL 10.36.3.100 10.36.3.100 netmask 255.255.255.0
    sticky 30 netmask 255.255.255.255 address source timeout 60
    probe SHAREPOINT tcp
      interval 30
      failed 120
      open 3
      port 80
    probe WEBMAIL-443 tcp
      interval 5
      failed 60
      open 2
      port 443
    serverfarm WEBMAIL-443
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 443
       inservice
      real 10.36.3.102 443
       inservice
      probe WEBMAIL-443
    serverfarm WEBMAIL-80
      nat server
      nat client WEB-MAIL
      predictor leastconns
      real 10.36.3.101 80
       inservice
      real 10.36.3.102 80
       inservice
      probe SHAREPOINT
    vserver WEBMAIL-443
      virtual 10.36.3.100 tcp https
      serverfarm WEBMAIL-443
      sticky 60 group 30
      replicate csrp sticky
      replicate csrp connection
      persistent rebalance
      inservice
    vserver WEBMAIL-80
      virtual 10.36.3.100 tcp www
      serverfarm WEBMAIL-80
      replicate csrp connection
      persistent rebalance
      inservice
    ACE config
    =======
    probe tcp WEBMAIL-443
      interval 5
      open 2
      passdetect interval 60
      port 443
    probe tcp SHAREPOINT
      interval 30
      open 3
      passdetect interval 120
      port 80
    serverfarm host WEBMAIL-443
      predictor leastconns
      probe WEBMAIL-443
      rserver 10-36-3-101 443
        inservice
      rserver 10-36-3-102 443
        inservice
    serverfarm host WEBMAIL-80
      predictor leastconns
      probe SHAREPOINT
      rserver 10-36-3-101 80
        inservice
      rserver 10-36-3-102 80
        inservice
    class-map match-all WEBMAIL-80
      match virtual-address 10.36.3.100 tcp eq www
    class-map match-all WEBMAIL-443
      match virtual-address 10.36.3.100 tcp eq https
    sticky ip-netmask 255.255.255.255 address source 30
      serverfarm WEBMAIL-443
      replicate sticky
      timeout 60
    policy-map type loadbalance first-match WEBMAIL-80
      class class-default
        serverfarm WEBMAIL-80
        nat dynamic 1025 vlan 436 serverfarm primary
    policy-map type loadbalance first-match WEBMAIL-443
      class class-default
        sticky-serverfarm 30
        nat dynamic 1025 vlan 436 serverfarm primary
    parameter-map type http HTTP_ADV_OPT
      persistence-rebalance
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    interface vlan 36
      bridge-group 36
      service-policy input IFVLAN36-POLICY
      mac-sticky enable
      no shutdown
    interface vlan 436
      bridge-group 36
      nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
      no shutdown
    interface bvi 36
      ip address 10.36.3.3 255.255.255.0
      peer ip address 10.36.3.4 255.255.255.0
      no shutdown

    Hello F.Makarenko-
      You will want to use PAT while you do nat, so change the natpool configuration to this:
       nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
      You also need to apply the nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
      class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
        nat dynamic 1025 vlan 436
    If you are going to build out a lot of classes, you can instead do source nat like this:
    policy-map multi-match IFVLAN36-POLICY
    class WEBMAIL-80
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-80
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class WEBMAIL-443
        appl-parameter http advanced-options HTTP_ADV_OPT
        loadbalance policy WEBMAIL-443
        loadbalance vip inservice
        loadbalance vip icmp-reply active
    class class-default
        nat dynamic 1025 vlan 436
    Regards,
    Chris Higgins
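
The two changes suggested in the reply above (a `pat` keyword on the nat-pool, and `nat dynamic` applied under the multi-match policy) can be checked mechanically before a converted config is loaded. This is an added example, not code from the thread or from Cisco; the function names and finding labels are hypothetical, and the two sample configs are constructed from the NAT-relevant lines posted above.

```python
import re

# Constructed sample: NAT-relevant lines of the ACE config from the question.
ORIGINAL = """
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map type loadbalance first-match WEBMAIL-443
  class class-default
    sticky-serverfarm 30
    nat dynamic 1025 vlan 436 serverfarm primary
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
  class WEBMAIL-443
    loadbalance policy WEBMAIL-443
interface vlan 36
  service-policy input IFVLAN36-POLICY
interface vlan 436
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0
"""

# Constructed sample: the same lines after the two changes from the reply.
REVISED = """
policy-map type loadbalance first-match WEBMAIL-80
  class class-default
    serverfarm WEBMAIL-80
policy-map type loadbalance first-match WEBMAIL-443
  class class-default
    sticky-serverfarm 30
policy-map multi-match IFVLAN36-POLICY
  class WEBMAIL-80
    loadbalance policy WEBMAIL-80
    nat dynamic 1025 vlan 436
  class WEBMAIL-443
    loadbalance policy WEBMAIL-443
    nat dynamic 1025 vlan 436
interface vlan 36
  service-policy input IFVLAN36-POLICY
interface vlan 436
  nat-pool 1025 10.36.3.100 10.36.3.100 netmask 255.255.255.0 pat
"""

POLICY_RE = re.compile(
    r"^policy-map\s+(?:type\s+(\S+)\s+first-match|multi-match)\s+(\S+)$")
IFACE_RE = re.compile(r"^interface\s+vlan\s+(\d+)$")
CLASS_RE = re.compile(r"^class\s+(\S+)$")
POOL_RE = re.compile(r"^nat-pool\s+(\d+)\s+\S+\s+\S+\s+netmask\s+\S+(\s+pat)?$")
NAT_RE = re.compile(r"^nat\s+dynamic\s+(\d+)\s+vlan\s+(\d+)")


def parse_nat(config_text):
    """Return (pools, refs): nat-pool definitions and nat dynamic references."""
    pools, refs = {}, []
    policy = klass = vlan = None
    for raw in config_text.splitlines():
        line = raw.strip()
        # Match on keywords, not indentation: pasted configs often lose it.
        if line.startswith(("policy-map", "interface")):
            policy = klass = vlan = None
        if m := POLICY_RE.match(line):
            policy = (m.group(1) or "multi-match", m.group(2))
        elif m := IFACE_RE.match(line):
            vlan = m.group(1)
        elif (m := CLASS_RE.match(line)) and policy:
            klass = m.group(1)
        elif (m := POOL_RE.match(line)) and vlan:
            pools[(m.group(1), vlan)] = bool(m.group(2))  # True when 'pat' is set
        elif (m := NAT_RE.match(line)) and policy:
            refs.append({"pool": m.group(1), "vlan": m.group(2),
                         "type": policy[0], "policy": policy[1], "class": klass})
    return pools, refs


def audit(config_text):
    """Flag NAT statements that differ from what the reply recommends."""
    pools, refs = parse_nat(config_text)
    findings = set()
    for r in refs:
        where = f"policy-map {r['policy']} class {r['class']}"
        if r["type"] != "multi-match":
            # The reply applies 'nat dynamic' under the multi-match policy.
            findings.add(("nat-in-loadbalance-policy", where))
        key = (r["pool"], r["vlan"])
        if key not in pools:
            findings.add(("missing-nat-pool", where))
        elif not pools[key]:
            # The reply adds 'pat' to the nat-pool line.
            findings.add(("nat-pool-without-pat",
                          f"interface vlan {r['vlan']} pool {r['pool']}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("revised", REVISED)):
        print(label, audit(text))
```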

  • Using Extreme in Bridge mode, can't see the DHCP clients if the D-Link router

    I have an Airport Extreme attached to my DLink modem/router.  I have configured the Airport Extreme in Bridge mode, and I was expecting all clients to show up in my D-Link router.  Although the configuration works most of the time, I have been experiencing a few issues:
    1.  From time to time, computers attached (both Windows and/or Mac) complain about an IP address conflict.  I can ignore the error and it works fine.
    2. From time to time, I lose Internet connectivity, and I need to disconnect my computer and reconnect again to solve the issue.  This is not necessarily linked to symptom #1
    3. On my D-Link router/modem (which I only use to connect my Airport to my ISP), if I check the DHCP clients, I can see the Airport router connected and *some* of the wireless clients that connect through the Airport.  The list changes quite randomly, and at times, I see the airport appearing twice with different IP addresses.
    Any help configuring it "right" will be appreciated!
    Alain

    When the AirPort Extreme is in bridge mode, the AirPort Extreme is simply passing through the DHCP settings and services that are handled by the D-Link modem/router.
    In other words, the D-Link device is in total charge of the DHCP services for devices on the network.
    You might want to check with D-Link support to see if they have any recommended practices for configuring the modem/router when another router....the AirPort Extreme in this case....is being used in bridge mode on the network.

  • GT784WNV not working in Bridge Mode! Fed up with lack of Customer Service

    I don't even know where to start but I am this close to just cancelling Verizon and switching to cable internet.  If you want to skip the rant, jump down a paragraph.
    I recently moved from a house a few miles away in which I had a solid DSL connection with a Westell 7500 in routed bridge mode that worked just fine with my Asus RT-N56U that I use for browsing, streaming, and online gaming.  When I moved, the technician insisted I take the newer Actiontec GT784WNV.  Needless to say, Verizon support was unsuccessful in getting it set up in bridge mode.  After about 4 hours of unsuccessful troubleshooting, I suggested swapping it back out with my 7500 which worked fine just 4 days prior in my old house.  Surprise!  It miraculously started working just as it had previously.  As I began to use it more, I noticed the connection was unstable.  I would get dropped from Xbox Live and lose connection temporarily on my iPad.  I ran the Verizon speed test and it would drop to about 0 and spike back up 3 or 4 times during the download test (don't think this is normal but could be).  Every day I would talk to Verizon who escalated it to a supervisor about 4 times.  They would then close the ticket without calling me.  When I would follow up, I was told the supervisor talked to me and I verified the connection was good.  Lying makes me livid and there is no accountability whatsoever at Verizon and it happened more than once.  It appears to be a way for them to pass the problem on to someone else.  I can go on and on about being put on hold for 40 minutes before disconnected, the 20+ hours I have spent re-telling my account info and story to every Tier 1 technician on their payroll for the past week, or the lack of competent customer service supervisors.  This weekend, I finally got a call from someone local who said my line had some faults on it and that the problem was somewhere between my jack and the central office and they would send someone out today.  Well....today the tech showed up and said "your problem is this old modem" and plugged in the Actiontec that I started with a week ago.
    I asked if he tested my line or the jack as the lady on the phone told me, and he said no.  The problem is the modem.  I said, I don't want a modem/router, I just want a regular modem and he said he had one, but it would cost me.  How on earth is a plain modem going to cost me when they just installed an 802.11n router/modem combo for free?  Absolutely terrible.  I told him I want it in bridge mode because I don't want to use the wireless or the routing capabilities of the Actiontec.  He said I have to do that and people normally just call Best Buy to have the Geek Squad come out.  This really **bleep** me off as I used to run a network shop and configure Cisco routers and switches for a living.  Once again, I have spent the past 6 hours tonight on the phone with Verizon only to end up back where I started.
    At this point, I need to make this Actiontec GT784WNV a dummy (bridge) and let my Asus Rt-N56U do the work on my network.  My Asus has all the port forwarding in place that I need for Xbox Live, etc.  I have tried releasing the IP, changing the modem to RFC 1483 Transparent Bridging, disabling DHCP, changing the LAN IP to 192.168.99.1, etc. and it just will NOT get an internet connection.  My router is configured correctly, unless there is something different between the Westell and the Actiontec that would require a setting change.  Verizon is stumped, Asus hasn't called me back yet, and I am ready to just switch to Cable unless someone can help with a solution.  I've been at this for a week.  I have spent WAYY too much time fighting with a company that has no desire to deliver or to follow through and with absolutely zero accountability or business sense.  Westell 7500 + Asus RT-N56U in old house worked fine.  Move houses, change modem, doesn't work, switch back to old modem, works but unstable, tech claims old modem is my problem, plugs in new modem, doesn't work.  I just want to use my router.  How hard can that be?  Can anyone please help?

    Unfortunately that didn't work.  I ended up putting my router in the DMZ as a workaround but it still had its share of issues.  After another week of trying to get Verizon to fix my connection (constant dropped connections forcing reboots of modem and router multiple times daily) I had Cable Internet installed today.  Went from an unstable 6Mb/s to a stable 30Mb/s with Cable.  I should have done this weeks ago.  I wasted over 50 hours of my time with Verizon bouncing my issue around to others hoping someone else would be willing to fix it.  Still no accountability with everyone tinkering with my setup taking a stab in the dark.  The last person I spoke with set up a technician to come to my house later this week...AGAIN because he said there is something wrong on the line.  I've known that for weeks but the tech that refused to fix my issue when he was in my house last week instead tried blaming it on something completely irrelevant because he had no clue what to do.  One would think someone from Verizon would have reached out to me from this thread but they did not.  In fact, the last tech's supervisor called me when I wasn't home, said "hello, this is XXX from Verizon......hello?"  and hung up.  Never a follow up as I was left once again to solve the problem myself.  Well...I did.  The incompetence of Verizon, its poor training, and awful follow up procedures has cost them a customer. I am truly disappointed.

  • HT3477 I am attempting to set up a guest network. When I change the Network settings to DHCP NAT I get a message that tells me that the service has a private IP address and so I must connect using off bridge mode. In this mode I can not connect to the int

    I am attempting to set up a guest network on the Airport Extreme Base Station. The Base Station is connected to a DSL Modem. The network is also extended using an Airport Express. When I have attempted to set up the Base Station using DHCP NAT in the network feature I get a message that because the service has a private IP address the only way that I can connect is in Off Bridge Mode. In this mode I do not seem to be able to connect to the internet using the guest network. Any suggestions would be helpful.

    Ok, your Speedport is actually a combination DSL modem and wireless router. In this case you would typically configure a downstream router, like your AirPort Extreme in Bridge mode. Unfortunately, when in Bridge mode, the AirPort does NOT support providing a guest network.
    The only possible option is to reconfigure the Speedport as a bridge and use the Extreme as your Internet router. You would still need the DSL modem provided by the Speedport for Internet connectivity.

  • How do I configure my Airport Extreme to work in Bridge Mode and provide specific IP addresses to clients

    My Airport Extreme is working with an Airport Express to wirelessly extend my wireless network.  Both Airports are configured in Bridge Mode per the instructions I found on Apple's support site.  I want to assign a specific DHCP address to a wireless camera that is in range of the Extreme, but I understand that the Extreme needs to be in DHCP Only mode to do this.  But if I change the mode to DHCP Only, the Extreme will lose contact with the Express.  How can I get both functions to work - wireless network extension and specific DHCP addresses?

    Then what device is providing DHCP? Only one device per subnet should be the DHCP server. One should be DHCP and NAT and the other in Bridge mode for most home setups. The unit with DHCP and NAT should be the one connected to your cable or DSL and the other set in Bridge mode only extends your network.
    On the wireless config page set whichever you're using to extend your network to "Extend a wireless network" and give it the details of the network to which you're attaching it.

  • ACE 4710 in bridge mode not working

    I am trying to configure ACE 4710 bridge mode and I am stuck up in physical interface configuration. I have configured gig1/2 of ACE as trunk port and on layer 2 switch I have assigned that interface (gig1/2) to VLAN 11. I tried trunk port also but it got disabled due to BPDU error.
    I am not able to ping servers as well as gateway. Below are the topology and context configuration:
    Router   (vlan 13: IP 172.16.11.254)
         |
    ACE     (int gig1/2)
         |
    L2 Switch
         |
    Servers (vlan 11: IP 172.16.11.1 and 11.2)
    Admin Context
    ===========
    resource-class rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    boot system image:c4710ace-mz.A3_2_4.bin
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 11,13
      no shutdown
    interface gigabitEthernet 1/3
      shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 172.16.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.16.254
    context test
      allocate-interface vlan 11
      allocate-interface vlan 13
      member rc1
    test Context
    =========
    access-list bpdu-fixup ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    rserver host srv1
      ip address 172.16.11.1
      inservice
    rserver host srv2
      ip address 172.16.11.2
      inservice
    serverfarm host srv
      rserver srv1
        inservice
      rserver srv2
        inservice
    sticky ip-netmask 255.255.255.255 address both SG1
      timeout 120
      serverfarm srv
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    class-map match-all slb-vip
      2 match virtual-address 172.16.11.10 any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        sticky-serverfarm SG1
    policy-map multi-match client-vips
      class slb-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 11
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 172.16.11.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 172.16.11.254
    Could you pls. suggest where I am doing wrong?
    Thanks,
    Pawan

    " I tried trunk port also but it got disabled"   <----- if your L2 config is not correct, nothing will work.
    What is the setup on the switch ? Trunk or access vlan ?
    What is the status of the interface ? up ? down ?
    Do you see something in your arp table ?
    Gilles.

  • ACE30-MOD-k9 in bridge mode. Individual server in the same vlan of Real Servers not reachable.

    I configured ACE30-MOD-K9 in bridge mode and I configured a server farm with its real servers. The traffic passes and is balanced correctly between all RSERVER. But I can not contact a server that is on the same vlan of the serverfarm but doesn't belong to this serverfarm.
    I thought that the traffic directed to this "spare" server shouldn't be balanced but the bridge should permit traffic to pass (transparent mode). Is it correct?
    What does ACE in bridge mode do with traffic directed to servers that do not belong to any server farm but are present on the same VLAN (same bridge group)?
    With respect to the following configuration, 10.10.10.168 isn't reachable
    access-list INBOUND line 8 extended permit ip any any
    access-list INBOUND line 16 extended permit icmp any any
    probe http HTTP_PROBE1
      expect status 200 200
    rserver host RS_WEB1
      ip address 10.10.10.163
      inservice
    rserver host RS_WEB2
      ip address 10.10.10.164
      inservice
    rserver host RS_WEB3
      ip address 10.10.10.165
      inservice
    rserver host RS_WEB4
      ip address 10.10.10.167
      inservice
    serverfarm host SF_FIREGROUP
      rserver RS_WEB1
        inservice
      rserver RS_WEB2
        inservice
      rserver RS_WEB3
        inservice
      rserver RS_WEB4
        inservice
    sticky ip-netmask 255.255.255.255 address source sticky-ip
      replicate sticky
      serverfarm SF_FIREGROUP
    sticky http-cookie myCookie sticky-cookie
      cookie insert browser-expire
      serverfarm SF_FIREGROUP
    class-map match-any VS_FIREGROUP
      2 match virtual-address 10.10.10.169 tcp eq www
      4 match virtual-address 10.10.10.169 tcp eq 8081
      5 match virtual-address 10.10.10.169 tcp eq 8082
      6 match virtual-address 10.10.10.169 tcp eq 8083
      7 match virtual-address 10.10.10.169 tcp eq 8084
      8 match virtual-address 10.10.10.169 tcp eq 8085
      9 match virtual-address 10.10.10.169 tcp eq 8097
    class-map match-any VS_FIREGROUP_HTTPS
      2 match virtual-address 10.10.10.169 tcp eq https
    policy-map type loadbalance first-match HTTP
      class class-default
        sticky-serverfarm sticky-cookie
    policy-map type loadbalance first-match HTTPS
      class class-default
        sticky-serverfarm sticky-ip
    policy-map multi-match HTTP_HTTPS_MULTI_MATCH
      class VS_FIREGROUP
        loadbalance vip inservice
        loadbalance policy HTTP
        loadbalance vip advertise active
      class VS_FIREGROUP_HTTPS
        loadbalance vip inservice
        loadbalance policy HTTPS
        loadbalance vip advertise active
    interface vlan 4
      bridge-group 1
      access-group input INBOUND
      service-policy input HTTP_HTTPS_MULTI_MATCH
      no shutdown
    interface vlan 700
      bridge-group 1
      access-group input INBOUND
      no shutdown
    interface bvi 1
      ip address 10.10.10.150 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 10.10.10.1
    Thanks a lot
    Francesco

    Hi Francesco,
    Just to add a bit more: a bridge group is very similar to routed mode except ACE cannot NAT pass-through traffic, VLANs cannot be shared, and a couple of other things, but clients should be able to access the server as before.
    But also whether in bridge or routed mode, ACE does create flows and applies other security parameters if configured to the traffic. This is for security. Also, ACE should know the MAC of the device to forward the traffic to. Can you check if ACE has the MAC of the destination? You can also put a route for testing purpose and see if that resolves the issue. That should probably be the quickest way to check if ACE is creating any issue here.
    Regards,
    Kanwal

  • ACE 4710 in bridge mode

    Hi,
    We got a new ACE 4710 device and I am trying to configure it in Bridging mode.
    I am trying to loadbalance between two servers which are connected as shown below:
    Servers -> Switch -> Router (with subinterface).
    Servers IP: 172.16.11.1 and 172.16.11.2
    Router IP: 172.16.11.254
    Default route is router IP address for servers.
    I am new to ACE and I am confused about how to assign interface on ACE so that ACE can bridge the traffic between router and servers VLAN.
    We have some more servers which are on different VLAN but can connect to these servers as router is doing inter-vlan routing too.
    I want inter-vlan routing and load balancing between above two servers concurrently. Pls. help in this regard.
    Also attaching the ACE config file.

    Here is the config, hope this will help.
    Admin Context
    =============
    resource-class ngmp_rc1
      limit-resource all minimum 0.00 maximum unlimited
      limit-resource sticky minimum 0.20 maximum unlimited
    interface gigabitEthernet 1/1
      switchport access vlan 1000
      no shutdown
    interface gigabitEthernet 1/2
      switchport trunk allowed vlan 10,13
      no shutdown
    interface gigabitEthernet 1/3
      no shutdown
    interface gigabitEthernet 1/4
      shutdown
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any remote_access
      2 match protocol xml-https any
      3 match protocol icmp any
      4 match protocol telnet any
      5 match protocol ssh any
      6 match protocol http any
      7 match protocol https any
      8 match protocol snmp any
    policy-map type management first-match remote_mgmt_allow_policy
      class remote_access
        permit
    interface vlan 1000
      ip address 192.168.16.16 255.255.255.0
      access-group input ALL
      service-policy input remote_mgmt_allow_policy
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.16.254
    context apps
      allocate-interface vlan 10
      allocate-interface vlan 13
      member apps_rc1
    APPS Context
    ============
    rserver host srv1
      ip address 192.168.10.1
      inservice
    rserver host srv2
      ip address 192.168.10.2
      inservice
    rserver host srv3
      ip address 192.168.10.3
      inservice
    serverfarm host apps_srv
      rserver srv1
        inservice
      rserver srv2
        inservice
      rserver srv3
        inservice
    class-map match-all ftp-vip
      2 match virtual-address 172.16.10.10 tcp eq ftp
    class-map match-all http-vip
      2 match virtual-address 172.16.10.11 tcp eq 8080
    class-map type management match-any remote-mgmt
      201 match protocol snmp any
      202 match protocol ssh any
      203 match protocol icmp any
      204 match protocol http any
      205 match protocol https any
      206 match protocol xml-https any
    policy-map type management first-match remote-mgmt
      class remote-mgmt
        permit
    policy-map type loadbalance first-match slb
      class class-default
        serverfarm apps_srv
    policy-map multi-match client-vips
      class ftp-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
        inspect ftp
      class http-vip
        loadbalance vip inservice
        loadbalance policy slb
        loadbalance vip icmp-reply
    interface vlan 10
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      no shutdown
    interface vlan 13
      bridge-group 1
      access-group input bpdu-fixup
      access-group input ALL
      access-group output ALL
      service-policy input remote-mgmt
      service-policy input client-vips
      no shutdown
    interface bvi 1
      ip address 192.168.10.9 255.255.255.0
      no shutdown
    ip route 0.0.0.0 0.0.0.0 192.168.10.254
    Thanks,
    Pawan
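
A review check for the configuration posted above, as an added example that is not part of the original post and not Cisco tooling: it matches ACE statements by keyword rather than indentation and reports interfaces where a `permit ip any any` ACL is applied inbound or where a management policy admits Telnet or HTTP from `any`. The `audit` function, the finding labels and the choice of Telnet and HTTP as the protocols to flag are assumptions of this example.

```python
import re

# Excerpt of the Admin-context config from the post above.
CONFIG = """\
access-list ALL line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match remote_mgmt_allow_policy
class remote_access
permit
interface vlan 1000
ip address 192.168.16.16 255.255.255.0
access-group input ALL
service-policy input remote_mgmt_allow_policy
"""

CLEARTEXT = {"telnet", "http"}  # assumption: protocols this example flags

def audit(config):  # returns (interface, finding, detail) tuples
    open_acls, mgmt, policies, findings = set(), {}, {}, []
    cmap = pmap = iface = None  # block we are currently inside
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) line \d+ extended permit ip any any$", line):
            open_acls.add(m[1])
        elif m := re.match(r"class-map (?:type (\S+) )?\S+ (\S+)$", line):
            cmap, pmap, iface = (m[2] if m[1] == "management" else None), None, None
        elif m := re.match(r"policy-map (?:type (\S+) )?\S+ (\S+)$", line):
            pmap, cmap, iface = (m[2] if m[1] == "management" else None), None, None
        elif m := re.match(r"interface (.+)$", line):
            iface, cmap, pmap = m[1], None, None
        elif cmap and (m := re.match(r"\d+ match protocol (\S+) any$", line)):
            mgmt.setdefault(cmap, set()).add(m[1])
        elif pmap and (m := re.match(r"class (\S+)$", line)):
            policies.setdefault(pmap, []).append(m[1])
        elif iface and (m := re.match(r"access-group input (\S+)$", line)):
            if m[1] in open_acls:
                findings.append((iface, "acl-permit-any", m[1]))
        elif iface and (m := re.match(r"service-policy input (\S+)$", line)):
            for cls in policies.get(m[1], []):
                for proto in sorted(mgmt.get(cls, set()) & CLEARTEXT):
                    findings.append((iface, "cleartext-mgmt-from-any", proto))
    return findings
```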

  • Can you share an external hard drive over a network when your Apple Airport Extreme is in bridge mode?

    Hello, is it possible to share an external hard drive over a network when I have my Airport Extreme in bridge mode?  I can't use my AE as my main router at the moment but still want to be able to use the hard drive on the network, and the router I am using isn't capable of adding an external hard drive.  I use Windows 7 and the other router is a Netgear.  I have searched the communities and have not come across an answer to this question.  I have tried several configurations within Windows to try and see the hard drive but none have worked.  I can see the hard drive when I run Airport Utilities, but it cannot be seen on the network.  Thanks to anyone who can help!

    I think there is some confusion in this thread..
    If you are sharing on a local LAN port forwarding is not required.
    is it possible to share an external hard drive over a network when I have my Airport Extreme in bridge mode?
    Answer is yes.. no port forwarding, mapping whatever term is used.. is needed. Port mapping is required when you cross over a NAT router.. as long as all the devices are inside a single LAN.. then no port mapping.
    I assign to my Airport Extreme, do I do so with the settings of:
    Service: SMB
    Type: TCP
    Server IP: xx.x.x.x
    Port Start: 445
    Port End: 445
    This would not work even from WAN.. SMB is blocked by all responsible ISPs.. there are simply too many unprotected Windows machines out there. If they allowed SMB.. the world would be flooded with hijacked bots. And stolen data like bank accounts. SMB is not a secure protocol.
    But this is not necessary on a LAN.
    The problem can be Mavericks which does a terrible job presenting network drives.. The usual recommendations are to use AFP or force the connection to CIFS (ie SMB1 not 2).
    If you use Airport, then use AFP.
    In Finder.. Go, Connect to Server.
    AFP://AEname or AEIPaddress. (replace with the network name of the AE or its actual IP address).
    When asked for password.. type public if you did not change it or use whatever password you put.
    Store the password in the keychain.

  • Multiple "vserver" for different apps in a single VLAN (Bridge Mode)

    Hi,
    I'm deploying Cat6500 with CSM-S & FWSM modules. Doing bridge mode for the CSM (and FWSM will do the inter-VLAN routing upfront).
    There are 3 (three) different applications (Vidiator, BEA & XIAM) placed in the Internet VLAN. Each application consists of multiple servers. Two applications (BEA & XIAM) need to be load-balanced, and the other one (Encoder) in the same VLAN does NOT need to be load-balanced.
    The questions are:
    - Is it possible to create multiple virtual servers (vserver) for different applications (BEA & XIAM) on the same VLAN client/server?
    - Is it also possible to do load balancing only for some servers (BEA & XIAM) on one VLAN, while other servers (Encoder) on the same VLAN do NOT need load balancing? If so, what is the method? If not, what should be done?
    Below is the script for CSM-S that I'm planning to deploy, please kindly provide your comments and advice.
    Thanks a lot in advance.
    Johan KC
    MY SCRIPT:
    module ContentSwitchingModule 9
      vlan 96 client
        ip address 10.67.96.9 255.255.252.0
        alias 10.67.96.8 255.255.252.0
      vlan 296 server
        ip address 10.67.96.9 255.255.252.0
      vserver BEA-PROXY-WEB
        virtual 10.67.96.1 tcp www
        vlan 96
        server farm BEA-PROXY-SERVERS
        replicate csrp connection
        persistent rebalance
        inservice
      server farm BEA-PROXY-SERVERS
        nat server
        no nat client
        real 10.67.96.2
          inservice
        real 10.67.96.5
          inservice
        probe ICMP
      server farm XIAM-WEB-SERVERS
        nat server
        no nat client
        real 10.67.96.26
          inservice
        real 10.67.96.29
          inservice
        probe ICMP
      vserver XIAM-WEB
        virtual 10.67.96.25 tcp www
        vlan 96
        server farm XIAM-WEB-SERVERS
        replicate csrp connection
        persistent rebalance
        inservice

    Hi Gilles,
    Thanks a lot for your response.
    1. For the multiple vservers.
    Both applications provide HTTP service but I think that I could run them on different port numbers: 80 and 8080. Will this work?
    2. About the non-loadbalancing apps (encoder).
    There are two servers and future additions are possible. They can work independently of each other. Both servers just provide FTP access, for content providers to upload files.
    Since both servers will run the same service (FTP) and port number, I don't think we can create two vservers for them, right?
    You also said that I could have the server in the internet VLAN and the client accessing it directly. Does this mean that no vserver config is needed? So, from the FWSM the client traffic will go straight to the servers (without passing the CSM)?
    If this is possible, it sounds like a good option to me.
    Please kindly provide your advice/comments.
    Thanks again.
    Best Regards,
    Johan KC

  • How to use SNMP to access interface counters for WAN port when not in bridged mode

    Hi All,
    Can't fault my timecapsule, however just struggling to get one little bit of functionality working.  I'm keen to get access to the WAN port interface counter information via SNMP, so I can track total bandwidth/throughput & also volume. 
    I have no issue getting SNMP to work & can see the 2.4 & 5.0GHz network counters, also total number of WIFI clients, wlan0, wlan1 and bridge0 interfaces.  Trouble is none of these are the WAN/external ethernet port.
    I see that it is likely that I'm trying to find the vlan1 port, however from what I'm reading this may only be available when the device is running in a routed mode (I'm running in bridge mode).
    Anyone able to suggest anything?

    With some cable modems you can turn off NAT.. and then use the TC in router mode.. or even use DMZ if the cable router allows that.
    Have you ever looked at gargoyle router firmware and its ability to count and quota all clients connecting to internet service.. it is a simply fantastic firmware and can be loaded onto a router that costs $70-130 dollars.. it is 3rd party but very solid if you choose the right combo.
    http://www.gargoyle-router.com/wiki/doku.php?id=screenshots
